From 532901856c574b8edc5f1b0479353132060e985b Mon Sep 17 00:00:00 2001
From: "Internet Software Consortium, Inc" <@isc.org>
Date: Wed, 17 Feb 2010 14:19:33 -0700
Subject: 9.7.0

---
 CHANGES                              |  18 +
 HISTORY                              | 313 +++++++++++++++
 README                               | 453 ++++------------------
 README.dnssec                        | 186 ---------
 README.libdns                        | 275 --------------
 README.pkcs11                        | 309 ---------------
 README.rfc5011                       |  74 ----
 bin/dnssec/dnssec-settime.8          |   8 +-
 bin/dnssec/dnssec-settime.c          |   4 +-
 bin/dnssec/dnssec-settime.docbook    |   7 +-
 bin/dnssec/dnssec-settime.html       |  18 +-
 bin/named/statschannel.c             | 354 ++++++++++-------
 doc/arm/Bv9ARM-book.xml              |  19 +-
 doc/arm/Bv9ARM.ch04.html             | 711 ++++++++++++++++++++++++++++++++++-
 doc/arm/Bv9ARM.ch05.html             |   6 +-
 doc/arm/Bv9ARM.ch06.html             | 162 ++++----
 doc/arm/Bv9ARM.ch07.html             |  14 +-
 doc/arm/Bv9ARM.ch08.html             |  18 +-
 doc/arm/Bv9ARM.ch09.html             | 655 +++++++++++++++++++++++++++-----
 doc/arm/Bv9ARM.html                  | 120 ++++--
 doc/arm/dnssec.xml                   | 244 ++++++++++++
 doc/arm/libdns.xml                   | 530 ++++++++++++++++++++++++++
 doc/arm/man.arpaname.html            |   8 +-
 doc/arm/man.ddns-confgen.html        |  10 +-
 doc/arm/man.dig.html                 |  20 +-
 doc/arm/man.dnssec-dsfromkey.html    |  16 +-
 doc/arm/man.dnssec-keyfromlabel.html |  14 +-
 doc/arm/man.dnssec-keygen.html       |  16 +-
 doc/arm/man.dnssec-revoke.html       |  10 +-
 doc/arm/man.dnssec-settime.html      |  16 +-
 doc/arm/man.dnssec-signzone.html     |  12 +-
 doc/arm/man.genrandom.html           |  10 +-
 doc/arm/man.host.html                |  10 +-
 doc/arm/man.isc-hmac-fixup.html      |  10 +-
 doc/arm/man.named-checkconf.html     |  12 +-
 doc/arm/man.named-checkzone.html     |  12 +-
 doc/arm/man.named-journalprint.html  |   8 +-
 doc/arm/man.named.html               |  16 +-
 doc/arm/man.nsec3hash.html           |  10 +-
 doc/arm/man.nsupdate.html            |  14 +-
 doc/arm/man.rndc-confgen.html        |  12 +-
 doc/arm/man.rndc.conf.html           |  12 +-
 doc/arm/man.rndc.html                |  12 +-
 doc/arm/managed-keys.xml             | 100 +++++
 doc/arm/pkcs11.xml                   | 372 ++++++++++++++++++
 lib/dns/api                          |   2 +-
 lib/dns/zone.c                       |  24 +-
 lib/isc/api                          |   2 +-
 lib/isc/httpd.c                      |  45 ++-
 lib/isc/unix/socket.c                |  24 +-
 version                              |   6 +-
 win32utils/BuildSetup.bat            |   1 +
 52 files changed, 3556 insertions(+), 1778 deletions(-)
 create mode 100644 HISTORY
 delete mode 100644 README.dnssec
 delete mode 100644 README.libdns
 delete mode 100644 README.pkcs11
 delete mode 100644 README.rfc5011
 create mode 100644 doc/arm/dnssec.xml
 create mode 100644 doc/arm/libdns.xml
 create mode 100644 doc/arm/managed-keys.xml
 create mode 100644 doc/arm/pkcs11.xml

diff --git a/CHANGES b/CHANGES
index aec133c9..09a6f58a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,21 @@
+	--- 9.7.0 released ---
+
+2849.	[bug]		Don't treat errors from the xml2 library as fatal.
+			[RT #20945]
+
+2848.	[doc]		Moved README.dnssec, README.libdns, README.pkcs11 and
+			README.rfc5011 into the ARM. [RT #20899]
+
+2847.	[cleanup]	Corrected usage message in dnssec-settime. [RT #20921]
+
+2846.	[bug]		EOF on unix domain sockets was not being handled
+			correctly. [RT #20731]
+
+2845.	[bug]		RFC 5011 client could crash on shutdown. [RT #20903]
+
+2844.	[doc]		notify-delay default in ARM was wrong.  It should have
+			been five (5) seconds.
+
 	--- 9.7.0rc2 released ---
 
 2843.	[func]		Prevent dnssec-keygen and dnssec-keyfromlabel from
diff --git a/HISTORY b/HISTORY
new file mode 100644
index 00000000..e98f9b41
--- /dev/null
+++ b/HISTORY
@@ -0,0 +1,313 @@
+Summary of functional enhancements from prior major releases of BIND 9:
+
+BIND 9.6.0
+
+        Full NSEC3 support
+
+        Automatic zone re-signing
+
+	New update-policy methods tcp-self and 6to4-self
+
+        The BIND 8 resolver library, libbind, has been removed from the
+        BIND 9 distribution and is now available as a separate download.
+
+	Change the default pid file location from /var/run to
+	/var/run/{named,lwresd} for improved chroot/setuid support.
+
+BIND 9.5.0
+
+	GSS-TSIG support (RFC 3645).
+
+	DHCID support.
+
+	Experimental http server and statistics support for named via xml.
+
+	More detailed statistics counters including those supported in BIND 8.
+
+	Faster ACL processing.
+
+	Use Doxygen to generate internal documentation.
+
+        Efficient LRU cache-cleaning mechanism.
+
+        NSID support.
+
+BIND 9.4.0
+
+	Implemented "additional section caching (or acache)", an
+	internal cache framework for additional section content to
+	improve response performance.  Several configuration options
+	were provided to control the behavior.
+
+	New notify type 'master-only'.  Enable notify for master
+	zones only.
+
+	Accept 'notify-source' style syntax for query-source.
+
+	rndc now allows addresses to be set in the server clauses.
+
+	New option "allow-query-cache".  This lets "allow-query"
+	be used to specify the default zone access level rather
+	than having to have every zone override the global value.
+	"allow-query-cache" can be set at both the options and view
+	levels.  If "allow-query-cache" is not set then "allow-recursion"
+	is used if set, otherwise "allow-query" is used if set
+	unless "recursion no;" is set in which case "none;" is used,
+	otherwise the default (localhost; localnets;) is used.
+
+	rndc: the source address can now be specified.
+
+	ixfr-from-differences now takes master and slave in addition
+	to yes and no at the options and view levels.
+
+	Allow the journal's name to be changed via named.conf.
+
+	'rndc notify zone [class [view]]' resend the NOTIFY messages
+	for the specified zone.
+
+	'dig +trace' now randomly selects the next servers to try.
+	Report if there is a bad delegation.
+
+	Improve check-names error messages.
+
+	Make public the function to read a key file, dst_key_read_public().
+
+	dig now returns the byte count for axfr/ixfr.
+			
+	allow-update is now settable at the options / view level.
+
+	named-checkconf now checks the logging configuration.
+
+	host now can turn on memory debugging flags with '-m'.
+
+	Don't send notify messages to self.
+
+	Perform sanity checks on NS records which refer to 'in zone' names.
+
+	New zone option "notify-delay".  Specify a minimum delay
+	between sets of NOTIFY messages.
+
+	Extend adjusting TTL warning messages.
+
+	Named and named-checkzone can now both check for non-terminal
+	wildcard records.
+
+	"rndc freeze/thaw" now freezes/thaws all zones.
+
+	named-checkconf now check acls to verify that they only
+	refer to existing acls.
+
+	The server syntax has been extended to support a range of
+	servers.
+
+	Report differences between hints and real NS rrset and
+	associated address records.
+
+	Preserve the case of domain names in rdata during zone
+	transfers.
+
+	Restructured the data locking framework using architecture
+	dependent atomic operations (when available), improving
+	response performance on multi-processor machines significantly.
+	x86, x86_64, alpha, powerpc, and mips are currently supported.
+
+	UNIX domain controls are now supported.
+
+	Add support for additional zone file formats for improving
+	loading performance.  The masterfile-format option in
+	named.conf can be used to specify a non-default format.  A
+	separate command named-compilezone was provided to generate
+	zone files in the new format.  Additionally, the -I and -O
+	options for dnssec-signzone specify the input and output
+	formats.
+
+	dnssec-signzone can now randomize signature end times
+	(dnssec-signzone -j jitter).
+
+	Add support for CH A record.
+
+	Add additional zone data constancy checks.  named-checkzone
+	has extended checking of NS, MX and SRV record and the hosts
+	they reference.  named has extended post zone load checks.
+	New zone options: check-mx and integrity-check.
+
+
+	edns-udp-size can now be overridden on a per server basis.
+
+	dig can now specify the EDNS version when making a query.
+
+	Added framework for handling multiple EDNS versions.
+
+	Additional memory debugging support to track size and mctx
+	arguments.
+
+	Detect duplicates of UDP queries we are recursing on and
+	drop them.  New stats category "duplicates".
+
+	"USE INTERNAL MALLOC" is now runtime selectable.
+
+	The lame cache is now done on a <qname,qclass,qtype> basis
+	as some servers only appear to be lame for certain query
+	types.
+
+	Limit the number of recursive clients that can be waiting
+	for a single query (<qname,qtype,qclass>) to resolve.  New
+	options clients-per-query and max-clients-per-query.
+
+	dig: report the number of extra bytes still left in the
+	packet after processing all the records.
+
+	Support for IPSECKEY rdata type.
+
+	Raise the UDP recieve buffer size to 32k if it is less than 32k.
+
+	x86 and x86_64 now have seperate atomic locking implementations.
+
+	named-checkconf now validates update-policy entries.
+
+	Attempt to make the amount of work performed in a iteration
+	self tuning.  The covers nodes clean from the cache per
+	iteration, nodes written to disk when rewriting a master
+	file and nodes destroyed per iteration when destroying a
+	zone or a cache.
+
+	ISC string copy API.
+
+	Automatic empty zone creation for D.F.IP6.ARPA and friends.
+	Note: RFC 1918 zones are not yet covered by this but are
+	likely to be in a future release.
+
+	New options: empty-server, empty-contact, empty-zones-enable
+	and disable-empty-zone.
+
+	dig now has a '-q queryname' and '+showsearch' options.
+
+	host/nslookup now continue (default)/fail on SERVFAIL.
+
+	dig now warns if 'RA' is not set in the answer when 'RD'
+	was set in the query.  host/nslookup skip servers that fail
+	to set 'RA' when 'RD' is set unless a server is explicitly
+	set.
+
+	Integrate contibuted DLZ code into named.
+
+	Integrate contibuted IDN code from JPNIC.
+
+	libbind: corresponds to that from BIND 8.4.7.
+
+BIND 9.3.0
+
+	DNSSEC is now DS based (RFC 3658).
+	See also RFC 3845, doc/draft/draft-ietf-dnsext-dnssec-*.
+
+	DNSSEC lookaside validation.
+
+	check-names is now implemented.
+	rrset-order in more complete.
+
+	IPv4/IPv6 transition support, dual-stack-servers.
+
+	IXFR deltas can now be generated when loading master files,
+	ixfr-from-differences.
+
+	It is now possible to specify the size of a journal, max-journal-size.
+
+	It is now possible to define a named set of master servers to be
+	used in masters clause, masters.
+
+	The advertised EDNS UDP size can now be set, edns-udp-size.
+
+	allow-v6-synthesis has been obsoleted.
+
+	NOTE:
+	* Zones containing MD and MF will now be rejected.
+	* dig, nslookup name. now report "Not Implemented" as
+	  NOTIMP rather than NOTIMPL.  This will have impact on scripts
+	  that are looking for NOTIMPL.
+
+	libbind: corresponds to that from BIND 8.4.5.
+
+BIND 9.2.0
+
+	The size of the cache can now be limited using the
+        "max-cache-size" option.
+
+	The server can now automatically convert RFC1886-style recursive
+	lookup requests into RFC2874-style lookups, when enabled using the
+	new option "allow-v6-synthesis".  This allows stub resolvers that
+	support AAAA records but not A6 record chains or binary labels to
+	perform lookups in domains that make use of these IPv6 DNS
+	features.
+
+	Performance has been improved.
+
+	The man pages now use the more portable "man" macros rather than
+	the "mandoc" macros, and are installed by "make install".
+
+	The named.conf parser has been completely rewritten.  It now
+	supports "include" directives in more places such as inside "view"
+	statements, and it no longer has any reserved words.
+
+	The "rndc status" command is now implemented.
+
+	rndc can now be configured automatically.
+
+	A BIND 8 compatible stub resolver library is now included in
+	lib/bind.
+
+	OpenSSL has been removed from the distribution.  This means that to
+	use DNSSEC, OpenSSL must be installed and the --with-openssl option
+	must be supplied to configure.  This does not apply to the use of
+	TSIG, which does not require OpenSSL.
+
+	The source distribution now builds on Windows.  See
+	win32utils/readme1.txt and win32utils/win32-build.txt for details.
+
+	This distribution also includes a new lightweight stub
+	resolver library and associated resolver daemon that fully
+	support forward and reverse lookups of both IPv4 and IPv6
+	addresses.  This library is considered experimental and
+	is not a complete replacement for the BIND 8 resolver library.
+	Applications that use the BIND 8 res_* functions to perform
+	DNS lookups or dynamic updates still need to be linked against
+	the BIND 8 libraries.  For DNS lookups, they can also use the
+	new "getrrsetbyname()" API.
+
+	BIND 9.2 is capable of acting as an authoritative server
+	for DNSSEC secured zones.  This functionality is believed to
+	be stable and complete except for lacking support for
+	verifications involving wildcard records in secure zones.
+
+	When acting as a caching server, BIND 9.2 can be configured
+	to perform DNSSEC secure resolution on behalf of its clients.
+	This part of the DNSSEC implementation is still considered
+	experimental.  For detailed information about the state of the
+	DNSSEC implementation, see the file doc/misc/dnssec.
+
+	There are a few known bugs:
+
+	    On some systems, IPv6 and IPv4 sockets interact in
+	    unexpected ways.  For details, see doc/misc/ipv6.
+	    To reduce the impact of these problems, the server
+	    no longer listens for requests on IPv6 addresses
+	    by default.  If you need to accept DNS queries over
+	    IPv6, you must specify "listen-on-v6 { any; };"
+	    in the named.conf options statement.
+
+	    FreeBSD prior to 4.2 (and 4.2 if running as non-root)
+	    and OpenBSD prior to 2.8 log messages like
+	    "fcntl(8, F_SETFL, 4): Inappropriate ioctl for device".
+	    This is due to a bug in "/dev/random" and impacts the
+	    server's DNSSEC support.
+
+	    OS X 10.1.4 (Darwin 5.4), OS X 10.1.5 (Darwin 5.5) and
+	    OS X 10.2 (Darwin 6.0) reports errors like
+	    "fcntl(3, F_SETFL, 4): Operation not supported by device".
+	    This is due to a bug in "/dev/random" and impacts the
+	    server's DNSSEC support.
+
+	    --with-libtool does not work on AIX.
+
+	A bug in some versions of the Microsoft DNS server can cause zone
+        transfers from a BIND 9 server to a W2K server to fail.  For details,
+	see the "Zone Transfers" section in doc/misc/migration.
diff --git a/README b/README
index c1def626..f0e1d200 100644
--- a/README
+++ b/README
@@ -42,6 +42,12 @@ BIND 9
 		Stichting NLnet - NLnet Foundation
 		Nominum, Inc.
 
+	For a summary of functional enhancements in previous
+	releases, see the HISTORY file.
+
+	For a detailed list of user-visible changes from
+	previous releases, see the CHANGES file.
+
 BIND 9.7.0
 
 	BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier
@@ -60,383 +66,64 @@ BIND 9.7.0
 	- DNS rebinding attack prevention.
 	- New default values for dnssec-keygen parameters.
 	- Support for RFC 5011 automated trust anchor maintenance
-          (see README.rfc5011 for additional details).
 	- Smart signing: simplified tools for zone signing and key
 	  maintenance.
 	- The "statistics-channels" option is now available on Windows.
-        - A new DNSSEC-aware libdns API for use by non-BIND9 applications
-          (see README.libdns for details).
-        - On some platforms, named and other binaries can now print out
-          a stack backtrace on assertion failure, to aid in debugging.
-        - A "tools only" installation mode on Windows, which only installs
-          dig, host, nslookup and nsupdate.
-        - Improved PKCS#11 support, including Keyper support and explicit
-          OpenSSL engine selection (see README.pkcs11 for additional details).
-
-        COMPATIBILITY NOTES:
-
-        - If you had built BIND 9.6 with any of ALLOW_NSEC3PARAM_UPDATE,
-          ALLOW_SECURE_TO_INSECURE or ALLOW_INSECURE_TO_SECURE defined, then
-          you should ensure that all changes that are in progress have
-          completed prior to upgrading to BIND 9.7.  BIND 9.7 implements
-          those features in a way which is not backwards compatible.
-
-        - Prior releases had a bug which caused HMAC-SHA* keys with long
-          secrets to be used incorrectly.  Fixing this bug means that older
-          versions of BIND 9 may fail to interoperate with this version
-          when using TSIG keys.  If this occurs, the new "isc-hmac-fixup"
-          tool will convert a key with a long secret into a form that works
-          correctly with all versions of BIND 9.  See the "isc-hmac-fixup"
-          man page for additional details.
-
-        - Revoking a DNSSEC key with "dnssec-revoke" changes its key ID.
-          It is possible for the new key ID to collide with that of a
-          different key.  Newly generated keys will not have this problem,
-          as "dnssec-keygen" looks for potential collisions before
-          generating keys, but exercise caution if using key revokation
-          with keys that were generated by older versions of BIND 9.
-          See README.rfc5011 for more details.
-          
-        - A bug was fixed in which a key's scheduled inactivity date was
-          stored incorectly.  Users who participated in the 9.7.0 BETA
-          test and had DNSSEC keys with scheduled inactivity dates will
-          need to reset those keys' dates using "dnssec-settime -I".
-
-BIND 9.6.0
-
-        BIND 9.6.0 includes a number of changes from BIND 9.5 and earlier
-        releases, including:
-
-        Full NSEC3 support
-
-        Automatic zone re-signing
-
-	New update-policy methods tcp-self and 6to4-self
-
-        The BIND 8 resolver library, libbind, has been removed from the
-        BIND 9 distribution and is now available as a separate download.
-
-	Change the default pid file location from /var/run to
-	/var/run/{named,lwresd} for improved chroot/setuid support.
-
-BIND 9.5.0
-
-	BIND 9.5.0 has a number of new features over 9.4,
-	including:
-
-	GSS-TSIG support (RFC 3645).
-
-	DHCID support.
-
-	Experimental http server and statistics support for named via xml.
-
-	More detailed statistics counters including those supported in BIND 8.
-
-	Faster ACL processing.
-
-	Use Doxygen to generate internal documentation.
-
-        Efficient LRU cache-cleaning mechanism.
-
-        NSID support.
-
-BIND 9.4.0
-
-	BIND 9.4.0 has a number of new features over 9.3,
-	including:
-
-	Implemented "additional section caching (or acache)", an
-	internal cache framework for additional section content to
-	improve response performance.  Several configuration options
-	were provided to control the behavior.
-
-	New notify type 'master-only'.  Enable notify for master
-	zones only.
-
-	Accept 'notify-source' style syntax for query-source.
-
-	rndc now allows addresses to be set in the server clauses.
-
-	New option "allow-query-cache".  This lets "allow-query"
-	be used to specify the default zone access level rather
-	than having to have every zone override the global value.
-	"allow-query-cache" can be set at both the options and view
-	levels.  If "allow-query-cache" is not set then "allow-recursion"
-	is used if set, otherwise "allow-query" is used if set
-	unless "recursion no;" is set in which case "none;" is used,
-	otherwise the default (localhost; localnets;) is used.
-
-	rndc: the source address can now be specified.
-
-	ixfr-from-differences now takes master and slave in addition
-	to yes and no at the options and view levels.
-
-	Allow the journal's name to be changed via named.conf.
-
-	'rndc notify zone [class [view]]' resend the NOTIFY messages
-	for the specified zone.
-
-	'dig +trace' now randomly selects the next servers to try.
-	Report if there is a bad delegation.
-
-	Improve check-names error messages.
-
-	Make public the function to read a key file, dst_key_read_public().
-
-	dig now returns the byte count for axfr/ixfr.
-			
-	allow-update is now settable at the options / view level.
-
-	named-checkconf now checks the logging configuration.
-
-	host now can turn on memory debugging flags with '-m'.
-
-	Don't send notify messages to self.
-
-	Perform sanity checks on NS records which refer to 'in zone' names.
-
-	New zone option "notify-delay".  Specify a minimum delay
-	between sets of NOTIFY messages.
-
-	Extend adjusting TTL warning messages.
-
-	Named and named-checkzone can now both check for non-terminal
-	wildcard records.
-
-	"rndc freeze/thaw" now freezes/thaws all zones.
-
-	named-checkconf now check acls to verify that they only
-	refer to existing acls.
-
-	The server syntax has been extended to support a range of
-	servers.
-
-	Report differences between hints and real NS rrset and
-	associated address records.
-
-	Preserve the case of domain names in rdata during zone
-	transfers.
-
-	Restructured the data locking framework using architecture
-	dependent atomic operations (when available), improving
-	response performance on multi-processor machines significantly.
-	x86, x86_64, alpha, powerpc, and mips are currently supported.
-
-	UNIX domain controls are now supported.
-
-	Add support for additional zone file formats for improving
-	loading performance.  The masterfile-format option in
-	named.conf can be used to specify a non-default format.  A
-	separate command named-compilezone was provided to generate
-	zone files in the new format.  Additionally, the -I and -O
-	options for dnssec-signzone specify the input and output
-	formats.
-
-	dnssec-signzone can now randomize signature end times
-	(dnssec-signzone -j jitter).
-
-	Add support for CH A record.
-
-	Add additional zone data constancy checks.  named-checkzone
-	has extended checking of NS, MX and SRV record and the hosts
-	they reference.  named has extended post zone load checks.
-	New zone options: check-mx and integrity-check.
-
-
-	edns-udp-size can now be overridden on a per server basis.
-
-	dig can now specify the EDNS version when making a query.
-
-	Added framework for handling multiple EDNS versions.
-
-	Additional memory debugging support to track size and mctx
-	arguments.
-
-	Detect duplicates of UDP queries we are recursing on and
-	drop them.  New stats category "duplicates".
-
-	"USE INTERNAL MALLOC" is now runtime selectable.
-
-	The lame cache is now done on a <qname,qclass,qtype> basis
-	as some servers only appear to be lame for certain query
-	types.
-
-	Limit the number of recursive clients that can be waiting
-	for a single query (<qname,qtype,qclass>) to resolve.  New
-	options clients-per-query and max-clients-per-query.
-
-	dig: report the number of extra bytes still left in the
-	packet after processing all the records.
-
-	Support for IPSECKEY rdata type.
-
-	Raise the UDP recieve buffer size to 32k if it is less than 32k.
-
-	x86 and x86_64 now have seperate atomic locking implementations.
-
-	named-checkconf now validates update-policy entries.
-
-	Attempt to make the amount of work performed in a iteration
-	self tuning.  The covers nodes clean from the cache per
-	iteration, nodes written to disk when rewriting a master
-	file and nodes destroyed per iteration when destroying a
-	zone or a cache.
-
-	ISC string copy API.
-
-	Automatic empty zone creation for D.F.IP6.ARPA and friends.
-	Note: RFC 1918 zones are not yet covered by this but are
-	likely to be in a future release.
-
-	New options: empty-server, empty-contact, empty-zones-enable
-	and disable-empty-zone.
-
-	dig now has a '-q queryname' and '+showsearch' options.
-
-	host/nslookup now continue (default)/fail on SERVFAIL.
-
-	dig now warns if 'RA' is not set in the answer when 'RD'
-	was set in the query.  host/nslookup skip servers that fail
-	to set 'RA' when 'RD' is set unless a server is explicitly
-	set.
-
-	Integrate contibuted DLZ code into named.
-
-	Integrate contibuted IDN code from JPNIC.
-
-	libbind: corresponds to that from BIND 8.4.7.
-
-BIND 9.3.0
-
-	BIND 9.3.0 has a number of new features over 9.2,
-	including:
-
-	DNSSEC is now DS based (RFC 3658).
-	See also RFC 3845, doc/draft/draft-ietf-dnsext-dnssec-*.
-
-	DNSSEC lookaside validation.
-
-	check-names is now implemented.
-	rrset-order in more complete.
-
-	IPv4/IPv6 transition support, dual-stack-servers.
-
-	IXFR deltas can now be generated when loading master files,
-	ixfr-from-differences.
-
-	It is now possible to specify the size of a journal, max-journal-size.
-
-	It is now possible to define a named set of master servers to be
-	used in masters clause, masters.
-
-	The advertised EDNS UDP size can now be set, edns-udp-size.
-
-	allow-v6-synthesis has been obsoleted.
-
-	NOTE:
-	* Zones containing MD and MF will now be rejected.
-	* dig, nslookup name. now report "Not Implemented" as
-	  NOTIMP rather than NOTIMPL.  This will have impact on scripts
-	  that are looking for NOTIMPL.
-
-	libbind: corresponds to that from BIND 8.4.5.
-
-BIND 9.2.0
-
-	BIND 9.2.0 has a number of new features over 9.1,
-	including:
-
-	  - The size of the cache can now be limited using the
-            "max-cache-size" option.
-
-	  - The server can now automatically convert RFC1886-style
-	    recursive lookup requests into RFC2874-style lookups, 
-	    when enabled using the new option "allow-v6-synthesis".
-            This allows stub resolvers that support AAAA records
-            but not A6 record chains or binary labels to perform
-            lookups in domains that make use of these IPv6 DNS
-            features.
-
-	  - Performance has been improved.
-
-	  - The man pages now use the more portable "man" macros
-	    rather than the "mandoc" macros, and are installed
-            by "make install".
-
-          - The named.conf parser has been completely rewritten.
-            It now supports "include" directives in more
-            places such as inside "view" statements, and it no
-            longer has any reserved words.
-
-          - The "rndc status" command is now implemented.
-
-	  - rndc can now be configured automatically.
-
-	  - A BIND 8 compatible stub resolver library is now
-	    included in lib/bind.
-
-	  - OpenSSL has been removed from the distribution.  This
-	    means that to use DNSSEC, OpenSSL must be installed and
-	    the --with-openssl option must be supplied to configure.
-	    This does not apply to the use of TSIG, which does not
-	    require OpenSSL.
-
-	  - The source distribution now builds on Windows.
-	    See win32utils/readme1.txt and win32utils/win32-build.txt
-	    for details.
-
-	This distribution also includes a new lightweight stub
-	resolver library and associated resolver daemon that fully
-	support forward and reverse lookups of both IPv4 and IPv6
-	addresses.  This library is considered experimental and
-	is not a complete replacement for the BIND 8 resolver library.
-	Applications that use the BIND 8 res_* functions to perform
-	DNS lookups or dynamic updates still need to be linked against
-	the BIND 8 libraries.  For DNS lookups, they can also use the
-	new "getrrsetbyname()" API.
-
-	BIND 9.2 is capable of acting as an authoritative server
-	for DNSSEC secured zones.  This functionality is believed to
-	be stable and complete except for lacking support for
-	verifications involving wildcard records in secure zones.
-
-	When acting as a caching server, BIND 9.2 can be configured
-	to perform DNSSEC secure resolution on behalf of its clients.
-	This part of the DNSSEC implementation is still considered
-	experimental.  For detailed information about the state of the
-	DNSSEC implementation, see the file doc/misc/dnssec.
-
-	There are a few known bugs:
-
-		On some systems, IPv6 and IPv4 sockets interact in
-		unexpected ways.  For details, see doc/misc/ipv6.
-		To reduce the impact of these problems, the server
-		no longer listens for requests on IPv6 addresses
-		by default.  If you need to accept DNS queries over
-		IPv6, you must specify "listen-on-v6 { any; };"
-		in the named.conf options statement.
-
-		FreeBSD prior to 4.2 (and 4.2 if running as non-root)
-		and OpenBSD prior to 2.8 log messages like
-		"fcntl(8, F_SETFL, 4): Inappropriate ioctl for device".
-		This is due to a bug in "/dev/random" and impacts the
-		server's DNSSEC support.
-
-		OS X 10.1.4 (Darwin 5.4), OS X 10.1.5 (Darwin 5.5) and
-		OS X 10.2 (Darwin 6.0) reports errors like
-		"fcntl(3, F_SETFL, 4): Operation not supported by device".
-		This is due to a bug in "/dev/random" and impacts the
-		server's DNSSEC support.
-
-		--with-libtool does not work on AIX.
-
-	A bug in some versions of the Microsoft DNS server can cause zone
-        transfers from a BIND 9 server to a W2K server to fail.  For details,
-	see the "Zone Transfers" section in doc/misc/migration.
-
-	For a detailed list of user-visible changes from
-	previous releases, see the CHANGES file.
-
+	- A new DNSSEC-aware libdns API for use by non-BIND9 applications
+	- On some platforms, named and other binaries can now print out
+	  a stack backtrace on assertion failure, to aid in debugging.
+	- A "tools only" installation mode on Windows, which only installs
+	  dig, host, nslookup and nsupdate.
+	- Improved PKCS#11 support, including Keyper support and explicit
+	  OpenSSL engine selection.
+
+	Known issues in this release:
+
+	- A validating resolver that has been incorrectly configured with
+	  an invalid trust anchor will be unable to resolve names covered
+	  by that trust anchor.  In all current versions of BIND 9, such a
+	  resolver will also generate significant unnecessary DNS traffic
+	  while trying to validate.  The latter problem will be addressed
+	  in future BIND 9 releases.  In the meantime, to avoid these
+	  problems, exercise caution when configuring "trusted-keys":
+	  make sure all keys are correct and current when you add them,
+	  and update your configuration in a timely manner when keys
+	  roll over.
+
+	- In rare cases, DNSSEC validation can leak memory.  When this 
+	  happens, it will cause an assertion failure when named exits,
+	  but is otherwise harmless.  A fix exists, but was too late for
+	  this release; it will be included in BIND 9.7.1.
+
+	Compatibility notes:
+
+	- If you had built BIND 9.6 with any of ALLOW_NSEC3PARAM_UPDATE,
+	  ALLOW_SECURE_TO_INSECURE or ALLOW_INSECURE_TO_SECURE defined, then
+	  you should ensure that all changes that are in progress have
+	  completed prior to upgrading to BIND 9.7.  BIND 9.7 implements
+	  those features in a way which is not backwards compatible.
+
+	- Prior releases had a bug which caused HMAC-SHA* keys with long
+	  secrets to be used incorrectly.  Fixing this bug means that older
+	  versions of BIND 9 may fail to interoperate with this version
+	  when using TSIG keys.  If this occurs, the new "isc-hmac-fixup"
+	  tool will convert a key with a long secret into a form that works
+	  correctly with all versions of BIND 9.  See the "isc-hmac-fixup"
+	  man page for additional details.
+
+	- Revoking a DNSSEC key with "dnssec-revoke" changes its key ID.
+	  It is possible for the new key ID to collide with that of a
+	  different key.  Newly generated keys will not have this problem,
+	  as "dnssec-keygen" looks for potential collisions before
+	  generating keys, but exercise caution if using key revokation
+	  with keys that were generated by older versions of BIND 9.  See
+	  the Administrator's Reference Manual, section 4.10 ("Dynamic
+	  Trust Anchor Management") for more details.
+
+	- A bug was fixed in which a key's scheduled inactivity date was
+	  stored incorectly.  Users who participated in the 9.7.0 BETA test
+	  and had DNSSEC keys with scheduled inactivity dates will need to
+	  reset those keys' dates using "dnssec-settime -I".
 
 Building
 
@@ -456,9 +143,9 @@ Building
 		Ubuntu 7.04, 7.10
 		Windows XP/2003/2008
 
-        NOTE:  As of BIND 9.5.1, 9.4.3, and 9.3.6, older versions of
-        Windows, including Windows NT and Windows 2000, are no longer
-        supported.
+	NOTE:  As of BIND 9.5.1, 9.4.3, and 9.3.6, older versions of
+	Windows, including Windows NT and Windows 2000, are no longer
+	supported.
 
 	We have recent reports from the user community that a supported
 	version of BIND will build and run on the following systems:
@@ -558,10 +245,10 @@ Building
 	on the configure command line.  The default is operating
 	system dependent.
 
-        Support for the "fixed" rrset-order option can be enabled
-        or disabled by specifying "--enable-fixed-rrset" or
-        "--disable-fixed-rrset" on the configure command line.
-        The default is "disabled", to reduce memory footprint.
+	Support for the "fixed" rrset-order option can be enabled
+	or disabled by specifying "--enable-fixed-rrset" or
+	"--disable-fixed-rrset" on the configure command line.
+	The default is "disabled", to reduce memory footprint.
 
 	If your operating system has integrated support for IPv6, it
 	will be used automatically.  If you have installed KAME IPv6
@@ -627,8 +314,8 @@ Documentation
 	Frequently asked questions and their answers can be found in
 	FAQ.
 
-        Additional information on various subjects can be found
-        in the other README files.
+	Additional information on various subjects can be found
+	in the other README files.
 
 
 Bug Reports and Mailing Lists
diff --git a/README.dnssec b/README.dnssec
deleted file mode 100644
index a3eda796..00000000
--- a/README.dnssec
+++ /dev/null
@@ -1,186 +0,0 @@
-
-			DNSSEC and Dynamic Zones
-
-As of BIND 9.7.0 it is possible to change a dynamic zone from
-insecure to secure and back again.  A secure zone can use either
-NSEC or NSEC3 chains.
-
-		Converting from insecure to secure
-
-Changing a zone from insecure to secure can be done in two ways:
-using a dynamic DNS update, or the "auto-dnssec" zone option.
-
-For either method, you need to configure named so that it can see
-the K* files which contain the public and private parts of the keys
-that will be used to sign the zone.  These files will have been
-generated by dnssec-keygen.  You can do this by placing them in
-the key-directory, as specified in named.conf:
-
-	zone example.net {
-		type master;
-		update-policy local;
-		file "dynamic/example.net/example.net";
-		key-directory "dynamic/example.net";
-	};
-
-If one KSK and one ZSK DNSKEY key have been generated, this configuration
-will cause all records in the zone to be signed with the ZSK, and the
-DNSKEY RRset to be signed with the KSK as well.  An NSEC chain will be
-generated as part of the initial signing process.
-
-		Dynamic DNS update method
-
-To insert the keys via dynamic update:
-
-	% nsupdate
-	> ttl 3600
-	> update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
-	> update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
-	> send
-
-While the update request will complete almost immediately, the zone
-will not be completely signed until named has had time to walk the
-zone and generate the NSEC and RRSIG records.  The NSEC record at the
-apex will be added last, to signal that there is a complete NSEC chain.
-
-If you wish to sign using NSEC3 instead of NSEC, you should add an
-NSEC3PARAM record to the initial update request.  If you wish the
-NSEC3 chain to have the OPTOUT bit set, set it in the flags field
-of the NSEC3PARAM record.
-
-	% nsupdate
-	> ttl 3600
-	> update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
-	> update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
-	> update add example.net NSEC3PARAM 1 1 100 1234567890
-	> send
-
-Again, this update request will complete almost immediately; however,
-the record won't show up until named has had a chance to build/remove
-the relevant chain.  A private type record will be created to record
-the state of the operation (see below for more details), and will be
-removed once the operation completes.
-
-While the initial signing and NSEC/NSEC3 chain generation is happening,
-other updates are possible as well.
-
-		Fully automatic zone signing
-
-To enable automatic signing, add the "auto-dnssec" option to the zone
-statement in named.conf.  "auto-dnssec" has two possible arguments:
-"allow" or "maintain".
-
-With "auto-dnssec allow", named can search the key directory for keys
-matching the zone, insert them into the zone, and use them to sign the
-zone.  It will do so only when it receives an "rndc sign <zonename>"
-command.
-
-"auto-dnssec maintain" includes the above functionality, but will also
-automatically adjust the zone's DNSKEY records on schedule according to the
-keys' timing metadata (see the man pages for dnssec-keygen and
-dnssec-settime for more information).  If keys are present in the key
-directory the first time the zone is loaded, it will be signed
-immediately, without waiting for an "rndc sign" command.  (This
-command can still be used for unscheduled key changes, however.)
-
-Using the "auto-dnssec" option requires the zone to be configured to
-allow dynamic updates, by adding an "allow-update" or "update-policy"
-statement to the zone configuration.  If this has not been done, the
-configuration will fail.
-
-		Private-type records
-
-The state of the signing process is signaled by private-type records
-(with a default type value of 65534).  When signing is complete, these
-records will have a nonzero value for the final octet (for those records
-which have a nonzero initial octet).
-
-The private type record format:
-If the first octet is non-zero then the record indicates that the zone needs
-to be signed with the key matching the record, or that all signatures that
-match the record should be removed.
-
-	algorithm (octet 1)
-	key id in network order (octet 2 and 3)
-	removal flag (octet 4)
-	complete flag (octet 5)
-
-Only records flagged as "complete" can be removed via dynamic update.
-Attempts to remove other private type records will be silently ignored.
-
-If the first octet is zero (this is a reserved algorithm number
-that should never appear in a DNSKEY record) then the record indicates
-changes to the NSEC3 chains are in progress.  The rest of the record
-contains an NSEC3PARAM record.  The flag field tells what operation
-to perform based on the flag bits.
-
-	0x01 OPTOUT
-	0x80 CREATE
-	0x40 REMOVE
-	0x20 NONSEC
-
-		DNSKEY rollovers via UPDATE
-
-It is possible to perform key rollovers via dynamic update.  You need
-to add the K* files for the new keys so that named can find them.  You
-can then add the new DNSKEY RRs via dynamic update.  Named will then cause
-the zone to be signed with the new keys.  When the signing is
-complete the private type records will be updated so that the last
-octet is non zero.
-
-If this is for a KSK you need to inform the parent and any trust
-anchor repositories of the new KSK.
-
-You should then wait for the maximum TTL in the zone before removing the
-old DNSKEY.  If it is a KSK that is being updated, you also need to wait
-for the DS RRset in the parent to be updated and its TTL to expire.
-This ensures that all clients will be able to verify at least one
-signature when you remove the old DNSKEY.
-
-The old DNSKEY can be removed via UPDATE.  Take care to specify
-the correct key.  Named will clean out any signatures generated by
-the old key after the update completes.
-
-		NSEC3PARAM rollovers via UPDATE
-
-Add the new NSEC3PARAM record via dynamic update.  When the new NSEC3 chain
-has been generated, the NSEC3PARAM flag field will be zero.  At this
-point you can remove the old NSEC3PARAM record.  The old chain will
-be removed after the update request completes.
-
-		Converting from NSEC to NSEC3
-
-To do this, you just need to add an NSEC3PARAM record.  When the
-conversion is complete, the NSEC chain will have been removed and
-the NSEC3PARAM record will have a zero flag field.  The NSEC3 chain
-will be generated before the NSEC chain is destroyed.
-
-		Converting from NSEC3 to NSEC
-
-To do this, remove all NSEC3PARAM records with a zero flag field.  The
-NSEC chain will be generated before the NSEC3 chain is removed.
-
-		Converting from secure to insecure
-
-To do this, remove all the DNSKEY records.  Any NSEC or NSEC3 chains
-will be removed as well, along with associated NSEC3PARAM records.
-This will take place after the update request completes.  This
-requires the "dnssec-secure-to-insecure" option to be set to "yes"
-in named.conf.
-
-		Periodic re-signing
-
-In any secure zone which supports dynamic updates, named will
-periodically re-sign RRsets which have not been re-signed as
-a result of some update action.  The signature lifetimes will
-be adjusted so as to spread the re-sign load over time rather than
-all at once.
-
-		NSEC3 and OPTOUT
-
-Named only supports creating new NSEC3 chains where all the NSEC3
-records in the zone have the same OPTOUT state.  Named supports
-UPDATES to zones where the NSEC3 records in the chain have mixed
-OPTOUT state.  Named does not support changing the OPTOUT state of
-an individual NSEC3 record, the entire chain needs to be changed if
-the OPTOUT state of an individual NSEC3 needs to be changed.
diff --git a/README.libdns b/README.libdns
deleted file mode 100644
index e00444f9..00000000
--- a/README.libdns
+++ /dev/null
@@ -1,275 +0,0 @@
-
-			BIND-9 DNS Library Support
-
-This version of BIND9 "exports" its internal libraries so that they
-can be used by third-party applications more easily (we call them
-"export" libraries in this document).  In addition to all major
-DNS-related APIs BIND9 is currently using, the export libraries
-provide the following features:
-
-- The newly created "DNS client" module.  This is a higher level API
-  that provides an interface to name resolution, single DNS
-  transaction with a particular server, and dynamic update.  Regarding
-  name resolution, it supports advanced features such as DNSSEC
-  validation and caching.  This module supports both synchronous and
-  asynchronous mode.
-- The new "IRS" (Information Retrieval System) library.  It provides
-  an interface to parse the traditional resolv.conf file and more
-  advanced, DNS-specific configuration file for the rest of this
-  package (see the description for the dns.conf file below).
-- As part of the IRS library, newly implemented standard address-name
-  mapping functions, getaddrinfo() and getnameinfo(), are provided.
-  They use the DNSSEC-aware validating resolver backend, and could use
-  other advanced features of the BIND9 libraries such as caching.  The
-  getaddrinfo() function resolves both A and AAAA RRs concurrently
-  (when the address family is unspecified).
-- An experimental framework to support other event libraries than
-  BIND9's internal event task system.
-
-* Prerequisite
-
-GNU make is required to build the export libraries (other part of
-BIND9 can still be built with other types of make).  In the reminder
-of this document, "make" means GNU make.  Note that in some platforms
-you may need to invoke a different command name than "make"
-(e.g. "gmake") to indicate it's GNU make.
-
-* Compilation
-
-1. ./configure --enable-exportlib [other flags]
-2. make
-
-This will create (in addition to usual BIND9 programs) and a separate
-set of libraries under the lib/export directory.  For example,
-lib/export/dns/libdns.a is the archive file of the export version of
-the BIND9 DNS library.
-
-Sample application programs using the libraries will also be built
-under the lib/export/samples directory (see below).
-
-* Installation
-
-1. cd lib/export
-2. make install (root privilege is normally required)
-   (make install at the top directory will do the same)
-
-This will install library object files under the directory specified
-by the --with-export-libdir configure option (default:
-EPREFIX/lib/bind9), and header files under the directory specified by
-the --with-export-includedir configure option (default:
-PREFIX/include/bind9).
-
-To see how to build your own application after the installation, see
-lib/export/samples/Makefile-postinstall.in
-
-* Known Defects/Restrictions
-
-- Currently, win32 is not supported for the export library.  (Normal
-  BIND9 application can be built as before).
-- The "fixed" RRset order is not (currently) supported in the export
-  library.  If you want to use "fixed" RRset order for, e.g. named
-  while still building the export library even without the fixed
-  order support, build them separately:
-  % ./configure --enable-fixed-rrset [other flags, but not --enable-exportlib]
-  % make (this doesn't have to be make)
-  % ./configure --enable-exportlib [other flags, but not --enable-fixed-rrset]
-  % cd lib/export
-  % make
-- The client module and the IRS library currently do not support
-  DNSSEC validation using DLV (the underlying modules can handle it,
-  but there is no tunable interface to enable the feature).
-- RFC5011 is not supported in the validating stub resolver of the
-  export library.  In fact, it is not clear whether it should: trust
-  anchors would be a system-wide configuration which would be managed
-  by an administrator, while the stub resolver will be used by
-  ordinary applications run by a normal user.
-- Not all common /etc/resolv.conf options are supported in the IRS library.
-  The only available options in this version are "debug" and "ndots".
-
-* The dns.conf File
-
-The IRS library supports an "advanced" configuration file related to
-the DNS library for configuration parameters that would be beyond the
-capability of the resolv.conf file.  Specifically, it is intended to
-provide DNSSEC related configuration parameters.
-
-By default the path to this configuration file is /etc/dns.conf.
-
-This module is very experimental and the configuration syntax or
-library interfaces may change in future versions.  Currently, only the
-'trusted-keys' statement is supported, whose syntax is the same as the
-same name of statement for named.conf.
-
-* Sample Applications
-
-Some sample application programs using this API are provided for
-reference.  The following is a brief description of these
-applications.
-
-- sample: a simple stub resolver utility.
-
-  It sends a query of a given name (of a given optional RR type)
-  to a specified recursive server, and prints the result as a list of
-  RRs.  It can also act as a validating stub resolver if a trust
-  anchor is given via a set of command line options.
-
-  Usage: sample [options] server_address hostname
-
-  Options and Arguments:
-  -t RRtype
-	specify the RR type of the query.  The default is the A RR.
-  [-a algorithm] [-e] -k keyname -K keystring
-	specify a command-line DNS key to validate the answer.  For
-	example, to specify the following DNSKEY of example.com:
-		example.com. 3600 IN DNSKEY 257 3 5 xxx
-        specify the options as follows:
-	  -e -k example.com -K "xxx"
-	-e means that this key is a zone's "key signing key" (as known
-        as "secure Entry point").
- 	when -a is omitted rsasha1 will be used by default.
-  -s domain:alt_server_address
-	specify a separate recursive server address for the specific
-	"domain".  Example: -s example.com:2001:db8::1234
-  server_address
-	an IP(v4/v6) address of the recursive server to which queries
-	are sent.
-  hostname
-	the domain name for the query
-
-- sample-async: a simple stub resolver, working asynchronously.
-
-  Similar to "sample", but accepts a list of (query) domain names as a
-  separate file and resolves the names asynchronously.
-
-  Usage: sample-async [-s server_address] [-t RR_type] input_file
-  Options and Arguments:
-  -s server_address
-	an IPv4 address of the recursive server to which queries are
-	sent.  (IPv6 addresses are not supported in this implementation)
-  -t RR_type
-	specify the RR type of the queries.  The default is the A RR.
-  input_file
-	a list of domain names to be resolved.  each line consists of a
-	single domain name.  Example:
-  	www.example.com
-	mx.examle.net
-	ns.xxx.example
-
-- sample-request: a simple DNS transaction client.
-
-  It sends a query to a specified server, and prints the response with
-  minimal processing.  It doesn't act as a "stub resolver": it stops
-  the processing once it gets any response from the server, whether
-  it's a referral or an alias (CNAME or DNAME) that would require
-  further queries to get the ultimate answer.  In other words, this
-  utility acts as a very simplified dig.
-
-  Usage: sample-request [-t RRtype] server_address hostname
-  Options and Arguments:
-  -t RRtype
-	specify the RR type of the queries.  The default is the A RR.
-  server_address
-	an IP(v4/v6) address of the recursive server to which the query is
-	sent.
-  hostname
-	the domain name for the query
-
-- sample-gai: getaddrinfo() and getnameinfo() test code.
-
-  This is a test program to check getaddrinfo() and getnameinfo()
-  behavior.  It takes a host name as an argument, calls getaddrinfo()
-  with the given host name, and calls getnameinfo() with the resulting
-  IP addresses returned by getaddrinfo().  If the dns.conf file exists
-  and defines a trust anchor, the underlying resolver will act as a
-  validating resolver, and getaddrinfo()/getnameinfo() will fail with
-  an EAI_INSECUREDATA error when DNSSEC validation fails.
-
-  Usage: sample-gai hostname
-
-- sample-update: a simple dynamic update client program
-
-  It accepts a single update command as a command-line argument, sends
-  an update request message to the authoritative server, and shows the
-  response from the server.  In other words, this is a simplified
-  nsupdate.
-
-  Usage: sample-update [options] (add|delete) "update data"
-  Options and Arguments:
-  -a auth_server
-	An IP address of the authoritative server that has authority
-	for the zone containing the update name.  This should normally
-	be the primary authoritative server that accepts dynamic
-	updates.  It can also be a secondary server that is configured
-	to forward update requests to the primary server.
-  -k keyfile
-	A TSIG key file to secure the update transaction.  The keyfile
-	format is the same as that for the nsupdate utility.
-  -p prerequisite
-	A prerequisite for the update (only one prerequisite can be
-	specified).  The prerequisite format is the same as that is
-	accepted by the nsupdate utility.
-  -r recursive_server
-	An IP address of a recursive server that this utility will
-	use.  A recursive server may be necessary to identify the
-	authoritative server address to which the update request is
-	sent.
-  -z zonename
-	The domain name of the zone that contains
-  (add|delete)
-	Specify the type of update operation.  Either "add" or "delete"
-	must be specified.
-  "update data"
-	Specify the data to be updated.  A typical example of the data
-	would look like "name TTL RRtype RDATA".
-
-   Note: in practice, either -a or -r must be specified.  Others can
-   be optional; the underlying library routine tries to identify the
-   appropriate server and the zone name for the update.
-
-   Examples: assuming the primary authoritative server of the
-   dynamic.example.com zone has an IPv6 address 2001:db8::1234,
-   + sample-update -a sample-update -k Kxxx.+nnn+mmmm.key add "foo.dynamic.example.com 30 IN A 192.168.2.1"
-     adds an A RR for foo.dynamic.example.com using the given key.
-   + sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com 30 IN A"
-     removes all A RRs for foo.dynamic.example.com using the given key.
-   + sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com"
-     removes all RRs for foo.dynamic.example.com using the given key.
-
-- nsprobe: domain/name server checker in terms of RFC4074.
-
-  It checks a set of domains to see the name servers of the domains
-  behave correctly in terms of RFC4074.  This is included in the set
-  of sample programs to show how the export library can be used in a
-  DNS-related application.
-
-  Usage: nsprobe [-d] [-v [-v...]] [-c cache_address] [input_file]
-  Options
-  -d
-	run in the "debug" mode.  with this option nsprobe will dump
-	every RRs it receives.
-  -v
-	increase verbosity of other normal log messages.  This can be
-	specified multiple times
-  -c cache_address
-	specify an IP address of a recursive (caching) name server.
-	nsprobe uses this server to get the NS RRset of each domain and
-	the A and/or AAAA RRsets for the name servers.  The default
-	value is 127.0.0.1.
-  input_file
-	a file name containing a list of domain (zone) names to be
-	probed.  when omitted the standard input will be used.  Each
-	line of the input file specifies a single domain name such as
-	"example.com".  In general this domain name must be the apex
-	name of some DNS zone (unlike normal "host names" such as
-	"www.example.com").  nsprobe first identifies the NS RRsets for
-	the given domain name, and sends A and AAAA queries to these
-	servers for some "widely used" names under the zone;
-	specifically, adding "www" and "ftp" to the zone name.
-
-* Library References
-
-As of this writing, there is no formal "manual" of the libraries,
-except this document, header files (some of them provide pretty
-detailed explanations), and sample application programs.
-
-; $Id: README.libdns,v 1.3 2009/09/15 19:12:03 jinmei Exp $
diff --git a/README.pkcs11 b/README.pkcs11
deleted file mode 100644
index 72ce281e..00000000
--- a/README.pkcs11
+++ /dev/null
@@ -1,309 +0,0 @@
-
-		BIND 9 PKCS #11 (Cryptoki) support
-
-INTRODUCTION
-
-PKCS #11 (Public Key Cryptography Standard #11) defines a platform-
-independent API for the control of hardware security modules (HSMs)
-and other cryptographic support devices. 
-
-BIND 9 is known to work with two HSMs:  The Sun SCA 6000 cryptographic
-acceleration board, tested under Solaris x86, and the AEP Keyper
-network-attached key storage device, tested with Debian Linux,
-Solaris x86 and Windows Server 2003.
-
-PREREQUISITES
-
-See the HSM vendor documentation for information about installing,
-initializing, testing and troubleshooting the HSM.
-
-BIND 9 uses OpenSSL for cryptography, but stock OpenSSL does not
-yet fully support PKCS #11.  However, a PKCS #11 engine for OpenSSL
-is available from the OpenSolaris project.  It has been modified by
-ISC to work with with BIND 9, and to provide new features such as
-PIN management and key by reference.
-
-The patched OpenSSL depends on a "PKCS #11 provider".  This is a shared
-library object, providing a low-level PKCS #11 interface to the HSM
-hardware.  It is dynamically loaded by OpenSSL at runtime.  The PKCS #11
-provider comes from the HSM vendor, and and is specific to the HSM to be
-controlled.
-
-There are two "flavors" of PKCS #11 support provided by the patched
-OpenSSL, one of which must be chosen at configuration time.  The correct
-choice depends on the HSM hardware:
-
- - Use 'crypto-accelerator' with HSMs that have hardware cryptographic
-   acceleration features, such as the SCA 6000 board.  This causes OpenSSL
-   to run all supported cryptographic operations in the HSM.
-
- - Use 'sign-only' with HSMs that are designed to function primarily as
-   secure key storage devices, but lack hardware acceleration.  These
-   devices are highly secure, but are not necessarily any faster at
-   cryptography than the system CPU--often, they are slower.  It is
-   therefore most efficient to use them only for those cryptographic
-   functions that require access to the secured private key, such as
-   zone signing, and to use the system CPU for all other computationally-
-   intensive operations.  The AEP Keyper is an example of such a device.
-
-The modified OpenSSL code is included in the BIND 9.7.0b1 release, in the
-form of a context diff against OpenSSL 0.9.8l.  Before building BIND 9
-with PKCS #11 support, it will be necessary to build OpenSSL with this
-patch in place and inform it of the path to the HSM-specific PKCS #11
-provider library.
-
-Obtain OpenSSL 0.9.8l:
-
-    wget http://www.openssl.org/source/openssl-0.9.8l.tar.gz
-
-Extract the tarball:
-
-    tar zxf openssl-0.9.8l.tar.gz
-
-Apply the patch from the BIND 9 release:
-
-    patch -p1 -d openssl-0.9.8l \
-            < bind-9.7.0b1/bin/pkcs11/openssl-0.9.8l-patch 
-
-(Note that the patch file may not be compatible with the "patch"
-utility on all operating systems.  You may need to install GNU patch.)
-
-When building OpenSSL, place it in a non-standard location so that it
-does not interfere with OpenSSL libraries elsewhere on the system.
-In the following examples, we choose to install into "/opt/pkcs11/usr".
-We will use this location when we configure BIND 9.
-
-    EXAMPLE 1--BUILDING OPENSSL FOR THE AEP KEYPER ON LINUX:
-
-    The AEP Keyper is a highly secure key storage device, but does
-    not provide hardware cryptographic acceleration.  It can carry out
-    cryptographic operations, but it is probably slower than your
-    system's CPU.  Therefore, we choose the 'sign-only' flavor when
-    building OpenSSL.
-
-    The Keyper-specific PKCS #11 provider library is delivered with the
-    Keyper software.  In this example, we place it /opt/pkcs11/usr/lib:
-
-        cp pkcs11.GCC4.0.2.so.4.05 /opt/pkcs11/usr/lib/libpkcs11.so
-
-    This library is only available for Linux as a 32-bit binary.  If we are
-    compiling on a 64-bit Linux system, it is necessary to force a 32-bit
-    build, by specifying -m32 in the build options.
-
-    Finally, the Keyper library requires threads, so we must specify -pthread.
-    
-        cd openssl-0.9.8l
-        ./Configure linux-generic32 -m32 -pthread \
-            --pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so \
-            --pk11-flavor=sign-only \
-            --prefix=/opt/pkcs11/usr
-
-    After configuring, run "make" and "make test".  If "make test" fails
-    with "pthread_atfork() not found", you forgot to add the -pthread
-    above.
-
-    EXAMPLE 2--BUILDING OPENSSL FOR THE SCA 6000 ON SOLARIS:
-
-    The SCA-6000 PKCS #11 provider is installed as a system library,
-    libpkcs11. It is a true crypto accelerator, up to 4 times faster
-    than any CPU, so the flavor shall be 'crypto-accelerator'.
-
-    In this example, we are building on Solaris x86 on an AMD64 system.
-
-        cd openssl-0.9.8l
-        ./Configure solaris64-x86_64-cc \
-            --pk11-libname=/usr/lib/64/libpkcs11.so \
-            --pk11-flavor=crypto-accelerator \
-            --prefix=/opt/pkcs11/usr
-
-    (For a 32-bit build, use "solaris-x86-cc" and /usr/lib/libpkcs11.so.)
-
-    After configuring, run "make" and "make test".
-
-Once you have built OpenSSL, run "apps/openssl engine pkcs11" to confirm
-that PKCS #11 support was compiled in correctly.  The output should be
-one of the following lines, depending on the flavor selected:
-
-        (pkcs11) PKCS #11 engine support (sign only)
-
-Or:
-
-        (pkcs11) PKCS #11 engine support (crypto accelerator)
-
-Next, run "apps/openssl engine pkcs11 -t".  This will attempt to initialize
-the PKCS #11 engine.  If it is able to do so successfully, it will report
-"[ available ]".
-
-If the output is correct, run "make install".
-
-BUILDING BIND 9
-
-When building BIND 9, the location of the custom-built OpenSSL
-library must be specified via configure.
-
-    EXAMPLE 3--CONFIGURING BIND 9 FOR LINUX
-
-    To link with the PKCS #11 provider, threads must be enabled in the
-    BIND 9 build.
-
-    The PKCS #11 library for the AEP Keyper is currently only available as
-    a 32-bit binary.  If we are building on a 64-bit host, we must force a
-    32-bit build by adding "-m32" to the CC options on the "configure"
-    command line.
-
-        cd ../bind-9.7.0b1
-        ./configure CC="gcc -m32" --enable-threads \
-            --with-openssl=/opt/pkcs11/usr \
-            --with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so
-
-    EXAMPLE 4--CONFIGURING BIND 9 FOR SOLARIS
-
-    To link with the PKCS #11 provider, threads must be enabled in the
-    BIND 9 build.
-
-        cd ../bind-9.7.0b1
-        ./configure CC="cc -xarch=amd64" --enable-threads \
-            --with-openssl=/opt/pkcs11/usr \
-            --with-pkcs11=/usr/lib/64/libpkcs11.so
-
-    (For a 32-bit build, omit CC="cc -xarch=amd64".)
-
-If configure complains about OpenSSL not working, you may have a 32/64-bit
-architecture mismatch.  Or, you may have incorrectly specified the path to
-OpenSSL (it should be the same as the --prefix argument to the OpenSSL
-Configure).  
-
-After configuring, run "make", "make test" and "make install".
-
-PKCS #11 TOOLS
-
-BIND 9 includes a minimal set of tools to operate the HSM, including
-"pkcs11-keygen" to generate a new key pair within the HSM, "pkcs11-list"
-to list objects currently available, and "pkcs11-destroy" to remove
-objects.
-
-In UNIX/Linux builds, these tools are built only if BIND 9 is configured
-with the --with-pkcs11 option.  (NOTE: If --with-pkcs11 is set to "yes",
-rather than to the path of the PKCS #11 provider, then the tools will be
-built but the provider will be left undefined.  Use the -m option or the
-PKCS11_PROVIDER environment variable to specify the path to the provider.)
-
-USING THE HSM
-
-First, we must set up the runtime environment so the OpenSSL and PKCS #11
-libraries can be loaded:
-
-    export LD_LIBRARY_PATH=/opt/pkcs11/usr/lib:${LD_LIBRARY_PATH}
-
-When operating an AEP Keyper, it is also necessary to specify the
-location of the "machine" file, which stores information about the Keyper
-for use by PKCS #11 provider library.  If the machine file is in
-/opt/Keyper/PKCS11Provider/machine, use:
-
-    export KEYPER_LIBRARY_PATH=/opt/Keyper/PKCS11Provider
-
-These environment variables must be set whenever running any tool
-that uses the HSM, including pkcs11-keygen, pkcs11-list, pkcs11-destroy,
-dnssec-keyfromlabel, dnssec-signzone, dnssec-keygen (which will use
-the HSM for random number generation), and named.
-
-We can now create and use keys in the HSM.  In this case, we will
-create a 2048 bit key and give it the label "sample-ksk":
-
-    pkcs11-keygen -b 2048 -l sample-ksk
-
-To confirm that the key exists:
-
-    pkcs11-list
-    Enter PIN:
-    object[0]: handle 2147483658 class 3 label[8] 'sample-ksk' id[0] 
-    object[1]: handle 2147483657 class 2 label[8] 'sample-ksk' id[0] 
-
-Before using this key to sign a zone, we must create a pair of BIND 9
-key files.  The "dnssec-keyfromlabel" utility does this.  In this case,
-we will be using the HSM key "sample-ksk" as the key-signing key for
-"example.net":
-
-    dnssec-keyfromlabel -l sample-ksk -f KSK example.net
-
-The resulting K*.key and K*.private files can now be used to sign the
-zone.  Unlike normal K* files, which contain both public and private
-key data, these files will contain only the public key data, plus an
-identifier for the private key which remains stored within the HSM.
-The HSM handles signing with the private key.
-
-If you wish to generate a second key in the HSM for use as a zone-signing
-key, follow the same procedure above, using a different keylabel, a
-smaller key size, and omitting "-f KSK" from the dnssec-keyfromlabel
-arguments:
-
-    pkcs11-keygen -b 1024 -l sample-zsk
-    dnssec-keyfromlabel -l sample-zsk example.net
-
-Alternatively, you may prefer to generate a conventional on-disk key,
-using dnssec-keygen:
-
-    dnssec-keygen example.net
-
-This provides less security than an HSM key, but since HSMs can be
-slow or cumbersome to use for security reasons, it may be more
-efficient to reserve HSM keys for use in the less frequent
-key-signing operation.  The zone-signing key can be rolled more
-frequently, if you wish, to compensate for a reduction in key
-security.
-
-Now you can sign the zone.  (Note: If not using the -S option to
-dnssec-signzone, it will be necessary to add the contents of both
-K*.key files to the zone master file before signing it.)
-
-    dnssec-signzone -S example.net
-    Enter PIN:
-    Verifying the zone using the following algorithms: NSEC3RSASHA1.
-    Zone signing complete:
-    Algorithm: NSEC3RSASHA1: ZSKs: 1, KSKs: 1 active, 0 revoked, 0 stand-by
-    example.net.signed
-
-SPECIFYING THE ENGINE ON THE COMMAND LINE
-
-The OpenSSL engine can be specified in named and all of the dnssec-*
-tools by using the "-E <engine>" command line option.  If BIND 9 is built
-with the --with-pkcs11 option, this option defaults to "pkcs11".
-Specifying the engine will generally not be necessary unless for
-some reason you wish to use a different OpenSSL engine.
-
-If you wish to disable use of the "pkcs11" engine--for troubleshooting
-purposes, or because the HSM is unavailable--set the engine to the empty
-string.  For example:
-
-    dnssec-signzone -E '' -S example.net
-
-This causes dnssec-signzone to run as if it were compiled without the
---with-pkcs11 option.
-
-RUNNING NAMED WITH AUTOMATIC ZONE RE-SIGNING
-
-If you want named to dynamically re-sign zones using HSM keys, and/or to
-to sign new records inserted via nsupdate, then named must have access
-to the HSM PIN.  This can be accomplished by placing the PIN into the
-openssl.cnf file (in the above examples, /opt/pkcs11/usr/ssl/openssl.cnf).
-
-The location of the openssl.cnf file can be overridden by setting the
-OPENSSL_CONF environment variable before running named.
-
-Sample openssl.cnf:
-
-        openssl_conf = openssl_def
-        [ openssl_def ]
-        engines = engine_section
-        [ engine_section ]
-        pkcs11 = pkcs11_section
-        [ pkcs11_section ]
-        PIN = <PLACE PIN HERE>
-
-This will also allow the dnssec-* tools to access the HSM without
-PIN entry.  (The pkcs11-* tools access the HSM directly, not via
-OpenSSL, so a PIN will still be required to use them.)
-
-PLEASE NOTE:  Placing the HSM's PIN in a text file in this manner
-may reduce the security advantage of using an HSM.  Be sure this
-is what you want to do before configuring BIND 9 in this way.
diff --git a/README.rfc5011 b/README.rfc5011
deleted file mode 100644
index 7cf34912..00000000
--- a/README.rfc5011
+++ /dev/null
@@ -1,74 +0,0 @@
-
-                        BIND 9 RFC 5011 support
-
-BIND 9.7.0 introduces support for RFC 5011, dynamic trust anchor
-management.  Using this feature allows named to keep track of changes to
-critical DNSSEC keys without any need for the operator to make changes to
-configuration files.
-
-VALIDATING RESOLVER
--------------------
-
-To configure a validating resolver to use RFC5011 to maintain a trust
-anchor, configure the trust anchor using a "managed-keys" statement.
-Information about this can be found in the ARM, in the section titled
-"managed-keys Statement Definition".
-
-AUTHORITATIVE SERVER
---------------------
-
-To set up an authoritative zone for RFC5011 trust anchor maintenance,
-generate two (or more) key signing keys (KSKs) for the zone.  Sign the zone
-with one of them; this is the "active" KSK.  All KSK's which do not sign
-the zone are "stand-by" keys.
-
-Any validating resolver which is configured to use the active KSK as an
-RFC5011-managed trust anchor will take note of the stand-by KSKs in the
-zone's DNSKEY RRset, and store them for future reference.  The resolver
-will recheck the zone periodically, and after 30 days, if the new key is
-still there, then the key will be accepted by the resolver as a valid
-trust anchor for the zone.  Any time after this 30-day acceptance timer
-has completed, the active KSK can be revoked, and the zone can be "rolled
-over" to the newly accepted key.
-
-The easiest way to place a stand-by key in a zone is to use the "smart
-signing" features of dnssec-keygen and dnssec-signzone.  If a key with a
-publication date in the past, but an activation date which is unset or in
-the future, "dnssec-signzone -S" will include the DNSKEY record in the
-zone, but will not sign with it:
-
-    $ dnssec-keygen -K keys -f KSK -P now -A now+2y example.net
-    $ dnssec-signzone -S -K keys example.net
-
-To revoke a key, the new command "dnssec-revoke" has been added.  This adds
-the REVOKED bit to the key flags and re-generates the K*.key and K*.private
-files.
-
-After revoking the active key, the zone must be signed with both the
-revoked KSK and the new active KSK.  (Smart signing takes care of this
-automatically.)
-
-Once a key has been revoked and used to sign the DNSKEY RRset in which it
-appears, that key will never again be accepted as a valid trust anchor by
-the resolver.  However, validation can proceed using the new active key
-(which had been accepted by the resolver when it was a stand-by key).
-
-See RFC 5011 for more details on key rollover scenarios.
-
-When a key has been revoked, its key ID changes, increasing by
-128, and wrapping around at 65535.  So, for example, the key
-"Kexample.com.+005+10000" becomes "Kexample.com.+005+10128".
-
-If two keys have ID's exactly 128 apart, and one is revoked, then the
-two key ID's will collide, causing several problems.  To prevent this,
-dnssec-keygen will not generate a new key if another key is present which
-may collide.  This checking will only occur if the new keys are written
-to the same directory which holds all other keys in use for that zone.
-
-Older versions of BIND 9 did not have this precaution.  Exercise caution if
-using key revocation on keys that were generated by previous releases, or
-if using keys stored in multiple directories or on multiple machines.
-
-It is expected that a future release of BIND 9 will address this problem
-in a different way, by storing revoked keys with their original unrevoked
-key ID's.
diff --git a/bin/dnssec/dnssec-settime.8 b/bin/dnssec/dnssec-settime.8
index b2b33b51..0eaf97cd 100644
--- a/bin/dnssec/dnssec-settime.8
+++ b/bin/dnssec/dnssec-settime.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009, 2010  Internet Systems Consortium, Inc. ("ISC")
 .\"
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-settime.8,v 1.9 2009/11/03 21:58:30 tbox Exp $
+.\" $Id: dnssec-settime.8,v 1.9.24.3 2010/02/04 02:08:19 tbox Exp $
 .\"
 .hy 0
 .ad l
@@ -131,7 +131,7 @@ for the publication date,
 \fBA\fR
 for the activation date,
 \fBR\fR
-for the revokation date,
+for the revocation date,
 \fBU\fR
 for the unpublication date, or
 \fBD\fR
@@ -148,5 +148,5 @@ RFC 5011.
 .PP
 Internet Systems Consortium
 .SH "COPYRIGHT"
-Copyright \(co 2009 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c
index 70ad94ad..1c084bb2 100644
--- a/bin/dnssec/dnssec-settime.c
+++ b/bin/dnssec/dnssec-settime.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-settime.c,v 1.19.34.5 2010/01/07 19:16:30 each Exp $ */
+/* $Id: dnssec-settime.c,v 1.19.34.6 2010/02/03 01:02:17 each Exp $ */
 
 /*! \file */
 
@@ -80,7 +80,7 @@ usage(void) {
 	fprintf(stderr, "    -D date/[+-]offset/none: set/unset key "
 						     "deletion date\n");
 	fprintf(stderr, "Printing options:\n");
-	fprintf(stderr, "    -p C/P/A/R/U/D/all: print a particular time "
+	fprintf(stderr, "    -p C/P/A/R/I/D/all: print a particular time "
 						"value or values "
 						"[default: all]\n");
 	fprintf(stderr, "    -u:                 print times in unix epoch "
diff --git a/bin/dnssec/dnssec-settime.docbook b/bin/dnssec/dnssec-settime.docbook
index 8c081379..b4db0528 100644
--- a/bin/dnssec/dnssec-settime.docbook
+++ b/bin/dnssec/dnssec-settime.docbook
@@ -2,7 +2,7 @@
                "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
                [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2010  Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -17,7 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: dnssec-settime.docbook,v 1.7 2009/11/03 21:44:46 each Exp $ -->
+<!-- $Id: dnssec-settime.docbook,v 1.7.24.2 2010/02/03 23:48:29 tbox Exp $ -->
 <refentry id="man.dnssec-settime">
   <refentryinfo>
     <date>July 15, 2009</date>
@@ -37,6 +37,7 @@
   <docinfo>
     <copyright>
       <year>2009</year>
+      <year>2010</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
@@ -240,7 +241,7 @@
             <option>C</option> for the creation date,
             <option>P</option> for the publication date,
             <option>A</option> for the activation date,
-            <option>R</option> for the revokation date,
+            <option>R</option> for the revocation date,
             <option>U</option> for the unpublication date, or
             <option>D</option> for the deletion date.
             To print all of the metadata, use <option>-p all</option>.
diff --git a/bin/dnssec/dnssec-settime.html b/bin/dnssec/dnssec-settime.html
index 935ec031..e3efc583 100644
--- a/bin/dnssec/dnssec-settime.html
+++ b/bin/dnssec/dnssec-settime.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2010  Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: dnssec-settime.html,v 1.9 2009/11/03 21:58:30 tbox Exp $ -->
+<!-- $Id: dnssec-settime.html,v 1.9.24.3 2010/02/04 02:08:19 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -32,7 +32,7 @@
 <div class="cmdsynopsis"><p><code class="command">dnssec-settime</code>  [<code class="option">-f</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] {keyfile}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543416"></a><h2>DESCRIPTION</h2>
+<a name="id2543419"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dnssec-settime</strong></span>
       reads a DNSSEC private key file and sets the key timing metadata
       as specified by the <code class="option">-P</code>, <code class="option">-A</code>,
@@ -57,7 +57,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543464"></a><h2>OPTIONS</h2>
+<a name="id2543467"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-f</span></dt>
 <dd><p>
@@ -88,7 +88,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543556"></a><h2>TIMING OPTIONS</h2>
+<a name="id2543559"></a><h2>TIMING OPTIONS</h2>
 <p>
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -133,7 +133,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543654"></a><h2>PRINTING OPTIONS</h2>
+<a name="id2543657"></a><h2>PRINTING OPTIONS</h2>
 <p>
       <span><strong class="command">dnssec-settime</strong></span> can also be used to print the
       timing metadata associated with a key.
@@ -151,7 +151,7 @@
             <code class="option">C</code> for the creation date,
             <code class="option">P</code> for the publication date,
             <code class="option">A</code> for the activation date,
-            <code class="option">R</code> for the revokation date,
+            <code class="option">R</code> for the revocation date,
             <code class="option">U</code> for the unpublication date, or
             <code class="option">D</code> for the deletion date.
             To print all of the metadata, use <code class="option">-p all</code>.
@@ -159,7 +159,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543732"></a><h2>SEE ALSO</h2>
+<a name="id2543735"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
@@ -167,7 +167,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543765"></a><h2>AUTHOR</h2>
+<a name="id2543768"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/bin/named/statschannel.c b/bin/named/statschannel.c
index 062fdb5d..c1a287cf 100644
--- a/bin/named/statschannel.c
+++ b/bin/named/statschannel.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008, 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2008-2010  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: statschannel.c,v 1.24 2009/10/20 03:30:07 marka Exp $ */
+/* $Id: statschannel.c,v 1.24.40.2 2010/02/04 23:48:30 tbox Exp $ */
 
 /*! \file */
 
@@ -71,6 +71,7 @@ stats_dumparg {
 	int		ncounters;	/* used for general statistics */
 	int		*counterindices; /* used for general statistics */
 	isc_uint64_t	*countervalues;	 /* used for general statistics */
+	isc_result_t	result;
 } stats_dumparg_t;
 
 static isc_once_t once = ISC_ONCE_INIT;
@@ -96,6 +97,8 @@ static const char *sockstats_xmldesc[isc_sockstatscounter_max];
 #define sockstats_xmldesc NULL
 #endif	/* HAVE_LIBXML2 */
 
+#define TRY0(a) do { xmlrc = (a); if (xmlrc < 0) goto error; } while(0)
+
 /*%
  * Mapping arrays to represent statistics counters in the order of our
  * preference, regardless of the order of counter indices.  For example,
@@ -438,7 +441,7 @@ generalstat_dump(isc_statscounter_t counter, isc_uint64_t val, void *arg) {
 	dumparg->countervalues[counter] = val;
 }
 
-static void
+static isc_result_t
 dump_counters(isc_stats_t *stats, statsformat_t type, void *arg,
 	      const char *category, const char **desc, int ncounters,
 	      int *indices, isc_uint64_t *values, int options)
@@ -449,6 +452,7 @@ dump_counters(isc_stats_t *stats, statsformat_t type, void *arg,
 	FILE *fp;
 #ifdef HAVE_LIBXML2
 	xmlTextWriterPtr writer;
+	int xmlrc;
 #endif
 
 #ifndef HAVE_LIBXML2
@@ -481,31 +485,41 @@ dump_counters(isc_stats_t *stats, statsformat_t type, void *arg,
 			writer = arg;
 
 			if (category != NULL) {
-				xmlTextWriterStartElement(writer,
-							  ISC_XMLCHAR
-							  category);
-				xmlTextWriterStartElement(writer,
-							  ISC_XMLCHAR "name");
-				xmlTextWriterWriteString(writer, ISC_XMLCHAR
-							desc[index]);
-				xmlTextWriterEndElement(writer); /* name */
-
-				xmlTextWriterStartElement(writer, ISC_XMLCHAR
-							  "counter");
+				TRY0(xmlTextWriterStartElement(writer,
+							       ISC_XMLCHAR
+							       category));
+				TRY0(xmlTextWriterStartElement(writer,
+							       ISC_XMLCHAR
+							       "name"));
+				TRY0(xmlTextWriterWriteString(writer,
+							      ISC_XMLCHAR
+							      desc[index]));
+				TRY0(xmlTextWriterEndElement(writer)); /* name */
+
+				TRY0(xmlTextWriterStartElement(writer,
+							       ISC_XMLCHAR
+							       "counter"));
 			} else {
-				xmlTextWriterStartElement(writer, ISC_XMLCHAR
-							  desc[index]);
+				TRY0(xmlTextWriterStartElement(writer,
+							       ISC_XMLCHAR
+							       desc[index]));
 			}
-			xmlTextWriterWriteFormatString(writer,
-						       "%" ISC_PRINT_QUADFORMAT
-						       "u", value);
-			xmlTextWriterEndElement(writer); /* counter */
+			TRY0(xmlTextWriterWriteFormatString(writer,
+							    "%"
+							    ISC_PRINT_QUADFORMAT
+							    "u", value));
+			TRY0(xmlTextWriterEndElement(writer)); /* counter */
 			if (category != NULL)
-				xmlTextWriterEndElement(writer); /* category */
+				TRY0(xmlTextWriterEndElement(writer)); /* category */
 #endif
 			break;
 		}
 	}
+	return (ISC_R_SUCCESS);
+#ifdef HAVE_LIBXML2
+ error:
+	return (ISC_R_FAILURE);
+#endif
 }
 
 static void
@@ -516,6 +530,7 @@ rdtypestat_dump(dns_rdatastatstype_t type, isc_uint64_t val, void *arg) {
 	FILE *fp;
 #ifdef HAVE_LIBXML2
 	xmlTextWriterPtr writer;
+	int xmlrc;
 #endif
 
 	if ((DNS_RDATASTATSTYPE_ATTR(type) & DNS_RDATASTATSTYPE_ATTR_OTHERTYPE)
@@ -535,22 +550,28 @@ rdtypestat_dump(dns_rdatastatstype_t type, isc_uint64_t val, void *arg) {
 #ifdef HAVE_LIBXML2
 		writer = dumparg->arg;
 
-		xmlTextWriterStartElement(writer, ISC_XMLCHAR "rdtype");
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "rdtype"));
 
-		xmlTextWriterStartElement(writer, ISC_XMLCHAR "name");
-		xmlTextWriterWriteString(writer, ISC_XMLCHAR typestr);
-		xmlTextWriterEndElement(writer); /* name */
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "name"));
+		TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR typestr));
+		TRY0(xmlTextWriterEndElement(writer)); /* name */
 
-		xmlTextWriterStartElement(writer, ISC_XMLCHAR "counter");
-		xmlTextWriterWriteFormatString(writer,
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counter"));
+		TRY0(xmlTextWriterWriteFormatString(writer,
 					       "%" ISC_PRINT_QUADFORMAT "u",
-					       val);
-		xmlTextWriterEndElement(writer); /* counter */
+					       val));
+		TRY0(xmlTextWriterEndElement(writer)); /* counter */
 
-		xmlTextWriterEndElement(writer); /* rdtype */
+		TRY0(xmlTextWriterEndElement(writer)); /* rdtype */
 #endif
 		break;
 	}
+	return;
+#ifdef HAVE_LIBXML2
+ error:
+	dumparg->result = ISC_R_FAILURE;
+	return;
+#endif
 }
 
 static void
@@ -562,6 +583,7 @@ rdatasetstats_dump(dns_rdatastatstype_t type, isc_uint64_t val, void *arg) {
 	isc_boolean_t nxrrset = ISC_FALSE;
 #ifdef HAVE_LIBXML2
 	xmlTextWriterPtr writer;
+	int xmlrc;
 #endif
 
 	if ((DNS_RDATASTATSTYPE_ATTR(type) & DNS_RDATASTATSTYPE_ATTR_NXDOMAIN)
@@ -590,22 +612,28 @@ rdatasetstats_dump(dns_rdatastatstype_t type, isc_uint64_t val, void *arg) {
 #ifdef HAVE_LIBXML2
 		writer = dumparg->arg;
 
-		xmlTextWriterStartElement(writer, ISC_XMLCHAR "rrset");
-		xmlTextWriterStartElement(writer, ISC_XMLCHAR "name");
-		xmlTextWriterWriteFormatString(writer, "%s%s",
-					       nxrrset ? "!" : "", typestr);
-		xmlTextWriterEndElement(writer); /* name */
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "rrset"));
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "name"));
+		TRY0(xmlTextWriterWriteFormatString(writer, "%s%s",
+					       nxrrset ? "!" : "", typestr));
+		TRY0(xmlTextWriterEndElement(writer)); /* name */
 
-		xmlTextWriterStartElement(writer, ISC_XMLCHAR "counter");
-		xmlTextWriterWriteFormatString(writer,
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counter"));
+		TRY0(xmlTextWriterWriteFormatString(writer,
 					       "%" ISC_PRINT_QUADFORMAT "u",
-					       val);
-		xmlTextWriterEndElement(writer); /* counter */
+					       val));
+		TRY0(xmlTextWriterEndElement(writer)); /* counter */
 
-		xmlTextWriterEndElement(writer); /* rrset */
+		TRY0(xmlTextWriterEndElement(writer)); /* rrset */
 #endif
 		break;
 	}
+	return;
+#ifdef HAVE_LIBXML2
+ error:
+	dumparg->result = ISC_R_FAILURE;
+#endif
+
 }
 
 static void
@@ -616,6 +644,7 @@ opcodestat_dump(dns_opcode_t code, isc_uint64_t val, void *arg) {
 	stats_dumparg_t *dumparg = arg;
 #ifdef HAVE_LIBXML2
 	xmlTextWriterPtr writer;
+	int xmlrc;
 #endif
 
 	isc_buffer_init(&b, codebuf, sizeof(codebuf) - 1);
@@ -631,30 +660,35 @@ opcodestat_dump(dns_opcode_t code, isc_uint64_t val, void *arg) {
 #ifdef HAVE_LIBXML2
 		writer = dumparg->arg;
 
-		xmlTextWriterStartElement(writer, ISC_XMLCHAR "opcode");
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "opcode"));
 
-		xmlTextWriterStartElement(writer, ISC_XMLCHAR "name");
-		xmlTextWriterWriteString(writer, ISC_XMLCHAR codebuf);
-		xmlTextWriterEndElement(writer); /* name */
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "name"));
+		TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR codebuf));
+		TRY0(xmlTextWriterEndElement(writer)); /* name */
 
-		xmlTextWriterStartElement(writer, ISC_XMLCHAR "counter");
-		xmlTextWriterWriteFormatString(writer,
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counter"));
+		TRY0(xmlTextWriterWriteFormatString(writer,
 					       "%" ISC_PRINT_QUADFORMAT "u",
-					       val);
-		xmlTextWriterEndElement(writer); /* counter */
+					       val));
+		TRY0(xmlTextWriterEndElement(writer)); /* counter */
 
-		xmlTextWriterEndElement(writer); /* opcode */
+		TRY0(xmlTextWriterEndElement(writer)); /* opcode */
 #endif
 		break;
 	}
+	return;
+
+#ifdef HAVE_LIBXML2
+ error:
+	dumparg->result = ISC_R_FAILURE;
+	return;
+#endif
 }
 
 #ifdef HAVE_LIBXML2
 
 /* XXXMLG below here sucks. */
 
-#define TRY(a) do { result = (a); INSIST(result == ISC_R_SUCCESS); } while(0);
-#define TRY0(a) do { xmlrc = (a); INSIST(xmlrc >= 0); } while(0);
 
 static isc_result_t
 zone_xmlrender(dns_zone_t *zone, void *arg) {
@@ -664,49 +698,55 @@ zone_xmlrender(dns_zone_t *zone, void *arg) {
 	xmlTextWriterPtr writer = arg;
 	isc_stats_t *zonestats;
 	isc_uint64_t nsstat_values[dns_nsstatscounter_max];
+	int xmlrc;
+	isc_result_t result;
 
-	xmlTextWriterStartElement(writer, ISC_XMLCHAR "zone");
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "zone"));
 
 	dns_zone_name(zone, buf, sizeof(buf));
-	xmlTextWriterStartElement(writer, ISC_XMLCHAR "name");
-	xmlTextWriterWriteString(writer, ISC_XMLCHAR buf);
-	xmlTextWriterEndElement(writer);
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "name"));
+	TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR buf));
+	TRY0(xmlTextWriterEndElement(writer));
 
 	rdclass = dns_zone_getclass(zone);
 	dns_rdataclass_format(rdclass, buf, sizeof(buf));
-	xmlTextWriterStartElement(writer, ISC_XMLCHAR "rdataclass");
-	xmlTextWriterWriteString(writer, ISC_XMLCHAR buf);
-	xmlTextWriterEndElement(writer);
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "rdataclass"));
+	TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR buf));
+	TRY0(xmlTextWriterEndElement(writer));
 
-	xmlTextWriterStartElement(writer, ISC_XMLCHAR "serial");
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "serial"));
 	if (dns_zone_getserial2(zone, &serial) == ISC_R_SUCCESS)
-		xmlTextWriterWriteFormatString(writer, "%u", serial);
+		TRY0(xmlTextWriterWriteFormatString(writer, "%u", serial));
 	else
-		xmlTextWriterWriteString(writer, ISC_XMLCHAR "-");
-	xmlTextWriterEndElement(writer);
+		TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR "-"));
+	TRY0(xmlTextWriterEndElement(writer));
 
 	zonestats = dns_zone_getrequeststats(zone);
 	if (zonestats != NULL) {
-		xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters");
-		dump_counters(zonestats, statsformat_xml, writer, NULL,
-			      nsstats_xmldesc, dns_nsstatscounter_max,
-			      nsstats_index, nsstat_values,
-			      ISC_STATSDUMP_VERBOSE);
-		xmlTextWriterEndElement(writer); /* counters */
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters"));
+		result = dump_counters(zonestats, statsformat_xml, writer, NULL,
+				      nsstats_xmldesc, dns_nsstatscounter_max,
+				      nsstats_index, nsstat_values,
+				      ISC_STATSDUMP_VERBOSE);
+		if (result != ISC_R_SUCCESS)
+			goto error;
+		TRY0(xmlTextWriterEndElement(writer)); /* counters */
 	}
 
-	xmlTextWriterEndElement(writer); /* zone */
+	TRY0(xmlTextWriterEndElement(writer)); /* zone */
 
 	return (ISC_R_SUCCESS);
+ error:
+	return (ISC_R_FAILURE);
 }
 
-static void
+static isc_result_t
 generatexml(ns_server_t *server, int *buflen, xmlChar **buf) {
 	char boottime[sizeof "yyyy-mm-ddThh:mm:ssZ"];
 	char nowstr[sizeof "yyyy-mm-ddThh:mm:ssZ"];
 	isc_time_t now;
-	xmlTextWriterPtr writer;
-	xmlDocPtr doc;
+	xmlTextWriterPtr writer = NULL;
+	xmlDocPtr doc = NULL;
 	int xmlrc;
 	dns_view_t *view;
 	stats_dumparg_t dumparg;
@@ -715,12 +755,15 @@ generatexml(ns_server_t *server, int *buflen, xmlChar **buf) {
 	isc_uint64_t resstat_values[dns_resstatscounter_max];
 	isc_uint64_t zonestat_values[dns_zonestatscounter_max];
 	isc_uint64_t sockstat_values[isc_sockstatscounter_max];
+	isc_result_t result;
 
 	isc_time_now(&now);
 	isc_time_formatISO8601(&ns_g_boottime, boottime, sizeof boottime);
 	isc_time_formatISO8601(&now, nowstr, sizeof nowstr);
 
 	writer = xmlNewTextWriterDoc(&doc, 0);
+	if (writer == NULL)
+		goto error;
 	TRY0(xmlTextWriterStartDocument(writer, NULL, "UTF-8", NULL));
 	TRY0(xmlTextWriterWritePI(writer, ISC_XMLCHAR "xml-stylesheet",
 			ISC_XMLCHAR "type=\"text/xsl\" href=\"/bind9.xsl\""));
@@ -744,27 +787,36 @@ generatexml(ns_server_t *server, int *buflen, xmlChar **buf) {
 	view = ISC_LIST_HEAD(server->viewlist);
 	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "views"));
 	while (view != NULL) {
-		xmlTextWriterStartElement(writer, ISC_XMLCHAR "view");
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "view"));
 
-		xmlTextWriterStartElement(writer, ISC_XMLCHAR "name");
-		xmlTextWriterWriteString(writer, ISC_XMLCHAR view->name);
-		xmlTextWriterEndElement(writer);
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "name"));
+		TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR view->name));
+		TRY0(xmlTextWriterEndElement(writer));
 
-		xmlTextWriterStartElement(writer, ISC_XMLCHAR "zones");
-		dns_zt_apply(view->zonetable, ISC_FALSE, zone_xmlrender,
-			     writer);
-		xmlTextWriterEndElement(writer);
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "zones"));
+		result = dns_zt_apply(view->zonetable, ISC_TRUE, zone_xmlrender,
+				      writer);
+		if (result != ISC_R_SUCCESS)
+			goto error;
+		TRY0(xmlTextWriterEndElement(writer));
 
 		if (view->resquerystats != NULL) {
+			dumparg.result = ISC_R_SUCCESS;
 			dns_rdatatypestats_dump(view->resquerystats,
 						rdtypestat_dump, &dumparg, 0);
+			if (dumparg.result != ISC_R_SUCCESS)
+				goto error;
 		}
 
 		if (view->resstats != NULL) {
-			dump_counters(view->resstats, statsformat_xml, writer,
-				      "resstat", resstats_xmldesc,
-				      dns_resstatscounter_max, resstats_index,
-				      resstat_values, ISC_STATSDUMP_VERBOSE);
+			result = dump_counters(view->resstats, statsformat_xml,
+					       writer, "resstat",
+					       resstats_xmldesc,
+					       dns_resstatscounter_max,
+					       resstats_index, resstat_values,
+					       ISC_STATSDUMP_VERBOSE);
+			if (result != ISC_R_SUCCESS)
+				goto error;
 		}
 
 		cachestats = dns_db_getrrsetstats(view->cachedb);
@@ -775,12 +827,15 @@ generatexml(ns_server_t *server, int *buflen, xmlChar **buf) {
 					 ISC_XMLCHAR "name",
 					 ISC_XMLCHAR
 					 dns_cache_getname(view->cache)));
+			dumparg.result = ISC_R_SUCCESS;
 			dns_rdatasetstats_dump(cachestats, rdatasetstats_dump,
 					       &dumparg, 0);
+			if (dumparg.result != ISC_R_SUCCESS)
+				goto error;
 			TRY0(xmlTextWriterEndElement(writer)); /* cache */
 		}
 
-		xmlTextWriterEndElement(writer); /* view */
+		TRY0(xmlTextWriterEndElement(writer)); /* view */
 
 		view = ISC_LIST_NEXT(view, link);
 	}
@@ -795,44 +850,63 @@ generatexml(ns_server_t *server, int *buflen, xmlChar **buf) {
 	TRY0(xmlTextWriterEndElement(writer)); /* taskmgr */
 
 	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "server"));
-	xmlTextWriterStartElement(writer, ISC_XMLCHAR "boot-time");
-	xmlTextWriterWriteString(writer, ISC_XMLCHAR boottime);
-	xmlTextWriterEndElement(writer);
-	xmlTextWriterStartElement(writer, ISC_XMLCHAR "current-time");
-	xmlTextWriterWriteString(writer, ISC_XMLCHAR nowstr);
-	xmlTextWriterEndElement(writer);
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "boot-time"));
+	TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR boottime));
+	TRY0(xmlTextWriterEndElement(writer));
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "current-time"));
+	TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR nowstr));
+	TRY0(xmlTextWriterEndElement(writer));
 
 	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "requests"));
+	dumparg.result = ISC_R_SUCCESS;
 	dns_opcodestats_dump(server->opcodestats, opcodestat_dump, &dumparg,
 			     0);
-	xmlTextWriterEndElement(writer); /* requests */
+	if (dumparg.result != ISC_R_SUCCESS)
+		goto error;
+	TRY0(xmlTextWriterEndElement(writer)); /* requests */
 
 	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "queries-in"));
+	dumparg.result = ISC_R_SUCCESS;
 	dns_rdatatypestats_dump(server->rcvquerystats, rdtypestat_dump,
 				&dumparg, 0);
-	xmlTextWriterEndElement(writer); /* queries-in */
-
-	dump_counters(server->nsstats, statsformat_xml, writer,
-		      "nsstat", nsstats_xmldesc, dns_nsstatscounter_max,
-		      nsstats_index, nsstat_values, ISC_STATSDUMP_VERBOSE);
+	if (dumparg.result != ISC_R_SUCCESS)
+		goto error;
+	TRY0(xmlTextWriterEndElement(writer)); /* queries-in */
+
+	result = dump_counters(server->nsstats, statsformat_xml, writer,
+			       "nsstat", nsstats_xmldesc,
+				dns_nsstatscounter_max,
+				nsstats_index, nsstat_values,
+				ISC_STATSDUMP_VERBOSE);
+	if (result != ISC_R_SUCCESS)
+		goto error;
 
-	dump_counters(server->zonestats, statsformat_xml, writer, "zonestat",
-		      zonestats_xmldesc, dns_zonestatscounter_max,
-		      zonestats_index, zonestat_values, ISC_STATSDUMP_VERBOSE);
+	result = dump_counters(server->zonestats, statsformat_xml, writer,
+			       "zonestat", zonestats_xmldesc,
+			       dns_zonestatscounter_max, zonestats_index,
+			       zonestat_values, ISC_STATSDUMP_VERBOSE);
+	if (result != ISC_R_SUCCESS)
+		goto error;
 
 	/*
 	 * Most of the common resolver statistics entries are 0, so we don't
 	 * use the verbose dump here.
 	 */
-	dump_counters(server->resolverstats, statsformat_xml, writer, "resstat",
-		      resstats_xmldesc, dns_resstatscounter_max, resstats_index,
-		      resstat_values, 0);
+	result = dump_counters(server->resolverstats, statsformat_xml, writer,
+			       "resstat", resstats_xmldesc,
+			       dns_resstatscounter_max, resstats_index,
+			       resstat_values, 0);
+	if (result != ISC_R_SUCCESS)
+		goto error;
 
-	dump_counters(server->sockstats, statsformat_xml, writer, "sockstat",
-		      sockstats_xmldesc, isc_sockstatscounter_max,
-		      sockstats_index, sockstat_values, ISC_STATSDUMP_VERBOSE);
+	result = dump_counters(server->sockstats, statsformat_xml, writer,
+			       "sockstat", sockstats_xmldesc,
+			       isc_sockstatscounter_max, sockstats_index,
+			       sockstat_values, ISC_STATSDUMP_VERBOSE);
+	if (result != ISC_R_SUCCESS)
+		goto error;
 
-	xmlTextWriterEndElement(writer); /* server */
+	TRY0(xmlTextWriterEndElement(writer)); /* server */
 
 	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "memory"));
 	isc_mem_renderxml(writer);
@@ -848,6 +922,14 @@ generatexml(ns_server_t *server, int *buflen, xmlChar **buf) {
 
 	xmlDocDumpFormatMemoryEnc(doc, buf, buflen, "UTF-8", 1);
 	xmlFreeDoc(doc);
+	return (ISC_R_SUCCESS);
+
+ error:
+	if (writer != NULL)
+		xmlFreeTextWriter(writer);
+	if (doc != NULL)
+		xmlFreeDoc(doc);
+	return (ISC_R_FAILURE);
 }
 
 static void
@@ -866,21 +948,24 @@ render_index(const char *url, const char *querystring, void *arg,
 	unsigned char *msg;
 	int msglen;
 	ns_server_t *server = arg;
+	isc_result_t result;
 
 	UNUSED(url);
 	UNUSED(querystring);
 
-	generatexml(server, &msglen, &msg);
+	result = generatexml(server, &msglen, &msg);
 
-	*retcode = 200;
-	*retmsg = "OK";
-	*mimetype = "text/xml";
-	isc_buffer_reinit(b, msg, msglen);
-	isc_buffer_add(b, msglen);
-	*freecb = wrap_xmlfree;
-	*freecb_args = NULL;
+	if (result == ISC_R_SUCCESS) {
+		*retcode = 200;
+		*retmsg = "OK";
+		*mimetype = "text/xml";
+		isc_buffer_reinit(b, msg, msglen);
+		isc_buffer_add(b, msglen);
+		*freecb = wrap_xmlfree;
+		*freecb_args = NULL;
+	}
 
-	return (ISC_R_SUCCESS);
+	return (result);
 }
 
 #endif	/* HAVE_LIBXML2 */
@@ -1281,20 +1366,20 @@ ns_stats_dump(ns_server_t *server, FILE *fp) {
 	}
 
 	fprintf(fp, "++ Name Server Statistics ++\n");
-	dump_counters(server->nsstats, statsformat_file, fp, NULL,
-		      nsstats_desc, dns_nsstatscounter_max, nsstats_index,
-		      nsstat_values, 0);
+	(void) dump_counters(server->nsstats, statsformat_file, fp, NULL,
+			     nsstats_desc, dns_nsstatscounter_max,
+			     nsstats_index, nsstat_values, 0);
 
 	fprintf(fp, "++ Zone Maintenance Statistics ++\n");
-	dump_counters(server->zonestats, statsformat_file, fp, NULL,
-		      zonestats_desc, dns_zonestatscounter_max,
-		      zonestats_index, zonestat_values, 0);
+	(void) dump_counters(server->zonestats, statsformat_file, fp, NULL,
+			     zonestats_desc, dns_zonestatscounter_max,
+			     zonestats_index, zonestat_values, 0);
 
 	fprintf(fp, "++ Resolver Statistics ++\n");
 	fprintf(fp, "[Common]\n");
-	dump_counters(server->resolverstats, statsformat_file, fp, NULL,
-		      resstats_desc, dns_resstatscounter_max, resstats_index,
-		      resstat_values, 0);
+	(void) dump_counters(server->resolverstats, statsformat_file, fp, NULL,
+			     resstats_desc, dns_resstatscounter_max,
+			     resstats_index, resstat_values, 0);
 	for (view = ISC_LIST_HEAD(server->viewlist);
 	     view != NULL;
 	     view = ISC_LIST_NEXT(view, link)) {
@@ -1304,9 +1389,9 @@ ns_stats_dump(ns_server_t *server, FILE *fp) {
 			fprintf(fp, "[View: default]\n");
 		else
 			fprintf(fp, "[View: %s]\n", view->name);
-		dump_counters(view->resstats, statsformat_file, fp, NULL,
-			      resstats_desc, dns_resstatscounter_max,
-			      resstats_index, resstat_values, 0);
+		(void) dump_counters(view->resstats, statsformat_file, fp, NULL,
+				     resstats_desc, dns_resstatscounter_max,
+				     resstats_index, resstat_values, 0);
 	}
 
 	fprintf(fp, "++ Cache DB RRsets ++\n");
@@ -1335,9 +1420,9 @@ ns_stats_dump(ns_server_t *server, FILE *fp) {
 	}
 
 	fprintf(fp, "++ Socket I/O Statistics ++\n");
-	dump_counters(server->sockstats, statsformat_file, fp, NULL,
-		      sockstats_desc, isc_sockstatscounter_max, sockstats_index,
-		      sockstat_values, 0);
+	(void) dump_counters(server->sockstats, statsformat_file, fp, NULL,
+			     sockstats_desc, isc_sockstatscounter_max,
+			     sockstats_index, sockstat_values, 0);
 
 	fprintf(fp, "++ Per Zone Query Statistics ++\n");
 	zone = NULL;
@@ -1358,9 +1443,10 @@ ns_stats_dump(ns_server_t *server, FILE *fp) {
 				fprintf(fp, " (view: %s)", view->name);
 			fprintf(fp, "]\n");
 
-			dump_counters(zonestats, statsformat_file, fp, NULL,
-				      nsstats_desc, dns_nsstatscounter_max,
-				      nsstats_index, nsstat_values, 0);
+			(void) dump_counters(zonestats, statsformat_file, fp,
+					     NULL, nsstats_desc,
+					     dns_nsstatscounter_max,
+					     nsstats_index, nsstat_values, 0);
 		}
 	}
 
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 5661a036..9700f12a 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- File: $Id: Bv9ARM-book.xml,v 1.450.4.3 2010/01/07 23:48:15 tbox Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.450.4.5 2010/02/03 01:32:43 each Exp $ -->
 <book xmlns:xi="http://www.w3.org/2001/XInclude">
   <title>BIND 9 Administrator Reference Manual</title>
 
@@ -2655,6 +2655,13 @@ options {
       </sect2>
 
     </sect1>
+
+    <xi:include href="dnssec.xml"/>
+
+    <xi:include href="managed-keys.xml"/>
+
+    <xi:include href="pkcs11.xml"/>
+
     <sect1>
       <title>IPv6 Support in <acronym>BIND</acronym> 9</title>
 
@@ -8437,7 +8444,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
               <listitem>
                 <para>
                   The delay, in seconds, between sending sets of notify
-                  messages for a zone.  The default is zero.
+                  messages for a zone.  The default is five (5) seconds.
                 </para>
               </listitem>
             </varlistentry>
@@ -9187,7 +9194,7 @@ deny-answer-aliases { "example.net"; };
 
       </sect2>
 
-        <sect2>
+	<sect2 id="trusted-keys">
           <title><command>trusted-keys</command> Statement Grammar</title>
 
 <programlisting><command>trusted-keys</command> {
@@ -9248,7 +9255,7 @@ deny-answer-aliases { "example.net"; };
 </programlisting>
 
         </sect2>
-	<sect2>
+	<sect2 id="managed-keys">
 	  <title><command>managed-keys</command> Statement Definition
 	    and Usage</title>
 	  <para>
@@ -15650,8 +15657,12 @@ zone "example.com" {
           </bibliography>
         </sect2>
       </sect1>
+
+      <xi:include href="libdns.xml"/>
+
     </appendix>
 
+
     <reference id="Bv9ARM.ch10">
       <title>Manual pages</title>
       <xi:include href="../../bin/dig/dig.docbook"/>
diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html
index 259fbe00..306cb6ac 100644
--- a/doc/arm/Bv9ARM.ch04.html
+++ b/doc/arm/Bv9ARM.ch04.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: Bv9ARM.ch04.html,v 1.103.22.1 2010/01/08 02:08:24 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch04.html,v 1.103.22.3 2010/02/04 02:08:20 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -68,10 +68,38 @@
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571801">Signing the Zone</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571882">Configuring Servers</a></span></dt>
 </dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572065">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dnssec.dynamic.zones">DNSSEC, Dynamic Zones, and Automatic Signing</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572331">Address Lookups Using AAAA Records</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572353">Address to Name Lookups Using Nibble Format</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2605770">Converting from insecure to secure</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563550">Dynamic DNS update method</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563587">Fully automatic zone signing</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563662">Private-type records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563768">DNSKEY rollovers via UPDATE</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563801">NSEC3PARAM rollovers via UPDATE</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563811">Converting from NSEC to NSEC3</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563820">Converting from NSEC3 to NSEC</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563901">Converting from secure to insecure</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563939">Periodic re-signing</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563948">NSEC3 and OPTOUT</a></span></dt>
+</dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#rfc5011.support">Dynamic Trust Anchor Management</a></span></dt>
+<dd><dl>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2605417">Validating Resolver</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2605440">Authoritative Server</a></span></dt>
+</dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#pkcs11">PKCS #11 (Cryptoki) support</a></span></dt>
+<dd><dl>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2607939">Prerequisites</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2606230">Building BIND 9 with PKCS#11</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2606325">PKCS #11 Tools</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2606356">Using the HSM</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2608124">Specifying the engine on the command line</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2608443">Running named with automatic zone re-signing</a></span></dt>
+</dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572077">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
+<dd><dl>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572344">Address Lookups Using AAAA Records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572434">Address to Name Lookups Using Nibble Format</a></span></dt>
 </dl></dd>
 </dl>
 </div>
@@ -1019,7 +1047,676 @@ options {
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2572065"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
+<a name="dnssec.dynamic.zones"></a>DNSSEC, Dynamic Zones, and Automatic Signing</h2></div></div></div>
+<p>As of BIND 9.7.0 it is possible to change a dynamic zone
+  from insecure to signed and back again. A secure zone can use
+  either NSEC or NSEC3 chains.</p>
+<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
+<a name="id2605770"></a>Converting from insecure to secure</h3></div></div></div></div>
+<p>Changing a zone from insecure to secure can be done in two
+  ways: using a dynamic DNS update, or the 
+  <span><strong class="command">auto-dnssec</strong></span> zone option.</p>
+<p>For either method, you need to configure 
+  <span><strong class="command">named</strong></span> so that it can see the 
+  <code class="filename">K*</code> files which contain the public and private
+  parts of the keys that will be used to sign the zone. These files
+  will have been generated by 
+  <span><strong class="command">dnssec-keygen</strong></span>. You can do this by placing them
+  in the key-directory, as specified in 
+  <code class="filename">named.conf</code>:</p>
+<pre class="programlisting">
+        zone example.net {
+                type master;
+                update-policy local;
+                file "dynamic/example.net/example.net";
+                key-directory "dynamic/example.net";
+        };
+</pre>
+<p>If one KSK and one ZSK DNSKEY key have been generated, this
+  configuration will cause all records in the zone to be signed
+  with the ZSK, and the DNSKEY RRset to be signed with the KSK as
+  well. An NSEC chain will be generated as part of the initial
+  signing process.</p>
+<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
+<a name="id2563550"></a>Dynamic DNS update method</h3></div></div></div></div>
+<p>To insert the keys via dynamic update:</p>
+<pre class="screen">
+        % nsupdate
+        &gt; ttl 3600
+        &gt; update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
+        &gt; update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
+        &gt; send
+</pre>
+<p>While the update request will complete almost immediately,
+  the zone will not be completely signed until 
+  <span><strong class="command">named</strong></span> has had time to walk the zone and
+  generate the NSEC and RRSIG records. The NSEC record at the apex
+  will be added last, to signal that there is a complete NSEC
+  chain.</p>
+<p>If you wish to sign using NSEC3 instead of NSEC, you should
+  add an NSEC3PARAM record to the initial update request. If you
+  wish the NSEC3 chain to have the OPTOUT bit set, set it in the
+  flags field of the NSEC3PARAM record.</p>
+<pre class="screen">
+        % nsupdate
+        &gt; ttl 3600
+        &gt; update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
+        &gt; update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
+        &gt; update add example.net NSEC3PARAM 1 1 100 1234567890
+        &gt; send
+</pre>
+<p>Again, this update request will complete almost
+  immediately; however, the record won't show up until 
+  <span><strong class="command">named</strong></span> has had a chance to build/remove the
+  relevant chain. A private type record will be created to record
+  the state of the operation (see below for more details), and will
+  be removed once the operation completes.</p>
+<p>While the initial signing and NSEC/NSEC3 chain generation
+  is happening, other updates are possible as well.</p>
+<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
+<a name="id2563587"></a>Fully automatic zone signing</h3></div></div></div></div>
+<p>To enable automatic signing, add the 
+  <span><strong class="command">auto-dnssec</strong></span> option to the zone statement in 
+  <code class="filename">named.conf</code>. 
+  <span><strong class="command">auto-dnssec</strong></span> has two possible arguments: 
+  <code class="constant">allow</code> or 
+  <code class="constant">maintain</code>.</p>
+<p>With 
+  <span><strong class="command">auto-dnssec allow</strong></span>, 
+  <span><strong class="command">named</strong></span> can search the key directory for keys
+  matching the zone, insert them into the zone, and use them to
+  sign the zone. It will do so only when it receives an 
+  <span><strong class="command">rndc sign &lt;zonename&gt;</strong></span> command.</p>
+<p>
+  
+  <span><strong class="command">auto-dnssec maintain</strong></span> includes the above
+  functionality, but will also automatically adjust the zone's
+  DNSKEY records on schedule according to the keys' timing metadata.
+  (See <a href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
+  <a href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a> for more information.) 
+  If keys are present in the key directory the first time the zone
+  is loaded, it will be signed immediately, without waiting for an 
+  <span><strong class="command">rndc sign</strong></span> command. (This command can still be
+  used for unscheduled key changes, however.)</p>
+<p>Using the 
+  <span><strong class="command">auto-dnssec</strong></span> option requires the zone to be
+  configured to allow dynamic updates, by adding an 
+  <span><strong class="command">allow-update</strong></span> or 
+  <span><strong class="command">update-policy</strong></span> statement to the zone
+  configuration. If this has not been done, the configuration will
+  fail.</p>
+<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
+<a name="id2563662"></a>Private-type records</h3></div></div></div></div>
+<p>The state of the signing process is signaled by
+  private-type records (with a default type value of 65534). When
+  signing is complete, these records will have a nonzero value for
+  the final octet (for those records which have a nonzero initial
+  octet).</p>
+<p>The private type record format: If the first octet is
+  non-zero then the record indicates that the zone needs to be
+  signed with the key matching the record, or that all signatures
+  that match the record should be removed.</p>
+<p>
+    </p>
+<div class="literallayout"><p><br>
+<br>
+  algorithm (octet 1)<br>
+  key id in network order (octet 2 and 3)<br>
+  removal flag (octet 4)<br>
+  complete flag (octet 5)<br>
+</p></div>
+<p>
+  </p>
+<p>Only records flagged as "complete" can be removed via
+  dynamic update. Attempts to remove other private type records
+  will be silently ignored.</p>
+<p>If the first octet is zero (this is a reserved algorithm
+  number that should never appear in a DNSKEY record) then the
+  record indicates changes to the NSEC3 chains are in progress. The
+  rest of the record contains an NSEC3PARAM record. The flag field
+  tells what operation to perform based on the flag bits.</p>
+<p>
+    </p>
+<div class="literallayout"><p><br>
+<br>
+  0x01 OPTOUT<br>
+  0x80 CREATE<br>
+  0x40 REMOVE<br>
+  0x20 NONSEC<br>
+</p></div>
+<p>
+  </p>
+<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
+<a name="id2563768"></a>DNSKEY rollovers via UPDATE</h3></div></div></div></div>
+<p>It is possible to perform key rollovers via dynamic update.
+  You need to add the 
+  <code class="filename">K*</code> files for the new keys so that 
+  <span><strong class="command">named</strong></span> can find them. You can then add the new
+  DNSKEY RRs via dynamic update. 
+  <span><strong class="command">named</strong></span> will then cause the zone to be signed
+  with the new keys. When the signing is complete the private type
+  records will be updated so that the last octet is non
+  zero.</p>
+<p>If this is for a KSK you need to inform the parent and any
+  trust anchor repositories of the new KSK.</p>
+<p>You should then wait for the maximum TTL in the zone before
+  removing the old DNSKEY. If it is a KSK that is being updated,
+  you also need to wait for the DS RRset in the parent to be
+  updated and its TTL to expire. This ensures that all clients will
+  be able to verify at least one signature when you remove the old
+  DNSKEY.</p>
+<p>The old DNSKEY can be removed via UPDATE. Take care to
+  specify the correct key. 
+  <span><strong class="command">named</strong></span> will clean out any signatures generated
+  by the old key after the update completes.</p>
+<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
+<a name="id2563801"></a>NSEC3PARAM rollovers via UPDATE</h3></div></div></div></div>
+<p>Add the new NSEC3PARAM record via dynamic update. When the
+  new NSEC3 chain has been generated, the NSEC3PARAM flag field
+  will be zero. At this point you can remove the old NSEC3PARAM
+  record. The old chain will be removed after the update request
+  completes.</p>
+<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
+<a name="id2563811"></a>Converting from NSEC to NSEC3</h3></div></div></div></div>
+<p>To do this, you just need to add an NSEC3PARAM record. When
+  the conversion is complete, the NSEC chain will have been removed
+  and the NSEC3PARAM record will have a zero flag field. The NSEC3
+  chain will be generated before the NSEC chain is
+  destroyed.</p>
+<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
+<a name="id2563820"></a>Converting from NSEC3 to NSEC</h3></div></div></div></div>
+<p>To do this, use <span><strong class="command">nsupdate</strong></span> to
+  remove all NSEC3PARAM records with a zero flag
+  field. The NSEC chain will be generated before the NSEC3 chain is
+  removed.</p>
+<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
+<a name="id2563901"></a>Converting from secure to insecure</h3></div></div></div></div>
+<p>To convert a signed zone to unsigned using dynamic DNS,
+  delete all the DNSKEY records from the zone apex using
+  <span><strong class="command">nsupdate</strong></span>. All signatures, NSEC or NSEC3 chains,
+  and associated NSEC3PARAM records will be removed automatically.
+  This will take place after the update request completes.</p>
+<p> This requires the 
+  <span><strong class="command">dnssec-secure-to-insecure</strong></span> option to be set to 
+  <strong class="userinput"><code>yes</code></strong> in 
+  <code class="filename">named.conf</code>.</p>
+<p>In addition, if the <span><strong class="command">auto-dnssec maintain</strong></span>
+  zone statement is used, it should be removed or changed to
+  <span><strong class="command">allow</strong></span> instead (or it will re-sign).
+  </p>
+<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
+<a name="id2563939"></a>Periodic re-signing</h3></div></div></div></div>
+<p>In any secure zone which supports dynamic updates, named
+  will periodically re-sign RRsets which have not been re-signed as
+  a result of some update action. The signature lifetimes will be
+  adjusted so as to spread the re-sign load over time rather than
+  all at once.</p>
+<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
+<a name="id2563948"></a>NSEC3 and OPTOUT</h3></div></div></div></div>
+<p>
+  <span><strong class="command">named</strong></span> only supports creating new NSEC3 chains
+  where all the NSEC3 records in the zone have the same OPTOUT
+  state. 
+  <span><strong class="command">named</strong></span> supports UPDATES to zones where the NSEC3
+  records in the chain have mixed OPTOUT state. 
+  <span><strong class="command">named</strong></span> does not support changing the OPTOUT
+  state of an individual NSEC3 record, the entire chain needs to be
+  changed if the OPTOUT state of an individual NSEC3 needs to be
+  changed.</p>
+</div>
+<div class="sect1" lang="en">
+<div class="titlepage"><div><div><h2 class="title" style="clear: both">
+<a name="rfc5011.support"></a>Dynamic Trust Anchor Management</h2></div></div></div>
+<p>BIND 9.7.0 introduces support for RFC 5011, dynamic trust
+  anchor management. Using this feature allows 
+  <span><strong class="command">named</strong></span> to keep track of changes to critical
+  DNSSEC keys without any need for the operator to make changes to
+  configuration files.</p>
+<div class="sect2" lang="en">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="id2605417"></a>Validating Resolver</h3></div></div></div>
+<p>To configure a validating resolver to use RFC 5011 to
+    maintain a trust anchor, configure the trust anchor using a 
+    <span><strong class="command">managed-keys</strong></span> statement. Information about
+    this can be found in 
+    <a href="Bv9ARM.ch06.html#managed-keys" title="managed-keys Statement Definition
+            and Usage">the section called &#8220;<span><strong class="command">managed-keys</strong></span> Statement Definition
+            and Usage&#8221;</a>.</p>
+</div>
+<div class="sect2" lang="en">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="id2605440"></a>Authoritative Server</h3></div></div></div>
+<p>To set up an authoritative zone for RFC 5011 trust anchor
+    maintenance, generate two (or more) key signing keys (KSKs) for
+    the zone. Sign the zone with one of them; this is the "active"
+    KSK. All KSK's which do not sign the zone are "stand-by"
+    keys.</p>
+<p>Any validating resolver which is configured to use the
+    active KSK as an RFC 5011-managed trust anchor will take note
+    of the stand-by KSKs in the zone's DNSKEY RRset, and store them
+    for future reference. The resolver will recheck the zone
+    periodically, and after 30 days, if the new key is still there,
+    then the key will be accepted by the resolver as a valid trust
+    anchor for the zone. Any time after this 30-day acceptance
+    timer has completed, the active KSK can be revoked, and the
+    zone can be "rolled over" to the newly accepted key.</p>
+<p>The easiest way to place a stand-by key in a zone is to
+    use the "smart signing" features of 
+    <span><strong class="command">dnssec-keygen</strong></span> and 
+    <span><strong class="command">dnssec-signzone</strong></span>. If a key with a publication
+    date in the past, but an activation date which is unset or in
+    the future, " 
+    <span><strong class="command">dnssec-signzone -S</strong></span>" will include the DNSKEY
+    record in the zone, but will not sign with it:</p>
+<pre class="screen">
+$ <strong class="userinput"><code>dnssec-keygen -K keys -f KSK -P now -A now+2y example.net</code></strong>
+$ <strong class="userinput"><code>dnssec-signzone -S -K keys example.net</code></strong>
+</pre>
+<p>To revoke a key, the new command 
+    <span><strong class="command">dnssec-revoke</strong></span> has been added. This adds the
+    REVOKED bit to the key flags and re-generates the 
+    <code class="filename">K*.key</code> and 
+    <code class="filename">K*.private</code> files.</p>
+<p>After revoking the active key, the zone must be signed
+    with both the revoked KSK and the new active KSK. (Smart
+    signing takes care of this automatically.)</p>
+<p>Once a key has been revoked and used to sign the DNSKEY
+    RRset in which it appears, that key will never again be
+    accepted as a valid trust anchor by the resolver. However,
+    validation can proceed using the new active key (which had been
+    accepted by the resolver when it was a stand-by key).</p>
+<p>See RFC 5011 for more details on key rollover
+    scenarios.</p>
+<p>When a key has been revoked, its key ID changes,
+    increasing by 128, and wrapping around at 65535. So, for
+    example, the key "<code class="filename">Kexample.com.+005+10000</code>" becomes
+    "<code class="filename">Kexample.com.+005+10128</code>".</p>
+<p>If two keys have ID's exactly 128 apart, and one is
+    revoked, then the two key ID's will collide, causing several
+    problems. To prevent this, 
+    <span><strong class="command">dnssec-keygen</strong></span> will not generate a new key if
+    another key is present which may collide. This checking will
+    only occur if the new keys are written to the same directory
+    which holds all other keys in use for that zone.</p>
+<p>Older versions of BIND 9 did not have this precaution.
+    Exercise caution if using key revocation on keys that were
+    generated by previous releases, or if using keys stored in
+    multiple directories or on multiple machines.</p>
+<p>It is expected that a future release of BIND 9 will
+    address this problem in a different way, by storing revoked
+    keys with their original unrevoked key ID's.</p>
+</div>
+</div>
+<div class="sect1" lang="en">
+<div class="titlepage"><div><div><h2 class="title" style="clear: both">
+<a name="pkcs11"></a>PKCS #11 (Cryptoki) support</h2></div></div></div>
+<p>PKCS #11 (Public Key Cryptography Standard #11) defines a
+  platform- independent API for the control of hardware security
+  modules (HSMs) and other cryptographic support devices.</p>
+<p>BIND 9 is known to work with two HSMs: The Sun SCA 6000
+  cryptographic acceleration board, tested under Solaris x86, and
+  the AEP Keyper network-attached key storage device, tested with
+  Debian Linux, Solaris x86 and Windows Server 2003.</p>
+<div class="sect2" lang="en">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="id2607939"></a>Prerequisites</h3></div></div></div>
+<p>See the HSM vendor documentation for information about
+    installing, initializing, testing and troubleshooting the
+    HSM.</p>
+<p>BIND 9 uses OpenSSL for cryptography, but stock OpenSSL
+    does not yet fully support PKCS #11. However, a PKCS #11 engine
+    for OpenSSL is available from the OpenSolaris project. It has
+    been modified by ISC to work with with BIND 9, and to provide
+    new features such as PIN management and key by
+    reference.</p>
+<p>The patched OpenSSL depends on a "PKCS #11 provider".
+    This is a shared library object, providing a low-level PKCS #11
+    interface to the HSM hardware. It is dynamically loaded by
+    OpenSSL at runtime. The PKCS #11 provider comes from the HSM
+    vendor, and and is specific to the HSM to be controlled.</p>
+<p>There are two "flavors" of PKCS #11 support provided by
+    the patched OpenSSL, one of which must be chosen at
+    configuration time. The correct choice depends on the HSM
+    hardware:</p>
+<div class="itemizedlist"><ul type="disc">
+<li><p>Use 'crypto-accelerator' with HSMs that have hardware
+        cryptographic acceleration features, such as the SCA 6000
+        board. This causes OpenSSL to run all supported
+        cryptographic operations in the HSM.</p></li>
+<li><p>Use 'sign-only' with HSMs that are designed to
+        function primarily as secure key storage devices, but lack
+        hardware acceleration. These devices are highly secure, but
+        are not necessarily any faster at cryptography than the
+        system CPU &#8212; often, they are slower. It is therefore
+        most efficient to use them only for those cryptographic
+        functions that require access to the secured private key,
+        such as zone signing, and to use the system CPU for all
+        other computationally-intensive operations. The AEP Keyper
+        is an example of such a device.</p></li>
+</ul></div>
+<p>The modified OpenSSL code is included in the BIND 9.7.0
+    release, in the form of a context diff against the latest OpenSSL.
+    </p>
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+      The latest OpenSSL version at the time of the BIND release
+      is 0.9.8l.
+      ISC will provide an updated patch as new versions of OpenSSL
+      are released. The version number in the following examples
+      is expected to change.</div>
+<p>
+    Before building BIND 9 with PKCS #11 support, it will be
+    necessary to build OpenSSL with this patch in place and inform
+    it of the path to the HSM-specific PKCS #11 provider
+    library.</p>
+<p>Obtain OpenSSL 0.9.8l:</p>
+<pre class="screen">
+$ <strong class="userinput"><code>wget <a href="" target="_top">http://www.openssl.org/source/openssl-0.9.8l.tar.gz</a></code></strong>
+</pre>
+<p>Extract the tarball:</p>
+<pre class="screen">
+$ <strong class="userinput"><code>tar zxf openssl-0.9.8l.tar.gz</code></strong>
+</pre>
+<p>Apply the patch from the BIND 9 release:</p>
+<pre class="screen">
+$ <strong class="userinput"><code>patch -p1 -d openssl-0.9.8l \
+            &lt; bind-9.7.0/bin/pkcs11/openssl-0.9.8l-patch</code></strong>
+</pre>
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>(Note that the patch file may not be compatible with the
+    "patch" utility on all operating systems. You may need to
+    install GNU patch.)</div>
+<p>When building OpenSSL, place it in a non-standard
+    location so that it does not interfere with OpenSSL libraries
+    elsewhere on the system. In the following examples, we choose
+    to install into "/opt/pkcs11/usr". We will use this location
+    when we configure BIND 9.</p>
+<div class="sect3" lang="en">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id2580318"></a>Building OpenSSL for the AEP Keyper on Linux</h4></div></div></div>
+<p>The AEP Keyper is a highly secure key storage device,
+      but does not provide hardware cryptographic acceleration. It
+      can carry out cryptographic operations, but it is probably
+      slower than your system's CPU. Therefore, we choose the
+      'sign-only' flavor when building OpenSSL.</p>
+<p>The Keyper-specific PKCS #11 provider library is
+      delivered with the Keyper software. In this example, we place
+      it /opt/pkcs11/usr/lib:</p>
+<pre class="screen">
+$ <strong class="userinput"><code>cp pkcs11.GCC4.0.2.so.4.05 /opt/pkcs11/usr/lib/libpkcs11.so</code></strong>
+</pre>
+<p>This library is only available for Linux as a 32-bit
+      binary. If we are compiling on a 64-bit Linux system, it is
+      necessary to force a 32-bit build, by specifying -m32 in the
+      build options.</p>
+<p>Finally, the Keyper library requires threads, so we
+      must specify -pthread.</p>
+<pre class="screen">
+$ <strong class="userinput"><code>cd openssl-0.9.8l</code></strong>
+$ <strong class="userinput"><code>./Configure linux-generic32 -m32 -pthread \
+            --pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so \
+            --pk11-flavor=sign-only \
+            --prefix=/opt/pkcs11/usr</code></strong>
+</pre>
+<p>After configuring, run "<span><strong class="command">make</strong></span>"
+      and "<span><strong class="command">make test</strong></span>". If "<span><strong class="command">make
+      test</strong></span>" fails with "pthread_atfork() not found", you forgot to
+      add the -pthread above.</p>
+</div>
+<div class="sect3" lang="en">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id2606056"></a>Building OpenSSL for the SCA 6000 on Solaris</h4></div></div></div>
+<p>The SCA-6000 PKCS #11 provider is installed as a system
+      library, libpkcs11. It is a true crypto accelerator, up to 4
+      times faster than any CPU, so the flavor shall be
+      'crypto-accelerator'.</p>
+<p>In this example, we are building on Solaris x86 on an
+      AMD64 system.</p>
+<pre class="screen">
+$ <strong class="userinput"><code>cd openssl-0.9.8l</code></strong>
+$ <strong class="userinput"><code>./Configure solaris64-x86_64-cc \
+            --pk11-libname=/usr/lib/64/libpkcs11.so \
+            --pk11-flavor=crypto-accelerator \
+            --prefix=/opt/pkcs11/usr</code></strong>
+</pre>
+<p>(For a 32-bit build, use "solaris-x86-cc" and
+      /usr/lib/libpkcs11.so.)</p>
+<p>After configuring, run 
+      <span><strong class="command">make</strong></span> and 
+      <span><strong class="command">make test</strong></span>.</p>
+<p>Once you have built OpenSSL, run
+      "<span><strong class="command">apps/openssl engine pkcs11</strong></span>" to confirm
+      that PKCS #11 support was compiled in correctly. The output
+      should be one of the following lines, depending on the flavor
+      selected:</p>
+<pre class="screen">
+        (pkcs11) PKCS #11 engine support (sign only)
+</pre>
+<p>Or:</p>
+<pre class="screen">
+        (pkcs11) PKCS #11 engine support (crypto accelerator)
+</pre>
+<p>Next, run
+      "<span><strong class="command">apps/openssl engine pkcs11 -t</strong></span>". This will
+      attempt to initialize the PKCS #11 engine. If it is able to
+      do so successfully, it will report
+      &#8220;<span class="quote"><code class="literal">[ available ]</code></span>&#8221;.</p>
+<p>If the output is correct, run
+      "<span><strong class="command">make install</strong></span>" which will install the
+      modified OpenSSL suite to 
+      <code class="filename">/opt/pkcs11/usr</code>.</p>
+</div>
+</div>
+<div class="sect2" lang="en">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="id2606230"></a>Building BIND 9 with PKCS#11</h3></div></div></div>
+<p>When building BIND 9, the location of the custom-built
+    OpenSSL library must be specified via configure.</p>
+<div class="sect3" lang="en">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id2606238"></a>Configuring BIND 9 for Linux</h4></div></div></div>
+<p>To link with the PKCS #11 provider, threads must be
+      enabled in the BIND 9 build.</p>
+<p>The PKCS #11 library for the AEP Keyper is currently
+      only available as a 32-bit binary. If we are building on a
+      64-bit host, we must force a 32-bit build by adding "-m32" to
+      the CC options on the "configure" command line.</p>
+<pre class="screen">
+$ <strong class="userinput"><code>cd ../bind-9.7.0</code></strong>
+$ <strong class="userinput"><code>./configure CC="gcc -m32" --enable-threads \
+           --with-openssl=/opt/pkcs11/usr \
+           --with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so</code></strong>
+</pre>
+</div>
+<div class="sect3" lang="en">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id2606269"></a>Configuring BIND 9 for Solaris</h4></div></div></div>
+<p>To link with the PKCS #11 provider, threads must be
+      enabled in the BIND 9 build.</p>
+<pre class="screen">
+$ <strong class="userinput"><code>cd ../bind-9.7.0</code></strong>
+$ <strong class="userinput"><code>./configure CC="cc -xarch=amd64" --enable-threads \
+            --with-openssl=/opt/pkcs11/usr \
+            --with-pkcs11=/usr/lib/64/libpkcs11.so</code></strong>
+</pre>
+<p>(For a 32-bit build, omit CC="cc -xarch=amd64".)</p>
+<p>If configure complains about OpenSSL not working, you
+      may have a 32/64-bit architecture mismatch. Or, you may have
+      incorrectly specified the path to OpenSSL (it should be the
+      same as the --prefix argument to the OpenSSL
+      Configure).</p>
+</div>
+<p>After configuring, run
+    "<span><strong class="command">make</strong></span>",
+    "<span><strong class="command">make test</strong></span>" and
+    "<span><strong class="command">make install</strong></span>".</p>
+</div>
+<div class="sect2" lang="en">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="id2606325"></a>PKCS #11 Tools</h3></div></div></div>
+<p>BIND 9 includes a minimal set of tools to operate the
+    HSM, including 
+    <span><strong class="command">pkcs11-keygen</strong></span> to generate a new key pair
+    within the HSM, 
+    <span><strong class="command">pkcs11-list</strong></span> to list objects currently
+    available, and 
+    <span><strong class="command">pkcs11-destroy</strong></span> to remove objects.</p>
+<p>In UNIX/Linux builds, these tools are built only if BIND
+    9 is configured with the --with-pkcs11 option. (NOTE: If
+    --with-pkcs11 is set to "yes", rather than to the path of the
+    PKCS #11 provider, then the tools will be built but the
+    provider will be left undefined. Use the -m option or the
+    PKCS11_PROVIDER environment variable to specify the path to the
+    provider.)</p>
+</div>
+<div class="sect2" lang="en">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="id2606356"></a>Using the HSM</h3></div></div></div>
+<p>First, we must set up the runtime environment so the
+    OpenSSL and PKCS #11 libraries can be loaded:</p>
+<pre class="screen">
+$ <strong class="userinput"><code>export LD_LIBRARY_PATH=/opt/pkcs11/usr/lib:${LD_LIBRARY_PATH}</code></strong>
+</pre>
+<p>When operating an AEP Keyper, it is also necessary to
+    specify the location of the "machine" file, which stores
+    information about the Keyper for use by PKCS #11 provider
+    library. If the machine file is in 
+    <code class="filename">/opt/Keyper/PKCS11Provider/machine</code>,
+    use:</p>
+<pre class="screen">
+$ <strong class="userinput"><code>export KEYPER_LIBRARY_PATH=/opt/Keyper/PKCS11Provider</code></strong>
+</pre>
+<p>These environment variables must be set whenever running
+    any tool that uses the HSM, including 
+    <span><strong class="command">pkcs11-keygen</strong></span>, 
+    <span><strong class="command">pkcs11-list</strong></span>, 
+    <span><strong class="command">pkcs11-destroy</strong></span>, 
+    <span><strong class="command">dnssec-keyfromlabel</strong></span>, 
+    <span><strong class="command">dnssec-signzone</strong></span>, 
+    <span><strong class="command">dnssec-keygen</strong></span>(which will use the HSM for
+    random number generation), and 
+    <span><strong class="command">named</strong></span>.</p>
+<p>We can now create and use keys in the HSM. In this case,
+    we will create a 2048 bit key and give it the label
+    "sample-ksk":</p>
+<pre class="screen">
+$ <strong class="userinput"><code>pkcs11-keygen -b 2048 -l sample-ksk</code></strong>
+</pre>
+<p>To confirm that the key exists:</p>
+<pre class="screen">
+$ <strong class="userinput"><code>pkcs11-list</code></strong>
+Enter PIN:
+object[0]: handle 2147483658 class 3 label[8] 'sample-ksk' id[0]
+object[1]: handle 2147483657 class 2 label[8] 'sample-ksk' id[0]
+</pre>
+<p>Before using this key to sign a zone, we must create a
+    pair of BIND 9 key files. The "dnssec-keyfromlabel" utility
+    does this. In this case, we will be using the HSM key
+    "sample-ksk" as the key-signing key for "example.net":</p>
+<pre class="screen">
+$ <strong class="userinput"><code>dnssec-keyfromlabel -l sample-ksk -f KSK example.net</code></strong>
+</pre>
+<p>The resulting K*.key and K*.private files can now be used
+    to sign the zone. Unlike normal K* files, which contain both
+    public and private key data, these files will contain only the
+    public key data, plus an identifier for the private key which
+    remains stored within the HSM. The HSM handles signing with the
+    private key.</p>
+<p>If you wish to generate a second key in the HSM for use
+    as a zone-signing key, follow the same procedure above, using a
+    different keylabel, a smaller key size, and omitting "-f KSK"
+    from the dnssec-keyfromlabel arguments:</p>
+<pre class="screen">
+$ <strong class="userinput"><code>pkcs11-keygen -b 1024 -l sample-zsk</code></strong>
+$ <strong class="userinput"><code>dnssec-keyfromlabel -l sample-zsk example.net</code></strong>
+</pre>
+<p>Alternatively, you may prefer to generate a conventional
+    on-disk key, using dnssec-keygen:</p>
+<pre class="screen">
+$ <strong class="userinput"><code>dnssec-keygen example.net</code></strong>
+</pre>
+<p>This provides less security than an HSM key, but since
+    HSMs can be slow or cumbersome to use for security reasons, it
+    may be more efficient to reserve HSM keys for use in the less
+    frequent key-signing operation. The zone-signing key can be
+    rolled more frequently, if you wish, to compensate for a
+    reduction in key security.</p>
+<p>Now you can sign the zone. (Note: If not using the -S
+    option to 
+    <span><strong class="command">dnssec-signzone</strong></span>, it will be necessary to add
+    the contents of both 
+    <code class="filename">K*.key</code> files to the zone master file before
+    signing it.)</p>
+<pre class="screen">
+$ <strong class="userinput"><code>dnssec-signzone -S example.net</code></strong>
+Enter PIN:
+Verifying the zone using the following algorithms:
+NSEC3RSASHA1.
+Zone signing complete:
+Algorithm: NSEC3RSASHA1: ZSKs: 1, KSKs: 1 active, 0 revoked, 0 stand-by
+example.net.signed
+</pre>
+</div>
+<div class="sect2" lang="en">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="id2608124"></a>Specifying the engine on the command line</h3></div></div></div>
+<p>The OpenSSL engine can be specified in 
+    <span><strong class="command">named</strong></span> and all of the BIND 
+    <span><strong class="command">dnssec-*</strong></span> tools by using the "-E
+    &lt;engine&gt;" command line option. If BIND 9 is built with
+    the --with-pkcs11 option, this option defaults to "pkcs11".
+    Specifying the engine will generally not be necessary unless
+    for some reason you wish to use a different OpenSSL
+    engine.</p>
+<p>If you wish to disable use of the "pkcs11" engine &#8212;
+    for troubleshooting purposes, or because the HSM is unavailable
+    &#8212; set the engine to the empty string. For example:</p>
+<pre class="screen">
+$ <strong class="userinput"><code>dnssec-signzone -E '' -S example.net</code></strong>
+</pre>
+<p>This causes 
+    <span><strong class="command">dnssec-signzone</strong></span> to run as if it were compiled
+    without the --with-pkcs11 option.</p>
+</div>
+<div class="sect2" lang="en">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="id2608443"></a>Running named with automatic zone re-signing</h3></div></div></div>
+<p>If you want 
+    <span><strong class="command">named</strong></span> to dynamically re-sign zones using HSM
+    keys, and/or to to sign new records inserted via nsupdate, then
+    named must have access to the HSM PIN. This can be accomplished
+    by placing the PIN into the openssl.cnf file (in the above
+    examples, 
+    <code class="filename">/opt/pkcs11/usr/ssl/openssl.cnf</code>).</p>
+<p>The location of the openssl.cnf file can be overridden by
+    setting the OPENSSL_CONF environment variable before running
+    named.</p>
+<p>Sample openssl.cnf:</p>
+<pre class="programlisting">
+        openssl_conf = openssl_def
+        [ openssl_def ]
+        engines = engine_section
+        [ engine_section ]
+        pkcs11 = pkcs11_section
+        [ pkcs11_section ]
+        PIN = <em class="replaceable"><code>&lt;PLACE PIN HERE&gt;</code></em>
+</pre>
+<p>This will also allow the dnssec-* tools to access the HSM
+    without PIN entry. (The pkcs11-* tools access the HSM directly,
+    not via OpenSSL, so a PIN will still be required to use
+    them.)</p>
+<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Warning</h3>
+<p>Placing the HSM's PIN in a text file in
+      this manner may reduce the security advantage of using an
+      HSM. Be sure this is what you want to do before configuring
+      OpenSSL in this way.</p>
+</div>
+</div>
+</div>
+<div class="sect1" lang="en">
+<div class="titlepage"><div><div><h2 class="title" style="clear: both">
+<a name="id2572077"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
 <p>
         <acronym class="acronym">BIND</acronym> 9 fully supports all currently
         defined forms of IPv6 name to address and address to name
@@ -1057,7 +1754,7 @@ options {
       </p>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2572331"></a>Address Lookups Using AAAA Records</h3></div></div></div>
+<a name="id2572344"></a>Address Lookups Using AAAA Records</h3></div></div></div>
 <p>
           The IPv6 AAAA record is a parallel to the IPv4 A record,
           and, unlike the deprecated A6 record, specifies the entire
@@ -1076,7 +1773,7 @@ host            3600    IN      AAAA    2001:db8::1
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2572353"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div>
+<a name="id2572434"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div>
 <p>
           When looking up an address in nibble format, the address
           components are simply reversed, just as in IPv4, and
diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html
index bc5d02a1..a1690f75 100644
--- a/doc/arm/Bv9ARM.ch05.html
+++ b/doc/arm/Bv9ARM.ch05.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: Bv9ARM.ch05.html,v 1.84.22.1 2010/01/08 02:08:24 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch05.html,v 1.84.22.2 2010/02/03 02:08:10 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -45,13 +45,13 @@
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572454">The Lightweight Resolver Library</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572467">The Lightweight Resolver Library</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch05.html#lwresd">Running a Resolver Daemon</a></span></dt>
 </dl>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2572454"></a>The Lightweight Resolver Library</h2></div></div></div>
+<a name="id2572467"></a>The Lightweight Resolver Library</h2></div></div></div>
 <p>
         Traditionally applications have been linked with a stub resolver
         library that sends recursive DNS queries to a local caching name
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index a76ee137..7173ab89 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: Bv9ARM.ch06.html,v 1.249.4.2 2010/01/08 02:08:24 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch06.html,v 1.249.4.4 2010/02/03 02:08:10 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -48,58 +48,58 @@
 <dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573932">Comment Syntax</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573945">Comment Syntax</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574518"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574531"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and
           Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574776"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574789"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and
           Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575136"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575153"><span><strong class="command">include</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575148"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575165"><span><strong class="command">include</strong></span> Statement Definition and
           Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575176"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575200"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575290"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575416"><span><strong class="command">logging</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575189"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575212"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575303"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575429"><span><strong class="command">logging</strong></span> Statement Definition and
           Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577483"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577557"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577689"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577733"><span><strong class="command">masters</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577496"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577570"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577702"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577746"><span><strong class="command">masters</strong></span> Statement Definition and
           Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577748"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577761"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and
           Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and
             Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#statschannels"><span><strong class="command">statistics-channels</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588122"><span><strong class="command">statistics-channels</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588203"><span><strong class="command">statistics-channels</strong></span> Statement Definition and
             Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588277"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588328"><span><strong class="command">trusted-keys</strong></span> Statement Definition
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#trusted-keys"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588411"><span><strong class="command">trusted-keys</strong></span> Statement Definition
             and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588375"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588494"><span><strong class="command">managed-keys</strong></span> Statement Definition
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588458"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#managed-keys"><span><strong class="command">managed-keys</strong></span> Statement Definition
             and Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588867"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588952"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span>
             Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590440"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590525"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
 </dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2593176">Zone File</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2593193">Zone File</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2595406">Discussion of MX Records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2595424">Discussion of MX Records</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2595954">Inverse Mapping in IPv4</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2596149">Other Zone File Directives</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2596422"><acronym class="acronym">BIND</acronym> Master File Extension: the  <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2596039">Inverse Mapping in IPv4</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2596166">Other Zone File Directives</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2596439"><acronym class="acronym">BIND</acronym> Master File Extension: the  <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt>
@@ -477,7 +477,7 @@
 <a name="address_match_lists"></a>Address Match Lists</h3></div></div></div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2573630"></a>Syntax</h4></div></div></div>
+<a name="id2573643"></a>Syntax</h4></div></div></div>
 <pre class="programlisting"><code class="varname">address_match_list</code> = address_match_list_element ;
   [<span class="optional"> address_match_list_element; ... </span>]
 <code class="varname">address_match_list_element</code> = [<span class="optional"> ! </span>] (ip_address [<span class="optional">/length</span>] |
@@ -486,7 +486,7 @@
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2573658"></a>Definition and Usage</h4></div></div></div>
+<a name="id2573671"></a>Definition and Usage</h4></div></div></div>
 <p>
             Address match lists are primarily used to determine access
             control for various server operations. They are also used in
@@ -570,7 +570,7 @@
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2573932"></a>Comment Syntax</h3></div></div></div>
+<a name="id2573945"></a>Comment Syntax</h3></div></div></div>
 <p>
           The <acronym class="acronym">BIND</acronym> 9 comment syntax allows for
           comments to appear
@@ -580,7 +580,7 @@
         </p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2573947"></a>Syntax</h4></div></div></div>
+<a name="id2573960"></a>Syntax</h4></div></div></div>
 <p>
             </p>
 <pre class="programlisting">/* This is a <acronym class="acronym">BIND</acronym> comment as in C */</pre>
@@ -596,7 +596,7 @@
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2573977"></a>Definition and Usage</h4></div></div></div>
+<a name="id2573990"></a>Definition and Usage</h4></div></div></div>
 <p>
             Comments may appear anywhere that whitespace may appear in
             a <acronym class="acronym">BIND</acronym> configuration file.
@@ -848,7 +848,7 @@
       </p>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2574518"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2574531"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
 <pre class="programlisting"><span><strong class="command">acl</strong></span> acl-name {
     address_match_list
 };
@@ -930,7 +930,7 @@
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2574776"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2574789"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
 <pre class="programlisting"><span><strong class="command">controls</strong></span> {
    [ inet ( ip_addr | * ) [ port ip_port ]
                 allow { <em class="replaceable"><code> address_match_list </code></em> }
@@ -1054,12 +1054,12 @@
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2575136"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2575148"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
 <pre class="programlisting"><span><strong class="command">include</strong></span> <em class="replaceable"><code>filename</code></em>;</pre>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2575153"></a><span><strong class="command">include</strong></span> Statement Definition and
+<a name="id2575165"></a><span><strong class="command">include</strong></span> Statement Definition and
           Usage</h3></div></div></div>
 <p>
           The <span><strong class="command">include</strong></span> statement inserts the
@@ -1074,7 +1074,7 @@
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2575176"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2575189"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
 <pre class="programlisting"><span><strong class="command">key</strong></span> <em class="replaceable"><code>key_id</code></em> {
     algorithm <em class="replaceable"><code>string</code></em>;
     secret <em class="replaceable"><code>string</code></em>;
@@ -1083,7 +1083,7 @@
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2575200"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
+<a name="id2575212"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
 <p>
           The <span><strong class="command">key</strong></span> statement defines a shared
           secret key for use with TSIG (see <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called &#8220;TSIG&#8221;</a>)
@@ -1130,7 +1130,7 @@
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2575290"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2575303"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
 <pre class="programlisting"><span><strong class="command">logging</strong></span> {
    [ <span><strong class="command">channel</strong></span> <em class="replaceable"><code>channel_name</code></em> {
      ( <span><strong class="command">file</strong></span> <em class="replaceable"><code>path_name</code></em>
@@ -1154,7 +1154,7 @@
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2575416"></a><span><strong class="command">logging</strong></span> Statement Definition and
+<a name="id2575429"></a><span><strong class="command">logging</strong></span> Statement Definition and
           Usage</h3></div></div></div>
 <p>
           The <span><strong class="command">logging</strong></span> statement configures a
@@ -1188,7 +1188,7 @@
         </p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2575468"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
+<a name="id2575481"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
 <p>
             All log output goes to one or more <span class="emphasis"><em>channels</em></span>;
             you can make as many of them as you want.
@@ -1753,7 +1753,7 @@ category notify { null; };
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2576964"></a>The <span><strong class="command">query-errors</strong></span> Category</h4></div></div></div>
+<a name="id2576977"></a>The <span><strong class="command">query-errors</strong></span> Category</h4></div></div></div>
 <p>
             The <span><strong class="command">query-errors</strong></span> category is
             specifically intended for debugging purposes: To identify
@@ -1981,7 +1981,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2577483"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2577496"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
 <p>
            This is the grammar of the <span><strong class="command">lwres</strong></span>
           statement in the <code class="filename">named.conf</code> file:
@@ -1997,7 +1997,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2577557"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
+<a name="id2577570"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
 <p>
           The <span><strong class="command">lwres</strong></span> statement configures the
           name
@@ -2048,7 +2048,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2577689"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2577702"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
 <pre class="programlisting">
 <span><strong class="command">masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | 
       <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] };
@@ -2056,7 +2056,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2577733"></a><span><strong class="command">masters</strong></span> Statement Definition and
+<a name="id2577746"></a><span><strong class="command">masters</strong></span> Statement Definition and
           Usage</h3></div></div></div>
 <p><span><strong class="command">masters</strong></span>
           lists allow for a common set of masters to be easily used by
@@ -2065,7 +2065,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2577748"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2577761"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
 <p>
           This is the grammar of the <span><strong class="command">options</strong></span>
           statement in the <code class="filename">named.conf</code> file:
@@ -3517,7 +3517,7 @@ options {
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2582836"></a>Forwarding</h4></div></div></div>
+<a name="id2582849"></a>Forwarding</h4></div></div></div>
 <p>
             The forwarding facility can be used to create a large site-wide
             cache on a few servers, reducing traffic over links to external
@@ -3561,7 +3561,7 @@ options {
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2583031"></a>Dual-stack Servers</h4></div></div></div>
+<a name="id2583044"></a>Dual-stack Servers</h4></div></div></div>
 <p>
             Dual-stack servers are used as servers of last resort to work
             around
@@ -3758,7 +3758,7 @@ options {
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2583468"></a>Interfaces</h4></div></div></div>
+<a name="id2583481"></a>Interfaces</h4></div></div></div>
 <p>
             The interfaces and ports that the server will answer queries
             from may be specified using the <span><strong class="command">listen-on</strong></span> option. <span><strong class="command">listen-on</strong></span> takes
@@ -4210,7 +4210,7 @@ avoid-v6-udp-ports {};
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2584672"></a>UDP Port Lists</h4></div></div></div>
+<a name="id2584684"></a>UDP Port Lists</h4></div></div></div>
 <p>
             <span><strong class="command">use-v4-udp-ports</strong></span>,
             <span><strong class="command">avoid-v4-udp-ports</strong></span>,
@@ -4252,7 +4252,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2584731"></a>Operating System Resource Limits</h4></div></div></div>
+<a name="id2584744"></a>Operating System Resource Limits</h4></div></div></div>
 <p>
             The server's usage of many system resources can be limited.
             Scaled values are allowed when specifying resource limits.  For
@@ -4414,7 +4414,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2585222"></a>Periodic Task Intervals</h4></div></div></div>
+<a name="id2585235"></a>Periodic Task Intervals</h4></div></div></div>
 <div class="variablelist"><dl>
 <dt><span class="term"><span><strong class="command">cleaning-interval</strong></span></span></dt>
 <dd><p>
@@ -4960,7 +4960,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 <dt><span class="term"><span><strong class="command">notify-delay</strong></span></span></dt>
 <dd><p>
                   The delay, in seconds, between sending sets of notify
-                  messages for a zone.  The default is zero.
+                  messages for a zone.  The default is five (5) seconds.
                 </p></dd>
 </dl></div>
 </div>
@@ -5210,7 +5210,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2587165"></a>Content Filtering</h4></div></div></div>
+<a name="id2587315"></a>Content Filtering</h4></div></div></div>
 <p>
             <acronym class="acronym">BIND</acronym> 9 provides the ability to filter
             out DNS responses from external DNS servers containing
@@ -5540,7 +5540,7 @@ deny-answer-aliases { "example.net"; };
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2588122"></a><span><strong class="command">statistics-channels</strong></span> Statement Definition and
+<a name="id2588203"></a><span><strong class="command">statistics-channels</strong></span> Statement Definition and
             Usage</h3></div></div></div>
 <p>
           The <span><strong class="command">statistics-channels</strong></span> statement
@@ -5591,7 +5591,7 @@ deny-answer-aliases { "example.net"; };
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2588277"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
+<a name="trusted-keys"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
 <pre class="programlisting"><span><strong class="command">trusted-keys</strong></span> {
     <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ;
     [<span class="optional"> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>]
@@ -5600,7 +5600,7 @@ deny-answer-aliases { "example.net"; };
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2588328"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
+<a name="id2588411"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
             and Usage</h3></div></div></div>
 <p>
             The <span><strong class="command">trusted-keys</strong></span> statement defines
@@ -5640,7 +5640,7 @@ deny-answer-aliases { "example.net"; };
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2588375"></a><span><strong class="command">managed-keys</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2588458"></a><span><strong class="command">managed-keys</strong></span> Statement Grammar</h3></div></div></div>
 <pre class="programlisting"><span><strong class="command">managed-keys</strong></span> {
     <em class="replaceable"><code>string</code></em> initial-key <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ;
     [<span class="optional"> <em class="replaceable"><code>string</code></em> initial-key <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>]
@@ -5649,7 +5649,7 @@ deny-answer-aliases { "example.net"; };
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2588494"></a><span><strong class="command">managed-keys</strong></span> Statement Definition
+<a name="managed-keys"></a><span><strong class="command">managed-keys</strong></span> Statement Definition
             and Usage</h3></div></div></div>
 <p>
             The <span><strong class="command">managed-keys</strong></span> statement, like 
@@ -5775,7 +5775,7 @@ deny-answer-aliases { "example.net"; };
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2588867"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
+<a name="id2588952"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
 <p>
             The <span><strong class="command">view</strong></span> statement is a powerful
             feature
@@ -6055,10 +6055,10 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2590440"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
+<a name="id2590525"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2590448"></a>Zone Types</h4></div></div></div>
+<a name="id2590533"></a>Zone Types</h4></div></div></div>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
@@ -6269,7 +6269,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2590807"></a>Class</h4></div></div></div>
+<a name="id2590892"></a>Class</h4></div></div></div>
 <p>
               The zone's name may optionally be followed by a class. If
               a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>),
@@ -6291,7 +6291,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2590840"></a>Zone Options</h4></div></div></div>
+<a name="id2590994"></a>Zone Options</h4></div></div></div>
 <div class="variablelist"><dl>
 <dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt>
 <dd><p>
@@ -6962,7 +6962,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2593176"></a>Zone File</h2></div></div></div>
+<a name="id2593193"></a>Zone File</h2></div></div></div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="types_of_resource_records_and_when_to_use_them"></a>Types of Resource Records and When to Use Them</h3></div></div></div>
@@ -6975,7 +6975,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
           </p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2593262"></a>Resource Records</h4></div></div></div>
+<a name="id2593211"></a>Resource Records</h4></div></div></div>
 <p>
               A domain name identifies a node.  Each node has a set of
               resource information, which may be empty.  The set of resource
@@ -7712,7 +7712,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2594886"></a>Textual expression of RRs</h4></div></div></div>
+<a name="id2594903"></a>Textual expression of RRs</h4></div></div></div>
 <p>
               RRs are represented in binary form in the packets of the DNS
               protocol, and are usually represented in highly encoded form
@@ -7915,7 +7915,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2595406"></a>Discussion of MX Records</h3></div></div></div>
+<a name="id2595424"></a>Discussion of MX Records</h3></div></div></div>
 <p>
             As described above, domain servers store information as a
             series of resource records, each of which contains a particular
@@ -8171,7 +8171,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2595954"></a>Inverse Mapping in IPv4</h3></div></div></div>
+<a name="id2596039"></a>Inverse Mapping in IPv4</h3></div></div></div>
 <p>
             Reverse name resolution (that is, translation from IP address
             to name) is achieved by means of the <span class="emphasis"><em>in-addr.arpa</em></span> domain
@@ -8232,7 +8232,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2596149"></a>Other Zone File Directives</h3></div></div></div>
+<a name="id2596166"></a>Other Zone File Directives</h3></div></div></div>
 <p>
             The Master File Format was initially defined in RFC 1035 and
             has subsequently been extended. While the Master File Format
@@ -8247,7 +8247,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
           </p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2596171"></a>The <span><strong class="command">@</strong></span> (at-sign)</h4></div></div></div>
+<a name="id2596257"></a>The <span><strong class="command">@</strong></span> (at-sign)</h4></div></div></div>
 <p>
               When used in the label (or name) field, the asperand or
               at-sign (@) symbol represents the current origin.
@@ -8258,7 +8258,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2596256"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
+<a name="id2596273"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
 <p>
               Syntax: <span><strong class="command">$ORIGIN</strong></span>
               <em class="replaceable"><code>domain-name</code></em>
@@ -8287,7 +8287,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2596316"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
+<a name="id2596333"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
 <p>
               Syntax: <span><strong class="command">$INCLUDE</strong></span>
               <em class="replaceable"><code>filename</code></em>
@@ -8323,7 +8323,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2596386"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
+<a name="id2596403"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
 <p>
               Syntax: <span><strong class="command">$TTL</strong></span>
               <em class="replaceable"><code>default-ttl</code></em>
@@ -8342,7 +8342,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2596422"></a><acronym class="acronym">BIND</acronym> Master File Extension: the  <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
+<a name="id2596439"></a><acronym class="acronym">BIND</acronym> Master File Extension: the  <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
 <p>
             Syntax: <span><strong class="command">$GENERATE</strong></span>
             <em class="replaceable"><code>range</code></em>
@@ -8766,7 +8766,7 @@ HOST-127.EXAMPLE. MX 0 .
           </p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2597444"></a>Name Server Statistics Counters</h4></div></div></div>
+<a name="id2597529"></a>Name Server Statistics Counters</h4></div></div></div>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
@@ -9323,7 +9323,7 @@ HOST-127.EXAMPLE. MX 0 .
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2598917"></a>Zone Maintenance Statistics Counters</h4></div></div></div>
+<a name="id2599002"></a>Zone Maintenance Statistics Counters</h4></div></div></div>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
@@ -9477,7 +9477,7 @@ HOST-127.EXAMPLE. MX 0 .
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2599436"></a>Resolver Statistics Counters</h4></div></div></div>
+<a name="id2599453"></a>Resolver Statistics Counters</h4></div></div></div>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
@@ -9860,7 +9860,7 @@ HOST-127.EXAMPLE. MX 0 .
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2600458"></a>Socket I/O Statistics Counters</h4></div></div></div>
+<a name="id2600475"></a>Socket I/O Statistics Counters</h4></div></div></div>
 <p>
               Socket I/O statistics counters are defined per socket
               types, which are
@@ -10015,7 +10015,7 @@ HOST-127.EXAMPLE. MX 0 .
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2600900"></a>Compatibility with <span class="emphasis"><em>BIND</em></span> 8 Counters</h4></div></div></div>
+<a name="id2600917"></a>Compatibility with <span class="emphasis"><em>BIND</em></span> 8 Counters</h4></div></div></div>
 <p>
               Most statistics counters that were available
               in <span><strong class="command">BIND</strong></span> 8 are also supported in
diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index 02d84d46..2742c2fb 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: Bv9ARM.ch07.html,v 1.220.4.2 2010/01/08 02:08:25 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch07.html,v 1.220.4.3 2010/02/03 02:08:11 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -46,10 +46,10 @@
 <p><b>Table of Contents</b></p>
 <dl>
 <dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2601142"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2601159"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2601223">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2601283">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2601308">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2601368">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
 </dl>
@@ -122,7 +122,7 @@ zone "example.com" {
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2601142"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
+<a name="id2601159"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
 </h2></div></div></div>
 <p>
           On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym>
@@ -148,7 +148,7 @@ zone "example.com" {
         </p>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2601223"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
+<a name="id2601308"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
 <p>
             In order for a <span><strong class="command">chroot</strong></span> environment
             to
@@ -176,7 +176,7 @@ zone "example.com" {
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2601283"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
+<a name="id2601368"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
 <p>
             Prior to running the <span><strong class="command">named</strong></span> daemon,
             use
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index 578609e7..1aae0d76 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: Bv9ARM.ch08.html,v 1.220.4.2 2010/01/08 02:08:25 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch08.html,v 1.220.4.3 2010/02/03 02:08:11 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -45,18 +45,18 @@
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2601363">Common Problems</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2601368">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2601380">Incrementing and Changing the Serial Number</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2601397">Where Can I Get Help?</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2601448">Common Problems</a></span></dt>
+<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2601453">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2601465">Incrementing and Changing the Serial Number</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2601482">Where Can I Get Help?</a></span></dt>
 </dl>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2601363"></a>Common Problems</h2></div></div></div>
+<a name="id2601448"></a>Common Problems</h2></div></div></div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2601368"></a>It's not working; how can I figure out what's wrong?</h3></div></div></div>
+<a name="id2601453"></a>It's not working; how can I figure out what's wrong?</h3></div></div></div>
 <p>
             The best solution to solving installation and
             configuration issues is to take preventative measures by setting
@@ -68,7 +68,7 @@
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2601380"></a>Incrementing and Changing the Serial Number</h2></div></div></div>
+<a name="id2601465"></a>Incrementing and Changing the Serial Number</h2></div></div></div>
 <p>
           Zone serial numbers are just numbers &#8212; they aren't
           date related.  A lot of people set them to a number that
@@ -95,7 +95,7 @@
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2601397"></a>Where Can I Get Help?</h2></div></div></div>
+<a name="id2601482"></a>Where Can I Get Help?</h2></div></div></div>
 <p>
           The Internet Systems Consortium
           (<acronym class="acronym">ISC</acronym>) offers a wide range
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index a8e96f8a..50726b4e 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: Bv9ARM.ch09.html,v 1.222.4.2 2010/01/08 02:08:25 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch09.html,v 1.222.4.4 2010/02/04 02:08:19 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -45,21 +45,31 @@
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2601595">Acknowledgments</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2601612">Acknowledgments</a></span></dt>
 <dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#historical_dns_information">A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2601835">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2601921">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
 <dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt></dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch09.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch09.html#rfcs">Request for Comments (RFCs)</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch09.html#internet_drafts">Internet Drafts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2605047">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2605064">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
+</dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#bind9.library">BIND 9 DNS Library Support</a></span></dt>
+<dd><dl>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2607411">Prerequisite</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2607420">Compilation</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2605329">Installation</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2605360">Known Defects/Restrictions</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2606529">The dns.conf File</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2606555">Sample Applications</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2607528">Library References</a></span></dt>
 </dl></dd>
 </dl>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2601595"></a>Acknowledgments</h2></div></div></div>
+<a name="id2601612"></a>Acknowledgments</h2></div></div></div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="historical_dns_information"></a>A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym>
@@ -162,7 +172,7 @@
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2601835"></a>General <acronym class="acronym">DNS</acronym> Reference Information</h2></div></div></div>
+<a name="id2601921"></a>General <acronym class="acronym">DNS</acronym> Reference Information</h2></div></div></div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="ipv6addresses"></a>IPv6 addresses (AAAA)</h3></div></div></div>
@@ -250,17 +260,17 @@
           </p>
 <div class="bibliography">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2602023"></a>Bibliography</h4></div></div></div>
+<a name="id2602040"></a>Bibliography</h4></div></div></div>
 <div class="bibliodiv">
 <h3 class="title">Standards</h3>
 <div class="biblioentry">
-<a name="id2602034"></a><p>[<abbr class="abbrev">RFC974</abbr>] <span class="author"><span class="firstname">C.</span> <span class="surname">Partridge</span>. </span><span class="title"><i>Mail Routing and the Domain System</i>. </span><span class="pubdate">January 1986. </span></p>
+<a name="id2602051"></a><p>[<abbr class="abbrev">RFC974</abbr>] <span class="author"><span class="firstname">C.</span> <span class="surname">Partridge</span>. </span><span class="title"><i>Mail Routing and the Domain System</i>. </span><span class="pubdate">January 1986. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602057"></a><p>[<abbr class="abbrev">RFC1034</abbr>] <span class="author"><span class="firstname">P.V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Concepts and Facilities</i>. </span><span class="pubdate">November 1987. </span></p>
+<a name="id2602074"></a><p>[<abbr class="abbrev">RFC1034</abbr>] <span class="author"><span class="firstname">P.V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Concepts and Facilities</i>. </span><span class="pubdate">November 1987. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602081"></a><p>[<abbr class="abbrev">RFC1035</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Implementation and
+<a name="id2602098"></a><p>[<abbr class="abbrev">RFC1035</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Implementation and
                   Specification</i>. </span><span class="pubdate">November 1987. </span></p>
 </div>
 </div>
@@ -268,42 +278,42 @@
 <h3 class="title">
 <a name="proposed_standards"></a>Proposed Standards</h3>
 <div class="biblioentry">
-<a name="id2602117"></a><p>[<abbr class="abbrev">RFC2181</abbr>] <span class="author"><span class="firstname">R., R. Bush</span> <span class="surname">Elz</span>. </span><span class="title"><i>Clarifications to the <acronym class="acronym">DNS</acronym>
+<a name="id2602134"></a><p>[<abbr class="abbrev">RFC2181</abbr>] <span class="author"><span class="firstname">R., R. Bush</span> <span class="surname">Elz</span>. </span><span class="title"><i>Clarifications to the <acronym class="acronym">DNS</acronym>
                   Specification</i>. </span><span class="pubdate">July 1997. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602144"></a><p>[<abbr class="abbrev">RFC2308</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Andrews</span>. </span><span class="title"><i>Negative Caching of <acronym class="acronym">DNS</acronym>
+<a name="id2602161"></a><p>[<abbr class="abbrev">RFC2308</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Andrews</span>. </span><span class="title"><i>Negative Caching of <acronym class="acronym">DNS</acronym>
                   Queries</i>. </span><span class="pubdate">March 1998. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602169"></a><p>[<abbr class="abbrev">RFC1995</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Ohta</span>. </span><span class="title"><i>Incremental Zone Transfer in <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">August 1996. </span></p>
+<a name="id2602186"></a><p>[<abbr class="abbrev">RFC1995</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Ohta</span>. </span><span class="title"><i>Incremental Zone Transfer in <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">August 1996. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602194"></a><p>[<abbr class="abbrev">RFC1996</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A Mechanism for Prompt Notification of Zone Changes</i>. </span><span class="pubdate">August 1996. </span></p>
+<a name="id2602211"></a><p>[<abbr class="abbrev">RFC1996</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A Mechanism for Prompt Notification of Zone Changes</i>. </span><span class="pubdate">August 1996. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602217"></a><p>[<abbr class="abbrev">RFC2136</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">Y.</span> <span class="surname">Rekhter</span>, and <span class="firstname">J.</span> <span class="surname">Bound</span>. </span><span class="title"><i>Dynamic Updates in the Domain Name System</i>. </span><span class="pubdate">April 1997. </span></p>
+<a name="id2602234"></a><p>[<abbr class="abbrev">RFC2136</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">Y.</span> <span class="surname">Rekhter</span>, and <span class="firstname">J.</span> <span class="surname">Bound</span>. </span><span class="title"><i>Dynamic Updates in the Domain Name System</i>. </span><span class="pubdate">April 1997. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602273"></a><p>[<abbr class="abbrev">RFC2671</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Extension Mechanisms for DNS (EDNS0)</i>. </span><span class="pubdate">August 1997. </span></p>
+<a name="id2602290"></a><p>[<abbr class="abbrev">RFC2671</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Extension Mechanisms for DNS (EDNS0)</i>. </span><span class="pubdate">August 1997. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602299"></a><p>[<abbr class="abbrev">RFC2672</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Non-Terminal DNS Name Redirection</i>. </span><span class="pubdate">August 1999. </span></p>
+<a name="id2602316"></a><p>[<abbr class="abbrev">RFC2672</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Non-Terminal DNS Name Redirection</i>. </span><span class="pubdate">August 1999. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602326"></a><p>[<abbr class="abbrev">RFC2845</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>, <span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, and <span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secret Key Transaction Authentication for <acronym class="acronym">DNS</acronym> (TSIG)</i>. </span><span class="pubdate">May 2000. </span></p>
+<a name="id2602343"></a><p>[<abbr class="abbrev">RFC2845</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>, <span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, and <span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secret Key Transaction Authentication for <acronym class="acronym">DNS</acronym> (TSIG)</i>. </span><span class="pubdate">May 2000. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602388"></a><p>[<abbr class="abbrev">RFC2930</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secret Key Establishment for DNS (TKEY RR)</i>. </span><span class="pubdate">September 2000. </span></p>
+<a name="id2602405"></a><p>[<abbr class="abbrev">RFC2930</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secret Key Establishment for DNS (TKEY RR)</i>. </span><span class="pubdate">September 2000. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602418"></a><p>[<abbr class="abbrev">RFC2931</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DNS Request and Transaction Signatures (SIG(0)s)</i>. </span><span class="pubdate">September 2000. </span></p>
+<a name="id2602435"></a><p>[<abbr class="abbrev">RFC2931</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DNS Request and Transaction Signatures (SIG(0)s)</i>. </span><span class="pubdate">September 2000. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602448"></a><p>[<abbr class="abbrev">RFC3007</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secure Domain Name System (DNS) Dynamic Update</i>. </span><span class="pubdate">November 2000. </span></p>
+<a name="id2602465"></a><p>[<abbr class="abbrev">RFC3007</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secure Domain Name System (DNS) Dynamic Update</i>. </span><span class="pubdate">November 2000. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602474"></a><p>[<abbr class="abbrev">RFC3645</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Kwan</span>, <span class="firstname">P.</span> <span class="surname">Garg</span>, <span class="firstname">J.</span> <span class="surname">Gilroy</span>, <span class="firstname">L.</span> <span class="surname">Esibov</span>, <span class="firstname">J.</span> <span class="surname">Westhead</span>, and <span class="firstname">R.</span> <span class="surname">Hall</span>. </span><span class="title"><i>Generic Security Service Algorithm for Secret
+<a name="id2602491"></a><p>[<abbr class="abbrev">RFC3645</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Kwan</span>, <span class="firstname">P.</span> <span class="surname">Garg</span>, <span class="firstname">J.</span> <span class="surname">Gilroy</span>, <span class="firstname">L.</span> <span class="surname">Esibov</span>, <span class="firstname">J.</span> <span class="surname">Westhead</span>, and <span class="firstname">R.</span> <span class="surname">Hall</span>. </span><span class="title"><i>Generic Security Service Algorithm for Secret
                        Key Transaction Authentication for DNS
                        (GSS-TSIG)</i>. </span><span class="pubdate">October 2003. </span></p>
 </div>
@@ -312,19 +322,19 @@
 <h3 class="title">
 <acronym class="acronym">DNS</acronym> Security Proposed Standards</h3>
 <div class="biblioentry">
-<a name="id2602556"></a><p>[<abbr class="abbrev">RFC3225</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Conrad</span>. </span><span class="title"><i>Indicating Resolver Support of DNSSEC</i>. </span><span class="pubdate">December 2001. </span></p>
+<a name="id2602573"></a><p>[<abbr class="abbrev">RFC3225</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Conrad</span>. </span><span class="title"><i>Indicating Resolver Support of DNSSEC</i>. </span><span class="pubdate">December 2001. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602583"></a><p>[<abbr class="abbrev">RFC3833</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Atkins</span> and <span class="firstname">R.</span> <span class="surname">Austein</span>. </span><span class="title"><i>Threat Analysis of the Domain Name System (DNS)</i>. </span><span class="pubdate">August 2004. </span></p>
+<a name="id2602600"></a><p>[<abbr class="abbrev">RFC3833</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Atkins</span> and <span class="firstname">R.</span> <span class="surname">Austein</span>. </span><span class="title"><i>Threat Analysis of the Domain Name System (DNS)</i>. </span><span class="pubdate">August 2004. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602619"></a><p>[<abbr class="abbrev">RFC4033</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>DNS Security Introduction and Requirements</i>. </span><span class="pubdate">March 2005. </span></p>
+<a name="id2602636"></a><p>[<abbr class="abbrev">RFC4033</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>DNS Security Introduction and Requirements</i>. </span><span class="pubdate">March 2005. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602684"></a><p>[<abbr class="abbrev">RFC4034</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Resource Records for the DNS Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p>
+<a name="id2602701"></a><p>[<abbr class="abbrev">RFC4034</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Resource Records for the DNS Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602749"></a><p>[<abbr class="abbrev">RFC4035</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Protocol Modifications for the DNS
+<a name="id2602766"></a><p>[<abbr class="abbrev">RFC4035</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Protocol Modifications for the DNS
                        Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p>
 </div>
 </div>
@@ -332,146 +342,146 @@
 <h3 class="title">Other Important RFCs About <acronym class="acronym">DNS</acronym>
                 Implementation</h3>
 <div class="biblioentry">
-<a name="id2602823"></a><p>[<abbr class="abbrev">RFC1535</abbr>] <span class="author"><span class="firstname">E.</span> <span class="surname">Gavron</span>. </span><span class="title"><i>A Security Problem and Proposed Correction With Widely
+<a name="id2602840"></a><p>[<abbr class="abbrev">RFC1535</abbr>] <span class="author"><span class="firstname">E.</span> <span class="surname">Gavron</span>. </span><span class="title"><i>A Security Problem and Proposed Correction With Widely
                   Deployed <acronym class="acronym">DNS</acronym> Software.</i>. </span><span class="pubdate">October 1993. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602849"></a><p>[<abbr class="abbrev">RFC1536</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Kumar</span>, <span class="firstname">J.</span> <span class="surname">Postel</span>, <span class="firstname">C.</span> <span class="surname">Neuman</span>, <span class="firstname">P.</span> <span class="surname">Danzig</span>, and <span class="firstname">S.</span> <span class="surname">Miller</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Implementation
+<a name="id2602866"></a><p>[<abbr class="abbrev">RFC1536</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Kumar</span>, <span class="firstname">J.</span> <span class="surname">Postel</span>, <span class="firstname">C.</span> <span class="surname">Neuman</span>, <span class="firstname">P.</span> <span class="surname">Danzig</span>, and <span class="firstname">S.</span> <span class="surname">Miller</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Implementation
                   Errors and Suggested Fixes</i>. </span><span class="pubdate">October 1993. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602917"></a><p>[<abbr class="abbrev">RFC1982</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Elz</span> and <span class="firstname">R.</span> <span class="surname">Bush</span>. </span><span class="title"><i>Serial Number Arithmetic</i>. </span><span class="pubdate">August 1996. </span></p>
+<a name="id2602934"></a><p>[<abbr class="abbrev">RFC1982</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Elz</span> and <span class="firstname">R.</span> <span class="surname">Bush</span>. </span><span class="title"><i>Serial Number Arithmetic</i>. </span><span class="pubdate">August 1996. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602952"></a><p>[<abbr class="abbrev">RFC4074</abbr>] <span class="authorgroup"><span class="firstname">Y.</span> <span class="surname">Morishita</span> and <span class="firstname">T.</span> <span class="surname">Jinmei</span>. </span><span class="title"><i>Common Misbehaviour Against <acronym class="acronym">DNS</acronym>
+<a name="id2602969"></a><p>[<abbr class="abbrev">RFC4074</abbr>] <span class="authorgroup"><span class="firstname">Y.</span> <span class="surname">Morishita</span> and <span class="firstname">T.</span> <span class="surname">Jinmei</span>. </span><span class="title"><i>Common Misbehaviour Against <acronym class="acronym">DNS</acronym>
                 Queries for IPv6 Addresses</i>. </span><span class="pubdate">May 2005. </span></p>
 </div>
 </div>
 <div class="bibliodiv">
 <h3 class="title">Resource Record Types</h3>
 <div class="biblioentry">
-<a name="id2602998"></a><p>[<abbr class="abbrev">RFC1183</abbr>] <span class="authorgroup"><span class="firstname">C.F.</span> <span class="surname">Everhart</span>, <span class="firstname">L. A.</span> <span class="surname">Mamakos</span>, <span class="firstname">R.</span> <span class="surname">Ullmann</span>, and <span class="firstname">P.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>New <acronym class="acronym">DNS</acronym> RR Definitions</i>. </span><span class="pubdate">October 1990. </span></p>
+<a name="id2603015"></a><p>[<abbr class="abbrev">RFC1183</abbr>] <span class="authorgroup"><span class="firstname">C.F.</span> <span class="surname">Everhart</span>, <span class="firstname">L. A.</span> <span class="surname">Mamakos</span>, <span class="firstname">R.</span> <span class="surname">Ullmann</span>, and <span class="firstname">P.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>New <acronym class="acronym">DNS</acronym> RR Definitions</i>. </span><span class="pubdate">October 1990. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2603056"></a><p>[<abbr class="abbrev">RFC1706</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">R.</span> <span class="surname">Colella</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> NSAP Resource Records</i>. </span><span class="pubdate">October 1994. </span></p>
+<a name="id2603073"></a><p>[<abbr class="abbrev">RFC1706</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">R.</span> <span class="surname">Colella</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> NSAP Resource Records</i>. </span><span class="pubdate">October 1994. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2603093"></a><p>[<abbr class="abbrev">RFC2168</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Daniel</span> and <span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="title"><i>Resolution of Uniform Resource Identifiers using
+<a name="id2603178"></a><p>[<abbr class="abbrev">RFC2168</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Daniel</span> and <span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="title"><i>Resolution of Uniform Resource Identifiers using
                   the Domain Name System</i>. </span><span class="pubdate">June 1997. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2603128"></a><p>[<abbr class="abbrev">RFC1876</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Davis</span>, <span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">T.</span>, and <span class="firstname">I.</span> <span class="surname">Dickinson</span>. </span><span class="title"><i>A Means for Expressing Location Information in the
+<a name="id2603213"></a><p>[<abbr class="abbrev">RFC1876</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Davis</span>, <span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">T.</span>, and <span class="firstname">I.</span> <span class="surname">Dickinson</span>. </span><span class="title"><i>A Means for Expressing Location Information in the
                   Domain
                   Name System</i>. </span><span class="pubdate">January 1996. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2603251"></a><p>[<abbr class="abbrev">RFC2052</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A <acronym class="acronym">DNS</acronym> RR for Specifying the
+<a name="id2603268"></a><p>[<abbr class="abbrev">RFC2052</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A <acronym class="acronym">DNS</acronym> RR for Specifying the
                   Location of
                   Services.</i>. </span><span class="pubdate">October 1996. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2603289"></a><p>[<abbr class="abbrev">RFC2163</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Allocchio</span>. </span><span class="title"><i>Using the Internet <acronym class="acronym">DNS</acronym> to
+<a name="id2603306"></a><p>[<abbr class="abbrev">RFC2163</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Allocchio</span>. </span><span class="title"><i>Using the Internet <acronym class="acronym">DNS</acronym> to
                   Distribute MIXER
                   Conformant Global Address Mapping</i>. </span><span class="pubdate">January 1998. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2603315"></a><p>[<abbr class="abbrev">RFC2230</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Atkinson</span>. </span><span class="title"><i>Key Exchange Delegation Record for the <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">October 1997. </span></p>
+<a name="id2603332"></a><p>[<abbr class="abbrev">RFC2230</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Atkinson</span>. </span><span class="title"><i>Key Exchange Delegation Record for the <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">October 1997. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2603340"></a><p>[<abbr class="abbrev">RFC2536</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DSA KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2603357"></a><p>[<abbr class="abbrev">RFC2536</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DSA KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2603367"></a><p>[<abbr class="abbrev">RFC2537</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2603384"></a><p>[<abbr class="abbrev">RFC2537</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2603394"></a><p>[<abbr class="abbrev">RFC2538</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Storing Certificates in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2603411"></a><p>[<abbr class="abbrev">RFC2538</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Storing Certificates in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2603433"></a><p>[<abbr class="abbrev">RFC2539</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2603450"></a><p>[<abbr class="abbrev">RFC2539</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2603463"></a><p>[<abbr class="abbrev">RFC2540</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Detached Domain Name System (DNS) Information</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2603480"></a><p>[<abbr class="abbrev">RFC2540</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Detached Domain Name System (DNS) Information</i>. </span><span class="pubdate">March 1999. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2603493"></a><p>[<abbr class="abbrev">RFC2782</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span>. </span><span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="author"><span class="firstname">L.</span> <span class="surname">Esibov</span>. </span><span class="title"><i>A DNS RR for specifying the location of services (DNS SRV)</i>. </span><span class="pubdate">February 2000. </span></p>
+<a name="id2603510"></a><p>[<abbr class="abbrev">RFC2782</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span>. </span><span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="author"><span class="firstname">L.</span> <span class="surname">Esibov</span>. </span><span class="title"><i>A DNS RR for specifying the location of services (DNS SRV)</i>. </span><span class="pubdate">February 2000. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2603536"></a><p>[<abbr class="abbrev">RFC2915</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="author"><span class="firstname">R.</span> <span class="surname">Daniel</span>. </span><span class="title"><i>The Naming Authority Pointer (NAPTR) DNS Resource Record</i>. </span><span class="pubdate">September 2000. </span></p>
+<a name="id2603553"></a><p>[<abbr class="abbrev">RFC2915</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="author"><span class="firstname">R.</span> <span class="surname">Daniel</span>. </span><span class="title"><i>The Naming Authority Pointer (NAPTR) DNS Resource Record</i>. </span><span class="pubdate">September 2000. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2603569"></a><p>[<abbr class="abbrev">RFC3110</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</i>. </span><span class="pubdate">May 2001. </span></p>
+<a name="id2603586"></a><p>[<abbr class="abbrev">RFC3110</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</i>. </span><span class="pubdate">May 2001. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2603595"></a><p>[<abbr class="abbrev">RFC3123</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Koch</span>. </span><span class="title"><i>A DNS RR Type for Lists of Address Prefixes (APL RR)</i>. </span><span class="pubdate">June 2001. </span></p>
+<a name="id2603612"></a><p>[<abbr class="abbrev">RFC3123</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Koch</span>. </span><span class="title"><i>A DNS RR Type for Lists of Address Prefixes (APL RR)</i>. </span><span class="pubdate">June 2001. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2603619"></a><p>[<abbr class="abbrev">RFC3596</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">C.</span> <span class="surname">Huitema</span>, <span class="firstname">V.</span> <span class="surname">Ksinant</span>, and <span class="firstname">M.</span> <span class="surname">Souissi</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Extensions to support IP
+<a name="id2603636"></a><p>[<abbr class="abbrev">RFC3596</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">C.</span> <span class="surname">Huitema</span>, <span class="firstname">V.</span> <span class="surname">Ksinant</span>, and <span class="firstname">M.</span> <span class="surname">Souissi</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Extensions to support IP
                   version 6</i>. </span><span class="pubdate">October 2003. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2603676"></a><p>[<abbr class="abbrev">RFC3597</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gustafsson</span>. </span><span class="title"><i>Handling of Unknown DNS Resource Record (RR) Types</i>. </span><span class="pubdate">September 2003. </span></p>
+<a name="id2603693"></a><p>[<abbr class="abbrev">RFC3597</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gustafsson</span>. </span><span class="title"><i>Handling of Unknown DNS Resource Record (RR) Types</i>. </span><span class="pubdate">September 2003. </span></p>
 </div>
 </div>
 <div class="bibliodiv">
 <h3 class="title">
 <acronym class="acronym">DNS</acronym> and the Internet</h3>
 <div class="biblioentry">
-<a name="id2603708"></a><p>[<abbr class="abbrev">RFC1101</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Network Names
+<a name="id2603725"></a><p>[<abbr class="abbrev">RFC1101</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Network Names
                   and Other Types</i>. </span><span class="pubdate">April 1989. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2603734"></a><p>[<abbr class="abbrev">RFC1123</abbr>] <span class="author"><span class="surname">Braden</span>. </span><span class="title"><i>Requirements for Internet Hosts - Application and
+<a name="id2603751"></a><p>[<abbr class="abbrev">RFC1123</abbr>] <span class="author"><span class="surname">Braden</span>. </span><span class="title"><i>Requirements for Internet Hosts - Application and
                   Support</i>. </span><span class="pubdate">October 1989. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2603756"></a><p>[<abbr class="abbrev">RFC1591</abbr>] <span class="author"><span class="firstname">J.</span> <span class="surname">Postel</span>. </span><span class="title"><i>Domain Name System Structure and Delegation</i>. </span><span class="pubdate">March 1994. </span></p>
+<a name="id2603773"></a><p>[<abbr class="abbrev">RFC1591</abbr>] <span class="author"><span class="firstname">J.</span> <span class="surname">Postel</span>. </span><span class="title"><i>Domain Name System Structure and Delegation</i>. </span><span class="pubdate">March 1994. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2603780"></a><p>[<abbr class="abbrev">RFC2317</abbr>] <span class="authorgroup"><span class="firstname">H.</span> <span class="surname">Eidnes</span>, <span class="firstname">G.</span> <span class="surname">de Groot</span>, and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Classless IN-ADDR.ARPA Delegation</i>. </span><span class="pubdate">March 1998. </span></p>
+<a name="id2603797"></a><p>[<abbr class="abbrev">RFC2317</abbr>] <span class="authorgroup"><span class="firstname">H.</span> <span class="surname">Eidnes</span>, <span class="firstname">G.</span> <span class="surname">de Groot</span>, and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Classless IN-ADDR.ARPA Delegation</i>. </span><span class="pubdate">March 1998. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2603826"></a><p>[<abbr class="abbrev">RFC2826</abbr>] <span class="authorgroup"><span class="surname">Internet Architecture Board</span>. </span><span class="title"><i>IAB Technical Comment on the Unique DNS Root</i>. </span><span class="pubdate">May 2000. </span></p>
+<a name="id2603843"></a><p>[<abbr class="abbrev">RFC2826</abbr>] <span class="authorgroup"><span class="surname">Internet Architecture Board</span>. </span><span class="title"><i>IAB Technical Comment on the Unique DNS Root</i>. </span><span class="pubdate">May 2000. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2603849"></a><p>[<abbr class="abbrev">RFC2929</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, <span class="firstname">E.</span> <span class="surname">Brunner-Williams</span>, and <span class="firstname">B.</span> <span class="surname">Manning</span>. </span><span class="title"><i>Domain Name System (DNS) IANA Considerations</i>. </span><span class="pubdate">September 2000. </span></p>
+<a name="id2603866"></a><p>[<abbr class="abbrev">RFC2929</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, <span class="firstname">E.</span> <span class="surname">Brunner-Williams</span>, and <span class="firstname">B.</span> <span class="surname">Manning</span>. </span><span class="title"><i>Domain Name System (DNS) IANA Considerations</i>. </span><span class="pubdate">September 2000. </span></p>
 </div>
 </div>
 <div class="bibliodiv">
 <h3 class="title">
 <acronym class="acronym">DNS</acronym> Operations</h3>
 <div class="biblioentry">
-<a name="id2603907"></a><p>[<abbr class="abbrev">RFC1033</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Lottor</span>. </span><span class="title"><i>Domain administrators operations guide.</i>. </span><span class="pubdate">November 1987. </span></p>
+<a name="id2603924"></a><p>[<abbr class="abbrev">RFC1033</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Lottor</span>. </span><span class="title"><i>Domain administrators operations guide.</i>. </span><span class="pubdate">November 1987. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2603930"></a><p>[<abbr class="abbrev">RFC1537</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Beertema</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Data File
+<a name="id2603947"></a><p>[<abbr class="abbrev">RFC1537</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Beertema</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Data File
                   Configuration Errors</i>. </span><span class="pubdate">October 1993. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2603957"></a><p>[<abbr class="abbrev">RFC1912</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Barr</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Operational and
+<a name="id2603974"></a><p>[<abbr class="abbrev">RFC1912</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Barr</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Operational and
                   Configuration Errors</i>. </span><span class="pubdate">February 1996. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2603984"></a><p>[<abbr class="abbrev">RFC2010</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Operational Criteria for Root Name Servers.</i>. </span><span class="pubdate">October 1996. </span></p>
+<a name="id2604001"></a><p>[<abbr class="abbrev">RFC2010</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Operational Criteria for Root Name Servers.</i>. </span><span class="pubdate">October 1996. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2604020"></a><p>[<abbr class="abbrev">RFC2219</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Hamilton</span> and <span class="firstname">R.</span> <span class="surname">Wright</span>. </span><span class="title"><i>Use of <acronym class="acronym">DNS</acronym> Aliases for
+<a name="id2604105"></a><p>[<abbr class="abbrev">RFC2219</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Hamilton</span> and <span class="firstname">R.</span> <span class="surname">Wright</span>. </span><span class="title"><i>Use of <acronym class="acronym">DNS</acronym> Aliases for
                   Network Services.</i>. </span><span class="pubdate">October 1997. </span></p>
 </div>
 </div>
 <div class="bibliodiv">
 <h3 class="title">Internationalized Domain Names</h3>
 <div class="biblioentry">
-<a name="id2604066"></a><p>[<abbr class="abbrev">RFC2825</abbr>] <span class="authorgroup"><span class="surname">IAB</span> and <span class="firstname">R.</span> <span class="surname">Daigle</span>. </span><span class="title"><i>A Tangled Web: Issues of I18N, Domain Names,
+<a name="id2604151"></a><p>[<abbr class="abbrev">RFC2825</abbr>] <span class="authorgroup"><span class="surname">IAB</span> and <span class="firstname">R.</span> <span class="surname">Daigle</span>. </span><span class="title"><i>A Tangled Web: Issues of I18N, Domain Names,
                        and the Other Internet protocols</i>. </span><span class="pubdate">May 2000. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2604098"></a><p>[<abbr class="abbrev">RFC3490</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Faltstrom</span>, <span class="firstname">P.</span> <span class="surname">Hoffman</span>, and <span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Internationalizing Domain Names in Applications (IDNA)</i>. </span><span class="pubdate">March 2003. </span></p>
+<a name="id2604183"></a><p>[<abbr class="abbrev">RFC3490</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Faltstrom</span>, <span class="firstname">P.</span> <span class="surname">Hoffman</span>, and <span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Internationalizing Domain Names in Applications (IDNA)</i>. </span><span class="pubdate">March 2003. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2604212"></a><p>[<abbr class="abbrev">RFC3491</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Hoffman</span> and <span class="firstname">M.</span> <span class="surname">Blanchet</span>. </span><span class="title"><i>Nameprep: A Stringprep Profile for Internationalized Domain Names</i>. </span><span class="pubdate">March 2003. </span></p>
+<a name="id2604229"></a><p>[<abbr class="abbrev">RFC3491</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Hoffman</span> and <span class="firstname">M.</span> <span class="surname">Blanchet</span>. </span><span class="title"><i>Nameprep: A Stringprep Profile for Internationalized Domain Names</i>. </span><span class="pubdate">March 2003. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2604247"></a><p>[<abbr class="abbrev">RFC3492</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Punycode: A Bootstring encoding of Unicode
+<a name="id2604264"></a><p>[<abbr class="abbrev">RFC3492</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Punycode: A Bootstring encoding of Unicode
                        for Internationalized Domain Names in
                        Applications (IDNA)</i>. </span><span class="pubdate">March 2003. </span></p>
 </div>
@@ -487,47 +497,47 @@
                 </p>
 </div>
 <div class="biblioentry">
-<a name="id2604292"></a><p>[<abbr class="abbrev">RFC1464</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Rosenbaum</span>. </span><span class="title"><i>Using the Domain Name System To Store Arbitrary String
+<a name="id2604309"></a><p>[<abbr class="abbrev">RFC1464</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Rosenbaum</span>. </span><span class="title"><i>Using the Domain Name System To Store Arbitrary String
                   Attributes</i>. </span><span class="pubdate">May 1993. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2604314"></a><p>[<abbr class="abbrev">RFC1713</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Romao</span>. </span><span class="title"><i>Tools for <acronym class="acronym">DNS</acronym> Debugging</i>. </span><span class="pubdate">November 1994. </span></p>
+<a name="id2604331"></a><p>[<abbr class="abbrev">RFC1713</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Romao</span>. </span><span class="title"><i>Tools for <acronym class="acronym">DNS</acronym> Debugging</i>. </span><span class="pubdate">November 1994. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2604340"></a><p>[<abbr class="abbrev">RFC1794</abbr>] <span class="author"><span class="firstname">T.</span> <span class="surname">Brisco</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Support for Load
+<a name="id2604357"></a><p>[<abbr class="abbrev">RFC1794</abbr>] <span class="author"><span class="firstname">T.</span> <span class="surname">Brisco</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Support for Load
                   Balancing</i>. </span><span class="pubdate">April 1995. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2604365"></a><p>[<abbr class="abbrev">RFC2240</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Legal Basis for Domain Name Allocation</i>. </span><span class="pubdate">November 1997. </span></p>
+<a name="id2604382"></a><p>[<abbr class="abbrev">RFC2240</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Legal Basis for Domain Name Allocation</i>. </span><span class="pubdate">November 1997. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2604389"></a><p>[<abbr class="abbrev">RFC2345</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>, <span class="firstname">T.</span> <span class="surname">Wolf</span>, and <span class="firstname">G.</span> <span class="surname">Oglesby</span>. </span><span class="title"><i>Domain Names and Company Name Retrieval</i>. </span><span class="pubdate">May 1998. </span></p>
+<a name="id2604406"></a><p>[<abbr class="abbrev">RFC2345</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>, <span class="firstname">T.</span> <span class="surname">Wolf</span>, and <span class="firstname">G.</span> <span class="surname">Oglesby</span>. </span><span class="title"><i>Domain Names and Company Name Retrieval</i>. </span><span class="pubdate">May 1998. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2604435"></a><p>[<abbr class="abbrev">RFC2352</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Convention For Using Legal Names as Domain Names</i>. </span><span class="pubdate">May 1998. </span></p>
+<a name="id2604452"></a><p>[<abbr class="abbrev">RFC2352</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Convention For Using Legal Names as Domain Names</i>. </span><span class="pubdate">May 1998. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2604458"></a><p>[<abbr class="abbrev">RFC3071</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>. </span><span class="title"><i>Reflections on the DNS, RFC 1591, and Categories of Domains</i>. </span><span class="pubdate">February 2001. </span></p>
+<a name="id2604475"></a><p>[<abbr class="abbrev">RFC3071</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>. </span><span class="title"><i>Reflections on the DNS, RFC 1591, and Categories of Domains</i>. </span><span class="pubdate">February 2001. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2604485"></a><p>[<abbr class="abbrev">RFC3258</abbr>] <span class="authorgroup"><span class="firstname">T.</span> <span class="surname">Hardie</span>. </span><span class="title"><i>Distributing Authoritative Name Servers via
+<a name="id2604502"></a><p>[<abbr class="abbrev">RFC3258</abbr>] <span class="authorgroup"><span class="firstname">T.</span> <span class="surname">Hardie</span>. </span><span class="title"><i>Distributing Authoritative Name Servers via
                        Shared Unicast Addresses</i>. </span><span class="pubdate">April 2002. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2604510"></a><p>[<abbr class="abbrev">RFC3901</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Durand</span> and <span class="firstname">J.</span> <span class="surname">Ihren</span>. </span><span class="title"><i>DNS IPv6 Transport Operational Guidelines</i>. </span><span class="pubdate">September 2004. </span></p>
+<a name="id2604528"></a><p>[<abbr class="abbrev">RFC3901</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Durand</span> and <span class="firstname">J.</span> <span class="surname">Ihren</span>. </span><span class="title"><i>DNS IPv6 Transport Operational Guidelines</i>. </span><span class="pubdate">September 2004. </span></p>
 </div>
 </div>
 <div class="bibliodiv">
 <h3 class="title">Obsolete and Unimplemented Experimental RFC</h3>
 <div class="biblioentry">
-<a name="id2604554"></a><p>[<abbr class="abbrev">RFC1712</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Farrell</span>, <span class="firstname">M.</span> <span class="surname">Schulze</span>, <span class="firstname">S.</span> <span class="surname">Pleitner</span>, and <span class="firstname">D.</span> <span class="surname">Baldoni</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Geographical
+<a name="id2604571"></a><p>[<abbr class="abbrev">RFC1712</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Farrell</span>, <span class="firstname">M.</span> <span class="surname">Schulze</span>, <span class="firstname">S.</span> <span class="surname">Pleitner</span>, and <span class="firstname">D.</span> <span class="surname">Baldoni</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Geographical
                   Location</i>. </span><span class="pubdate">November 1994. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2604612"></a><p>[<abbr class="abbrev">RFC2673</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Binary Labels in the Domain Name System</i>. </span><span class="pubdate">August 1999. </span></p>
+<a name="id2604629"></a><p>[<abbr class="abbrev">RFC2673</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Binary Labels in the Domain Name System</i>. </span><span class="pubdate">August 1999. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2604638"></a><p>[<abbr class="abbrev">RFC2874</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span> and <span class="firstname">C.</span> <span class="surname">Huitema</span>. </span><span class="title"><i>DNS Extensions to Support IPv6 Address Aggregation
+<a name="id2604656"></a><p>[<abbr class="abbrev">RFC2874</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span> and <span class="firstname">C.</span> <span class="surname">Huitema</span>. </span><span class="title"><i>DNS Extensions to Support IPv6 Address Aggregation
                        and Renumbering</i>. </span><span class="pubdate">July 2000. </span></p>
 </div>
 </div>
@@ -541,39 +551,39 @@
                 </p>
 </div>
 <div class="biblioentry">
-<a name="id2604686"></a><p>[<abbr class="abbrev">RFC2065</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">C.</span> <span class="surname">Kaufman</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">January 1997. </span></p>
+<a name="id2604704"></a><p>[<abbr class="abbrev">RFC2065</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">C.</span> <span class="surname">Kaufman</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">January 1997. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2604726"></a><p>[<abbr class="abbrev">RFC2137</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secure Domain Name System Dynamic Update</i>. </span><span class="pubdate">April 1997. </span></p>
+<a name="id2604743"></a><p>[<abbr class="abbrev">RFC2137</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secure Domain Name System Dynamic Update</i>. </span><span class="pubdate">April 1997. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2604753"></a><p>[<abbr class="abbrev">RFC2535</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2604770"></a><p>[<abbr class="abbrev">RFC2535</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">March 1999. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2604782"></a><p>[<abbr class="abbrev">RFC3008</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Domain Name System Security (DNSSEC)
+<a name="id2604800"></a><p>[<abbr class="abbrev">RFC3008</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Domain Name System Security (DNSSEC)
                        Signing Authority</i>. </span><span class="pubdate">November 2000. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2604808"></a><p>[<abbr class="abbrev">RFC3090</abbr>] <span class="authorgroup"><span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>DNS Security Extension Clarification on Zone Status</i>. </span><span class="pubdate">March 2001. </span></p>
+<a name="id2604825"></a><p>[<abbr class="abbrev">RFC3090</abbr>] <span class="authorgroup"><span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>DNS Security Extension Clarification on Zone Status</i>. </span><span class="pubdate">March 2001. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2604835"></a><p>[<abbr class="abbrev">RFC3445</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Massey</span> and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Limiting the Scope of the KEY Resource Record (RR)</i>. </span><span class="pubdate">December 2002. </span></p>
+<a name="id2604852"></a><p>[<abbr class="abbrev">RFC3445</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Massey</span> and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Limiting the Scope of the KEY Resource Record (RR)</i>. </span><span class="pubdate">December 2002. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2604871"></a><p>[<abbr class="abbrev">RFC3655</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Redefinition of DNS Authenticated Data (AD) bit</i>. </span><span class="pubdate">November 2003. </span></p>
+<a name="id2604888"></a><p>[<abbr class="abbrev">RFC3655</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Redefinition of DNS Authenticated Data (AD) bit</i>. </span><span class="pubdate">November 2003. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2604907"></a><p>[<abbr class="abbrev">RFC3658</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Delegation Signer (DS) Resource Record (RR)</i>. </span><span class="pubdate">December 2003. </span></p>
+<a name="id2604924"></a><p>[<abbr class="abbrev">RFC3658</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Delegation Signer (DS) Resource Record (RR)</i>. </span><span class="pubdate">December 2003. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2604934"></a><p>[<abbr class="abbrev">RFC3755</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Weiler</span>. </span><span class="title"><i>Legacy Resolver Compatibility for Delegation Signer (DS)</i>. </span><span class="pubdate">May 2004. </span></p>
+<a name="id2604951"></a><p>[<abbr class="abbrev">RFC3755</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Weiler</span>. </span><span class="title"><i>Legacy Resolver Compatibility for Delegation Signer (DS)</i>. </span><span class="pubdate">May 2004. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2604961"></a><p>[<abbr class="abbrev">RFC3757</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Kolkman</span>, <span class="firstname">J.</span> <span class="surname">Schlyter</span>, and <span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>Domain Name System KEY (DNSKEY) Resource Record
+<a name="id2604978"></a><p>[<abbr class="abbrev">RFC3757</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Kolkman</span>, <span class="firstname">J.</span> <span class="surname">Schlyter</span>, and <span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>Domain Name System KEY (DNSKEY) Resource Record
                       (RR) Secure Entry Point (SEP) Flag</i>. </span><span class="pubdate">April 2004. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2605005"></a><p>[<abbr class="abbrev">RFC3845</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Schlyter</span>. </span><span class="title"><i>DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</i>. </span><span class="pubdate">August 2004. </span></p>
+<a name="id2605022"></a><p>[<abbr class="abbrev">RFC3845</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Schlyter</span>. </span><span class="title"><i>DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</i>. </span><span class="pubdate">August 2004. </span></p>
 </div>
 </div>
 </div>
@@ -594,16 +604,481 @@
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2605047"></a>Other Documents About <acronym class="acronym">BIND</acronym>
+<a name="id2605064"></a>Other Documents About <acronym class="acronym">BIND</acronym>
 </h3></div></div></div>
 <p></p>
 <div class="bibliography">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2605057"></a>Bibliography</h4></div></div></div>
+<a name="id2605074"></a>Bibliography</h4></div></div></div>
 <div class="biblioentry">
-<a name="id2605059"></a><p><span class="authorgroup"><span class="firstname">Paul</span> <span class="surname">Albitz</span> and <span class="firstname">Cricket</span> <span class="surname">Liu</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></i>. </span><span class="copyright">Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. </span></p>
+<a name="id2605076"></a><p><span class="authorgroup"><span class="firstname">Paul</span> <span class="surname">Albitz</span> and <span class="firstname">Cricket</span> <span class="surname">Liu</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></i>. </span><span class="copyright">Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. </span></p>
+</div>
+</div>
+</div>
+</div>
+<div class="sect1" lang="en">
+<div class="titlepage"><div><div><h2 class="title" style="clear: both">
+<a name="bind9.library"></a>BIND 9 DNS Library Support</h2></div></div></div>
+<p>This version of BIND 9 "exports" its internal libraries so
+  that they can be used by third-party applications more easily (we
+  call them "export" libraries in this document). In addition to
+  all major DNS-related APIs BIND 9 is currently using, the export
+  libraries provide the following features:</p>
+<div class="itemizedlist"><ul type="disc">
+<li><p>The newly created "DNS client" module. This is a higher
+      level API that provides an interface to name resolution,
+      single DNS transaction with a particular server, and dynamic
+      update. Regarding name resolution, it supports advanced
+      features such as DNSSEC validation and caching. This module
+      supports both synchronous and asynchronous mode.</p></li>
+<li><p>The new "IRS" (Information Retrieval System) library.
+      It provides an interface to parse the traditional resolv.conf
+      file and more advanced, DNS-specific configuration file for
+      the rest of this package (see the description for the
+      dns.conf file below).</p></li>
+<li><p>As part of the IRS library, newly implemented standard
+      address-name mapping functions, getaddrinfo() and
+      getnameinfo(), are provided. They use the DNSSEC-aware
+      validating resolver backend, and could use other advanced
+      features of the BIND 9 libraries such as caching. The
+      getaddrinfo() function resolves both A and AAAA RRs
+      concurrently (when the address family is unspecified).</p></li>
+<li><p>An experimental framework to support other event
+      libraries than BIND 9's internal event task system.</p></li>
+</ul></div>
+<div class="sect2" lang="en">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="id2607411"></a>Prerequisite</h3></div></div></div>
+<p>GNU make is required to build the export libraries (other
+  part of BIND 9 can still be built with other types of make). In
+  the reminder of this document, "make" means GNU make. Note that
+  in some platforms you may need to invoke a different command name
+  than "make" (e.g. "gmake") to indicate it's GNU make.</p>
+</div>
+<div class="sect2" lang="en">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="id2607420"></a>Compilation</h3></div></div></div>
+<pre class="screen">
+$ <strong class="userinput"><code>./configure --enable-exportlib <em class="replaceable"><code>[other flags]</code></em></code></strong>
+$ <strong class="userinput"><code>make</code></strong>
+</pre>
+<p>
+  This will create (in addition to usual BIND 9 programs) and a
+  separate set of libraries under the lib/export directory. For
+  example, <code class="filename">lib/export/dns/libdns.a</code> is the archive file of the
+  export version of the BIND 9 DNS library. Sample application
+  programs using the libraries will also be built under the
+  lib/export/samples directory (see below).</p>
+</div>
+<div class="sect2" lang="en">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="id2605329"></a>Installation</h3></div></div></div>
+<pre class="screen">
+$ <strong class="userinput"><code>cd lib/export</code></strong>
+$ <strong class="userinput"><code>make install</code></strong>
+</pre>
+<p>
+  This will install library object files under the directory
+  specified by the --with-export-libdir configure option (default:
+  EPREFIX/lib/bind9), and header files under the directory
+  specified by the --with-export-includedir configure option
+  (default: PREFIX/include/bind9).
+  Root privilege is normally required.
+  "<span><strong class="command">make install</strong></span>" at the top directory will do the
+  same.
+  </p>
+<p>
+  To see how to build your own
+  application after the installation, see
+  <code class="filename">lib/export/samples/Makefile-postinstall.in</code>.</p>
+</div>
+<div class="sect2" lang="en">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="id2605360"></a>Known Defects/Restrictions</h3></div></div></div>
+<div class="itemizedlist"><ul type="disc">
+<li><p>Currently, win32 is not supported for the export
+      library. (Normal BIND 9 application can be built as
+      before).</p></li>
+<li>
+<p>The "fixed" RRset order is not (currently) supported in
+      the export library. If you want to use "fixed" RRset order
+      for, e.g. <span><strong class="command">named</strong></span> while still building the
+      export library even without the fixed order support, build
+      them separately:
+      </p>
+<pre class="screen">
+$ <strong class="userinput"><code>./configure --enable-fixed-rrset <em class="replaceable"><code>[other flags, but not --enable-exportlib]</code></em></code></strong>
+$ <strong class="userinput"><code>make</code></strong>
+$ <strong class="userinput"><code>./configure --enable-exportlib <em class="replaceable"><code>[other flags, but not --enable-fixed-rrset]</code></em></code></strong>
+$ <strong class="userinput"><code>cd lib/export</code></strong>
+$ <strong class="userinput"><code>make</code></strong>
+</pre>
+<p>
+    </p>
+</li>
+<li><p>The client module and the IRS library currently do not
+      support DNSSEC validation using DLV (the underlying modules
+      can handle it, but there is no tunable interface to enable
+      the feature).</p></li>
+<li><p>RFC 5011 is not supported in the validating stub
+      resolver of the export library. In fact, it is not clear
+      whether it should: trust anchors would be a system-wide
+      configuration which would be managed by an administrator,
+      while the stub resolver will be used by ordinary applications
+      run by a normal user.</p></li>
+<li><p>Not all common <code class="filename">/etc/resolv.conf</code>
+      options are supported
+      in the IRS library. The only available options in this
+      version are "debug" and "ndots".</p></li>
+</ul></div>
+</div>
+<div class="sect2" lang="en">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="id2606529"></a>The dns.conf File</h3></div></div></div>
+<p>The IRS library supports an "advanced" configuration file
+  related to the DNS library for configuration parameters that
+  would be beyond the capability of the
+  <code class="filename">resolv.conf</code> file.
+  Specifically, it is intended to provide DNSSEC related
+  configuration parameters. By default the path to this
+  configuration file is <code class="filename">/etc/dns.conf</code>.
+  This module is very
+  experimental and the configuration syntax or library interfaces
+  may change in future versions. Currently, only the
+  <span><strong class="command">trusted-keys</strong></span>
+  statement is supported, whose syntax is the same as the same name
+  of statement for <code class="filename">named.conf</code>. (See
+  <a href="Bv9ARM.ch06.html#trusted-keys" title="trusted-keys Statement Grammar">the section called &#8220;<span><strong class="command">trusted-keys</strong></span> Statement Grammar&#8221;</a> for details.)</p>
+</div>
+<div class="sect2" lang="en">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="id2606555"></a>Sample Applications</h3></div></div></div>
+<p>Some sample application programs using this API are
+  provided for reference. The following is a brief description of
+  these applications.
+  </p>
+<div class="sect3" lang="en">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id2606564"></a>sample: a simple stub resolver utility</h4></div></div></div>
+<p>
+  It sends a query of a given name (of a given optional RR type) to a
+  specified recursive server, and prints the result as a list of
+  RRs. It can also act as a validating stub resolver if a trust
+  anchor is given via a set of command line options.</p>
+<p>
+  Usage: sample [options] server_address hostname
+  </p>
+<p>
+  Options and Arguments:
+  </p>
+<div class="variablelist"><dl>
+<dt><span class="term">
+  -t RRtype
+  </span></dt>
+<dd><p>
+        specify the RR type of the query.  The default is the A RR.
+  </p></dd>
+<dt><span class="term">
+  [-a algorithm] [-e] -k keyname -K keystring
+  </span></dt>
+<dd>
+<p>
+        specify a command-line DNS key to validate the answer.  For
+        example, to specify the following DNSKEY of example.com:
+</p>
+<div class="literallayout"><p><br>
+                example.com. 3600 IN DNSKEY 257 3 5 xxx<br>
+</p></div>
+<p>
+        specify the options as follows:
+</p>
+<pre class="screen">
+<strong class="userinput"><code>
+          -e -k example.com -K "xxx"
+</code></strong>
+</pre>
+<p>
+        -e means that this key is a zone's "key signing key" (as known
+        as "secure Entry point").
+        When -a is omitted rsasha1 will be used by default.
+  </p>
+</dd>
+<dt><span class="term">
+  -s domain:alt_server_address
+  </span></dt>
+<dd><p>
+         specify a separate recursive server address for the specific
+        "domain".  Example: -s example.com:2001:db8::1234
+  </p></dd>
+<dt><span class="term">server_address</span></dt>
+<dd><p>
+        an IP(v4/v6) address of the recursive server to which queries
+        are sent.
+  </p></dd>
+<dt><span class="term">hostname</span></dt>
+<dd><p>
+        the domain name for the query
+  </p></dd>
+</dl></div>
+</div>
+<div class="sect3" lang="en">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id2606654"></a>sample-async: a simple stub resolver, working asynchronously</h4></div></div></div>
+<p>
+  Similar to "sample", but accepts a list
+  of (query) domain names as a separate file and resolves the names
+  asynchronously.</p>
+<p>
+    Usage: sample-async [-s server_address] [-t RR_type] input_file</p>
+<p>
+ Options and Arguments:
+  </p>
+<div class="variablelist"><dl>
+<dt><span class="term">
+   -s server_address
+   </span></dt>
+<dd>
+   an IPv4 address of the recursive server to which queries are sent.
+  (IPv6 addresses are not supported in this implementation)
+  </dd>
+<dt><span class="term">
+   -t RR_type
+  </span></dt>
+<dd>
+  specify the RR type of the queries. The default is the A
+  RR.
+  </dd>
+<dt><span class="term">
+   input_file
+  </span></dt>
+<dd>
+   a list of domain names to be resolved. each line
+  consists of a single domain name. Example:
+  <div class="literallayout"><p><br>
+  www.example.com<br>
+  mx.examle.net<br>
+  ns.xxx.example<br>
+</p></div>
+</dd>
+</dl></div>
+</div>
+<div class="sect3" lang="en">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id2606708"></a>sample-request: a simple DNS transaction client</h4></div></div></div>
+<p>
+  It sends a query to a specified server, and
+  prints the response with minimal processing. It doesn't act as a
+  "stub resolver": it stops the processing once it gets any
+  response from the server, whether it's a referral or an alias
+  (CNAME or DNAME) that would require further queries to get the
+  ultimate answer. In other words, this utility acts as a very
+  simplified <span><strong class="command">dig</strong></span>.
+  </p>
+<p>
+  Usage: sample-request [-t RRtype] server_address hostname
+  </p>
+<p>
+    Options and Arguments:
+  </p>
+<div class="variablelist"><dl>
+<dt><span class="term">
+   -t RRtype
+  </span></dt>
+<dd><p>
+  specify the RR type of
+  the queries. The default is the A RR.
+  </p></dd>
+<dt><span class="term">
+  server_address
+  </span></dt>
+<dd><p>
+   an IP(v4/v6)
+  address of the recursive server to which the query is sent.
+  </p></dd>
+<dt><span class="term">
+  hostname
+  </span></dt>
+<dd><p>
+  the domain name for the query
+  </p></dd>
+</dl></div>
+</div>
+<div class="sect3" lang="en">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id2607250"></a>sample-gai: getaddrinfo() and getnameinfo() test code</h4></div></div></div>
+<p>
+  This is a test program
+  to check getaddrinfo() and getnameinfo() behavior. It takes a
+  host name as an argument, calls getaddrinfo() with the given host
+  name, and calls getnameinfo() with the resulting IP addresses
+  returned by getaddrinfo(). If the dns.conf file exists and
+  defines a trust anchor, the underlying resolver will act as a
+  validating resolver, and getaddrinfo()/getnameinfo() will fail
+  with an EAI_INSECUREDATA error when DNSSEC validation fails.
+  </p>
+<p>
+  Usage: sample-gai hostname
+  </p>
+</div>
+<div class="sect3" lang="en">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id2607265"></a>sample-update: a simple dynamic update client program</h4></div></div></div>
+<p>
+  It accepts a single update command as a
+  command-line argument, sends an update request message to the
+  authoritative server, and shows the response from the server. In
+  other words, this is a simplified <span><strong class="command">nsupdate</strong></span>.
+  </p>
+<p>
+   Usage: sample-update [options] (add|delete) "update data"
+  </p>
+<p>
+  Options and Arguments:
+  </p>
+<div class="variablelist"><dl>
+<dt><span class="term">
+  -a auth_server
+   </span></dt>
+<dd><p>
+        An IP address of the authoritative server that has authority
+        for the zone containing the update name.  This should normally
+        be the primary authoritative server that accepts dynamic
+        updates.  It can also be a secondary server that is configured
+        to forward update requests to the primary server.
+   </p></dd>
+<dt><span class="term">
+  -k keyfile
+   </span></dt>
+<dd><p>
+        A TSIG key file to secure the update transaction.  The keyfile
+        format is the same as that for the nsupdate utility.
+   </p></dd>
+<dt><span class="term">
+  -p prerequisite
+   </span></dt>
+<dd><p>
+        A prerequisite for the update (only one prerequisite can be
+        specified).  The prerequisite format is the same as that is
+        accepted by the nsupdate utility.
+   </p></dd>
+<dt><span class="term">
+  -r recursive_server
+   </span></dt>
+<dd><p>
+        An IP address of a recursive server that this utility will
+        use.  A recursive server may be necessary to identify the
+        authoritative server address to which the update request is
+        sent.
+   </p></dd>
+<dt><span class="term">
+  -z zonename
+   </span></dt>
+<dd><p>
+        The domain name of the zone that contains
+   </p></dd>
+<dt><span class="term">
+  (add|delete)
+   </span></dt>
+<dd><p>
+        Specify the type of update operation.  Either "add" or "delete"
+        must be specified.
+   </p></dd>
+<dt><span class="term">
+  "update data"
+   </span></dt>
+<dd><p>
+        Specify the data to be updated.  A typical example of the data
+        would look like "name TTL RRtype RDATA".
+  </p></dd>
+</dl></div>
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>In practice, either -a or -r must be specified.  Others can
+   be optional; the underlying library routine tries to identify the
+   appropriate server and the zone name for the update.</div>
+<p>
+   Examples: assuming the primary authoritative server of the
+   dynamic.example.com zone has an IPv6 address 2001:db8::1234,
+   </p>
+<pre class="screen">
+$ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key add "foo.dynamic.example.com 30 IN A 192.168.2.1"</code></strong></pre>
+<p>
+     adds an A RR for foo.dynamic.example.com using the given key.
+   </p>
+<pre class="screen">
+$ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com 30 IN A"</code></strong></pre>
+<p>
+     removes all A RRs for foo.dynamic.example.com using the given key.
+   </p>
+<pre class="screen">   
+$ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com"</code></strong></pre>
+<p>
+     removes all RRs for foo.dynamic.example.com using the given key.
+   </p>
+</div>
+<div class="sect3" lang="en">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id2607464"></a>nsprobe: domain/name server checker in terms of RFC 4074</h4></div></div></div>
+<p>
+  It checks a set
+  of domains to see the name servers of the domains behave
+  correctly in terms of RFC 4074. This is included in the set of
+  sample programs to show how the export library can be used in a
+  DNS-related application.
+  </p>
+<p>
+ Usage: nsprobe [-d] [-v [-v...]] [-c cache_address] [input_file]
+  </p>
+<p>
+   Options
+  </p>
+<div class="variablelist"><dl>
+<dt><span class="term">
+  -d
+  </span></dt>
+<dd><p>
+        run in the "debug" mode.  with this option nsprobe will dump
+        every RRs it receives.
+  </p></dd>
+<dt><span class="term">
+  -v
+  </span></dt>
+<dd><p>
+        increase verbosity of other normal log messages.  This can be
+        specified multiple times
+  </p></dd>
+<dt><span class="term">
+  -c cache_address
+  </span></dt>
+<dd><p>
+        specify an IP address of a recursive (caching) name server.
+        nsprobe uses this server to get the NS RRset of each domain and
+        the A and/or AAAA RRsets for the name servers.  The default
+        value is 127.0.0.1.
+  </p></dd>
+<dt><span class="term">
+  input_file
+  </span></dt>
+<dd><p>
+        a file name containing a list of domain (zone) names to be
+        probed.  when omitted the standard input will be used.  Each
+        line of the input file specifies a single domain name such as
+        "example.com".  In general this domain name must be the apex
+        name of some DNS zone (unlike normal "host names" such as
+        "www.example.com").  nsprobe first identifies the NS RRsets for
+        the given domain name, and sends A and AAAA queries to these
+        servers for some "widely used" names under the zone;
+        specifically, adding "www" and "ftp" to the zone name.
+  </p></dd>
+</dl></div>
 </div>
 </div>
+<div class="sect2" lang="en">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="id2607528"></a>Library References</h3></div></div></div>
+<p>As of this writing, there is no formal "manual" of the
+  libraries, except this document, header files (some of them
+  provide pretty detailed explanations), and sample application
+  programs.</p>
 </div>
 </div>
 </div>
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index c66282bc..533f113c 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: Bv9ARM.html,v 1.239.4.2 2010/01/08 02:08:24 tbox Exp $ -->
+<!-- $Id: Bv9ARM.html,v 1.239.4.4 2010/02/04 02:08:20 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -111,15 +111,43 @@
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571801">Signing the Zone</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571882">Configuring Servers</a></span></dt>
 </dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572065">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dnssec.dynamic.zones">DNSSEC, Dynamic Zones, and Automatic Signing</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572331">Address Lookups Using AAAA Records</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572353">Address to Name Lookups Using Nibble Format</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2605770">Converting from insecure to secure</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563550">Dynamic DNS update method</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563587">Fully automatic zone signing</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563662">Private-type records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563768">DNSKEY rollovers via UPDATE</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563801">NSEC3PARAM rollovers via UPDATE</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563811">Converting from NSEC to NSEC3</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563820">Converting from NSEC3 to NSEC</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563901">Converting from secure to insecure</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563939">Periodic re-signing</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563948">NSEC3 and OPTOUT</a></span></dt>
+</dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#rfc5011.support">Dynamic Trust Anchor Management</a></span></dt>
+<dd><dl>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2605417">Validating Resolver</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2605440">Authoritative Server</a></span></dt>
+</dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#pkcs11">PKCS #11 (Cryptoki) support</a></span></dt>
+<dd><dl>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2607939">Prerequisites</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2606230">Building BIND 9 with PKCS#11</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2606325">PKCS #11 Tools</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2606356">Using the HSM</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2608124">Specifying the engine on the command line</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2608443">Running named with automatic zone re-signing</a></span></dt>
+</dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572077">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
+<dd><dl>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572344">Address Lookups Using AAAA Records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572434">Address to Name Lookups Using Nibble Format</a></span></dt>
 </dl></dd>
 </dl></dd>
 <dt><span class="chapter"><a href="Bv9ARM.ch05.html">5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</a></span></dt>
 <dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572454">The Lightweight Resolver Library</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572467">The Lightweight Resolver Library</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch05.html#lwresd">Running a Resolver Daemon</a></span></dt>
 </dl></dd>
 <dt><span class="chapter"><a href="Bv9ARM.ch06.html">6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</a></span></dt>
@@ -127,58 +155,58 @@
 <dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573932">Comment Syntax</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573945">Comment Syntax</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574518"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574531"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and
           Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574776"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574789"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and
           Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575136"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575153"><span><strong class="command">include</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575148"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575165"><span><strong class="command">include</strong></span> Statement Definition and
           Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575176"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575200"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575290"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575416"><span><strong class="command">logging</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575189"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575212"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575303"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575429"><span><strong class="command">logging</strong></span> Statement Definition and
           Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577483"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577557"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577689"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577733"><span><strong class="command">masters</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577496"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577570"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577702"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577746"><span><strong class="command">masters</strong></span> Statement Definition and
           Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577748"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577761"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and
           Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and
             Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#statschannels"><span><strong class="command">statistics-channels</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588122"><span><strong class="command">statistics-channels</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588203"><span><strong class="command">statistics-channels</strong></span> Statement Definition and
             Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588277"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588328"><span><strong class="command">trusted-keys</strong></span> Statement Definition
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#trusted-keys"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588411"><span><strong class="command">trusted-keys</strong></span> Statement Definition
             and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588375"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588494"><span><strong class="command">managed-keys</strong></span> Statement Definition
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588458"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#managed-keys"><span><strong class="command">managed-keys</strong></span> Statement Definition
             and Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588867"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588952"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span>
             Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590440"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590525"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
 </dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2593176">Zone File</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2593193">Zone File</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2595406">Discussion of MX Records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2595424">Discussion of MX Records</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2595954">Inverse Mapping in IPv4</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2596149">Other Zone File Directives</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2596422"><acronym class="acronym">BIND</acronym> Master File Extension: the  <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2596039">Inverse Mapping in IPv4</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2596166">Other Zone File Directives</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2596439"><acronym class="acronym">BIND</acronym> Master File Extension: the  <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt>
@@ -187,31 +215,41 @@
 <dt><span class="chapter"><a href="Bv9ARM.ch07.html">7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</a></span></dt>
 <dd><dl>
 <dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2601142"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2601159"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2601223">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2601283">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2601308">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2601368">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
 </dl></dd>
 <dt><span class="chapter"><a href="Bv9ARM.ch08.html">8. Troubleshooting</a></span></dt>
 <dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2601363">Common Problems</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2601368">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2601380">Incrementing and Changing the Serial Number</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2601397">Where Can I Get Help?</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2601448">Common Problems</a></span></dt>
+<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2601453">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2601465">Incrementing and Changing the Serial Number</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2601482">Where Can I Get Help?</a></span></dt>
 </dl></dd>
 <dt><span class="appendix"><a href="Bv9ARM.ch09.html">A. Appendices</a></span></dt>
 <dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2601595">Acknowledgments</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2601612">Acknowledgments</a></span></dt>
 <dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#historical_dns_information">A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2601835">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2601921">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
 <dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt></dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch09.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch09.html#rfcs">Request for Comments (RFCs)</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch09.html#internet_drafts">Internet Drafts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2605047">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2605064">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
+</dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#bind9.library">BIND 9 DNS Library Support</a></span></dt>
+<dd><dl>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2607411">Prerequisite</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2607420">Compilation</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2605329">Installation</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2605360">Known Defects/Restrictions</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2606529">The dns.conf File</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2606555">Sample Applications</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2607528">Library References</a></span></dt>
 </dl></dd>
 </dl></dd>
 <dt><span class="reference"><a href="Bv9ARM.ch10.html">I. Manual pages</a></span></dt>
diff --git a/doc/arm/dnssec.xml b/doc/arm/dnssec.xml
new file mode 100644
index 00000000..8dca8be7
--- /dev/null
+++ b/doc/arm/dnssec.xml
@@ -0,0 +1,244 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ - Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: dnssec.xml,v 1.2.2.2 2010/02/03 23:48:29 tbox Exp $ -->
+
+<sect1 id="dnssec.dynamic.zones">
+  <title>DNSSEC, Dynamic Zones, and Automatic Signing</title>
+  <para>As of BIND 9.7.0 it is possible to change a dynamic zone
+  from insecure to signed and back again. A secure zone can use
+  either NSEC or NSEC3 chains.</para>
+  <sect2>
+    <title>Converting from insecure to secure</title>
+  </sect2>
+  <para>Changing a zone from insecure to secure can be done in two
+  ways: using a dynamic DNS update, or the 
+  <command>auto-dnssec</command> zone option.</para>
+  <para>For either method, you need to configure 
+  <command>named</command> so that it can see the 
+  <filename>K*</filename> files which contain the public and private
+  parts of the keys that will be used to sign the zone. These files
+  will have been generated by 
+  <command>dnssec-keygen</command>. You can do this by placing them
+  in the key-directory, as specified in 
+  <filename>named.conf</filename>:</para>
+  <programlisting>
+        zone example.net {
+                type master;
+                update-policy local;
+                file "dynamic/example.net/example.net";
+                key-directory "dynamic/example.net";
+        };
+</programlisting>
+  <para>If one KSK and one ZSK DNSKEY key have been generated, this
+  configuration will cause all records in the zone to be signed
+  with the ZSK, and the DNSKEY RRset to be signed with the KSK as
+  well. An NSEC chain will be generated as part of the initial
+  signing process.</para>
+  <sect2>
+    <title>Dynamic DNS update method</title>
+  </sect2>
+  <para>To insert the keys via dynamic update:</para>
+  <screen>
+        % nsupdate
+        &gt; ttl 3600
+        &gt; update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
+        &gt; update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
+        &gt; send
+</screen>
+  <para>While the update request will complete almost immediately,
+  the zone will not be completely signed until 
+  <command>named</command> has had time to walk the zone and
+  generate the NSEC and RRSIG records. The NSEC record at the apex
+  will be added last, to signal that there is a complete NSEC
+  chain.</para>
+  <para>If you wish to sign using NSEC3 instead of NSEC, you should
+  add an NSEC3PARAM record to the initial update request. If you
+  wish the NSEC3 chain to have the OPTOUT bit set, set it in the
+  flags field of the NSEC3PARAM record.</para>
+  <screen>
+        % nsupdate
+        &gt; ttl 3600
+        &gt; update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
+        &gt; update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
+        &gt; update add example.net NSEC3PARAM 1 1 100 1234567890
+        &gt; send
+</screen>
+  <para>Again, this update request will complete almost
+  immediately; however, the record won't show up until 
+  <command>named</command> has had a chance to build/remove the
+  relevant chain. A private type record will be created to record
+  the state of the operation (see below for more details), and will
+  be removed once the operation completes.</para>
+  <para>While the initial signing and NSEC/NSEC3 chain generation
+  is happening, other updates are possible as well.</para>
+  <sect2>
+    <title>Fully automatic zone signing</title>
+  </sect2>
+  <para>To enable automatic signing, add the 
+  <command>auto-dnssec</command> option to the zone statement in 
+  <filename>named.conf</filename>. 
+  <command>auto-dnssec</command> has two possible arguments: 
+  <constant>allow</constant> or 
+  <constant>maintain</constant>.</para>
+  <para>With 
+  <command>auto-dnssec allow</command>, 
+  <command>named</command> can search the key directory for keys
+  matching the zone, insert them into the zone, and use them to
+  sign the zone. It will do so only when it receives an 
+  <command>rndc sign &lt;zonename&gt;</command> command.</para>
+  <para>
+  <!-- TODO: this is repeated in the ARM -->
+  <command>auto-dnssec maintain</command> includes the above
+  functionality, but will also automatically adjust the zone's
+  DNSKEY records on schedule according to the keys' timing metadata.
+  (See <xref linkend="man.dnssec-keygen"/> and
+  <xref linkend="man.dnssec-settime"/> for more information.) 
+  If keys are present in the key directory the first time the zone
+  is loaded, it will be signed immediately, without waiting for an 
+  <command>rndc sign</command> command. (This command can still be
+  used for unscheduled key changes, however.)</para>
+  <para>Using the 
+  <command>auto-dnssec</command> option requires the zone to be
+  configured to allow dynamic updates, by adding an 
+  <command>allow-update</command> or 
+  <command>update-policy</command> statement to the zone
+  configuration. If this has not been done, the configuration will
+  fail.</para>
+  <sect2>
+    <title>Private-type records</title>
+  </sect2>
+  <para>The state of the signing process is signaled by
+  private-type records (with a default type value of 65534). When
+  signing is complete, these records will have a nonzero value for
+  the final octet (for those records which have a nonzero initial
+  octet).</para>
+  <para>The private type record format: If the first octet is
+  non-zero then the record indicates that the zone needs to be
+  signed with the key matching the record, or that all signatures
+  that match the record should be removed.</para>
+  <para>
+    <literallayout>
+<!-- TODO: how to format this? -->
+  algorithm (octet 1)
+  key id in network order (octet 2 and 3)
+  removal flag (octet 4)
+  complete flag (octet 5)
+</literallayout>
+  </para>
+  <para>Only records flagged as "complete" can be removed via
+  dynamic update. Attempts to remove other private type records
+  will be silently ignored.</para>
+  <para>If the first octet is zero (this is a reserved algorithm
+  number that should never appear in a DNSKEY record) then the
+  record indicates changes to the NSEC3 chains are in progress. The
+  rest of the record contains an NSEC3PARAM record. The flag field
+  tells what operation to perform based on the flag bits.</para>
+  <para>
+    <literallayout>
+<!-- TODO: how to format this? -->
+  0x01 OPTOUT
+  0x80 CREATE
+  0x40 REMOVE
+  0x20 NONSEC
+</literallayout>
+  </para>
+  <sect2>
+    <title>DNSKEY rollovers via UPDATE</title>
+  </sect2>
+  <para>It is possible to perform key rollovers via dynamic update.
+  You need to add the 
+  <filename>K*</filename> files for the new keys so that 
+  <command>named</command> can find them. You can then add the new
+  DNSKEY RRs via dynamic update. 
+  <command>named</command> will then cause the zone to be signed
+  with the new keys. When the signing is complete the private type
+  records will be updated so that the last octet is non
+  zero.</para>
+  <para>If this is for a KSK you need to inform the parent and any
+  trust anchor repositories of the new KSK.</para>
+  <para>You should then wait for the maximum TTL in the zone before
+  removing the old DNSKEY. If it is a KSK that is being updated,
+  you also need to wait for the DS RRset in the parent to be
+  updated and its TTL to expire. This ensures that all clients will
+  be able to verify at least one signature when you remove the old
+  DNSKEY.</para>
+  <para>The old DNSKEY can be removed via UPDATE. Take care to
+  specify the correct key. 
+  <command>named</command> will clean out any signatures generated
+  by the old key after the update completes.</para>
+  <sect2>
+    <title>NSEC3PARAM rollovers via UPDATE</title>
+  </sect2>
+  <para>Add the new NSEC3PARAM record via dynamic update. When the
+  new NSEC3 chain has been generated, the NSEC3PARAM flag field
+  will be zero. At this point you can remove the old NSEC3PARAM
+  record. The old chain will be removed after the update request
+  completes.</para>
+  <sect2>
+    <title>Converting from NSEC to NSEC3</title>
+  </sect2>
+  <para>To do this, you just need to add an NSEC3PARAM record. When
+  the conversion is complete, the NSEC chain will have been removed
+  and the NSEC3PARAM record will have a zero flag field. The NSEC3
+  chain will be generated before the NSEC chain is
+  destroyed.</para>
+  <sect2>
+    <title>Converting from NSEC3 to NSEC</title>
+  </sect2>
+  <para>To do this, use <command>nsupdate</command> to
+  remove all NSEC3PARAM records with a zero flag
+  field. The NSEC chain will be generated before the NSEC3 chain is
+  removed.</para>
+  <sect2>
+    <title>Converting from secure to insecure</title>
+  </sect2>
+  <para>To convert a signed zone to unsigned using dynamic DNS,
+  delete all the DNSKEY records from the zone apex using
+  <command>nsupdate</command>. All signatures, NSEC or NSEC3 chains,
+  and associated NSEC3PARAM records will be removed automatically.
+  This will take place after the update request completes.</para>
+  <para> This requires the 
+  <command>dnssec-secure-to-insecure</command> option to be set to 
+  <userinput>yes</userinput> in 
+  <filename>named.conf</filename>.</para>
+  <para>In addition, if the <command>auto-dnssec maintain</command>
+  zone statement is used, it should be removed or changed to
+  <command>allow</command> instead (or it will re-sign).
+  </para>
+  <sect2>
+    <title>Periodic re-signing</title>
+  </sect2>
+  <para>In any secure zone which supports dynamic updates, named
+  will periodically re-sign RRsets which have not been re-signed as
+  a result of some update action. The signature lifetimes will be
+  adjusted so as to spread the re-sign load over time rather than
+  all at once.</para>
+  <sect2>
+    <title>NSEC3 and OPTOUT</title>
+  </sect2>
+  <para>
+  <command>named</command> only supports creating new NSEC3 chains
+  where all the NSEC3 records in the zone have the same OPTOUT
+  state. 
+  <command>named</command> supports UPDATES to zones where the NSEC3
+  records in the chain have mixed OPTOUT state. 
+  <command>named</command> does not support changing the OPTOUT
+  state of an individual NSEC3 record, the entire chain needs to be
+  changed if the OPTOUT state of an individual NSEC3 needs to be
+  changed.</para>
+</sect1>
diff --git a/doc/arm/libdns.xml b/doc/arm/libdns.xml
new file mode 100644
index 00000000..5c2022f1
--- /dev/null
+++ b/doc/arm/libdns.xml
@@ -0,0 +1,530 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ - Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<sect1 id="bind9.library">
+  <title>BIND 9 DNS Library Support</title>
+  <para>This version of BIND 9 "exports" its internal libraries so
+  that they can be used by third-party applications more easily (we
+  call them "export" libraries in this document). In addition to
+  all major DNS-related APIs BIND 9 is currently using, the export
+  libraries provide the following features:</para>
+  <itemizedlist>
+    <listitem>
+      <para>The newly created "DNS client" module. This is a higher
+      level API that provides an interface to name resolution,
+      single DNS transaction with a particular server, and dynamic
+      update. Regarding name resolution, it supports advanced
+      features such as DNSSEC validation and caching. This module
+      supports both synchronous and asynchronous mode.</para>
+    </listitem>
+    <listitem>
+      <para>The new "IRS" (Information Retrieval System) library.
+      It provides an interface to parse the traditional resolv.conf
+      file and more advanced, DNS-specific configuration file for
+      the rest of this package (see the description for the
+      dns.conf file below).</para>
+    </listitem>
+    <listitem>
+      <para>As part of the IRS library, newly implemented standard
+      address-name mapping functions, getaddrinfo() and
+      getnameinfo(), are provided. They use the DNSSEC-aware
+      validating resolver backend, and could use other advanced
+      features of the BIND 9 libraries such as caching. The
+      getaddrinfo() function resolves both A and AAAA RRs
+      concurrently (when the address family is unspecified).</para>
+    </listitem>
+    <listitem>
+      <para>An experimental framework to support other event
+      libraries than BIND 9's internal event task system.</para>
+    </listitem>
+  </itemizedlist>
+  <sect2>
+    <title>Prerequisite</title>
+  <para>GNU make is required to build the export libraries (other
+  part of BIND 9 can still be built with other types of make). In
+  the reminder of this document, "make" means GNU make. Note that
+  in some platforms you may need to invoke a different command name
+  than "make" (e.g. "gmake") to indicate it's GNU make.</para>
+  </sect2>
+  <sect2>
+    <title>Compilation</title>
+  <screen>
+$ <userinput>./configure --enable-exportlib <replaceable>[other flags]</replaceable></userinput>
+$ <userinput>make</userinput>
+</screen>
+  <para>
+  This will create (in addition to usual BIND 9 programs) and a
+  separate set of libraries under the lib/export directory. For
+  example, <filename>lib/export/dns/libdns.a</filename> is the archive file of the
+  export version of the BIND 9 DNS library. Sample application
+  programs using the libraries will also be built under the
+  lib/export/samples directory (see below).</para>
+  </sect2>
+  <sect2>
+    <title>Installation</title>
+  <screen>
+$ <userinput>cd lib/export</userinput>
+$ <userinput>make install</userinput>
+</screen>
+  <para>
+  This will install library object files under the directory
+  specified by the --with-export-libdir configure option (default:
+  EPREFIX/lib/bind9), and header files under the directory
+  specified by the --with-export-includedir configure option
+  (default: PREFIX/include/bind9).
+  Root privilege is normally required.
+  "<command>make install</command>" at the top directory will do the
+  same.
+  </para>
+  <para>
+  To see how to build your own
+  application after the installation, see
+  <filename>lib/export/samples/Makefile-postinstall.in</filename>.</para>
+  </sect2>
+  <sect2>
+    <title>Known Defects/Restrictions</title>
+  <itemizedlist>
+    <listitem>
+<!-- TODO: what about AIX? -->
+      <para>Currently, win32 is not supported for the export
+      library. (Normal BIND 9 application can be built as
+      before).</para>
+    </listitem>
+    <listitem>
+      <para>The "fixed" RRset order is not (currently) supported in
+      the export library. If you want to use "fixed" RRset order
+      for, e.g. <command>named</command> while still building the
+      export library even without the fixed order support, build
+      them separately:
+      <screen>
+$ <userinput>./configure --enable-fixed-rrset <replaceable>[other flags, but not --enable-exportlib]</replaceable></userinput>
+$ <userinput>make</userinput>
+$ <userinput>./configure --enable-exportlib <replaceable>[other flags, but not --enable-fixed-rrset]</replaceable></userinput>
+$ <userinput>cd lib/export</userinput>
+$ <userinput>make</userinput>
+</screen>
+    </para>
+    </listitem>
+    <listitem>
+      <para>The client module and the IRS library currently do not
+      support DNSSEC validation using DLV (the underlying modules
+      can handle it, but there is no tunable interface to enable
+      the feature).</para>
+    </listitem>
+    <listitem>
+      <para>RFC 5011 is not supported in the validating stub
+      resolver of the export library. In fact, it is not clear
+      whether it should: trust anchors would be a system-wide
+      configuration which would be managed by an administrator,
+      while the stub resolver will be used by ordinary applications
+      run by a normal user.</para>
+    </listitem>
+    <listitem>
+      <para>Not all common <filename>/etc/resolv.conf</filename>
+      options are supported
+      in the IRS library. The only available options in this
+      version are "debug" and "ndots".</para>
+    </listitem>
+  </itemizedlist>
+  </sect2>
+  <sect2>
+    <title>The dns.conf File</title>
+  <para>The IRS library supports an "advanced" configuration file
+  related to the DNS library for configuration parameters that
+  would be beyond the capability of the
+  <filename>resolv.conf</filename> file.
+  Specifically, it is intended to provide DNSSEC related
+  configuration parameters. By default the path to this
+  configuration file is <filename>/etc/dns.conf</filename>.
+  This module is very
+  experimental and the configuration syntax or library interfaces
+  may change in future versions. Currently, only the
+  <command>trusted-keys</command>
+  statement is supported, whose syntax is the same as the same name
+  of statement for <filename>named.conf</filename>. (See
+  <xref linkend="trusted-keys" /> for details.)</para>
+  </sect2>
+  <sect2>
+    <title>Sample Applications</title>
+  <para>Some sample application programs using this API are
+  provided for reference. The following is a brief description of
+  these applications.
+  </para>
+  <sect3>
+    <title>sample: a simple stub resolver utility</title>
+  <para>
+  It sends a query of a given name (of a given optional RR type) to a
+  specified recursive server, and prints the result as a list of
+  RRs. It can also act as a validating stub resolver if a trust
+  anchor is given via a set of command line options.</para>
+  <para>
+  Usage: sample [options] server_address hostname
+  </para>
+  <para>
+  Options and Arguments:
+  </para>
+  <variablelist>
+  <varlistentry>
+  <term>
+  -t RRtype
+  </term>
+  <listitem><para>
+        specify the RR type of the query.  The default is the A RR.
+  </para></listitem>
+  </varlistentry>
+  <varlistentry>
+  <term>
+  [-a algorithm] [-e] -k keyname -K keystring
+  </term>
+  <listitem><para>
+        specify a command-line DNS key to validate the answer.  For
+        example, to specify the following DNSKEY of example.com:
+<literallayout>
+                example.com. 3600 IN DNSKEY 257 3 5 xxx
+</literallayout>
+        specify the options as follows:
+<screen>
+<userinput>
+          -e -k example.com -K "xxx"
+</userinput>
+</screen>
+        -e means that this key is a zone's "key signing key" (as known
+        as "secure Entry point").
+        When -a is omitted rsasha1 will be used by default.
+  </para></listitem>
+  </varlistentry>
+  <varlistentry>
+  <term>
+  -s domain:alt_server_address
+  </term>
+  <listitem><para>
+         specify a separate recursive server address for the specific
+        "domain".  Example: -s example.com:2001:db8::1234
+  </para></listitem>
+  </varlistentry>
+  <varlistentry>
+  <term>server_address</term>
+  <listitem><para>
+        an IP(v4/v6) address of the recursive server to which queries
+        are sent.
+  </para></listitem>
+  </varlistentry>
+  <varlistentry>
+  <term>hostname</term>
+  <listitem><para>
+        the domain name for the query
+  </para></listitem>
+  </varlistentry>
+  </variablelist>
+  </sect3>
+  <sect3>
+    <title>sample-async: a simple stub resolver, working asynchronously</title>
+  <para>
+  Similar to "sample", but accepts a list
+  of (query) domain names as a separate file and resolves the names
+  asynchronously.</para>
+  <para>
+    Usage: sample-async [-s server_address] [-t RR_type] input_file</para>
+  <para>
+ Options and Arguments:
+  </para>
+  <variablelist>
+  <varlistentry>
+   <term>
+   -s server_address
+   </term>
+  <listitem>
+   an IPv4 address of the recursive server to which queries are sent.
+  (IPv6 addresses are not supported in this implementation)
+  </listitem>
+  </varlistentry>
+  <varlistentry>
+  <term>
+   -t RR_type
+  </term>
+  <listitem>
+  specify the RR type of the queries. The default is the A
+  RR.
+  </listitem>
+  </varlistentry>
+  <varlistentry>
+  <term>
+   input_file
+  </term>
+  <listitem>
+   a list of domain names to be resolved. each line
+  consists of a single domain name. Example:
+  <literallayout>
+  www.example.com
+  mx.examle.net
+  ns.xxx.example
+</literallayout>
+  </listitem>
+    </varlistentry>
+    </variablelist>
+  </sect3>
+  <sect3>
+    <title>sample-request: a simple DNS transaction client</title>
+  <para>
+  It sends a query to a specified server, and
+  prints the response with minimal processing. It doesn't act as a
+  "stub resolver": it stops the processing once it gets any
+  response from the server, whether it's a referral or an alias
+  (CNAME or DNAME) that would require further queries to get the
+  ultimate answer. In other words, this utility acts as a very
+  simplified <command>dig</command>.
+  </para>
+  <para>
+  Usage: sample-request [-t RRtype] server_address hostname
+  </para>
+  <para>
+    Options and Arguments:
+  </para>
+  <variablelist>
+  <varlistentry>
+   <term>
+   -t RRtype
+  </term>
+  <listitem>
+  <para>
+  specify the RR type of
+  the queries. The default is the A RR.
+  </para>
+  </listitem>
+  </varlistentry>
+  <varlistentry>
+  <term>
+  server_address
+  </term>
+  <listitem>
+  <para>
+   an IP(v4/v6)
+  address of the recursive server to which the query is sent.
+  </para>
+  </listitem>
+  </varlistentry>
+  <varlistentry>
+  <term>
+  hostname
+  </term>
+  <listitem>
+  <para>
+  the domain name for the query
+  </para>
+  </listitem>
+  </varlistentry>
+  </variablelist>
+  </sect3>
+  <sect3>
+    <title>sample-gai: getaddrinfo() and getnameinfo() test code</title>
+  <para>
+  This is a test program
+  to check getaddrinfo() and getnameinfo() behavior. It takes a
+  host name as an argument, calls getaddrinfo() with the given host
+  name, and calls getnameinfo() with the resulting IP addresses
+  returned by getaddrinfo(). If the dns.conf file exists and
+  defines a trust anchor, the underlying resolver will act as a
+  validating resolver, and getaddrinfo()/getnameinfo() will fail
+  with an EAI_INSECUREDATA error when DNSSEC validation fails.
+  </para>
+  <para>
+  Usage: sample-gai hostname
+  </para>
+  </sect3>
+  <sect3>
+    <title>sample-update: a simple dynamic update client program</title>
+  <para>
+  It accepts a single update command as a
+  command-line argument, sends an update request message to the
+  authoritative server, and shows the response from the server. In
+  other words, this is a simplified <command>nsupdate</command>.
+  </para>
+  <para>
+   Usage: sample-update [options] (add|delete) "update data"
+  </para>
+  <para>
+  Options and Arguments:
+  </para>
+  <variablelist>
+  <varlistentry>
+   <term>
+  -a auth_server
+   </term>
+   <listitem><para>
+        An IP address of the authoritative server that has authority
+        for the zone containing the update name.  This should normally
+        be the primary authoritative server that accepts dynamic
+        updates.  It can also be a secondary server that is configured
+        to forward update requests to the primary server.
+   </para></listitem>
+   </varlistentry>
+   <varlistentry>
+   <term>
+  -k keyfile
+   </term>
+   <listitem><para>
+        A TSIG key file to secure the update transaction.  The keyfile
+        format is the same as that for the nsupdate utility.
+   </para></listitem>
+   </varlistentry>
+   <varlistentry>
+   <term>
+  -p prerequisite
+   </term>
+   <listitem><para>
+        A prerequisite for the update (only one prerequisite can be
+        specified).  The prerequisite format is the same as that is
+        accepted by the nsupdate utility.
+   </para></listitem>
+   </varlistentry>
+   <varlistentry>
+   <term>
+  -r recursive_server
+   </term>
+   <listitem><para>
+        An IP address of a recursive server that this utility will
+        use.  A recursive server may be necessary to identify the
+        authoritative server address to which the update request is
+        sent.
+   </para></listitem>
+   </varlistentry>
+   <varlistentry>
+   <term>
+  -z zonename
+   </term>
+   <listitem><para>
+        The domain name of the zone that contains
+   </para></listitem>
+   </varlistentry>
+   <varlistentry>
+   <term>
+  (add|delete)
+   </term>
+   <listitem><para>
+        Specify the type of update operation.  Either "add" or "delete"
+        must be specified.
+   </para></listitem>
+   </varlistentry>
+   <varlistentry>
+   <term>
+  "update data"
+   </term>
+   <listitem><para>
+        Specify the data to be updated.  A typical example of the data
+        would look like "name TTL RRtype RDATA".
+  </para></listitem>
+  </varlistentry>
+  </variablelist>
+
+   <note>In practice, either -a or -r must be specified.  Others can
+   be optional; the underlying library routine tries to identify the
+   appropriate server and the zone name for the update.</note>
+
+   <para>
+   Examples: assuming the primary authoritative server of the
+   dynamic.example.com zone has an IPv6 address 2001:db8::1234,
+   </para>
+   <screen>
+$ <userinput>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key add "foo.dynamic.example.com 30 IN A 192.168.2.1"</userinput></screen>
+   <para>
+     adds an A RR for foo.dynamic.example.com using the given key.
+   </para>
+   <screen>
+$ <userinput>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com 30 IN A"</userinput></screen>
+   <para>
+     removes all A RRs for foo.dynamic.example.com using the given key.
+   </para>
+   <screen>   
+$ <userinput>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com"</userinput></screen>
+   <para>
+     removes all RRs for foo.dynamic.example.com using the given key.
+   </para>
+  </sect3>
+  <sect3>
+    <title>nsprobe: domain/name server checker in terms of RFC 4074</title>
+  <para>
+  It checks a set
+  of domains to see the name servers of the domains behave
+  correctly in terms of RFC 4074. This is included in the set of
+  sample programs to show how the export library can be used in a
+  DNS-related application.
+  </para>
+  <para>
+ Usage: nsprobe [-d] [-v [-v...]] [-c cache_address] [input_file]
+  </para>
+  <para>
+   Options
+  </para>
+
+  <variablelist>
+  <varlistentry>
+  <term>
+  -d
+  </term>
+  <listitem><para>
+        run in the "debug" mode.  with this option nsprobe will dump
+        every RRs it receives.
+  </para></listitem>
+  </varlistentry>
+  <varlistentry>
+  <term>
+  -v
+  </term>
+  <listitem><para>
+        increase verbosity of other normal log messages.  This can be
+        specified multiple times
+  </para></listitem>
+  </varlistentry>
+  <varlistentry>
+  <term>
+  -c cache_address
+  </term>
+  <listitem><para>
+        specify an IP address of a recursive (caching) name server.
+        nsprobe uses this server to get the NS RRset of each domain and
+        the A and/or AAAA RRsets for the name servers.  The default
+        value is 127.0.0.1.
+  </para></listitem>
+  </varlistentry>
+  <varlistentry>
+  <term>
+  input_file
+  </term>
+  <listitem><para>
+        a file name containing a list of domain (zone) names to be
+        probed.  when omitted the standard input will be used.  Each
+        line of the input file specifies a single domain name such as
+        "example.com".  In general this domain name must be the apex
+        name of some DNS zone (unlike normal "host names" such as
+        "www.example.com").  nsprobe first identifies the NS RRsets for
+        the given domain name, and sends A and AAAA queries to these
+        servers for some "widely used" names under the zone;
+        specifically, adding "www" and "ftp" to the zone name.
+  </para></listitem>
+  </varlistentry>
+  </variablelist>
+  </sect3>
+  </sect2>
+  <sect2>
+    <title>Library References</title>
+  <para>As of this writing, there is no formal "manual" of the
+  libraries, except this document, header files (some of them
+  provide pretty detailed explanations), and sample application
+  programs.</para>
+  </sect2>
+</sect1>
+<!-- $Id: libdns.xml,v 1.2.2.2 2010/02/03 23:48:29 tbox Exp $ -->
diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html
index 0bf82d4a..efe0b199 100644
--- a/doc/arm/man.arpaname.html
+++ b/doc/arm/man.arpaname.html
@@ -14,7 +14,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: man.arpaname.html,v 1.2.4.5 2010/01/20 02:08:51 tbox Exp $ -->
+<!-- $Id: man.arpaname.html,v 1.2.4.7 2010/02/04 02:08:19 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,20 +50,20 @@
 <div class="cmdsynopsis"><p><code class="command">arpaname</code>  {<em class="replaceable"><code>ipaddress </code></em>...}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2613190"></a><h2>DESCRIPTION</h2>
+<a name="id2612434"></a><h2>DESCRIPTION</h2>
 <p>
       <span><strong class="command">arpaname</strong></span> translates IP addresses (IPv4 and
       IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2613205"></a><h2>SEE ALSO</h2>
+<a name="id2612449"></a><h2>SEE ALSO</h2>
 <p>
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2613219"></a><h2>AUTHOR</h2>
+<a name="id2612462"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html
index aeed4b8e..df75b751 100644
--- a/doc/arm/man.ddns-confgen.html
+++ b/doc/arm/man.ddns-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.ddns-confgen.html,v 1.40.4.4 2010/01/20 02:08:51 tbox Exp $ -->
+<!-- $Id: man.ddns-confgen.html,v 1.40.4.6 2010/02/04 02:08:19 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">ddns-confgen</code>  [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [ -s <em class="replaceable"><code>name</code></em>  |   -z <em class="replaceable"><code>zone</code></em> ] [<code class="option">-q</code>] [name]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2638336"></a><h2>DESCRIPTION</h2>
+<a name="id2640788"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">ddns-confgen</strong></span>
       generates a key for use by <span><strong class="command">nsupdate</strong></span>
       and <span><strong class="command">named</strong></span>.  It simplifies configuration
@@ -77,7 +77,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2638491"></a><h2>OPTIONS</h2>
+<a name="id2640875"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 <dd><p>
@@ -144,7 +144,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2638760"></a><h2>SEE ALSO</h2>
+<a name="id2645104"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">nsupdate</span>(1)</span>,
       <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
       <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
@@ -152,7 +152,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2638798"></a><h2>AUTHOR</h2>
+<a name="id2645142"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html
index fafebe92..8d4b4a4d 100644
--- a/doc/arm/man.dig.html
+++ b/doc/arm/man.dig.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.dig.html,v 1.138.4.2 2010/01/08 02:08:26 tbox Exp $ -->
+<!-- $Id: man.dig.html,v 1.138.4.4 2010/02/04 02:08:20 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -52,7 +52,7 @@
 <div class="cmdsynopsis"><p><code class="command">dig</code>  [global-queryopt...] [query...]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2563925"></a><h2>DESCRIPTION</h2>
+<a name="id2608836"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dig</strong></span>
       (domain information groper) is a flexible tool
       for interrogating DNS name servers.  It performs DNS lookups and
@@ -98,7 +98,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2580199"></a><h2>SIMPLE USAGE</h2>
+<a name="id2608931"></a><h2>SIMPLE USAGE</h2>
 <p>
       A typical invocation of <span><strong class="command">dig</strong></span> looks like:
       </p>
@@ -144,7 +144,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2580310"></a><h2>OPTIONS</h2>
+<a name="id2609110"></a><h2>OPTIONS</h2>
 <p>
       The <code class="option">-b</code> option sets the source IP address of the query
       to <em class="parameter"><code>address</code></em>.  This must be a valid
@@ -248,7 +248,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2632262"></a><h2>QUERY OPTIONS</h2>
+<a name="id2660721"></a><h2>QUERY OPTIONS</h2>
 <p><span><strong class="command">dig</strong></span>
       provides a number of query options which affect
       the way in which lookups are made and the results displayed.  Some of
@@ -573,7 +573,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2633262"></a><h2>MULTIPLE QUERIES</h2>
+<a name="id2661789"></a><h2>MULTIPLE QUERIES</h2>
 <p>
       The BIND 9 implementation of <span><strong class="command">dig </strong></span>
       supports
@@ -619,7 +619,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2633348"></a><h2>IDN SUPPORT</h2>
+<a name="id2661875"></a><h2>IDN SUPPORT</h2>
 <p>
       If <span><strong class="command">dig</strong></span> has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names.
@@ -633,14 +633,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2633377"></a><h2>FILES</h2>
+<a name="id2661904"></a><h2>FILES</h2>
 <p><code class="filename">/etc/resolv.conf</code>
     </p>
 <p><code class="filename">${HOME}/.digrc</code>
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2633466"></a><h2>SEE ALSO</h2>
+<a name="id2661925"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
       <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
@@ -648,7 +648,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2633504"></a><h2>BUGS</h2>
+<a name="id2661962"></a><h2>BUGS</h2>
 <p>
       There are probably too many query options.
     </p>
diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html
index bbde3499..a995f392 100644
--- a/doc/arm/man.dnssec-dsfromkey.html
+++ b/doc/arm/man.dnssec-dsfromkey.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.dnssec-dsfromkey.html,v 1.50.4.2 2010/01/08 02:08:23 tbox Exp $ -->
+<!-- $Id: man.dnssec-dsfromkey.html,v 1.50.4.4 2010/02/04 02:08:20 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -51,14 +51,14 @@
 <div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code>  {-s} [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-s</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-A</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {dnsname}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2606181"></a><h2>DESCRIPTION</h2>
+<a name="id2610610"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dnssec-dsfromkey</strong></span>
       outputs the Delegation Signer (DS) resource record (RR), as defined in
       RFC 3658 and RFC 4509, for the given key(s).
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2606195"></a><h2>OPTIONS</h2>
+<a name="id2610624"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-1</span></dt>
 <dd><p>
@@ -119,7 +119,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2606452"></a><h2>EXAMPLE</h2>
+<a name="id2610949"></a><h2>EXAMPLE</h2>
 <p>
       To build the SHA-256 DS RR from the
       <strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
@@ -134,7 +134,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2606488"></a><h2>FILES</h2>
+<a name="id2610985"></a><h2>FILES</h2>
 <p>
       The keyfile can be designed by the key identification
       <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
@@ -148,13 +148,13 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2606598"></a><h2>CAVEAT</h2>
+<a name="id2611027"></a><h2>CAVEAT</h2>
 <p>
       A keyfile error can give a "file not found" even if the file exists.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2606608"></a><h2>SEE ALSO</h2>
+<a name="id2611036"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
@@ -164,7 +164,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2606715"></a><h2>AUTHOR</h2>
+<a name="id2611622"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html
index 3c9177cd..cb3316cb 100644
--- a/doc/arm/man.dnssec-keyfromlabel.html
+++ b/doc/arm/man.dnssec-keyfromlabel.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.dnssec-keyfromlabel.html,v 1.83.4.3 2010/01/20 02:08:51 tbox Exp $ -->
+<!-- $Id: man.dnssec-keyfromlabel.html,v 1.83.4.5 2010/02/04 02:08:20 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code>  {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-y</code>] {name}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2607019"></a><h2>DESCRIPTION</h2>
+<a name="id2612131"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dnssec-keyfromlabel</strong></span>
       gets keys with the given label from a crypto hardware and builds
       key files for DNSSEC (Secure DNS), as defined in RFC 2535
@@ -63,7 +63,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2607040"></a><h2>OPTIONS</h2>
+<a name="id2612151"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 <dd>
@@ -182,7 +182,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2608158"></a><h2>TIMING OPTIONS</h2>
+<a name="id2614021"></a><h2>TIMING OPTIONS</h2>
 <p>
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -229,7 +229,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2610168"></a><h2>GENERATED KEY FILES</h2>
+<a name="id2614119"></a><h2>GENERATED KEY FILES</h2>
 <p>
       When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
       successfully,
@@ -268,7 +268,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2651085"></a><h2>SEE ALSO</h2>
+<a name="id2614281"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
@@ -276,7 +276,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2651118"></a><h2>AUTHOR</h2>
+<a name="id2614314"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index c83bff82..e90125c1 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.dnssec-keygen.html,v 1.152.4.3 2010/01/20 02:08:51 tbox Exp $ -->
+<!-- $Id: man.dnssec-keygen.html,v 1.152.4.5 2010/02/04 02:08:20 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code>  [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {name}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2608560"></a><h2>DESCRIPTION</h2>
+<a name="id2613125"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dnssec-keygen</strong></span>
       generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC 4034.  It can also generate keys for use with
@@ -64,7 +64,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2608580"></a><h2>OPTIONS</h2>
+<a name="id2613145"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 <dd>
@@ -256,7 +256,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2660619"></a><h2>TIMING OPTIONS</h2>
+<a name="id2663751"></a><h2>TIMING OPTIONS</h2>
 <p>
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -303,7 +303,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2660922"></a><h2>GENERATED KEYS</h2>
+<a name="id2663917"></a><h2>GENERATED KEYS</h2>
 <p>
       When <span><strong class="command">dnssec-keygen</strong></span> completes
       successfully,
@@ -349,7 +349,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2661030"></a><h2>EXAMPLE</h2>
+<a name="id2664093"></a><h2>EXAMPLE</h2>
 <p>
       To generate a 768-bit DSA key for the domain
       <strong class="userinput"><code>example.com</code></strong>, the following command would be
@@ -370,7 +370,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2661086"></a><h2>SEE ALSO</h2>
+<a name="id2664218"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 2539</em>,
@@ -379,7 +379,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2661117"></a><h2>AUTHOR</h2>
+<a name="id2664249"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html
index 217d2efd..6ba61479 100644
--- a/doc/arm/man.dnssec-revoke.html
+++ b/doc/arm/man.dnssec-revoke.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.dnssec-revoke.html,v 1.35.4.3 2010/01/20 02:08:51 tbox Exp $ -->
+<!-- $Id: man.dnssec-revoke.html,v 1.35.4.5 2010/02/04 02:08:20 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">dnssec-revoke</code>  [<code class="option">-hr</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f</code>] {keyfile}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2609060"></a><h2>DESCRIPTION</h2>
+<a name="id2614376"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dnssec-revoke</strong></span>
       reads a DNSSEC key file, sets the REVOKED bit on the key as defined
       in RFC 5011, and creates a new pair of key files containing the
@@ -58,7 +58,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2609074"></a><h2>OPTIONS</h2>
+<a name="id2614390"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-h</span></dt>
 <dd><p>
@@ -91,14 +91,14 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2609181"></a><h2>SEE ALSO</h2>
+<a name="id2614498"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 5011</em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2609206"></a><h2>AUTHOR</h2>
+<a name="id2614522"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html
index b778af86..20dd97be 100644
--- a/doc/arm/man.dnssec-settime.html
+++ b/doc/arm/man.dnssec-settime.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.dnssec-settime.html,v 1.30.4.3 2010/01/20 02:08:51 tbox Exp $ -->
+<!-- $Id: man.dnssec-settime.html,v 1.30.4.5 2010/02/04 02:08:20 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">dnssec-settime</code>  [<code class="option">-f</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] {keyfile}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2609702"></a><h2>DESCRIPTION</h2>
+<a name="id2614615"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dnssec-settime</strong></span>
       reads a DNSSEC private key file and sets the key timing metadata
       as specified by the <code class="option">-P</code>, <code class="option">-A</code>,
@@ -75,7 +75,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2609761"></a><h2>OPTIONS</h2>
+<a name="id2614674"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-f</span></dt>
 <dd><p>
@@ -106,7 +106,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2610469"></a><h2>TIMING OPTIONS</h2>
+<a name="id2615041"></a><h2>TIMING OPTIONS</h2>
 <p>
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -151,7 +151,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2610567"></a><h2>PRINTING OPTIONS</h2>
+<a name="id2615139"></a><h2>PRINTING OPTIONS</h2>
 <p>
       <span><strong class="command">dnssec-settime</strong></span> can also be used to print the
       timing metadata associated with a key.
@@ -169,7 +169,7 @@
             <code class="option">C</code> for the creation date,
             <code class="option">P</code> for the publication date,
             <code class="option">A</code> for the activation date,
-            <code class="option">R</code> for the revokation date,
+            <code class="option">R</code> for the revocation date,
             <code class="option">U</code> for the unpublication date, or
             <code class="option">D</code> for the deletion date.
             To print all of the metadata, use <code class="option">-p all</code>.
@@ -177,7 +177,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2610852"></a><h2>SEE ALSO</h2>
+<a name="id2615219"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
@@ -185,7 +185,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2610885"></a><h2>AUTHOR</h2>
+<a name="id2615457"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index e5fda458..4c93e082 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.dnssec-signzone.html,v 1.152.4.3 2010/01/20 02:08:51 tbox Exp $ -->
+<!-- $Id: man.dnssec-signzone.html,v 1.152.4.5 2010/02/04 02:08:20 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code>  [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-P</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2612066"></a><h2>DESCRIPTION</h2>
+<a name="id2617044"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dnssec-signzone</strong></span>
       signs a zone.  It generates
       NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2612085"></a><h2>OPTIONS</h2>
+<a name="id2617063"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-a</span></dt>
 <dd><p>
@@ -397,7 +397,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2662105"></a><h2>EXAMPLE</h2>
+<a name="id2665240"></a><h2>EXAMPLE</h2>
 <p>
       The following command signs the <strong class="userinput"><code>example.com</code></strong>
       zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
@@ -427,14 +427,14 @@ db.example.com.signed
 %</pre>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2662252"></a><h2>SEE ALSO</h2>
+<a name="id2665319"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 4033</em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2662277"></a><h2>AUTHOR</h2>
+<a name="id2665412"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/doc/arm/man.genrandom.html b/doc/arm/man.genrandom.html
index 21885b8b..a0608f71 100644
--- a/doc/arm/man.genrandom.html
+++ b/doc/arm/man.genrandom.html
@@ -14,7 +14,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: man.genrandom.html,v 1.2.4.5 2010/01/20 02:08:51 tbox Exp $ -->
+<!-- $Id: man.genrandom.html,v 1.2.4.7 2010/02/04 02:08:19 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">genrandom</code>  {<em class="replaceable"><code>size</code></em>} {<em class="replaceable"><code>filename</code></em>}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2638850"></a><h2>DESCRIPTION</h2>
+<a name="id2612562"></a><h2>DESCRIPTION</h2>
 <p>
       <span><strong class="command">genrandom</strong></span>
       generates a file containing a specified quantity of pseudo-random
@@ -59,7 +59,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2638865"></a><h2>ARGUMENTS</h2>
+<a name="id2648758"></a><h2>ARGUMENTS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">size</span></dt>
 <dd><p>
@@ -72,14 +72,14 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2638900"></a><h2>SEE ALSO</h2>
+<a name="id2648793"></a><h2>SEE ALSO</h2>
 <p>
       <span class="citerefentry"><span class="refentrytitle">rand</span>(3)</span>,
       <span class="citerefentry"><span class="refentrytitle">arc4random</span>(3)</span>
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2638926"></a><h2>AUTHOR</h2>
+<a name="id2648820"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html
index dc783775..9bce126e 100644
--- a/doc/arm/man.host.html
+++ b/doc/arm/man.host.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.host.html,v 1.136.4.2 2010/01/08 02:08:26 tbox Exp $ -->
+<!-- $Id: man.host.html,v 1.136.4.4 2010/02/04 02:08:20 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">host</code>  [<code class="option">-aCdlnrsTwv</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>] [<code class="option">-R <em class="replaceable"><code>number</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] {name} [server]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2605431"></a><h2>DESCRIPTION</h2>
+<a name="id2609314"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">host</strong></span>
       is a simple utility for performing DNS lookups.
       It is normally used to convert names to IP addresses and vice versa.
@@ -202,7 +202,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2607242"></a><h2>IDN SUPPORT</h2>
+<a name="id2609691"></a><h2>IDN SUPPORT</h2>
 <p>
       If <span><strong class="command">host</strong></span> has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names. 
@@ -216,12 +216,12 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2607271"></a><h2>FILES</h2>
+<a name="id2609720"></a><h2>FILES</h2>
 <p><code class="filename">/etc/resolv.conf</code>
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2607285"></a><h2>SEE ALSO</h2>
+<a name="id2609734"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
       <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
     </p>
diff --git a/doc/arm/man.isc-hmac-fixup.html b/doc/arm/man.isc-hmac-fixup.html
index fbcefeb9..23a9c998 100644
--- a/doc/arm/man.isc-hmac-fixup.html
+++ b/doc/arm/man.isc-hmac-fixup.html
@@ -14,7 +14,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: man.isc-hmac-fixup.html,v 1.1.2.4 2010/01/20 02:08:51 tbox Exp $ -->
+<!-- $Id: man.isc-hmac-fixup.html,v 1.1.2.6 2010/02/04 02:08:19 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">isc-hmac-fixup</code>  {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>secret</code></em>}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2643593"></a><h2>DESCRIPTION</h2>
+<a name="id2613346"></a><h2>DESCRIPTION</h2>
 <p>
       Versions of BIND 9 up to and including BIND 9.6 had a bug causing
       HMAC-SHA* TSIG keys which were longer than the digest length of the
@@ -76,7 +76,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2643621"></a><h2>SECURITY CONSIDERATIONS</h2>
+<a name="id2613373"></a><h2>SECURITY CONSIDERATIONS</h2>
 <p>
       Secrets that have been converted by <span><strong class="command">isc-hmac-fixup</strong></span>
       are shortened, but as this is how the HMAC protocol works in
@@ -87,14 +87,14 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2643637"></a><h2>SEE ALSO</h2>
+<a name="id2649434"></a><h2>SEE ALSO</h2>
 <p>
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 2104</em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2643654"></a><h2>AUTHOR</h2>
+<a name="id2649451"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index bae1246f..747380c4 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.named-checkconf.html,v 1.146.4.4 2010/01/20 02:08:51 tbox Exp $ -->
+<!-- $Id: man.named-checkconf.html,v 1.146.4.6 2010/02/04 02:08:20 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">named-checkconf</code>  [<code class="option">-h</code>] [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] {filename} [<code class="option">-p</code>] [<code class="option">-z</code>]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2612385"></a><h2>DESCRIPTION</h2>
+<a name="id2617909"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">named-checkconf</strong></span>
       checks the syntax, but not the semantics, of a
       <span><strong class="command">named</strong></span> configuration file.  The file is parsed
@@ -70,7 +70,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2612455"></a><h2>OPTIONS</h2>
+<a name="id2617979"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-h</span></dt>
 <dd><p>
@@ -109,21 +109,21 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2612589"></a><h2>RETURN VALUES</h2>
+<a name="id2626169"></a><h2>RETURN VALUES</h2>
 <p><span><strong class="command">named-checkconf</strong></span>
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2612603"></a><h2>SEE ALSO</h2>
+<a name="id2626183"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">named-checkzone</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2612633"></a><h2>AUTHOR</h2>
+<a name="id2626213"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index 2965763d..14183283 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.named-checkzone.html,v 1.154.4.4 2010/01/20 02:08:51 tbox Exp $ -->
+<!-- $Id: man.named-checkzone.html,v 1.154.4.6 2010/02/04 02:08:20 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -51,7 +51,7 @@
 <div class="cmdsynopsis"><p><code class="command">named-compilezone</code>  [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {<code class="option">-o <em class="replaceable"><code>filename</code></em></code>} {zonename} {filename}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2613378"></a><h2>DESCRIPTION</h2>
+<a name="id2631122"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">named-checkzone</strong></span>
       checks the syntax and integrity of a zone file.  It performs the
       same checks as <span><strong class="command">named</strong></span> does when loading a
@@ -71,7 +71,7 @@
      </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2613428"></a><h2>OPTIONS</h2>
+<a name="id2665510"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-d</span></dt>
 <dd><p>
@@ -265,14 +265,14 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2665809"></a><h2>RETURN VALUES</h2>
+<a name="id2666281"></a><h2>RETURN VALUES</h2>
 <p><span><strong class="command">named-checkzone</strong></span>
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2665891"></a><h2>SEE ALSO</h2>
+<a name="id2666295"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
       <em class="citetitle">RFC 1035</em>,
@@ -280,7 +280,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2665924"></a><h2>AUTHOR</h2>
+<a name="id2666328"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html
index 691616d0..6724ad5c 100644
--- a/doc/arm/man.named-journalprint.html
+++ b/doc/arm/man.named-journalprint.html
@@ -14,7 +14,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: man.named-journalprint.html,v 1.2.4.5 2010/01/20 02:08:51 tbox Exp $ -->
+<!-- $Id: man.named-journalprint.html,v 1.2.4.7 2010/02/04 02:08:20 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">named-journalprint</code>  {<em class="replaceable"><code>journal</code></em>}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2610712"></a><h2>DESCRIPTION</h2>
+<a name="id2610775"></a><h2>DESCRIPTION</h2>
 <p>
       <span><strong class="command">named-journalprint</strong></span>
       prints the contents of a zone journal file in a human-readable
@@ -76,7 +76,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2614444"></a><h2>SEE ALSO</h2>
+<a name="id2635943"></a><h2>SEE ALSO</h2>
 <p>
       <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">nsupdate</span>(8)</span>,
@@ -84,7 +84,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2614475"></a><h2>AUTHOR</h2>
+<a name="id2635974"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index c18bad7b..da7865f3 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.named.html,v 1.156.4.4 2010/01/20 02:08:51 tbox Exp $ -->
+<!-- $Id: man.named.html,v 1.156.4.6 2010/02/04 02:08:20 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">named</code>  [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine-name</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-S <em class="replaceable"><code>#max-socks</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-V</code>] [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2613748"></a><h2>DESCRIPTION</h2>
+<a name="id2631355"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">named</strong></span>
       is a Domain Name System (DNS) server,
       part of the BIND 9 distribution from ISC.  For more
@@ -65,7 +65,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2613779"></a><h2>OPTIONS</h2>
+<a name="id2631386"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-4</span></dt>
 <dd><p>
@@ -246,7 +246,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2614401"></a><h2>SIGNALS</h2>
+<a name="id2636445"></a><h2>SIGNALS</h2>
 <p>
       In routine operation, signals should not be used to control
       the nameserver; <span><strong class="command">rndc</strong></span> should be used
@@ -267,7 +267,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2635204"></a><h2>CONFIGURATION</h2>
+<a name="id2637793"></a><h2>CONFIGURATION</h2>
 <p>
       The <span><strong class="command">named</strong></span> configuration file is too complex
       to describe in detail here.  A complete description is provided
@@ -284,7 +284,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2635253"></a><h2>FILES</h2>
+<a name="id2637842"></a><h2>FILES</h2>
 <div class="variablelist"><dl>
 <dt><span class="term"><code class="filename">/etc/named.conf</code></span></dt>
 <dd><p>
@@ -297,7 +297,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2635297"></a><h2>SEE ALSO</h2>
+<a name="id2637885"></a><h2>SEE ALSO</h2>
 <p><em class="citetitle">RFC 1033</em>,
       <em class="citetitle">RFC 1034</em>,
       <em class="citetitle">RFC 1035</em>,
@@ -310,7 +310,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2669978"></a><h2>AUTHOR</h2>
+<a name="id2668130"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html
index 90294a57..684b6feb 100644
--- a/doc/arm/man.nsec3hash.html
+++ b/doc/arm/man.nsec3hash.html
@@ -14,7 +14,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: man.nsec3hash.html,v 1.2.4.5 2010/01/20 02:08:51 tbox Exp $ -->
+<!-- $Id: man.nsec3hash.html,v 1.2.4.7 2010/02/04 02:08:19 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -48,7 +48,7 @@
 <div class="cmdsynopsis"><p><code class="command">nsec3hash</code>  {<em class="replaceable"><code>salt</code></em>} {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>iterations</code></em>} {<em class="replaceable"><code>domain</code></em>}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2646089"></a><h2>DESCRIPTION</h2>
+<a name="id2650521"></a><h2>DESCRIPTION</h2>
 <p>
       <span><strong class="command">nsec3hash</strong></span> generates an NSEC3 hash based on
       a set of NSEC3 parameters.  This can be used to check the validity
@@ -56,7 +56,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2646104"></a><h2>ARGUMENTS</h2>
+<a name="id2650536"></a><h2>ARGUMENTS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">salt</span></dt>
 <dd><p>
@@ -80,14 +80,14 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2646166"></a><h2>SEE ALSO</h2>
+<a name="id2650598"></a><h2>SEE ALSO</h2>
 <p>
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 5155</em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2646183"></a><h2>AUTHOR</h2>
+<a name="id2650615"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html
index 219a41b0..8cb502f9 100644
--- a/doc/arm/man.nsupdate.html
+++ b/doc/arm/man.nsupdate.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.nsupdate.html,v 1.80.4.5 2010/01/20 02:08:51 tbox Exp $ -->
+<!-- $Id: man.nsupdate.html,v 1.80.4.7 2010/02/04 02:08:20 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">nsupdate</code>  [<code class="option">-d</code>] [<code class="option">-D</code>] [[<code class="option">-g</code>] |  [<code class="option">-o</code>] |  [<code class="option">-l</code>] |  [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></code>] |  [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]] [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>] [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>] [<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>] [<code class="option">-R <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-v</code>] [filename]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2614750"></a><h2>DESCRIPTION</h2>
+<a name="id2636590"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">nsupdate</strong></span>
       is used to submit Dynamic DNS Update requests as defined in RFC 2136
       to a name server.
@@ -210,7 +210,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2619044"></a><h2>INPUT FORMAT</h2>
+<a name="id2637402"></a><h2>INPUT FORMAT</h2>
 <p><span><strong class="command">nsupdate</strong></span>
       reads input from
       <em class="parameter"><code>filename</code></em>
@@ -474,7 +474,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2672983"></a><h2>EXAMPLES</h2>
+<a name="id2669086"></a><h2>EXAMPLES</h2>
 <p>
       The examples below show how
       <span><strong class="command">nsupdate</strong></span>
@@ -528,7 +528,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2673033"></a><h2>FILES</h2>
+<a name="id2669137"></a><h2>FILES</h2>
 <div class="variablelist"><dl>
 <dt><span class="term"><code class="constant">/etc/resolv.conf</code></span></dt>
 <dd><p>
@@ -551,7 +551,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2673116"></a><h2>SEE ALSO</h2>
+<a name="id2669288"></a><h2>SEE ALSO</h2>
 <p>
       <em class="citetitle">RFC 2136</em>,
       <em class="citetitle">RFC 3007</em>,
@@ -566,7 +566,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2673174"></a><h2>BUGS</h2>
+<a name="id2669346"></a><h2>BUGS</h2>
 <p>
       The TSIG key is redundantly stored in two separate files.
       This is a consequence of nsupdate using the DST library
diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index fdaf9480..3085907b 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.rndc-confgen.html,v 1.160.4.4 2010/01/20 02:08:51 tbox Exp $ -->
+<!-- $Id: man.rndc-confgen.html,v 1.160.4.6 2010/02/04 02:08:20 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">rndc-confgen</code>  [<code class="option">-a</code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [<code class="option">-s <em class="replaceable"><code>address</code></em></code>] [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2637536"></a><h2>DESCRIPTION</h2>
+<a name="id2639783"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">rndc-confgen</strong></span>
       generates configuration files
       for <span><strong class="command">rndc</strong></span>.  It can be used as a
@@ -66,7 +66,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2637738"></a><h2>OPTIONS</h2>
+<a name="id2639849"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-a</span></dt>
 <dd>
@@ -173,7 +173,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2638193"></a><h2>EXAMPLES</h2>
+<a name="id2645424"></a><h2>EXAMPLES</h2>
 <p>
       To allow <span><strong class="command">rndc</strong></span> to be used with
       no manual configuration, run
@@ -190,7 +190,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2639341"></a><h2>SEE ALSO</h2>
+<a name="id2645480"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
       <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
@@ -198,7 +198,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2639380"></a><h2>AUTHOR</h2>
+<a name="id2645518"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index 41ca9787..43c3131f 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.rndc.conf.html,v 1.161.4.4 2010/01/20 02:08:51 tbox Exp $ -->
+<!-- $Id: man.rndc.conf.html,v 1.161.4.6 2010/02/04 02:08:20 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">rndc.conf</code> </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2611242"></a><h2>DESCRIPTION</h2>
+<a name="id2611305"></a><h2>DESCRIPTION</h2>
 <p><code class="filename">rndc.conf</code> is the configuration file
       for <span><strong class="command">rndc</strong></span>, the BIND 9 name server control
       utility.  This file has a similar structure and syntax to
@@ -135,7 +135,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2636331"></a><h2>EXAMPLE</h2>
+<a name="id2639193"></a><h2>EXAMPLE</h2>
 <pre class="programlisting">
       options {
         default-server  localhost;
@@ -209,7 +209,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2637272"></a><h2>NAME SERVER CONFIGURATION</h2>
+<a name="id2639383"></a><h2>NAME SERVER CONFIGURATION</h2>
 <p>
       The name server must be configured to accept rndc connections and
       to recognize the key specified in the <code class="filename">rndc.conf</code>
@@ -219,7 +219,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2637298"></a><h2>SEE ALSO</h2>
+<a name="id2639477"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">mmencode</span>(1)</span>,
@@ -227,7 +227,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2637336"></a><h2>AUTHOR</h2>
+<a name="id2639515"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index cd59e490..aa88635d 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.rndc.html,v 1.159.4.4 2010/01/20 02:08:51 tbox Exp $ -->
+<!-- $Id: man.rndc.html,v 1.159.4.6 2010/02/04 02:08:20 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">rndc</code>  [<code class="option">-b <em class="replaceable"><code>source-address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>] [<code class="option">-s <em class="replaceable"><code>server</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>] {command}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2623637"></a><h2>DESCRIPTION</h2>
+<a name="id2638445"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">rndc</strong></span>
       controls the operation of a name
       server.  It supersedes the <span><strong class="command">ndc</strong></span> utility
@@ -79,7 +79,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2623687"></a><h2>OPTIONS</h2>
+<a name="id2638496"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-b <em class="replaceable"><code>source-address</code></em></span></dt>
 <dd><p>
@@ -151,7 +151,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2635654"></a><h2>LIMITATIONS</h2>
+<a name="id2638721"></a><h2>LIMITATIONS</h2>
 <p><span><strong class="command">rndc</strong></span>
       does not yet support all the commands of
       the BIND 8 <span><strong class="command">ndc</strong></span> utility.
@@ -165,7 +165,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2635685"></a><h2>SEE ALSO</h2>
+<a name="id2638752"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
       <span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
@@ -175,7 +175,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2635740"></a><h2>AUTHOR</h2>
+<a name="id2638807"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/doc/arm/managed-keys.xml b/doc/arm/managed-keys.xml
new file mode 100644
index 00000000..2279d883
--- /dev/null
+++ b/doc/arm/managed-keys.xml
@@ -0,0 +1,100 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ - Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: managed-keys.xml,v 1.2.2.2 2010/02/03 23:48:29 tbox Exp $ -->
+
+<sect1 id="rfc5011.support">
+  <title>Dynamic Trust Anchor Management</title>
+  <para>BIND 9.7.0 introduces support for RFC 5011, dynamic trust
+  anchor management. Using this feature allows 
+  <command>named</command> to keep track of changes to critical
+  DNSSEC keys without any need for the operator to make changes to
+  configuration files.</para>
+  <sect2>
+    <title>Validating Resolver</title>
+    <!-- TODO: command tag is overloaded for configuration and executables -->
+    <para>To configure a validating resolver to use RFC 5011 to
+    maintain a trust anchor, configure the trust anchor using a 
+    <command>managed-keys</command> statement. Information about
+    this can be found in 
+    <xref linkend="managed-keys" />.</para>
+    <!-- TODO: managed-keys examples
+also in DNSSEC section above here in ARM -->
+  </sect2>
+  <sect2>
+    <title>Authoritative Server</title>
+    <para>To set up an authoritative zone for RFC 5011 trust anchor
+    maintenance, generate two (or more) key signing keys (KSKs) for
+    the zone. Sign the zone with one of them; this is the "active"
+    KSK. All KSK's which do not sign the zone are "stand-by"
+    keys.</para>
+    <para>Any validating resolver which is configured to use the
+    active KSK as an RFC 5011-managed trust anchor will take note
+    of the stand-by KSKs in the zone's DNSKEY RRset, and store them
+    for future reference. The resolver will recheck the zone
+    periodically, and after 30 days, if the new key is still there,
+    then the key will be accepted by the resolver as a valid trust
+    anchor for the zone. Any time after this 30-day acceptance
+    timer has completed, the active KSK can be revoked, and the
+    zone can be "rolled over" to the newly accepted key.</para>
+    <para>The easiest way to place a stand-by key in a zone is to
+    use the "smart signing" features of 
+    <command>dnssec-keygen</command> and 
+    <command>dnssec-signzone</command>. If a key with a publication
+    date in the past, but an activation date which is unset or in
+    the future, " 
+    <command>dnssec-signzone -S</command>" will include the DNSKEY
+    record in the zone, but will not sign with it:</para>
+    <screen>
+$ <userinput>dnssec-keygen -K keys -f KSK -P now -A now+2y example.net</userinput>
+$ <userinput>dnssec-signzone -S -K keys example.net</userinput>
+</screen>
+    <para>To revoke a key, the new command 
+    <command>dnssec-revoke</command> has been added. This adds the
+    REVOKED bit to the key flags and re-generates the 
+    <filename>K*.key</filename> and 
+    <filename>K*.private</filename> files.</para>
+    <para>After revoking the active key, the zone must be signed
+    with both the revoked KSK and the new active KSK. (Smart
+    signing takes care of this automatically.)</para>
+    <para>Once a key has been revoked and used to sign the DNSKEY
+    RRset in which it appears, that key will never again be
+    accepted as a valid trust anchor by the resolver. However,
+    validation can proceed using the new active key (which had been
+    accepted by the resolver when it was a stand-by key).</para>
+    <para>See RFC 5011 for more details on key rollover
+    scenarios.</para>
+    <para>When a key has been revoked, its key ID changes,
+    increasing by 128, and wrapping around at 65535. So, for
+    example, the key "<filename>Kexample.com.+005+10000</filename>" becomes
+    "<filename>Kexample.com.+005+10128</filename>".</para>
+    <para>If two keys have ID's exactly 128 apart, and one is
+    revoked, then the two key ID's will collide, causing several
+    problems. To prevent this, 
+    <command>dnssec-keygen</command> will not generate a new key if
+    another key is present which may collide. This checking will
+    only occur if the new keys are written to the same directory
+    which holds all other keys in use for that zone.</para>
+    <para>Older versions of BIND 9 did not have this precaution.
+    Exercise caution if using key revocation on keys that were
+    generated by previous releases, or if using keys stored in
+    multiple directories or on multiple machines.</para>
+    <para>It is expected that a future release of BIND 9 will
+    address this problem in a different way, by storing revoked
+    keys with their original unrevoked key ID's.</para>
+  </sect2>
+</sect1>
diff --git a/doc/arm/pkcs11.xml b/doc/arm/pkcs11.xml
new file mode 100644
index 00000000..f416d176
--- /dev/null
+++ b/doc/arm/pkcs11.xml
@@ -0,0 +1,372 @@
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+               [<!ENTITY mdash "&#8212;">]>
+<sect1 id="pkcs11">
+  <title>PKCS #11 (Cryptoki) support</title>
+  <para>PKCS #11 (Public Key Cryptography Standard #11) defines a
+  platform- independent API for the control of hardware security
+  modules (HSMs) and other cryptographic support devices.</para>
+  <para>BIND 9 is known to work with two HSMs: The Sun SCA 6000
+  cryptographic acceleration board, tested under Solaris x86, and
+  the AEP Keyper network-attached key storage device, tested with
+  Debian Linux, Solaris x86 and Windows Server 2003.</para>
+  <sect2>
+    <title>Prerequisites</title>
+    <para>See the HSM vendor documentation for information about
+    installing, initializing, testing and troubleshooting the
+    HSM.</para>
+    <para>BIND 9 uses OpenSSL for cryptography, but stock OpenSSL
+    does not yet fully support PKCS #11. However, a PKCS #11 engine
+    for OpenSSL is available from the OpenSolaris project. It has
+    been modified by ISC to work with with BIND 9, and to provide
+    new features such as PIN management and key by
+    reference.</para>
+    <para>The patched OpenSSL depends on a "PKCS #11 provider".
+    This is a shared library object, providing a low-level PKCS #11
+    interface to the HSM hardware. It is dynamically loaded by
+    OpenSSL at runtime. The PKCS #11 provider comes from the HSM
+    vendor, and and is specific to the HSM to be controlled.</para>
+    <para>There are two "flavors" of PKCS #11 support provided by
+    the patched OpenSSL, one of which must be chosen at
+    configuration time. The correct choice depends on the HSM
+    hardware:</para>
+    <itemizedlist>
+      <listitem>
+        <para>Use 'crypto-accelerator' with HSMs that have hardware
+        cryptographic acceleration features, such as the SCA 6000
+        board. This causes OpenSSL to run all supported
+        cryptographic operations in the HSM.</para>
+      </listitem>
+      <listitem>
+        <para>Use 'sign-only' with HSMs that are designed to
+        function primarily as secure key storage devices, but lack
+        hardware acceleration. These devices are highly secure, but
+        are not necessarily any faster at cryptography than the
+        system CPU &mdash; often, they are slower. It is therefore
+        most efficient to use them only for those cryptographic
+        functions that require access to the secured private key,
+        such as zone signing, and to use the system CPU for all
+        other computationally-intensive operations. The AEP Keyper
+        is an example of such a device.</para>
+      </listitem>
+    </itemizedlist>
+    <para>The modified OpenSSL code is included in the BIND 9.7.0
+    release, in the form of a context diff against the latest OpenSSL.
+    </para>
+    <note>
+      The latest OpenSSL version at the time of the BIND release
+      is 0.9.8l.
+      ISC will provide an updated patch as new versions of OpenSSL
+      are released. The version number in the following examples
+      is expected to change.</note>
+    <para>
+    Before building BIND 9 with PKCS #11 support, it will be
+    necessary to build OpenSSL with this patch in place and inform
+    it of the path to the HSM-specific PKCS #11 provider
+    library.</para>
+    <para>Obtain OpenSSL 0.9.8l:</para>
+    <screen>
+$ <userinput>wget <ulink>http://www.openssl.org/source/openssl-0.9.8l.tar.gz</ulink></userinput>
+</screen>
+    <para>Extract the tarball:</para>
+    <screen>
+$ <userinput>tar zxf openssl-0.9.8l.tar.gz</userinput>
+</screen>
+    <para>Apply the patch from the BIND 9 release:</para>
+    <screen>
+$ <userinput>patch -p1 -d openssl-0.9.8l \
+            &lt; bind-9.7.0/bin/pkcs11/openssl-0.9.8l-patch</userinput>
+</screen>
+    <note>(Note that the patch file may not be compatible with the
+    "patch" utility on all operating systems. You may need to
+    install GNU patch.)</note>
+    <para>When building OpenSSL, place it in a non-standard
+    location so that it does not interfere with OpenSSL libraries
+    elsewhere on the system. In the following examples, we choose
+    to install into "/opt/pkcs11/usr". We will use this location
+    when we configure BIND 9.</para>
+    <sect3>
+      <!-- Example 1 -->
+      <title>Building OpenSSL for the AEP Keyper on Linux</title>
+      <para>The AEP Keyper is a highly secure key storage device,
+      but does not provide hardware cryptographic acceleration. It
+      can carry out cryptographic operations, but it is probably
+      slower than your system's CPU. Therefore, we choose the
+      'sign-only' flavor when building OpenSSL.</para>
+      <para>The Keyper-specific PKCS #11 provider library is
+      delivered with the Keyper software. In this example, we place
+      it /opt/pkcs11/usr/lib:</para>
+      <screen>
+$ <userinput>cp pkcs11.GCC4.0.2.so.4.05 /opt/pkcs11/usr/lib/libpkcs11.so</userinput>
+</screen>
+      <para>This library is only available for Linux as a 32-bit
+      binary. If we are compiling on a 64-bit Linux system, it is
+      necessary to force a 32-bit build, by specifying -m32 in the
+      build options.</para>
+      <para>Finally, the Keyper library requires threads, so we
+      must specify -pthread.</para>
+      <screen>
+$ <userinput>cd openssl-0.9.8l</userinput>
+$ <userinput>./Configure linux-generic32 -m32 -pthread \
+            --pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so \
+            --pk11-flavor=sign-only \
+            --prefix=/opt/pkcs11/usr</userinput>
+</screen>
+      <para>After configuring, run "<command>make</command>"
+      and "<command>make test</command>". If "<command>make
+      test</command>" fails with "pthread_atfork() not found", you forgot to
+      add the -pthread above.</para>
+    </sect3>
+    <sect3>
+      <!-- Example 2 -->
+      <title>Building OpenSSL for the SCA 6000 on Solaris</title>
+      <para>The SCA-6000 PKCS #11 provider is installed as a system
+      library, libpkcs11. It is a true crypto accelerator, up to 4
+      times faster than any CPU, so the flavor shall be
+      'crypto-accelerator'.</para>
+      <para>In this example, we are building on Solaris x86 on an
+      AMD64 system.</para>
+      <screen>
+$ <userinput>cd openssl-0.9.8l</userinput>
+$ <userinput>./Configure solaris64-x86_64-cc \
+            --pk11-libname=/usr/lib/64/libpkcs11.so \
+            --pk11-flavor=crypto-accelerator \
+            --prefix=/opt/pkcs11/usr</userinput>
+</screen>
+      <para>(For a 32-bit build, use "solaris-x86-cc" and
+      /usr/lib/libpkcs11.so.)</para>
+      <para>After configuring, run 
+      <command>make</command> and 
+      <command>make test</command>.</para>
+      <para>Once you have built OpenSSL, run
+      "<command>apps/openssl engine pkcs11</command>" to confirm
+      that PKCS #11 support was compiled in correctly. The output
+      should be one of the following lines, depending on the flavor
+      selected:</para>
+      <screen>
+        (pkcs11) PKCS #11 engine support (sign only)
+</screen>
+      <para>Or:</para>
+      <screen>
+        (pkcs11) PKCS #11 engine support (crypto accelerator)
+</screen>
+      <para>Next, run
+      "<command>apps/openssl engine pkcs11 -t</command>". This will
+      attempt to initialize the PKCS #11 engine. If it is able to
+      do so successfully, it will report
+      <quote><literal>[ available ]</literal></quote>.</para>
+      <para>If the output is correct, run
+      "<command>make install</command>" which will install the
+      modified OpenSSL suite to 
+      <filename>/opt/pkcs11/usr</filename>.</para>
+    </sect3>
+  </sect2>
+  <sect2>
+    <title>Building BIND 9 with PKCS#11</title>
+    <para>When building BIND 9, the location of the custom-built
+    OpenSSL library must be specified via configure.</para>
+    <sect3>
+      <!-- Example 3 -->
+      <title>Configuring BIND 9 for Linux</title>
+      <para>To link with the PKCS #11 provider, threads must be
+      enabled in the BIND 9 build.</para>
+      <para>The PKCS #11 library for the AEP Keyper is currently
+      only available as a 32-bit binary. If we are building on a
+      64-bit host, we must force a 32-bit build by adding "-m32" to
+      the CC options on the "configure" command line.</para>
+      <screen>
+$ <userinput>cd ../bind-9.7.0</userinput>
+$ <userinput>./configure CC="gcc -m32" --enable-threads \
+           --with-openssl=/opt/pkcs11/usr \
+           --with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so</userinput>
+</screen>
+    </sect3>
+    <sect3>
+      <!-- Example 4 -->
+      <title>Configuring BIND 9 for Solaris</title>
+      <para>To link with the PKCS #11 provider, threads must be
+      enabled in the BIND 9 build.</para>
+      <screen>
+$ <userinput>cd ../bind-9.7.0</userinput>
+$ <userinput>./configure CC="cc -xarch=amd64" --enable-threads \
+            --with-openssl=/opt/pkcs11/usr \
+            --with-pkcs11=/usr/lib/64/libpkcs11.so</userinput>
+</screen>
+      <para>(For a 32-bit build, omit CC="cc -xarch=amd64".)</para>
+      <para>If configure complains about OpenSSL not working, you
+      may have a 32/64-bit architecture mismatch. Or, you may have
+      incorrectly specified the path to OpenSSL (it should be the
+      same as the --prefix argument to the OpenSSL
+      Configure).</para>
+    </sect3>
+    <para>After configuring, run
+    "<command>make</command>",
+    "<command>make test</command>" and
+    "<command>make install</command>".</para>
+  </sect2>
+  <sect2>
+    <title>PKCS #11 Tools</title>
+    <para>BIND 9 includes a minimal set of tools to operate the
+    HSM, including 
+    <command>pkcs11-keygen</command> to generate a new key pair
+    within the HSM, 
+    <command>pkcs11-list</command> to list objects currently
+    available, and 
+    <command>pkcs11-destroy</command> to remove objects.</para>
+    <para>In UNIX/Linux builds, these tools are built only if BIND
+    9 is configured with the --with-pkcs11 option. (NOTE: If
+    --with-pkcs11 is set to "yes", rather than to the path of the
+    PKCS #11 provider, then the tools will be built but the
+    provider will be left undefined. Use the -m option or the
+    PKCS11_PROVIDER environment variable to specify the path to the
+    provider.)</para>
+  </sect2>
+  <sect2>
+    <title>Using the HSM</title>
+    <para>First, we must set up the runtime environment so the
+    OpenSSL and PKCS #11 libraries can be loaded:</para>
+    <screen>
+$ <userinput>export LD_LIBRARY_PATH=/opt/pkcs11/usr/lib:${LD_LIBRARY_PATH}</userinput>
+</screen>
+    <para>When operating an AEP Keyper, it is also necessary to
+    specify the location of the "machine" file, which stores
+    information about the Keyper for use by PKCS #11 provider
+    library. If the machine file is in 
+    <filename>/opt/Keyper/PKCS11Provider/machine</filename>,
+    use:</para>
+    <screen>
+$ <userinput>export KEYPER_LIBRARY_PATH=/opt/Keyper/PKCS11Provider</userinput>
+</screen>
+    <!-- TODO: why not defined at compile time? -->
+    <para>These environment variables must be set whenever running
+    any tool that uses the HSM, including 
+    <command>pkcs11-keygen</command>, 
+    <command>pkcs11-list</command>, 
+    <command>pkcs11-destroy</command>, 
+    <command>dnssec-keyfromlabel</command>, 
+    <command>dnssec-signzone</command>, 
+    <command>dnssec-keygen</command>(which will use the HSM for
+    random number generation), and 
+    <command>named</command>.</para>
+    <para>We can now create and use keys in the HSM. In this case,
+    we will create a 2048 bit key and give it the label
+    "sample-ksk":</para>
+    <screen>
+$ <userinput>pkcs11-keygen -b 2048 -l sample-ksk</userinput>
+</screen>
+    <para>To confirm that the key exists:</para>
+    <screen>
+$ <userinput>pkcs11-list</userinput>
+Enter PIN:
+object[0]: handle 2147483658 class 3 label[8] 'sample-ksk' id[0]
+object[1]: handle 2147483657 class 2 label[8] 'sample-ksk' id[0]
+</screen>
+    <para>Before using this key to sign a zone, we must create a
+    pair of BIND 9 key files. The "dnssec-keyfromlabel" utility
+    does this. In this case, we will be using the HSM key
+    "sample-ksk" as the key-signing key for "example.net":</para>
+    <screen>
+$ <userinput>dnssec-keyfromlabel -l sample-ksk -f KSK example.net</userinput>
+</screen>
+    <para>The resulting K*.key and K*.private files can now be used
+    to sign the zone. Unlike normal K* files, which contain both
+    public and private key data, these files will contain only the
+    public key data, plus an identifier for the private key which
+    remains stored within the HSM. The HSM handles signing with the
+    private key.</para>
+    <para>If you wish to generate a second key in the HSM for use
+    as a zone-signing key, follow the same procedure above, using a
+    different keylabel, a smaller key size, and omitting "-f KSK"
+    from the dnssec-keyfromlabel arguments:</para>
+    <screen>
+$ <userinput>pkcs11-keygen -b 1024 -l sample-zsk</userinput>
+$ <userinput>dnssec-keyfromlabel -l sample-zsk example.net</userinput>
+</screen>
+    <para>Alternatively, you may prefer to generate a conventional
+    on-disk key, using dnssec-keygen:</para>
+    <screen>
+$ <userinput>dnssec-keygen example.net</userinput>
+</screen>
+    <para>This provides less security than an HSM key, but since
+    HSMs can be slow or cumbersome to use for security reasons, it
+    may be more efficient to reserve HSM keys for use in the less
+    frequent key-signing operation. The zone-signing key can be
+    rolled more frequently, if you wish, to compensate for a
+    reduction in key security.</para>
+    <para>Now you can sign the zone. (Note: If not using the -S
+    option to 
+    <command>dnssec-signzone</command>, it will be necessary to add
+    the contents of both 
+    <filename>K*.key</filename> files to the zone master file before
+    signing it.)</para>
+    <screen>
+$ <userinput>dnssec-signzone -S example.net</userinput>
+Enter PIN:
+Verifying the zone using the following algorithms:
+NSEC3RSASHA1.
+Zone signing complete:
+Algorithm: NSEC3RSASHA1: ZSKs: 1, KSKs: 1 active, 0 revoked, 0 stand-by
+example.net.signed
+</screen>
+  </sect2>
+  <sect2>
+    <title>Specifying the engine on the command line</title>
+    <para>The OpenSSL engine can be specified in 
+    <command>named</command> and all of the BIND 
+    <command>dnssec-*</command> tools by using the "-E
+    &lt;engine&gt;" command line option. If BIND 9 is built with
+    the --with-pkcs11 option, this option defaults to "pkcs11".
+    Specifying the engine will generally not be necessary unless
+    for some reason you wish to use a different OpenSSL
+    engine.</para>
+    <para>If you wish to disable use of the "pkcs11" engine &mdash;
+    for troubleshooting purposes, or because the HSM is unavailable
+    &mdash; set the engine to the empty string. For example:</para>
+    <screen>
+$ <userinput>dnssec-signzone -E '' -S example.net</userinput>
+</screen>
+    <para>This causes 
+    <command>dnssec-signzone</command> to run as if it were compiled
+    without the --with-pkcs11 option.</para>
+  </sect2>
+  <sect2>
+    <title>Running named with automatic zone re-signing</title>
+    <para>If you want 
+    <command>named</command> to dynamically re-sign zones using HSM
+    keys, and/or to to sign new records inserted via nsupdate, then
+    named must have access to the HSM PIN. This can be accomplished
+    by placing the PIN into the openssl.cnf file (in the above
+    examples, 
+    <filename>/opt/pkcs11/usr/ssl/openssl.cnf</filename>).</para>
+    <para>The location of the openssl.cnf file can be overridden by
+    setting the OPENSSL_CONF environment variable before running
+    named.</para>
+    <para>Sample openssl.cnf:</para>
+    <programlisting>
+        openssl_conf = openssl_def
+        [ openssl_def ]
+        engines = engine_section
+        [ engine_section ]
+        pkcs11 = pkcs11_section
+        [ pkcs11_section ]
+        PIN = <replaceable>&lt;PLACE PIN HERE&gt;</replaceable>
+</programlisting>
+    <para>This will also allow the dnssec-* tools to access the HSM
+    without PIN entry. (The pkcs11-* tools access the HSM directly,
+    not via OpenSSL, so a PIN will still be required to use
+    them.)</para>
+<!-- 
+If the PIN is not known, I believe the first time named needs the
+PIN to open a key, it'll ask you to type in the PIN, which will be
+a problem because it probably won't be running on a terminal
+-->
+    <warning>
+      <para>Placing the HSM's PIN in a text file in
+      this manner may reduce the security advantage of using an
+      HSM. Be sure this is what you want to do before configuring
+      OpenSSL in this way.</para>
+    </warning>
+  </sect2>
+  <!-- TODO: what is alternative then for named dynamic re-signing? -->
+  <!-- TODO: what happens if PIN is not known? named will log about it? -->
+</sect1>
diff --git a/lib/dns/api b/lib/dns/api
index c4e83f4e..6a453afb 100644
--- a/lib/dns/api
+++ b/lib/dns/api
@@ -1,3 +1,3 @@
 LIBINTERFACE = 64
-LIBREVISION = 0
+LIBREVISION = 1
 LIBAGE = 0
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index f4f6a85e..319fe2ff 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.c,v 1.540.2.13 2010/01/22 01:46:43 each Exp $ */
+/* $Id: zone.c,v 1.540.2.14 2010/01/26 23:35:22 fdupont Exp $ */
 
 /*! \file */
 
@@ -7179,6 +7179,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 	dns_fetchevent_t *devent;
 	dns_keyfetch_t *kfetch;
 	dns_zone_t *zone;
+	isc_mem_t *mctx;
 	dns_keytable_t *secroots = NULL;
 	dns_dbversion_t *ver = NULL;
 	dns_diff_t diff;
@@ -7205,6 +7206,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 
 	kfetch = event->ev_arg;
 	zone = kfetch->zone;
+	mctx = zone->mctx;
 	keyname = dns_fixedname_name(&kfetch->name);
 
 	devent = (dns_fetchevent_t *) event;
@@ -7226,7 +7228,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 
 	LOCK_ZONE(zone);
 	dns_db_newversion(kfetch->db, &ver);
-	dns_diff_init(zone->mctx, &diff);
+	dns_diff_init(mctx, &diff);
 
 	/* Fetch failed */
 	if (eresult != ISC_R_SUCCESS ||
@@ -7459,8 +7461,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 
 					/* Remove from secroots */
 					untrust_key(zone->view->viewlist,
-						    keyname, zone->mctx,
-						    &dnskey);
+						    keyname, mctx, &dnskey);
 
 					/* If initializing, delete now */
 					if (keydata.addhd == 0)
@@ -7506,7 +7507,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 			if (initializing) {
 				dns_keytag_t tag = 0;
 				CHECK(compute_tag(keyname, &dnskey,
-						  zone->mctx, &tag));
+						  mctx, &tag));
 				dns_zone_log(zone, ISC_LOG_WARNING,
 					     "Initializing automatic trust "
 					     "anchor management for zone '%s'; "
@@ -7564,7 +7565,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 			/* Trust this key in all views */
 			dns_rdata_tostruct(&dnskeyrr, &dnskey, NULL);
 			trust_key(zone->view->viewlist, keyname, &dnskey,
-				  zone->mctx);
+				  mctx);
 		}
 
 		if (!deletekey)
@@ -7599,8 +7600,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 
 	/* Write changes to journal file. */
 	if (alldone) {
-		result = increment_soa_serial(kfetch->db, ver, &diff,
-					      zone->mctx);
+		result = increment_soa_serial(kfetch->db, ver, &diff, mctx);
 		if (result == ISC_R_SUCCESS)
 			zone_journal(zone, &diff, "keyfetch_done");
 	}
@@ -7608,6 +7608,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 	dns_diff_clear(&diff);
 	dns_db_closeversion(kfetch->db, &ver, changed);
 	dns_db_detach(&kfetch->db);
+	dns_zone_detach(&kfetch->zone);
 
 	if (dns_rdataset_isassociated(&kfetch->keydataset))
 		dns_rdataset_disassociate(&kfetch->keydataset);
@@ -7616,8 +7617,8 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 	if (dns_rdataset_isassociated(&kfetch->dnskeysigset))
 		dns_rdataset_disassociate(&kfetch->dnskeysigset);
 
-	dns_name_free(keyname, zone->mctx);
-	isc_mem_put(zone->mctx, kfetch, sizeof(dns_keyfetch_t));
+	dns_name_free(keyname, mctx);
+	isc_mem_put(mctx, kfetch, sizeof(dns_keyfetch_t));
 
 	if (secroots != NULL)
 		dns_keytable_detach(&secroots);
@@ -7706,7 +7707,8 @@ zone_refreshkeys(dns_zone_t *zone) {
 		zone->refreshkeycount++;
 
 		kfetch = isc_mem_get(zone->mctx, sizeof(dns_keyfetch_t));
-		kfetch->zone = zone;
+		kfetch->zone = NULL;
+		dns_zone_attach(zone, &kfetch->zone);
 		dns_fixedname_init(&kfetch->name);
 		dns_name_dup(name, zone->mctx,
 			     dns_fixedname_name(&kfetch->name));
diff --git a/lib/isc/api b/lib/isc/api
index ea516a14..f7fd6642 100644
--- a/lib/isc/api
+++ b/lib/isc/api
@@ -1,3 +1,3 @@
 LIBINTERFACE = 61
-LIBREVISION = 3
+LIBREVISION = 4
 LIBAGE = 1
diff --git a/lib/isc/httpd.c b/lib/isc/httpd.c
index fa313253..9690b084 100644
--- a/lib/isc/httpd.c
+++ b/lib/isc/httpd.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2006-2008, 2010  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: httpd.c,v 1.16 2008/08/08 05:06:49 marka Exp $ */
+/* $Id: httpd.c,v 1.16.284.2 2010/02/04 23:48:30 tbox Exp $ */
 
 /*! \file */
 
@@ -151,6 +151,7 @@ struct isc_httpdmgr {
 
 	ISC_LIST(isc_httpdurl_t) urls;		/*%< urls we manage */
 	isc_httpdaction_t      *render_404;
+	isc_httpdaction_t      *render_500;
 };
 
 /*%
@@ -221,6 +222,11 @@ static isc_result_t render_404(const char *, const char *,
 			       unsigned int *, const char **,
 			       const char **, isc_buffer_t *,
 			       isc_httpdfree_t **, void **);
+static isc_result_t render_500(const char *, const char *,
+			       void *,
+			       unsigned int *, const char **,
+			       const char **, isc_buffer_t *,
+			       isc_httpdfree_t **, void **);
 
 static void
 destroy_client(isc_httpd_t **httpdp)
@@ -300,6 +306,7 @@ isc_httpdmgr_create(isc_mem_t *mctx, isc_socket_t *sock, isc_task_t *task,
 		goto cleanup;
 
 	httpd->render_404 = render_404;
+	httpd->render_500 = render_500;
 
 	*httpdp = httpd;
 	return (ISC_R_SUCCESS);
@@ -623,6 +630,30 @@ render_404(const char *url, const char *querystring,
 	return (ISC_R_SUCCESS);
 }
 
+static isc_result_t
+render_500(const char *url, const char *querystring,
+	   void *arg,
+	   unsigned int *retcode, const char **retmsg,
+	   const char **mimetype, isc_buffer_t *b,
+	   isc_httpdfree_t **freecb, void **freecb_args)
+{
+	static char msg[] = "Internal server failure.";
+
+	UNUSED(url);
+	UNUSED(querystring);
+	UNUSED(arg);
+
+	*retcode = 500;
+	*retmsg = "Internal server failure";
+	*mimetype = "text/plain";
+	isc_buffer_reinit(b, msg, strlen(msg));
+	isc_buffer_add(b, strlen(msg));
+	*freecb = NULL;
+	*freecb_args = NULL;
+
+	return (ISC_R_SUCCESS);
+}
+
 static void
 isc_httpd_recvdone(isc_task_t *task, isc_event_t *ev)
 {
@@ -691,8 +722,14 @@ isc_httpd_recvdone(isc_task_t *task, isc_event_t *ev)
 				     &httpd->mimetype, &httpd->bodybuffer,
 				     &httpd->freecb, &httpd->freecb_arg);
 	if (result != ISC_R_SUCCESS) {
-		destroy_client(&httpd);
-		goto out;
+	    result = httpd->mgr->render_500(httpd->url, httpd->querystring,
+					    NULL,
+					    &httpd->retcode,
+					    &httpd->retmsg,
+					    &httpd->mimetype,
+					    &httpd->bodybuffer,
+					    &httpd->freecb,
+					    &httpd->freecb_arg);
 	}
 
 	isc_httpd_response(httpd);
diff --git a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c
index c3e5430f..9add24fa 100644
--- a/lib/isc/unix/socket.c
+++ b/lib/isc/unix/socket.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: socket.c,v 1.326 2009/11/13 00:41:58 each Exp $ */
+/* $Id: socket.c,v 1.326.20.2 2010/01/31 23:48:29 tbox Exp $ */
 
 /*! \file */
 
@@ -1674,12 +1674,22 @@ doio_recv(isc__socket_t *sock, isc_socketevent_t *dev) {
 	}
 
 	/*
-	 * On TCP, zero length reads indicate EOF, while on
-	 * UDP, zero length reads are perfectly valid, although
-	 * strange.
+	 * On TCP and UNIX sockets, zero length reads indicate EOF,
+	 * while on UDP sockets, zero length reads are perfectly valid,
+	 * although strange.
 	 */
-	if ((sock->type == isc_sockettype_tcp) && (cc == 0))
-		return (DOIO_EOF);
+	switch (sock->type) {
+	case isc_sockettype_tcp:
+	case isc_sockettype_unix:
+		if (cc == 0)
+			return (DOIO_EOF);
+		break;
+	case isc_sockettype_udp:
+		break;
+	case isc_sockettype_fdwatch:
+	default:
+		INSIST(0);
+	}
 
 	if (sock->type == isc_sockettype_udp) {
 		dev->address.length = msghdr.msg_namelen;
diff --git a/version b/version
index c23b0bea..97cf3817 100644
--- a/version
+++ b/version
@@ -1,4 +1,4 @@
-# $Id: version,v 1.51.2.1 2010/01/21 21:26:06 each Exp $
+# $Id: version,v 1.51.2.2 2010/02/04 05:19:29 each Exp $
 # 
 # This file must follow /bin/sh rules.  It is imported directly via
 # configure.
@@ -6,5 +6,5 @@
 MAJORVER=9
 MINORVER=7
 PATCHVER=0
-RELEASETYPE=rc
-RELEASEVER=2
+RELEASETYPE=
+RELEASEVER=
diff --git a/win32utils/BuildSetup.bat b/win32utils/BuildSetup.bat
index 5942e267..5e371453 100644
--- a/win32utils/BuildSetup.bat
+++ b/win32utils/BuildSetup.bat
@@ -45,6 +45,7 @@ echo Copying the ARM and the Installation Notes.
 
 copy ..\COPYRIGHT ..\Build\Release
 copy ..\README ..\Build\Release
+copy ..\HISTORY ..\Build\Release
 copy readme1st.txt ..\Build\Release
 copy index.html ..\Build\Release
 copy ..\doc\arm\*.html ..\Build\Release
-- 
cgit v1.2.3