Add a patch each to code and documentation so that drill probes

for /etc/trusted-key.key, and uses that as a trust anchor if neither
-D nor -k options were specified. This feature is borrowed from
BIND's dig when it is compiled with SIGCHASE support.  Bump
PKGREVISION.

4 files changed, 68 insertions, 2 deletions

diff --git a/net/drill/Makefile b/net/drill/Makefile
index 40d6a49d5a9..41103e349a0 100644
--- a/net/drill/Makefile
+++ b/net/drill/Makefile
@@ -1,8 +1,9 @@
-# $NetBSD: Makefile,v 1.5 2012/10/08 13:30:43 he Exp $
+# $NetBSD: Makefile,v 1.6 2012/10/08 13:58:48 he Exp $
 
 VERSION=	1.6.13
 DISTNAME=	ldns-${VERSION}
 PKGNAME=	drill-${VERSION}
+PKGREVISION=	1
 CATEGORIES=	net
 MASTER_SITES=	http://www.nlnetlabs.nl/downloads/ldns/
 
diff --git a/net/drill/distinfo b/net/drill/distinfo
index 4808668968a..8c032b894cc 100644
--- a/net/drill/distinfo
+++ b/net/drill/distinfo
@@ -1,5 +1,7 @@
-$NetBSD: distinfo,v 1.5 2012/10/08 13:30:43 he Exp $
+$NetBSD: distinfo,v 1.6 2012/10/08 13:58:48 he Exp $
 
 SHA1 (ldns-1.6.13.tar.gz) = 859f633d10b763f06b602e2113828cbbd964c7eb
 RMD160 (ldns-1.6.13.tar.gz) = c01c30699be2df5712a397516cd1a17bd8b155be
 Size (ldns-1.6.13.tar.gz) = 1066139 bytes
+SHA1 (patch-aa) = 3bbfcea6f44b49526451286590eac5de62841e72
+SHA1 (patch-ab) = 706e5edcf6982337b7360051f9964d77ad8716c2
diff --git a/net/drill/patches/patch-aa b/net/drill/patches/patch-aa
new file mode 100644
index 00000000000..6e6148c9053
--- /dev/null
+++ b/net/drill/patches/patch-aa
@@ -0,0 +1,43 @@
+$NetBSD: patch-aa,v 1.1 2012/10/08 13:58:48 he Exp $
+
+For compatibility with dig, if neither -k <key> nor -D is specified,
+read /etc/trusted-key.key if it exists, and if successful, turn on
+DNSSEC handling.
+
+--- drill.c.orig	2012-01-20 10:18:41.000000000 +0000
++++ drill.c
+@@ -10,6 +10,8 @@
+ #include "drill.h"
+ #include <ldns/ldns.h>
+ 
++#include <sys/stat.h>
++
+ #ifdef HAVE_SSL
+ #include <openssl/err.h>
+ #endif
+@@ -397,6 +399,25 @@ main(int argc, char *argv[])
+ 	argc -= optind;
+ 	argv += optind;
+ 
++	/* 
++	 * If DNSSEC isn't enabled already, and /etc/trusted-key.key
++	 * exists, try to read it and turn on DNSSEC handling if successful.
++	 */
++	{
++		struct stat sb;
++
++		if (stat("/etc/trusted-key.key", &sb) == 0) {
++			if (qdnssec != true) {
++				status = read_key_file("/etc/trusted-key.key", key_list);
++				if (status != LDNS_STATUS_OK) {
++					error("Could not parse the key file /etc/trusted-key.key: %s", ldns_get_errorstr_by_id(status));
++				} else {
++					qdnssec = true; /* enable that too */
++				}
++			}
++		}
++	}
++
+ 	/* do a secure trace when requested */
+ 	if (PURPOSE == DRILL_TRACE && qdnssec) {
+ #ifdef HAVE_SSL
diff --git a/net/drill/patches/patch-ab b/net/drill/patches/patch-ab
new file mode 100644
index 00000000000..5053edbeeed
--- /dev/null
+++ b/net/drill/patches/patch-ab
@@ -0,0 +1,20 @@
+$NetBSD: patch-ab,v 1.1 2012/10/08 13:58:48 he Exp $
+
+Document the automatic probing for /etc/trusted-key.key.
+
+--- drill.1.orig	2010-08-06 07:09:45.000000000 +0000
++++ drill.1
+@@ -161,6 +161,13 @@ given \fBdrill\fR tries to validate the 
+ key. No chasing is done. When \fBdrill\fR is doing a secure trace, this
+ key will be used as trust anchor. Can contain a DNSKEY or a DS record.
+ 
++Alternatively, if
++\fB-k\fR
++is not specified, and
++\fI/etc/trusted-key.key\fR
++exists and contains a valid DNSKEY or DS record, it will be used
++as the trust anchor.
++
+ .TP
+ \fB\-o \fImnemonic\fR
+ Use this option to set or unset specific header bits. A bit is