[master] add libns and remove liblwres

4708.   [cleanup]       Legacy Windows builds (i.e. for XP and earlier)
                        are no longer supported. [RT #45186]

4707.	[func]		The lightweight resolver daemon and library (lwresd
			and liblwres) have been removed. [RT #45186]

4706.	[func]		Code implementing name server query processing has
			been moved from bin/named to a new library "libns".
			Functions remaining in bin/named are now prefixed
			with "named_" rather than "ns_".  This will make it
			easier to write unit tests for name server code, or
			link name server functionality into new tools.
			[RT #45186]

lib/ns/include/Makefile.in

@@ -0,0 +1,14 @@
+# Copyright (C) 2017  Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	nserv
+TARGETS =
+
+@BIND9_MAKE_RULES@

lib/ns/include/ns/Makefile.in

@@ -0,0 +1,32 @@
+# Copyright (C) 2017  Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+HEADERS =	client.h interfacemgr.h lib.h listenlist.h log.h \
+		notify.h query.h server.h sortlist.h stats.h \
+		types.h update.h version.h xfrout.h
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/ns
+
+install:: installdirs
+	for i in ${HEADERS}; do \
+		${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/ns ; \
+	done
+
+uninstall::
+	for i in ${HEADERS}; do \
+		rm -f ${DESTDIR}${includedir}/ns/$$i ; \
+	done

lib/ns/include/ns/client.h

@@ -0,0 +1,418 @@
+/*
+ * Copyright (C) 2017  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+#ifndef NS_CLIENT_H
+#define NS_CLIENT_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file
+ * \brief
+ * This module defines two objects, ns_client_t and ns_clientmgr_t.
+ *
+ * An ns_client_t object handles incoming DNS requests from clients
+ * on a given network interface.
+ *
+ * Each ns_client_t object can handle only one TCP connection or UDP
+ * request at a time.  Therefore, several ns_client_t objects are
+ * typically created to serve each network interface, e.g., one
+ * for handling TCP requests and a few (one per CPU) for handling
+ * UDP requests.
+ *
+ * Incoming requests are classified as queries, zone transfer
+ * requests, update requests, notify requests, etc, and handed off
+ * to the appropriate request handler.  When the request has been
+ * fully handled (which can be much later), the ns_client_t must be
+ * notified of this by calling one of the following functions
+ * exactly once in the context of its task:
+ * \code
+ *   ns_client_send()	(sending a non-error response)
+ *   ns_client_sendraw() (sending a raw response)
+ *   ns_client_error()	(sending an error response)
+ *   ns_client_next()	(sending no response)
+ *\endcode
+ * This will release any resources used by the request and
+ * and allow the ns_client_t to listen for the next request.
+ *
+ * A ns_clientmgr_t manages a number of ns_client_t objects.
+ * New ns_client_t objects are created by calling
+ * ns_clientmgr_createclients(). They are destroyed by
+ * destroying their manager.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <isc/buffer.h>
+#include <isc/magic.h>
+#include <isc/stdtime.h>
+#include <isc/quota.h>
+#include <isc/queue.h>
+#include <isc/platform.h>
+
+#include <dns/db.h>
+#include <dns/ecs.h>
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatatype.h>
+#include <dns/tcpmsg.h>
+#include <dns/types.h>
+
+#include <ns/query.h>
+#include <ns/types.h>
+
+/***
+ *** Types
+ ***/
+
+/*% nameserver client structure */
+struct ns_client {
+	unsigned int		magic;
+	isc_mem_t *		mctx;
+	ns_server_t *		sctx;
+	ns_clientmgr_t *	manager;
+	int			state;
+	int			newstate;
+	int			naccepts;
+	int			nreads;
+	int			nsends;
+	int			nrecvs;
+	int			nupdates;
+	int			nctls;
+	int			references;
+	isc_boolean_t		needshutdown; 	/*
+						 * Used by clienttest to get
+						 * the client to go from
+						 * inactive to free state
+						 * by shutting down the
+						 * client's task.
+						 */
+	unsigned int		attributes;
+	isc_task_t *		task;
+	dns_view_t *		view;
+	dns_dispatch_t *	dispatch;
+	isc_socket_t *		udpsocket;
+	isc_socket_t *		tcplistener;
+	isc_socket_t *		tcpsocket;
+	unsigned char *		tcpbuf;
+	dns_tcpmsg_t		tcpmsg;
+	isc_boolean_t		tcpmsg_valid;
+	isc_timer_t *		timer;
+	isc_timer_t *		delaytimer;
+	isc_boolean_t 		timerset;
+	dns_message_t *		message;
+	isc_socketevent_t *	sendevent;
+	isc_socketevent_t *	recvevent;
+	unsigned char *		recvbuf;
+	dns_rdataset_t *	opt;
+	isc_uint16_t		udpsize;
+	isc_uint16_t		extflags;
+	isc_int16_t		ednsversion;	/* -1 noedns */
+	void			(*next)(ns_client_t *);
+	void			(*shutdown)(void *arg, isc_result_t result);
+	void 			*shutdown_arg;
+	ns_query_t		query;
+	isc_time_t		requesttime;
+	isc_stdtime_t		now;
+	isc_time_t		tnow;
+	dns_name_t		signername;   /*%< [T]SIG key name */
+	dns_name_t *		signer;	      /*%< NULL if not valid sig */
+	isc_boolean_t		mortal;	      /*%< Die after handling request */
+	isc_boolean_t		pipelined;   /*%< TCP queries not in sequence */
+	isc_quota_t		*tcpquota;
+	isc_quota_t		*recursionquota;
+	ns_interface_t		*interface;
+
+	isc_sockaddr_t		peeraddr;
+	isc_boolean_t		peeraddr_valid;
+	isc_netaddr_t		destaddr;
+
+	dns_ecs_t		ecs;   /*%< EDNS client subnet sent by client */
+
+	struct in6_pktinfo	pktinfo;
+	isc_dscp_t		dscp;
+	isc_event_t		ctlevent;
+#ifdef ALLOW_FILTER_AAAA
+	dns_aaaa_t		filter_aaaa;
+#endif
+	/*%
+	 * Information about recent FORMERR response(s), for
+	 * FORMERR loop avoidance.  This is separate for each
+	 * client object rather than global only to avoid
+	 * the need for locking.
+	 */
+	struct {
+		isc_sockaddr_t		addr;
+		isc_stdtime_t		time;
+		dns_messageid_t		id;
+	} formerrcache;
+
+	/*% Callback function to send a response when unit testing */
+	void			(*sendcb)(isc_buffer_t *buf);
+
+	ISC_LINK(ns_client_t)	link;
+	ISC_LINK(ns_client_t)	rlink;
+	ISC_QLINK(ns_client_t)	ilink;
+	unsigned char		cookie[8];
+	isc_uint32_t		expire;
+};
+
+typedef ISC_QUEUE(ns_client_t) client_queue_t;
+typedef ISC_LIST(ns_client_t) client_list_t;
+
+#define NS_CLIENT_MAGIC			ISC_MAGIC('N','S','C','c')
+#define NS_CLIENT_VALID(c)		ISC_MAGIC_VALID(c, NS_CLIENT_MAGIC)
+
+#define NS_CLIENTATTR_TCP		0x00001
+#define NS_CLIENTATTR_RA		0x00002 /*%< Client gets recursive service */
+#define NS_CLIENTATTR_PKTINFO		0x00004 /*%< pktinfo is valid */
+#define NS_CLIENTATTR_MULTICAST		0x00008 /*%< recv'd from multicast */
+#define NS_CLIENTATTR_WANTDNSSEC	0x00010 /*%< include dnssec records */
+#define NS_CLIENTATTR_WANTNSID		0x00020 /*%< include nameserver ID */
+#ifdef ALLOW_FILTER_AAAA
+#define NS_CLIENTATTR_FILTER_AAAA	0x00040 /*%< suppress AAAAs */
+#define NS_CLIENTATTR_FILTER_AAAA_RC	0x00080 /*%< recursing for A against AAAA */
+#endif
+#define NS_CLIENTATTR_WANTAD		0x00100 /*%< want AD in response if possible */
+#define NS_CLIENTATTR_WANTCOOKIE	0x00200 /*%< return a COOKIE */
+#define NS_CLIENTATTR_HAVECOOKIE	0x00400 /*%< has a valid COOKIE */
+#define NS_CLIENTATTR_WANTEXPIRE	0x00800 /*%< return seconds to expire */
+#define NS_CLIENTATTR_HAVEEXPIRE	0x01000 /*%< return seconds to expire */
+#define NS_CLIENTATTR_WANTOPT		0x02000 /*%< add opt to reply */
+#define NS_CLIENTATTR_HAVEECS		0x04000 /*%< received an ECS option */
+#define NS_CLIENTATTR_WANTPAD		0x08000 /*%< pad reply */
+#define NS_CLIENTATTR_USEKEEPALIVE	0x10000 /*%< use TCP keepalive */
+
+#define NS_CLIENTATTR_NOSETFC		0x20000 /*%< don't set servfail cache */
+
+/*
+ * Flag to use with the SERVFAIL cache to indicate
+ * that a query had the CD bit set.
+ */
+#define NS_FAILCACHE_CD		0x01
+
+LIBNS_EXTERNAL_DATA extern unsigned int ns_client_requests;
+
+/***
+ *** Functions
+ ***/
+
+/*
+ * Note!  These ns_client_ routines MUST be called ONLY from the client's
+ * task in order to ensure synchronization.
+ */
+
+void
+ns_client_send(ns_client_t *client);
+/*%<
+ * Finish processing the current client request and
+ * send client->message as a response.
+ * \brief
+ * Note!  These ns_client_ routines MUST be called ONLY from the client's
+ * task in order to ensure synchronization.
+ */
+
+void
+ns_client_sendraw(ns_client_t *client, dns_message_t *msg);
+/*%<
+ * Finish processing the current client request and
+ * send msg as a response using client->message->id for the id.
+ */
+
+void
+ns_client_error(ns_client_t *client, isc_result_t result);
+/*%<
+ * Finish processing the current client request and return
+ * an error response to the client.  The error response
+ * will have an RCODE determined by 'result'.
+ */
+
+void
+ns_client_next(ns_client_t *client, isc_result_t result);
+/*%<
+ * Finish processing the current client request,
+ * return no response to the client.
+ */
+
+isc_boolean_t
+ns_client_shuttingdown(ns_client_t *client);
+/*%<
+ * Return ISC_TRUE iff the client is currently shutting down.
+ */
+
+void
+ns_client_attach(ns_client_t *source, ns_client_t **target);
+/*%<
+ * Attach '*targetp' to 'source'.
+ */
+
+void
+ns_client_detach(ns_client_t **clientp);
+/*%<
+ * Detach '*clientp' from its client.
+ */
+
+isc_result_t
+ns_client_replace(ns_client_t *client);
+/*%<
+ * Try to replace the current client with a new one, so that the
+ * current one can go off and do some lengthy work without
+ * leaving the dispatch/socket without service.
+ */
+
+void
+ns_client_settimeout(ns_client_t *client, unsigned int seconds);
+/*%<
+ * Set a timer in the client to go off in the specified amount of time.
+ */
+
+isc_result_t
+ns_clientmgr_create(isc_mem_t *mctx, ns_server_t *sctx, isc_taskmgr_t *taskmgr,
+		    isc_timermgr_t *timermgr, ns_clientmgr_t **managerp);
+/*%<
+ * Create a client manager.
+ */
+
+void
+ns_clientmgr_destroy(ns_clientmgr_t **managerp);
+/*%<
+ * Destroy a client manager and all ns_client_t objects
+ * managed by it.
+ */
+
+isc_result_t
+ns_clientmgr_createclients(ns_clientmgr_t *manager, unsigned int n,
+			   ns_interface_t *ifp, isc_boolean_t tcp);
+/*%<
+ * Create up to 'n' clients listening on interface 'ifp'.
+ * If 'tcp' is ISC_TRUE, the clients will listen for TCP connections,
+ * otherwise for UDP requests.
+ */
+
+isc_sockaddr_t *
+ns_client_getsockaddr(ns_client_t *client);
+/*%<
+ * Get the socket address of the client whose request is
+ * currently being processed.
+ */
+
+isc_result_t
+ns_client_checkaclsilent(ns_client_t *client, isc_netaddr_t *netaddr,
+			 dns_acl_t *acl, isc_boolean_t default_allow);
+
+/*%<
+ * Convenience function for client request ACL checking.
+ *
+ * Check the current client request against 'acl'.  If 'acl'
+ * is NULL, allow the request iff 'default_allow' is ISC_TRUE.
+ * If netaddr is NULL, check the ACL against client->peeraddr;
+ * otherwise check it against netaddr.
+ *
+ * Notes:
+ *\li	This is appropriate for checking allow-update,
+ * 	allow-query, allow-transfer, etc.  It is not appropriate
+ * 	for checking the blackhole list because we treat positive
+ * 	matches as "allow" and negative matches as "deny"; in
+ *	the case of the blackhole list this would be backwards.
+ *
+ * Requires:
+ *\li	'client' points to a valid client.
+ *\li	'netaddr' points to a valid address, or is NULL.
+ *\li	'acl' points to a valid ACL, or is NULL.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS	if the request should be allowed
+ * \li	DNS_R_REFUSED	if the request should be denied
+ *\li	No other return values are possible.
+ */
+
+isc_result_t
+ns_client_checkacl(ns_client_t  *client,
+		   isc_sockaddr_t *sockaddr,
+		   const char *opname, dns_acl_t *acl,
+		   isc_boolean_t default_allow,
+		   int log_level);
+/*%<
+ * Like ns_client_checkaclsilent, except the outcome of the check is
+ * logged at log level 'log_level' if denied, and at debug 3 if approved.
+ * Log messages will refer to the request as an 'opname' request.
+ *
+ * Requires:
+ *\li	'client' points to a valid client.
+ *\li	'sockaddr' points to a valid address, or is NULL.
+ *\li	'acl' points to a valid ACL, or is NULL.
+ *\li	'opname' points to a null-terminated string.
+ */
+
+void
+ns_client_log(ns_client_t *client, isc_logcategory_t *category,
+	      isc_logmodule_t *module, int level,
+	      const char *fmt, ...) ISC_FORMAT_PRINTF(5, 6);
+
+void
+ns_client_logv(ns_client_t *client, isc_logcategory_t *category,
+	       isc_logmodule_t *module, int level, const char *fmt, va_list ap) ISC_FORMAT_PRINTF(5, 0);
+
+void
+ns_client_aclmsg(const char *msg, const dns_name_t *name, dns_rdatatype_t type,
+		 dns_rdataclass_t rdclass, char *buf, size_t len);
+
+#define NS_CLIENT_ACLMSGSIZE(x) \
+	(DNS_NAME_FORMATSIZE + DNS_RDATATYPE_FORMATSIZE + \
+	 DNS_RDATACLASS_FORMATSIZE + sizeof(x) + sizeof("'/'"))
+
+void
+ns_client_recursing(ns_client_t *client);
+/*%<
+ * Add client to end of th recursing list.
+ */
+
+void
+ns_client_killoldestquery(ns_client_t *client);
+/*%<
+ * Kill the oldest recursive query (recursing list head).
+ */
+
+void
+ns_client_dumprecursing(FILE *f, ns_clientmgr_t *manager);
+/*%<
+ * Dump the outstanding recursive queries to 'f'.
+ */
+
+void
+ns_client_qnamereplace(ns_client_t *client, dns_name_t *name);
+/*%<
+ * Replace the qname.
+ */
+
+isc_result_t
+ns_client_sourceip(dns_clientinfo_t *ci, isc_sockaddr_t **addrp);
+
+isc_result_t
+ns_client_addopt(ns_client_t *client, dns_message_t *message,
+		 dns_rdataset_t **opt);
+
+isc_result_t
+ns__clientmgr_getclient(ns_clientmgr_t *manager, ns_interface_t *ifp,
+			isc_boolean_t tcp, ns_client_t **clientp);
+/*
+ * Get a client object from the inactive queue, or create one, as needed.
+ * (Not intended for use outside this module and associated tests.)
+ */
+
+void
+ns__client_request(isc_task_t *task, isc_event_t *event);
+/*
+ * Handle client requests.
+ * (Not intended for use outside this module and associated tests.)
+ */
+#endif /* NS_CLIENT_H */

lib/ns/include/ns/interfacemgr.h

@@ -0,0 +1,197 @@
+/*
+ * Copyright (C) 2017  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+#ifndef NS_INTERFACEMGR_H
+#define NS_INTERFACEMGR_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file
+ * \brief
+ * The interface manager monitors the operating system's list
+ * of network interfaces, creating and destroying listeners
+ * as needed.
+ *
+ * Reliability:
+ *\li	No impact expected.
+ *
+ * Resources:
+ *
+ * Security:
+ * \li	The server will only be able to bind to the DNS port on
+ *	newly discovered interfaces if it is running as root.
+ *
+ * Standards:
+ *\li	The API for scanning varies greatly among operating systems.
+ *	This module attempts to hide the differences.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/socket.h>
+
+#include <dns/geoip.h>
+#include <dns/result.h>
+
+#include <ns/listenlist.h>
+#include <ns/types.h>
+
+/***
+ *** Types
+ ***/
+
+#define IFACE_MAGIC		ISC_MAGIC('I',':','-',')')
+#define NS_INTERFACE_VALID(t)	ISC_MAGIC_VALID(t, IFACE_MAGIC)
+
+#define NS_INTERFACEFLAG_ANYADDR	0x01U	/*%< bound to "any" address */
+#define MAX_UDP_DISPATCH 128		/*%< Maximum number of UDP dispatchers
+						     to start per interface */
+/*% The nameserver interface structure */
+struct ns_interface {
+	unsigned int		magic;		/*%< Magic number. */
+	ns_interfacemgr_t *	mgr;		/*%< Interface manager. */
+	isc_mutex_t		lock;
+	int			references;	/*%< Locked */
+	unsigned int		generation;     /*%< Generation number. */
+	isc_sockaddr_t		addr;           /*%< Address and port. */
+	unsigned int		flags;		/*%< Interface characteristics */
+	char 			name[32];	/*%< Null terminated. */
+	dns_dispatch_t *	udpdispatch[MAX_UDP_DISPATCH];
+						/*%< UDP dispatchers. */
+	isc_socket_t *		tcpsocket;	/*%< TCP socket. */
+	isc_dscp_t		dscp;		/*%< "listen-on" DSCP value */
+	int			ntcptarget;	/*%< Desired number of concurrent
+						     TCP accepts */
+	int			ntcpcurrent;	/*%< Current ditto, locked */
+	int			nudpdispatch;	/*%< Number of UDP dispatches */
+	ns_clientmgr_t *	clientmgr;	/*%< Client manager. */
+	ISC_LINK(ns_interface_t) link;
+};
+
+/***
+ *** Functions
+ ***/
+
+isc_result_t
+ns_interfacemgr_create(isc_mem_t *mctx,
+		       ns_server_t *sctx,
+		       isc_taskmgr_t *taskmgr,
+		       isc_timermgr_t *timermgr,
+		       isc_socketmgr_t *socketmgr,
+		       dns_dispatchmgr_t *dispatchmgr,
+		       isc_task_t *task,
+		       unsigned int udpdisp,
+		       dns_geoip_databases_t *geoip,
+		       ns_interfacemgr_t **mgrp);
+/*%<
+ * Create a new interface manager.
+ *
+ * Initially, the new manager will not listen on any interfaces.
+ * Call ns_interfacemgr_setlistenon() and/or ns_interfacemgr_setlistenon6()
+ * to set nonempty listen-on lists.
+ */
+
+void
+ns_interfacemgr_attach(ns_interfacemgr_t *source, ns_interfacemgr_t **target);
+
+void
+ns_interfacemgr_detach(ns_interfacemgr_t **targetp);
+
+void
+ns_interfacemgr_shutdown(ns_interfacemgr_t *mgr);
+
+void
+ns_interfacemgr_setbacklog(ns_interfacemgr_t *mgr, int backlog);
+/*%<
+ * Set the size of the listen() backlog queue.
+ */
+
+isc_boolean_t
+ns_interfacemgr_islistening(ns_interfacemgr_t *mgr);
+/*%<
+ * Return if the manager is listening on any interface. It can be called
+ * after a scan or adjust.
+ */
+
+isc_result_t
+ns_interfacemgr_scan(ns_interfacemgr_t *mgr, isc_boolean_t verbose);
+/*%<
+ * Scan the operatings system's list of network interfaces
+ * and create listeners when new interfaces are discovered.
+ * Shut down the sockets for interfaces that go away.
+ *
+ * This should be called once on server startup and then
+ * periodically according to the 'interface-interval' option
+ * in named.conf.
+ */
+
+isc_result_t
+ns_interfacemgr_adjust(ns_interfacemgr_t *mgr, ns_listenlist_t *list,
+		       isc_boolean_t verbose);
+/*%<
+ * Similar to ns_interfacemgr_scan(), but this function also tries to see the
+ * need for an explicit listen-on when a list element in 'list' is going to
+ * override an already-listening a wildcard interface.
+ *
+ * This function does not update localhost and localnets ACLs.
+ *
+ * This should be called once on server startup, after configuring views and
+ * zones.
+ */
+
+void
+ns_interfacemgr_setlistenon4(ns_interfacemgr_t *mgr, ns_listenlist_t *value);
+/*%<
+ * Set the IPv4 "listen-on" list of 'mgr' to 'value'.
+ * The previous IPv4 listen-on list is freed.
+ */
+
+void
+ns_interfacemgr_setlistenon6(ns_interfacemgr_t *mgr, ns_listenlist_t *value);
+/*%<
+ * Set the IPv6 "listen-on" list of 'mgr' to 'value'.
+ * The previous IPv6 listen-on list is freed.
+ */
+
+dns_aclenv_t *
+ns_interfacemgr_getaclenv(ns_interfacemgr_t *mgr);
+
+void
+ns_interface_attach(ns_interface_t *source, ns_interface_t **target);
+
+void
+ns_interface_detach(ns_interface_t **targetp);
+
+void
+ns_interface_shutdown(ns_interface_t *ifp);
+/*%<
+ * Stop listening for queries on interface 'ifp'.
+ * May safely be called multiple times.
+ */
+
+void
+ns_interfacemgr_dumprecursing(FILE *f, ns_interfacemgr_t *mgr);
+
+isc_boolean_t
+ns_interfacemgr_listeningon(ns_interfacemgr_t *mgr, const isc_sockaddr_t *addr);
+
+ns_interface_t *
+ns__interfacemgr_getif(ns_interfacemgr_t *mgr);
+ns_interface_t *
+ns__interfacemgr_nextif(ns_interface_t *ifp);
+/*
+ * Functions to allow external callers to walk the interfaces list.
+ * (Not intended for use outside this module and associated tests.)
+ */
+#endif /* NS_INTERFACEMGR_H */

lib/ns/include/ns/lib.h

@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2017  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+#ifndef NS_LIB_H
+#define NS_LIB_H 1
+
+/*! \file ns/lib.h */
+
+#include <isc/types.h>
+#include <isc/lang.h>
+
+ISC_LANG_BEGINDECLS
+
+LIBNS_EXTERNAL_DATA extern unsigned int ns_pps;
+LIBNS_EXTERNAL_DATA extern isc_msgcat_t *ns_msgcat;
+
+isc_result_t
+ns_lib_init(void);
+/*%<
+ * A set of initialization procedures used in the NS library.
+ */
+
+void
+ns_lib_shutdown(void);
+/*%<
+ * Free temporary resources allocated in ns_lib_init().
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* NS_LIB_H */

lib/ns/include/ns/listenlist.h

@@ -0,0 +1,95 @@
+/*
+ * Copyright (C) 2017  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+#ifndef NS_LISTENLIST_H
+#define NS_LISTENLIST_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file
+ * \brief
+ * "Listen lists", as in the "listen-on" configuration statement.
+ */
+
+/***
+ *** Imports
+ ***/
+#include <isc/net.h>
+
+#include <dns/types.h>
+
+/***
+ *** Types
+ ***/
+
+typedef struct ns_listenelt ns_listenelt_t;
+typedef struct ns_listenlist ns_listenlist_t;
+
+struct ns_listenelt {
+	isc_mem_t *	       		mctx;
+	in_port_t			port;
+	isc_dscp_t			dscp;  /* -1 = not set, 0..63 */
+	dns_acl_t *	       		acl;
+	ISC_LINK(ns_listenelt_t)	link;
+};
+
+struct ns_listenlist {
+	isc_mem_t *			mctx;
+	int				refcount;
+	ISC_LIST(ns_listenelt_t)	elts;
+};
+
+/***
+ *** Functions
+ ***/
+
+isc_result_t
+ns_listenelt_create(isc_mem_t *mctx, in_port_t port, isc_dscp_t dscp,
+		    dns_acl_t *acl, ns_listenelt_t **target);
+/*%<
+ * Create a listen-on list element.
+ */
+
+void
+ns_listenelt_destroy(ns_listenelt_t *elt);
+/*%<
+ * Destroy a listen-on list element.
+ */
+
+isc_result_t
+ns_listenlist_create(isc_mem_t *mctx, ns_listenlist_t **target);
+/*%<
+ * Create a new, empty listen-on list.
+ */
+
+void
+ns_listenlist_attach(ns_listenlist_t *source, ns_listenlist_t **target);
+/*%<
+ * Attach '*target' to '*source'.
+ */
+
+void
+ns_listenlist_detach(ns_listenlist_t **listp);
+/*%<
+ * Detach 'listp'.
+ */
+
+isc_result_t
+ns_listenlist_default(isc_mem_t *mctx, in_port_t port, isc_dscp_t dscp,
+		      isc_boolean_t enabled, ns_listenlist_t **target);
+/*%<
+ * Create a listen-on list with default contents, matching
+ * all addresses with port 'port' (if 'enabled' is ISC_TRUE),
+ * or no addresses (if 'enabled' is ISC_FALSE).
+ */
+
+#endif /* NS_LISTENLIST_H */
+
+

lib/ns/include/ns/log.h

@@ -0,0 +1,66 @@
+/*
+ * Copyright (C) 2017  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+#ifndef NS_LOG_H
+#define NS_LOG_H 1
+
+/*! \file */
+
+#include <isc/log.h>
+#include <isc/types.h>
+
+LIBNS_EXTERNAL_DATA extern isc_log_t *ns_lctx;
+LIBNS_EXTERNAL_DATA extern isc_logcategory_t ns_categories[];
+LIBNS_EXTERNAL_DATA extern isc_logmodule_t ns_modules[];
+
+#define NS_LOGCATEGORY_CLIENT		(&ns_categories[0])
+#define NS_LOGCATEGORY_NETWORK		(&ns_categories[1])
+#define NS_LOGCATEGORY_UPDATE		(&ns_categories[2])
+#define NS_LOGCATEGORY_QUERIES		(&ns_categories[3])
+#define NS_LOGCATEGORY_UPDATE_SECURITY	(&ns_categories[4])
+#define NS_LOGCATEGORY_QUERY_ERRORS	(&ns_categories[5])
+
+/*
+ * Backwards compatibility.
+ */
+#define NS_LOGCATEGORY_GENERAL		ISC_LOGCATEGORY_GENERAL
+
+#define NS_LOGMODULE_CLIENT		(&ns_modules[0])
+#define NS_LOGMODULE_QUERY		(&ns_modules[1])
+#define NS_LOGMODULE_INTERFACEMGR	(&ns_modules[2])
+#define NS_LOGMODULE_UPDATE		(&ns_modules[3])
+#define NS_LOGMODULE_XFER_IN		(&ns_modules[4])
+#define NS_LOGMODULE_XFER_OUT		(&ns_modules[5])
+#define NS_LOGMODULE_NOTIFY		(&ns_modules[6])
+
+void
+ns_log_init(isc_log_t *lctx);
+/*%<
+ * Make the libns categories and modules available for use with the
+ * ISC logging library.
+ *
+ * Requires:
+ *\li	lctx is a valid logging context.
+ *
+ *\li	ns_log_init() is called only once.
+ *
+ * Ensures:
+ *\li	The categories and modules defined above are available for
+ * 	use by isc_log_usechannnel() and isc_log_write().
+ */
+
+void
+ns_log_setcontext(isc_log_t *lctx);
+/*%<
+ * Make the libns library use the provided context for logging internal
+ * messages.
+ *
+ * Requires:
+ *\li	lctx is a valid logging context.
+ */
+#endif /* NS_LOG_H */

lib/ns/include/ns/notify.h

@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2017  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+#ifndef NS_NOTIFY_H
+#define NS_NOTIFY_H 1
+
+#include <ns/client.h>
+
+/***
+ ***	Module Info
+ ***/
+
+/*! \file
+ * \brief
+ *	RFC1996
+ *	A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY)
+ */
+
+/***
+ ***	Functions.
+ ***/
+
+void
+ns_notify_start(ns_client_t *client);
+
+/*%<
+ *	Examines the incoming message to determine appropriate zone.
+ *	Returns FORMERR if there is not exactly one question.
+ *	Returns REFUSED if we do not serve the listed zone.
+ *	Pass the message to the zone module for processing
+ *	and returns the return status.
+ *
+ * Requires
+ *\li	client to be valid.
+ */
+
+#endif /* NS_NOTIFY_H */
+

lib/ns/include/ns/query.h

@@ -0,0 +1,107 @@
+/*
+ * Copyright (C) 2017  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+#ifndef NS_QUERY_H
+#define NS_QUERY_H 1
+
+/*! \file */
+
+#include <isc/types.h>
+#include <isc/buffer.h>
+#include <isc/netaddr.h>
+
+#include <dns/rdataset.h>
+#include <dns/rpz.h>
+#include <dns/types.h>
+
+#include <ns/types.h>
+
+/*% nameserver database version structure */
+typedef struct ns_dbversion {
+	dns_db_t			*db;
+	dns_dbversion_t			*version;
+	isc_boolean_t			acl_checked;
+	isc_boolean_t			queryok;
+	ISC_LINK(struct ns_dbversion)	link;
+} ns_dbversion_t;
+
+/*% nameserver query structure */
+struct ns_query {
+	unsigned int			attributes;
+	unsigned int			restarts;
+	isc_boolean_t			timerset;
+	dns_name_t *			qname;
+	dns_name_t *			origqname;
+	dns_rdatatype_t			qtype;
+	unsigned int			dboptions;
+	unsigned int			fetchoptions;
+	dns_db_t *			gluedb;
+	dns_db_t *			authdb;
+	dns_zone_t *			authzone;
+	isc_boolean_t			authdbset;
+	isc_boolean_t			isreferral;
+	isc_mutex_t			fetchlock;
+	dns_fetch_t *			fetch;
+	dns_fetch_t *			prefetch;
+	dns_rpz_st_t *			rpz_st;
+	isc_bufferlist_t		namebufs;
+	ISC_LIST(ns_dbversion_t)	activeversions;
+	ISC_LIST(ns_dbversion_t)	freeversions;
+	dns_rdataset_t *		dns64_aaaa;
+	dns_rdataset_t *		dns64_sigaaaa;
+	isc_boolean_t *			dns64_aaaaok;
+	unsigned int			dns64_aaaaoklen;
+	unsigned int			dns64_options;
+	unsigned int			dns64_ttl;
+	struct {
+		dns_db_t *      	db;
+		dns_zone_t *      	zone;
+		dns_dbnode_t *      	node;
+		dns_rdatatype_t   	qtype;
+		dns_name_t *		fname;
+		dns_fixedname_t		fixed;
+		isc_result_t		result;
+		dns_rdataset_t *	rdataset;
+		dns_rdataset_t *	sigrdataset;
+		isc_boolean_t		authoritative;
+		isc_boolean_t		is_zone;
+	} redirect;
+};
+
+#define NS_QUERYATTR_RECURSIONOK	0x0001
+#define NS_QUERYATTR_CACHEOK		0x0002
+#define NS_QUERYATTR_PARTIALANSWER	0x0004
+#define NS_QUERYATTR_NAMEBUFUSED	0x0008
+#define NS_QUERYATTR_RECURSING		0x0010
+#define NS_QUERYATTR_CACHEGLUEOK	0x0020
+#define NS_QUERYATTR_QUERYOKVALID	0x0040
+#define NS_QUERYATTR_QUERYOK		0x0080
+#define NS_QUERYATTR_WANTRECURSION	0x0100
+#define NS_QUERYATTR_SECURE		0x0200
+#define NS_QUERYATTR_NOAUTHORITY	0x0400
+#define NS_QUERYATTR_NOADDITIONAL	0x0800
+#define NS_QUERYATTR_CACHEACLOKVALID	0x1000
+#define NS_QUERYATTR_CACHEACLOK		0x2000
+#define NS_QUERYATTR_DNS64		0x4000
+#define NS_QUERYATTR_DNS64EXCLUDE	0x8000
+#define NS_QUERYATTR_RRL_CHECKED	0x10000
+#define NS_QUERYATTR_REDIRECT		0x20000
+
+isc_result_t
+ns_query_init(ns_client_t *client);
+
+void
+ns_query_free(ns_client_t *client);
+
+void
+ns_query_start(ns_client_t *client);
+
+void
+ns_query_cancel(ns_client_t *client);
+
+#endif /* NS_QUERY_H */

lib/ns/include/ns/server.h

@@ -0,0 +1,199 @@
+/*
+ * Copyright (C) 2017  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+#ifndef NS_SERVER_H
+#define NS_SERVER_H 1
+
+/*! \file */
+
+#include <isc/log.h>
+#include <isc/fuzz.h>
+#include <isc/magic.h>
+#include <isc/quota.h>
+#include <isc/sockaddr.h>
+#include <isc/types.h>
+
+#include <dns/acl.h>
+#include <dns/types.h>
+
+#include <ns/types.h>
+
+#define NS_EVENT_CLIENTCONTROL	(ISC_EVENTCLASS_NS + 0)
+
+#define NS_SERVER_LOGQUERIES	0x00000001U	/*%< log queries */
+#define NS_SERVER_NOAA		0x00000002U	/*%< -T noaa */
+#define NS_SERVER_NOSOA		0x00000004U	/*%< -T nosoa */
+#define NS_SERVER_NONEAREST	0x00000008U	/*%< -T nonearest */
+#define NS_SERVER_CLIENTTEST	0x00000010U	/*%< -T clienttest */
+#define NS_SERVER_NOEDNS	0x00000020U	/*%< -T noedns */
+#define NS_SERVER_DROPEDNS	0x00000040U	/*%< -T dropedns */
+#define NS_SERVER_NOTCP		0x00000080U	/*%< -T notcp */
+#define NS_SERVER_DISABLE4	0x00000100U	/*%< -6 */
+#define NS_SERVER_DISABLE6	0x00000100U	/*%< -4 */
+
+/*%
+ * Type for callback function to get hostname.
+ */
+typedef isc_result_t
+(*ns_hostnamecb_t)(char *buf, size_t len);
+
+/*%
+ * Type for callback function to signal the fuzzer thread
+ * when built with AFL.
+ */
+typedef void
+(*ns_fuzzcb_t)(void);
+
+/*%
+ * Type for callback function to get the view that can answer a query.
+ */
+typedef isc_result_t
+(*ns_matchview_t)(isc_netaddr_t *srcaddr, isc_netaddr_t *destaddr,
+		  dns_message_t *message, dns_ecs_t *ecs,
+		  isc_result_t *sigresultp, dns_view_t **viewp);
+
+/*%
+ * Server context.
+ */
+struct ns_server {
+	unsigned int		magic;
+	isc_mem_t *		mctx;
+
+	isc_refcount_t		references;
+
+	/*% Server cookie secret and algorithm */
+	unsigned char		secret[32];
+	ns_cookiealg_t		cookiealg;
+	ns_altsecretlist_t	altsecrets;
+
+	/*% Quotas */
+	isc_quota_t		recursionquota;
+	isc_quota_t		tcpquota;
+	isc_quota_t		xfroutquota;
+
+	/*% Test options and other configurables */
+	isc_uint32_t		options;
+	unsigned int		delay;
+
+	unsigned int		initialtimo;
+	unsigned int		idletimo;
+	unsigned int		keepalivetimo;
+	unsigned int		advertisedtimo;
+
+	dns_acl_t		*blackholeacl;
+	dns_acl_t		*keepresporder;
+	isc_uint16_t		udpsize;
+	isc_uint16_t		transfer_tcp_message_size;
+	isc_boolean_t		interface_auto;
+	dns_tkeyctx_t *		tkeyctx;
+
+	/*% Server id for NSID */
+	char *			server_id;
+	ns_hostnamecb_t		gethostname;
+
+	/*% Fuzzer callback */
+	isc_fuzztype_t		fuzztype;
+	ns_fuzzcb_t		fuzznotify;
+
+	/*% Callback to find a matching view for a query */
+	ns_matchview_t		matchingview;
+
+	/*% Stats counters */
+	ns_stats_t *		nsstats;
+	dns_stats_t *		rcvquerystats;
+	dns_stats_t *		opcodestats;
+	dns_stats_t *		rcodestats;
+
+	isc_stats_t *		udpinstats4;
+	isc_stats_t *		udpoutstats4;
+	isc_stats_t *		udpinstats6;
+	isc_stats_t *		udpoutstats6;
+
+	isc_stats_t *		tcpinstats4;
+	isc_stats_t *		tcpoutstats4;
+	isc_stats_t *		tcpinstats6;
+	isc_stats_t *		tcpoutstats6;
+};
+
+struct ns_altsecret {
+	ISC_LINK(ns_altsecret_t) link;
+	unsigned char		secret[32];
+};
+
+isc_result_t
+ns_server_create(isc_mem_t *mctx, isc_entropy_t *entropy,
+		 ns_matchview_t matchingview, ns_server_t **sctxp);
+/*%<
+ * Create a server context object with default settings.
+ */
+
+void
+ns_server_attach(ns_server_t *src, ns_server_t **dest);
+/*%<
+ * Attach a server context.
+ *
+ * Requires:
+ *\li	'src' is valid.
+ */
+
+void
+ns_server_detach(ns_server_t **sctxp);
+/*%<
+ * Detach from a server context.  If its reference count drops to zero, destroy
+ * it, freeing its memory.
+ *
+ * Requires:
+ *\li	'*sctxp' is valid.
+ * Ensures:
+ *\li	'*sctxp' is NULL on return.
+ */
+
+isc_result_t
+ns_server_setserverid(ns_server_t *sctx, const char *serverid);
+/*%<
+ * Set sctx->server_id to 'serverid'. If it was set previously, free the memory.
+ *
+ * Requires:
+ *\li	'sctx' is valid.
+ */
+
+void
+ns_server_settimeouts(ns_server_t *sctx, unsigned int initial,
+		      unsigned int idle, unsigned int keepalive,
+		      unsigned int advertised);
+void
+ns_server_gettimeouts(ns_server_t *sctx, unsigned int *initial,
+		      unsigned int *idle, unsigned int *keepalive,
+		      unsigned int *advertised);
+/*%<
+ * Set/get tcp-timeout values.
+ *
+ * Requires:
+ *\li	'sctx' is valid.
+ */
+
+void
+ns_server_setoption(ns_server_t *sctx, unsigned int option,
+		    isc_boolean_t value);
+/*%<
+ *	Set the given options on (if 'value' == #ISC_TRUE)
+ *	or off (if 'value' == #ISC_FALSE).
+ *
+ * Requires:
+ *\li	'sctx' is valid
+ */
+
+isc_boolean_t
+ns_server_getoption(ns_server_t *sctx, unsigned int option);
+/*%<
+ *	Returns the current value of the specified server option.
+ *
+ * Requires:
+ *\li	'sctx' is valid.
+ */
+#endif /* NS_SERVER_H */

lib/ns/include/ns/sortlist.h

@@ -0,0 +1,79 @@
+/*
+ * Copyright (C) 2017  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+#ifndef NS_SORTLIST_H
+#define NS_SORTLIST_H 1
+
+/*! \file */
+
+#include <isc/types.h>
+
+#include <dns/acl.h>
+#include <dns/types.h>
+
+/*%
+ * Type for callback functions that rank addresses.
+ */
+typedef int
+(*dns_addressorderfunc_t)(const isc_netaddr_t *address, const void *arg);
+
+/*%
+ * Return value type for setup_sortlist.
+ */
+typedef enum {
+	NS_SORTLISTTYPE_NONE,
+	NS_SORTLISTTYPE_1ELEMENT,
+	NS_SORTLISTTYPE_2ELEMENT
+} ns_sortlisttype_t;
+
+ns_sortlisttype_t
+ns_sortlist_setup(dns_acl_t *acl, dns_aclenv_t *env,
+		  isc_netaddr_t *clientaddr, const void **argp);
+/*%<
+ * Find the sortlist statement in 'acl' (for ACL environment 'env')
+ * that applies to 'clientaddr', if any.
+ *
+ * If a 1-element sortlist item applies, return NS_SORTLISTTYPE_1ELEMENT and
+ * make '*argp' point to the matching subelement.
+ *
+ * If a 2-element sortlist item applies, return NS_SORTLISTTYPE_2ELEMENT and
+ * make '*argp' point to ACL that forms the second element.
+ *
+ * If no sortlist item applies, return NS_SORTLISTTYPE_NONE and set '*argp'
+ * to NULL.
+ */
+
+int
+ns_sortlist_addrorder1(const isc_netaddr_t *addr, const void *arg);
+/*%<
+ * Find the sort order of 'addr' in 'arg', the matching element
+ * of a 1-element top-level sortlist statement.
+ */
+
+int
+ns_sortlist_addrorder2(const isc_netaddr_t *addr, const void *arg);
+/*%<
+ * Find the sort order of 'addr' in 'arg', a topology-like
+ * ACL forming the second element in a 2-element top-level
+ * sortlist statement.
+ */
+
+void
+ns_sortlist_byaddrsetup(dns_acl_t *sortlist_acl, dns_aclenv_t *env,
+			isc_netaddr_t *client_addr,
+			dns_addressorderfunc_t *orderp,
+			const void **argp);
+/*%<
+ * Find the sortlist statement in 'acl' that applies to 'clientaddr', if any.
+ * If a sortlist statement applies, return in '*orderp' a pointer to a function
+ * for ranking network addresses based on that sortlist statement, and in
+ * '*argp' an argument to pass to said function.  If no sortlist statement
+ * applies, set '*orderp' and '*argp' to NULL.
+ */
+
+#endif /* NS_SORTLIST_H */

lib/ns/include/ns/stats.h

@@ -0,0 +1,120 @@
+/*
+ * Copyright (C) 2017  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+#ifndef NS_STATS_H
+#define NS_STATS_H 1
+
+/*! \file ns/stats.h */
+
+#include <ns/types.h>
+
+/*%
+ * Server statistics counters.  Used as isc_statscounter_t values.
+ */
+enum {
+	ns_statscounter_requestv4 = 0,
+	ns_statscounter_requestv6 = 1,
+	ns_statscounter_edns0in = 2,
+	ns_statscounter_badednsver = 3,
+	ns_statscounter_tsigin = 4,
+	ns_statscounter_sig0in = 5,
+	ns_statscounter_invalidsig = 6,
+	ns_statscounter_requesttcp = 7,
+
+	ns_statscounter_authrej = 8,
+	ns_statscounter_recurserej = 9,
+	ns_statscounter_xfrrej = 10,
+	ns_statscounter_updaterej = 11,
+
+	ns_statscounter_response = 12,
+	ns_statscounter_truncatedresp = 13,
+	ns_statscounter_edns0out = 14,
+	ns_statscounter_tsigout = 15,
+	ns_statscounter_sig0out = 16,
+
+	ns_statscounter_success = 17,
+	ns_statscounter_authans = 18,
+	ns_statscounter_nonauthans = 19,
+	ns_statscounter_referral = 20,
+	ns_statscounter_nxrrset = 21,
+	ns_statscounter_servfail = 22,
+	ns_statscounter_formerr = 23,
+	ns_statscounter_nxdomain = 24,
+	ns_statscounter_recursion = 25,
+	ns_statscounter_duplicate = 26,
+	ns_statscounter_dropped = 27,
+	ns_statscounter_failure = 28,
+
+	ns_statscounter_xfrdone = 29,
+
+	ns_statscounter_updatereqfwd = 30,
+	ns_statscounter_updaterespfwd = 31,
+	ns_statscounter_updatefwdfail = 32,
+	ns_statscounter_updatedone = 33,
+	ns_statscounter_updatefail = 34,
+	ns_statscounter_updatebadprereq = 35,
+
+	ns_statscounter_recursclients = 36,
+
+	ns_statscounter_dns64 = 37,
+
+	ns_statscounter_ratedropped = 38,
+	ns_statscounter_rateslipped = 39,
+
+	ns_statscounter_rpz_rewrites = 40,
+
+	ns_statscounter_udp = 41,
+	ns_statscounter_tcp = 42,
+
+	ns_statscounter_nsidopt = 43,
+	ns_statscounter_expireopt = 44,
+	ns_statscounter_otheropt = 45,
+	ns_statscounter_ecsopt = 46,
+	ns_statscounter_padopt = 47,
+	ns_statscounter_keepaliveopt = 48,
+
+	ns_statscounter_nxdomainredirect = 49,
+	ns_statscounter_nxdomainredirect_rlookup = 50,
+
+	ns_statscounter_cookiein = 51,
+	ns_statscounter_cookiebadsize = 52,
+	ns_statscounter_cookiebadtime = 53,
+	ns_statscounter_cookienomatch = 54,
+	ns_statscounter_cookiematch = 55,
+	ns_statscounter_cookienew = 56,
+	ns_statscounter_badcookie = 57,
+
+	ns_statscounter_nxdomainsynth = 58,
+	ns_statscounter_nodatasynth = 59,
+	ns_statscounter_wildcardsynth = 60,
+
+	ns_statscounter_trystale = 61,
+	ns_statscounter_usedstale = 62,
+
+	ns_statscounter_max = 63
+};
+
+void
+ns_stats_attach(ns_stats_t *stats, ns_stats_t **statsp);
+
+void
+ns_stats_detach(ns_stats_t **statsp);
+
+isc_result_t
+ns_stats_create(isc_mem_t *mctx, int ncounters, ns_stats_t **statsp);
+
+void
+ns_stats_increment(ns_stats_t *stats, isc_statscounter_t counter);
+
+void
+ns_stats_decrement(ns_stats_t *stats, isc_statscounter_t counter);
+
+isc_stats_t *
+ns_stats_get(ns_stats_t *stats);
+
+#endif /* NS_STATS_H */

lib/ns/include/ns/types.h

@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) 2017  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+#ifndef NS_TYPES_H
+#define NS_TYPES_H 1
+
+/*! \file */
+
+typedef struct ns_altsecret		ns_altsecret_t;
+typedef ISC_LIST(ns_altsecret_t)	ns_altsecretlist_t;
+typedef struct ns_client		ns_client_t;
+typedef struct ns_clientmgr		ns_clientmgr_t;
+typedef struct ns_interface 		ns_interface_t;
+typedef struct ns_interfacemgr		ns_interfacemgr_t;
+typedef struct ns_query			ns_query_t;
+typedef struct ns_server		ns_server_t;
+typedef struct ns_stats			ns_stats_t;
+
+typedef enum {
+	ns_cookiealg_aes,
+	ns_cookiealg_sha1,
+	ns_cookiealg_sha256
+} ns_cookiealg_t;
+
+#endif /* NS_TYPES_H */

lib/ns/include/ns/update.h

@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2017  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+#ifndef NS_UPDATE_H
+#define NS_UPDATE_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file
+ * \brief
+ * RFC2136 Dynamic Update
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <dns/types.h>
+#include <dns/result.h>
+
+/***
+ *** Types.
+ ***/
+
+/***
+ *** Functions
+ ***/
+
+void
+ns_update_start(ns_client_t *client, isc_result_t sigresult);
+
+#endif /* NS_UPDATE_H */

lib/ns/include/ns/version.h

@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) 2017  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+/*! \file ns/version.h */
+
+#include <isc/platform.h>
+
+LIBNS_EXTERNAL_DATA extern const char ns_version[];
+
+LIBNS_EXTERNAL_DATA extern const unsigned int ns_libinterface;
+LIBNS_EXTERNAL_DATA extern const unsigned int ns_librevision;
+LIBNS_EXTERNAL_DATA extern const unsigned int ns_libage;

lib/ns/include/ns/xfrout.h

@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) 2017  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+#ifndef NS_XFROUT_H
+#define NS_XFROUT_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file
+ * \brief
+ * Outgoing zone transfers (AXFR + IXFR).
+ */
+
+/***
+ *** Functions
+ ***/
+
+void
+ns_xfr_start(ns_client_t *client, dns_rdatatype_t xfrtype);
+
+#endif /* NS_XFROUT_H */