regen v9_12

Remove UNSPEC rrtype

See merge request isc-projects/bind9!1933

.clang-format

@@ -1,83 +0,0 @@
-BasedOnStyle: LLVM
-IndentWidth: 8
-UseTab: Always
-BreakBeforeBraces: Custom
-BraceWrapping:
-  AfterClass:      false
-  AfterEnum:       false
-  AfterStruct:     false
-  AfterUnion:      false
-  AfterControlStatement: MultiLine
-  AfterFunction:   false # should also be MultiLine, but not yet supported
-  AfterExternBlock: false
-  BeforeElse:      false
-  BeforeWhile:     false
-  IndentBraces:    false
-  SplitEmptyFunction: true
-AllowShortIfStatementsOnASingleLine: false
-IndentCaseLabels: false
-AlwaysBreakAfterReturnType: All
-Cpp11BracedListStyle: false
-ColumnLimit: 80
-AlignAfterOpenBracket: Align
-AlignConsecutiveBitFields: true
-AlignConsecutiveDeclarations: false
-AlignConsecutiveMacros: true
-AlignTrailingComments: true
-AllowAllArgumentsOnNextLine: true
-AlwaysBreakBeforeMultilineStrings: false
-BreakBeforeBinaryOperators: None
-BreakBeforeTernaryOperators: true
-AlignEscapedNewlines: Left
-DerivePointerAlignment: false
-PointerAlignment: Right
-PointerBindsToType: false
-IncludeBlocks: Regroup
-IncludeCategories:
-  - Regex:           '^<(urcu\.h|urcu/urcu-|urcu-)'
-    Priority:        2
-  - Regex:           '^<urcu/'
-    Priority:        3
-  - Regex:           '^<isc/'
-    Priority:        5
-  - Regex:           '^<(pk11|pkcs11)/'
-    Priority:        10
-  - Regex:           '^<dns/'
-    Priority:        15
-  - Regex:           '^<dst/'
-    Priority:        20
-  - Regex:           '^<isccc/'
-    Priority:        25
-  - Regex:           '^<isccfg/'
-    Priority:        30
-  - Regex:           '^<ns/'
-    Priority:        35
-  - Regex:           '^<irs/'
-    Priority:        40
-  - Regex:           '^<(dig|named|rndc|confgen|dlz)/'
-    Priority:        50
-  - Regex:           '^<dlz_'
-    Priority:        55
-  - Regex:           '^".*"'
-    Priority:        99
-  - Regex:           '^<tests/'
-    Priority:        100
-  - Regex:           '<openssl/'
-    Priority:        4
-  - Regex:           '<(mysql|protobuf-c)/'
-    Priority:        4
-  - Regex:           '.*'
-    Priority:        0
-IndentExternBlock: NoIndent
-KeepEmptyLinesAtTheStartOfBlocks: false
-MaxEmptyLinesToKeep: 1
-PenaltyBreakAssignment: 30
-PenaltyBreakComment: 10
-PenaltyBreakFirstLessLess: 0
-PenaltyBreakString: 80
-PenaltyExcessCharacter: 100
-Standard: Cpp11
-ContinuationIndentWidth: 8
-ForEachMacros: [ 'cds_lfs_for_each', 'cds_lfs_for_each_safe', 'cds_list_for_each_entry_safe', 'ISC_LIST_FOREACH', 'ISC_LIST_FOREACH_SAFE', 'ISC_LIST_FOREACH_REV', 'ISC_LIST_FOREACH_REV_SAFE' ]
-RemoveParentheses: ReturnStatement
-RemoveSemicolon: true

.clang-format.headers

@@ -1,82 +0,0 @@
-BasedOnStyle: LLVM
-IndentWidth: 8
-UseTab: Always
-BreakBeforeBraces: Custom
-BraceWrapping:
-  AfterClass:      false
-  AfterEnum:       false
-  AfterStruct:     false
-  AfterUnion:      false
-  AfterControlStatement: MultiLine
-  AfterFunction:   false # should also be MultiLine, but not yet supported
-  AfterExternBlock: false
-  BeforeElse:      false
-  BeforeWhile:     false
-  IndentBraces:    false
-  SplitEmptyFunction: true
-AllowShortIfStatementsOnASingleLine: false
-IndentCaseLabels: false
-AlwaysBreakAfterReturnType: All
-Cpp11BracedListStyle: false
-ColumnLimit: 80
-AlignAfterOpenBracket: Align
-AlignConsecutiveBitFields: true
-AlignConsecutiveDeclarations: true
-AlignConsecutiveMacros: true
-AlignTrailingComments: true
-AllowAllArgumentsOnNextLine: true
-AlwaysBreakBeforeMultilineStrings: false
-BreakBeforeBinaryOperators: None
-BreakBeforeTernaryOperators: true
-AlignEscapedNewlines: Left
-DerivePointerAlignment: false
-PointerAlignment: Right
-PointerBindsToType: false
-IncludeBlocks: Regroup
-IncludeCategories:
-  - Regex:           '^<(urcu/urcu-|urcu-)'
-    Priority:        2
-  - Regex:           '^<urcu/'
-    Priority:        3
-  - Regex:           '^<isc/'
-    Priority:        5
-  - Regex:           '^<(pk11|pkcs11)/'
-    Priority:        10
-  - Regex:           '^<dns/'
-    Priority:        15
-  - Regex:           '^<dst/'
-    Priority:        20
-  - Regex:           '^<isccc/'
-    Priority:        25
-  - Regex:           '^<isccfg/'
-    Priority:        30
-  - Regex:           '^<ns/'
-    Priority:        35
-  - Regex:           '^<irs/'
-    Priority:        40
-  - Regex:           '^<(dig|named|rndc|confgen|dlz)/'
-    Priority:        50
-  - Regex:           '^<dlz_'
-    Priority:        55
-  - Regex:           '^".*"'
-    Priority:        99
-  - Regex:           '^<tests/'
-    Priority:        100
-  - Regex:           '<openssl/'
-    Priority:        4
-  - Regex:           '<(mysql|protobuf-c)/'
-    Priority:        4
-  - Regex:           '.*'
-    Priority:        0
-IndentExternBlock: NoIndent
-KeepEmptyLinesAtTheStartOfBlocks: false
-MaxEmptyLinesToKeep: 1
-PenaltyBreakAssignment: 30
-PenaltyBreakComment: 10
-PenaltyBreakFirstLessLess: 0
-PenaltyBreakString: 80
-PenaltyExcessCharacter: 100
-Standard: Cpp11
-ContinuationIndentWidth: 8
-RemoveParentheses: ReturnStatement
-RemoveSemicolon: true

.dir-locals.el

@@ -1,121 +0,0 @@
-;;; Directory Local Variables
-;;; For more information see (info "(emacs) Directory Variables")
-
-((c-mode .
-  ((eval .
-	 (set (make-local-variable 'directory-of-current-dir-locals-file)
-	      (file-name-directory (locate-dominating-file default-directory ".dir-locals.el"))
-	      )
-	 )
-   (eval .
-	 (set (make-local-variable 'include-directories)
-	      (list
-
-	       ;; top directory
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "./"))
-
-	       ;; libisc
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/isc/include"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/isc"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/isc/netmgr"))
-
-	       ;; libdns
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/dns/include"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/dns"))
-
-	       ;; libisccc
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/isccc/include"))
-
-	       ;; libisccfg
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/isccfg/include"))
-
-	       ;; libns
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/ns/include"))
-
-	       ;; libirs
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/irs/include"))
-
-	       ;; libbind9
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/bind9/include"))
-
-	       ;; libtest
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "tests/include"))
-
-	       ;; bin
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "bin/check"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "bin/confgen/include"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "bin/confgen"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "bin/confgen/include"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "bin/dig/include"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "bin/named/include"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "bin/named/unix/include"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "bin/rndc/include"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "bin/dnssec/include"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "bin/named/include"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "bin/rndc/include"))
-
-	       (expand-file-name "/usr/include/libxml2")
-	       (expand-file-name "/usr/include/json-c")
-
-	       (expand-file-name "/usr/local/opt/openssl@1.1/include")
-	       (expand-file-name "/usr/local/opt/libxml2/include/libxml2")
-	       (expand-file-name "/usr/local/opt/json-c/include/json-c/")
-	       (expand-file-name "/usr/local/include")
-	       )
-	      )
-	 )
-
-   (eval setq flycheck-clang-include-path include-directories)
-   (eval setq flycheck-cppcheck-include-path include-directories)
-   (eval setq flycheck-gcc-include-path include-directories)
-   (eval setq flycheck-clang-args
-	 (list
-	  "-include"
-	  (expand-file-name
-	   (concat directory-of-current-dir-locals-file "config.h"))
-	  )
-	 )
-   (eval setq flycheck-gcc-args
-	 (list
-	  "-include"
-	  (expand-file-name
-	   (concat directory-of-current-dir-locals-file "config.h"))
-	  )
-	 )
-   (eval setq flycheck-cppcheck-args
-	 (list
-	  "--enable=all"
-	  "--suppress=missingIncludeSystem"
-	  "--suppress=nullPointerRedundantCheck"
-	  "--suppress=preprocessorErrorDirective"
-	  "--suppress=unknownMacro"
-	  "--suppress=unmatchedSuppression"
-	  (concat "-include=" (expand-file-name
-			       (concat directory-of-current-dir-locals-file "config.h")))
-	  )
-	 )
-   )
-  ))

.editorconfig

@@ -1,5 +0,0 @@
-[*.sh{,.in}]
-indent_style = space
-indent_size = 2
-binary_next_line   = true
-switch_case_indent = true

.gitattributes

@@ -1,13 +1,3 @@
 *.sln.in eol=crlf
-*.vcxproj.* eol=crlf
-
-/fuzz/dns_rdata_fromwire_text.in/input-* -text
-
-.gitignore			 export-ignore
-/conftools			 export-ignore
-/doc/design			 export-ignore
-/doc/dev			 export-ignore
-/util/**			 export-ignore
-/util/bindkeys.pl		-export-ignore
-/util/check-make-install.in	-export-ignore
-/util/dtrace.sh		-export-ignore
+*.vcxproj.in eol=crlf
+*.vcxproj.filters.in eol=crlf

.gitchangelog.rc

@@ -1 +0,0 @@
-contrib/gitchangelog/changelog.rc.py

.github/workflows/codeql.yml

@@ -1,55 +0,0 @@
-name: "CodeQL"
-
-on:
-  push:
-    branches: [ "bind-9.16", "bind-9.18", "main" ]
-  schedule:
-    - cron: '39 8 * * 3'
-
-jobs:
-  analyze:
-    name: Analyze
-    runs-on: ubuntu-latest
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
-
-    strategy:
-      fail-fast: false
-      matrix:
-        language: [ 'cpp' ]
-
-    steps:
-    - name: Checkout repository
-      uses: actions/checkout@v3
-
-    - name: Install build dependencies
-      uses: awalsh128/cache-apt-pkgs-action@latest
-      with:
-        packages: liburcu-dev libuv1-dev libssl-dev libnghttp2-dev libxml2-dev liblmdb-dev libjson-c-dev pkg-config autoconf automake autotools-dev libtool-bin libjemalloc-dev libedit-dev libcap-dev libidn2-dev libkrb5-dev libmaxminddb-dev zlib1g-dev python3-ply
-        version: 1.0
-
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
-      with:
-        languages: ${{ matrix.language }}
-
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
-
-    # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
-
-    #   If the Autobuild fails above, remove it and uncomment the following three lines.
-    #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
-
-    # - run: |
-    #   echo "Run, Build Application using script"
-    #   ./location_of_script_within_repo/buildscript.sh
-
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
-      with:
-        category: "/language:${{matrix.language}}"

.github/workflows/lockdown.yml

@@ -1,15 +0,0 @@
-name: 'Lock down mirror repository'
-
-on:
-  issues:
-    types: opened
-  pull_request:
-    types: opened
-
-jobs:
-  lockdown:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: dessant/repo-lockdown@v2
-        with:
-          github-token: ${{ github.token }}

.github/workflows/sonarcloud.yml

@@ -1,50 +0,0 @@
-name: SonarCloud
-
-on:
-  push:
-    branches: [ "bind-9.16", "bind-9.18", "main" ]
-  schedule:
-    - cron: '39 8 * * 3'
-
-jobs:
-  build:
-    name: Build and analyze
-    runs-on: ubuntu-latest
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
-
-    strategy:
-      fail-fast: false
-      matrix:
-        language: [ 'cpp' ]
-
-    env:
-      BUILD_WRAPPER_OUT_DIR: build_wrapper_output_directory
-
-    steps:
-    - name: Checkout repository
-      uses: actions/checkout@v3
-
-    - name: Install build dependencies
-      uses: awalsh128/cache-apt-pkgs-action@latest
-      with:
-        packages: liburcu-dev libuv1-dev libssl-dev libnghttp2-dev libxml2-dev liblmdb-dev libjson-c-dev pkg-config autoconf automake autotools-dev libtool-bin libjemalloc-dev libedit-dev libcap-dev libidn2-dev libkrb5-dev libmaxminddb-dev zlib1g-dev python3-ply
-        version: 1.0
-
-    - name: Install sonar-scanner and build-wrapper
-      uses: SonarSource/sonarcloud-github-c-cpp@v1
-
-    - name: Run build-wrapper
-      run: |
-        autoreconf -fi
-        ./configure
-        build-wrapper-linux-x86-64 --out-dir ${{ env.BUILD_WRAPPER_OUT_DIR }} make clean all
-
-    - name: Run sonar-scanner
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-      run: |
-        sonar-scanner --define sonar.cfamily.build-wrapper-output="${{ env.BUILD_WRAPPER_OUT_DIR }}"

.gitignore

@@ -4,18 +4,13 @@
 *.gcno
 *.la
 *.lo
-*.log
-*.log.txt
 *.o
 *.orig
 *.plist/ # ccc-analyzer store its results in .plist directories
 *.rej
 *.so
-*.trs
 *_test
-*.ipch # vscode/intellisense precompiled header
 *~
-__pycache__/
 .ccache/
 .cproject
 .deps/
@@ -40,6 +35,7 @@ __pycache__/
 /depcomp
 /install-sh
 /isc-config.sh
+/libltdl/*
 /libtool
 /ltmain.sh
 /m4/libtool.m4
@@ -54,50 +50,9 @@ __pycache__/
 /stamp-h1
 /test-driver
 Makefile
-Makefile.in
-Makefile.user
 ans.run
 gen.dSYM/
+kyua.log
 named.memstats
 named.run
 timestamp
-/compile_commands.json
-# Gets generated by Build Ear (bear)
-/compile_commands.commands.json
-/tsan
-/util/check-make-install
-/INSTALL
-doc/man/dnssec-cds.8in
-doc/man/dnssec-checkds.8in
-doc/man/dnssec-coverage.8in
-doc/man/dnssec-dsfromkey.8in
-doc/man/dnssec-importkey.8in
-doc/man/dnssec-keyfromlabel.8in
-doc/man/dnssec-keygen.8in
-doc/man/dnssec-keymgr.8in
-doc/man/dnssec-ksr.8in
-doc/man/dnssec-revoke.8in
-doc/man/dnssec-settime.8in
-doc/man/dnssec-signzone.8in
-doc/man/dnssec-verify.8in
-doc/man/named-checkconf.8in
-doc/man/named-checkzone.8in
-doc/man/named-journalprint.8in
-doc/man/named-nzd2nzf.8in
-doc/man/nsec3hash.8in
-doc/man/pkcs11-destroy.8in
-doc/man/pkcs11-keygen.8in
-doc/man/pkcs11-list.8in
-doc/man/pkcs11-tokens.8in
-# clangd index directory
-/\.cache/
-/\.*_clangd/
-# GNU Global index files
-/GPATH
-/GRTAGS
-/GTAGS
-TAGS
-# Emacs specific files
-\.dir-locals-2.el
-/emacs.desktop
-/emacs.desktop-lock

.gitlab/issue_templates/Bug.md

@@ -1,63 +0,0 @@
-<!--
-If the bug you are reporting is potentially security-related - for example,
-if it involves an assertion failure or other crash in `named` that can be
-triggered repeatedly - then please make sure that you make the new issue
-confidential by clicking the checkbox at the bottom!
--->
-
-### Summary
-
-<!-- Concisely summarize the bug encountered. -->
-
-### BIND version affected
-<!--
-Make sure you are testing with the **latest** supported version of BIND
-for a given branch. Many bugs have been fixed over time!
-
-See https://kb.isc.org/docs/supported-platforms for the current list.
-The latest source is available from https://www.isc.org/download/#BIND
-
-Paste the output of `named -V` here.
--->
-
-### Steps to reproduce
-
-<!--
-This is extremely important! Be precise and use itemized lists, please.
-
-Even if a default configuration is affected, please include the full configuration
-files _you were testing with_.
-
-Example:
-1. Use _attached_ configuration file
-2. Start BIND server with command: `named -g -c named.conf ...`
-3. Simulate legitimate clients using command `dnsperf -S1 -d legit-queries ...`
-4. Simulate attack traffic using command `dnsperf -S1 -d attack-queries ...`
--->
-
-1.
-2.
-3.
-
-### What is the current *bug* behavior?
-
-<!-- What actually happens. -->
-
-### What is the expected *correct* behavior?
-
-<!-- What you should see instead. -->
-
-### Relevant configuration files
-
-<!-- Paste any relevant configuration files here - please use code blocks (```)
-to format console output. If submitting the contents of your
-configuration file in a non-confidential issue, it is advisable to
-obscure key secrets; this can be done automatically by using
-`named-checkconf -px`. -->
-
-### Relevant logs
-
-<!-- Paste any relevant logs here - please use code blocks (```) to format console
-output, logs, and code, as it's very hard to read otherwise. -->
-
-/label ~Bug

.gitlab/issue_templates/Default.md

@@ -1,8 +0,0 @@
-Hi and thanks for filing an issue! It will be read with care by human beings.
-
-It would be a tremendous help if you could follow these steps first:
-- [ ] Search the existing issues in GitLab (both open and closed) to see if your report might be a duplicate. We have a large database here and many issues have already been fixed in the latest versions!
-- [ ] Make sure this is **not** a support question. If you have specific trouble configuring or debugging your setup, please use the bind-users mailing list: https://lists.isc.org/mailman/listinfo/bind-users
-- [ ] You have read and understood the "out in the open" support policy: https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/ . Even though it was written by the PowerDNS folks, we follow it as well!
-
-Before continuing, **please select the appropriate issue template in the drop-down menu above, under the heading _Description_**.

.gitlab/issue_templates/Feature_Request.md

@@ -1,11 +0,0 @@
-### Description
-
-(Describe the problem, use cases, benefits, and/or goals.)
-
-### Request
-
-(Describe the solution you'd like to see.)
-
-### Links / references
-
-/label ~Feature

.gitlab/issue_templates/Internal_use_only-CVE.md

@@ -1,129 +0,0 @@
-<!--
-THIS ISSUE TEMPLATE IS INTENDED ONLY FOR INTERNAL USE.
-
-If the bug you are reporting is potentially security-related - for example,
-if it involves an assertion failure or other crash in `named` that can be
-triggered repeatedly - then please make sure that you make the new issue
-confidential!
--->
-| Quick Links              | :link:                               |
-| ------------------------ | ------------------------------------ |
-| Incident Manager:        | @user                                |
-| Deputy Incident Manager: | @user                                |
-| Public Disclosure Date:  | YYYY-MM-DD                           |
-| CVSS Score:              | [0.0][cvss_score]                    |
-| CWE:                     | [CWE-NNN][cwe_category]
-| Security Advisory:       | isc-private/printing-press!NNN       |
-| Mattermost Channel:      | [CVE-YYYY-NNNN][mattermost_url]      |
-| Support Ticket:          | [URL]                                |
-| Release Checklist:       | #NNNN                                |
-
-[cvss_score]: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:X/AC:X/PR:X/UI:X/S:X/C:X/I:X/A:X&version=3.1
-[cwe_category]: https://cwe.mitre.org/data/definitions/NNN.html
-[mattermost_url]:
-
-:bulb: **Click [here][checklist_explanations] (internal resource) for general information about the security incident handling process.**
-
-[checklist_explanations]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations
-
-### Earlier Than T-5
-
-  - [ ] [:link:][step_deputy]            **(IM)** Pick a Deputy Incident Manager
-  - [ ] [:link:][step_respond]           **(IM)** Respond to the bug reporter
-  - [ ] [:link:][step_public_mrs]        **(SwEng)** Ensure there are no public merge requests which inadvertently disclose the issue
-  - [ ] [:link:][step_coordinate_cve_id] **(SwEng)** Check if we need to coordinate with other vendors (an industry-wide CVE identifier might be necessary)
-  - [ ] [:link:][step_assign_cve_id]     **(IM)** Assign a CVE identifier
-  - [ ] [:link:][step_note_cve_info]     **(SwEng)** Update this issue with the assigned CVE identifier, the CVSS score, and the CWE category
-  - [ ] [:link:][step_versions_affected] **(SwEng)** Determine the range of product versions affected (including the Subscription Edition)
-  - [ ] [:link:][step_workarounds]       **(SwEng)** Determine whether workarounds for the problem exist
-  - [ ] [:link:][step_earliest_prepare]  **(Support)** Prepare "earliest" notification text
-  - [ ] [:link:][step_earliest_send]     **(Support)** Update "earliest" notification ticket in support portal Earliest queue which will notify earliest customers
-  - [ ] [:link:][step_advisory_mr]       **(Support)** Create a merge request for the Security Advisory and include all readily available information in it
-  - [ ] [:link:][step_reproducer_mr]     **(SwEng)** Prepare a private merge request containing a system test reproducing the problem
-  - [ ] [:link:][step_notify_support]    **(SwEng)** Notify Support when a reproducer is ready
-  - [ ] [:link:][step_code_analysis]     **(SwEng)** Prepare a detailed explanation of the code flow triggering the problem
-  - [ ] [:link:][step_fix_mr]            **(SwEng)** Prepare a private merge request with the fix
-  - [ ] [:link:][step_review_fix]        **(SwEng)** Ensure the merge request with the fix is reviewed and has no outstanding discussions
-  - [ ] [:link:][step_review_docs]       **(Support)** Review the documentation changes introduced by the merge request with the fix
-  - [ ] [:link:][step_backports]         **(SwEng)** Prepare backports of the merge request addressing the problem for all affected (and still maintained) branches of a given product
-  - [ ] [:link:][step_finish_advisory]   **(Support)** Finish preparing the Security Advisory
-  - [ ] [:link:][step_meta_issue]        **(QA)** Create (or update) the private issue containing links to fixes & reproducers for all CVEs fixed in a given release cycle
-  - [ ] [:link:][step_coordinate_check]  **(SwEng)** Make sure other vendors are able to release on the date that was previously agreed upon
-  - [ ] [:link:][step_merge_fixes]       **(QA)** Merge the CVE fixes in CVE identifier order
-  - [ ] [:link:][step_patches]           **(QA)** Prepare a standalone patch for the last stable release of each affected (and still maintained) product branch
-  - [ ] [:link:][step_asn_releases]      **(QA)** Prepare ASN releases (as outlined in the Release Checklist)
-
-### At T-5
-
-  - [ ] [:link:][step_asn_links]         **(Marketing)** (BIND 9 only) Update the BIND -S information document in the support portal with download links to the new versions
-  - [ ] [:link:][step_asn_send]          **(Support)** Notify eligible customers by adding a ticket to the 5 Day queue in RT with the text of the advisory (earliest, and T-5)
-  - [ ] [:link:][step_preannouncement]   **(Marketing)** (BIND 9 only) Send a pre-announcement email to the *bind-announce* mailing list to alert users that the upcoming release will include security fixes
-
-### At T-3
-  - [ ] [:link:][step_asn_send]          **(Support)** Notify eligible customers by adding a ticket to the 3 Day queue in RT with the text of the advisory (T-3)
-
-### At T-1
-
-  - [ ] [:link:][step_packager_emails]   **(First IM)** Send notifications to OS packagers
-
-### On the Day of Public Disclosure
-
-  - [ ] [:link:][step_clearance]         **(IM)** Grant QA & Marketing clearance to proceed with public release
-  - [ ] [:link:][step_matrix]            **(Support)** (BIND 9 only) Add the new CVEs to the vulnerability matrix in the Knowledge Base
-  - [ ] [:link:][step_bump_advisory]     **(Support)** Bump Document Version for the Security Advisory in Printing Press
-  - [ ] [:link:][step_publish_advisory]  **(Support)** Publish the Security Advisory in the Knowledge Base
-  - [ ] [:link:][step_publish]           **(QA/Marketing)** Publish the releases (as outlined in the release checklist)
-  - [ ] [:link:][step_notifications]     **(First IM)** Send notification emails to third parties
-  - [ ] [:link:][step_mitre]             **(First IM)** Advise MITRE about the disclosed CVEs
-  - [ ] [:link:][step_merge_advisory]    **(First IM)** Merge the Security Advisory merge request
-  - [ ] [:link:][step_embargo_end]       **(IM)** Inform original reporter (if external) that the security disclosure process is complete
-  - [ ] [:link:][step_asn_clear]         **(Support)** Update the tickets in the ASN queues in RT that the embargo is lifted
-  - [ ] [:link:][step_customers]         **(Marketing)** Open a ticket in the appropriate announce queue in RT that the release is published
-
-### After Public Disclosure
-
-  - [ ] [:link:][step_regression]        **(QA)** Merge a regression test reproducing the bug into all affected (and still maintained) branches
-
-[step_deputy]:            https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#pick-a-deputy-incident-manager
-[step_respond]:           https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#respond-to-the-bug-reporter
-[step_public_mrs]:        https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#ensure-there-are-no-public-merge-requests-which-inadvertently-disclose-the-issue
-[step_coordinate_cve_id]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#check-if-we-need-to-coordinate-with-other-vendors-an-industry-wide-cve-identifier-might-be-necessary
-[step_assign_cve_id]:     https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#assign-a-cve-identifier
-[step_note_cve_info]:     https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#update-this-issue-with-the-assigned-cve-identifier-the-cvss-score-and-the-cwe-category
-[step_versions_affected]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#determine-the-range-of-product-versions-affected-including-the-subscription-edition
-[step_workarounds]:       https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#determine-whether-workarounds-for-the-problem-exist
-[step_earliest_prepare]:  https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#prepare-earliest-notification-text
-[step_earliest_send]:     https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#update-earliest-notification-ticket-in-support-portal-earliest-queue-which-will-notify-earliest-customers
-[step_advisory_mr]:       https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#create-a-merge-request-for-the-security-advisory-and-include-all-readily-available-information-in-it
-[step_reproducer_mr]:     https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#prepare-a-private-merge-request-containing-a-system-test-reproducing-the-problem
-[step_notify_support]:    https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#notify-support-when-a-reproducer-is-ready
-[step_code_analysis]:     https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#prepare-a-detailed-explanation-of-the-code-flow-triggering-the-problem
-[step_fix_mr]:            https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#prepare-a-private-merge-request-with-the-fix
-[step_review_fix]:        https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#ensure-the-merge-request-with-the-fix-is-reviewed-and-has-no-outstanding-discussions
-[step_review_docs]:       https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#review-the-documentation-changes-introduced-by-the-merge-request-with-the-fix
-[step_backports]:         https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#prepare-backports-of-the-merge-request-addressing-the-problem-for-all-affected-and-still-maintained-branches-of-a-given-product
-[step_finish_advisory]:   https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#finish-preparing-the-security-advisory
-[step_meta_issue]:        https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#create-or-update-the-private-issue-containing-links-to-fixes-reproducers-for-all-cves-fixed-in-a-given-release-cycle
-[step_coordinate_check]:  https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#make-sure-other-vendors-are-able-to-release-on-the-date-that-was-previously-agreed-upon
-[step_merge_fixes]:       https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#merge-the-cve-fixes-in-cve-identifier-order
-[step_patches]:           https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#prepare-a-standalone-patch-for-the-last-stable-release-of-each-affected-and-still-maintained-product-branch
-[step_asn_releases]:      https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#prepare-asn-releases-as-outlined-in-the-release-checklist
-[step_asn_links]:         https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#bind-9-only-update-the-bind-s-information-document-in-the-support-portal-with-download-links-to-the-new-versions
-[step_asn_send]:          https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#notify-eligible-customers-by-adding-a-ticket-to-the-5-day-queue-in-rt-with-the-text-of-the-advisory-earliest-and-t-5
-[step_preannouncement]:   https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#bind-9-only-send-a-pre-announcement-email-to-the-bind-announce-mailing-list-to-alert-users-that-the-upcoming-release-will-include-security-fixes
-[step_asn_send]:          https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#notify-eligible-customers-by-adding-a-ticket-to-the-3-day-queue-in-rt-with-the-text-of-the-advisory-t-3
-[step_packager_emails]:   https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#send-notifications-to-os-packagers
-[step_clearance]:         https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#grant-qa-marketing-clearance-to-proceed-with-public-release
-[step_matrix]:            https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#bind-9-only-add-the-new-cves-to-the-vulnerability-matrix-in-the-knowledge-base
-[step_bump_advisory]:     https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#bump-document-version-for-the-security-advisory-in-printing-press
-[step_publish_advisory]:  https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#publish-the-security-advisory-in-the-knowledge-base
-[step_publish]:           https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#publish-the-releases-as-outlined-in-the-release-checklist
-[step_notifications]:     https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#send-notification-emails-to-third-parties
-[step_mitre]:             https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#advise-mitre-about-the-disclosed-cves
-[step_merge_advisory]:    https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#merge-the-security-advisory-merge-request
-[step_embargo_end]:       https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#inform-original-reporter-if-external-that-the-security-disclosure-process-is-complete
-[step_asn_clear]:         https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#update-the-tickets-in-the-asn-queues-in-rt-that-the-embargo-is-lifted
-[step_customers]:         https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#open-a-ticket-in-the-appropriate-announce-queue-in-rt-that-the-release-is-published
-[step_regression]:        https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#merge-a-regression-test-reproducing-the-bug-into-all-affected-and-still-maintained-branches
-
-/confidential

.gitlab/issue_templates/Security_issue.md

@@ -1,139 +0,0 @@
-### Summary
-<!--
-Concisely summarize the bug encountered,
-preferably in one paragraph or less.
--->
-
-### BIND versions affected
-<!--
-Make sure you are testing with the **latest** supported version of BIND.
-See https://kb.isc.org/docs/supported-platforms for the current list.
-The latest source is available from https://www.isc.org/download/#BIND
-
-Paste the output of `named -V` here.
--->
-
-### Preconditions and assumptions
-<!--
-Is a specific setup needed?
-
-Please check the BIND Security Assumptions chapter in the ARM:
-https://bind9.readthedocs.io/en/latest/chapter7.html#security-assumptions
-
-E.g. DNSSEC validation must be disabled, etc.
-E.g. Resolver must be configured to forward to attacker's server via DNS-over-TLS, etc.
-E.g. Authoritative server must be configured to transfer specific primary zone.
-E.g. Attacker must be in posession of a key authorized to modify at least one zone.
-E.g. Attacker can affect system clock on the server running BIND.
--->
-
-### Attacker's abilities
-<!--
-What resources does an attacker need to have under their control to mount this attack?
-
-E.g. If attacking an authoritative server, does the attacked have to have prior
-relationship with it? "The authoritative server under attack needs to
-transfer a malicious zone from attacker's authoritative server via TLS."
-
-E.g. If attacking a resolver, does the attacker need the ability to send
-arbitrary queries to the resolver under attack? Do they need to _also_ control
-an authoritative server at the same time?
--->
-
-
-### Impact
-<!--
-Who or what is the victim of the attack and what is the impact?
-
-Is a third party receiving many packets generated by a reflection attack?
-
-If the affected party is the BIND server itself, please quantify the impact
-on legitimate clients:
-E.g. After launching the attack, the answers-per-second metric for legitimate
-traffic drops to 1/1000 within the first minute of the attack.
--->
-
-
-### Steps to reproduce
-<!--
-This is extremely important! Be precise and use itemized lists, please.
-
-Even if a default configuration is affected, please include the full configuration
-files _you were testing with_.
-
-Example:
-1. Use the _attached_ configuration file
-2. Start the BIND server with command: `named -g -c named.conf ...`
-3. Simulate legitimate clients using the command `dnsperf -S1 -d legit-queries ...`
-4. Simulate attack traffic using the command `dnsperf -S1 -d attack-queries ...`
--->
-
-1.
-2.
-3.
-
-### What is the current *bug* behavior?
-
-<!--
-Examples:
-Legitimate QPS drops 1000x.
-Memory consumption increases out of bounds and the server crashes.
-The server crashes immediately.
--->
-
-### What is the expected *correct* behavior?
-
-<!--
-If the attack causes resource exhaustion, what do you think the correct
-behavior should be? Should BIND refuse to process more requests?
-
-What heuristic do you propose to distinguish legitimate and attack traffic?
--->
-
-### Relevant logs
-<!--
-Please provide log files from your testing. Include full named logs and also
-the output from any testing tools (e.g. dnsperf, DNS Shotgun, kxdpgun, etc.)
-
-If multiple log files are needed, make sure all the files have matching timestamps
-so we can correlate log events across log files.
-
-In the case of resource exhaustion attacks, please _also_ include system monitoring
-data. You can use https://gitlab.isc.org/isc-projects/resource-monitor/ to
-gather system-wide statistics.
--->
-
-### Coordination
-- Does this issue affect multiple implementations?
-<!--
-Issues affecting multiple implementations require very careful coordination. We
-have to make sure the information does not leak to the public until vendors are ready to
-release fixed versions. If it is a multi-vendor issue, we need to know about the situation
-as soon as possible to start the (confidential!) coordination process within
-DNS-OARC and other suitable fora.
-
-Please list implementations you have tested.
--->
-
-- Have you shared the information with anyone else?
-<!--
-Have you informed other affected vendors? Or maybe submitted a paper for
-review?
--->
-
-- What is your plan to publicize this issue?
-<!--
-E.g. we plan to go public during conference XYZ on 20XX-XX-XX
--->
-
-### Acknowledgements
-<!--
-Please specify whether and how you would like to be publicly credited with
-discovering the issue. We normally use the format:
-First_name Last_name, Company_or_Team.
--->
-
-<!-- DO NOT modify the following two lines. -->
-
-/label ~Bug ~Security
-/confidential

.mailmap

@@ -1,27 +0,0 @@
-Alan Clegg <aclegg@isc.org>
-Alessio Podda <alessio@isc.org>
-Aram Sargsyan <aram@isc.org>
-Artem Boldariev <artem@isc.org> <artem@boldariev.com>
-Curtis Blackburn <ckb@isc.org> <ckb@freebsd11.local>
-Curtis Blackburn <ckb@isc.org> <ckb@isc.org>
-Diego Fronza <diego@isc.org>
-Evan Hunt <each@isc.org> Evan Hunt <fanf@isc.org>
-Håvard Eidnes <he@uninett.no>
-Jeremy C. Reed <jreed@isc.org> <jreed@docs.lab.isc.org>
-Jeremy C. Reed <jreed@isc.org> <jreed@ISC.org>
-Joey Salazar <joey@isc.org>
-John H. DuBois III <johnd>
-Mark Andrews <marka@isc.org>
-Mark Andrews <marka@isc.org> <marka@daemon.lab.isc.org>
-Mark Andrews <marka@isc.org> <marka@newdocs.lab.isc.org>
-Matthijs Mekking <matthijs@isc.org> <github@pletterpet.nl>
-Nicki Křížek <nicki@isc.org> <tkrizek@isc.org>
-Ondřej Surý <ondrej@isc.org>
-Ondřej Surý <ondrej@isc.org> <ondrej@openbsd-6-9.home.sury.org>
-Ondřej Surý <ondrej@isc.org> <ondrej@sury.org>
-Petr Menšík <pemensik@redhat.com>
-Petr Menšík <pemensik@redhat.com> <pmensik@redhat.com>
-Robert Edmonds <edmonds>
-Tatuya JINMEI 神明達哉 <jinmei@isc.org>
-Witold Kręcicki <wpk@isc.org>
-Witold Kręcicki <wpk@isc.org> <wpk@culm.net>

.pylintrc

@@ -1,28 +0,0 @@
-[IMPORTS]
-
-deprecated-modules=
-    dns.resolver,
-
-[MESSAGES CONTROL]
-
-disable=
-    C0103, # invalid-name
-    C0114, # missing-module-docstring
-    C0115, # missing-class-docstring
-    C0116, # missing-function-docstring
-    C0209, # consider-using-f-string
-    C0301, # line-too-long, handled better by black
-    C0302, # too-many-lines
-    C0415, # import-outside-toplevel
-    R0801, # duplicate-code
-    R0901, # too-many-ancestors
-    R0902, # too-many-instance-attributes
-    R0903, # too-few-public-methods
-    R0904, # too-many-public-methods
-    R0911, # too-many-return-statements
-    R0912, # too-many-branches
-    R0913, # too-many-arguments
-    R0914, # too-many-locals
-    R0915, # too-many-statements
-    R0916, # too-many-boolean-expressions
-    R0917, # too-many-positional-arguments

.readthedocs.yaml

@@ -1,18 +0,0 @@
-# See https://docs.readthedocs.io/en/stable/config-file/v2.html for details
-
-version: 2
-
-build:
-  os: ubuntu-22.04
-  tools:
-    python: "3.11"
-  jobs:
-    pre_build:
-      - python -m pip install -r https://gitlab.isc.org/isc-projects/bind9/-/raw/main/doc/arm/requirements.txt
-
-# Build documentation in doc/arm/ with Sphinx
-sphinx:
-  configuration: doc/arm/conf.py
-
-# Build all formats
-formats: all

.reuse/dep5

@@ -1,231 +0,0 @@
-Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
-Upstream-Name: BIND 9
-Upstream-Contact: Internet Systems Consortium, Inc. ("ISC") <info@isc.org>
-Source: https://gitlab.isc.org/isc-projects/bind9/
-
-#
-# Build system, data files from tests, and misc cruft
-#
-Files: **/*.after*
-       **/*.bad
-       **/*.batch
-       **/*.before*
-       **/*.ccache
-       **/*.good
-       **/*.key
-       **/*.pem
-       **/*.private
-       **/*.raw
-       **/*.saved
-       **/*.zonelist
-       **/*dig.out*
-       **/Makefile
-       **/Makefile.*
-       **/testdata/*
-       .github/*
-       .gitlab/*
-       .mailmap
-       AUTHORS
-       COPYRIGHT
-       Makefile
-       Makefile.*
-       bin/tests/system/checkzone/zones/bad-caa-rr.db
-       bin/tests/system/checkzone/zones/bad1.db
-       bin/tests/system/checkzone/zones/crashzone.db
-       bin/tests/system/dnstap/large-answer.fstrm
-       bin/tests/system/doth/CA/CA.cfg
-       bin/tests/system/doth/CA/README
-       bin/tests/system/doth/CA/index.txt
-       bin/tests/system/doth/CA/index.txt.attr
-       bin/tests/system/doth/CA/serial
-       bin/tests/system/formerr/badnsec3owner
-       bin/tests/system/formerr/badrecordname
-       bin/tests/system/formerr/dupans
-       bin/tests/system/formerr/dupquestion
-       bin/tests/system/formerr/keyclass
-       bin/tests/system/formerr/malformeddeltype
-       bin/tests/system/formerr/malformedrrsig
-       bin/tests/system/formerr/nametoolong
-       bin/tests/system/formerr/noquestions
-       bin/tests/system/formerr/optwrongname
-       bin/tests/system/formerr/qtypeasanswer
-       bin/tests/system/formerr/questionclass
-       bin/tests/system/formerr/shortquestion
-       bin/tests/system/formerr/shortrecord
-       bin/tests/system/formerr/tsignotlast
-       bin/tests/system/formerr/tsigwrongclass
-       bin/tests/system/formerr/twoquestionnames
-       bin/tests/system/formerr/twoquestiontypes
-       bin/tests/system/formerr/wrongclass
-       bin/tests/system/forward/CA/CA.cfg
-       bin/tests/system/forward/CA/README
-       bin/tests/system/forward/CA/index.txt
-       bin/tests/system/forward/CA/index.txt.attr
-       bin/tests/system/forward/CA/serial
-       bin/tests/system/isctest/vars/.ac_vars/*
-       bin/tests/system/journal/ns1/managed-keys.bind.in
-       bin/tests/system/journal/ns1/managed-keys.bind.jnl.in
-       bin/tests/system/journal/ns2/managed-keys.bind.in
-       bin/tests/system/journal/ns2/managed-keys.bind.jnl.in
-       bin/tests/system/keepalive/expected
-       bin/tests/system/legacy/ns6/edns512.db.signed
-       bin/tests/system/legacy/ns7/edns512-notcp.db.signed
-       bin/tests/system/masterfile/knowngood.include
-       bin/tests/system/masterfile/knowngood.ttl1
-       bin/tests/system/masterfile/knowngood.ttl2
-       bin/tests/system/notify/CA/CA.cfg
-       bin/tests/system/notify/CA/README
-       bin/tests/system/notify/CA/index.txt
-       bin/tests/system/notify/CA/index.txt.attr
-       bin/tests/system/notify/CA/serial
-       bin/tests/system/notify/ns4/named.port.in
-       bin/tests/system/nsupdate/CA/CA.cfg
-       bin/tests/system/nsupdate/CA/README
-       bin/tests/system/nsupdate/CA/index.txt
-       bin/tests/system/nsupdate/CA/index.txt.attr
-       bin/tests/system/nsupdate/CA/serial
-       bin/tests/system/nsupdate/commandlist
-       bin/tests/system/nsupdate/verylarge.in
-       bin/tests/system/org.isc.bind.system.plist
-       bin/tests/system/pipelined/input
-       bin/tests/system/pipelined/inputb
-       bin/tests/system/pipelined/ref
-       bin/tests/system/pipelined/refb
-       bin/tests/system/rsabigexponent/ns2/dsset-example.in
-       bin/tests/system/run.gdb
-       bin/tests/system/runtime/ctrl-chars
-       bin/tests/system/runtime/long-cmd-line
-       bin/tests/system/statschannel/traffic.expect.1
-       bin/tests/system/statschannel/traffic.expect.2
-       bin/tests/system/statschannel/traffic.expect.4
-       bin/tests/system/statschannel/traffic.expect.5
-       bin/tests/system/statschannel/traffic.expect.6
-       bin/tests/system/tcp/1996-alloc_dnsbuf-crash-test.pkt
-       bin/tests/system/tsig/badlocation
-       bin/tests/system/tsig/badtime
-       bin/tests/system/unknown/large.out
-       bin/tests/system/xfer/ans5/badkeydata
-       bin/tests/system/xfer/ans5/badmessageid
-       bin/tests/system/xfer/ans5/ednsformerr
-       bin/tests/system/xfer/ans5/ednsnotimp
-       bin/tests/system/xfer/ans5/goodaxfr
-       bin/tests/system/xfer/ans5/ixfrnotimp
-       bin/tests/system/xfer/ans5/partial
-       bin/tests/system/xfer/ans5/soamismatch
-       bin/tests/system/xfer/ans5/unknownkey
-       bin/tests/system/xfer/ans5/unsigned
-       bin/tests/system/xfer/ans5/wrongkey
-       bin/tests/system/xfer/ans5/wrongname
-       bin/tests/system/xfer/knowngood.mapped
-       cocci/*.cocci
-       cocci/*.disabled
-       cocci/*.spatch
-       doc/arm/*.dia
-       doc/arm/*.png
-       doc/arm/isc-logo.pdf
-       doc/arm/requirements.txt
-       doc/man/*.1in
-       doc/man/*.5in
-       doc/man/*.8in
-       fuzz/*.in/*
-Copyright: Internet Systems Consortium, Inc. ("ISC")
-License: MPL-2.0
-
-#
-# DNSSEC Guide images
-#
-Files: doc/dnssec-guide/img/*.png
-Copyright: Internet Systems Consortium, Inc. ("ISC")
-License: MPL-2.0
-
-#
-# Libtool Files
-#
-Files: m4/libtool.m4
-       m4/ltoptions.m4
-       m4/ltsugar.m4
-       m4/ltversion.m4
-       m4/ltversion.m4
-       m4/lt~obsolete.m4
-Copyright: Free Software Foundation, Inc.
-License:
- This file is free software; the Free Software Foundation gives unlimited
- permission to copy and/or distribute it, with or without modifications, as long
- as this notice is preserved.
-
-#
-# DLZ Modules
-#
-Files: contrib/dlz/modules/*/testing/*
-Copyright: Internet Systems Consortium, Inc. ("ISC")
-	   Stichting NLnet, Netherlands
-License: ISC and MPL-2.0
-
-#
-# Stuff that's basically uncopyrightable (configuration, generated files),
-# use CC0-1.0 for clarity that we don't care
-#
-Files: **/.clang-format
-       **/.clang-format.headers
-       **/.dir-locals.el
-       **/.gitattributes
-       **/.gitignore
-       **/named*.args
-       **/named.dropedns
-       **/named.ednsformerr
-       **/named.ednsnotimp
-       **/named.ednsrefused
-       **/named.maxudp1460
-       **/named.maxudp512
-       **/named.noaa
-       **/named.noedns
-       **/named.nosoa
-       **/named.notcp
-       **/startme
-       .clang-format
-       .clang-format.headers
-       .dir-locals.el
-       .editorconfig
-       .git-blame-ignore-revs
-       .gitattributes
-       .gitignore
-       .gitlab-ci.yml
-       .lgtm.yml
-       .pylintrc
-       .readthedocs.yaml
-       .tsan-suppress
-       .uncrustify.cfg
-       contrib/gitchangelog/changelog.rc.py
-       contrib/gitchangelog/relnotes.rc.py
-       doc/misc/*.zoneopt
-       doc/misc/options
-       doc/misc/rndc.grammar
-       sonar-project.properties
-       tests/bench/names.csv
-Copyright: Internet Systems Consortium, Inc. ("ISC")
-License: CC0-1.0
-
-#
-# geoip2 test files (mmdb is generated from json)
-#
-Files: bin/tests/system/geoip2/data/*.json
-       bin/tests/system/geoip2/data/*.mmdb
-Copyright: Internet Systems Consortium, Inc. ("ISC")
-License: CC0-1.0
-
-#
-# files that may be left over from other branches.
-#
-# in a newly cloned branch or after running "git clean", these
-# files don't exist, but they can be left lying around after
-# checking out an older branch. we explicitly ignore them so they
-# won't clutter up the output when running "reuse lint" by hand
-# in a working source tree.
-#
-Files: **/platform.h
-       bin/python/*
-       bin/tests/optional/*
-       make/*
-       unit/unittest.sh
-Copyright: Internet Systems Consortium, Inc. ("ISC")
-License: CC0-1.0

.reuse/templates/isc.jinja2

@@ -1,16 +0,0 @@
-{% for copyright_line in copyright_lines %}
-{{ copyright_line }}
-{% endfor %}
-
-{% for expression in spdx_expressions %}
-SPDX-License-Identifier: {{ expression }}
-{% endfor %}
-
-{% if "MPL-2.0" in spdx_expressions %}
-This Source Code Form is subject to the terms of the Mozilla Public
-License, v. 2.0.  If a copy of the MPL was not distributed with this
-file, you can obtain one at https://mozilla.org/MPL/2.0/.
-
-See the COPYRIGHT file distributed with this work for additional
-information regarding copyright ownership.
-{% endif %}

.tsan-suppress

@@ -1,3 +0,0 @@
-# Uninstrumented libraries
-called_from_lib:libfstrm.so
-race:dummyrpz

AUTHORS

@@ -1,54 +0,0 @@
-Mark Andrews
-Andreas Gustafsson
-Evan Hunt
-Brian Wellington
-Bob Halley
-David Lawrence
-Michael Graff
-Michael Sawyer
-Ondřej Surý
-James Brister
-Tatuya JINMEI 神明達哉
-Francis Dupont
-Michał Kępień
-Danny Mayer
-Mukund Sivaraman
-Jeremy C. Reed
-William King
-Stephen Morris
-Witold Kręcicki
-Curtis Blackburn
-Scott Mann
-Rob Austein
-Jim Reid
-Eric Luce
-Olafur Gudmundsson
-Stephen Jacob
-Damien Neil
-Tony Finch
-Jakob Schlyter
-Petr Menšík
-Vernon Schryver
-Matt Nelson
-Shane Kerr
-Paul Ebersman
-Ray Bellis
-Shawn Routhier
-Ben Cottrell
-Tomas Hozza
-johnd
-Bill Parker
-李昶
-Kevin Chen
-Jonathan Casey
-Mary Stahl
-Mathieu Arnold
-David Hankins
-Paul Hoffman
-Paul Vixie
-Brian Conry
-Anay Panvalkar
-colleen
-Robert Edmonds
-João Damas
-Artem Boldariev (Артем Болдарєв)

CODE_OF_CONDUCT.md

@@ -1,84 +0,0 @@
-<!--
-Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
-SPDX-License-Identifier: MPL-2.0
-
-This Source Code Form is subject to the terms of the Mozilla Public
-License, v. 2.0.  If a copy of the MPL was not distributed with this
-file, you can obtain one at https://mozilla.org/MPL/2.0/.
-
-See the COPYRIGHT file distributed with this work for additional
-information regarding copyright ownership.
--->
-
-# BIND 9 Code of Conduct
-
-Like the technical community as a whole, the BIND 9 team and community is made
-up of a mixture of professionals and volunteers from all over the world, working
-on every aspect of the mission - including mentorship, teaching, and connecting
-people.
-
-Diversity is one of our huge strengths, but it can also lead to communication
-issues and unhappiness. To that end, we have a few ground rules that we ask
-people to adhere to. This code applies equally to the core development team,
-open source contributors and those seeking help and guidance.
-
-This isn't an exhaustive list of things that you can't do. Rather, take it in
-the spirit in which it's intended - a guide to make it easier to enrich all of
-us and the technical communities in which we participate.
-
-This code of conduct applies to all spaces managed by the BIND 9 project or
-Internet Systems Consortium. This includes chat, the mailing lists, the issue
-tracker, and any other fora created by the project team which the
-community uses for communication. In addition, violations of this code outside
-these spaces may affect a person's ability to participate within them.
-
-If you believe someone is violating the code of conduct, we ask that you report
-it by emailing [conduct@isc.org](conduct@isc.org). For more details please see
-our [Reporting Guidelines](https://www.isc.org/conductreporting/).
-
-* **Be friendly and patient.**
-* **Be welcoming.** We strive to be a community that welcomes and supports
-  people of all backgrounds and identities. This includes, but is not limited to
-  members of any race, ethnicity, culture, national origin, colour, immigration
-  status, social and economic class, educational level, sex, sexual orientation,
-  gender identity and expression, age, size, family status, political belief,
-  religion, and mental and physical ability.
-* **Be considerate.** Your work will be used by other people, and you in turn
-  will depend on the work of others. Any decision you take will affect users and
-  colleagues, and you should take those consequences into account when making
-  decisions. Remember that we're a world-wide community, so you might not be
-  communicating in someone else's primary language.
-* **Be respectful.** Not all of us will agree all the time, but disagreement is
-  no excuse for poor behavior and poor manners. We might all experience some
-  frustration now and then, but we cannot allow that frustration to turn into a
-  personal attack. It's important to remember that a community where people feel
-  uncomfortable or threatened is not a productive one. Members of the BIND 9
-  community should be respectful when dealing with other members as well as with
-  people outside the BIND 9 community.
-* **Be careful in the words that you choose.** We are a community of
-  professionals, and we conduct ourselves professionally. Be kind to others. Do
-  not insult or put down other participants. Harassment and other exclusionary
-  behavior aren't acceptable. This includes, but is not limited to:
-  * Violent threats or language directed against another person.
-  * Discriminatory jokes and language.
-  * Posting sexually explicit or violent material.
-  * Posting (or threatening to post) other people's personally identifying
-    information ("doxing").
-  * Personal insults, especially those using racist or sexist terms.
-  * Unwelcome sexual attention.
-  * Advocating for, or encouraging, any of the above behavior.
-  * Repeated harassment of others. In general, if someone asks you to stop, then
-    stop.
-* **When we disagree, try to understand why.** Disagreements, both social and
-  technical, happen all the time and BIND 9 is no exception. It is important
-  that we resolve disagreements and differing views constructively. Remember
-  that we're different. The strength of BIND 9 comes from its varied community,
-  people from a wide range of backgrounds. Different people have different
-  perspectives on issues. Being unable to understand why someone holds a
-  viewpoint doesn't mean that they're wrong. Don't forget that it is human to
-  err and blaming each other doesn't get us anywhere. Instead, focus on helping
-  to resolve issues and learning from mistakes.
-
-Original text courtesy of the [Django Code of Conduct](https://www.djangoproject.com/conduct/)
-project.

CONTRIBUTING

@@ -0,0 +1,186 @@
+BIND Source Access and Contributor Guidelines
+
+Feb 22, 2018
+
+Contents
+
+ 1. Access to source code
+ 2. Reporting bugs
+ 3. Contributing code
+
+Introduction
+
+Thank you for using BIND!
+
+BIND is open source software that implements the Domain Name System (DNS)
+protocols for the Internet. It is a reference implementation of those
+protocols, but it is also production-grade software, suitable for use in
+high-volume and high-reliability applications. It is by far the most
+widely used DNS software, providing a robust and stable platform on top of
+which organizations can build distributed computing systems with the
+knowledge that those systems are fully compliant with published DNS
+standards.
+
+BIND is and will always remain free and openly available. It can be used
+and modified in any way by anyone.
+
+BIND is maintained by the Internet Systems Consortium, a public-benefit
+501(c)(3) nonprofit, using a "managed open source" approach: anyone can
+see the source, but only ISC employees have commit access. Until recently,
+the source could only be seen once ISC had published a release: read
+access to the source repository was restricted just as commit access was.
+That's now changing, with the opening of a public git mirror to the BIND
+source tree (see below).
+
+Access to source code
+
+Public BIND releases are always available from the ISC FTP site.
+
+A public-access GIT repository is also available at https://gitlab.isc.org
+. This repository is a mirror, updated several times per day, of the
+source repository maintained by ISC. It contains all the public release
+branches; upcoming releases can be viewed in their current state at any
+time. It does not contain development branches or unreviewed work in
+progress. Commits which address security vulnerablilities are withheld
+until after public disclosure.
+
+You can browse the source online via https://gitlab.isc.org/isc-projects/
+bind9
+
+To clone the repository, use:
+
+      $ git clone https://gitlab.isc.org/isc-projects/bind9.git
+
+Release branch names are of the form v9_X, where X represents the second
+number in the BIND 9 version number. So, to check out the BIND 9.12
+branch, use:
+
+      $ git checkout v9_12
+
+Whenever a branch is ready for publication, a tag will be placed of the
+form v9_X_Y. The 9.12.0 release, for instance, is tagged as v9_12_0.
+
+The branch in which the next major release is being developed is called
+master.
+
+Reporting bugs
+
+Reports of flaws in the BIND package, including software bugs, errors in
+the documentation, missing files in the tarball, suggested changes or
+requests for new features, etc, can be filed using https://gitlab.isc.org/
+isc-projects/bind9/issues.
+
+Due to a large ticket backlog, we are sometimes slow to respond,
+especially if a bug is cosmetic or if a feature request is vague or low in
+priority, but we will try at least to acknowledge legitimate bug reports
+within a week.
+
+ISC's ticketing system is publicly readable; however, you must have an
+account to file a new issue. You can either register locally or use
+credentials from an existing account at GitHub, GitLab, Google, Twitter,
+or Facebook.
+
+Reporting possible security issues
+
+If you think you may be seeing a potential security vulnerability in BIND
+(for example, a crash with REQUIRE, INSIST, or ASSERT failure), please
+report it immediately by emailing to security-officer@isc.org. Plain-text
+e-mail is not a secure choice for communications concerning undisclosed
+security issues so please encrypt your communications to us if possible,
+using the ISC Security Officer public key.
+
+Do not discuss undisclosed security vulnerabilites on any public mailing
+list. ISC has a long history of handling reported vulnerabilities promptly
+and effectively and we respect and acknowledge responsible reporters.
+
+ISC's Security Vulnerability Disclosure Policy is documented at https://
+kb.isc.org/article/AA-00861/0.
+
+If you have a crash, you may want to consult ?What to do if your BIND or
+DHCP server has crashed.?
+
+Contributing code
+
+BIND is licensed under the Mozilla Public License 2.0. Earier versions
+(BIND 9.10 and earlier) were licensed under the ISC License
+
+ISC does not require an explicit copyright assignment for patch
+contributions. However, by submitting a patch to ISC, you implicitly
+certify that you are the author of the code, that you intend to reliquish
+exclusive copyright, and that you grant permission to publish your work
+under the open source license used for the BIND version(s) to which your
+patch will be applied.
+
+BIND code
+
+Patches for BIND may be submitted directly via merge requests in ISC's
+Gitlab source repository for BIND.
+
+Patches can also be submitted as diffs against a specific version of BIND
+-- preferably the current top of the master branch. Diffs may be generated
+using either git format-patch or git diff.
+
+Those wanting to write code for BIND may be interested in the developer
+information page, which includes information about BIND design and coding
+practices, including discussion of internal APIs and overall system
+architecture. (This is a work in progress, and still quite preliminary.)
+
+Every patch submitted will be reviewed by ISC engineers following our code
+review process before it is merged.
+
+It may take considerable time to review patch submissions, especially if
+they don't meet ISC style and quality guidelines. If a patch is a good
+idea, we can and will do additional work to bring it up to par, but if
+we're busy with other work, it may take us a long time to get to it.
+
+To ensure your patch is acted on as promptly as possible, please:
+
+  * Try to adhere to the BIND 9 coding style.
+  * Run make check to ensure your change hasn't caused any functional
+    regressions.
+  * Document your work, both in the patch itself and in the accompanying
+    email.
+  * In patches that make non-trivial functional changes, include system
+    tests if possible; when introducing or substantially altering a
+    library API, include unit tests. See Testing for more information.
+
+Changes to configure
+
+If you need to make changes to configure, you should not edit it directly;
+instead, edit configure.in, then run autoconf. Similarly, instead of
+editing config.h.in directly, edit configure.in and run autoheader.
+
+When submitting a patch as a diff, it's fine to omit the configure diffs
+to save space. Just send the configure.in diffs and we'll generate the new
+configure during the review process.
+
+Documentation
+
+All functional changes should be documented. There are three types of
+documentation in the BIND source tree:
+
+  * Man pages are kept alongside the source code for the commands they
+    document, in files ending in .docbook; for example, the named man page
+    is bin/named/named.docbook.
+  * The BIND 9 Administrator Reference Manual is mostly in doc/arm/
+    Bv9ARM-book.xml, plus a few other XML files that are included in it.
+  * API documentation is in the header file describing the API, in
+    Doxygen-formatted comments.
+
+It is not necessary to edit any documentation files other than these; all
+PDF, HTML, and nroff-format man page files will be updated automatically
+from the docbook and XML files after merging.
+
+Patches to improve existing documentation are also very welcome!
+
+Tests
+
+BIND is a large and complex project. We rely heavily on continuous
+automated testing and cannot merge new code without adequate test
+coverage. Please see the 'Testing' section of doc/dev/dev.md for more
+information.
+
+Thanks
+
+Thank you for your interest in contributing to the ongoing development of
+BIND.

CONTRIBUTING.md

@@ -1,17 +1,15 @@
 <!--
-Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
-SPDX-License-Identifier: MPL-2.0
-
-This Source Code Form is subject to the terms of the Mozilla Public
-License, v. 2.0.  If a copy of the MPL was not distributed with this
-file, you can obtain one at https://mozilla.org/MPL/2.0/.
-
-See the COPYRIGHT file distributed with this work for additional
-information regarding copyright ownership.
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
 -->
-## BIND 9 Source Access and Contributor Guidelines
-*Nov 26, 2024*
+## BIND Source Access and Contributor Guidelines
+*Feb 22, 2018*
 
 ### Contents
 
@@ -21,12 +19,12 @@ information regarding copyright ownership.
 
 ### Introduction
 
-Thank you for using BIND 9!
+Thank you for using BIND!
 
 BIND is open source software that implements the Domain Name System (DNS)
 protocols for the Internet. It is a reference implementation of those
 protocols, but it is also production-grade software, suitable for use in
-high-volume and high-reliability applications.  It is very
+high-volume and high-reliability applications.  It is by far the most
 widely used DNS software, providing a robust and stable platform on top of
 which organizations can build distributed computing systems with the
 knowledge that those systems are fully compliant with published DNS
@@ -35,34 +33,27 @@ standards.
 BIND is and will always remain free and openly available.  It can be
 used and modified in any way by anyone.
 
-BIND is maintained by [Internet Systems Consortium](https://www.isc.org),
+BIND is maintained by the [Internet Systems Consortium](https://www.isc.org),
 a public-benefit 501(c)(3) nonprofit, using a "managed open source" approach:
 anyone can see the source, but only ISC employees have commit access.
-In the past, the source could only be seen once ISC had published
-a release; read access to the source repository was restricted just
-as commit access was.  That has changed, as ISC now provides a
-public git repository of the BIND source tree (see below).
-
-At ISC, we're committed to
-building communities that are welcoming and inclusive: environments where people
-are encouraged to share ideas, treat each other with respect, and collaborate
-towards the best solutions. To reinforce our commitment, ISC
-has adopted a slightly modified version of the Django
-[Code of Conduct](https://gitlab.isc.org/isc-projects/bind9/-/blob/main/CODE_OF_CONDUCT.md)
-for the BIND 9 project, as well as for the conduct of our developers throughout
-the industry.
+Until recently, the source could only be seen once ISC had published
+a release: read access to the source repository was restricted just
+as commit access was.  That's now changing, with the opening of a
+public git mirror to the BIND source tree (see below).
 
 ### <a name="access"></a>Access to source code
 
 Public BIND releases are always available from the
 [ISC FTP site](ftp://ftp.isc.org/isc/bind9).
 
-A public-access git repository is also available at
-[https://gitlab.isc.org](https://gitlab.isc.org).  This repository
-contains all public release branches. Upcoming releases can be viewed in
-their current state at any time.  Short-lived development branches
-contain unreviewed work in progress.  Commits which address security
-vulnerablilities are withheld until after public disclosure.
+A public-access GIT repository is also available at
+[https://gitlab.isc.org](https://gitlab.isc.org).
+This repository is a mirror, updated several times per day, of the
+source repository maintained by ISC.  It contains all the public release
+branches; upcoming releases can be viewed in their current state at any
+time.  It does *not* contain development branches or unreviewed work in
+progress.  Commits which address security vulnerablilities are withheld
+until after public disclosure.
 
 You can browse the source online via
 [https://gitlab.isc.org/isc-projects/bind9](https://gitlab.isc.org/isc-projects/bind9)
@@ -71,49 +62,61 @@ To clone the repository, use:
 
 >       $ git clone https://gitlab.isc.org/isc-projects/bind9.git
 
-Release branch names are of the form `bind-9.X`, where X represents the second
-number in the BIND 9 version number.  So, to check out the BIND 9.20
+Release branch names are of the form `v9_X`, where X represents the second
+number in the BIND 9 version number.  So, to check out the BIND 9.12
 branch, use:
 
->       $ git checkout bind-9.20
+>       $ git checkout v9_12
 
-Whenever a branch is ready for publication, a tag is placed of the
-form `v9.X.Y`.  The 9.20.0 release, for instance, is tagged as `v9.20.0`.
+Whenever a branch is ready for publication, a tag will be placed of the
+form `v9_X_Y`.  The 9.12.0 release, for instance, is tagged as `v9_12_0`.
 
 The branch in which the next major release is being developed is called
-`main`.
+`master`.
 
 ### <a name="bugs"></a>Reporting bugs
 
 Reports of flaws in the BIND package, including software bugs, errors
 in the documentation, missing files in the tarball, suggested changes
-or requests for new features, etc., can be filed using
+or requests for new features, etc, can be filed using
 [https://gitlab.isc.org/isc-projects/bind9/issues](https://gitlab.isc.org/isc-projects/bind9/issues).
 
 Due to a large ticket backlog, we are sometimes slow to respond,
 especially if a bug is cosmetic or if a feature request is vague or
-low in priority, but we try at least to acknowledge legitimate
+low in priority, but we will try at least to acknowledge legitimate
 bug reports within a week.
 
-ISC's GitLab system is publicly readable; however, you must have
-an account to create a new issue. You can either register locally or
+ISC's ticketing system is publicly readable; however, you must have
+an account to file a new issue. You can either register locally or
 use credentials from an existing account at GitHub, GitLab, Google,
 Twitter, or Facebook.
 
 ### Reporting possible security issues
+If you think you may be seeing a potential security vulnerability in BIND
+(for example, a crash with REQUIRE, INSIST, or ASSERT failure), please
+report it immediately by emailing to security-officer@isc.org. Plain-text
+e-mail is not a secure choice for communications concerning undisclosed
+security issues so please encrypt your communications to us if possible,
+using the [ISC Security Officer public key](https://www.isc.org/downloads/software-support-policy/openpgp-key/).
 
-See `SECURITY.md`.
+Do not discuss undisclosed security vulnerabilites on any public mailing list.
+ISC has a long history of handling reported vulnerabilities promptly and
+effectively and we respect and acknowledge responsible reporters.
 
-### <a name="contrib"></a>Contributing code
+ISC's Security Vulnerability Disclosure Policy is documented at [https://kb.isc.org/article/AA-00861/0](https://kb.isc.org/article/AA-00861/0).
+
+If you have a crash, you may want to consult
+[‘What to do if your BIND or DHCP server has crashed.’](https://kb.isc.org/article/AA-00340/89/What-to-do-if-your-BIND-or-DHCP-server-has-crashed.html)
+
+### <a name="bugs"></a>Contributing code
 
 BIND is licensed under the
-[Mozilla Public License 2.0](https://www.mozilla.org/en-US/MPL/2.0/).
-Earlier versions (BIND 9.10 and earlier) were licensed under the
-[ISC License](https://www.isc.org/licenses/)
+[Mozilla Public License 2.0](http://www.isc.org/downloads/software-support-policy/isc-license/).
+Earier versions (BIND 9.10 and earlier) were licensed under the [ISC License](http://www.isc.org/downloads/software-support-policy/isc-license/)
 
 ISC does not require an explicit copyright assignment for patch
 contributions.  However, by submitting a patch to ISC, you implicitly
-certify that you are the author of the code, that you intend to relinquish
+certify that you are the author of the code, that you intend to reliquish
 exclusive copyright, and that you grant permission to publish your work
 under the open source license used for the BIND version(s) to which your
 patch will be applied.
@@ -121,20 +124,20 @@ patch will be applied.
 #### <a name="bind"></a>BIND code
 
 Patches for BIND may be submitted directly via merge requests in
-[ISC's GitLab](https://gitlab.isc.org/isc-projects/bind9/) source repository for
-BIND. Please contact ISC and provide your GitLab username in order to be allowed
-to fork the project and submit merge requests.
+[ISC's Gitlab](https://gitlab.isc.org/isc-projects/bind9/) source
+repository for BIND.
 
 Patches can also be submitted as diffs against a specific version of
-BIND -- preferably the current top of the `main` branch.  Diffs may
+BIND -- preferably the current top of the `master` branch.  Diffs may
 be generated using either `git format-patch` or `git diff`.
 
 Those wanting to write code for BIND may be interested in the
 [developer information](doc/dev/dev.md) page, which includes information
 about BIND design and coding practices, including discussion of internal
-APIs and overall system architecture.
+APIs and overall system architecture.  (This is a work in progress, and
+still quite preliminary.)
 
-Every patch submitted is reviewed by ISC engineers following our
+Every patch submitted will be reviewed by ISC engineers following our
 [code review process](doc/dev/dev.md#reviews) before it is merged.
 
 It may take considerable time to review patch submissions, especially if
@@ -145,8 +148,8 @@ we're busy with other work, it may take us a long time to get to it.
 To ensure your patch is acted on as promptly as possible, please:
 
 * Try to adhere to the [BIND 9 coding style](doc/dev/style.md).
-* Run unit and system tests to ensure your change hasn't caused any
-  functional regressions (these can be checked in the CI pipeline).
+* Run `make` `check` to ensure your change hasn't caused any
+  functional regressions.
 * Document your work, both in the patch itself and in the
   accompanying email.
 * In patches that make non-trivial functional changes, include system
@@ -157,12 +160,12 @@ To ensure your patch is acted on as promptly as possible, please:
 ##### Changes to `configure`
 
 If you need to make changes to `configure`, you should not edit it
-directly; instead, edit `configure.ac`, then run `autoconf`.  Similarly,
-instead of editing `config.h.in` directly, edit `configure.ac` and run
+directly; instead, edit `configure.in`, then run `autoconf`.  Similarly,
+instead of editing `config.h.in` directly, edit `configure.in` and run
 `autoheader`.
 
 When submitting a patch as a diff, it's fine to omit the `configure`
-diffs to save space.  Just send the `configure.ac` diffs and we'll
+diffs to save space.  Just send the `configure.in` diffs and we'll
 generate the new `configure` during the review process.
 
 ##### Documentation
@@ -171,24 +174,28 @@ All functional changes should be documented. There are three types
 of documentation in the BIND source tree:
 
 * Man pages are kept alongside the source code for the commands
-  they document, in files ending in `.rst`: for example, the
-  `named` man page is `bin/named/named.rst`.
-* The *BIND 9 Administrator Reference Manual* is in the .rst files in
-  `doc/arm/`; the HTML version is automatically generated from
-  the `.rst` files.
+  they document, in files ending in `.docbook`; for example, the
+  `named` man page is `bin/named/named.docbook`.
+* The *BIND 9 Administrator Reference Manual* is mostly in
+  `doc/arm/Bv9ARM-book.xml`, plus a few other XML files that are included
+  in it.
 * API documentation is in the header file describing the API, in
   Doxygen-formatted comments.
 
+It is not necessary to edit any documentation files other than these;
+all PDF, HTML, and `nroff`-format man page files will be updated
+automatically from the `docbook` and `XML` files after merging.
+
 Patches to improve existing documentation are also very welcome!
 
 ##### Tests
 
 BIND is a large and complex project. We rely heavily on continuous
 automated testing and cannot merge new code without adequate test coverage.
-Please see [the "Testing" section of doc/dev/dev.md](doc/dev/dev.md#testing)
+Please see [the 'Testing' section of doc/dev/dev.md](doc/dev/dev.md#testing)
 for more information.
 
 #### Thanks
 
 Thank you for your interest in contributing to the ongoing development
-of BIND 9.
+of BIND.

COPYING

@@ -1 +0,0 @@
-LICENSE

COPYRIGHT

@@ -1,8 +1,8 @@
-Copyright (C) 1996-2023  Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 1996-2019  Internet Systems Consortium, Inc. ("ISC")
 
 This Source Code Form is subject to the terms of the Mozilla Public
 License, v. 2.0. If a copy of the MPL was not distributed with this
-file, you can obtain one at https://mozilla.org/MPL/2.0/.
+file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
  -----------------------------------------------------------------------------
 
@@ -133,7 +133,7 @@ modification, are permitted provided that the following conditions are met:
 3. Neither the name of the University nor the names of its contributors may
    be used to endorse or promote products derived from this software
    without specific prior written permission.
-
+ 
 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -149,28 +149,54 @@ POSSIBILITY OF SUCH DAMAGE.
  -----------------------------------------------------------------------------
 
 Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
-(Royal Institute of Technology, Stockholm, Sweden).
+(Royal Institute of Technology, Stockholm, Sweden). 
+All rights reserved. 
+
+Redistribution and use in source and binary forms, with or without 
+modification, are permitted provided that the following conditions 
+are met: 
+
+1. Redistributions of source code must retain the above copyright 
+   notice, this list of conditions and the following disclaimer. 
+
+2. Redistributions in binary form must reproduce the above copyright 
+   notice, this list of conditions and the following disclaimer in the 
+   documentation and/or other materials provided with the distribution. 
+
+3. Neither the name of the Institute nor the names of its contributors 
+   may be used to endorse or promote products derived from this software 
+   without specific prior written permission. 
+
+THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+SUCH DAMAGE. 
+
+ -----------------------------------------------------------------------------
+
+Copyright (c) 1998 Doug Rabson
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions
 are met:
-
 1. Redistributions of source code must retain the above copyright
    notice, this list of conditions and the following disclaimer.
-
 2. Redistributions in binary form must reproduce the above copyright
    notice, this list of conditions and the following disclaimer in the
    documentation and/or other materials provided with the distribution.
 
-3. Neither the name of the Institute nor the names of its contributors
-   may be used to endorse or promote products derived from this software
-   without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
@@ -181,6 +207,41 @@ SUCH DAMAGE.
 
  -----------------------------------------------------------------------------
 
+Copyright ((c)) 2002, Rice University
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+    * Redistributions of source code must retain the above copyright
+    notice, this list of conditions and the following disclaimer.
+
+    * Redistributions in binary form must reproduce the above
+    copyright notice, this list of conditions and the following
+    disclaimer in the documentation and/or other materials provided
+    with the distribution.
+
+    * Neither the name of Rice University (RICE) nor the names of its
+    contributors may be used to endorse or promote products derived
+    from this software without specific prior written permission.
+
+
+This software is provided by RICE and the contributors on an "as is"
+basis, without any representations or warranties of any kind, express
+or implied including, but not limited to, representations or
+warranties of non-infringement, merchantability or fitness for a
+particular purpose. In no event shall RICE or contributors be liable
+for any direct, indirect, incidental, special, exemplary, or
+consequential damages (including, but not limited to, procurement of
+substitute goods or services; loss of use, data, or profits; or
+business interruption) however caused and on any theory of liability,
+whether in contract, strict liability, or tort (including negligence
+or otherwise) arising in any way out of the use of this software, even
+if advised of the possibility of such damage.
+
+ -----------------------------------------------------------------------------
+
 Copyright (c) 1993 by Digital Equipment Corporation.
 
 Permission to use, copy, modify, and distribute this software for any
@@ -201,6 +262,61 @@ SOFTWARE.
 
  -----------------------------------------------------------------------------
 
+Copyright 2000 Aaron D. Gifford.  All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+3. Neither the name of the copyright holder nor the names of contributors
+   may be used to endorse or promote products derived from this software
+   without specific prior written permission.
+ 
+THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) AND CONTRIBUTOR(S) ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR(S) OR CONTRIBUTOR(S) BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
+
+ -----------------------------------------------------------------------------
+
+Copyright (c) 1998 Doug Rabson.
+Copyright (c) 2001 Jake Burkholder.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
+
+ -----------------------------------------------------------------------------
+
 Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 All rights reserved.
 
@@ -247,6 +363,49 @@ SOFTWARE.
 
  -----------------------------------------------------------------------------
 
+Copyright (c) 2000-2002 Japan Network Information Center.  All rights reserved.
+ 
+By using this file, you agree to the terms and conditions set forth bellow.
+
+                        LICENSE TERMS AND CONDITIONS 
+
+The following License Terms and Conditions apply, unless a different
+license is obtained from Japan Network Information Center ("JPNIC"),
+a Japanese association, Kokusai-Kougyou-Kanda Bldg 6F, 2-3-4 Uchi-Kanda,
+Chiyoda-ku, Tokyo 101-0047, Japan.
+
+1. Use, Modification and Redistribution (including distribution of any
+   modified or derived work) in source and/or binary forms is permitted
+   under this License Terms and Conditions.
+
+2. Redistribution of source code must retain the copyright notices as they
+   appear in each source code file, this License Terms and Conditions.
+
+3. Redistribution in binary form must reproduce the Copyright Notice,
+   this License Terms and Conditions, in the documentation and/or other
+   materials provided with the distribution.  For the purposes of binary
+   distribution the "Copyright Notice" refers to the following language:
+   "Copyright (c) 2000-2002 Japan Network Information Center.  All rights
+   reserved."
+
+4. The name of JPNIC may not be used to endorse or promote products
+   derived from this Software without specific prior written approval of
+   JPNIC.
+
+5. Disclaimer/Limitation of Liability: THIS SOFTWARE IS PROVIDED BY JPNIC
+   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+   PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL JPNIC BE LIABLE
+   FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+   CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+   SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+   BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+   WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+   OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+   ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+ -----------------------------------------------------------------------------
+
 Copyright (C) 2004  Nominet, Ltd.
 
 Permission to use, copy, modify, and distribute this software for any
@@ -263,6 +422,24 @@ PERFORMANCE OF THIS SOFTWARE.
 
  -----------------------------------------------------------------------------
 
+Portions Copyright RSA Security Inc.
+
+License to copy and use this software is granted provided that it is
+identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
+(Cryptoki)" in all material mentioning or referencing this software.
+
+License is also granted to make and use derivative works provided that
+such works are identified as "derived from the RSA Security Inc. PKCS #11
+Cryptographic Token Interface (Cryptoki)" in all material mentioning or
+referencing the derived work.
+
+RSA Security Inc. makes no representations concerning either the
+merchantability of this software or the suitability of this software for
+any particular purpose. It is provided "as is" without express or implied
+warranty of any kind.
+
+ -----------------------------------------------------------------------------
+
 Copyright (c) 1996, David Mazieres <dm@uun.org>
 Copyright (c) 2008, Damien Miller <djm@openbsd.org>
 
@@ -280,6 +457,54 @@ OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
 -----------------------------------------------------------------------------
 
+Copyright (c) 2000-2001 The OpenSSL Project.  All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in
+   the documentation and/or other materials provided with the
+   distribution.
+
+3. All advertising materials mentioning features or use of this
+   software must display the following acknowledgment:
+   "This product includes software developed by the OpenSSL Project
+   for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+
+4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+   endorse or promote products derived from this software without
+   prior written permission. For written permission, please contact
+   licensing@OpenSSL.org.
+
+5. Products derived from this software may not be called "OpenSSL"
+   nor may "OpenSSL" appear in their names without prior written
+   permission of the OpenSSL Project.
+
+6. Redistributions of any form whatsoever must retain the following
+   acknowledgment:
+   "This product includes software developed by the OpenSSL Project
+   for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+
+THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+OF THE POSSIBILITY OF SUCH DAMAGE.
+
+-----------------------------------------------------------------------------
+
 Copyright (c) 1995, 1997, 1998 The NetBSD Foundation, Inc.
 All rights reserved.
 
@@ -367,25 +592,3 @@ distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
-
------------------------------------------------------------------------------
-
-Copyright Joyent, Inc. and other Node contributors. All rights reserved.
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
-FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
-IN THE SOFTWARE.

ChangeLog

@@ -1 +0,0 @@
-doc/arm/changelog.rst

HISTORY

@@ -0,0 +1,524 @@
+Functional enhancements from prior major releases of BIND 9
+
+BIND 9.11
+
+BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier
+releases. New features include:
+
+  * Added support for Catalog Zones, a new method for provisioning
+    servers: a list of zones to be served is stored in a DNS zone, along
+    with their configuration parameters. Changes to the catalog zone are
+    propagated to slaves via normal AXFR/IXFR, whereupon the zones that
+    are listed in it are automatically added, deleted or reconfigured.
+  * Added support for ?dnstap?, a fast and flexible method of capturing
+    and logging DNS traffic.
+  * Added support for ?dyndb?, a new API for loading zone data from an
+    external database, developed by Red Hat for the FreeIPA project.
+  * ?fetchlimit? quotas are now compiled in by default. These are for the
+    use of recursive resolvers that are are under high query load for
+    domains whose authoritative servers are nonresponsive or are
+    experiencing a denial of service attack:
+      + ?fetches-per-server? limits the number of simultaneous queries
+        that can be sent to any single authoritative server. The
+        configured value is a starting point; it is automatically adjusted
+        downward if the server is partially or completely non-responsive.
+        The algorithm used to adjust the quota can be configured via the
+        ?fetch-quota-params? option.
+      + ?fetches-per-zone? limits the number of simultaneous queries that
+        can be sent for names within a single domain. (Note: Unlike
+        ?fetches-per-server?, this value is not self-tuning.)
+      + New stats counters have been added to count queries spilled due to
+        these quotas.
+  * Added a new ?dnssec-keymgr? key mainenance utility, which can generate
+    or update keys as needed to ensure that a zone?s keys match a defined
+    DNSSEC policy.
+  * The experimental ?SIT? feature in BIND 9.10 has been renamed ?COOKIE?
+    and is no longer optional. EDNS COOKIE is a mechanism enabling clients
+    to detect off-path spoofed responses, and servers to detect
+    spoofed-source queries. Clients that identify themselves using COOKIE
+    options are not subject to response rate limiting (RRL) and can
+    receive larger UDP responses.
+  * SERVFAIL responses can now be cached for a limited time (defaulting to
+    1 second, with an upper limit of 30). This can reduce the frequency of
+    retries when a query is persistently failing.
+  * Added an ?nsip-wait-recurse? switch to RPZ. This causes NSIP rules to
+    be skipped if a name server IP address isn?t in the cache yet; the
+    address will be looked up and the rule will be applied on future
+    queries.
+  * Added a Python RNDC module. This allows multiple commands to sent over
+    a persistent RNDC channel, which saves time.
+  * The ?controls? block in named.conf can now grant read-only ?rndc?
+    access to specified clients or keys. Read-only clients could, for
+    example, check ?rndc status? but could not reconfigure or shut down
+    the server.
+  * ?rndc? commands can now return arbitrarily large amounts of text to
+    the caller.
+  * The zone serial number of a dynamically updatable zone can now be set
+    via ?rndc signing -serial ?. This allows inline-signing zones to be
+    set to a specific serial number.
+  * The new ?rndc nta? command can be used to set a Negative Trust Anchor
+    (NTA), disabling DNSSEC validation for a specific domain; this can be
+    used when responses from a domain are known to be failing validation
+    due to administrative error rather than because of a spoofing attack.
+    Negative trust anchors are strictly temporary; by default they expire
+    after one hour, but can be configured to last up to one week.
+  * ?rndc delzone? can now be used on zones that were not originally
+    created by ?rndc addzone?.
+  * ?rndc modzone? reconfigures a single zone, without requiring the
+    entire server to be reconfigured.
+  * ?rndc showzone? displays the current configuration of a zone.
+  * ?rndc managed-keys? can be used to check the status of RFC 5001
+    managed trust anchors, or to force trust anchors to be refreshed.
+  * ?max-cache-size? can now be set to a percentage of available memory.
+    The default is 90%.
+  * Update forwarding performance has been improved by allowing a single
+    TCP connection to be shared by multiple updates.
+  * The EDNS Client Subnet (ECS) option is now supported for authoritative
+    servers; if a query contains an ECS option then ACLs containing
+    ?geoip? or ?ecs? elements can match against the the address encoded in
+    the option. This can be used to select a view for a query, so that
+    different answers can be provided depending on the client network.
+  * The EDNS EXPIRE option has been implemented on the client side,
+    allowing a slave server to set the expiration timer correctly when
+    transferring zone data from another slave server.
+  * The key generation and manipulation tools (dnssec-keygen,
+    dnssec-settime, dnssec-importkey, dnssec-keyfromlabel) now take
+    ?-Psync? and ?-Dsync? options to set the publication and deletion
+    times of CDS and CDNSKEY parent-synchronization records. Both named
+    and dnssec-signzone can now publish and remove these records at the
+    scheduled times.
+  * A new ?minimal-any? option reduces the size of UDP responses for query
+    type ANY by returning a single arbitrarily selected RRset instead of
+    all RRsets.
+  * A new ?masterfile-style? zone option controls the formatting of text
+    zone files: When set to ?full?, a zone file is dumped in
+    single-line-per-record format.
+  * ?serial-update-method? can now be set to ?date?. On update, the serial
+    number will be set to the current date in YYYYMMDDNN format.
+  * ?dnssec-signzone -N date? sets the serial number to YYYYMMDDNN.
+  * ?named -L ? causes named to send log messages to the specified file by
+    default instead of to the system log.
+  * ?dig +ttlunits? prints TTL values with time-unit suffixes: w, d, h, m,
+    s for weeks, days, hours, minutes, and seconds.
+  * ?dig +unknownformat? prints dig output in RFC 3597 ?unknown record?
+    presentation format.
+  * ?dig +ednsopt? allows dig to set arbitrary EDNS options on requests.
+  * ?dig +ednsflags? allows dig to set yet-to-be-defined EDNS flags on
+    requests.
+  * ?mdig? is an alternate version of dig which sends multiple pipelined
+    TCP queries to a server. Instead of waiting for a response after
+    sending a query, it sends all queries immediately and displays
+    responses in the order received.
+  * ?serial-query-rate? no longer controls NOTIFY messages. These are
+    separately controlled by ?notify-rate? and ?startup-notify-rate?.
+  * ?nsupdate? now performs ?check-names? processing by default on records
+    to be added. This can be disabled with ?check-names no?.
+  * The statistics channel now supports DEFLATE compression, reducing the
+    size of the data sent over the network when querying statistics.
+  * New counters have been added to the statistics channel to track the
+    sizes of incoming queries and outgoing responses in histogram buckets,
+    as specified in RSSAC002.
+  * A new NXDOMAIN redirect method (option ?nxdomain-redirect?) has been
+    added, allowing redirection to a specified DNS namespace instead of a
+    single redirect zone.
+  * When starting up, named now ensures that no other named process is
+    already running.
+  * Files created by named to store information, including ?mkeys? and
+    ?nzf? files, are now named after their corresponding views unless the
+    view name contains characters incompatible with use as a filename. Old
+    style filenames (based on the hash of the view name) will still work.
+
+BIND 9.10.0
+
+BIND 9.10.0 includes a number of changes from BIND 9.9 and earlier
+releases. New features include:
+
+  * DNS Response-rate limiting (DNS RRL), which blunts the impact of
+    reflection and amplification attacks, is always compiled in and no
+    longer requires a compile-time option to enable it.
+  * An experimental ?Source Identity Token? (SIT) EDNS option is now
+    available. Similar to DNS Cookies as invented by Donald Eastlake 3rd,
+    these are designed to enable clients to detect off-path spoofed
+    responses, and to enable servers to detect spoofed-source queries.
+    Servers can be configured to send smaller responses to clients that
+    have not identified themselves using a SIT option, reducing the
+    effectiveness of amplification attacks. RRL processing has also been
+    updated; clients proven to be legitimate via SIT are not subject to
+    rate limiting. Use ?configure ?enable-sit? to enable this feature in
+    BIND.
+  * A new zone file format, ?map?, stores zone data in a format that can
+    be mapped directly into memory, allowing significantly faster zone
+    loading.
+  * ?delv? (domain entity lookup and validation) is a new tool with
+    dig-like semantics for looking up DNS data and performing internal
+    DNSSEC validation. This allows easy validation in environments where
+    the resolver may not be trustworthy, and assists with troubleshooting
+    of DNSSEC problems. (NOTE: In previous development releases of BIND
+    9.10, this utility was called ?delve?. The spelling has been changed
+    to avoid confusion with the ?delve? utility included with the Xapian
+    search engine.)
+  * Improved EDNS(0) processing for better resolver performance and
+    reliability over slow or lossy connections.
+  * A new ?configure ?with-tuning=large? option tunes certain compiled-in
+    constants and default settings to values better suited to large
+    servers with abundant memory. This can improve performance on such
+    servers, but will consume more memory and may degrade performance on
+    smaller systems.
+  * Substantial improvement in response-policy zone (RPZ) performance. Up
+    to 32 response-policy zones can be configured with minimal performance
+    loss.
+  * To improve recursive resolver performance, cache records which are
+    still being requested by clients can now be automatically refreshed
+    from the authoritative server before they expire, reducing or
+    eliminating the time window in which no answer is available in the
+    cache.
+  * New ?rpz-client-ip? triggers and drop policies allowing response
+    policies based on the IP address of the client.
+  * ACLs can now be specified based on geographic location using the
+    MaxMind GeoIP databases. Use ?configure ?with-geoip? to enable.
+  * Zone data can now be shared between views, allowing multiple views to
+    serve the same zones authoritatively without storing multiple copies
+    in memory.
+  * New XML schema (version 3) for the statistics channel includes many
+    new statistics and uses a flattened XML tree for faster parsing. The
+    older schema is now deprecated.
+  * A new stylesheet, based on the Google Charts API, displays XML
+    statistics in charts and graphs on javascript-enabled browsers.
+  * The statistics channel can now provide data in JSON format as well as
+    XML.
+  * New stats counters track TCP and UDP queries received per zone, and
+    EDNS options received in total.
+  * The internal and export versions of the BIND libraries (libisc,
+    libdns, etc) have been unified so that external library clients can
+    use the same libraries as BIND itself.
+  * A new compile-time option, ?configure ?enable-native-pkcs11?, allows
+    BIND 9 cryptography functions to use the PKCS#11 API natively, so that
+    BIND can drive a cryptographic hardware service module (HSM) directly
+    instead of using a modified OpenSSL as an intermediary. (Note: This
+    feature requires an HSM to have a full implementation of the PKCS#11
+    API; many current HSMs only have partial implementations. The new
+    ?pkcs11-tokens? command can be used to check API completeness. Native
+    PKCS#11 is known to work with the Thales nShield HSM and with SoftHSM
+    version 2 from the Open DNSSEC project.)
+  * The new ?max-zone-ttl? option enforces maximum TTLs for zones. This
+    can simplify the process of rolling DNSSEC keys by guaranteeing that
+    cached signatures will have expired within the specified amount of
+    time.
+  * ?dig +subnet? sends an EDNS CLIENT-SUBNET option when querying.
+  * ?dig +expire? sends an EDNS EXPIRE option when querying. When this
+    option is sent with an SOA query to a server that supports it, it will
+    report the expiry time of a slave zone.
+  * New ?dnssec-coverage? tool to check DNSSEC key coverage for a zone and
+    report if a lapse in signing coverage has been inadvertently
+    scheduled.
+  * Signing algorithm flexibility and other improvements for the ?rndc?
+    control channel.
+  * ?named-checkzone? and ?named-compilezone? can now read journal files,
+    allowing them to process dynamic zones.
+  * Multiple DLZ databases can now be configured. Individual zones can be
+    configured to be served from a specific DLZ database. DLZ databases
+    now serve zones of type ?master? and ?redirect?.
+  * ?rndc zonestatus? reports information about a specified zone.
+  * ?named? now listens on IPv6 as well as IPv4 interfaces by default.
+  * ?named? now preserves the capitalization of names when responding to
+    queries: for instance, a query for ?example.com? may be answered with
+    ?example.COM? if the name was configured that way in the zone file.
+    Some clients have a bug causing them to depend on the older behavior,
+    in which the case of the answer always matched the case of the query,
+    rather than the case of the name configured in the DNS. Such clients
+    can now be specified in the new ?no-case-compress? ACL; this will
+    restore the older behavior of ?named? for those clients only.
+  * new ?dnssec-importkey? command allows the use of offline DNSSEC keys
+    with automatic DNSKEY management.
+  * New ?named-rrchecker? tool to verify the syntactic correctness of
+    individual resource records.
+  * When re-signing a zone, the new ?dnssec-signzone -Q? option drops
+    signatures from keys that are still published but are no longer
+    active.
+  * ?named-checkconf -px? will print the contents of configuration files
+    with the shared secrets obscured, making it easier to share
+    configuration (e.g. when submitting a bug report) without revealing
+    private information.
+  * ?rndc scan? causes named to re-scan network interfaces for changes in
+    local addresses.
+  * On operating systems with support for routing sockets, network
+    interfaces are re-scanned automatically whenever they change.
+  * ?tsig-keygen? is now available as an alternate command name to use for
+    ?ddns-confgen?.
+
+BIND 9.9.0
+
+BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier
+releases. New features include:
+
+  * Inline signing, allowing automatic DNSSEC signing of master zones
+    without modification of the zonefile, or ?bump in the wire? signing in
+    slaves.
+  * NXDOMAIN redirection.
+  * New ?rndc flushtree? command clears all data under a given name from
+    the DNS cache.
+  * New ?rndc sync? command dumps pending changes in a dynamic zone to
+    disk without a freeze/thaw cycle.
+  * New ?rndc signing? command displays or clears signing status records
+    in ?auto-dnssec? zones.
+  * NSEC3 parameters for ?auto-dnssec? zones can now be set prior to
+    signing, eliminating the need to initially sign with NSEC.
+  * Startup time improvements on large authoritative servers.
+  * Slave zones are now saved in raw format by default.
+  * Several improvements to response policy zones (RPZ).
+  * Improved hardware scalability by using multiple threads to listen for
+    queries and using finer-grained client locking
+  * The ?also-notify? option now takes the same syntax as ?masters?, so it
+    can used named masterlists and TSIG keys.
+  * ?dnssec-signzone -D? writes an output file containing only DNSSEC
+    data, which can be included by the primary zone file.
+  * ?dnssec-signzone -R? forces removal of signatures that are not expired
+    but were created by a key which no longer exists.
+  * ?dnssec-signzone -X? allows a separate expiration date to be specified
+    for DNSKEY signatures from other signatures.
+  * New ?-L? option to dnssec-keygen, dnssec-settime, and
+    dnssec-keyfromlabel sets the default TTL for the key.
+  * dnssec-dsfromkey now supports reading from standard input, to make it
+    easier to convert DNSKEY to DS.
+  * RFC 1918 reverse zones have been added to the empty-zones table per
+    RFC 6303.
+  * Dynamic updates can now optionally set the zone?s SOA serial number to
+    the current UNIX time.
+  * DLZ modules can now retrieve the source IP address of the querying
+    client.
+  * ?request-ixfr? option can now be set at the per-zone level.
+  * ?dig +rrcomments? turns on comments about DNSKEY records, indicating
+    their key ID, algorithm and function
+  * Simplified nsupdate syntax and added readline support
+
+BIND 9.8.0
+
+BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier
+releases. New features include:
+
+  * Built-in trust anchor for the root zone, which can be switched on via
+    ?dnssec-validation auto;?
+  * Support for DNS64.
+  * Support for response policy zones (RPZ).
+  * Support for writable DLZ zones.
+  * Improved ease of configuration of GSS/TSIG for interoperability with
+    Active Directory
+  * Support for GOST signing algorithm for DNSSEC.
+  * Removed RTT Banding from server selection algorithm.
+  * New ?static-stub? zone type.
+  * Allow configuration of resolver timeouts via ?resolver-query-timeout?
+    option.
+  * The DLZ ?dlopen? driver is now built by default.
+  * Added a new include file with function typedefs for the DLZ ?dlopen?
+    driver.
+  * Made ??with-gssapi? default.
+  * More verbose error reporting from DLZ LDAP.
+
+BIND 9.7.0
+
+BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier
+releases. Most are intended to simplify DNSSEC configuration. New features
+include:
+
+  * Fully automatic signing of zones by ?named?.
+  * Simplified configuration of DNSSEC Lookaside Validation (DLV).
+  * Simplified configuration of Dynamic DNS, using the ?ddns-confgen?
+    command line tool or the ?local? update-policy option. (As a side
+    effect, this also makes it easier to configure automatic zone
+    re-signing.)
+  * New named option ?attach-cache? that allows multiple views to share a
+    single cache.
+  * DNS rebinding attack prevention.
+  * New default values for dnssec-keygen parameters.
+  * Support for RFC 5011 automated trust anchor maintenance
+  * Smart signing: simplified tools for zone signing and key maintenance.
+  * The ?statistics-channels? option is now available on Windows.
+  * A new DNSSEC-aware libdns API for use by non-BIND9 applications
+  * On some platforms, named and other binaries can now print out a stack
+    backtrace on assertion failure, to aid in debugging.
+  * A ?tools only? installation mode on Windows, which only installs dig,
+    host, nslookup and nsupdate.
+  * Improved PKCS#11 support, including Keyper support and explicit
+    OpenSSL engine selection.
+
+BIND 9.6.0
+
+  * Full NSEC3 support
+  * Automatic zone re-signing
+  * New update-policy methods tcp-self and 6to4-self
+  * The BIND 8 resolver library, libbind, has been removed from the BIND 9
+    distribution and is now available as a separate download.
+  * Change the default pid file location from /var/run to /var/run/
+    {named,lwresd} for improved chroot/setuid support.
+
+BIND 9.5.0
+
+  * GSS-TSIG support (RFC 3645).
+  * DHCID support.
+  * Experimental http server and statistics support for named via xml.
+  * More detailed statistics counters including those supported in BIND 8.
+  * Faster ACL processing.
+  * Use Doxygen to generate internal documentation.
+  * Efficient LRU cache-cleaning mechanism.
+  * NSID support.
+
+BIND 9.4.0
+
+  * Implemented ?additional section caching (or acache)?, an internal
+    cache framework for additional section content to improve response
+    performance. Several configuration options were provided to control
+    the behavior.
+  * New notify type ?master-only?. Enable notify for master zones only.
+  * Accept ?notify-source? style syntax for query-source.
+  * rndc now allows addresses to be set in the server clauses.
+  * New option ?allow-query-cache?. This lets ?allow-query? be used to
+    specify the default zone access level rather than having to have every
+    zone override the global value. ?allow-query-cache? can be set at both
+    the options and view levels. If ?allow-query-cache? is not set then
+    ?allow-recursion? is used if set, otherwise ?allow-query? is used if
+    set unless ?recursion no;? is set in which case ?none;? is used,
+    otherwise the default (localhost; localnets;) is used.
+  * rndc: the source address can now be specified.
+  * ixfr-from-differences now takes master and slave in addition to yes
+    and no at the options and view levels.
+  * Allow the journal?s name to be changed via named.conf.
+  * ?rndc notify zone [class [view]]? resend the NOTIFY messages for the
+    specified zone.
+  * ?dig +trace? now randomly selects the next servers to try. Report if
+    there is a bad delegation.
+  * Improve check-names error messages.
+  * Make public the function to read a key file, dst_key_read_public().
+  * dig now returns the byte count for axfr/ixfr.
+  * allow-update is now settable at the options / view level.
+  * named-checkconf now checks the logging configuration.
+  * host now can turn on memory debugging flags with ?-m?.
+  * Don?t send notify messages to self.
+  * Perform sanity checks on NS records which refer to ?in zone? names.
+  * New zone option ?notify-delay?. Specify a minimum delay between sets
+    of NOTIFY messages.
+  * Extend adjusting TTL warning messages.
+  * Named and named-checkzone can now both check for non-terminal wildcard
+    records.
+  * ?rndc freeze/thaw? now freezes/thaws all zones.
+  * named-checkconf now check acls to verify that they only refer to
+    existing acls.
+  * The server syntax has been extended to support a range of servers.
+  * Report differences between hints and real NS rrset and associated
+    address records.
+  * Preserve the case of domain names in rdata during zone transfers.
+  * Restructured the data locking framework using architecture dependent
+    atomic operations (when available), improving response performance on
+    multi-processor machines significantly. x86, x86_64, alpha, powerpc,
+    and mips are currently supported.
+  * UNIX domain controls are now supported.
+  * Add support for additional zone file formats for improving loading
+    performance. The masterfile-format option in named.conf can be used to
+    specify a non-default format. A separate command named-compilezone was
+    provided to generate zone files in the new format. Additionally, the
+    -I and -O options for dnssec-signzone specify the input and output
+    formats.
+  * dnssec-signzone can now randomize signature end times (dnssec-signzone
+    -j jitter).
+  * Add support for CH A record.
+  * Add additional zone data constancy checks. named-checkzone has
+    extended checking of NS, MX and SRV record and the hosts they
+    reference. named has extended post zone load checks. New zone options:
+    check-mx and integrity-check.
+  * edns-udp-size can now be overridden on a per server basis.
+  * dig can now specify the EDNS version when making a query.
+  * Added framework for handling multiple EDNS versions.
+  * Additional memory debugging support to track size and mctx arguments.
+  * Detect duplicates of UDP queries we are recursing on and drop them.
+    New stats category ?duplicates?.
+  * ?USE INTERNAL MALLOC? is now runtime selectable.
+  * The lame cache is now done on a <qname,qclass,qtype> basis as some
+    servers only appear to be lame for certain query types.
+  * Limit the number of recursive clients that can be waiting for a single
+    query (<qname,qtype,qclass>) to resolve. New options clients-per-query
+    and max-clients-per-query.
+  * dig: report the number of extra bytes still left in the packet after
+    processing all the records.
+  * Support for IPSECKEY rdata type.
+  * Raise the UDP recieve buffer size to 32k if it is less than 32k.
+  * x86 and x86_64 now have seperate atomic locking implementations.
+  * named-checkconf now validates update-policy entries.
+  * Attempt to make the amount of work performed in a iteration self
+    tuning. The covers nodes clean from the cache per iteration, nodes
+    written to disk when rewriting a master file and nodes destroyed per
+    iteration when destroying a zone or a cache.
+  * ISC string copy API.
+  * Automatic empty zone creation for D.F.IP6.ARPA and friends. Note: RFC
+    1918 zones are not yet covered by this but are likely to be in a
+    future release.
+  * New options: empty-server, empty-contact, empty-zones-enable and
+    disable-empty-zone.
+  * dig now has a ?-q queryname? and ?+showsearch? options.
+  * host/nslookup now continue (default)/fail on SERVFAIL.
+  * dig now warns if ?RA? is not set in the answer when ?RD? was set in
+    the query. host/nslookup skip servers that fail to set ?RA? when ?RD?
+    is set unless a server is explicitly set.
+  * Integrate contibuted DLZ code into named.
+  * Integrate contibuted IDN code from JPNIC.
+  * libbind: corresponds to that from BIND 8.4.7.
+
+BIND 9.3.0
+
+  * DNSSEC is now DS based (RFC 3658).
+  * DNSSEC lookaside validation.
+  * check-names is now implemented.
+  * rrset-order is more complete.
+  * IPv4/IPv6 transition support, dual-stack-servers.
+  * IXFR deltas can now be generated when loading master files,
+    ixfr-from-differences.
+  * It is now possible to specify the size of a journal, max-journal-size.
+  * It is now possible to define a named set of master servers to be used
+    in masters clause, masters.
+  * The advertised EDNS UDP size can now be set, edns-udp-size.
+  * allow-v6-synthesis has been obsoleted.
+  * Zones containing MD and MF will now be rejected.
+  * dig, nslookup name. now report ?Not Implemented? as NOTIMP rather than
+    NOTIMPL. This will have impact on scripts that are looking for
+    NOTIMPL.
+  * libbind: corresponds to that from BIND 8.4.5.
+
+BIND 9.2.0
+
+  * The size of the cache can now be limited using the ?max-cache-size?
+    option.
+  * The server can now automatically convert RFC1886-style recursive
+    lookup requests into RFC2874-style lookups, when enabled using the new
+    option ?allow-v6-synthesis?. This allows stub resolvers that support
+    AAAA records but not A6 record chains or binary labels to perform
+    lookups in domains that make use of these IPv6 DNS features.
+  * Performance has been improved.
+  * The man pages now use the more portable ?man? macros rather than the
+    ?mandoc? macros, and are installed by ?make install?.
+  * The named.conf parser has been completely rewritten. It now supports
+    ?include? directives in more places such as inside ?view? statements,
+    and it no longer has any reserved words.
+  * The ?rndc status? command is now implemented.
+  * rndc can now be configured automatically.
+  * A BIND 8 compatible stub resolver library is now included in lib/bind.
+  * OpenSSL has been removed from the distribution. This means that to use
+    DNSSEC, OpenSSL must be installed and the ?with-openssl option must be
+    supplied to configure. This does not apply to the use of TSIG, which
+    does not require OpenSSL.
+  * The source distribution now builds on Windows. See win32utils/
+    readme1.txt and win32utils/win32-build.txt for details.
+  * This distribution also includes a new lightweight stub resolver
+    library and associated resolver daemon that fully support forward and
+    reverse lookups of both IPv4 and IPv6 addresses. This library is
+    considered experimental and is not a complete replacement for the BIND
+    8 resolver library. Applications that use the BIND 8 res_* functions
+    to perform DNS lookups or dynamic updates still need to be linked
+    against the BIND 8 libraries. For DNS lookups, they can also use the
+    new ?getrrsetbyname()? API.
+  * BIND 9.2 is capable of acting as an authoritative server for DNSSEC
+    secured zones. This functionality is believed to be stable and
+    complete except for lacking support for verifications involving
+    wildcard records in secure zones.
+  * When acting as a caching server, BIND 9.2 can be configured to perform
+    DNSSEC secure resolution on behalf of its clients. This part of the
+    DNSSEC implementation is still considered experimental. For detailed
+    information about the state of the DNSSEC implementation, see the file
+    doc/misc/dnssec.

HISTORY.md

@@ -0,0 +1,542 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+### Functional enhancements from prior major releases of BIND 9
+
+#### BIND 9.11
+
+BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier
+releases.  New features include:
+
+- Added support for Catalog Zones, a new method for provisioning servers: a
+  list of zones to be served is stored in a DNS zone, along with their
+  configuration parameters. Changes to the catalog zone are propagated to
+  slaves via normal AXFR/IXFR, whereupon the zones that are listed in it
+  are automatically added, deleted or reconfigured.
+- Added support for "dnstap", a fast and flexible method of capturing and
+  logging DNS traffic.
+- Added support for "dyndb", a new API for loading zone data from an
+  external database, developed by Red Hat for the FreeIPA project.
+- "fetchlimit" quotas are now compiled in by default.  These are for the
+  use of recursive resolvers that are are under high query load for domains
+  whose authoritative servers are nonresponsive or are experiencing a
+  denial of service attack:
+    - "fetches-per-server" limits the number of simultaneous queries that
+      can be sent to any single authoritative server.  The configured value
+      is a starting point; it is automatically adjusted downward if the
+      server is partially or completely non-responsive. The algorithm used
+      to adjust the quota can be configured via the "fetch-quota-params"
+      option.
+    - "fetches-per-zone" limits the number of simultaneous queries that can
+      be sent for names within a single domain.  (Note: Unlike
+      "fetches-per-server", this value is not self-tuning.)
+    - New stats counters have been added to count queries spilled due to
+      these quotas.
+- Added a new "dnssec-keymgr" key mainenance utility, which can generate or
+  update keys as needed to ensure that a zone's keys match a defined DNSSEC
+  policy.
+- The experimental "SIT" feature in BIND 9.10 has been renamed "COOKIE" and
+  is no longer optional. EDNS COOKIE is a mechanism enabling clients to
+  detect off-path spoofed responses, and servers to detect spoofed-source
+  queries.  Clients that identify themselves using COOKIE options are not
+  subject to response rate limiting (RRL) and can receive larger UDP
+  responses.
+- SERVFAIL responses can now be cached for a limited time (defaulting to 1
+  second, with an upper limit of 30).  This can reduce the frequency of
+  retries when a query is persistently failing.
+- Added an "nsip-wait-recurse" switch to RPZ. This causes NSIP rules to be
+  skipped if a name server IP address isn't in the cache yet; the address
+  will be looked up and the rule will be applied on future queries.
+- Added a Python RNDC module. This allows multiple commands to sent over a
+  persistent RNDC channel, which saves time.
+- The "controls" block in named.conf can now grant read-only "rndc" access
+  to specified clients or keys. Read-only clients could, for example, check
+  "rndc status" but could not reconfigure or shut down the server.
+- "rndc" commands can now return arbitrarily large amounts of text to the
+  caller.
+- The zone serial number of a dynamically updatable zone can now be set via
+  "rndc signing -serial <number> <zonename>".  This allows inline-signing
+  zones to be set to a specific serial number.
+- The new "rndc nta" command can be used to set a Negative Trust Anchor
+  (NTA), disabling DNSSEC validation for a specific domain; this can be
+  used when responses from a domain are known to be failing validation due
+  to administrative error rather than because of a spoofing attack.
+  Negative trust anchors are strictly temporary; by default they expire
+  after one hour, but can be configured to last up to one week.
+- "rndc delzone" can now be used on zones that were not originally created
+  by "rndc addzone".
+- "rndc modzone" reconfigures a single zone, without requiring the entire
+  server to be reconfigured.
+- "rndc showzone" displays the current configuration of a zone.
+- "rndc managed-keys" can be used to check the status of RFC 5001 managed
+  trust anchors, or to force trust anchors to be refreshed.
+- "max-cache-size" can now be set to a percentage of available memory. The
+  default is 90%.
+- Update forwarding performance has been improved by allowing a single TCP
+  connection to be shared by multiple updates.
+- The EDNS Client Subnet (ECS) option is now supported for authoritative
+  servers; if a query contains an ECS option then ACLs containing "geoip"
+  or "ecs" elements can match against the the address encoded in the
+  option.  This can be used to select a view for a query, so that different
+  answers can be provided depending on the client network.
+- The EDNS EXPIRE option has been implemented on the client side, allowing
+  a slave server to set the expiration timer correctly when transferring
+  zone data from another slave server.
+- The key generation and manipulation tools (dnssec-keygen, dnssec-settime,
+  dnssec-importkey, dnssec-keyfromlabel) now take "-Psync" and "-Dsync"
+  options to set the publication and deletion times of CDS and CDNSKEY
+  parent-synchronization records.  Both named and dnssec-signzone can now
+  publish and remove these records at the scheduled times.
+- A new "minimal-any" option reduces the size of UDP responses for query
+  type ANY by returning a single arbitrarily selected RRset instead of all
+  RRsets.
+- A new "masterfile-style" zone option controls the formatting of text zone
+  files:  When set to "full", a zone file is dumped in
+  single-line-per-record format.
+- "serial-update-method" can now be set to "date". On update, the serial
+  number will be set to the current date in YYYYMMDDNN format.
+- "dnssec-signzone -N date" sets the serial number to YYYYMMDDNN.
+- "named -L <filename>" causes named to send log messages to the specified
+  file by default instead of to the system log.
+- "dig +ttlunits" prints TTL values with time-unit suffixes: w, d, h, m, s
+  for weeks, days, hours, minutes, and seconds.
+- "dig +unknownformat" prints dig output in RFC 3597 "unknown record"
+  presentation format.
+- "dig +ednsopt" allows dig to set arbitrary EDNS options on requests.
+- "dig +ednsflags" allows dig to set yet-to-be-defined EDNS flags on
+  requests.
+- "mdig" is an alternate version of dig which sends multiple pipelined TCP
+  queries to a server.  Instead of waiting for a response after sending a
+  query, it sends all queries immediately and displays responses in the
+  order received.
+- "serial-query-rate" no longer controls NOTIFY messages.  These are
+  separately controlled by "notify-rate" and "startup-notify-rate".
+- "nsupdate" now performs "check-names" processing by default on records to
+  be added.  This can be disabled with "check-names no".
+- The statistics channel now supports DEFLATE compression, reducing the
+  size of the data sent over the network when querying statistics.
+- New counters have been added to the statistics channel to track the sizes
+  of incoming queries and outgoing responses in histogram buckets, as
+  specified in RSSAC002.
+- A new NXDOMAIN redirect method (option "nxdomain-redirect") has been
+  added, allowing redirection to a specified DNS namespace instead of a
+  single redirect zone.
+- When starting up, named now ensures that no other named process is
+  already running.
+- Files created by named to store information, including "mkeys" and "nzf"
+  files, are now named after their corresponding views unless the view name
+  contains characters incompatible with use as a filename. Old style
+  filenames (based on the hash of the view name) will still work.
+
+#### BIND 9.10.0
+
+BIND 9.10.0 includes a number of changes from BIND 9.9 and earlier
+releases.  New features include:
+
+ - DNS Response-rate limiting (DNS RRL), which blunts the
+   impact of reflection and amplification attacks, is always
+   compiled in and no longer requires a compile-time option
+   to enable it.
+ - An experimental "Source Identity Token" (SIT) EDNS option
+   is now available.  Similar to DNS Cookies as invented by
+   Donald Eastlake 3rd, these are designed to enable clients
+   to detect off-path spoofed responses, and to enable servers
+   to detect spoofed-source queries.  Servers can be configured
+   to send smaller responses to clients that have not identified
+   themselves using a SIT option, reducing the effectiveness of
+   amplification attacks.  RRL processing has also been updated;
+   clients proven to be legitimate via SIT are not subject to
+   rate limiting.  Use "configure --enable-sit" to enable this
+   feature in BIND.
+ - A new zone file format, "map", stores zone data in a
+   format that can be mapped directly into memory, allowing
+   significantly faster zone loading.
+ - "delv" (domain entity lookup and validation) is a new tool
+   with dig-like semantics for looking up DNS data and performing
+   internal DNSSEC validation.  This allows easy validation in
+   environments where the resolver may not be trustworthy, and
+   assists with troubleshooting of DNSSEC problems. (NOTE:
+   In previous development releases of BIND 9.10, this utility
+   was called "delve". The spelling has been changed to avoid
+   confusion with the "delve" utility included with the Xapian
+   search engine.)
+ - Improved EDNS(0) processing for better resolver performance
+   and reliability over slow or lossy connections.
+ - A new "configure --with-tuning=large" option tunes certain
+   compiled-in constants and default settings to values better
+   suited to large servers with abundant memory.  This can
+   improve performance on such servers, but will consume more
+   memory and may degrade performance on smaller systems.
+ - Substantial improvement in response-policy zone (RPZ)
+   performance.  Up to 32 response-policy zones can be
+   configured with minimal performance loss.
+ - To improve recursive resolver performance, cache records
+   which are still being requested by clients can now be
+   automatically refreshed from the authoritative server
+   before they expire, reducing or eliminating the time
+   window in which no answer is available in the cache.
+ - New "rpz-client-ip" triggers and drop policies allowing
+   response policies based on the IP address of the client.
+ - ACLs can now be specified based on geographic location
+   using the MaxMind GeoIP databases.  Use "configure
+   --with-geoip" to enable.
+ - Zone data can now be shared between views, allowing
+   multiple views to serve the same zones authoritatively
+   without storing multiple copies in memory.
+ - New XML schema (version 3) for the statistics channel
+   includes many new statistics and uses a flattened XML tree
+   for faster parsing. The older schema is now deprecated.
+ - A new stylesheet, based on the Google Charts API, displays
+   XML statistics in charts and graphs on javascript-enabled
+   browsers.
+ - The statistics channel can now provide data in JSON
+   format as well as XML.
+ - New stats counters track TCP and UDP queries received
+   per zone, and EDNS options received in total.
+ - The internal and export versions of the BIND libraries
+   (libisc, libdns, etc) have been unified so that external
+   library clients can use the same libraries as BIND itself.
+ - A new compile-time option, "configure --enable-native-pkcs11",
+   allows BIND 9 cryptography functions to use the PKCS#11 API
+   natively, so that BIND can drive a cryptographic hardware
+   service module (HSM) directly instead of using a modified
+   OpenSSL as an intermediary. (Note: This feature requires an
+   HSM to have a full implementation of the PKCS#11 API; many
+   current HSMs only have partial implementations. The new
+   "pkcs11-tokens" command can be used to check API completeness.
+   Native PKCS#11 is known to work with the Thales nShield HSM
+   and with SoftHSM version 2 from the Open DNSSEC project.)
+ - The new "max-zone-ttl" option enforces maximum TTLs for
+   zones. This can simplify the process of rolling DNSSEC keys
+   by guaranteeing that cached signatures will have expired
+   within the specified amount of time.
+ - "dig +subnet" sends an EDNS CLIENT-SUBNET option when
+   querying.
+ - "dig +expire" sends an EDNS EXPIRE option when querying.
+   When this option is sent with an SOA query to a server
+   that supports it, it will report the expiry time of
+   a slave zone.
+ - New "dnssec-coverage" tool to check DNSSEC key coverage
+   for a zone and report if a lapse in signing coverage has
+   been inadvertently scheduled.
+ - Signing algorithm flexibility and other improvements
+   for the "rndc" control channel.
+ - "named-checkzone" and "named-compilezone" can now read
+   journal files, allowing them to process dynamic zones.
+ - Multiple DLZ databases can now be configured.  Individual
+   zones can be configured to be served from a specific DLZ
+   database.  DLZ databases now serve zones of type "master"
+   and "redirect".
+ - "rndc zonestatus" reports information about a specified zone.
+ - "named" now listens on IPv6 as well as IPv4 interfaces
+   by default.
+ - "named" now preserves the capitalization of names
+   when responding to queries: for instance, a query for
+   "example.com" may be answered with "example.COM" if the
+   name was configured that way in the zone file.  Some
+   clients have a bug causing them to depend on the older
+   behavior, in which the case of the answer always matched
+   the case of the query, rather than the case of the name
+   configured in the DNS.  Such clients can now be specified
+   in the new "no-case-compress" ACL; this will restore the
+   older behavior of "named" for those clients only.
+ - new "dnssec-importkey" command allows the use of offline
+   DNSSEC keys with automatic DNSKEY management.
+ - New "named-rrchecker" tool to verify the syntactic
+   correctness of individual resource records.
+ - When re-signing a zone, the new "dnssec-signzone -Q" option
+   drops signatures from keys that are still published but are
+   no longer active.
+ - "named-checkconf -px" will print the contents of configuration
+   files with the shared secrets obscured, making it easier to
+   share configuration (e.g. when submitting a bug report)
+   without revealing private information.
+ - "rndc scan" causes named to re-scan network interfaces for
+   changes in local addresses.
+ - On operating systems with support for routing sockets,
+   network interfaces are re-scanned automatically whenever
+   they change.
+ - "tsig-keygen" is now available as an alternate command
+   name to use for "ddns-confgen".
+
+#### BIND 9.9.0
+
+BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier
+releases.  New features include:
+
+- Inline signing, allowing automatic DNSSEC signing of
+  master zones without modification of the zonefile, or
+  "bump in the wire" signing in slaves.
+- NXDOMAIN redirection.
+- New 'rndc flushtree' command clears all data under a given
+  name from the DNS cache.
+- New 'rndc sync' command dumps pending changes in a dynamic
+  zone to disk without a freeze/thaw cycle.
+- New 'rndc signing' command displays or clears signing status
+  records in 'auto-dnssec' zones.
+- NSEC3 parameters for 'auto-dnssec' zones can now be set prior
+  to signing, eliminating the need to initially sign with NSEC.
+- Startup time improvements on large authoritative servers.
+- Slave zones are now saved in raw format by default.
+- Several improvements to response policy zones (RPZ).
+- Improved hardware scalability by using multiple threads
+  to listen for queries and using finer-grained client locking
+- The 'also-notify' option now takes the same syntax as
+  'masters', so it can used named masterlists and TSIG keys.
+- 'dnssec-signzone -D' writes an output file containing only DNSSEC
+  data, which can be included by the primary zone file.
+- 'dnssec-signzone -R' forces removal of signatures that are
+  not expired but were created by a key which no longer exists.
+- 'dnssec-signzone -X' allows a separate expiration date to
+  be specified for DNSKEY signatures from other signatures.
+- New '-L' option to dnssec-keygen, dnssec-settime, and
+  dnssec-keyfromlabel sets the default TTL for the key.
+- dnssec-dsfromkey now supports reading from standard input,
+  to make it easier to convert DNSKEY to DS.
+- RFC 1918 reverse zones have been added to the empty-zones
+  table per RFC 6303.
+- Dynamic updates can now optionally set the zone's SOA serial
+  number to the current UNIX time.
+- DLZ modules can now retrieve the source IP address of
+  the querying client.
+- 'request-ixfr' option can now be set at the per-zone level.
+- 'dig +rrcomments' turns on comments about DNSKEY records,
+  indicating their key ID, algorithm and function
+- Simplified nsupdate syntax and added readline support
+
+#### BIND 9.8.0
+
+BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier
+releases.  New features include:
+
+- Built-in trust anchor for the root zone, which can be
+  switched on via "dnssec-validation auto;"
+- Support for DNS64.
+- Support for response policy zones (RPZ).
+- Support for writable DLZ zones.
+- Improved ease of configuration of GSS/TSIG for
+  interoperability with Active Directory
+- Support for GOST signing algorithm for DNSSEC.
+- Removed RTT Banding from server selection algorithm.
+- New "static-stub" zone type.
+- Allow configuration of resolver timeouts via
+  "resolver-query-timeout" option.
+- The DLZ "dlopen" driver is now built by default.
+- Added a new include file with function typedefs
+  for the DLZ "dlopen" driver.
+- Made "--with-gssapi" default.
+- More verbose error reporting from DLZ LDAP.
+
+#### BIND 9.7.0
+
+BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier
+releases.  Most are intended to simplify DNSSEC configuration.
+New features include:
+
+- Fully automatic signing of zones by "named".
+- Simplified configuration of DNSSEC Lookaside Validation (DLV).
+- Simplified configuration of Dynamic DNS, using the "ddns-confgen"
+  command line tool or the "local" update-policy option.  (As a side
+  effect, this also makes it easier to configure automatic zone
+  re-signing.)
+- New named option "attach-cache" that allows multiple views to
+  share a single cache.
+- DNS rebinding attack prevention.
+- New default values for dnssec-keygen parameters.
+- Support for RFC 5011 automated trust anchor maintenance
+- Smart signing: simplified tools for zone signing and key
+  maintenance.
+- The "statistics-channels" option is now available on Windows.
+- A new DNSSEC-aware libdns API for use by non-BIND9 applications
+- On some platforms, named and other binaries can now print out
+  a stack backtrace on assertion failure, to aid in debugging.
+- A "tools only" installation mode on Windows, which only installs
+  dig, host, nslookup and nsupdate.
+- Improved PKCS#11 support, including Keyper support and explicit
+  OpenSSL engine selection.
+
+#### BIND 9.6.0
+
+- Full NSEC3 support
+- Automatic zone re-signing
+- New update-policy methods tcp-self and 6to4-self
+- The BIND 8 resolver library, libbind, has been removed from the BIND 9
+  distribution and is now available as a separate download.
+- Change the default pid file location from /var/run to
+  /var/run/{named,lwresd} for improved chroot/setuid support.
+
+#### BIND 9.5.0
+
+- GSS-TSIG support (RFC 3645).
+- DHCID support.
+- Experimental http server and statistics support for named via xml.
+- More detailed statistics counters including those supported in BIND 8.
+- Faster ACL processing.
+- Use Doxygen to generate internal documentation.
+- Efficient LRU cache-cleaning mechanism.
+- NSID support.
+
+BIND 9.4.0
+
+- Implemented "additional section caching (or acache)", an internal cache
+  framework for additional section content to improve response performance.
+  Several configuration options were provided to control the behavior.
+- New notify type 'master-only'.  Enable notify for master zones only.
+- Accept 'notify-source' style syntax for query-source.
+- rndc now allows addresses to be set in the server clauses.
+- New option "allow-query-cache".  This lets "allow-query" be used to
+  specify the default zone access level rather than having to have every
+  zone override the global value.  "allow-query-cache" can be set at both
+  the options and view levels.  If "allow-query-cache" is not set then
+  "allow-recursion" is used if set, otherwise "allow-query" is used if set
+  unless "recursion no;" is set in which case "none;" is used, otherwise
+  the default (localhost; localnets;) is used.
+- rndc: the source address can now be specified.
+- ixfr-from-differences now takes master and slave in addition to yes and
+  no at the options and view levels.
+- Allow the journal's name to be changed via named.conf.
+- 'rndc notify zone [class [view]]' resend the NOTIFY messages for the
+  specified zone.
+- 'dig +trace' now randomly selects the next servers to try.  Report if
+  there is a bad delegation.
+- Improve check-names error messages.
+- Make public the function to read a key file, dst_key_read_public().
+- dig now returns the byte count for axfr/ixfr.
+- allow-update is now settable at the options / view level.
+- named-checkconf now checks the logging configuration.
+- host now can turn on memory debugging flags with '-m'.
+- Don't send notify messages to self.
+- Perform sanity checks on NS records which refer to 'in zone' names.
+- New zone option "notify-delay".  Specify a minimum delay between sets of
+  NOTIFY messages.
+- Extend adjusting TTL warning messages.
+- Named and named-checkzone can now both check for non-terminal wildcard
+  records.
+- "rndc freeze/thaw" now freezes/thaws all zones.
+- named-checkconf now check acls to verify that they only refer to existing
+  acls.
+- The server syntax has been extended to support a range of servers.
+- Report differences between hints and real NS rrset and associated address
+  records.
+- Preserve the case of domain names in rdata during zone transfers.
+- Restructured the data locking framework using architecture dependent
+  atomic operations (when available), improving response performance on
+  multi-processor machines significantly.  x86, x86_64, alpha, powerpc, and
+  mips are currently supported.
+- UNIX domain controls are now supported.
+- Add support for additional zone file formats for improving loading
+  performance.  The masterfile-format option in named.conf can be used to
+  specify a non-default format.  A separate command named-compilezone was
+  provided to generate zone files in the new format.  Additionally, the -I
+  and -O options for dnssec-signzone specify the input and output formats.
+- dnssec-signzone can now randomize signature end times (dnssec-signzone -j
+  jitter).
+- Add support for CH A record.
+- Add additional zone data constancy checks.  named-checkzone has extended
+  checking of NS, MX and SRV record and the hosts they reference.  named
+  has extended post zone load checks.  New zone options: check-mx and
+  integrity-check.
+- edns-udp-size can now be overridden on a per server basis.
+- dig can now specify the EDNS version when making a query.
+- Added framework for handling multiple EDNS versions.
+- Additional memory debugging support to track size and mctx arguments.
+- Detect duplicates of UDP queries we are recursing on and drop them.  New
+  stats category "duplicates".
+- "USE INTERNAL MALLOC" is now runtime selectable.
+- The lame cache is now done on a <qname,qclass,qtype> basis as some
+  servers only appear to be lame for certain query types.
+- Limit the number of recursive clients that can be waiting for a single
+  query (<qname,qtype,qclass>) to resolve.  New options clients-per-query
+  and max-clients-per-query.
+- dig: report the number of extra bytes still left in the packet after
+  processing all the records.
+- Support for IPSECKEY rdata type.
+- Raise the UDP recieve buffer size to 32k if it is less than 32k.
+- x86 and x86_64 now have seperate atomic locking implementations.
+- named-checkconf now validates update-policy entries.
+- Attempt to make the amount of work performed in a iteration self tuning.
+  The covers nodes clean from the cache per iteration, nodes written to
+  disk when rewriting a master file and nodes destroyed per iteration when
+  destroying a zone or a cache.
+- ISC string copy API.
+- Automatic empty zone creation for D.F.IP6.ARPA and friends.  Note: RFC
+  1918 zones are not yet covered by this but are likely to be in a future
+  release.
+- New options: empty-server, empty-contact, empty-zones-enable and
+  disable-empty-zone.
+- dig now has a '-q queryname' and '+showsearch' options.
+- host/nslookup now continue (default)/fail on SERVFAIL.
+- dig now warns if 'RA' is not set in the answer when 'RD' was set in the
+  query.  host/nslookup skip servers that fail to set 'RA' when 'RD' is set
+  unless a server is explicitly set.
+- Integrate contibuted DLZ code into named.
+- Integrate contibuted IDN code from JPNIC.
+- libbind: corresponds to that from BIND 8.4.7.
+
+#### BIND 9.3.0
+
+- DNSSEC is now DS based (RFC 3658).
+- DNSSEC lookaside validation.
+- check-names is now implemented.
+- rrset-order is more complete.
+- IPv4/IPv6 transition support, dual-stack-servers.
+- IXFR deltas can now be generated when loading master files,
+  ixfr-from-differences.
+- It is now possible to specify the size of a journal, max-journal-size.
+- It is now possible to define a named set of master servers to be used in
+  masters clause, masters.
+- The advertised EDNS UDP size can now be set, edns-udp-size.
+- allow-v6-synthesis has been obsoleted.
+- Zones containing MD and MF will now be rejected.
+- dig, nslookup name. now report "Not Implemented" as NOTIMP rather than
+  NOTIMPL.  This will have impact on scripts that are looking for NOTIMPL.
+- libbind: corresponds to that from BIND 8.4.5.
+
+#### BIND 9.2.0
+
+- The size of the cache can now be limited using the "max-cache-size"
+  option.
+- The server can now automatically convert RFC1886-style recursive lookup
+  requests into RFC2874-style lookups, when enabled using the new option
+  "allow-v6-synthesis".  This allows stub resolvers that support AAAA
+  records but not A6 record chains or binary labels to perform lookups in
+  domains that make use of these IPv6 DNS features.
+- Performance has been improved.
+- The man pages now use the more portable "man" macros rather than the
+  "mandoc" macros, and are installed by "make install".
+- The named.conf parser has been completely rewritten.  It now supports
+  "include" directives in more places such as inside "view" statements, and
+  it no longer has any reserved words.
+- The "rndc status" command is now implemented.
+- rndc can now be configured automatically.
+- A BIND 8 compatible stub resolver library is now included in lib/bind.
+- OpenSSL has been removed from the distribution.  This means that to use
+  DNSSEC, OpenSSL must be installed and the --with-openssl option must be
+  supplied to configure.  This does not apply to the use of TSIG, which
+  does not require OpenSSL.
+- The source distribution now builds on Windows.  See
+  win32utils/readme1.txt and win32utils/win32-build.txt for details.
+- This distribution also includes a new lightweight stub resolver library
+  and associated resolver daemon that fully support forward and reverse
+  lookups of both IPv4 and IPv6 addresses.  This library is considered
+  experimental and is not a complete replacement for the BIND 8 resolver
+  library.  Applications that use the BIND 8 `res_*` functions to perform
+  DNS lookups or dynamic updates still need to be linked against the BIND 8
+  libraries.  For DNS lookups, they can also use the new "getrrsetbyname()"
+  API.
+- BIND 9.2 is capable of acting as an authoritative server for DNSSEC
+  secured zones.  This functionality is believed to be stable and complete
+  except for lacking support for verifications involving wildcard records
+  in secure zones.
+- When acting as a caching server, BIND 9.2 can be configured to perform
+  DNSSEC secure resolution on behalf of its clients.  This part of the
+  DNSSEC implementation is still considered experimental.  For detailed
+  information about the state of the DNSSEC implementation, see the file
+  doc/misc/dnssec.

Kyuafile

@@ -0,0 +1,4 @@
+syntax(2)
+test_suite('bind9')
+
+include('lib/Kyuafile')

LICENSE

@@ -346,7 +346,7 @@ Exhibit A - Source Code Form License Notice
       2.0. If a copy of the MPL was not
       distributed with this file, You can
       obtain one at
-      https://mozilla.org/MPL/2.0/.
+      http://mozilla.org/MPL/2.0/.
 
 If it is not possible or desirable to put the notice in a particular file,
 then You may include the notice in a location (such as a LICENSE file in a

LICENSES/Apache-2.0.txt

@@ -1,73 +0,0 @@
-Apache License
-Version 2.0, January 2004
-http://www.apache.org/licenses/
-
-TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-1. Definitions.
-
-"License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document.
-
-"Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License.
-
-"Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.
-
-"You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License.
-
-"Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files.
-
-"Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types.
-
-"Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).
-
-"Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.
-
-"Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution."
-
-"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work.
-
-2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.
-
-3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.
-
-4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions:
-
-     (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and
-
-     (b) You must cause any modified files to carry prominent notices stating that You changed the files; and
-
-     (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and
-
-     (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License.
-
-     You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License.
-
-5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions.
-
-6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.
-
-7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License.
-
-8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages.
-
-9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability.
-
-END OF TERMS AND CONDITIONS
-
-APPENDIX: How to apply the Apache License to your work.
-
-To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!)  The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives.
-
-Copyright [yyyy] [name of copyright owner]
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.

LICENSES/Autoconf-exception-3.0.txt

@@ -1,26 +0,0 @@
-AUTOCONF CONFIGURE SCRIPT EXCEPTION
-
-Version 3.0, 18 August 2009
-Copyright © 2009 Free Software Foundation, Inc. <http://fsf.org/>
-
-Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
-
-This Exception is an additional permission under section 7 of the GNU General Public License, version 3 ("GPLv3"). It applies to a given file that bears a notice placed by the copyright holder of the file stating that the file is governed by GPLv3 along with this Exception.
-
-The purpose of this Exception is to allow distribution of Autoconf's typical output under terms of the recipient's choice (including proprietary).
-
-0. Definitions.
-
-"Covered Code" is the source or object code of a version of Autoconf that is a covered work under this License.
-
-"Normally Copied Code" for a version of Autoconf means all parts of its Covered Code which that version can copy from its code (i.e., not from its input file) into its minimally verbose, non-debugging and non-tracing output.
-
-"Ineligible Code" is Covered Code that is not Normally Copied Code.
-
-1. Grant of Additional Permission.
-
-You have permission to propagate output of Autoconf, even if such propagation would otherwise violate the terms of GPLv3. However, if by modifying Autoconf you cause any Ineligible Code of the version you received to become Normally Copied Code of your modified version, then you void this Exception for the resulting covered work. If you convey that resulting covered work, you must remove this Exception in accordance with the second paragraph of Section 7 of GPLv3.
-
-2. No Weakening of Autoconf Copyleft.
-
-The availability of this Exception does not imply any general presumption that third-party software is unaffected by the copyleft requirements of the license of Autoconf.

LICENSES/Autoconf-exception-generic.txt

@@ -1 +0,0 @@
-As a special exception to the GNU General Public License, if you distribute this file as part of a program that contains a configuration script generated by Autoconf, you may include it under the same distribution terms that you use for the rest of that program.

LICENSES/BSD-2-Clause.txt

@@ -1,9 +0,0 @@
-Copyright (c) <year> <owner> All rights reserved.
-
-Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
-
-1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
-
-2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

LICENSES/BSD-3-Clause.txt

@@ -1,11 +0,0 @@
-Copyright (c) <year> <owner>. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
-
-1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
-
-2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
-
-3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

LICENSES/CC0-1.0.txt

@@ -1,121 +0,0 @@
-Creative Commons Legal Code
-
-CC0 1.0 Universal
-
-    CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
-    LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
-    ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
-    INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
-    REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
-    PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
-    THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
-    HEREUNDER.
-
-Statement of Purpose
-
-The laws of most jurisdictions throughout the world automatically confer
-exclusive Copyright and Related Rights (defined below) upon the creator
-and subsequent owner(s) (each and all, an "owner") of an original work of
-authorship and/or a database (each, a "Work").
-
-Certain owners wish to permanently relinquish those rights to a Work for
-the purpose of contributing to a commons of creative, cultural and
-scientific works ("Commons") that the public can reliably and without fear
-of later claims of infringement build upon, modify, incorporate in other
-works, reuse and redistribute as freely as possible in any form whatsoever
-and for any purposes, including without limitation commercial purposes.
-These owners may contribute to the Commons to promote the ideal of a free
-culture and the further production of creative, cultural and scientific
-works, or to gain reputation or greater distribution for their Work in
-part through the use and efforts of others.
-
-For these and/or other purposes and motivations, and without any
-expectation of additional consideration or compensation, the person
-associating CC0 with a Work (the "Affirmer"), to the extent that he or she
-is an owner of Copyright and Related Rights in the Work, voluntarily
-elects to apply CC0 to the Work and publicly distribute the Work under its
-terms, with knowledge of his or her Copyright and Related Rights in the
-Work and the meaning and intended legal effect of CC0 on those rights.
-
-1. Copyright and Related Rights. A Work made available under CC0 may be
-protected by copyright and related or neighboring rights ("Copyright and
-Related Rights"). Copyright and Related Rights include, but are not
-limited to, the following:
-
-  i. the right to reproduce, adapt, distribute, perform, display,
-     communicate, and translate a Work;
- ii. moral rights retained by the original author(s) and/or performer(s);
-iii. publicity and privacy rights pertaining to a person's image or
-     likeness depicted in a Work;
- iv. rights protecting against unfair competition in regards to a Work,
-     subject to the limitations in paragraph 4(a), below;
-  v. rights protecting the extraction, dissemination, use and reuse of data
-     in a Work;
- vi. database rights (such as those arising under Directive 96/9/EC of the
-     European Parliament and of the Council of 11 March 1996 on the legal
-     protection of databases, and under any national implementation
-     thereof, including any amended or successor version of such
-     directive); and
-vii. other similar, equivalent or corresponding rights throughout the
-     world based on applicable law or treaty, and any national
-     implementations thereof.
-
-2. Waiver. To the greatest extent permitted by, but not in contravention
-of, applicable law, Affirmer hereby overtly, fully, permanently,
-irrevocably and unconditionally waives, abandons, and surrenders all of
-Affirmer's Copyright and Related Rights and associated claims and causes
-of action, whether now known or unknown (including existing as well as
-future claims and causes of action), in the Work (i) in all territories
-worldwide, (ii) for the maximum duration provided by applicable law or
-treaty (including future time extensions), (iii) in any current or future
-medium and for any number of copies, and (iv) for any purpose whatsoever,
-including without limitation commercial, advertising or promotional
-purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
-member of the public at large and to the detriment of Affirmer's heirs and
-successors, fully intending that such Waiver shall not be subject to
-revocation, rescission, cancellation, termination, or any other legal or
-equitable action to disrupt the quiet enjoyment of the Work by the public
-as contemplated by Affirmer's express Statement of Purpose.
-
-3. Public License Fallback. Should any part of the Waiver for any reason
-be judged legally invalid or ineffective under applicable law, then the
-Waiver shall be preserved to the maximum extent permitted taking into
-account Affirmer's express Statement of Purpose. In addition, to the
-extent the Waiver is so judged Affirmer hereby grants to each affected
-person a royalty-free, non transferable, non sublicensable, non exclusive,
-irrevocable and unconditional license to exercise Affirmer's Copyright and
-Related Rights in the Work (i) in all territories worldwide, (ii) for the
-maximum duration provided by applicable law or treaty (including future
-time extensions), (iii) in any current or future medium and for any number
-of copies, and (iv) for any purpose whatsoever, including without
-limitation commercial, advertising or promotional purposes (the
-"License"). The License shall be deemed effective as of the date CC0 was
-applied by Affirmer to the Work. Should any part of the License for any
-reason be judged legally invalid or ineffective under applicable law, such
-partial invalidity or ineffectiveness shall not invalidate the remainder
-of the License, and in such case Affirmer hereby affirms that he or she
-will not (i) exercise any of his or her remaining Copyright and Related
-Rights in the Work or (ii) assert any associated claims and causes of
-action with respect to the Work, in either case contrary to Affirmer's
-express Statement of Purpose.
-
-4. Limitations and Disclaimers.
-
- a. No trademark or patent rights held by Affirmer are waived, abandoned,
-    surrendered, licensed or otherwise affected by this document.
- b. Affirmer offers the Work as-is and makes no representations or
-    warranties of any kind concerning the Work, express, implied,
-    statutory or otherwise, including without limitation warranties of
-    title, merchantability, fitness for a particular purpose, non
-    infringement, or the absence of latent or other defects, accuracy, or
-    the present or absence of errors, whether or not discoverable, all to
-    the greatest extent permissible under applicable law.
- c. Affirmer disclaims responsibility for clearing rights of other persons
-    that may apply to the Work or any use thereof, including without
-    limitation any person's Copyright and Related Rights in the Work.
-    Further, Affirmer disclaims responsibility for obtaining any necessary
-    consents, permissions or other rights required for any use of the
-    Work.
- d. Affirmer understands and acknowledges that Creative Commons is not a
-    party to this document and has no duty or obligation with respect to
-    this CC0 or use of the Work.

LICENSES/FSFAP.txt

@@ -1 +0,0 @@
-Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright notice and this notice are preserved.  This file is offered as-is, without any warranty.

LICENSES/GPL-2.0-or-later.txt

@@ -1,117 +0,0 @@
-GNU GENERAL PUBLIC LICENSE
-Version 2, June 1991
-
-Copyright (C) 1989, 1991 Free Software Foundation, Inc.
-51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
-
-Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
-
-Preamble
-
-The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Lesser General Public License instead.) You can apply it to your programs, too.
-
-When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.
-
-To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it.
-
-For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.
-
-We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software.
-
-Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations.
-
-Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all.
-
-The precise terms and conditions for copying, distribution and modification follow.
-
-TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
-
-0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you".
-
-Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.
-
-1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.
-
-You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.
-
-2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:
-
-     a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.
-
-     b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.
-
-     c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)
-
-These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.
-
-Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.
-
-In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.
-
-3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:
-
-     a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
-
-     b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
-
-     c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)
-
-The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.
-
-If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.
-
-4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.
-
-5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.
-
-6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.
-
-7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.
-
-If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.
-
-It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.
-
-This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.
-
-8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.
-
-9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.
-
-Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.
-
-10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.
-
-NO WARRANTY
-
-11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
-
-12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
-
-END OF TERMS AND CONDITIONS
-
-How to Apply These Terms to Your New Programs
-
-If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms.
-
-To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found.
-
-     one line to give the program's name and an idea of what it does. Copyright (C) yyyy name of author
-
-     This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
-
-     This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
-
-     You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. Also add information on how to contact you by electronic and paper mail.
-
-If the program is interactive, make it output a short notice like this when it starts in an interactive mode:
-
-     Gnomovision version 69, Copyright (C) year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details.
-
-The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program.
-
-You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names:
-
-     Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker.
-
-signature of Ty Coon, 1 April 1989 Ty Coon, President of Vice

LICENSES/GPL-3.0-or-later.txt

@@ -1,232 +0,0 @@
-GNU GENERAL PUBLIC LICENSE
-Version 3, 29 June 2007
-
-Copyright © 2007 Free Software Foundation, Inc. <http://fsf.org/>
-
-Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
-
-Preamble
-
-The GNU General Public License is a free, copyleft license for software and other kinds of works.
-
-The licenses for most software and other practical works are designed to take away your freedom to share and change the works. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change all versions of a program--to make sure it remains free software for all its users. We, the Free Software Foundation, use the GNU General Public License for most of our software; it applies also to any other work released this way by its authors. You can apply it to your programs, too.
-
-When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for them if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs, and that you know you can do these things.
-
-To protect your rights, we need to prevent others from denying you these rights or asking you to surrender the rights. Therefore, you have certain responsibilities if you distribute copies of the software, or if you modify it: responsibilities to respect the freedom of others.
-
-For example, if you distribute copies of such a program, whether gratis or for a fee, you must pass on to the recipients the same freedoms that you received. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.
-
-Developers that use the GNU GPL protect your rights with two steps: (1) assert copyright on the software, and (2) offer you this License giving you legal permission to copy, distribute and/or modify it.
-
-For the developers' and authors' protection, the GPL clearly explains that there is no warranty for this free software. For both users' and authors' sake, the GPL requires that modified versions be marked as changed, so that their problems will not be attributed erroneously to authors of previous versions.
-
-Some devices are designed to deny users access to install or run modified versions of the software inside them, although the manufacturer can do so. This is fundamentally incompatible with the aim of protecting users' freedom to change the software. The systematic pattern of such abuse occurs in the area of products for individuals to use, which is precisely where it is most unacceptable. Therefore, we have designed this version of the GPL to prohibit the practice for those products. If such problems arise substantially in other domains, we stand ready to extend this provision to those domains in future versions of the GPL, as needed to protect the freedom of users.
-
-Finally, every program is threatened constantly by software patents. States should not allow patents to restrict development and use of software on general-purpose computers, but in those that do, we wish to avoid the special danger that patents applied to a free program could make it effectively proprietary. To prevent this, the GPL assures that patents cannot be used to render the program non-free.
-
-The precise terms and conditions for copying, distribution and modification follow.
-
-TERMS AND CONDITIONS
-
-0. Definitions.
-
-“This License” refers to version 3 of the GNU General Public License.
-
-“Copyright” also means copyright-like laws that apply to other kinds of works, such as semiconductor masks.
-
-“The Program” refers to any copyrightable work licensed under this License. Each licensee is addressed as “you”. “Licensees” and “recipients” may be individuals or organizations.
-
-To “modify” a work means to copy from or adapt all or part of the work in a fashion requiring copyright permission, other than the making of an exact copy. The resulting work is called a “modified version” of the earlier work or a work “based on” the earlier work.
-
-A “covered work” means either the unmodified Program or a work based on the Program.
-
-To “propagate” a work means to do anything with it that, without permission, would make you directly or secondarily liable for infringement under applicable copyright law, except executing it on a computer or modifying a private copy. Propagation includes copying, distribution (with or without modification), making available to the public, and in some countries other activities as well.
-
-To “convey” a work means any kind of propagation that enables other parties to make or receive copies. Mere interaction with a user through a computer network, with no transfer of a copy, is not conveying.
-
-An interactive user interface displays “Appropriate Legal Notices” to the extent that it includes a convenient and prominently visible feature that (1) displays an appropriate copyright notice, and (2) tells the user that there is no warranty for the work (except to the extent that warranties are provided), that licensees may convey the work under this License, and how to view a copy of this License. If the interface presents a list of user commands or options, such as a menu, a prominent item in the list meets this criterion.
-
-1. Source Code.
-The “source code” for a work means the preferred form of the work for making modifications to it. “Object code” means any non-source form of a work.
-
-A “Standard Interface” means an interface that either is an official standard defined by a recognized standards body, or, in the case of interfaces specified for a particular programming language, one that is widely used among developers working in that language.
-
-The “System Libraries” of an executable work include anything, other than the work as a whole, that (a) is included in the normal form of packaging a Major Component, but which is not part of that Major Component, and (b) serves only to enable use of the work with that Major Component, or to implement a Standard Interface for which an implementation is available to the public in source code form. A “Major Component”, in this context, means a major essential component (kernel, window system, and so on) of the specific operating system (if any) on which the executable work runs, or a compiler used to produce the work, or an object code interpreter used to run it.
-
-The “Corresponding Source” for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities. However, it does not include the work's System Libraries, or general-purpose tools or generally available free programs which are used unmodified in performing those activities but which are not part of the work. For example, Corresponding Source includes interface definition files associated with source files for the work, and the source code for shared libraries and dynamically linked subprograms that the work is specifically designed to require, such as by intimate data communication or control flow between those subprograms and other parts of the work.
-
-The Corresponding Source need not include anything that users can regenerate automatically from other parts of the Corresponding Source.
-
-The Corresponding Source for a work in source code form is that same work.
-
-2. Basic Permissions.
-All rights granted under this License are granted for the term of copyright on the Program, and are irrevocable provided the stated conditions are met. This License explicitly affirms your unlimited permission to run the unmodified Program. The output from running a covered work is covered by this License only if the output, given its content, constitutes a covered work. This License acknowledges your rights of fair use or other equivalent, as provided by copyright law.
-
-You may make, run and propagate covered works that you do not convey, without conditions so long as your license otherwise remains in force. You may convey covered works to others for the sole purpose of having them make modifications exclusively for you, or provide you with facilities for running those works, provided that you comply with the terms of this License in conveying all material for which you do not control copyright. Those thus making or running the covered works for you must do so exclusively on your behalf, under your direction and control, on terms that prohibit them from making any copies of your copyrighted material outside their relationship with you.
-
-Conveying under any other circumstances is permitted solely under the conditions stated below. Sublicensing is not allowed; section 10 makes it unnecessary.
-
-3. Protecting Users' Legal Rights From Anti-Circumvention Law.
-No covered work shall be deemed part of an effective technological measure under any applicable law fulfilling obligations under article 11 of the WIPO copyright treaty adopted on 20 December 1996, or similar laws prohibiting or restricting circumvention of such measures.
-
-When you convey a covered work, you waive any legal power to forbid circumvention of technological measures to the extent such circumvention is effected by exercising rights under this License with respect to the covered work, and you disclaim any intention to limit operation or modification of the work as a means of enforcing, against the work's users, your or third parties' legal rights to forbid circumvention of technological measures.
-
-4. Conveying Verbatim Copies.
-You may convey verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice; keep intact all notices stating that this License and any non-permissive terms added in accord with section 7 apply to the code; keep intact all notices of the absence of any warranty; and give all recipients a copy of this License along with the Program.
-
-You may charge any price or no price for each copy that you convey, and you may offer support or warranty protection for a fee.
-
-5. Conveying Modified Source Versions.
-You may convey a work based on the Program, or the modifications to produce it from the Program, in the form of source code under the terms of section 4, provided that you also meet all of these conditions:
-
-     a) The work must carry prominent notices stating that you modified it, and giving a relevant date.
-
-     b) The work must carry prominent notices stating that it is released under this License and any conditions added under section 7. This requirement modifies the requirement in section 4 to “keep intact all notices”.
-
-     c) You must license the entire work, as a whole, under this License to anyone who comes into possession of a copy. This License will therefore apply, along with any applicable section 7 additional terms, to the whole of the work, and all its parts, regardless of how they are packaged. This License gives no permission to license the work in any other way, but it does not invalidate such permission if you have separately received it.
-
-     d) If the work has interactive user interfaces, each must display Appropriate Legal Notices; however, if the Program has interactive interfaces that do not display Appropriate Legal Notices, your work need not make them do so.
-
-A compilation of a covered work with other separate and independent works, which are not by their nature extensions of the covered work, and which are not combined with it such as to form a larger program, in or on a volume of a storage or distribution medium, is called an “aggregate” if the compilation and its resulting copyright are not used to limit the access or legal rights of the compilation's users beyond what the individual works permit. Inclusion of a covered work in an aggregate does not cause this License to apply to the other parts of the aggregate.
-
-6. Conveying Non-Source Forms.
-You may convey a covered work in object code form under the terms of sections 4 and 5, provided that you also convey the machine-readable Corresponding Source under the terms of this License, in one of these ways:
-
-     a) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by the Corresponding Source fixed on a durable physical medium customarily used for software interchange.
-
-     b) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by a written offer, valid for at least three years and valid for as long as you offer spare parts or customer support for that product model, to give anyone who possesses the object code either (1) a copy of the Corresponding Source for all the software in the product that is covered by this License, on a durable physical medium customarily used for software interchange, for a price no more than your reasonable cost of physically performing this conveying of source, or (2) access to copy the Corresponding Source from a network server at no charge.
-
-     c) Convey individual copies of the object code with a copy of the written offer to provide the Corresponding Source. This alternative is allowed only occasionally and noncommercially, and only if you received the object code with such an offer, in accord with subsection 6b.
-
-     d) Convey the object code by offering access from a designated place (gratis or for a charge), and offer equivalent access to the Corresponding Source in the same way through the same place at no further charge. You need not require recipients to copy the Corresponding Source along with the object code. If the place to copy the object code is a network server, the Corresponding Source may be on a different server (operated by you or a third party) that supports equivalent copying facilities, provided you maintain clear directions next to the object code saying where to find the Corresponding Source. Regardless of what server hosts the Corresponding Source, you remain obligated to ensure that it is available for as long as needed to satisfy these requirements.
-
-     e) Convey the object code using peer-to-peer transmission, provided you inform other peers where the object code and Corresponding Source of the work are being offered to the general public at no charge under subsection 6d.
-
-A separable portion of the object code, whose source code is excluded from the Corresponding Source as a System Library, need not be included in conveying the object code work.
-
-A “User Product” is either (1) a “consumer product”, which means any tangible personal property which is normally used for personal, family, or household purposes, or (2) anything designed or sold for incorporation into a dwelling. In determining whether a product is a consumer product, doubtful cases shall be resolved in favor of coverage. For a particular product received by a particular user, “normally used” refers to a typical or common use of that class of product, regardless of the status of the particular user or of the way in which the particular user actually uses, or expects or is expected to use, the product. A product is a consumer product regardless of whether the product has substantial commercial, industrial or non-consumer uses, unless such uses represent the only significant mode of use of the product.
-
-“Installation Information” for a User Product means any methods, procedures, authorization keys, or other information required to install and execute modified versions of a covered work in that User Product from a modified version of its Corresponding Source. The information must suffice to ensure that the continued functioning of the modified object code is in no case prevented or interfered with solely because modification has been made.
-
-If you convey an object code work under this section in, or with, or specifically for use in, a User Product, and the conveying occurs as part of a transaction in which the right of possession and use of the User Product is transferred to the recipient in perpetuity or for a fixed term (regardless of how the transaction is characterized), the Corresponding Source conveyed under this section must be accompanied by the Installation Information. But this requirement does not apply if neither you nor any third party retains the ability to install modified object code on the User Product (for example, the work has been installed in ROM).
-
-The requirement to provide Installation Information does not include a requirement to continue to provide support service, warranty, or updates for a work that has been modified or installed by the recipient, or for the User Product in which it has been modified or installed. Access to a network may be denied when the modification itself materially and adversely affects the operation of the network or violates the rules and protocols for communication across the network.
-
-Corresponding Source conveyed, and Installation Information provided, in accord with this section must be in a format that is publicly documented (and with an implementation available to the public in source code form), and must require no special password or key for unpacking, reading or copying.
-
-7. Additional Terms.
-“Additional permissions” are terms that supplement the terms of this License by making exceptions from one or more of its conditions. Additional permissions that are applicable to the entire Program shall be treated as though they were included in this License, to the extent that they are valid under applicable law. If additional permissions apply only to part of the Program, that part may be used separately under those permissions, but the entire Program remains governed by this License without regard to the additional permissions.
-
-When you convey a copy of a covered work, you may at your option remove any additional permissions from that copy, or from any part of it. (Additional permissions may be written to require their own removal in certain cases when you modify the work.) You may place additional permissions on material, added by you to a covered work, for which you have or can give appropriate copyright permission.
-
-Notwithstanding any other provision of this License, for material you add to a covered work, you may (if authorized by the copyright holders of that material) supplement the terms of this License with terms:
-
-     a) Disclaiming warranty or limiting liability differently from the terms of sections 15 and 16 of this License; or
-
-     b) Requiring preservation of specified reasonable legal notices or author attributions in that material or in the Appropriate Legal Notices displayed by works containing it; or
-
-     c) Prohibiting misrepresentation of the origin of that material, or requiring that modified versions of such material be marked in reasonable ways as different from the original version; or
-
-     d) Limiting the use for publicity purposes of names of licensors or authors of the material; or
-
-     e) Declining to grant rights under trademark law for use of some trade names, trademarks, or service marks; or
-
-     f) Requiring indemnification of licensors and authors of that material by anyone who conveys the material (or modified versions of it) with contractual assumptions of liability to the recipient, for any liability that these contractual assumptions directly impose on those licensors and authors.
-
-All other non-permissive additional terms are considered “further restrictions” within the meaning of section 10. If the Program as you received it, or any part of it, contains a notice stating that it is governed by this License along with a term that is a further restriction, you may remove that term. If a license document contains a further restriction but permits relicensing or conveying under this License, you may add to a covered work material governed by the terms of that license document, provided that the further restriction does not survive such relicensing or conveying.
-
-If you add terms to a covered work in accord with this section, you must place, in the relevant source files, a statement of the additional terms that apply to those files, or a notice indicating where to find the applicable terms.
-
-Additional terms, permissive or non-permissive, may be stated in the form of a separately written license, or stated as exceptions; the above requirements apply either way.
-
-8. Termination.
-You may not propagate or modify a covered work except as expressly provided under this License. Any attempt otherwise to propagate or modify it is void, and will automatically terminate your rights under this License (including any patent licenses granted under the third paragraph of section 11).
-
-However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation.
-
-Moreover, your license from a particular copyright holder is reinstated permanently if the copyright holder notifies you of the violation by some reasonable means, this is the first time you have received notice of violation of this License (for any work) from that copyright holder, and you cure the violation prior to 30 days after your receipt of the notice.
-
-Termination of your rights under this section does not terminate the licenses of parties who have received copies or rights from you under this License. If your rights have been terminated and not permanently reinstated, you do not qualify to receive new licenses for the same material under section 10.
-
-9. Acceptance Not Required for Having Copies.
-You are not required to accept this License in order to receive or run a copy of the Program. Ancillary propagation of a covered work occurring solely as a consequence of using peer-to-peer transmission to receive a copy likewise does not require acceptance. However, nothing other than this License grants you permission to propagate or modify any covered work. These actions infringe copyright if you do not accept this License. Therefore, by modifying or propagating a covered work, you indicate your acceptance of this License to do so.
-
-10. Automatic Licensing of Downstream Recipients.
-Each time you convey a covered work, the recipient automatically receives a license from the original licensors, to run, modify and propagate that work, subject to this License. You are not responsible for enforcing compliance by third parties with this License.
-
-An “entity transaction” is a transaction transferring control of an organization, or substantially all assets of one, or subdividing an organization, or merging organizations. If propagation of a covered work results from an entity transaction, each party to that transaction who receives a copy of the work also receives whatever licenses to the work the party's predecessor in interest had or could give under the previous paragraph, plus a right to possession of the Corresponding Source of the work from the predecessor in interest, if the predecessor has it or can get it with reasonable efforts.
-
-You may not impose any further restrictions on the exercise of the rights granted or affirmed under this License. For example, you may not impose a license fee, royalty, or other charge for exercise of rights granted under this License, and you may not initiate litigation (including a cross-claim or counterclaim in a lawsuit) alleging that any patent claim is infringed by making, using, selling, offering for sale, or importing the Program or any portion of it.
-
-11. Patents.
-A “contributor” is a copyright holder who authorizes use under this License of the Program or a work on which the Program is based. The work thus licensed is called the contributor's “contributor version”.
-
-A contributor's “essential patent claims” are all patent claims owned or controlled by the contributor, whether already acquired or hereafter acquired, that would be infringed by some manner, permitted by this License, of making, using, or selling its contributor version, but do not include claims that would be infringed only as a consequence of further modification of the contributor version. For purposes of this definition, “control” includes the right to grant patent sublicenses in a manner consistent with the requirements of this License.
-
-Each contributor grants you a non-exclusive, worldwide, royalty-free patent license under the contributor's essential patent claims, to make, use, sell, offer for sale, import and otherwise run, modify and propagate the contents of its contributor version.
-
-In the following three paragraphs, a “patent license” is any express agreement or commitment, however denominated, not to enforce a patent (such as an express permission to practice a patent or covenant not to sue for patent infringement). To “grant” such a patent license to a party means to make such an agreement or commitment not to enforce a patent against the party.
-
-If you convey a covered work, knowingly relying on a patent license, and the Corresponding Source of the work is not available for anyone to copy, free of charge and under the terms of this License, through a publicly available network server or other readily accessible means, then you must either (1) cause the Corresponding Source to be so available, or (2) arrange to deprive yourself of the benefit of the patent license for this particular work, or (3) arrange, in a manner consistent with the requirements of this License, to extend the patent license to downstream recipients. “Knowingly relying” means you have actual knowledge that, but for the patent license, your conveying the covered work in a country, or your recipient's use of the covered work in a country, would infringe one or more identifiable patents in that country that you have reason to believe are valid.
-
-If, pursuant to or in connection with a single transaction or arrangement, you convey, or propagate by procuring conveyance of, a covered work, and grant a patent license to some of the parties receiving the covered work authorizing them to use, propagate, modify or convey a specific copy of the covered work, then the patent license you grant is automatically extended to all recipients of the covered work and works based on it.
-
-A patent license is “discriminatory” if it does not include within the scope of its coverage, prohibits the exercise of, or is conditioned on the non-exercise of one or more of the rights that are specifically granted under this License. You may not convey a covered work if you are a party to an arrangement with a third party that is in the business of distributing software, under which you make payment to the third party based on the extent of your activity of conveying the work, and under which the third party grants, to any of the parties who would receive the covered work from you, a discriminatory patent license (a) in connection with copies of the covered work conveyed by you (or copies made from those copies), or (b) primarily for and in connection with specific products or compilations that contain the covered work, unless you entered into that arrangement, or that patent license was granted, prior to 28 March 2007.
-
-Nothing in this License shall be construed as excluding or limiting any implied license or other defenses to infringement that may otherwise be available to you under applicable patent law.
-
-12. No Surrender of Others' Freedom.
-If conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot convey a covered work so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not convey it at all. For example, if you agree to terms that obligate you to collect a royalty for further conveying from those to whom you convey the Program, the only way you could satisfy both those terms and this License would be to refrain entirely from conveying the Program.
-
-13. Use with the GNU Affero General Public License.
-Notwithstanding any other provision of this License, you have permission to link or combine any covered work with a work licensed under version 3 of the GNU Affero General Public License into a single combined work, and to convey the resulting work. The terms of this License will continue to apply to the part which is the covered work, but the special requirements of the GNU Affero General Public License, section 13, concerning interaction through a network will apply to the combination as such.
-
-14. Revised Versions of this License.
-The Free Software Foundation may publish revised and/or new versions of the GNU General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.
-
-Each version is given a distinguishing version number. If the Program specifies that a certain numbered version of the GNU General Public License “or any later version” applies to it, you have the option of following the terms and conditions either of that numbered version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of the GNU General Public License, you may choose any version ever published by the Free Software Foundation.
-
-If the Program specifies that a proxy can decide which future versions of the GNU General Public License can be used, that proxy's public statement of acceptance of a version permanently authorizes you to choose that version for the Program.
-
-Later license versions may give you additional or different permissions. However, no additional obligations are imposed on any author or copyright holder as a result of your choosing to follow a later version.
-
-15. Disclaimer of Warranty.
-THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
-
-16. Limitation of Liability.
-IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
-
-17. Interpretation of Sections 15 and 16.
-If the disclaimer of warranty and limitation of liability provided above cannot be given local legal effect according to their terms, reviewing courts shall apply local law that most closely approximates an absolute waiver of all civil liability in connection with the Program, unless a warranty or assumption of liability accompanies a copy of the Program in return for a fee.
-
-END OF TERMS AND CONDITIONS
-
-How to Apply These Terms to Your New Programs
-
-If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms.
-
-To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively state the exclusion of warranty; and each file should have at least the “copyright” line and a pointer to where the full notice is found.
-
-     <one line to give the program's name and a brief idea of what it does.>
-     Copyright (C) <year>  <name of author>
-
-     This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
-
-     This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-
-     You should have received a copy of the GNU General Public License along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-Also add information on how to contact you by electronic and paper mail.
-
-If the program does terminal interaction, make it output a short notice like this when it starts in an interactive mode:
-
-     <program>  Copyright (C) <year>  <name of author>
-     This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
-     This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details.
-
-The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, your program's commands might be different; for a GUI interface, you would use an “about box”.
-
-You should also get your employer (if you work as a programmer) or school, if any, to sign a “copyright disclaimer” for the program, if necessary. For more information on this, and how to apply and follow the GNU GPL, see <http://www.gnu.org/licenses/>.
-
-The GNU General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Lesser General Public License instead of this License. But first, please read <http://www.gnu.org/philosophy/why-not-lgpl.html>.

LICENSES/ISC.txt

@@ -1,8 +0,0 @@
-ISC License:
-
-Copyright (c) 2004-2010 by Internet Systems Consortium, Inc. ("ISC")
-Copyright (c) 1995-2003 by Internet Software Consortium
-
-Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

LICENSES/LLVM-exception.txt

@@ -1,15 +0,0 @@
----- LLVM Exceptions to the Apache 2.0 License ----
-
-   As an exception, if, as a result of your compiling your source code, portions
-   of this Software are embedded into an Object form of such source code, you
-   may redistribute such embedded portions in such Object form without complying
-   with the conditions of Sections 4(a), 4(b) and 4(d) of the License.
-
-   In addition, if you combine or link compiled forms of this Software with
-   software that is licensed under the GPLv2 ("Combined Software") and if a
-   court of competent jurisdiction determines that the patent provision (Section
-   3), the indemnity provision (Section 9) or other Section of the License
-   conflicts with the conditions of the GPLv2, you may retroactively and
-   prospectively choose to deem waived or otherwise exclude such Section(s) of
-   the License, but only in their entirety and only with respect to the Combined
-   Software.

LICENSES/MIT.txt

@@ -1,9 +0,0 @@
-MIT License
-
-Copyright (c) <year> <copyright holders>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

LICENSES/MPL-2.0.txt

@@ -1,144 +0,0 @@
-Mozilla Public License Version 2.0
-
-1. Definitions
-
-     1.1. "Contributor" means each individual or legal entity that creates, contributes to the creation of, or owns Covered Software.
-
-     1.2. "Contributor Version" means the combination of the Contributions of others (if any) used by a Contributor and that particular Contributor's Contribution.
-
-     1.3. "Contribution" means Covered Software of a particular Contributor.
-
-     1.4. "Covered Software" means Source Code Form to which the initial Contributor has attached the notice in Exhibit A, the Executable Form of such Source Code Form, and Modifications of such Source Code Form, in each case including portions thereof.
-
-     1.5. "Incompatible With Secondary Licenses" means
-
-          (a) that the initial Contributor has attached the notice described in Exhibit B to the Covered Software; or
-
-          (b) that the Covered Software was made available under the terms of version 1.1 or earlier of the License, but not also under the terms of a Secondary License.
-
-     1.6. "Executable Form" means any form of the work other than Source Code Form.
-
-     1.7. "Larger Work" means a work that combines Covered Software with other material, in a separate file or files, that is not Covered Software.
-
-     1.8. "License" means this document.
-
-     1.9. "Licensable" means having the right to grant, to the maximum extent possible, whether at the time of the initial grant or subsequently, any and all of the rights conveyed by this License.
-
-     1.10. "Modifications" means any of the following:
-
-          (a) any file in Source Code Form that results from an addition to, deletion from, or modification of the contents of Covered Software; or
-
-          (b) any new file in Source Code Form that contains any Covered Software.
-
-     1.11. "Patent Claims" of a Contributor means any patent claim(s), including without limitation, method, process, and apparatus claims, in any patent Licensable by such Contributor that would be infringed, but for the grant of the License, by the making, using, selling, offering for sale, having made, import, or transfer of either its Contributions or its Contributor Version.
-
-     1.12. "Secondary License" means either the GNU General Public License, Version 2.0, the GNU Lesser General Public License, Version 2.1, the GNU Affero General Public License, Version 3.0, or any later versions of those licenses.
-
-     1.13. "Source Code Form" means the form of the work preferred for making modifications.
-
-     1.14. "You" (or "Your") means an individual or a legal entity exercising rights under this License. For legal entities, "You" includes any entity that controls, is controlled by, or is under common control with You. For purposes of this definition, "control" means (a) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (b) ownership of more than fifty percent (50%) of the outstanding shares or beneficial ownership of such entity.
-
-2. License Grants and Conditions
-
-     2.1. Grants
-     Each Contributor hereby grants You a world-wide, royalty-free, non-exclusive license:
-
-          (a) under intellectual property rights (other than patent or trademark) Licensable by such Contributor to use, reproduce, make available, modify, display, perform, distribute, and otherwise exploit its Contributions, either on an unmodified basis, with Modifications, or as part of a Larger Work; and
-
-          (b) under Patent Claims of such Contributor to make, use, sell, offer for sale, have made, import, and otherwise transfer either its Contributions or its Contributor Version.
-
-     2.2. Effective Date
-     The licenses granted in Section 2.1 with respect to any Contribution become effective for each Contribution on the date the Contributor first distributes such Contribution.
-
-     2.3. Limitations on Grant Scope
-     The licenses granted in this Section 2 are the only rights granted under this License. No additional rights or licenses will be implied from the distribution or licensing of Covered Software under this License. Notwithstanding Section 2.1(b) above, no patent license is granted by a Contributor:
-
-          (a) for any code that a Contributor has removed from Covered Software; or
-
-          (b) for infringements caused by: (i) Your and any other third party's modifications of Covered Software, or (ii) the combination of its Contributions with other software (except as part of its Contributor Version); or
-
-          (c) under Patent Claims infringed by Covered Software in the absence of its Contributions.
-
-     This License does not grant any rights in the trademarks, service marks, or logos of any Contributor (except as may be necessary to comply with the notice requirements in Section 3.4).
-
-     2.4. Subsequent Licenses
-     No Contributor makes additional grants as a result of Your choice to distribute the Covered Software under a subsequent version of this License (see Section 10.2) or under the terms of a Secondary License (if permitted under the terms of Section 3.3).
-
-     2.5. Representation
-     Each Contributor represents that the Contributor believes its Contributions are its original creation(s) or it has sufficient rights to grant the rights to its Contributions conveyed by this License.
-
-     2.6. Fair Use
-     This License is not intended to limit any rights You have under applicable copyright doctrines of fair use, fair dealing, or other equivalents.
-
-     2.7. Conditions
-     Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in Section 2.1.
-
-3. Responsibilities
-
-     3.1. Distribution of Source Form
-     All distribution of Covered Software in Source Code Form, including any Modifications that You create or to which You contribute, must be under the terms of this License. You must inform recipients that the Source Code Form of the Covered Software is governed by the terms of this License, and how they can obtain a copy of this License. You may not attempt to alter or restrict the recipients' rights in the Source Code Form.
-
-     3.2. Distribution of Executable Form
-     If You distribute Covered Software in Executable Form then:
-
-          (a) such Covered Software must also be made available in Source Code Form, as described in Section 3.1, and You must inform recipients of the Executable Form how they can obtain a copy of such Source Code Form by reasonable means in a timely manner, at a charge no more than the cost of distribution to the recipient; and
-
-          (b) You may distribute such Executable Form under the terms of this License, or sublicense it under different terms, provided that the license for the Executable Form does not attempt to limit or alter the recipients' rights in the Source Code Form under this License.
-
-     3.3. Distribution of a Larger Work
-     You may create and distribute a Larger Work under terms of Your choice, provided that You also comply with the requirements of this License for the Covered Software. If the Larger Work is a combination of Covered Software with a work governed by one or more Secondary Licenses, and the Covered Software is not Incompatible With Secondary Licenses, this License permits You to additionally distribute such Covered Software under the terms of such Secondary License(s), so that the recipient of the Larger Work may, at their option, further distribute the Covered Software under the terms of either this License or such Secondary License(s).
-
-     3.4. Notices
-     You may not remove or alter the substance of any license notices (including copyright notices, patent notices, disclaimers of warranty, or limitations of liability) contained within the Source Code Form of the Covered Software, except that You may alter any license notices to the extent required to remedy known factual inaccuracies.
-
-     3.5. Application of Additional Terms
-     You may choose to offer, and to charge a fee for, warranty, support, indemnity or liability obligations to one or more recipients of Covered Software. However, You may do so only on Your own behalf, and not on behalf of any Contributor. You must make it absolutely clear that any such warranty, support, indemnity, or liability obligation is offered by You alone, and You hereby agree to indemnify every Contributor for any liability incurred by such Contributor as a result of warranty, support, indemnity or liability terms You offer. You may include additional disclaimers of warranty and limitations of liability specific to any jurisdiction.
-
-4. Inability to Comply Due to Statute or Regulation
-If it is impossible for You to comply with any of the terms of this License with respect to some or all of the Covered Software due to statute, judicial order, or regulation then You must: (a) comply with the terms of this License to the maximum extent possible; and (b) describe the limitations and the code they affect. Such description must be placed in a text file included with all distributions of the Covered Software under this License. Except to the extent prohibited by statute or regulation, such description must be sufficiently detailed for a recipient of ordinary skill to be able to understand it.
-
-5. Termination
-
-     5.1. The rights granted under this License will terminate automatically if You fail to comply with any of its terms. However, if You become compliant, then the rights granted under this License from a particular Contributor are reinstated (a) provisionally, unless and until such Contributor explicitly and finally terminates Your grants, and (b) on an ongoing basis, if such Contributor fails to notify You of the non-compliance by some reasonable means prior to 60 days after You have come back into compliance. Moreover, Your grants from a particular Contributor are reinstated on an ongoing basis if such Contributor notifies You of the non-compliance by some reasonable means, this is the first time You have received notice of non-compliance with this License from such Contributor, and You become compliant prior to 30 days after Your receipt of the notice.
-
-     5.2. If You initiate litigation against any entity by asserting a patent infringement claim (excluding declaratory judgment actions, counter-claims, and cross-claims) alleging that a Contributor Version directly or indirectly infringes any patent, then the rights granted to You by any and all Contributors for the Covered Software under Section 2.1 of this License shall terminate.
-
-     5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user license agreements (excluding distributors and resellers) which have been validly granted by You or Your distributors under this License prior to termination shall survive termination.
-
-6. Disclaimer of Warranty
-Covered Software is provided under this License on an "as is" basis, without warranty of any kind, either expressed, implied, or statutory, including, without limitation, warranties that the Covered Software is free of defects, merchantable, fit for a particular purpose or non-infringing. The entire risk as to the quality and performance of the Covered Software is with You. Should any Covered Software prove defective in any respect, You (not any Contributor) assume the cost of any necessary servicing, repair, or correction. This disclaimer of warranty constitutes an essential part of this License. No use of any Covered Software is authorized under this License except under this disclaimer.
-
-7. Limitation of Liability
-Under no circumstances and under no legal theory, whether tort (including negligence), contract, or otherwise, shall any Contributor, or anyone who distributes Covered Software as permitted above, be liable to You for any direct, indirect, special, incidental, or consequential damages of any character including, without limitation, damages for lost profits, loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses, even if such party shall have been informed of the possibility of such damages. This limitation of liability shall not apply to liability for death or personal injury resulting from such party's negligence to the extent applicable law prohibits such limitation. Some jurisdictions do not allow the exclusion or limitation of incidental or consequential damages, so this exclusion and limitation may not apply to You.
-
-8. Litigation
-Any litigation relating to this License may be brought only in the courts of a jurisdiction where the defendant maintains its principal place of business and such litigation shall be governed by laws of that jurisdiction, without reference to its conflict-of-law provisions. Nothing in this Section shall prevent a party's ability to bring cross-claims or counter-claims.
-
-9. Miscellaneous
-This License represents the complete agreement concerning the subject matter hereof. If any provision of this License is held to be unenforceable, such provision shall be reformed only to the extent necessary to make it enforceable. Any law or regulation which provides that the language of a contract shall be construed against the drafter shall not be used to construe this License against a Contributor.
-
-10. Versions of the License
-
-     10.1. New Versions
-     Mozilla Foundation is the license steward. Except as provided in Section 10.3, no one other than the license steward has the right to modify or publish new versions of this License. Each version will be given a distinguishing version number.
-
-     10.2. Effect of New Versions
-     You may distribute the Covered Software under the terms of the version of the License under which You originally received the Covered Software, or under the terms of any subsequent version published by the license steward.
-
-     10.3. Modified Versions
-     If you create software not governed by this License, and you want to create a new license for such software, you may create and use a modified version of this License if you rename the license and remove any references to the name of the license steward (except to note that such modified license differs from this License).
-
-     10.4. Distributing Source Code Form that is Incompatible With Secondary Licenses
-     If You choose to distribute Source Code Form that is Incompatible With Secondary Licenses under the terms of this version of the License, the notice described in Exhibit B of this License must be attached.
-
-Exhibit A - Source Code Form License Notice
-
-     This Source Code Form is subject to the terms of the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, you can obtain one at https://mozilla.org/MPL/2.0/.
-
-If it is not possible or desirable to put the notice in a particular file, then You may include the notice in a location (such as a LICENSE file in a relevant directory) where a recipient would be likely to look for such a notice.
-
-You may add additional accurate notices of copyright ownership.
-
-Exhibit B - "Incompatible With Secondary Licenses" Notice
-
-     This Source Code Form is "Incompatible With Secondary Licenses", as defined by the Mozilla Public License, v. 2.0.

Makefile.am

@@ -1,30 +0,0 @@
-include $(top_srcdir)/Makefile.top
-
-SUBDIRS = . lib doc
-
-# build libtest before fuzz/* and bin/tests
-SUBDIRS += tests
-
-# run fuzz tests before system tests
-SUBDIRS += fuzz bin
-
-BUILT_SOURCES += bind.keys.h
-CLEANFILES += bind.keys.h
-
-bind.keys.h: bind.keys Makefile
-	${PERL} ${top_srcdir}/util/bindkeys.pl ${top_srcdir}/bind.keys > $@
-
-.PHONY: doc
-
-EXTRA_DIST =			\
-	bind.keys		\
-	util/bindkeys.pl	\
-	util/dtrace.sh		\
-	contrib			\
-	COPYRIGHT		\
-	LICENSE			\
-	*.md
-
-dist-hook:
-	find $(distdir) -type f -name .gitignore -delete
-	git rev-parse --short HEAD | cut -b1-7 > $(distdir)/srcid

Makefile.docs

@@ -1,59 +0,0 @@
-SPHINX_V = $(SPHINX_V_@AM_V@)
-SPHINX_V_ = $(SPHINX_V_@AM_DEFAULT_V@)
-SPHINX_V_0 = -q
-SPHINX_V_1 = -n
-SPHINX_W = -W
-
-AM_V_SPHINX = $(AM_V_SPHINX_@AM_V@)
-AM_V_SPHINX_ = $(AM_V_SPHINX_@AM_DEFAULT_V@)
-AM_V_SPHINX_0 = @echo "  SPHINX   $@";
-
-SPHINXBUILDDIR = $(builddir)/_build
-
-LF = \n
-RNDC_CONF = .. |rndc_conf| replace:: ``$(sysconfdir)/rndc.conf``
-RNDC_KEY = .. |rndc_key| replace:: ``$(sysconfdir)/rndc.key``
-NAMED_CONF = .. |named_conf| replace:: ``$(sysconfdir)/named.conf``
-NAMED_PID = .. |named_pid| replace:: ``$(runstatedir)/named.pid``
-SESSION_KEY = .. |session_key| replace:: ``$(runstatedir)/session.key``
-
-export RST_EPILOG = $(RNDC_CONF)$(LF)$(RNDC_KEY)$(LF)$(NAMED_CONF)$(LF)$(BIND_KEYS)$(LF)$(NAMED_PID)$(LF)$(SESSION_KEY)
-
-common_SPHINXOPTS =			\
-	$(SPHINX_W)			\
-	-c $(srcdir)			\
-	-a				\
-	$(SPHINX_V)
-
-ALLSPHINXOPTS =					\
-	$(common_SPHINXOPTS)			\
-	-D rst_epilog="$$(printf "$${RST_EPILOG}")"	\
-	$(SPHINXOPTS)				\
-	$(srcdir)
-
-_ = @
-man_RNDC_CONF = .. |rndc_conf| replace:: ``$(_)sysconfdir$(_)/rndc.conf``
-man_RNDC_KEY = .. |rndc_key| replace:: ``$(_)sysconfdir$(_)/rndc.key``
-man_NAMED_CONF = .. |named_conf| replace:: ``$(_)sysconfdir$(_)/named.conf``
-man_BIND_KEYS = .. |bind_keys| replace:: ``$(_)sysconfdir$(_)/bind.keys``
-man_NAMED_PID = .. |named_pid| replace:: ``$(_)runstatedir$(_)/named.pid``
-man_SESSION_KEY = .. |session_key| replace:: ``$(_)runstatedir$(_)/session.key``
-
-export man_RST_EPILOG = $(man_RNDC_CONF)$(LF)$(man_RNDC_KEY)$(LF)$(man_NAMED_CONF)$(LF)$(man_BIND_KEYS)$(LF)$(man_NAMED_PID)$(LF)$(man_SESSION_KEY)
-
-man_SPHINXOPTS =				\
-	$(common_SPHINXOPTS)			\
-	-D version="@""PACKAGE_VERSION@"	\
-	-D today="@""RELEASE_DATE@"		\
-	-D release="@""PACKAGE_VERSION@"	\
-	-D rst_epilog="$$(printf "$${man_RST_EPILOG}")"	\
-	$(SPHINXOPTS)				\
-	$(srcdir)
-
-AM_V_SED = $(AM_V_SED_@AM_V@)
-AM_V_SED_ = $(AM_V_SED_@AM_DEFAULT_V@)
-AM_V_SED_0 = @echo "  SED $@";
-
-AM_V_CFG_TEST = $(AM_V_CFG_TEST_@AM_V@)
-AM_V_CFG_TEST_ = $(AM_V_CFG_TEST_@AM_DEFAULT_V@)
-AM_V_CFG_TEST_0 = @echo "  CFG_GEN $@";

Makefile.dtrace

@@ -1,20 +0,0 @@
-# Hey Emacs, this is -*- makefile-automake -*- file!
-# vim: filetype=automake
-
-AM_V_DTRACE = $(AM_V_DTRACE_@AM_V@)
-AM_V_DTRACE_ = $(AM_V_DTRACE_@AM_DEFAULT_V@)
-AM_V_DTRACE_0 = @echo "  DTRACE   $@";
-
-BUILT_SOURCES += probes.h
-CLEANFILES += probes.h probes.o
-
-probes.h: Makefile probes.d
-	$(AM_V_DTRACE)$(DTRACE) -s $(srcdir)/probes.d -h -o $@
-probes.lo: Makefile probes.d $(DTRACE_DEPS)
-	$(AM_V_DTRACE)$(LIBTOOL) --mode=compile --tag=CC $(DTRACE) -s $(srcdir)/probes.d -G -o $@ $(DTRACE_OBJS)
-
-if HAVE_DTRACE
-if !HOST_MACOS
-DTRACE_LIBADD = probes.lo
-endif
-endif

Makefile.in

@@ -0,0 +1,120 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+top_builddir =  @top_builddir@
+
+VERSION=@BIND9_VERSION@
+
+SUBDIRS =	make lib bin doc
+TARGETS =
+PREREQS =	bind.keys.h
+
+MANPAGES =	isc-config.sh.1
+
+HTMLPAGES =	isc-config.sh.html
+
+MANOBJS =	README HISTORY OPTIONS ${MANPAGES} ${HTMLPAGES}
+
+@BIND9_MAKE_RULES@
+
+newrr:
+	cd lib/dns; ${MAKE} newrr
+
+bind.keys.h: ${top_srcdir}/bind.keys ${srcdir}/util/bindkeys.pl
+	${PERL} ${srcdir}/util/bindkeys.pl < ${top_srcdir}/bind.keys > $@
+
+distclean::
+	rm -f config.cache config.h config.log config.status TAGS
+	rm -f libtool isc-config.sh configure.lineno
+	rm -f util/conf.sh docutil/docbook2man-wrapper.sh
+
+# XXX we should clean libtool stuff too.  Only do this after we add rules
+# to make it.
+maintainer-clean::
+	rm -f configure
+	rm -f bind.keys.h
+
+docclean manclean maintainer-clean::
+	rm -f ${MANOBJS}
+
+doc man:: ${MANOBJS}
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir} \
+	${DESTDIR}${localstatedir}/run ${DESTDIR}${sysconfdir}
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
+
+install:: isc-config.sh installdirs
+	${INSTALL_SCRIPT} isc-config.sh ${DESTDIR}${bindir}
+	rm -f ${DESTDIR}${bindir}/bind9-config
+	@LN@ ${DESTDIR}${bindir}/isc-config.sh ${DESTDIR}${bindir}/bind9-config
+	${INSTALL_DATA} ${top_srcdir}/isc-config.sh.1 ${DESTDIR}${mandir}/man1
+	rm -f ${DESTDIR}${mandir}/man1/bind9-config.1
+	@LN@ ${DESTDIR}${mandir}/man1/isc-config.sh.1 ${DESTDIR}${mandir}/man1/bind9-config.1
+	${INSTALL_DATA} ${top_srcdir}/bind.keys ${DESTDIR}${sysconfdir}
+
+uninstall::
+	rm -f ${DESTDIR}${sysconfdir}/bind.keys
+	rm -f ${DESTDIR}${mandir}/man1/bind9-config.1
+	rm -f ${DESTDIR}${mandir}/man1/isc-config.sh.1
+	rm -f ${DESTDIR}${bindir}/bind9-config
+	rm -f ${DESTDIR}${bindir}/isc-config.sh
+
+tags:
+	rm -f TAGS
+	find lib bin -name "*.[ch]" -print | @ETAGS@ -
+
+test check:
+	@if test -n "`${PERL} ${top_srcdir}/bin/tests/system/testsock.pl 2>/dev/null || echo fail`"; then \
+	echo I: NOTE: The tests were not run because they require that; \
+	echo I:	the IP addresses 10.53.0.1 through 10.53.0.8 are configured; \
+	echo I:	as alias addresses on the loopback interface.  Please run; \
+	echo I:	\'bin/tests/system/ifconfig.sh up\' as root to configure; \
+	echo I:	them, then rerun the tests. Run make force-test to run the; \
+	echo I:	tests anyway.; \
+	exit 1; \
+	fi
+	${MAKE} test-force
+
+force-test: test-force
+
+test-force:
+	status=0; \
+	(cd bin/tests && ${MAKE} ${MAKEDEFS} test) || status=1; \
+	(test -f ${top_builddir}/unit/unittest.sh && \
+		$(SHELL) ${top_builddir}/unit/unittest.sh) || status=1; \
+	exit $$status
+
+README: README.md
+	${PANDOC} --email-obfuscation=none -s -t html README.md | \
+		${W3M} -dump -cols 75 -O ascii -T text/html | \
+		sed -e '$${/^$$/d;}' > $@
+
+HISTORY: HISTORY.md
+	${PANDOC} --email-obfuscation=none -s -t html HISTORY.md | \
+		${W3M} -dump -cols 75 -O ascii -T text/html | \
+		sed -e '$${/^$$/d;}' > $@
+
+OPTIONS: OPTIONS.md
+	${PANDOC} --email-obfuscation=none -s -t html OPTIONS.md | \
+		${W3M} -dump -cols 75 -O ascii -T text/html | \
+		sed -e '$${/^$$/d;}' > $@
+
+CONTRIBUTING: CONTRIBUTING.md
+	${PANDOC} --email-obfuscation=none -s -t html CONTRIBUTING.md | \
+		${W3M} -dump -cols 75 -O ascii -T text/html | \
+		sed -e '$${/^$$/d;}' > $@
+
+unit::
+	sh ${top_builddir}/unit/unittest.sh
+
+clean::

Makefile.tests

@@ -1,28 +0,0 @@
-# Hey Emacs, this is -*- makefile-automake -*- file!
-# vim: filetype=automake
-
-unit-local: check
-
-if HAVE_CMOCKA
-TESTS = $(check_PROGRAMS)
-endif HAVE_CMOCKA
-
-LOG_COMPILER = $(top_builddir)/tests/unit-test-driver.sh
-
-AM_CFLAGS +=					\
-	-I$(top_srcdir)/tests/include		\
-	$(TEST_CFLAGS)
-
-AM_CPPFLAGS +=					\
-	$(CMOCKA_CFLAGS)			\
-	-DNAMED_PLUGINDIR=\"$(pkglibdir)\"	\
-	-DTESTS_DIR=\"$(abs_srcdir)\"
-
-LDADD +=						\
-	$(top_builddir)/tests/libtest/libtest.la	\
-	$(CMOCKA_LIBS)
-
-if HAVE_JEMALLOC
-AM_CFLAGS += $(JEMALLOC_CFLAGS)
-LDADD += $(JEMALLOC_LIBS)
-endif

Makefile.top

@@ -1,73 +0,0 @@
-# Hey Emacs, this is -*- makefile-automake -*- file!
-# vim: filetype=automake
-
-ACLOCAL_AMFLAGS = -I $(top_srcdir)/m4
-
-AM_CFLAGS =					\
-	$(STD_CFLAGS)
-
-AM_CPPFLAGS =					\
-	$(STD_CPPFLAGS)				\
-	-include $(top_builddir)/config.h	\
-	-I$(srcdir)/include
-
-AM_LDFLAGS =					\
-	$(STD_LDFLAGS)
-LDADD =
-
-BUILT_SOURCES =
-CLEANFILES =
-
-if HOST_MACOS
-AM_LDFLAGS +=					\
-	-Wl,-flat_namespace
-endif HOST_MACOS
-
-if HAVE_JEMALLOC
-LIBISC_CFLAGS = $(JEMALLOC_CFLAGS)
-LIBISC_LIBS = $(JEMALLOC_LIBS)
-else
-LIBISC_CFLAGS =
-LIBISC_LIBS =
-endif
-
-LIBISC_CFLAGS +=						\
-	-I$(top_srcdir)/include				\
-	-I$(top_srcdir)/lib/isc/include			\
-	-I$(top_builddir)/lib/isc/include
-
-LIBISC_LIBS += $(top_builddir)/lib/isc/libisc.la
-if HAVE_DTRACE
-LIBISC_DTRACE = $(top_builddir)/lib/isc/probes.lo
-endif
-
-LIBDNS_CFLAGS = \
-	-I$(top_srcdir)/lib/dns/include			\
-	-I$(top_builddir)/lib/dns/include
-
-LIBDNS_LIBS = \
-	$(top_builddir)/lib/dns/libdns.la
-if HAVE_DTRACE
-LIBDNS_DTRACE = $(top_builddir)/lib/dns/probes.lo
-endif
-
-LIBNS_CFLAGS = \
-	-I$(top_srcdir)/lib/ns/include
-
-LIBNS_LIBS = \
-	$(top_builddir)/lib/ns/libns.la
-if HAVE_DTRACE
-LIBNS_DTRACE = $(top_builddir)/lib/ns/probes.lo
-endif
-
-LIBISCCFG_CFLAGS = \
-	-I$(top_srcdir)/lib/isccfg/include
-
-LIBISCCFG_LIBS = \
-	$(top_builddir)/lib/isccfg/libisccfg.la
-
-LIBISCCC_CFLAGS = \
-	-I$(top_srcdir)/lib/isccc/include/
-
-LIBISCCC_LIBS = \
-	$(top_builddir)/lib/isccc/libisccc.la

NEWS

@@ -1 +0,0 @@
-doc/arm/changelog.rst

OPTIONS

@@ -0,0 +1,29 @@
+Setting the STD_CDEFINES environment variable before running configure can
+be used to enable certain compile-time options that are not explicitly
+defined in configure.
+
+Some of these settings are:
+
+         Setting                            Description
+                          Overwrite memory with tag values when allocating
+-DISC_MEM_DEFAULTFILL=1   or freeing it; this impairs performance but
+                          makes debugging of memory problems easier.
+                          Don?t track memory allocations by file and line
+-DISC_MEM_TRACKLINES=0    number; this improves performance but makes
+                          debugging more difficult.
+-DISC_FACILITY=LOG_LOCAL0 Change the default syslog facility for named
+-DNS_CLIENT_DROPPORT=0    Disable dropping queries from particular
+                          well-known ports:
+-DCHECK_SIBLING=0         Don?t check sibling glue in named-checkzone
+-DCHECK_LOCAL=0           Don?t check out-of-zone addresses in
+                          named-checkzone
+-DNS_RUN_PID_DIR=0        Create default PID files in ${localstatedir}/run
+                          rather than ${localstatedir}/run/named/
+                          Increase the maximum number of configurable
+-DNS_RPZ_MAX_ZONES=64     response policy zones from 32 to 64; this is the
+                          highest possible setting
+                          Disable the use of inline functions to implement
+-DISC_BUFFER_USEINLINE=0  the isc_buffer API: this reduces performance but
+                          may be useful when debugging
+-DISC_HEAP_CHECK          Test heap consistency after every heap
+                          operation; used when debugging

OPTIONS.md

@@ -1,28 +1,28 @@
 <!--
-Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
-SPDX-License-Identifier: MPL-2.0
-
-This Source Code Form is subject to the terms of the Mozilla Public
-License, v. 2.0.  If a copy of the MPL was not distributed with this
-file, you can obtain one at https://mozilla.org/MPL/2.0/.
-
-See the COPYRIGHT file distributed with this work for additional
-information regarding copyright ownership.
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
 -->
-Setting the `CPPFLAGS` environment variable before running `configure`
-can be used to enable certain compile-time options that are not
-explicitly defined in `configure`.
+Setting the `STD_CDEFINES` environment variable before running `configure`
+can be used to enable certain compile-time options that are not explicitly
+defined in `configure`.
 
 Some of these settings are:
 
-| Setting                      | Description                                                                                                                            |
-| ---------------------------- | -------------------------------------------------------------------------------------------------------------------------------------- |
-| `-DCHECK_LOCAL=0`            | Don't check out-of-zone addresses in `named-checkzone`                                                                                 |
-| `-DCHECK_SIBLING=0`          | Don't check sibling glue in `named-checkzone`                                                                                          |
-| `-DISC_FACILITY=LOG_LOCAL0`  | Change the default syslog facility for `named`                                                                                         |
-| `-DISC_HEAP_CHECK`           | Test heap consistency after every heap operation; used when debugging                                                                  |
-| `-DISC_MEM_DEFAULTFILL=1`    | Overwrite memory with tag values when allocating or freeing it; this impairs performance but makes debugging of memory problems easier |
-| `-DISC_MEM_TRACKLINES=0`     | Don't track memory allocations by file and line number; this improves performance but makes debugging more difficult                   |
-| `-DNAMED_RUN_PID_DIR=0`      | Create default PID files in `${localstatedir}/run` rather than `${localstatedir}/run/named/`                                           |
-| `-DNS_CLIENT_DROPPORT=0`     | Disable dropping queries from particular well-known ports                                                                              |
+|Setting                            |Description |
+|-----------------------------------|----------------------------------------|
+|`-DISC_MEM_DEFAULTFILL=1`|Overwrite memory with tag values when allocating or freeing it; this impairs performance but makes debugging of memory problems easier.|
+|`-DISC_MEM_TRACKLINES=0`|Don't track memory allocations by file and line number; this improves performance but makes debugging more difficult.|
+|<nobr>`-DISC_FACILITY=LOG_LOCAL0`</nobr>|Change the default syslog facility for `named`|
+|`-DNS_CLIENT_DROPPORT=0`|Disable dropping queries from particular well-known ports:|
+|`-DCHECK_SIBLING=0`|Don't check sibling glue in `named-checkzone`|
+|`-DCHECK_LOCAL=0`|Don't check out-of-zone addresses in `named-checkzone`|
+|`-DNS_RUN_PID_DIR=0`|Create default PID files in `${localstatedir}/run` rather than `${localstatedir}/run/named/`|
+|`-DNS_RPZ_MAX_ZONES=64`|Increase the maximum number of configurable response policy zones from 32 to 64; this is the highest possible setting|
+|`-DISC_BUFFER_USEINLINE=0`|Disable the use of inline functions to implement the `isc_buffer` API: this reduces performance but may be useful when debugging |
+|`-DISC_HEAP_CHECK`|Test heap consistency after every heap operation; used when debugging|

README

@@ -0,0 +1,400 @@
+BIND 9
+
+Contents
+
+ 1. Introduction
+ 2. Reporting bugs and getting help
+ 3. Contributing to BIND
+ 4. BIND 9.12 features
+ 5. Building BIND
+ 6. macOS
+ 7. Dependencies
+ 8. Compile-time options
+ 9. Automated testing
+10. Documentation
+11. Change log
+12. Acknowledgments
+
+Introduction
+
+BIND (Berkeley Internet Name Domain) is a complete, highly portable
+implementation of the DNS (Domain Name System) protocol.
+
+The BIND name server, named, is able to serve as an authoritative name
+server, recursive resolver, DNS forwarder, or all three simultaneously. It
+implements views for split-horizon DNS, automatic DNSSEC zone signing and
+key management, catalog zones to facilitate provisioning of zone data
+throughout a name server constellation, response policy zones (RPZ) to
+protect clients from malicious data, response rate limiting (RRL) and
+recursive query limits to reduce distributed denial of service attacks,
+and many other advanced DNS features. BIND also includes a suite of
+administrative tools, including the dig and delv DNS lookup tools,
+nsupdate for dynamic DNS zone updates, rndc for remote name server
+administration, and more.
+
+BIND 9 is a complete re-write of the BIND architecture that was used in
+versions 4 and 8. Internet Systems Consortium (https://www.isc.org), a 501
+(c)(3) public benefit corporation dedicated to providing software and
+services in support of the Internet infrastructure, developed BIND 9 and
+is responsible for its ongoing maintenance and improvement. BIND is open
+source software licenced under the terms of the Mozilla Public License,
+version 2.0.
+
+For a summary of features introduced in past major releases of BIND, see
+the file HISTORY.
+
+For a detailed list of changes made throughout the history of BIND 9, see
+the file CHANGES. See below for details on the CHANGES file format.
+
+For up-to-date release notes and errata, see http://www.isc.org/software/
+bind9/releasenotes
+
+Reporting bugs and getting help
+
+To report non-security-sensitive bugs or request new features, you may
+open an Issue in the BIND 9 project on the ISC GitLab server at https://
+gitlab.isc.org/isc-projects/bind9.
+
+Please note that, unless you explicitly mark the newly created Issue as
+?confidential?, it will be publicly readable. Please do not include any
+information in bug reports that you consider to be confidential unless the
+issue has been marked as such. In particular, if submitting the contents
+of your configuration file in a non-confidential Issue, it is advisable to
+obscure key secrets: this can be done automatically by using
+named-checkconf -px.
+
+If the bug you are reporting is a potential security issue, such as an
+assertion failure or other crash in named, please do NOT use GitLab to
+report it. Instead, please send mail to security-officer@isc.org.
+
+Professional support and training for BIND are available from ISC at
+https://www.isc.org/support.
+
+To join the BIND Users mailing list, or view the archives, visit https://
+lists.isc.org/mailman/listinfo/bind-users.
+
+If you?re planning on making changes to the BIND 9 source code, you may
+also want to join the BIND Workers mailing list, at https://lists.isc.org/
+mailman/listinfo/bind-workers.
+
+Contributing to BIND
+
+ISC maintains a public git repository for BIND; details can be found at
+http://www.isc.org/git/.
+
+Information for BIND contributors can be found in the following files: -
+General information: doc/dev/contrib.md - BIND 9 code style: doc/dev/
+style.md - BIND architecture and developer guide: doc/dev/dev.md
+
+Patches for BIND may be submitted as Merge Requests in the ISC GitLab
+server at at https://gitlab.isc.org/isc-projects/bind9/merge_requests.
+
+By default, external contributors don?t have ability to fork BIND in the
+GitLab server, but if you wish to contribute code to BIND, you may request
+permission to do so. Thereafter, you can create git branches and directly
+submit requests that they be reviewed and merged.
+
+If you prefer, you may also submit code by opening a GitLab Issue and
+including your patch as an attachment, preferably generated by git
+format-patch.
+
+BIND 9.12 features
+
+BIND 9.12.0 is the newest development branch of BIND 9. It includes a
+number of changes from BIND 9.11 and earlier releases. New features
+include:
+
+  * named and related libraries have been substantially refactored for
+    improved query performance ? particularly on delegation heavy zones ?
+    and for improved readability, maintainability, and testability.
+  * Code implementing the name server query processing logic has been
+    moved into a new libns library, for easier testing and use in tools
+    other than named.
+  * Cached, validated NSEC and other records can now be used to synthesize
+    NXDOMAIN responses.
+  * The DNS Response Policy Service API (DNSRPS) is now supported.
+  * Setting 'max-journal-size default' now limits the size of journal
+    files to twice the size of the zone.
+  * dnstap-read -x prints a hex dump of the wire format of each logged DNS
+    message.
+  * dnstap output files can now be configured to roll automatically when
+    reaching a given size.
+  * Log file timestamps can now also be formatted in ISO 8601 (local) or
+    ISO 8601 (UTC) formats.
+  * Logging channels and dnstap output files can now be configured to use
+    a timestamp as the suffix when rolling to a new file.
+  * 'named-checkconf -l' lists zones found in named.conf.
+  * Added support for the EDNS Padding and Keepalive options.
+  * ?new-zones-directory? option sets the location where the configuration
+    data for zones added by rndc addzone is stored.
+  * The default key algorithm in rndc-confgen is now hmac-sha256.
+  * filter-aaaa-on-v4 and filter-aaaa-on-v6 options are now available by
+    default without a configure option.
+  * The obsolete isc-hmac-fixup command has been removed.
+
+BIND 9.12.1
+
+BIND 9.12.1 is a maintenance release.
+
+BIND 9.12.2
+
+BIND 9.12.2 is a maintenance release, and addresses security
+vulnerabilities disclosed in CVE-2018-5736, CVE-2018-5737 and
+CVE-2018-5738.
+
+BIND 9.12.3
+
+BIND 9.12.3 is a maintenance release, and also addresses CVE-2018-5741 by
+correcting faulty documentation and introducing the following new feature:
+
+  * New krb5-selfsub and ms-selfsub rule types for update-policy
+    statements allow updating of subdomains based on a Kerberos or Active
+    Directory machine principal.
+
+BIND 9.12.4
+
+BIND 9.12.4 is a maintenance release, and addresses the security
+vulnerabilities disclosed in CVE-2018-5744, CVE-2018-5745, and
+CVE-2019-6465.
+
+BIND 9.12.4-P1
+
+BIND 9.12.4-P1 addresses the security vulnerabilities disclosed in
+CVE-2018-5743 and CVE-2019-6467.
+
+Building BIND
+
+BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX
+support, and a 64-bit integer type. Successful builds have been observed
+on many versions of Linux and UNIX, including RedHat, Fedora, Debian,
+Ubuntu, SuSE, Slackware, FreeBSD, NetBSD, OpenBSD, Mac OS X, Solaris,
+HP-UX, AIX, SCO OpenServer, and OpenWRT.
+
+BIND is also available for Windows 2008 and higher. See win32utils/
+readme1st.txt for details on building for Windows systems.
+
+To build on a UNIX or Linux system, use:
+
+    $ ./configure
+    $ make
+
+If you?re planning on making changes to the BIND 9 source, you should run
+make depend. If you?re using Emacs, you might find make tags helpful.
+
+Several environment variables that can be set before running configure
+will affect compilation:
+
+   Variable                            Description
+CC             The C compiler to use. configure tries to figure out the
+               right one for supported systems.
+               C compiler flags. Defaults to include -g and/or -O2 as
+CFLAGS         supported by the compiler. Please include ?-g? if you need
+               to set CFLAGS.
+               System header file directories. Can be used to specify
+STD_CINCLUDES  where add-on thread or IPv6 support is, for example.
+               Defaults to empty string.
+               Any additional preprocessor symbols you want defined.
+STD_CDEFINES   Defaults to empty string. For a list of possible settings,
+               see the file OPTIONS.
+LDFLAGS        Linker flags. Defaults to empty string.
+BUILD_CC       Needed when cross-compiling: the native C compiler to use
+               when building for the target system.
+BUILD_CFLAGS   Optional, used for cross-compiling
+BUILD_CPPFLAGS
+BUILD_LDFLAGS
+BUILD_LIBS
+
+macOS
+
+Building on macOS assumes that the ?Command Tools for Xcode? is installed.
+This can be downloaded from https://developer.apple.com/download/more/ or
+if you have Xcode already installed you can run ?xcode-select ?install?.
+This will add /usr/include to the system and install the compiler and
+other tools so that they can be easily found.
+
+Dependencies
+
+Portions of BIND that are written in Python, including dnssec-keymgr,
+dnssec-coverage, dnssec-checkds, and some of the system tests, require the
+?argparse? and ?ply? modules to be available. ?argparse? is a standard
+module as of Python 2.7 and Python 3.2. ?ply? is available from https://
+pypi.python.org/pypi/ply.
+
+Compile-time options
+
+To see a full list of configuration options, run configure --help.
+
+On most platforms, BIND 9 is built with multithreading support, allowing
+it to take advantage of multiple CPUs. You can configure this by
+specifying --enable-threads or --disable-threads on the configure command
+line. The default is to enable threads, except on some older operating
+systems on which threads are known to have had problems in the past.
+(Note: Prior to BIND 9.10, the default was to disable threads on Linux
+systems; this has now been reversed. On Linux systems, the threaded build
+is known to change BIND?s behavior with respect to file permissions; it
+may be necessary to specify a user with the -u option when running named.)
+
+To build shared libraries, specify --with-libtool on the configure command
+line.
+
+For the server to support DNSSEC, you need to build it with crypto
+support. To use OpenSSL, you should have OpenSSL 1.0.2e or newer
+installed. If the OpenSSL library is installed in a nonstandard location,
+specify the prefix using ??with-openssl=<PREFIX>? on the configure command
+line. To use a PKCS#11 hardware service module for cryptographic
+operations, specify the path to the PKCS#11 provider library using
+??with-pkcs11=<PREFIX>?, and configure BIND with ??enable-native-pkcs11?.
+
+To support the HTTP statistics channel, the server must be linked with at
+least one of the following: libxml2 http://xmlsoft.org or json-c https://
+github.com/json-c. If these are installed at a nonstandard location,
+specify the prefix using --with-libxml2=/prefix or --with-libjson=/prefix.
+
+To support compression on the HTTP statistics channel, the server must be
+linked against libzlib. If this is installed in a nonstandard location,
+specify the prefix using --with-zlib=/prefix.
+
+To support storing configuration data for runtime-added zones in an LMDB
+database, the server must be linked with liblmdb. If this is installed in
+a nonstandard location, specify the prefix using ?with-lmdb=/prefix?.
+
+To support GeoIP location-based ACLs, the server must be linked with
+libGeoIP. This is not turned on by default; BIND must be configured with
+??with-geoip?. If the library is installed in a nonstandard location, use
+specify the prefix using ??with-geoip=/prefix?.
+
+For DNSTAP packet logging, you must have installed libfstrm https://
+github.com/farsightsec/fstrm and libprotobuf-c https://
+developers.google.com/protocol-buffers, and BIND must be configured with
+--enable-dnstap.
+
+Certain compiled-in constants and default settings can be increased to
+values better suited to large servers with abundant memory resources (e.g,
+64-bit servers with 12G or more of memory) by specifying --with-tuning=
+large on the configure command line. This can improve performance on big
+servers, but will consume more memory and may degrade performance on
+smaller systems.
+
+On some platforms it is necessary to explicitly request large file support
+to handle files bigger than 2GB. This can be done by using
+--enable-largefile on the configure command line.
+
+Support for the ?fixed? rrset-order option can be enabled or disabled by
+specifying --enable-fixed-rrset or --disable-fixed-rrset on the configure
+command line. By default, fixed rrset-order is disabled to reduce memory
+footprint.
+
+If your operating system has integrated support for IPv6, it will be used
+automatically. If you have installed KAME IPv6 separately, use --with-kame
+[=PATH] to specify its location.
+
+The --enable-querytrace option causes named to log every step of
+processing every query. This should only be enabled when debugging,
+because it has a significant negative impact on query performance.
+
+make install will install named and the various BIND 9 libraries. By
+default, installation is into /usr/local, but this can be changed with the
+--prefix option when running configure.
+
+You may specify the option --sysconfdir to set the directory where
+configuration files like named.conf go by default, and --localstatedir to
+set the default parent directory of run/named.pid. For backwards
+compatibility with BIND 8, --sysconfdir defaults to /etc and
+--localstatedir defaults to /var if no --prefix option is given. If there
+is a --prefix option, sysconfdir defaults to $prefix/etc and localstatedir
+defaults to $prefix/var.
+
+Automated testing
+
+A system test suite can be run with make test. The system tests require
+you to configure a set of virtual IP addresses on your system (this allows
+multiple servers to run locally and communicate with one another). These
+IP addresses can be configured by running the command bin/tests/system/
+ifconfig.sh up as root.
+
+Some tests require Perl and the Net::DNS and/or IO::Socket::INET6 modules,
+and will be skipped if these are not available. Some tests require Python
+and the ?dnspython? module and will be skipped if these are not available.
+See bin/tests/system/README for further details.
+
+Unit tests are implemented using the CMocka unit testing framework. To
+build them, use configure --with-cmocka. Execution of tests is done by the
+Kyua test execution engine; if the kyua command is available, then unit
+tests can be run via make test or make unit.
+
+Documentation
+
+The BIND 9 Administrator Reference Manual is included with the source
+distribution, in DocBook XML, HTML and PDF format, in the doc/arm
+directory.
+
+Some of the programs in the BIND 9 distribution have man pages in their
+directories. In particular, the command line options of named are
+documented in bin/named/named.8.
+
+Frequently (and not-so-frequently) asked questions and their answers can
+be found in the ISC Knowledge Base at https://kb.isc.org.
+
+Additional information on various subjects can be found in other README
+files throughout the source tree.
+
+Change log
+
+A detailed list of all changes that have been made throughout the
+development BIND 9 is included in the file CHANGES, with the most recent
+changes listed first. Change notes include tags indicating the category of
+the change that was made; these categories are:
+
+   Category                            Description
+[func]         New feature
+[bug]          General bug fix
+[security]     Fix for a significant security flaw
+[experimental] Used for new features when the syntax or other aspects of
+               the design are still in flux and may change
+[port]         Portability enhancement
+[maint]        Updates to built-in data such as root server addresses and
+               keys
+[tuning]       Changes to built-in configuration defaults and constants to
+               improve performance
+[performance]  Other changes to improve server performance
+[protocol]     Updates to the DNS protocol such as new RR types
+[test]         Changes to the automatic tests, not affecting server
+               functionality
+[cleanup]      Minor corrections and refactoring
+[doc]          Documentation
+[contrib]      Changes to the contributed tools and libraries in the
+               ?contrib? subdirectory
+               Used in the master development branch to reserve change
+[placeholder]  numbers for use in other branches, e.g. when fixing a bug
+               that only exists in older releases
+
+In general, [func] and [experimental] tags will only appear in new-feature
+releases (i.e., those with version numbers ending in zero). Some new
+functionality may be backported to older releases on a case-by-case basis.
+All other change types may be applied to all currently-supported releases.
+
+Acknowledgments
+
+  * The original development of BIND 9 was underwritten by the following
+    organizations:
+
+      Sun Microsystems, Inc.
+      Hewlett Packard
+      Compaq Computer Corporation
+      IBM
+      Process Software Corporation
+      Silicon Graphics, Inc.
+      Network Associates, Inc.
+      U.S. Defense Information Systems Agency
+      USENIX Association
+      Stichting NLnet - NLnet Foundation
+      Nominum, Inc.
+
+  * This product includes software developed by the OpenSSL Project for
+    use in the OpenSSL Toolkit. http://www.OpenSSL.org/
+
+  * This product includes cryptographic software written by Eric Young
+    (eay@cryptsoft.com)
+
+  * This product includes software written by Tim Hudson
+    (tjh@cryptsoft.com)

README.md

@@ -1,14 +1,12 @@
 <!--
-Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
-SPDX-License-Identifier: MPL-2.0
-
-This Source Code Form is subject to the terms of the Mozilla Public
-License, v. 2.0.  If a copy of the MPL was not distributed with this
-file, you can obtain one at https://mozilla.org/MPL/2.0/.
-
-See the COPYRIGHT file distributed with this work for additional
-information regarding copyright ownership.
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
 -->
 # BIND 9
 
@@ -17,68 +15,73 @@ information regarding copyright ownership.
 1. [Introduction](#intro)
 1. [Reporting bugs and getting help](#help)
 1. [Contributing to BIND](#contrib)
+1. [BIND 9.12 features](#features)
 1. [Building BIND](#build)
+1. [macOS](#macos)
+1. [Dependencies](#dependencies)
+1. [Compile-time options](#opts)
 1. [Automated testing](#testing)
 1. [Documentation](#doc)
+1. [Change log](#changes)
 1. [Acknowledgments](#ack)
 
 ### <a name="intro"/> Introduction
 
 BIND (Berkeley Internet Name Domain) is a complete, highly portable
-implementation of the Domain Name System (DNS) protocol.
+implementation of the DNS (Domain Name System) protocol.
 
-The BIND name server, `named`, can act as an authoritative name
-server, recursive resolver, DNS forwarder, or all three simultaneously. It
+The BIND name server, `named`, is able to serve as an authoritative name
+server, recursive resolver, DNS forwarder, or all three simultaneously.  It
 implements views for split-horizon DNS, automatic DNSSEC zone signing and
 key management, catalog zones to facilitate provisioning of zone data
 throughout a name server constellation, response policy zones (RPZ) to
 protect clients from malicious data, response rate limiting (RRL) and
 recursive query limits to reduce distributed denial of service attacks,
-and many other advanced DNS features. BIND also includes a suite of
+and many other advanced DNS features.  BIND also includes a suite of
 administrative tools, including the `dig` and `delv` DNS lookup tools,
 `nsupdate` for dynamic DNS zone updates, `rndc` for remote name server
 administration, and more.
 
-BIND 9 began as a complete rewrite of the BIND architecture that was
-used in versions 4 and 8.  Internet Systems Consortium
-([https://www.isc.org](https://www.isc.org)), a 501(c)(3) US public benefit
+BIND 9 is a complete re-write of the BIND architecture that was used in
+versions 4 and 8.  Internet Systems Consortium
+([https://www.isc.org](https://www.isc.org)), a 501(c)(3) public benefit
 corporation dedicated to providing software and services in support of the
 Internet infrastructure, developed BIND 9 and is responsible for its
-ongoing maintenance and improvement. BIND is open source software
-licensed under the terms of the Mozilla Public License, version 2.0.
+ongoing maintenance and improvement.  BIND is open source software
+licenced under the terms of the Mozilla Public License, version 2.0.
+
+For a summary of features introduced in past major releases of BIND,
+see the file [HISTORY](HISTORY.md).
 
 For a detailed list of changes made throughout the history of BIND 9, see
-the [changelog](doc/arm/changelog.rst).
+the file [CHANGES](CHANGES). See [below](#changes) for details on the
+CHANGES file format.
 
-For up-to-date versions and release notes, see
-[https://www.isc.org/download/](https://www.isc.org/download/).
-
-For information about supported platforms, see the
-["Supported Platforms"](doc/arm/platforms.rst) section in the BIND 9
-Administrator Reference Manual.
+For up-to-date release notes and errata, see
+[http://www.isc.org/software/bind9/releasenotes](http://www.isc.org/software/bind9/releasenotes)
 
 ### <a name="help"/> Reporting bugs and getting help
 
 To report non-security-sensitive bugs or request new features, you may
-open an issue in the BIND 9 project on the
+open an Issue in the BIND 9 project on the
 [ISC GitLab server](https://gitlab.isc.org) at
 [https://gitlab.isc.org/isc-projects/bind9](https://gitlab.isc.org/isc-projects/bind9).
 
-Please note that, unless you explicitly mark the newly created issue as
-"confidential," it will be publicly readable. Please do not include any
+Please note that, unless you explicitly mark the newly created Issue as
+"confidential", it will be publicly readable.  Please do not include any
 information in bug reports that you consider to be confidential unless
-the issue has been marked as such. In particular, if submitting the
-contents of your configuration file in a non-confidential issue, it is
-advisable to obscure key secrets; this can be done automatically by
+the issue has been marked as such.  In particular, if submitting the
+contents of your configuration file in a non-confidential Issue, it is
+advisable to obscure key secrets: this can be done automatically by
 using `named-checkconf -px`.
 
-For information about ISC's Security Vulnerability Disclosure Policy and
-information about reporting potential security issues, please see
-`SECURITY.md`.
+If the bug you are reporting is a potential security issue, such as an
+assertion failure or other crash in `named`, please do *NOT* use GitLab to
+report it. Instead, please send mail to
+[security-officer@isc.org](mailto:security-officer@isc.org).
 
 Professional support and training for BIND are available from
-ISC. Contact us at [https://www.isc.org/contact](https://www.isc.org/contact)
-for more information.
+ISC at [https://www.isc.org/support](https://www.isc.org/support).
 
 To join the __BIND Users__ mailing list, or view the archives, visit
 [https://lists.isc.org/mailman/listinfo/bind-users](https://lists.isc.org/mailman/listinfo/bind-users).
@@ -90,95 +93,295 @@ may also want to join the __BIND Workers__ mailing list, at
 ### <a name="contrib"/> Contributing to BIND
 
 ISC maintains a public git repository for BIND; details can be found
-at [https://www.isc.org/sourceaccess/](https://www.isc.org/sourceaccess/).
+at [http://www.isc.org/git/](http://www.isc.org/git/).
 
 Information for BIND contributors can be found in the following files:
-- General information: [CONTRIBUTING.md](CONTRIBUTING.md)
-- Code of Conduct: [CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md)
+- General information: [doc/dev/contrib.md](doc/dev/contrib.md)
 - BIND 9 code style: [doc/dev/style.md](doc/dev/style.md)
 - BIND architecture and developer guide: [doc/dev/dev.md](doc/dev/dev.md)
 
 Patches for BIND may be submitted as
-[merge requests](https://gitlab.isc.org/isc-projects/bind9/merge_requests)
-on the [ISC GitLab server](https://gitlab.isc.org).
+[Merge Requests](https://gitlab.isc.org/isc-projects/bind9/merge_requests)
+in the [ISC GitLab server](https://gitlab.isc.org) at
+at [https://gitlab.isc.org/isc-projects/bind9/merge_requests](https://gitlab.isc.org/isc-projects/bind9/merge_requests).
 
-By default, external contributors do not have the ability to fork BIND on the
-GitLab server; if you wish to contribute code to BIND, you may request
+By default, external contributors don't have ability to fork BIND in the
+GitLab server, but if you wish to contribute code to BIND, you may request
 permission to do so. Thereafter, you can create git branches and directly
 submit requests that they be reviewed and merged.
 
 If you prefer, you may also submit code by opening a
-[GitLab issue](https://gitlab.isc.org/isc-projects/bind9/issues) and
+[GitLab Issue](https://gitlab.isc.org/isc-projects/bind9/issues) and
 including your patch as an attachment, preferably generated by
 `git format-patch`.
 
-### <a name="build"/> Building BIND 9
+### <a name="features"/> BIND 9.12 features
 
-For information about building BIND 9, see the
-["Building BIND 9"](doc/arm/build.inc.rst) section in the BIND 9
-Administrator Reference Manual.
+BIND 9.12.0 is the newest development branch of BIND 9. It includes a
+number of changes from BIND 9.11 and earlier releases.  New features
+include:
+
+* `named` and related libraries have been substantially refactored for
+  improved query performance -- particularly on delegation heavy zones -- 
+  and for improved readability, maintainability, and testability.
+* Code implementing the name server query processing logic has been moved
+  into a new `libns` library, for easier testing and use in tools other
+  than `named`.
+* Cached, validated NSEC and other records can now be used to synthesize
+  NXDOMAIN responses.
+* The DNS Response Policy Service API (DNSRPS) is now supported.
+* Setting `'max-journal-size default'` now limits the size of journal files
+  to twice the size of the zone.
+* `dnstap-read -x` prints a hex dump of the wire format of each logged
+  DNS message.
+* `dnstap` output files can now be configured to roll automatically when
+  reaching a given size.
+* Log file timestamps can now also be formatted in ISO 8601 (local) or ISO
+  8601 (UTC) formats.
+* Logging channels and `dnstap` output files can now be configured to use a
+  timestamp as the suffix when rolling to a new file.
+* `'named-checkconf -l'` lists zones found in `named.conf`.
+* Added support for the EDNS Padding and Keepalive options.
+* 'new-zones-directory' option sets the location where the configuration
+  data for zones added by rndc addzone is stored.
+* The default key algorithm in `rndc-confgen` is now hmac-sha256.
+* `filter-aaaa-on-v4` and `filter-aaaa-on-v6` options are now available
+  by default without a configure option.
+* The obsolete `isc-hmac-fixup` command has been removed.
+
+#### BIND 9.12.1
+
+BIND 9.12.1 is a maintenance release.
+
+#### BIND 9.12.2
+
+BIND 9.12.2 is a maintenance release, and addresses security
+vulnerabilities disclosed in CVE-2018-5736, CVE-2018-5737 and
+CVE-2018-5738.
+
+#### BIND 9.12.3
+
+BIND 9.12.3 is a maintenance release, and also addresses CVE-2018-5741
+by correcting faulty documentation and introducing the following new
+feature:
+
+* New `krb5-selfsub` and `ms-selfsub` rule types for `update-policy`
+  statements allow updating of subdomains based on a Kerberos or
+  Active Directory machine principal.
+
+#### BIND 9.12.4
+
+BIND 9.12.4 is a maintenance release, and addresses the security
+vulnerabilities disclosed in CVE-2018-5744, CVE-2018-5745, and
+CVE-2019-6465.
+
+#### BIND 9.12.4-P1
+
+BIND 9.12.4-P1 addresses the security vulnerabilities disclosed in
+CVE-2018-5743 and CVE-2019-6467.
+
+### <a name="build"/> Building BIND
+
+BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX
+support, and a 64-bit integer type. Successful builds have been observed on
+many versions of Linux and UNIX, including RedHat, Fedora, Debian, Ubuntu,
+SuSE, Slackware, FreeBSD, NetBSD, OpenBSD, Mac OS X, Solaris, HP-UX, AIX,
+SCO OpenServer, and OpenWRT. 
+
+BIND is also available for Windows 2008 and higher.  See
+`win32utils/readme1st.txt` for details on building for Windows
+systems.
+
+To build on a UNIX or Linux system, use:
+
+		$ ./configure
+		$ make
+
+If you're planning on making changes to the BIND 9 source, you should run
+`make depend`.  If you're using Emacs, you might find `make tags` helpful.
+
+Several environment variables that can be set before running `configure` will
+affect compilation:
+
+|Variable|Description |
+|--------------------|-----------------------------------------------|
+|`CC`|The C compiler to use.  `configure` tries to figure out the right one for supported systems.|
+|`CFLAGS`|C compiler flags.  Defaults to include -g and/or -O2 as supported by the compiler.  Please include '-g' if you need to set `CFLAGS`. |
+|`STD_CINCLUDES`|System header file directories.  Can be used to specify where add-on thread or IPv6 support is, for example.  Defaults to empty string.|
+|`STD_CDEFINES`|Any additional preprocessor symbols you want defined.  Defaults to empty string. For a list of possible settings, see the file [OPTIONS](OPTIONS.md).|
+|`LDFLAGS`|Linker flags. Defaults to empty string.|
+|`BUILD_CC`|Needed when cross-compiling: the native C compiler to use when building for the target system.|
+|`BUILD_CFLAGS`|Optional, used for cross-compiling|
+|`BUILD_CPPFLAGS`||
+|`BUILD_LDFLAGS`||
+|`BUILD_LIBS`||
+
+#### <a name="macos"> macOS
+
+Building on macOS assumes that the "Command Tools for Xcode" is installed.
+This can be downloaded from https://developer.apple.com/download/more/
+or if you have Xcode already installed you can run "xcode-select --install".
+This will add /usr/include to the system and install the compiler and other
+tools so that they can be easily found.
+
+### <a name="dependencies"/> Dependencies
+
+Portions of BIND that are written in Python, including
+`dnssec-keymgr`, `dnssec-coverage`, `dnssec-checkds`, and some of the
+system tests, require the 'argparse' and 'ply' modules to be available.
+'argparse' is a standard module as of Python 2.7 and Python 3.2.
+'ply' is available from [https://pypi.python.org/pypi/ply](https://pypi.python.org/pypi/ply).
+
+#### <a name="opts"/> Compile-time options
+
+To see a full list of configuration options, run `configure --help`.
+
+On most platforms, BIND 9 is built with multithreading support, allowing it
+to take advantage of multiple CPUs.  You can configure this by specifying
+`--enable-threads` or `--disable-threads` on the `configure` command line.
+The default is to enable threads, except on some older operating systems on
+which threads are known to have had problems in the past.  (Note: Prior to
+BIND 9.10, the default was to disable threads on Linux systems; this has
+now been reversed.  On Linux systems, the threaded build is known to change
+BIND's behavior with respect to file permissions; it may be necessary to
+specify a user with the -u option when running `named`.)
+
+To build shared libraries, specify `--with-libtool` on the `configure`
+command line.
+
+For the server to support DNSSEC, you need to build it with crypto support.
+To use OpenSSL, you should have OpenSSL 1.0.2e or newer installed.  If the
+OpenSSL library is installed in a nonstandard location, specify the prefix
+using "--with-openssl=&lt;PREFIX&gt;" on the configure command line. To use a
+PKCS#11 hardware service module for cryptographic operations, specify the
+path to the PKCS#11 provider library using "--with-pkcs11=&lt;PREFIX&gt;", and
+configure BIND with "--enable-native-pkcs11".
+
+To support the HTTP statistics channel, the server must be linked with at
+least one of the following: libxml2
+[http://xmlsoft.org](http://xmlsoft.org) or json-c
+[https://github.com/json-c](https://github.com/json-c).  If these are
+installed at a nonstandard location, specify the prefix using
+`--with-libxml2=/prefix` or `--with-libjson=/prefix`.
+
+To support compression on the HTTP statistics channel, the server must be
+linked against libzlib.  If this is installed in a nonstandard location,
+specify the prefix using `--with-zlib=/prefix`.
+
+To support storing configuration data for runtime-added zones in an LMDB
+database, the server must be linked with liblmdb. If this is installed in a
+nonstandard location, specify the prefix using "with-lmdb=/prefix".
+
+To support GeoIP location-based ACLs, the server must be linked with
+libGeoIP. This is not turned on by default; BIND must be configured with
+"--with-geoip". If the library is installed in a nonstandard location, use
+specify the prefix using "--with-geoip=/prefix".
+
+For DNSTAP packet logging, you must have installed libfstrm
+[https://github.com/farsightsec/fstrm](https://github.com/farsightsec/fstrm)
+and libprotobuf-c
+[https://developers.google.com/protocol-buffers](https://developers.google.com/protocol-buffers),
+and BIND must be configured with `--enable-dnstap`.
+
+Certain compiled-in constants and default settings can be increased to
+values better suited to large servers with abundant memory resources (e.g,
+64-bit servers with 12G or more of memory) by specifying
+`--with-tuning=large` on the `configure` command line. This can improve
+performance on big servers, but will consume more memory and may degrade
+performance on smaller systems.
+
+On some platforms it is necessary to explicitly request large file support
+to handle files bigger than 2GB.  This can be done by using
+`--enable-largefile` on the `configure` command line.
+
+Support for the "fixed" rrset-order option can be enabled or disabled by
+specifying `--enable-fixed-rrset` or `--disable-fixed-rrset` on the
+configure command line.  By default, fixed rrset-order is disabled to
+reduce memory footprint.
+
+If your operating system has integrated support for IPv6, it will be used
+automatically.  If you have installed KAME IPv6 separately, use
+`--with-kame[=PATH]` to specify its location.
+
+The `--enable-querytrace` option causes `named` to log every step of
+processing every query. This should only be enabled when debugging, because
+it has a significant negative impact on query performance.
+
+`make install` will install `named` and the various BIND 9 libraries.  By
+default, installation is into /usr/local, but this can be changed with the
+`--prefix` option when running `configure`.
+
+You may specify the option `--sysconfdir` to set the directory where
+configuration files like `named.conf` go by default, and `--localstatedir`
+to set the default parent directory of `run/named.pid`.   For backwards
+compatibility with BIND 8, `--sysconfdir` defaults to `/etc` and
+`--localstatedir` defaults to `/var` if no `--prefix` option is given.  If
+there is a `--prefix` option, sysconfdir defaults to `$prefix/etc` and
+localstatedir defaults to `$prefix/var`.
 
 ### <a name="testing"/> Automated testing
 
-A system test suite can be run with `make check`. The system tests require
+A system test suite can be run with `make test`.  The system tests require
 you to configure a set of virtual IP addresses on your system (this allows
-multiple servers to run locally and communicate with each other). These
+multiple servers to run locally and communicate with one another).  These
 IP addresses can be configured by running the command
 `bin/tests/system/ifconfig.sh up` as root.
 
-Some tests require Perl and the `Net::DNS` and/or `IO::Socket::IP` modules,
-and are skipped if these are not available. Some tests require Python
-and the `dnspython` module and are skipped if these are not available.
+Some tests require Perl and the Net::DNS and/or IO::Socket::INET6 modules,
+and will be skipped if these are not available. Some tests require Python
+and the 'dnspython' module and will be skipped if these are not available.
 See bin/tests/system/README for further details.
 
-Unit tests are implemented using the CMocka unit testing framework. To build
-them, use `configure --with-cmocka`. Execution of tests is done by the automake
-parallel test driver; unit tests are also run by `make check`.
+Unit tests are implemented using the CMocka unit testing framework.
+To build them, use `configure --with-cmocka`. Execution of tests is done
+by the Kyua test execution engine; if the `kyua` command is available,
+then unit tests can be run via `make test` or `make unit`.
 
 ### <a name="doc"/> Documentation
 
-The *BIND 9 Administrator Reference Manual* (ARM) is included with the source
-distribution, and in .rst format, in the `doc/arm`
-directory. The HTML version is automatically generated and can
-be viewed at [https://bind9.readthedocs.io/en/latest/index.html](https://bind9.readthedocs.io/en/latest/index.html).
+The *BIND 9 Administrator Reference Manual* is included with the source
+distribution, in DocBook XML, HTML and PDF format, in the `doc/arm`
+directory.
 
-The PDF version can be built by running:
-
-    cd doc/arm/
-    sphinx-build -b latex . pdf/
-    make -C pdf/ all-pdf
-
-The above requires TeX Live in order to work. The PDF will be written to
-`doc/arm/pdf/Bv9ARM.pdf`.
-
-Man pages for some of the programs in the BIND 9 distribution
-are also included in the BIND ARM.
+Some of the programs in the BIND 9 distribution have man pages in their
+directories.  In particular, the command line options of `named` are
+documented in `bin/named/named.8`.
 
 Frequently (and not-so-frequently) asked questions and their answers
-can be found in the ISC Knowledgebase at
+can be found in the ISC Knowledge Base at
 [https://kb.isc.org](https://kb.isc.org).
 
 Additional information on various subjects can be found in other
 `README` files throughout the source tree.
 
-#### Bug report identifiers
+### <a name="changes"/> Change log
 
-Most notes in the ARM Changelog appendix include a reference to a bug report or
-issue number. Prior to 2018, these were usually of the form `[RT #NNN]`
-and referred to entries in the "bind9-bugs" RT database, which was not open
-to the public. More recent entries use the form `[GL #NNN]` or, less often,
-`[GL !NNN]`, which, respectively, refer to issues or merge requests in the
-GitLab database. Most of these are publicly readable, unless they include
-information which is confidential or security-sensitive.
+A detailed list of all changes that have been made throughout the
+development BIND 9 is included in the file CHANGES, with the most recent
+changes listed first.  Change notes include tags indicating the category of
+the change that was made; these categories are:
 
-To look up a GitLab issue by its number, use the URL
-[https://gitlab.isc.org/isc-projects/bind9/issues/NNN](https://gitlab.isc.org/isc-projects/bind9/issues).
-To look up a merge request, use
-[https://gitlab.isc.org/isc-projects/bind9/merge_requests/NNN](https://gitlab.isc.org/isc-projects/bind9/merge_requests).
+|Category	|Description	        			|
+|--------------	|-----------------------------------------------|
+| [func] | New feature |
+| [bug] | General bug fix |
+| [security] | Fix for a significant security flaw |
+| [experimental] | Used for new features when the syntax or other aspects of the design are still in flux and may change |
+| [port] | Portability enhancement |
+| [maint] | Updates to built-in data such as root server addresses and keys |
+| [tuning] | Changes to built-in configuration defaults and constants to improve performance |
+| [performance] | Other changes to improve server performance |
+| [protocol] | Updates to the DNS protocol such as new RR types |
+| [test] | Changes to the automatic tests, not affecting server functionality |
+| [cleanup] | Minor corrections and refactoring |
+| [doc] | Documentation |
+| [contrib] | Changes to the contributed tools and libraries in the 'contrib' subdirectory |
+| [placeholder] | Used in the master development branch to reserve change numbers for use in other branches, e.g. when fixing a bug that only exists in older releases |
 
-In rare cases, an issue or merge request number may be followed with the
-letter "P". This indicates that the information is in the private ISC
-GitLab instance, which is not visible to the public.
+In general, [func] and [experimental] tags will only appear in new-feature
+releases (i.e., those with version numbers ending in zero).  Some new
+functionality may be backported to older releases on a case-by-case basis.
+All other change types may be applied to all currently-supported releases.
 
 ### <a name="ack"/> Acknowledgments
 
@@ -199,7 +402,7 @@ GitLab instance, which is not visible to the public.
 
 * This product includes software developed by the OpenSSL Project for use
   in the OpenSSL Toolkit.
-  [https://www.OpenSSL.org/](https://www.OpenSSL.org/)
+  [http://www.OpenSSL.org/](http://www.OpenSSL.org/)
 * This product includes cryptographic software written by Eric Young
-  (eay@cryptsoft.com).
-* This product includes software written by Tim Hudson (tjh@cryptsoft.com).
+  (eay@cryptsoft.com)
+* This product includes software written by Tim Hudson (tjh@cryptsoft.com)

SECURITY.md

@@ -1,35 +0,0 @@
-<!--
-Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
-SPDX-License-Identifier: MPL-2.0
-
-This Source Code Form is subject to the terms of the Mozilla Public
-License, v. 2.0.  If a copy of the MPL was not distributed with this
-file, you can obtain one at https://mozilla.org/MPL/2.0/.
-
-See the COPYRIGHT file distributed with this work for additional
-information regarding copyright ownership.
--->
-# Security Policy
-
-ISC's Security Vulnerability Disclosure Policy is documented in the
-relevant [ISC Knowledgebase article][1].
-
-## Reporting possible security issues
-
-If you think you may be seeing a potential security vulnerability in
-BIND (for example, a crash with a REQUIRE, INSIST, or ASSERT failure),
-please report it immediately by [opening a confidential GitLab issue][2]
-(preferred) or emailing bind-security@isc.org.
-
-Please do not discuss undisclosed security vulnerabilities on any public
-mailing list. ISC has a long history of handling reported
-vulnerabilities promptly and effectively and we respect and acknowledge
-responsible reporters.
-
-If you have a crash, you may want to consult the Knowledgebase article
-entitled ["What to do if your BIND or DHCP server has crashed"][3].
-
-[1]: https://kb.isc.org/docs/aa-00861
-[2]: https://gitlab.isc.org/isc-projects/bind9/-/issues/new?issue[confidential]=true&issuable_template=Bug
-[3]: https://kb.isc.org/docs/aa-00340

acconfig.h

@@ -0,0 +1,137 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+/***
+ *** This file is not to be included by any public header files, because
+ *** it does not get installed.
+ ***/
+@TOP@
+
+/** define on DEC OSF to enable 4.4BSD style sa_len support */
+#undef _SOCKADDR_LEN
+
+/** define if your system needs pthread_init() before using pthreads */
+#undef NEED_PTHREAD_INIT
+
+/** define if your system has sigwait() */
+#undef HAVE_SIGWAIT
+
+/** define if sigwait() is the UnixWare flavor */
+#undef HAVE_UNIXWARE_SIGWAIT
+
+/** define on Solaris to get sigwait() to work using pthreads semantics */
+#undef _POSIX_PTHREAD_SEMANTICS
+
+/** define if LinuxThreads is in use */
+#undef HAVE_LINUXTHREADS
+
+/** define if sysconf() is available */
+#undef HAVE_SYSCONF
+
+/** define if sysctlbyname() is available */
+#undef HAVE_SYSCTLBYNAME
+
+/** define if catgets() is available */
+#undef HAVE_CATGETS
+
+/** define if getifaddrs() exists */
+#undef HAVE_GETIFADDRS
+
+/** define if you have the NET_RT_IFLIST sysctl variable and sys/sysctl.h */
+#undef HAVE_IFLIST_SYSCTL
+
+/** define if tzset() is available */
+#undef HAVE_TZSET
+
+/** define if struct addrinfo exists */
+#undef HAVE_ADDRINFO
+
+/** define if getaddrinfo() exists */
+#undef HAVE_GETADDRINFO
+
+/** define if gai_strerror() exists */
+#undef HAVE_GAISTRERROR
+
+/**
+ * define if pthread_setconcurrency() should be called to tell the
+ * OS how many threads we might want to run.
+ */
+#undef CALL_PTHREAD_SETCONCURRENCY
+
+/** define if IPv6 is not disabled */
+#undef WANT_IPV6
+
+/** define if flockfile() is available */
+#undef HAVE_FLOCKFILE
+
+/** define if getc_unlocked() is available */
+#undef HAVE_GETCUNLOCKED
+
+/** Shut up warnings about sputaux in stdio.h on BSD/OS pre-4.1 */
+#undef SHUTUP_SPUTAUX
+#ifdef SHUTUP_SPUTAUX
+struct __sFILE;
+extern __inline int __sputaux(int _c, struct __sFILE *_p);
+#endif
+
+/** Shut up warnings about missing sigwait prototype on BSD/OS 4.0* */
+#undef SHUTUP_SIGWAIT
+#ifdef SHUTUP_SIGWAIT
+int sigwait(const unsigned int *set, int *sig);
+#endif
+
+/** Shut up warnings from gcc -Wcast-qual on BSD/OS 4.1. */
+#undef SHUTUP_STDARG_CAST
+#if defined(SHUTUP_STDARG_CAST) && defined(__GNUC__)
+#include <stdarg.h>		/** Grr.  Must be included *every time*. */
+/**
+ * The silly continuation line is to keep configure from
+ * commenting out the #undef.
+ */
+
+#undef \
+	va_start
+#define	va_start(ap, last) \
+	do { \
+		union { const void *konst; long *var; } _u; \
+		_u.konst = &(last); \
+		ap = (va_list)(_u.var + __va_words(__typeof(last))); \
+	} while (0)
+#endif /** SHUTUP_STDARG_CAST && __GNUC__ */
+
+/** define if the system has a random number generating device */
+#undef PATH_RANDOMDEV
+
+/** define if pthread_attr_getstacksize() is available */
+#undef HAVE_PTHREAD_ATTR_GETSTACKSIZE
+
+/** define if pthread_attr_setstacksize() is available */
+#undef HAVE_PTHREAD_ATTR_SETSTACKSIZE
+
+/** define if you have strerror in the C library. */
+#undef HAVE_STRERROR
+
+/* Define if OpenSSL includes DSA support */
+#undef HAVE_OPENSSL_DSA
+
+/* Define if you have getpassphrase in the C library. */
+#undef HAVE_GETPASSPHRASE
+
+/* Define to the length type used by the socket API (socklen_t, size_t, int). */
+#undef ISC_SOCKADDR_LEN_T
+
+/* Define if threads need PTHREAD_SCOPE_SYSTEM */
+#undef NEED_PTHREAD_SCOPE_SYSTEM
+
+/* Define to 1 if you have the uname library function. */
+#undef HAVE_UNAME

aclocal.m4

@@ -0,0 +1,295 @@
+# generated automatically by aclocal 1.16.1 -*- Autoconf -*-
+
+# Copyright (C) 1996-2018 Free Software Foundation, Inc.
+
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+m4_ifndef([AC_CONFIG_MACRO_DIRS], [m4_defun([_AM_CONFIG_MACRO_DIRS], [])m4_defun([AC_CONFIG_MACRO_DIRS], [_AM_CONFIG_MACRO_DIRS($@)])])
+# pkg.m4 - Macros to locate and utilise pkg-config.   -*- Autoconf -*-
+# serial 12 (pkg-config-0.29.2)
+
+dnl Copyright © 2004 Scott James Remnant <scott@netsplit.com>.
+dnl Copyright © 2012-2015 Dan Nicholson <dbn.lists@gmail.com>
+dnl
+dnl This program is free software; you can redistribute it and/or modify
+dnl it under the terms of the GNU General Public License as published by
+dnl the Free Software Foundation; either version 2 of the License, or
+dnl (at your option) any later version.
+dnl
+dnl This program is distributed in the hope that it will be useful, but
+dnl WITHOUT ANY WARRANTY; without even the implied warranty of
+dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+dnl General Public License for more details.
+dnl
+dnl You should have received a copy of the GNU General Public License
+dnl along with this program; if not, write to the Free Software
+dnl Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+dnl 02111-1307, USA.
+dnl
+dnl As a special exception to the GNU General Public License, if you
+dnl distribute this file as part of a program that contains a
+dnl configuration script generated by Autoconf, you may include it under
+dnl the same distribution terms that you use for the rest of that
+dnl program.
+
+dnl PKG_PREREQ(MIN-VERSION)
+dnl -----------------------
+dnl Since: 0.29
+dnl
+dnl Verify that the version of the pkg-config macros are at least
+dnl MIN-VERSION. Unlike PKG_PROG_PKG_CONFIG, which checks the user's
+dnl installed version of pkg-config, this checks the developer's version
+dnl of pkg.m4 when generating configure.
+dnl
+dnl To ensure that this macro is defined, also add:
+dnl m4_ifndef([PKG_PREREQ],
+dnl     [m4_fatal([must install pkg-config 0.29 or later before running autoconf/autogen])])
+dnl
+dnl See the "Since" comment for each macro you use to see what version
+dnl of the macros you require.
+m4_defun([PKG_PREREQ],
+[m4_define([PKG_MACROS_VERSION], [0.29.2])
+m4_if(m4_version_compare(PKG_MACROS_VERSION, [$1]), -1,
+    [m4_fatal([pkg.m4 version $1 or higher is required but ]PKG_MACROS_VERSION[ found])])
+])dnl PKG_PREREQ
+
+dnl PKG_PROG_PKG_CONFIG([MIN-VERSION])
+dnl ----------------------------------
+dnl Since: 0.16
+dnl
+dnl Search for the pkg-config tool and set the PKG_CONFIG variable to
+dnl first found in the path. Checks that the version of pkg-config found
+dnl is at least MIN-VERSION. If MIN-VERSION is not specified, 0.9.0 is
+dnl used since that's the first version where most current features of
+dnl pkg-config existed.
+AC_DEFUN([PKG_PROG_PKG_CONFIG],
+[m4_pattern_forbid([^_?PKG_[A-Z_]+$])
+m4_pattern_allow([^PKG_CONFIG(_(PATH|LIBDIR|SYSROOT_DIR|ALLOW_SYSTEM_(CFLAGS|LIBS)))?$])
+m4_pattern_allow([^PKG_CONFIG_(DISABLE_UNINSTALLED|TOP_BUILD_DIR|DEBUG_SPEW)$])
+AC_ARG_VAR([PKG_CONFIG], [path to pkg-config utility])
+AC_ARG_VAR([PKG_CONFIG_PATH], [directories to add to pkg-config's search path])
+AC_ARG_VAR([PKG_CONFIG_LIBDIR], [path overriding pkg-config's built-in search path])
+
+if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then
+	AC_PATH_TOOL([PKG_CONFIG], [pkg-config])
+fi
+if test -n "$PKG_CONFIG"; then
+	_pkg_min_version=m4_default([$1], [0.9.0])
+	AC_MSG_CHECKING([pkg-config is at least version $_pkg_min_version])
+	if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then
+		AC_MSG_RESULT([yes])
+	else
+		AC_MSG_RESULT([no])
+		PKG_CONFIG=""
+	fi
+fi[]dnl
+])dnl PKG_PROG_PKG_CONFIG
+
+dnl PKG_CHECK_EXISTS(MODULES, [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND])
+dnl -------------------------------------------------------------------
+dnl Since: 0.18
+dnl
+dnl Check to see whether a particular set of modules exists. Similar to
+dnl PKG_CHECK_MODULES(), but does not set variables or print errors.
+dnl
+dnl Please remember that m4 expands AC_REQUIRE([PKG_PROG_PKG_CONFIG])
+dnl only at the first occurence in configure.ac, so if the first place
+dnl it's called might be skipped (such as if it is within an "if", you
+dnl have to call PKG_CHECK_EXISTS manually
+AC_DEFUN([PKG_CHECK_EXISTS],
+[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
+if test -n "$PKG_CONFIG" && \
+    AC_RUN_LOG([$PKG_CONFIG --exists --print-errors "$1"]); then
+  m4_default([$2], [:])
+m4_ifvaln([$3], [else
+  $3])dnl
+fi])
+
+dnl _PKG_CONFIG([VARIABLE], [COMMAND], [MODULES])
+dnl ---------------------------------------------
+dnl Internal wrapper calling pkg-config via PKG_CONFIG and setting
+dnl pkg_failed based on the result.
+m4_define([_PKG_CONFIG],
+[if test -n "$$1"; then
+    pkg_cv_[]$1="$$1"
+ elif test -n "$PKG_CONFIG"; then
+    PKG_CHECK_EXISTS([$3],
+                     [pkg_cv_[]$1=`$PKG_CONFIG --[]$2 "$3" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes ],
+		     [pkg_failed=yes])
+ else
+    pkg_failed=untried
+fi[]dnl
+])dnl _PKG_CONFIG
+
+dnl _PKG_SHORT_ERRORS_SUPPORTED
+dnl ---------------------------
+dnl Internal check to see if pkg-config supports short errors.
+AC_DEFUN([_PKG_SHORT_ERRORS_SUPPORTED],
+[AC_REQUIRE([PKG_PROG_PKG_CONFIG])
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
+else
+        _pkg_short_errors_supported=no
+fi[]dnl
+])dnl _PKG_SHORT_ERRORS_SUPPORTED
+
+
+dnl PKG_CHECK_MODULES(VARIABLE-PREFIX, MODULES, [ACTION-IF-FOUND],
+dnl   [ACTION-IF-NOT-FOUND])
+dnl --------------------------------------------------------------
+dnl Since: 0.4.0
+dnl
+dnl Note that if there is a possibility the first call to
+dnl PKG_CHECK_MODULES might not happen, you should be sure to include an
+dnl explicit call to PKG_PROG_PKG_CONFIG in your configure.ac
+AC_DEFUN([PKG_CHECK_MODULES],
+[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
+AC_ARG_VAR([$1][_CFLAGS], [C compiler flags for $1, overriding pkg-config])dnl
+AC_ARG_VAR([$1][_LIBS], [linker flags for $1, overriding pkg-config])dnl
+
+pkg_failed=no
+AC_MSG_CHECKING([for $2])
+
+_PKG_CONFIG([$1][_CFLAGS], [cflags], [$2])
+_PKG_CONFIG([$1][_LIBS], [libs], [$2])
+
+m4_define([_PKG_TEXT], [Alternatively, you may set the environment variables $1[]_CFLAGS
+and $1[]_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.])
+
+if test $pkg_failed = yes; then
+        AC_MSG_RESULT([no])
+        _PKG_SHORT_ERRORS_SUPPORTED
+        if test $_pkg_short_errors_supported = yes; then
+	        $1[]_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "$2" 2>&1`
+        else
+	        $1[]_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "$2" 2>&1`
+        fi
+	# Put the nasty error message in config.log where it belongs
+	echo "$$1[]_PKG_ERRORS" >&AS_MESSAGE_LOG_FD
+
+	m4_default([$4], [AC_MSG_ERROR(
+[Package requirements ($2) were not met:
+
+$$1_PKG_ERRORS
+
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
+
+_PKG_TEXT])[]dnl
+        ])
+elif test $pkg_failed = untried; then
+        AC_MSG_RESULT([no])
+	m4_default([$4], [AC_MSG_FAILURE(
+[The pkg-config script could not be found or is too old.  Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
+
+_PKG_TEXT
+
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.])[]dnl
+        ])
+else
+	$1[]_CFLAGS=$pkg_cv_[]$1[]_CFLAGS
+	$1[]_LIBS=$pkg_cv_[]$1[]_LIBS
+        AC_MSG_RESULT([yes])
+	$3
+fi[]dnl
+])dnl PKG_CHECK_MODULES
+
+
+dnl PKG_CHECK_MODULES_STATIC(VARIABLE-PREFIX, MODULES, [ACTION-IF-FOUND],
+dnl   [ACTION-IF-NOT-FOUND])
+dnl ---------------------------------------------------------------------
+dnl Since: 0.29
+dnl
+dnl Checks for existence of MODULES and gathers its build flags with
+dnl static libraries enabled. Sets VARIABLE-PREFIX_CFLAGS from --cflags
+dnl and VARIABLE-PREFIX_LIBS from --libs.
+dnl
+dnl Note that if there is a possibility the first call to
+dnl PKG_CHECK_MODULES_STATIC might not happen, you should be sure to
+dnl include an explicit call to PKG_PROG_PKG_CONFIG in your
+dnl configure.ac.
+AC_DEFUN([PKG_CHECK_MODULES_STATIC],
+[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
+_save_PKG_CONFIG=$PKG_CONFIG
+PKG_CONFIG="$PKG_CONFIG --static"
+PKG_CHECK_MODULES($@)
+PKG_CONFIG=$_save_PKG_CONFIG[]dnl
+])dnl PKG_CHECK_MODULES_STATIC
+
+
+dnl PKG_INSTALLDIR([DIRECTORY])
+dnl -------------------------
+dnl Since: 0.27
+dnl
+dnl Substitutes the variable pkgconfigdir as the location where a module
+dnl should install pkg-config .pc files. By default the directory is
+dnl $libdir/pkgconfig, but the default can be changed by passing
+dnl DIRECTORY. The user can override through the --with-pkgconfigdir
+dnl parameter.
+AC_DEFUN([PKG_INSTALLDIR],
+[m4_pushdef([pkg_default], [m4_default([$1], ['${libdir}/pkgconfig'])])
+m4_pushdef([pkg_description],
+    [pkg-config installation directory @<:@]pkg_default[@:>@])
+AC_ARG_WITH([pkgconfigdir],
+    [AS_HELP_STRING([--with-pkgconfigdir], pkg_description)],,
+    [with_pkgconfigdir=]pkg_default)
+AC_SUBST([pkgconfigdir], [$with_pkgconfigdir])
+m4_popdef([pkg_default])
+m4_popdef([pkg_description])
+])dnl PKG_INSTALLDIR
+
+
+dnl PKG_NOARCH_INSTALLDIR([DIRECTORY])
+dnl --------------------------------
+dnl Since: 0.27
+dnl
+dnl Substitutes the variable noarch_pkgconfigdir as the location where a
+dnl module should install arch-independent pkg-config .pc files. By
+dnl default the directory is $datadir/pkgconfig, but the default can be
+dnl changed by passing DIRECTORY. The user can override through the
+dnl --with-noarch-pkgconfigdir parameter.
+AC_DEFUN([PKG_NOARCH_INSTALLDIR],
+[m4_pushdef([pkg_default], [m4_default([$1], ['${datadir}/pkgconfig'])])
+m4_pushdef([pkg_description],
+    [pkg-config arch-independent installation directory @<:@]pkg_default[@:>@])
+AC_ARG_WITH([noarch-pkgconfigdir],
+    [AS_HELP_STRING([--with-noarch-pkgconfigdir], pkg_description)],,
+    [with_noarch_pkgconfigdir=]pkg_default)
+AC_SUBST([noarch_pkgconfigdir], [$with_noarch_pkgconfigdir])
+m4_popdef([pkg_default])
+m4_popdef([pkg_description])
+])dnl PKG_NOARCH_INSTALLDIR
+
+
+dnl PKG_CHECK_VAR(VARIABLE, MODULE, CONFIG-VARIABLE,
+dnl [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND])
+dnl -------------------------------------------
+dnl Since: 0.28
+dnl
+dnl Retrieves the value of the pkg-config variable for the given module.
+AC_DEFUN([PKG_CHECK_VAR],
+[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
+AC_ARG_VAR([$1], [value of $3 for $2, overriding pkg-config])dnl
+
+_PKG_CONFIG([$1], [variable="][$3]["], [$2])
+AS_VAR_COPY([$1], [pkg_cv_][$1])
+
+AS_VAR_IF([$1], [""], [$5], [$4])dnl
+])dnl PKG_CHECK_VAR
+
+m4_include([libtool.m4/libtool.m4])
+m4_include([libtool.m4/ltoptions.m4])
+m4_include([libtool.m4/ltsugar.m4])
+m4_include([libtool.m4/ltversion.m4])
+m4_include([libtool.m4/lt~obsolete.m4])

autogen.sh

@@ -0,0 +1,13 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# Run this script after modifying configure.in to generate configure
+autoreconf -f -i

bin/Makefile.am

@@ -1 +0,0 @@
-SUBDIRS = named rndc dig delv dnssec tools nsupdate check confgen tests plugins

bin/Makefile.in

@@ -0,0 +1,18 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	named rndc dig delv dnssec tools nsupdate check confgen \
+		@NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ tests
+TARGETS =
+
+@BIND9_MAKE_RULES@

bin/check/Makefile.am

@@ -1,32 +0,0 @@
-include $(top_srcdir)/Makefile.top
-
-AM_CPPFLAGS +=			\
-	$(LIBISC_CFLAGS)	\
-	$(LIBDNS_CFLAGS)	\
-	$(LIBNS_CFLAGS)		\
-	$(LIBISCCFG_CFLAGS)
-
-AM_CPPFLAGS +=			\
-	-DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
-
-noinst_LTLIBRARIES = libcheck-tool.la
-
-libcheck_tool_la_SOURCES =	\
-	check-tool.h		\
-	check-tool.c
-
-LDADD +=			\
-	libcheck-tool.la	\
-	$(LIBISC_LIBS)		\
-	$(LIBDNS_LIBS)		\
-	$(LIBNS_LIBS)		\
-	$(LIBISCCFG_LIBS)
-
-bin_PROGRAMS = named-checkconf named-checkzone
-
-install-exec-hook:
-	ln -f $(DESTDIR)$(bindir)/named-checkzone \
-	      $(DESTDIR)$(bindir)/named-compilezone
-
-uninstall-hook:
-	-rm -f $(DESTDIR)$(bindir)/named-compilezone

bin/check/Makefile.in

@@ -0,0 +1,102 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	${NS_INCLUDES} ${BIND9_INCLUDES} ${DNS_INCLUDES} ${ISCCFG_INCLUDES} \
+		${ISC_INCLUDES} @DST_OPENSSL_INC@
+
+CDEFINES = 	@CRYPTO@ -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
+CWARNINGS =
+
+DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
+ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
+ISCLIBS =	../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @ISC_OPENSSL_LIBS@
+BIND9LIBS =	../../lib/bind9/libbind9.@A@
+NSLIBS =	../../lib/ns/libns.@A@
+
+DNSDEPLIBS =	../../lib/dns/libdns.@A@
+ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@
+ISCDEPLIBS =	../../lib/isc/libisc.@A@
+BIND9DEPLIBS =	../../lib/bind9/libbind9.@A@
+NSDEPENDLIBS =	../../lib/ns/libns.@A@
+
+LIBS =		${ISCLIBS} @LIBS@
+NOSYMLIBS =	${ISCNOSYMLIBS} @LIBS@
+
+SUBDIRS =
+
+# Alphabetically
+TARGETS =	named-checkconf@EXEEXT@ named-checkzone@EXEEXT@
+
+# Alphabetically
+SRCS =		named-checkconf.c named-checkzone.c check-tool.c
+
+MANPAGES =	named-checkconf.8 named-checkzone.8
+
+HTMLPAGES =	named-checkconf.html named-checkzone.html
+
+MANOBJS =	${MANPAGES} ${HTMLPAGES}
+
+@BIND9_MAKE_RULES@
+
+named-checkconf.@O@: named-checkconf.c
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+		-DVERSION=\"${VERSION}\" \
+		-c ${srcdir}/named-checkconf.c
+
+named-checkzone.@O@: named-checkzone.c
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+		-DVERSION=\"${VERSION}\" \
+		-c ${srcdir}/named-checkzone.c
+
+named-checkconf@EXEEXT@: named-checkconf.@O@ check-tool.@O@ ${ISCDEPLIBS} \
+		${NSDEPENDLIBS} ${DNSDEPLIBS} ${ISCCFGDEPLIBS} ${BIND9DEPLIBS}
+	export BASEOBJS="named-checkconf.@O@ check-tool.@O@"; \
+	export LIBS0="${NSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} ${DNSLIBS}"; \
+	${FINALBUILDCMD}
+
+named-checkzone@EXEEXT@: named-checkzone.@O@ check-tool.@O@ ${ISCDEPLIBS} \
+		${NSDEPENDLIBS} ${DNSDEPLIBS}
+	export BASEOBJS="named-checkzone.@O@ check-tool.@O@"; \
+	export LIBS0="${NSLIBS} ${ISCCFGLIBS} ${DNSLIBS}"; \
+	${FINALBUILDCMD}
+
+doc man:: ${MANOBJS}
+
+docclean manclean maintainer-clean::
+	rm -f ${MANOBJS}
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
+
+install:: named-checkconf@EXEEXT@ named-checkzone@EXEEXT@ installdirs
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkconf@EXEEXT@ ${DESTDIR}${sbindir}
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkzone@EXEEXT@ ${DESTDIR}${sbindir}
+	(cd ${DESTDIR}${sbindir}; rm -f named-compilezone@EXEEXT@; ${LINK_PROGRAM} named-checkzone@EXEEXT@ named-compilezone@EXEEXT@)
+	for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8 || exit 1; done
+	(cd ${DESTDIR}${mandir}/man8; rm -f named-compilezone.8; ${LINK_PROGRAM} named-checkzone.8 named-compilezone.8)
+
+uninstall::
+	rm -f ${DESTDIR}${mandir}/man8/named-compilezone.8
+	for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m || exit 1; done
+	rm -f ${DESTDIR}${sbindir}/named-compilezone@EXEEXT@
+	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-checkconf@EXEEXT@
+	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-checkzone@EXEEXT@
+
+clean distclean::
+	rm -f ${TARGETS} r1.htm

bin/check/check-tool.h

@@ -1,32 +1,34 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
- * SPDX-License-Identifier: MPL-2.0
- *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-#pragma once
+
+#ifndef CHECK_TOOL_H
+#define CHECK_TOOL_H
 
 /*! \file */
 
 #include <inttypes.h>
 #include <stdbool.h>
 
+#include <isc/lang.h>
 #include <isc/stdio.h>
 #include <isc/types.h>
 
 #include <dns/masterdump.h>
 #include <dns/types.h>
-#include <dns/zone.h>
+
+ISC_LANG_BEGINDECLS
 
 isc_result_t
-setup_logging(FILE *errout);
+setup_logging(isc_mem_t *mctx, FILE *errout, isc_log_t **logp);
 
 isc_result_t
 load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
@@ -38,10 +40,20 @@ dump_zone(const char *zonename, dns_zone_t *zone, const char *filename,
 	  dns_masterformat_t fileformat, const dns_master_style_t *style,
 	  const uint32_t rawversion);
 
+#ifdef _WIN32
+void InitSockets(void);
+void DestroySockets(void);
+#endif
+
 extern int debug;
 extern const char *journal;
 extern bool nomerge;
 extern bool docheckmx;
 extern bool docheckns;
 extern bool dochecksrv;
-extern dns_zoneopt_t zone_options;
+extern unsigned int zone_options;
+extern unsigned int zone_options2;
+
+ISC_LANG_ENDDECLS
+
+#endif

bin/check/named-checkconf.8

@@ -0,0 +1,140 @@
+.\" Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.\" 
+.\" This Source Code Form is subject to the terms of the Mozilla Public
+.\" License, v. 2.0. If a copy of the MPL was not distributed with this
+.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
+.\"
+.hy 0
+.ad l
+'\" t
+.\"     Title: named-checkconf
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 2014-01-10
+.\"    Manual: BIND9
+.\"    Source: ISC
+.\"  Language: English
+.\"
+.TH "NAMED\-CHECKCONF" "8" "2014\-01\-10" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+named-checkconf \- named configuration file syntax checking tool
+.SH "SYNOPSIS"
+.HP \w'\fBnamed\-checkconf\fR\ 'u
+\fBnamed\-checkconf\fR [\fB\-hjlvz\fR] [\fB\-p\fR\ [\fB\-x\fR\ ]] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] {filename}
+.SH "DESCRIPTION"
+.PP
+\fBnamed\-checkconf\fR
+checks the syntax, but not the semantics, of a
+\fBnamed\fR
+configuration file\&. The file is parsed and checked for syntax errors, along with all files included by it\&. If no file is specified,
+/etc/named\&.conf
+is read by default\&.
+.PP
+Note: files that
+\fBnamed\fR
+reads in separate parser contexts, such as
+rndc\&.key
+and
+bind\&.keys, are not automatically read by
+\fBnamed\-checkconf\fR\&. Configuration errors in these files may cause
+\fBnamed\fR
+to fail to run, even if
+\fBnamed\-checkconf\fR
+was successful\&.
+\fBnamed\-checkconf\fR
+can be run on these files explicitly, however\&.
+.SH "OPTIONS"
+.PP
+\-h
+.RS 4
+Print the usage summary and exit\&.
+.RE
+.PP
+\-j
+.RS 4
+When loading a zonefile read the journal if it exists\&.
+.RE
+.PP
+\-l
+.RS 4
+List all the configured zones\&. Each line of output contains the zone name, class (e\&.g\&. IN), view, and type (e\&.g\&. master or slave)\&.
+.RE
+.PP
+\-p
+.RS 4
+Print out the
+named\&.conf
+and included files in canonical form if no errors were detected\&. See also the
+\fB\-x\fR
+option\&.
+.RE
+.PP
+\-t \fIdirectory\fR
+.RS 4
+Chroot to
+directory
+so that include directives in the configuration file are processed as if run by a similarly chrooted
+\fBnamed\fR\&.
+.RE
+.PP
+\-v
+.RS 4
+Print the version of the
+\fBnamed\-checkconf\fR
+program and exit\&.
+.RE
+.PP
+\-x
+.RS 4
+When printing the configuration files in canonical form, obscure shared secrets by replacing them with strings of question marks (\*(Aq?\*(Aq)\&. This allows the contents of
+named\&.conf
+and related files to be shared \(em for example, when submitting bug reports \(em without compromising private data\&. This option cannot be used without
+\fB\-p\fR\&.
+.RE
+.PP
+\-z
+.RS 4
+Perform a test load of all master zones found in
+named\&.conf\&.
+.RE
+.PP
+filename
+.RS 4
+The name of the configuration file to be checked\&. If not specified, it defaults to
+/etc/named\&.conf\&.
+.RE
+.SH "RETURN VALUES"
+.PP
+\fBnamed\-checkconf\fR
+returns an exit status of 1 if errors were detected and 0 otherwise\&.
+.SH "SEE ALSO"
+.PP
+\fBnamed\fR(8),
+\fBnamed-checkzone\fR(8),
+BIND 9 Administrator Reference Manual\&.
+.SH "AUTHOR"
+.PP
+\fBInternet Systems Consortium, Inc\&.\fR
+.SH "COPYRIGHT"
+.br
+Copyright \(co 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.br

bin/check/named-checkconf.c

@@ -1,68 +1,70 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
- * SPDX-License-Identifier: MPL-2.0
- *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
+
 /*! \file */
 
+#include <config.h>
+
 #include <errno.h>
 #include <stdbool.h>
-#include <stdio.h>
 #include <stdlib.h>
+#include <stdio.h>
 
-#include <isc/attributes.h>
 #include <isc/commandline.h>
 #include <isc/dir.h>
+#include <isc/entropy.h>
 #include <isc/hash.h>
-#include <isc/lib.h>
 #include <isc/log.h>
 #include <isc/mem.h>
+#include <isc/print.h>
 #include <isc/result.h>
 #include <isc/string.h>
 #include <isc/util.h>
 
+#include <isccfg/namedconf.h>
+
+#include <bind9/check.h>
+
 #include <dns/db.h>
 #include <dns/fixedname.h>
-#include <dns/lib.h>
+#include <dns/log.h>
 #include <dns/name.h>
 #include <dns/rdataclass.h>
+#include <dns/result.h>
 #include <dns/rootns.h>
 #include <dns/zone.h>
 
-#include <isccfg/check.h>
-#include <isccfg/grammar.h>
-#include <isccfg/namedconf.h>
-
 #include "check-tool.h"
 
 static const char *program = "named-checkconf";
 
-#define CHECK(r)                             \
-	do {                                 \
-		result = (r);                \
+isc_log_t *logc = NULL;
+
+#define CHECK(r)\
+	do { \
+		result = (r); \
 		if (result != ISC_R_SUCCESS) \
-			goto cleanup;        \
+			goto cleanup; \
 	} while (0)
 
 /*% usage */
-ISC_NORETURN static void
-usage(void);
+ISC_PLATFORM_NORETURN_PRE static void
+usage(void) ISC_PLATFORM_NORETURN_POST;
 
 static void
 usage(void) {
-	fprintf(stderr,
-		"usage: %s [-achijlvz] [-p [-x]] [-t directory] "
-		"[named.conf]\n",
-		program);
-	exit(EXIT_SUCCESS);
+	fprintf(stderr, "usage: %s [-hjlvz] [-p [-x]] [-t directory] "
+		"[named.conf]\n", program);
+	exit(1);
 }
 
 /*% directory callback */
@@ -82,25 +84,23 @@ directory_callback(const char *clausename, const cfg_obj_t *obj, void *arg) {
 	directory = cfg_obj_asstring(obj);
 	result = isc_dir_chdir(directory);
 	if (result != ISC_R_SUCCESS) {
-		cfg_obj_log(obj, ISC_LOG_ERROR,
-			    "change directory to '%s' failed: %s\n", directory,
-			    isc_result_totext(result));
-		return result;
+		cfg_obj_log(obj, logc, ISC_LOG_ERROR,
+			    "change directory to '%s' failed: %s\n",
+			    directory, isc_result_totext(result));
+		return (result);
 	}
 
-	return ISC_R_SUCCESS;
+	return (ISC_R_SUCCESS);
 }
 
 static bool
 get_maps(const cfg_obj_t **maps, const char *name, const cfg_obj_t **obj) {
 	int i;
 	for (i = 0;; i++) {
-		if (maps[i] == NULL) {
-			return false;
-		}
-		if (cfg_map_get(maps[i], name, obj) == ISC_R_SUCCESS) {
-			return true;
-		}
+		if (maps[i] == NULL)
+			return (false);
+		if (cfg_map_get(maps[i], name, obj) == ISC_R_SUCCESS)
+			return (true);
 	}
 }
 
@@ -114,31 +114,25 @@ get_checknames(const cfg_obj_t **maps, const cfg_obj_t **obj) {
 	int i;
 
 	for (i = 0;; i++) {
-		if (maps[i] == NULL) {
-			return false;
-		}
+		if (maps[i] == NULL)
+			return (false);
 		checknames = NULL;
 		result = cfg_map_get(maps[i], "check-names", &checknames);
-		if (result != ISC_R_SUCCESS) {
+		if (result != ISC_R_SUCCESS)
 			continue;
-		}
 		if (checknames != NULL && !cfg_obj_islist(checknames)) {
 			*obj = checknames;
-			return true;
+			return (true);
 		}
-		for (element = cfg_list_first(checknames); element != NULL;
-		     element = cfg_list_next(element))
-		{
+		for (element = cfg_list_first(checknames);
+		     element != NULL;
+		     element = cfg_list_next(element)) {
 			value = cfg_listelt_value(element);
 			type = cfg_tuple_get(value, "type");
-			if ((strcasecmp(cfg_obj_asstring(type), "primary") !=
-			     0) &&
-			    (strcasecmp(cfg_obj_asstring(type), "master") != 0))
-			{
+			if (strcasecmp(cfg_obj_asstring(type), "master") != 0)
 				continue;
-			}
 			*obj = cfg_tuple_get(value, "mode");
-			return true;
+			return (true);
 		}
 	}
 }
@@ -150,38 +144,36 @@ configure_hint(const char *zfile, const char *zclass, isc_mem_t *mctx) {
 	dns_rdataclass_t rdclass;
 	isc_textregion_t r;
 
-	if (zfile == NULL) {
-		return ISC_R_FAILURE;
-	}
+	if (zfile == NULL)
+		return (ISC_R_FAILURE);
 
-	r.base = UNCONST(zclass);
+	DE_CONST(zclass, r.base);
 	r.length = strlen(zclass);
 	result = dns_rdataclass_fromtext(&rdclass, &r);
-	if (result != ISC_R_SUCCESS) {
-		return result;
-	}
+	if (result != ISC_R_SUCCESS)
+		return (result);
 
 	result = dns_rootns_create(mctx, rdclass, zfile, &db);
-	if (result != ISC_R_SUCCESS) {
-		return result;
-	}
+	if (result != ISC_R_SUCCESS)
+		return (result);
 
 	dns_db_detach(&db);
-	return ISC_R_SUCCESS;
+	return (ISC_R_SUCCESS);
 }
 
 /*% configure the zone */
 static isc_result_t
-configure_zone(const char *vclass, const char *view, const cfg_obj_t *zconfig,
-	       const cfg_obj_t *vconfig, const cfg_obj_t *config,
-	       isc_mem_t *mctx, bool list) {
+configure_zone(const char *vclass, const char *view,
+	       const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
+	       const cfg_obj_t *config, isc_mem_t *mctx, bool list)
+{
 	int i = 0;
 	isc_result_t result;
 	const char *zclass;
 	const char *zname;
 	const char *zfile = NULL;
 	const cfg_obj_t *maps[4];
-	const cfg_obj_t *primariesobj = NULL;
+	const cfg_obj_t *mastersobj = NULL;
 	const cfg_obj_t *inviewobj = NULL;
 	const cfg_obj_t *zoptions = NULL;
 	const cfg_obj_t *classobj = NULL;
@@ -198,22 +190,19 @@ configure_zone(const char *vclass, const char *view, const cfg_obj_t *zconfig,
 
 	zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
 	classobj = cfg_tuple_get(zconfig, "class");
-	if (!cfg_obj_isstring(classobj)) {
+	if (!cfg_obj_isstring(classobj))
 		zclass = vclass;
-	} else {
+	else
 		zclass = cfg_obj_asstring(classobj);
-	}
 
 	zoptions = cfg_tuple_get(zconfig, "options");
 	maps[i++] = zoptions;
-	if (vconfig != NULL) {
+	if (vconfig != NULL)
 		maps[i++] = cfg_tuple_get(vconfig, "options");
-	}
 	if (config != NULL) {
 		cfg_map_get(config, "options", &obj);
-		if (obj != NULL) {
+		if (obj != NULL)
 			maps[i++] = obj;
-		}
 	}
 	maps[i] = NULL;
 
@@ -222,19 +211,17 @@ configure_zone(const char *vclass, const char *view, const cfg_obj_t *zconfig,
 		const char *inview = cfg_obj_asstring(inviewobj);
 		printf("%s %s %s in-view %s\n", zname, zclass, view, inview);
 	}
-	if (inviewobj != NULL) {
-		return ISC_R_SUCCESS;
-	}
+	if (inviewobj != NULL)
+		return (ISC_R_SUCCESS);
 
 	cfg_map_get(zoptions, "type", &typeobj);
-	if (typeobj == NULL) {
-		return ISC_R_FAILURE;
-	}
+	if (typeobj == NULL)
+		return (ISC_R_FAILURE);
 
 	if (list) {
 		const char *ztype = cfg_obj_asstring(typeobj);
 		printf("%s %s %s %s\n", zname, zclass, view, ztype);
-		return ISC_R_SUCCESS;
+		return (ISC_R_SUCCESS);
 	}
 
 	/*
@@ -242,52 +229,40 @@ configure_zone(const char *vclass, const char *view, const cfg_obj_t *zconfig,
 	 */
 	cfg_map_get(zoptions, "database", &dbobj);
 	if (dbobj != NULL &&
-	    strcmp(ZONEDB_DEFAULT, cfg_obj_asstring(dbobj)) != 0)
-	{
-		return ISC_R_SUCCESS;
-	}
+	    strcmp("rbt", cfg_obj_asstring(dbobj)) != 0 &&
+	    strcmp("rbt64", cfg_obj_asstring(dbobj)) != 0)
+		return (ISC_R_SUCCESS);
 
 	cfg_map_get(zoptions, "dlz", &dlzobj);
-	if (dlzobj != NULL) {
-		return ISC_R_SUCCESS;
-	}
+	if (dlzobj != NULL)
+		return (ISC_R_SUCCESS);
 
 	cfg_map_get(zoptions, "file", &fileobj);
-	if (fileobj != NULL) {
+	if (fileobj != NULL)
 		zfile = cfg_obj_asstring(fileobj);
-	}
 
 	/*
 	 * Check hints files for hint zones.
 	 * Skip loading checks for any type other than
 	 * master and redirect
 	 */
-	if (strcasecmp(cfg_obj_asstring(typeobj), "hint") == 0) {
-		return configure_hint(zfile, zclass, mctx);
-	} else if ((strcasecmp(cfg_obj_asstring(typeobj), "primary") != 0) &&
-		   (strcasecmp(cfg_obj_asstring(typeobj), "master") != 0) &&
-		   (strcasecmp(cfg_obj_asstring(typeobj), "redirect") != 0))
-	{
-		return ISC_R_SUCCESS;
-	}
+	if (strcasecmp(cfg_obj_asstring(typeobj), "hint") == 0)
+		return (configure_hint(zfile, zclass, mctx));
+	else if ((strcasecmp(cfg_obj_asstring(typeobj), "master") != 0) &&
+		  (strcasecmp(cfg_obj_asstring(typeobj), "redirect") != 0))
+		return (ISC_R_SUCCESS);
 
 	/*
-	 * Is the redirect zone configured as a secondary?
+	 * Is the redirect zone configured as a slave?
 	 */
 	if (strcasecmp(cfg_obj_asstring(typeobj), "redirect") == 0) {
-		cfg_map_get(zoptions, "primaries", &primariesobj);
-		if (primariesobj == NULL) {
-			cfg_map_get(zoptions, "masters", &primariesobj);
-		}
-
-		if (primariesobj != NULL) {
-			return ISC_R_SUCCESS;
-		}
+		cfg_map_get(zoptions, "masters", &mastersobj);
+		if (mastersobj != NULL)
+			return (ISC_R_SUCCESS);
 	}
 
-	if (zfile == NULL) {
-		return ISC_R_FAILURE;
-	}
+	if (zfile == NULL)
+		return (ISC_R_FAILURE);
 
 	obj = NULL;
 	if (get_maps(maps, "check-dup-records", &obj)) {
@@ -301,7 +276,8 @@ configure_zone(const char *vclass, const char *view, const cfg_obj_t *zconfig,
 			zone_options &= ~DNS_ZONEOPT_CHECKDUPRR;
 			zone_options &= ~DNS_ZONEOPT_CHECKDUPRRFAIL;
 		} else {
-			UNREACHABLE();
+			INSIST(0);
+			ISC_UNREACHABLE();
 		}
 	} else {
 		zone_options |= DNS_ZONEOPT_CHECKDUPRR;
@@ -320,7 +296,8 @@ configure_zone(const char *vclass, const char *view, const cfg_obj_t *zconfig,
 			zone_options &= ~DNS_ZONEOPT_CHECKMX;
 			zone_options &= ~DNS_ZONEOPT_CHECKMXFAIL;
 		} else {
-			UNREACHABLE();
+			INSIST(0);
+			ISC_UNREACHABLE();
 		}
 	} else {
 		zone_options |= DNS_ZONEOPT_CHECKMX;
@@ -329,14 +306,12 @@ configure_zone(const char *vclass, const char *view, const cfg_obj_t *zconfig,
 
 	obj = NULL;
 	if (get_maps(maps, "check-integrity", &obj)) {
-		if (cfg_obj_asboolean(obj)) {
+		if (cfg_obj_asboolean(obj))
 			zone_options |= DNS_ZONEOPT_CHECKINTEGRITY;
-		} else {
+		else
 			zone_options &= ~DNS_ZONEOPT_CHECKINTEGRITY;
-		}
-	} else {
+	} else
 		zone_options |= DNS_ZONEOPT_CHECKINTEGRITY;
-	}
 
 	obj = NULL;
 	if (get_maps(maps, "check-mx-cname", &obj)) {
@@ -350,7 +325,8 @@ configure_zone(const char *vclass, const char *view, const cfg_obj_t *zconfig,
 			zone_options |= DNS_ZONEOPT_WARNMXCNAME;
 			zone_options |= DNS_ZONEOPT_IGNOREMXCNAME;
 		} else {
-			UNREACHABLE();
+			INSIST(0);
+			ISC_UNREACHABLE();
 		}
 	} else {
 		zone_options |= DNS_ZONEOPT_WARNMXCNAME;
@@ -369,7 +345,8 @@ configure_zone(const char *vclass, const char *view, const cfg_obj_t *zconfig,
 			zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
 			zone_options |= DNS_ZONEOPT_IGNORESRVCNAME;
 		} else {
-			UNREACHABLE();
+			INSIST(0);
+			ISC_UNREACHABLE();
 		}
 	} else {
 		zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
@@ -378,11 +355,10 @@ configure_zone(const char *vclass, const char *view, const cfg_obj_t *zconfig,
 
 	obj = NULL;
 	if (get_maps(maps, "check-sibling", &obj)) {
-		if (cfg_obj_asboolean(obj)) {
+		if (cfg_obj_asboolean(obj))
 			zone_options |= DNS_ZONEOPT_CHECKSIBLING;
-		} else {
+		else
 			zone_options &= ~DNS_ZONEOPT_CHECKSIBLING;
-		}
 	}
 
 	obj = NULL;
@@ -392,34 +368,13 @@ configure_zone(const char *vclass, const char *view, const cfg_obj_t *zconfig,
 		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
 			zone_options &= ~DNS_ZONEOPT_CHECKSPF;
 		} else {
-			UNREACHABLE();
+			INSIST(0);
+			ISC_UNREACHABLE();
 		}
 	} else {
 		zone_options |= DNS_ZONEOPT_CHECKSPF;
 	}
 
-	obj = NULL;
-	if (get_maps(maps, "check-svcb", &obj)) {
-		if (cfg_obj_asboolean(obj)) {
-			zone_options |= DNS_ZONEOPT_CHECKSVCB;
-		} else {
-			zone_options &= ~DNS_ZONEOPT_CHECKSVCB;
-		}
-	} else {
-		zone_options |= DNS_ZONEOPT_CHECKSVCB;
-	}
-
-	obj = NULL;
-	if (get_maps(maps, "check-wildcard", &obj)) {
-		if (cfg_obj_asboolean(obj)) {
-			zone_options |= DNS_ZONEOPT_CHECKWILDCARD;
-		} else {
-			zone_options &= ~DNS_ZONEOPT_CHECKWILDCARD;
-		}
-	} else {
-		zone_options |= DNS_ZONEOPT_CHECKWILDCARD;
-	}
-
 	obj = NULL;
 	if (get_checknames(maps, &obj)) {
 		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
@@ -432,11 +387,12 @@ configure_zone(const char *vclass, const char *view, const cfg_obj_t *zconfig,
 			zone_options &= ~DNS_ZONEOPT_CHECKNAMES;
 			zone_options &= ~DNS_ZONEOPT_CHECKNAMESFAIL;
 		} else {
-			UNREACHABLE();
+			INSIST(0);
+			ISC_UNREACHABLE();
 		}
 	} else {
-		zone_options |= DNS_ZONEOPT_CHECKNAMES;
-		zone_options |= DNS_ZONEOPT_CHECKNAMESFAIL;
+	       zone_options |= DNS_ZONEOPT_CHECKNAMES;
+	       zone_options |= DNS_ZONEOPT_CHECKNAMESFAIL;
 	}
 
 	masterformat = dns_masterformat_text;
@@ -447,30 +403,33 @@ configure_zone(const char *vclass, const char *view, const cfg_obj_t *zconfig,
 			masterformat = dns_masterformat_text;
 		} else if (strcasecmp(masterformatstr, "raw") == 0) {
 			masterformat = dns_masterformat_raw;
+		} else if (strcasecmp(masterformatstr, "map") == 0) {
+			masterformat = dns_masterformat_map;
 		} else {
-			UNREACHABLE();
+			INSIST(0);
+			ISC_UNREACHABLE();
 		}
 	}
 
 	obj = NULL;
 	if (get_maps(maps, "max-zone-ttl", &obj)) {
-		maxttl = cfg_obj_asduration(obj);
-		zone_options |= DNS_ZONEOPT_CHECKTTL;
+		maxttl = cfg_obj_asuint32(obj);
+		zone_options2 |= DNS_ZONEOPT2_CHECKTTL;
 	}
 
-	result = load_zone(mctx, zname, zfile, masterformat, zclass, maxttl,
-			   NULL);
-	if (result != ISC_R_SUCCESS) {
+	result = load_zone(mctx, zname, zfile, masterformat,
+			   zclass, maxttl, NULL);
+	if (result != ISC_R_SUCCESS)
 		fprintf(stderr, "%s/%s/%s: %s\n", view, zname, zclass,
-			isc_result_totext(result));
-	}
-	return result;
+			dns_result_totext(result));
+	return (result);
 }
 
 /*% configure a view */
 static isc_result_t
 configure_view(const char *vclass, const char *view, const cfg_obj_t *config,
-	       const cfg_obj_t *vconfig, isc_mem_t *mctx, bool list) {
+	       const cfg_obj_t *vconfig, isc_mem_t *mctx, bool list)
+{
 	const cfg_listelt_t *element;
 	const cfg_obj_t *voptions;
 	const cfg_obj_t *zonelist;
@@ -478,48 +437,48 @@ configure_view(const char *vclass, const char *view, const cfg_obj_t *config,
 	isc_result_t tresult;
 
 	voptions = NULL;
-	if (vconfig != NULL) {
+	if (vconfig != NULL)
 		voptions = cfg_tuple_get(vconfig, "options");
-	}
 
 	zonelist = NULL;
-	if (voptions != NULL) {
+	if (voptions != NULL)
 		(void)cfg_map_get(voptions, "zone", &zonelist);
-	} else {
+	else
 		(void)cfg_map_get(config, "zone", &zonelist);
-	}
 
-	for (element = cfg_list_first(zonelist); element != NULL;
+	for (element = cfg_list_first(zonelist);
+	     element != NULL;
 	     element = cfg_list_next(element))
 	{
 		const cfg_obj_t *zconfig = cfg_listelt_value(element);
-		tresult = configure_zone(vclass, view, zconfig, vconfig, config,
-					 mctx, list);
-		if (tresult != ISC_R_SUCCESS) {
+		tresult = configure_zone(vclass, view, zconfig, vconfig,
+					 config, mctx, list);
+		if (tresult != ISC_R_SUCCESS)
 			result = tresult;
-		}
 	}
-	return result;
+	return (result);
 }
 
 static isc_result_t
 config_getclass(const cfg_obj_t *classobj, dns_rdataclass_t defclass,
-		dns_rdataclass_t *classp) {
+		dns_rdataclass_t *classp)
+{
 	isc_textregion_t r;
 
 	if (!cfg_obj_isstring(classobj)) {
 		*classp = defclass;
-		return ISC_R_SUCCESS;
+		return (ISC_R_SUCCESS);
 	}
-	r.base = UNCONST(cfg_obj_asstring(classobj));
+	DE_CONST(cfg_obj_asstring(classobj), r.base);
 	r.length = strlen(r.base);
-	return dns_rdataclass_fromtext(classp, &r);
+	return (dns_rdataclass_fromtext(classp, &r));
 }
 
 /*% load zones from the configuration */
 static isc_result_t
 load_zones_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx,
-		      bool list_zones) {
+		      bool list_zones)
+{
 	const cfg_listelt_t *element;
 	const cfg_obj_t *views;
 	const cfg_obj_t *vconfig;
@@ -529,7 +488,8 @@ load_zones_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx,
 	views = NULL;
 
 	(void)cfg_map_get(config, "view", &views);
-	for (element = cfg_list_first(views); element != NULL;
+	for (element = cfg_list_first(views);
+	     element != NULL;
 	     element = cfg_list_next(element))
 	{
 		const cfg_obj_t *classobj;
@@ -538,48 +498,40 @@ load_zones_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx,
 		char buf[sizeof("CLASS65535")];
 
 		vconfig = cfg_listelt_value(element);
-		if (vconfig == NULL) {
+		if (vconfig == NULL)
 			continue;
-		}
 
 		classobj = cfg_tuple_get(vconfig, "class");
-		tresult = config_getclass(classobj, dns_rdataclass_in,
-					  &viewclass);
-		if (tresult != ISC_R_SUCCESS) {
-			CHECK(tresult);
-		}
-
-		if (dns_rdataclass_ismeta(viewclass)) {
+		CHECK(config_getclass(classobj, dns_rdataclass_in,
+					 &viewclass));
+		if (dns_rdataclass_ismeta(viewclass))
 			CHECK(ISC_R_FAILURE);
-		}
 
 		dns_rdataclass_format(viewclass, buf, sizeof(buf));
 		vname = cfg_obj_asstring(cfg_tuple_get(vconfig, "name"));
 		tresult = configure_view(buf, vname, config, vconfig, mctx,
 					 list_zones);
-		if (tresult != ISC_R_SUCCESS) {
+		if (tresult != ISC_R_SUCCESS)
 			result = tresult;
-		}
 	}
 
 	if (views == NULL) {
 		tresult = configure_view("IN", "_default", config, NULL, mctx,
 					 list_zones);
-		if (tresult != ISC_R_SUCCESS) {
+		if (tresult != ISC_R_SUCCESS)
 			result = tresult;
-		}
 	}
 
 cleanup:
-	return result;
+	return (result);
 }
 
 static void
 output(void *closure, const char *text, int textlen) {
+	UNUSED(closure);
 	if (fwrite(text, 1, textlen, stdout) != (size_t)textlen) {
-		isc_result_t *result = closure;
 		perror("fwrite");
-		*result = ISC_R_FAILURE;
+		exit(1);
 	}
 }
 
@@ -591,36 +543,33 @@ main(int argc, char **argv) {
 	cfg_obj_t *config = NULL;
 	const char *conffile = NULL;
 	isc_mem_t *mctx = NULL;
-	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t result;
+	int exit_status = 0;
+	isc_entropy_t *ectx = NULL;
 	bool load_zones = false;
 	bool list_zones = false;
 	bool print = false;
-	bool nodeprecate = false;
-	bool allconfigs = false;
 	unsigned int flags = 0;
-	unsigned int checkflags = BIND_CHECK_PLUGINS | BIND_CHECK_ALGORITHMS;
 
 	isc_commandline_errprint = false;
 
 	/*
 	 * Process memory debugging argument first.
 	 */
-#define CMDLINE_FLAGS "acdhijlm:nt:pvxz"
+#define CMDLINE_FLAGS "dhjlm:t:pvxz"
 	while ((c = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
 		switch (c) {
 		case 'm':
 			if (strcasecmp(isc_commandline_argument, "record") == 0)
-			{
 				isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
-			}
 			if (strcasecmp(isc_commandline_argument, "trace") == 0)
-			{
 				isc_mem_debugging |= ISC_MEM_DEBUGTRACE;
-			}
 			if (strcasecmp(isc_commandline_argument, "usage") == 0)
-			{
 				isc_mem_debugging |= ISC_MEM_DEBUGUSAGE;
-			}
+			if (strcasecmp(isc_commandline_argument, "size") == 0)
+				isc_mem_debugging |= ISC_MEM_DEBUGSIZE;
+			if (strcasecmp(isc_commandline_argument, "mctx") == 0)
+				isc_mem_debugging |= ISC_MEM_DEBUGCTX;
 			break;
 		default:
 			break;
@@ -628,26 +577,14 @@ main(int argc, char **argv) {
 	}
 	isc_commandline_reset = true;
 
-	isc_mem_create(&mctx);
+	RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
 
 	while ((c = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != EOF) {
 		switch (c) {
-		case 'a':
-			checkflags &= ~BIND_CHECK_ALGORITHMS;
-			break;
-
-		case 'c':
-			checkflags &= ~BIND_CHECK_PLUGINS;
-			break;
-
 		case 'd':
 			debug++;
 			break;
 
-		case 'i':
-			nodeprecate = true;
-			break;
-
 		case 'j':
 			nomerge = false;
 			break;
@@ -659,16 +596,12 @@ main(int argc, char **argv) {
 		case 'm':
 			break;
 
-		case 'n':
-			allconfigs = true;
-			break;
-
 		case 't':
 			result = isc_dir_chroot(isc_commandline_argument);
 			if (result != ISC_R_SUCCESS) {
 				fprintf(stderr, "isc_dir_chroot: %s\n",
 					isc_result_totext(result));
-				CHECK(result);
+				exit(1);
 			}
 			break;
 
@@ -677,9 +610,8 @@ main(int argc, char **argv) {
 			break;
 
 		case 'v':
-			printf("%s\n", PACKAGE_VERSION);
-			result = ISC_R_SUCCESS;
-			goto cleanup;
+			printf(VERSION "\n");
+			exit(0);
 
 		case 'x':
 			flags |= CFG_PRINTER_XKEY;
@@ -693,76 +625,84 @@ main(int argc, char **argv) {
 			break;
 
 		case '?':
-			if (isc_commandline_option != '?') {
+			if (isc_commandline_option != '?')
 				fprintf(stderr, "%s: invalid argument -%c\n",
 					program, isc_commandline_option);
-			}
-			FALLTHROUGH;
+			/* FALLTHROUGH */
 		case 'h':
-			isc_mem_detach(&mctx);
 			usage();
 
 		default:
-			fprintf(stderr, "%s: unhandled option -%c\n", program,
-				isc_commandline_option);
-			CHECK(ISC_R_FAILURE);
+			fprintf(stderr, "%s: unhandled option -%c\n",
+				program, isc_commandline_option);
+			exit(1);
 		}
 	}
 
 	if (((flags & CFG_PRINTER_XKEY) != 0) && !print) {
 		fprintf(stderr, "%s: -x cannot be used without -p\n", program);
-		CHECK(ISC_R_FAILURE);
+		exit(1);
 	}
 	if (print && list_zones) {
 		fprintf(stderr, "%s: -l cannot be used with -p\n", program);
-		CHECK(ISC_R_FAILURE);
+		exit(1);
 	}
 
-	if (isc_commandline_index + 1 < argc) {
-		isc_mem_detach(&mctx);
+	if (isc_commandline_index + 1 < argc)
 		usage();
-	}
-	if (argv[isc_commandline_index] != NULL) {
+	if (argv[isc_commandline_index] != NULL)
 		conffile = argv[isc_commandline_index];
-	}
-	if (conffile == NULL || conffile[0] == '\0') {
+	if (conffile == NULL || conffile[0] == '\0')
 		conffile = NAMED_CONFFILE;
-	}
 
-	CHECK(setup_logging(stdout));
+#ifdef _WIN32
+	InitSockets();
+#endif
 
-	CHECK(cfg_parser_create(mctx, &parser));
+	RUNTIME_CHECK(setup_logging(mctx, stdout, &logc) == ISC_R_SUCCESS);
+
+	RUNTIME_CHECK(isc_entropy_create(mctx, &ectx) == ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)
+		      == ISC_R_SUCCESS);
+
+	dns_result_register();
+
+	RUNTIME_CHECK(cfg_parser_create(mctx, logc, &parser) == ISC_R_SUCCESS);
 
-	if (nodeprecate) {
-		cfg_parser_setflags(parser, CFG_PCTX_NODEPRECATED, true);
-	}
-	if (allconfigs) {
-		cfg_parser_setflags(parser, CFG_PCTX_ALLCONFIGS, true);
-	}
 	cfg_parser_setcallback(parser, directory_callback, NULL);
 
-	CHECK(cfg_parse_file(parser, conffile, &cfg_type_namedconf, &config));
-	CHECK(isccfg_check_namedconf(config, checkflags, mctx));
-	if (load_zones || list_zones) {
-		CHECK(load_zones_fromconfig(config, mctx, list_zones));
+	if (cfg_parse_file(parser, conffile, &cfg_type_namedconf, &config) !=
+	    ISC_R_SUCCESS)
+		exit(1);
+
+	result = bind9_check_namedconf(config, logc, mctx);
+	if (result != ISC_R_SUCCESS)
+		exit_status = 1;
+
+	if (result == ISC_R_SUCCESS && (load_zones || list_zones)) {
+		result = load_zones_fromconfig(config, mctx, list_zones);
+		if (result != ISC_R_SUCCESS)
+			exit_status = 1;
 	}
 
-	if (print) {
-		cfg_printx(config, flags, output, &result);
-	}
+	if (print && exit_status == 0)
+		cfg_printx(config, flags, output, NULL);
+	cfg_obj_destroy(parser, &config);
 
-cleanup:
-	if (config != NULL) {
-		cfg_obj_destroy(parser, &config);
-	}
+	cfg_parser_destroy(&parser);
 
-	if (parser != NULL) {
-		cfg_parser_destroy(&parser);
-	}
+	dns_name_destroy();
 
-	if (mctx != NULL) {
-		isc_mem_detach(&mctx);
-	}
+	isc_log_destroy(&logc);
 
-	return result == ISC_R_SUCCESS ? 0 : 1;
+	isc_hash_destroy();
+	isc_entropy_detach(&ectx);
+
+	isc_mem_destroy(&mctx);
+
+#ifdef _WIN32
+	DestroySockets();
+#endif
+
+	return (exit_status);
 }

bin/check/named-checkconf.docbook

@@ -0,0 +1,208 @@
+<!DOCTYPE book [
+<!ENTITY mdash "&#8212;">]>
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<!-- Converted by db4-upgrade version 1.0 -->
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named-checkconf">
+  <info>
+    <date>2014-01-10</date>
+  </info>
+  <refentryinfo>
+    <corpname>ISC</corpname>
+    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle><application>named-checkconf</application></refentrytitle>
+    <manvolnum>8</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
+
+  <docinfo>
+    <copyright>
+      <year>2000</year>
+      <year>2001</year>
+      <year>2002</year>
+      <year>2004</year>
+      <year>2005</year>
+      <year>2007</year>
+      <year>2009</year>
+      <year>2014</year>
+      <year>2015</year>
+      <year>2016</year>
+      <year>2018</year>
+      <year>2019</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+  </docinfo>
+
+  <refnamediv>
+    <refname><application>named-checkconf</application></refname>
+    <refpurpose>named configuration file syntax checking tool</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis sepchar=" ">
+      <command>named-checkconf</command>
+      <arg choice="opt" rep="norepeat"><option>-hjlvz</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-p</option>
+	<arg choice="opt" rep="norepeat"><option>-x</option>
+      </arg></arg>
+      <arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
+      <arg choice="req" rep="norepeat">filename</arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsection><info><title>DESCRIPTION</title></info>
+
+    <para><command>named-checkconf</command>
+      checks the syntax, but not the semantics, of a
+      <command>named</command> configuration file.  The file is parsed
+      and checked for syntax errors, along with all files included by it.
+      If no file is specified, <filename>/etc/named.conf</filename> is read
+      by default.
+    </para>
+    <para>
+      Note: files that <command>named</command> reads in separate
+      parser contexts, such as <filename>rndc.key</filename> and
+      <filename>bind.keys</filename>, are not automatically read
+      by <command>named-checkconf</command>.  Configuration
+      errors in these files may cause <command>named</command> to
+      fail to run, even if <command>named-checkconf</command> was
+      successful.  <command>named-checkconf</command> can be run
+      on these files explicitly, however.
+    </para>
+  </refsection>
+
+  <refsection><info><title>OPTIONS</title></info>
+
+    <variablelist>
+      <varlistentry>
+        <term>-h</term>
+        <listitem>
+          <para>
+            Print the usage summary and exit.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-j</term>
+        <listitem>
+          <para>
+            When loading a zonefile read the journal if it exists.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-l</term>
+        <listitem>
+          <para>
+            List all the configured zones. Each line of output
+            contains the zone name, class (e.g. IN), view, and type
+            (e.g. master or slave).
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-p</term>
+        <listitem>
+          <para>
+	    Print out the <filename>named.conf</filename> and included files
+	    in canonical form if no errors were detected.
+            See also the <option>-x</option> option.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-t <replaceable class="parameter">directory</replaceable></term>
+        <listitem>
+          <para>
+            Chroot to <filename>directory</filename> so that include
+            directives in the configuration file are processed as if
+            run by a similarly chrooted <command>named</command>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-v</term>
+        <listitem>
+          <para>
+            Print the version of the <command>named-checkconf</command>
+            program and exit.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-x</term>
+        <listitem>
+          <para>
+	    When printing the configuration files in canonical
+            form, obscure shared secrets by replacing them with
+            strings of question marks ('?'). This allows the
+            contents of <filename>named.conf</filename> and related
+            files to be shared &mdash; for example, when submitting
+            bug reports &mdash; without compromising private data.
+            This option cannot be used without <option>-p</option>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-z</term>
+        <listitem>
+          <para>
+	    Perform a test load of all master zones found in
+	    <filename>named.conf</filename>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>filename</term>
+        <listitem>
+          <para>
+            The name of the configuration file to be checked.  If not
+            specified, it defaults to <filename>/etc/named.conf</filename>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+    </variablelist>
+
+  </refsection>
+
+  <refsection><info><title>RETURN VALUES</title></info>
+
+    <para><command>named-checkconf</command>
+      returns an exit status of 1 if
+      errors were detected and 0 otherwise.
+    </para>
+  </refsection>
+
+  <refsection><info><title>SEE ALSO</title></info>
+
+    <para><citerefentry>
+        <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>named-checkzone</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
+    </para>
+  </refsection>
+</refentry>

bin/check/named-checkconf.html

@@ -0,0 +1,166 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+ - Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+ - 
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>named-checkconf</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
+<a name="man.named-checkconf"></a><div class="titlepage"></div>
+  
+  
+
+  
+
+  
+
+  <div class="refnamediv">
+<h2>Name</h2>
+<p>
+    <span class="application">named-checkconf</span>
+     &#8212; named configuration file syntax checking tool
+  </p>
+</div>
+
+  <div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+    <div class="cmdsynopsis"><p>
+      <code class="command">named-checkconf</code> 
+       [<code class="option">-hjlvz</code>]
+       [<code class="option">-p</code>
+	 [<code class="option">-x</code>
+      ]]
+       [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>]
+       {filename}
+    </p></div>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.7"></a><h2>DESCRIPTION</h2>
+
+    <p><span class="command"><strong>named-checkconf</strong></span>
+      checks the syntax, but not the semantics, of a
+      <span class="command"><strong>named</strong></span> configuration file.  The file is parsed
+      and checked for syntax errors, along with all files included by it.
+      If no file is specified, <code class="filename">/etc/named.conf</code> is read
+      by default.
+    </p>
+    <p>
+      Note: files that <span class="command"><strong>named</strong></span> reads in separate
+      parser contexts, such as <code class="filename">rndc.key</code> and
+      <code class="filename">bind.keys</code>, are not automatically read
+      by <span class="command"><strong>named-checkconf</strong></span>.  Configuration
+      errors in these files may cause <span class="command"><strong>named</strong></span> to
+      fail to run, even if <span class="command"><strong>named-checkconf</strong></span> was
+      successful.  <span class="command"><strong>named-checkconf</strong></span> can be run
+      on these files explicitly, however.
+    </p>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.8"></a><h2>OPTIONS</h2>
+
+    <div class="variablelist"><dl class="variablelist">
+<dt><span class="term">-h</span></dt>
+<dd>
+          <p>
+            Print the usage summary and exit.
+          </p>
+        </dd>
+<dt><span class="term">-j</span></dt>
+<dd>
+          <p>
+            When loading a zonefile read the journal if it exists.
+          </p>
+        </dd>
+<dt><span class="term">-l</span></dt>
+<dd>
+          <p>
+            List all the configured zones. Each line of output
+            contains the zone name, class (e.g. IN), view, and type
+            (e.g. master or slave).
+          </p>
+        </dd>
+<dt><span class="term">-p</span></dt>
+<dd>
+          <p>
+	    Print out the <code class="filename">named.conf</code> and included files
+	    in canonical form if no errors were detected.
+            See also the <code class="option">-x</code> option.
+          </p>
+        </dd>
+<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
+<dd>
+          <p>
+            Chroot to <code class="filename">directory</code> so that include
+            directives in the configuration file are processed as if
+            run by a similarly chrooted <span class="command"><strong>named</strong></span>.
+          </p>
+        </dd>
+<dt><span class="term">-v</span></dt>
+<dd>
+          <p>
+            Print the version of the <span class="command"><strong>named-checkconf</strong></span>
+            program and exit.
+          </p>
+        </dd>
+<dt><span class="term">-x</span></dt>
+<dd>
+          <p>
+	    When printing the configuration files in canonical
+            form, obscure shared secrets by replacing them with
+            strings of question marks ('?'). This allows the
+            contents of <code class="filename">named.conf</code> and related
+            files to be shared &#8212; for example, when submitting
+            bug reports &#8212; without compromising private data.
+            This option cannot be used without <code class="option">-p</code>.
+          </p>
+        </dd>
+<dt><span class="term">-z</span></dt>
+<dd>
+          <p>
+	    Perform a test load of all master zones found in
+	    <code class="filename">named.conf</code>.
+          </p>
+        </dd>
+<dt><span class="term">filename</span></dt>
+<dd>
+          <p>
+            The name of the configuration file to be checked.  If not
+            specified, it defaults to <code class="filename">/etc/named.conf</code>.
+          </p>
+        </dd>
+</dl></div>
+
+  </div>
+
+  <div class="refsection">
+<a name="id-1.9"></a><h2>RETURN VALUES</h2>
+
+    <p><span class="command"><strong>named-checkconf</strong></span>
+      returns an exit status of 1 if
+      errors were detected and 0 otherwise.
+    </p>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.10"></a><h2>SEE ALSO</h2>
+
+    <p><span class="citerefentry">
+        <span class="refentrytitle">named</span>(8)
+      </span>,
+      <span class="citerefentry">
+        <span class="refentrytitle">named-checkzone</span>(8)
+      </span>,
+      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
+    </p>
+  </div>
+</div></body>
+</html>

bin/check/named-checkconf.rst

@@ -1,122 +0,0 @@
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0.  If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-.. highlight: console
-
-.. iscman:: named-checkconf
-.. program:: named-checkconf
-.. _man_named-checkconf:
-
-named-checkconf - named configuration file syntax checking tool
----------------------------------------------------------------
-
-Synopsis
-~~~~~~~~
-
-:program:`named-checkconf` [**-achjlnvz**] [**-p** [**-x** ]] [**-t** directory] {filename}
-
-Description
-~~~~~~~~~~~
-
-:program:`named-checkconf` checks the syntax, but not the semantics, of a
-:iscman:`named` configuration file. The file, along with all files included by it, is parsed and checked for syntax
-errors. If no file is specified,
-|named_conf| is read by default.
-
-Note: files that :iscman:`named` reads in separate parser contexts, such as
-``rndc.conf`` or ``rndc.key``, are not automatically read by
-:program:`named-checkconf`.  Configuration errors in these files may cause
-:iscman:`named` to fail to run, even if :program:`named-checkconf` was
-successful.  However, :program:`named-checkconf` can be run on these files
-explicitly.
-
-Options
-~~~~~~~
-
-.. option:: -a
-
-   Don't check the `dnssec-policy`'s DNSSEC key algorithms against
-   those supported by the crypto provider.  This is useful when checking
-   a `named.conf` intended to be run on another machine with possibly a
-   different set of supported DNSSEC key algorithms.
-
-.. option:: -h
-
-   This option prints the usage summary and exits.
-
-.. option:: -j
-
-   When loading a zonefile, this option instructs :iscman:`named` to read the journal if it exists.
-
-.. option:: -l
-
-   This option lists all the configured zones. Each line of output contains the zone
-   name, class (e.g. IN), view, and type (e.g. primary or secondary).
-
-.. option:: -c
-
-   This option specifies that only the "core" configuration should be checked. This suppresses the loading of
-   plugin modules, and causes all parameters to ``plugin`` statements to
-   be ignored.
-
-.. option:: -i
-
-   This option ignores warnings on deprecated options.
-
-.. option:: -n
-
-   Do not print errors when encountering options that are disabled in
-   this build. This allows checking of configuration files for other
-   builds, in which those options are enabled.
-
-.. option:: -p
-
-   This option prints out the :iscman:`named.conf` and included files in canonical form if
-   no errors were detected. See also the :option:`-x` option.
-
-.. option:: -t directory
-
-   This option instructs :iscman:`named` to chroot to ``directory``, so that ``include`` directives in the
-   configuration file are processed as if run by a similarly chrooted
-   :iscman:`named`.
-
-.. option:: -v
-
-   This option prints the version of the :program:`named-checkconf` program and exits.
-
-.. option:: -x
-
-   When printing the configuration files in canonical form, this option obscures
-   shared secrets by replacing them with strings of question marks
-   (``?``). This allows the contents of :iscman:`named.conf` and related files
-   to be shared - for example, when submitting bug reports -
-   without compromising private data. This option cannot be used without
-   :option:`-p`.
-
-.. option:: -z
-
-   This option performs a test load of all zones of type ``primary`` found in :iscman:`named.conf`.
-
-.. option:: filename
-
-   This indicates the name of the configuration file to be checked. If not specified,
-   it defaults to |named_conf|.
-
-Return Values
-~~~~~~~~~~~~~
-
-:program:`named-checkconf` returns an exit status of 1 if errors were detected
-and 0 otherwise.
-
-See Also
-~~~~~~~~
-
-:iscman:`named(8) <named>`, :iscman:`named-checkzone(8) <named-checkzone>`, BIND 9 Administrator Reference Manual.

bin/check/named-checkzone.8

@@ -0,0 +1,329 @@
+.\" Copyright (C) 2000-2002, 2004-2007, 2009-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.\" 
+.\" This Source Code Form is subject to the terms of the Mozilla Public
+.\" License, v. 2.0. If a copy of the MPL was not distributed with this
+.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
+.\"
+.hy 0
+.ad l
+'\" t
+.\"     Title: named-checkzone
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 2014-02-19
+.\"    Manual: BIND9
+.\"    Source: ISC
+.\"  Language: English
+.\"
+.TH "NAMED\-CHECKZONE" "8" "2014\-02\-19" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+named-checkzone, named-compilezone \- zone file validity checking or converting tool
+.SH "SYNOPSIS"
+.HP \w'\fBnamed\-checkzone\fR\ 'u
+\fBnamed\-checkzone\fR [\fB\-d\fR] [\fB\-h\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-J\ \fR\fB\fIfilename\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-M\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-l\ \fR\fB\fIttl\fR\fR] [\fB\-L\ \fR\fB\fIserial\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-r\ \fR\fB\fImode\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-S\ \fR\fB\fImode\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-T\ \fR\fB\fImode\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} {filename}
+.HP \w'\fBnamed\-compilezone\fR\ 'u
+\fBnamed\-compilezone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-C\ \fR\fB\fImode\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-J\ \fR\fB\fIfilename\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-l\ \fR\fB\fIttl\fR\fR] [\fB\-L\ \fR\fB\fIserial\fR\fR] [\fB\-r\ \fR\fB\fImode\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-T\ \fR\fB\fImode\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {\fB\-o\ \fR\fB\fIfilename\fR\fR} {zonename} {filename}
+.SH "DESCRIPTION"
+.PP
+\fBnamed\-checkzone\fR
+checks the syntax and integrity of a zone file\&. It performs the same checks as
+\fBnamed\fR
+does when loading a zone\&. This makes
+\fBnamed\-checkzone\fR
+useful for checking zone files before configuring them into a name server\&.
+.PP
+\fBnamed\-compilezone\fR
+is similar to
+\fBnamed\-checkzone\fR, but it always dumps the zone contents to a specified file in a specified format\&. Additionally, it applies stricter check levels by default, since the dump output will be used as an actual zone file loaded by
+\fBnamed\fR\&. When manually specified otherwise, the check levels must at least be as strict as those specified in the
+\fBnamed\fR
+configuration file\&.
+.SH "OPTIONS"
+.PP
+\-d
+.RS 4
+Enable debugging\&.
+.RE
+.PP
+\-h
+.RS 4
+Print the usage summary and exit\&.
+.RE
+.PP
+\-q
+.RS 4
+Quiet mode \- exit code only\&.
+.RE
+.PP
+\-v
+.RS 4
+Print the version of the
+\fBnamed\-checkzone\fR
+program and exit\&.
+.RE
+.PP
+\-j
+.RS 4
+When loading a zone file, read the journal if it exists\&. The journal file name is assumed to be the zone file name appended with the string
+\&.jnl\&.
+.RE
+.PP
+\-J \fIfilename\fR
+.RS 4
+When loading the zone file read the journal from the given file, if it exists\&. (Implies \-j\&.)
+.RE
+.PP
+\-c \fIclass\fR
+.RS 4
+Specify the class of the zone\&. If not specified, "IN" is assumed\&.
+.RE
+.PP
+\-i \fImode\fR
+.RS 4
+Perform post\-load zone integrity checks\&. Possible modes are
+\fB"full"\fR
+(default),
+\fB"full\-sibling"\fR,
+\fB"local"\fR,
+\fB"local\-sibling"\fR
+and
+\fB"none"\fR\&.
+.sp
+Mode
+\fB"full"\fR
+checks that MX records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames)\&. Mode
+\fB"local"\fR
+only checks MX records which refer to in\-zone hostnames\&.
+.sp
+Mode
+\fB"full"\fR
+checks that SRV records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames)\&. Mode
+\fB"local"\fR
+only checks SRV records which refer to in\-zone hostnames\&.
+.sp
+Mode
+\fB"full"\fR
+checks that delegation NS records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames)\&. It also checks that glue address records in the zone match those advertised by the child\&. Mode
+\fB"local"\fR
+only checks NS records which refer to in\-zone hostnames or that some required glue exists, that is when the nameserver is in a child zone\&.
+.sp
+Mode
+\fB"full\-sibling"\fR
+and
+\fB"local\-sibling"\fR
+disable sibling glue checks but are otherwise the same as
+\fB"full"\fR
+and
+\fB"local"\fR
+respectively\&.
+.sp
+Mode
+\fB"none"\fR
+disables the checks\&.
+.RE
+.PP
+\-f \fIformat\fR
+.RS 4
+Specify the format of the zone file\&. Possible formats are
+\fB"text"\fR
+(default),
+\fB"raw"\fR, and
+\fB"map"\fR\&.
+.RE
+.PP
+\-F \fIformat\fR
+.RS 4
+Specify the format of the output file specified\&. For
+\fBnamed\-checkzone\fR, this does not cause any effects unless it dumps the zone contents\&.
+.sp
+Possible formats are
+\fB"text"\fR
+(default), which is the standard textual representation of the zone, and
+\fB"map"\fR,
+\fB"raw"\fR, and
+\fB"raw=N"\fR, which store the zone in a binary format for rapid loading by
+\fBnamed\fR\&.
+\fB"raw=N"\fR
+specifies the format version of the raw zone file: if N is 0, the raw file can be read by any version of
+\fBnamed\fR; if N is 1, the file can be read by release 9\&.9\&.0 or higher; the default is 1\&.
+.RE
+.PP
+\-k \fImode\fR
+.RS 4
+Perform
+\fB"check\-names"\fR
+checks with the specified failure mode\&. Possible modes are
+\fB"fail"\fR
+(default for
+\fBnamed\-compilezone\fR),
+\fB"warn"\fR
+(default for
+\fBnamed\-checkzone\fR) and
+\fB"ignore"\fR\&.
+.RE
+.PP
+\-l \fIttl\fR
+.RS 4
+Sets a maximum permissible TTL for the input file\&. Any record with a TTL higher than this value will cause the zone to be rejected\&. This is similar to using the
+\fBmax\-zone\-ttl\fR
+option in
+named\&.conf\&.
+.RE
+.PP
+\-L \fIserial\fR
+.RS 4
+When compiling a zone to "raw" or "map" format, set the "source serial" value in the header to the specified serial number\&. (This is expected to be used primarily for testing purposes\&.)
+.RE
+.PP
+\-m \fImode\fR
+.RS 4
+Specify whether MX records should be checked to see if they are addresses\&. Possible modes are
+\fB"fail"\fR,
+\fB"warn"\fR
+(default) and
+\fB"ignore"\fR\&.
+.RE
+.PP
+\-M \fImode\fR
+.RS 4
+Check if a MX record refers to a CNAME\&. Possible modes are
+\fB"fail"\fR,
+\fB"warn"\fR
+(default) and
+\fB"ignore"\fR\&.
+.RE
+.PP
+\-n \fImode\fR
+.RS 4
+Specify whether NS records should be checked to see if they are addresses\&. Possible modes are
+\fB"fail"\fR
+(default for
+\fBnamed\-compilezone\fR),
+\fB"warn"\fR
+(default for
+\fBnamed\-checkzone\fR) and
+\fB"ignore"\fR\&.
+.RE
+.PP
+\-o \fIfilename\fR
+.RS 4
+Write zone output to
+filename\&. If
+filename
+is
+\-
+then write to standard out\&. This is mandatory for
+\fBnamed\-compilezone\fR\&.
+.RE
+.PP
+\-r \fImode\fR
+.RS 4
+Check for records that are treated as different by DNSSEC but are semantically equal in plain DNS\&. Possible modes are
+\fB"fail"\fR,
+\fB"warn"\fR
+(default) and
+\fB"ignore"\fR\&.
+.RE
+.PP
+\-s \fIstyle\fR
+.RS 4
+Specify the style of the dumped zone file\&. Possible styles are
+\fB"full"\fR
+(default) and
+\fB"relative"\fR\&. The full format is most suitable for processing automatically by a separate script\&. On the other hand, the relative format is more human\-readable and is thus suitable for editing by hand\&. For
+\fBnamed\-checkzone\fR
+this does not cause any effects unless it dumps the zone contents\&. It also does not have any meaning if the output format is not text\&.
+.RE
+.PP
+\-S \fImode\fR
+.RS 4
+Check if a SRV record refers to a CNAME\&. Possible modes are
+\fB"fail"\fR,
+\fB"warn"\fR
+(default) and
+\fB"ignore"\fR\&.
+.RE
+.PP
+\-t \fIdirectory\fR
+.RS 4
+Chroot to
+directory
+so that include directives in the configuration file are processed as if run by a similarly chrooted
+\fBnamed\fR\&.
+.RE
+.PP
+\-T \fImode\fR
+.RS 4
+Check if Sender Policy Framework (SPF) records exist and issues a warning if an SPF\-formatted TXT record is not also present\&. Possible modes are
+\fB"warn"\fR
+(default),
+\fB"ignore"\fR\&.
+.RE
+.PP
+\-w \fIdirectory\fR
+.RS 4
+chdir to
+directory
+so that relative filenames in master file $INCLUDE directives work\&. This is similar to the directory clause in
+named\&.conf\&.
+.RE
+.PP
+\-D
+.RS 4
+Dump zone file in canonical format\&. This is always enabled for
+\fBnamed\-compilezone\fR\&.
+.RE
+.PP
+\-W \fImode\fR
+.RS 4
+Specify whether to check for non\-terminal wildcards\&. Non\-terminal wildcards are almost always the result of a failure to understand the wildcard matching algorithm (RFC 1034)\&. Possible modes are
+\fB"warn"\fR
+(default) and
+\fB"ignore"\fR\&.
+.RE
+.PP
+zonename
+.RS 4
+The domain name of the zone being checked\&.
+.RE
+.PP
+filename
+.RS 4
+The name of the zone file\&.
+.RE
+.SH "RETURN VALUES"
+.PP
+\fBnamed\-checkzone\fR
+returns an exit status of 1 if errors were detected and 0 otherwise\&.
+.SH "SEE ALSO"
+.PP
+\fBnamed\fR(8),
+\fBnamed-checkconf\fR(8),
+RFC 1035,
+BIND 9 Administrator Reference Manual\&.
+.SH "AUTHOR"
+.PP
+\fBInternet Systems Consortium, Inc\&.\fR
+.SH "COPYRIGHT"
+.br
+Copyright \(co 2000-2002, 2004-2007, 2009-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.br

bin/check/named-checkzone.c

@@ -1,43 +1,46 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
- * SPDX-License-Identifier: MPL-2.0
- *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
+
 /*! \file */
 
-#include <inttypes.h>
+#include <config.h>
+
 #include <stdbool.h>
 #include <stdlib.h>
+#include <inttypes.h>
 
-#include <isc/attributes.h>
+#include <isc/app.h>
 #include <isc/commandline.h>
 #include <isc/dir.h>
-#include <isc/file.h>
+#include <isc/entropy.h>
 #include <isc/hash.h>
-#include <isc/lib.h>
 #include <isc/log.h>
 #include <isc/mem.h>
-#include <isc/result.h>
+#include <isc/print.h>
+#include <isc/socket.h>
 #include <isc/string.h>
+#include <isc/task.h>
 #include <isc/timer.h>
 #include <isc/util.h>
 
 #include <dns/db.h>
 #include <dns/fixedname.h>
-#include <dns/lib.h>
+#include <dns/log.h>
 #include <dns/master.h>
 #include <dns/masterdump.h>
 #include <dns/name.h>
 #include <dns/rdataclass.h>
 #include <dns/rdataset.h>
+#include <dns/result.h>
 #include <dns/types.h>
 #include <dns/zone.h>
 
@@ -45,49 +48,50 @@
 
 static int quiet = 0;
 static isc_mem_t *mctx = NULL;
+static isc_entropy_t *ectx = NULL;
 dns_zone_t *zone = NULL;
-dns_zonetype_t zonetype = dns_zone_primary;
+dns_zonetype_t zonetype = dns_zone_master;
 static int dumpzone = 0;
 static const char *output_filename;
 static const char *prog_name = NULL;
 static const dns_master_style_t *outputstyle = NULL;
 static enum { progmode_check, progmode_compile } progmode;
 
-#define ERRRET(result, function)                                              \
-	do {                                                                  \
-		if (result != ISC_R_SUCCESS) {                                \
-			if (!quiet)                                           \
-				fprintf(stderr, "%s() returned %s\n",         \
-					function, isc_result_totext(result)); \
-			return (result);                                      \
-		}                                                             \
+#define ERRRET(result, function) \
+	do { \
+		if (result != ISC_R_SUCCESS) { \
+			if (!quiet) \
+				fprintf(stderr, "%s() returned %s\n", \
+					function, dns_result_totext(result)); \
+			return (result); \
+		} \
 	} while (0)
 
-ISC_NORETURN static void
-usage(void);
+ISC_PLATFORM_NORETURN_PRE static void
+usage(void) ISC_PLATFORM_NORETURN_POST;
 
 static void
 usage(void) {
 	fprintf(stderr,
 		"usage: %s [-djqvD] [-c class] "
 		"[-f inputformat] [-F outputformat] [-J filename] "
-		"[-s (full|relative)] [-t directory] [-w directory] "
-		"[-k (ignore|warn|fail)] [-m (ignore|warn|fail)] "
-		"[-n (ignore|warn|fail)] [-r (ignore|warn|fail)] "
+		"[-t directory] [-w directory] [-k (ignore|warn|fail)] "
+		"[-n (ignore|warn|fail)] [-m (ignore|warn|fail)] "
+		"[-r (ignore|warn|fail)] "
 		"[-i (full|full-sibling|local|local-sibling|none)] "
 		"[-M (ignore|warn|fail)] [-S (ignore|warn|fail)] "
 		"[-W (ignore|warn)] "
-		"%s zonename [ (filename|-) ]\n",
+		"%s zonename filename\n",
 		prog_name,
 		progmode == progmode_check ? "[-o filename]" : "-o filename");
-	exit(EXIT_FAILURE);
+	exit(1);
 }
 
 static void
 destroy(void) {
-	if (zone != NULL) {
+	if (zone != NULL)
 		dns_zone_detach(&zone);
-	}
+	dns_name_destroy();
 }
 
 /*% main processing routine */
@@ -95,7 +99,8 @@ int
 main(int argc, char **argv) {
 	int c;
 	char *origin = NULL;
-	const char *filename = NULL;
+	char *filename = NULL;
+	isc_log_t *lctx = NULL;
 	isc_result_t result;
 	char classname_in[] = "IN";
 	char *classname = classname_in;
@@ -120,21 +125,18 @@ main(int argc, char **argv) {
 	outputstyle = &dns_master_style_full;
 
 	prog_name = strrchr(argv[0], '/');
-	if (prog_name == NULL) {
+	if (prog_name == NULL)
 		prog_name = strrchr(argv[0], '\\');
-	}
-	if (prog_name != NULL) {
+	if (prog_name != NULL)
 		prog_name++;
-	} else {
+	else
 		prog_name = argv[0];
-	}
 	/*
 	 * Libtool doesn't preserve the program name prior to final
 	 * installation.  Remove the libtool prefix ("lt-").
 	 */
-	if (strncmp(prog_name, "lt-", 3) == 0) {
+	if (strncmp(prog_name, "lt-", 3) == 0)
 		prog_name += 3;
-	}
 
 #define PROGCMP(X) \
 	(strcasecmp(prog_name, X) == 0 || strcasecmp(prog_name, X ".exe") == 0)
@@ -144,25 +146,30 @@ main(int argc, char **argv) {
 	} else if (PROGCMP("named-compilezone")) {
 		progmode = progmode_compile;
 	} else {
-		UNREACHABLE();
+		INSIST(0);
+		ISC_UNREACHABLE();
 	}
 
-	/* When compiling, disable checks by default */
+	/* Compilation specific defaults */
 	if (progmode == progmode_compile) {
-		zone_options = 0;
-		docheckmx = false;
-		docheckns = false;
-		dochecksrv = false;
-	}
+		zone_options |= (DNS_ZONEOPT_CHECKNS |
+				 DNS_ZONEOPT_FATALNS |
+				 DNS_ZONEOPT_CHECKSPF |
+				 DNS_ZONEOPT_CHECKDUPRR |
+				 DNS_ZONEOPT_CHECKNAMES |
+				 DNS_ZONEOPT_CHECKNAMESFAIL |
+				 DNS_ZONEOPT_CHECKWILDCARD);
+	} else
+		zone_options |= (DNS_ZONEOPT_CHECKDUPRR |
+				 DNS_ZONEOPT_CHECKSPF);
 
 #define ARGCMP(X) (strcmp(isc_commandline_argument, X) == 0)
 
 	isc_commandline_errprint = false;
 
 	while ((c = isc_commandline_parse(argc, argv,
-					  "c:df:hi:jJ:k:L:l:m:n:qr:s:t:o:vw:C:"
-					  "DF:M:R:S:T:W:")) != EOF)
-	{
+			       "c:df:hi:jJ:k:L:l:m:n:qr:s:t:o:vw:DF:M:S:T:W:"))
+	       != EOF) {
 		switch (c) {
 		case 'c':
 			classname = isc_commandline_argument;
@@ -206,7 +213,7 @@ main(int argc, char **argv) {
 			} else {
 				fprintf(stderr, "invalid argument to -i: %s\n",
 					isc_commandline_argument);
-				exit(EXIT_FAILURE);
+				exit(1);
 			}
 			break;
 
@@ -240,7 +247,7 @@ main(int argc, char **argv) {
 			} else {
 				fprintf(stderr, "invalid argument to -k: %s\n",
 					isc_commandline_argument);
-				exit(EXIT_FAILURE);
+				exit(1);
 			}
 			break;
 
@@ -251,35 +258,36 @@ main(int argc, char **argv) {
 			if (*endp != '\0') {
 				fprintf(stderr, "source serial number "
 						"must be numeric");
-				exit(EXIT_FAILURE);
+				exit(1);
 			}
 			break;
 
 		case 'l':
-			zone_options |= DNS_ZONEOPT_CHECKTTL;
+			zone_options2 |= DNS_ZONEOPT2_CHECKTTL;
 			endp = NULL;
 			maxttl = strtol(isc_commandline_argument, &endp, 0);
 			if (*endp != '\0') {
 				fprintf(stderr, "maximum TTL "
 						"must be numeric");
-				exit(EXIT_FAILURE);
+				exit(1);
 			}
 			break;
 
+
 		case 'n':
 			if (ARGCMP("ignore")) {
-				zone_options &= ~(DNS_ZONEOPT_CHECKNS |
+				zone_options &= ~(DNS_ZONEOPT_CHECKNS|
 						  DNS_ZONEOPT_FATALNS);
 			} else if (ARGCMP("warn")) {
 				zone_options |= DNS_ZONEOPT_CHECKNS;
 				zone_options &= ~DNS_ZONEOPT_FATALNS;
 			} else if (ARGCMP("fail")) {
-				zone_options |= DNS_ZONEOPT_CHECKNS |
+				zone_options |= DNS_ZONEOPT_CHECKNS|
 						DNS_ZONEOPT_FATALNS;
 			} else {
 				fprintf(stderr, "invalid argument to -n: %s\n",
 					isc_commandline_argument);
-				exit(EXIT_FAILURE);
+				exit(1);
 			}
 			break;
 
@@ -296,7 +304,7 @@ main(int argc, char **argv) {
 			} else {
 				fprintf(stderr, "invalid argument to -m: %s\n",
 					isc_commandline_argument);
-				exit(EXIT_FAILURE);
+				exit(1);
 			}
 			break;
 
@@ -321,32 +329,20 @@ main(int argc, char **argv) {
 			} else {
 				fprintf(stderr, "invalid argument to -r: %s\n",
 					isc_commandline_argument);
-				exit(EXIT_FAILURE);
-			}
-			break;
-
-		case 'R':
-			if (ARGCMP("fail")) {
-				zone_options |= DNS_ZONEOPT_LOGREPORTS;
-			} else if (ARGCMP("ignore")) {
-				zone_options &= ~DNS_ZONEOPT_LOGREPORTS;
-			} else {
-				fprintf(stderr, "invalid argument to -R: %s\n",
-					isc_commandline_argument);
-				exit(EXIT_FAILURE);
+				exit(1);
 			}
 			break;
 
 		case 's':
-			if (ARGCMP("full")) {
+			if (ARGCMP("full"))
 				outputstyle = &dns_master_style_full;
-			} else if (ARGCMP("relative")) {
+			else if (ARGCMP("relative")) {
 				outputstyle = &dns_master_style_default;
 			} else {
 				fprintf(stderr,
 					"unknown or unsupported style: %s\n",
 					isc_commandline_argument);
-				exit(EXIT_FAILURE);
+				exit(1);
 			}
 			break;
 
@@ -356,30 +352,18 @@ main(int argc, char **argv) {
 				fprintf(stderr, "isc_dir_chroot: %s: %s\n",
 					isc_commandline_argument,
 					isc_result_totext(result));
-				exit(EXIT_FAILURE);
+				exit(1);
 			}
 			break;
 
 		case 'v':
-			printf("%s\n", PACKAGE_VERSION);
-			exit(EXIT_SUCCESS);
+			printf(VERSION "\n");
+			exit(0);
 
 		case 'w':
 			workdir = isc_commandline_argument;
 			break;
 
-		case 'C':
-			if (ARGCMP("check-svcb:fail")) {
-				zone_options |= DNS_ZONEOPT_CHECKSVCB;
-			} else if (ARGCMP("check-svcb:ignore")) {
-				zone_options &= ~DNS_ZONEOPT_CHECKSVCB;
-			} else {
-				fprintf(stderr, "invalid argument to -C: %s\n",
-					isc_commandline_argument);
-				exit(EXIT_FAILURE);
-			}
-			break;
-
 		case 'D':
 			dumpzone++;
 			break;
@@ -397,7 +381,7 @@ main(int argc, char **argv) {
 			} else {
 				fprintf(stderr, "invalid argument to -M: %s\n",
 					isc_commandline_argument);
-				exit(EXIT_FAILURE);
+				exit(1);
 			}
 			break;
 
@@ -414,7 +398,7 @@ main(int argc, char **argv) {
 			} else {
 				fprintf(stderr, "invalid argument to -S: %s\n",
 					isc_commandline_argument);
-				exit(EXIT_FAILURE);
+				exit(1);
 			}
 			break;
 
@@ -426,56 +410,56 @@ main(int argc, char **argv) {
 			} else {
 				fprintf(stderr, "invalid argument to -T: %s\n",
 					isc_commandline_argument);
-				exit(EXIT_FAILURE);
+				exit(1);
 			}
 			break;
 
 		case 'W':
-			if (ARGCMP("warn")) {
+			if (ARGCMP("warn"))
 				zone_options |= DNS_ZONEOPT_CHECKWILDCARD;
-			} else if (ARGCMP("ignore")) {
+			else if (ARGCMP("ignore"))
 				zone_options &= ~DNS_ZONEOPT_CHECKWILDCARD;
-			}
 			break;
 
 		case '?':
-			if (isc_commandline_option != '?') {
+			if (isc_commandline_option != '?')
 				fprintf(stderr, "%s: invalid argument -%c\n",
 					prog_name, isc_commandline_option);
-			}
-			FALLTHROUGH;
+			/* FALLTHROUGH */
 		case 'h':
 			usage();
 
 		default:
-			fprintf(stderr, "%s: unhandled option -%c\n", prog_name,
-				isc_commandline_option);
-			exit(EXIT_FAILURE);
+			fprintf(stderr, "%s: unhandled option -%c\n",
+				prog_name, isc_commandline_option);
+			exit(1);
 		}
 	}
 
 	if (workdir != NULL) {
 		result = isc_dir_chdir(workdir);
 		if (result != ISC_R_SUCCESS) {
-			fprintf(stderr, "isc_dir_chdir: %s: %s\n", workdir,
-				isc_result_totext(result));
-			exit(EXIT_FAILURE);
+			fprintf(stderr, "isc_dir_chdir: %s: %s\n",
+				workdir, isc_result_totext(result));
+			exit(1);
 		}
 	}
 
 	if (inputformatstr != NULL) {
-		if (strcasecmp(inputformatstr, "text") == 0) {
+		if (strcasecmp(inputformatstr, "text") == 0)
 			inputformat = dns_masterformat_text;
-		} else if (strcasecmp(inputformatstr, "raw") == 0) {
+		else if (strcasecmp(inputformatstr, "raw") == 0)
 			inputformat = dns_masterformat_raw;
-		} else if (strncasecmp(inputformatstr, "raw=", 4) == 0) {
+		else if (strncasecmp(inputformatstr, "raw=", 4) == 0) {
 			inputformat = dns_masterformat_raw;
-			fprintf(stderr, "WARNING: input format raw, version "
-					"ignored\n");
+			fprintf(stderr,
+				"WARNING: input format raw, version ignored\n");
+		} else if (strcasecmp(inputformatstr, "map") == 0) {
+			inputformat = dns_masterformat_map;
 		} else {
 			fprintf(stderr, "unknown file format: %s\n",
-				inputformatstr);
-			exit(EXIT_FAILURE);
+			    inputformatstr);
+			exit(1);
 		}
 	}
 
@@ -490,67 +474,65 @@ main(int argc, char **argv) {
 			outputformat = dns_masterformat_raw;
 			rawversion = strtol(outputformatstr + 4, &end, 10);
 			if (end == outputformatstr + 4 || *end != '\0' ||
-			    rawversion > 1U)
-			{
-				fprintf(stderr, "unknown raw format version\n");
-				exit(EXIT_FAILURE);
+			    rawversion > 1U) {
+				fprintf(stderr,
+					"unknown raw format version\n");
+				exit(1);
 			}
+		} else if (strcasecmp(outputformatstr, "map") == 0) {
+			outputformat = dns_masterformat_map;
 		} else {
 			fprintf(stderr, "unknown file format: %s\n",
 				outputformatstr);
-			exit(EXIT_FAILURE);
+			exit(1);
 		}
 	}
 
 	if (progmode == progmode_compile) {
-		dumpzone = 1; /* always dump */
+		dumpzone = 1;	/* always dump */
 		logdump = !quiet;
 		if (output_filename == NULL) {
-			fprintf(stderr, "output file required, but not "
-					"specified\n");
+			fprintf(stderr,
+				"output file required, but not specified\n");
 			usage();
 		}
 	}
 
-	if (output_filename != NULL) {
+	if (output_filename != NULL)
 		dumpzone = 1;
-	}
 
 	/*
-	 * If we are printing to stdout then send the informational
+	 * If we are outputing to stdout then send the informational
 	 * output to stderr.
 	 */
 	if (dumpzone &&
-	    (output_filename == NULL || strcmp(output_filename, "-") == 0 ||
+	    (output_filename == NULL ||
+	     strcmp(output_filename, "-") == 0 ||
 	     strcmp(output_filename, "/dev/fd/1") == 0 ||
-	     strcmp(output_filename, "/dev/stdout") == 0))
-	{
+	     strcmp(output_filename, "/dev/stdout") == 0)) {
 		errout = stderr;
 		logdump = false;
 	}
 
-	if (argc - isc_commandline_index < 1 ||
-	    argc - isc_commandline_index > 2)
-	{
+	if (isc_commandline_index + 2 != argc)
 		usage();
-	}
 
-	isc_mem_create(&mctx);
-	if (!quiet) {
-		RUNTIME_CHECK(setup_logging(errout) == ISC_R_SUCCESS);
-	}
+#ifdef _WIN32
+	InitSockets();
+#endif
+
+	RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
+	if (!quiet)
+		RUNTIME_CHECK(setup_logging(mctx, errout, &lctx)
+			      == ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_entropy_create(mctx, &ectx) == ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)
+		      == ISC_R_SUCCESS);
+
+	dns_result_register();
 
 	origin = argv[isc_commandline_index++];
-
-	if (isc_commandline_index == argc) {
-		/* "-" will be interpreted as stdin */
-		filename = "-";
-	} else {
-		filename = argv[isc_commandline_index];
-	}
-
-	isc_commandline_index++;
-
+	filename = argv[isc_commandline_index++];
 	result = load_zone(mctx, origin, filename, inputformat, classname,
 			   maxttl, &zone);
 
@@ -566,18 +548,22 @@ main(int argc, char **argv) {
 			fprintf(errout, "dump zone to %s...", output_filename);
 			fflush(errout);
 		}
-		result = dump_zone(origin, zone, output_filename, outputformat,
-				   outputstyle, rawversion);
-		if (logdump) {
+		result = dump_zone(origin, zone, output_filename,
+				   outputformat, outputstyle, rawversion);
+		if (logdump)
 			fprintf(errout, "done\n");
-		}
 	}
 
-	if (!quiet && result == ISC_R_SUCCESS) {
+	if (!quiet && result == ISC_R_SUCCESS)
 		fprintf(errout, "OK\n");
-	}
 	destroy();
-	isc_mem_detach(&mctx);
-
-	return (result == ISC_R_SUCCESS) ? 0 : 1;
+	if (lctx != NULL)
+		isc_log_destroy(&lctx);
+	isc_hash_destroy();
+	isc_entropy_detach(&ectx);
+	isc_mem_destroy(&mctx);
+#ifdef _WIN32
+	DestroySockets();
+#endif
+	return ((result == ISC_R_SUCCESS) ? 0 : 1);
 }

bin/check/named-checkzone.docbook

@@ -0,0 +1,528 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<!-- Converted by db4-upgrade version 1.0 -->
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named-checkzone">
+  <info>
+    <date>2014-02-19</date>
+  </info>
+  <refentryinfo>
+    <corpname>ISC</corpname>
+    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle><application>named-checkzone</application></refentrytitle>
+    <manvolnum>8</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
+
+  <docinfo>
+    <copyright>
+      <year>2000</year>
+      <year>2001</year>
+      <year>2002</year>
+      <year>2004</year>
+      <year>2005</year>
+      <year>2006</year>
+      <year>2007</year>
+      <year>2009</year>
+      <year>2010</year>
+      <year>2011</year>
+      <year>2012</year>
+      <year>2013</year>
+      <year>2014</year>
+      <year>2015</year>
+      <year>2016</year>
+      <year>2018</year>
+      <year>2019</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+  </docinfo>
+
+  <refnamediv>
+    <refname><application>named-checkzone</application></refname>
+    <refname><application>named-compilezone</application></refname>
+    <refpurpose>zone file validity checking or converting tool</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis sepchar=" ">
+      <command>named-checkzone</command>
+      <arg choice="opt" rep="norepeat"><option>-d</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-h</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-j</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-q</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-v</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">format</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-F <replaceable class="parameter">format</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-J <replaceable class="parameter">filename</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-i <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-m <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-M <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-n <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">ttl</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">serial</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-o <replaceable class="parameter">filename</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-r <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">style</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-S <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-w <replaceable class="parameter">directory</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-D</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-W <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg choice="req" rep="norepeat">zonename</arg>
+      <arg choice="req" rep="norepeat">filename</arg>
+    </cmdsynopsis>
+    <cmdsynopsis sepchar=" ">
+      <command>named-compilezone</command>
+      <arg choice="opt" rep="norepeat"><option>-d</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-j</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-q</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-v</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-C <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">format</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-F <replaceable class="parameter">format</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-J <replaceable class="parameter">filename</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-i <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-m <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-n <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">ttl</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">serial</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-r <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">style</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-w <replaceable class="parameter">directory</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-D</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-W <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg choice="req" rep="norepeat"><option>-o <replaceable class="parameter">filename</replaceable></option></arg>
+      <arg choice="req" rep="norepeat">zonename</arg>
+      <arg choice="req" rep="norepeat">filename</arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsection><info><title>DESCRIPTION</title></info>
+
+    <para><command>named-checkzone</command>
+      checks the syntax and integrity of a zone file.  It performs the
+      same checks as <command>named</command> does when loading a
+      zone.  This makes <command>named-checkzone</command> useful for
+      checking zone files before configuring them into a name server.
+    </para>
+    <para>
+        <command>named-compilezone</command> is similar to
+	<command>named-checkzone</command>, but it always dumps the
+        zone contents to a specified file in a specified format.
+	Additionally, it applies stricter check levels by default,
+        since the dump output will be used as an actual zone file
+	loaded by <command>named</command>.
+	When manually specified otherwise, the check levels must at
+        least be as strict as those specified in the
+	<command>named</command> configuration file.
+     </para>
+  </refsection>
+
+  <refsection><info><title>OPTIONS</title></info>
+
+
+    <variablelist>
+      <varlistentry>
+        <term>-d</term>
+        <listitem>
+          <para>
+            Enable debugging.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-h</term>
+        <listitem>
+          <para>
+            Print the usage summary and exit.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-q</term>
+        <listitem>
+          <para>
+            Quiet mode - exit code only.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-v</term>
+        <listitem>
+          <para>
+            Print the version of the <command>named-checkzone</command>
+            program and exit.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-j</term>
+        <listitem>
+          <para>
+            When loading a zone file, read the journal if it exists.
+            The journal file name is assumed to be the zone file name
+	    appended with the string <filename>.jnl</filename>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-J <replaceable class="parameter">filename</replaceable></term>
+        <listitem>
+          <para>
+            When loading the zone file read the journal from the given
+            file, if it exists. (Implies -j.)
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-c <replaceable class="parameter">class</replaceable></term>
+        <listitem>
+          <para>
+            Specify the class of the zone.  If not specified, "IN" is assumed.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-i <replaceable class="parameter">mode</replaceable></term>
+	<listitem>
+	  <para>
+	      Perform post-load zone integrity checks.  Possible modes are
+	      <command>"full"</command> (default),
+	      <command>"full-sibling"</command>,
+	      <command>"local"</command>,
+	      <command>"local-sibling"</command> and
+	      <command>"none"</command>.
+	  </para>
+	  <para>
+	      Mode <command>"full"</command> checks that MX records
+	      refer to A or AAAA record (both in-zone and out-of-zone
+	      hostnames).  Mode <command>"local"</command> only
+	      checks MX records which refer to in-zone hostnames.
+	  </para>
+	  <para>
+	      Mode <command>"full"</command> checks that SRV records
+	      refer to A or AAAA record (both in-zone and out-of-zone
+	      hostnames).  Mode <command>"local"</command> only
+	      checks SRV records which refer to in-zone hostnames.
+	  </para>
+	  <para>
+	      Mode <command>"full"</command> checks that delegation NS
+	      records refer to A or AAAA record (both in-zone and out-of-zone
+	      hostnames).  It also checks that glue address records
+	      in the zone match those advertised by the child.
+	      Mode <command>"local"</command> only checks NS records which
+	      refer to in-zone hostnames or that some required glue exists,
+	      that is when the nameserver is in a child zone.
+	  </para>
+	  <para>
+	      Mode <command>"full-sibling"</command> and
+	      <command>"local-sibling"</command> disable sibling glue
+	      checks but are otherwise the same as <command>"full"</command>
+	      and <command>"local"</command> respectively.
+	  </para>
+	  <para>
+	      Mode <command>"none"</command> disables the checks.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-f <replaceable class="parameter">format</replaceable></term>
+	<listitem>
+	  <para>
+	    Specify the format of the zone file.
+	    Possible formats are <command>"text"</command> (default),
+	    <command>"raw"</command>, and <command>"map"</command>.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-F <replaceable class="parameter">format</replaceable></term>
+	<listitem>
+	  <para>
+	    Specify the format of the output file specified.
+	    For <command>named-checkzone</command>,
+	    this does not cause any effects unless it dumps the zone
+	    contents.
+	  </para>
+	  <para>
+	    Possible formats are <command>"text"</command> (default),
+	    which is the standard textual representation of the zone,
+	    and <command>"map"</command>, <command>"raw"</command>,
+            and <command>"raw=N"</command>, which store the zone in a
+            binary format for rapid loading by <command>named</command>.
+            <command>"raw=N"</command> specifies the format version of
+            the raw zone file: if N is 0, the raw file can be read by
+            any version of <command>named</command>; if N is 1, the file
+            can be read by release 9.9.0 or higher; the default is 1.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-k <replaceable class="parameter">mode</replaceable></term>
+        <listitem>
+          <para>
+            Perform <command>"check-names"</command> checks with the
+	    specified failure mode.
+            Possible modes are <command>"fail"</command>
+	    (default for <command>named-compilezone</command>),
+            <command>"warn"</command>
+	    (default for <command>named-checkzone</command>) and
+            <command>"ignore"</command>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-l <replaceable class="parameter">ttl</replaceable></term>
+        <listitem>
+          <para>
+            Sets a maximum permissible TTL for the input file.
+            Any record with a TTL higher than this value will cause
+            the zone to be rejected.  This is similar to using the
+            <command>max-zone-ttl</command> option in
+            <filename>named.conf</filename>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-L <replaceable class="parameter">serial</replaceable></term>
+        <listitem>
+          <para>
+            When compiling a zone to "raw" or "map" format, set the
+            "source serial" value in the header to the specified serial
+            number.  (This is expected to be used primarily for testing
+            purposes.)
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-m <replaceable class="parameter">mode</replaceable></term>
+        <listitem>
+          <para>
+            Specify whether MX records should be checked to see if they
+            are addresses.  Possible modes are <command>"fail"</command>,
+            <command>"warn"</command> (default) and
+            <command>"ignore"</command>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-M <replaceable class="parameter">mode</replaceable></term>
+        <listitem>
+	  <para>
+	    Check if a MX record refers to a CNAME.
+            Possible modes are <command>"fail"</command>,
+            <command>"warn"</command> (default) and
+            <command>"ignore"</command>.
+	  </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-n <replaceable class="parameter">mode</replaceable></term>
+        <listitem>
+          <para>
+            Specify whether NS records should be checked to see if they
+            are addresses.
+	    Possible modes are <command>"fail"</command>
+	    (default for <command>named-compilezone</command>),
+            <command>"warn"</command>
+	    (default for <command>named-checkzone</command>) and
+            <command>"ignore"</command>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-o <replaceable class="parameter">filename</replaceable></term>
+        <listitem>
+          <para>
+            Write zone output to <filename>filename</filename>.
+	    If <filename>filename</filename> is <filename>-</filename> then
+	    write to standard out.
+	    This is mandatory for <command>named-compilezone</command>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-r <replaceable class="parameter">mode</replaceable></term>
+        <listitem>
+	  <para>
+            Check for records that are treated as different by DNSSEC but
+	    are semantically equal in plain DNS.
+            Possible modes are <command>"fail"</command>,
+            <command>"warn"</command> (default) and
+            <command>"ignore"</command>.
+	  </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-s <replaceable class="parameter">style</replaceable></term>
+	<listitem>
+	  <para>
+	    Specify the style of the dumped zone file.
+	    Possible styles are <command>"full"</command> (default)
+	    and <command>"relative"</command>.
+	    The full format is most suitable for processing
+	    automatically by a separate script.
+	    On the other hand, the relative format is more
+	    human-readable and is thus suitable for editing by hand.
+	    For <command>named-checkzone</command>
+	    this does not cause any effects unless it dumps the zone
+	    contents.
+	    It also does not have any meaning if the output format
+	    is not text.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-S <replaceable class="parameter">mode</replaceable></term>
+        <listitem>
+	  <para>
+	    Check if a SRV record refers to a CNAME.
+            Possible modes are <command>"fail"</command>,
+            <command>"warn"</command> (default) and
+            <command>"ignore"</command>.
+	  </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-t <replaceable class="parameter">directory</replaceable></term>
+        <listitem>
+          <para>
+            Chroot to <filename>directory</filename> so that
+            include
+            directives in the configuration file are processed as if
+            run by a similarly chrooted <command>named</command>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-T <replaceable class="parameter">mode</replaceable></term>
+	<listitem>
+	  <para>
+	    Check if Sender Policy Framework (SPF) records exist
+	    and issues a warning if an SPF-formatted TXT record is
+	    not also present.  Possible modes are <command>"warn"</command>
+	    (default), <command>"ignore"</command>.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-w <replaceable class="parameter">directory</replaceable></term>
+        <listitem>
+          <para>
+            chdir to <filename>directory</filename> so that
+            relative
+            filenames in master file $INCLUDE directives work.  This
+            is similar to the directory clause in
+            <filename>named.conf</filename>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-D</term>
+        <listitem>
+          <para>
+            Dump zone file in canonical format.
+	    This is always enabled for <command>named-compilezone</command>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-W <replaceable class="parameter">mode</replaceable></term>
+        <listitem>
+          <para>
+            Specify whether to check for non-terminal wildcards.
+            Non-terminal wildcards are almost always the result of a
+            failure to understand the wildcard matching algorithm (RFC 1034).
+            Possible modes are <command>"warn"</command> (default)
+            and
+            <command>"ignore"</command>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>zonename</term>
+        <listitem>
+          <para>
+            The domain name of the zone being checked.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>filename</term>
+        <listitem>
+          <para>
+            The name of the zone file.
+          </para>
+        </listitem>
+      </varlistentry>
+
+    </variablelist>
+
+  </refsection>
+
+  <refsection><info><title>RETURN VALUES</title></info>
+
+    <para><command>named-checkzone</command>
+      returns an exit status of 1 if
+      errors were detected and 0 otherwise.
+    </para>
+  </refsection>
+
+  <refsection><info><title>SEE ALSO</title></info>
+
+    <para><citerefentry>
+        <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>named-checkconf</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citetitle>RFC 1035</citetitle>,
+      <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
+    </para>
+  </refsection>
+
+</refentry>

bin/check/named-checkzone.html

@@ -0,0 +1,429 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+ - Copyright (C) 2000-2002, 2004-2007, 2009-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+ - 
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>named-checkzone</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
+<a name="man.named-checkzone"></a><div class="titlepage"></div>
+  
+  
+
+  
+
+  
+
+  <div class="refnamediv">
+<h2>Name</h2>
+<p>
+    <span class="application">named-checkzone</span>, 
+    <span class="application">named-compilezone</span>
+     &#8212; zone file validity checking or converting tool
+  </p>
+</div>
+
+  <div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+    <div class="cmdsynopsis"><p>
+      <code class="command">named-checkzone</code> 
+       [<code class="option">-d</code>]
+       [<code class="option">-h</code>]
+       [<code class="option">-j</code>]
+       [<code class="option">-q</code>]
+       [<code class="option">-v</code>]
+       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
+       [<code class="option">-f <em class="replaceable"><code>format</code></em></code>]
+       [<code class="option">-F <em class="replaceable"><code>format</code></em></code>]
+       [<code class="option">-J <em class="replaceable"><code>filename</code></em></code>]
+       [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>]
+       [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>]
+       [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>]
+       [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>]
+       [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>]
+       [<code class="option">-l <em class="replaceable"><code>ttl</code></em></code>]
+       [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>]
+       [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>]
+       [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>]
+       [<code class="option">-s <em class="replaceable"><code>style</code></em></code>]
+       [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>]
+       [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>]
+       [<code class="option">-T <em class="replaceable"><code>mode</code></em></code>]
+       [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>]
+       [<code class="option">-D</code>]
+       [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>]
+       {zonename}
+       {filename}
+    </p></div>
+    <div class="cmdsynopsis"><p>
+      <code class="command">named-compilezone</code> 
+       [<code class="option">-d</code>]
+       [<code class="option">-j</code>]
+       [<code class="option">-q</code>]
+       [<code class="option">-v</code>]
+       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
+       [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>]
+       [<code class="option">-f <em class="replaceable"><code>format</code></em></code>]
+       [<code class="option">-F <em class="replaceable"><code>format</code></em></code>]
+       [<code class="option">-J <em class="replaceable"><code>filename</code></em></code>]
+       [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>]
+       [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>]
+       [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>]
+       [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>]
+       [<code class="option">-l <em class="replaceable"><code>ttl</code></em></code>]
+       [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>]
+       [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>]
+       [<code class="option">-s <em class="replaceable"><code>style</code></em></code>]
+       [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>]
+       [<code class="option">-T <em class="replaceable"><code>mode</code></em></code>]
+       [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>]
+       [<code class="option">-D</code>]
+       [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>]
+       {<code class="option">-o <em class="replaceable"><code>filename</code></em></code>}
+       {zonename}
+       {filename}
+    </p></div>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.7"></a><h2>DESCRIPTION</h2>
+
+    <p><span class="command"><strong>named-checkzone</strong></span>
+      checks the syntax and integrity of a zone file.  It performs the
+      same checks as <span class="command"><strong>named</strong></span> does when loading a
+      zone.  This makes <span class="command"><strong>named-checkzone</strong></span> useful for
+      checking zone files before configuring them into a name server.
+    </p>
+    <p>
+        <span class="command"><strong>named-compilezone</strong></span> is similar to
+	<span class="command"><strong>named-checkzone</strong></span>, but it always dumps the
+        zone contents to a specified file in a specified format.
+	Additionally, it applies stricter check levels by default,
+        since the dump output will be used as an actual zone file
+	loaded by <span class="command"><strong>named</strong></span>.
+	When manually specified otherwise, the check levels must at
+        least be as strict as those specified in the
+	<span class="command"><strong>named</strong></span> configuration file.
+     </p>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.8"></a><h2>OPTIONS</h2>
+
+
+    <div class="variablelist"><dl class="variablelist">
+<dt><span class="term">-d</span></dt>
+<dd>
+          <p>
+            Enable debugging.
+          </p>
+        </dd>
+<dt><span class="term">-h</span></dt>
+<dd>
+          <p>
+            Print the usage summary and exit.
+          </p>
+        </dd>
+<dt><span class="term">-q</span></dt>
+<dd>
+          <p>
+            Quiet mode - exit code only.
+          </p>
+        </dd>
+<dt><span class="term">-v</span></dt>
+<dd>
+          <p>
+            Print the version of the <span class="command"><strong>named-checkzone</strong></span>
+            program and exit.
+          </p>
+        </dd>
+<dt><span class="term">-j</span></dt>
+<dd>
+          <p>
+            When loading a zone file, read the journal if it exists.
+            The journal file name is assumed to be the zone file name
+	    appended with the string <code class="filename">.jnl</code>.
+          </p>
+        </dd>
+<dt><span class="term">-J <em class="replaceable"><code>filename</code></em></span></dt>
+<dd>
+          <p>
+            When loading the zone file read the journal from the given
+            file, if it exists. (Implies -j.)
+          </p>
+        </dd>
+<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
+<dd>
+          <p>
+            Specify the class of the zone.  If not specified, "IN" is assumed.
+          </p>
+        </dd>
+<dt><span class="term">-i <em class="replaceable"><code>mode</code></em></span></dt>
+<dd>
+	  <p>
+	      Perform post-load zone integrity checks.  Possible modes are
+	      <span class="command"><strong>"full"</strong></span> (default),
+	      <span class="command"><strong>"full-sibling"</strong></span>,
+	      <span class="command"><strong>"local"</strong></span>,
+	      <span class="command"><strong>"local-sibling"</strong></span> and
+	      <span class="command"><strong>"none"</strong></span>.
+	  </p>
+	  <p>
+	      Mode <span class="command"><strong>"full"</strong></span> checks that MX records
+	      refer to A or AAAA record (both in-zone and out-of-zone
+	      hostnames).  Mode <span class="command"><strong>"local"</strong></span> only
+	      checks MX records which refer to in-zone hostnames.
+	  </p>
+	  <p>
+	      Mode <span class="command"><strong>"full"</strong></span> checks that SRV records
+	      refer to A or AAAA record (both in-zone and out-of-zone
+	      hostnames).  Mode <span class="command"><strong>"local"</strong></span> only
+	      checks SRV records which refer to in-zone hostnames.
+	  </p>
+	  <p>
+	      Mode <span class="command"><strong>"full"</strong></span> checks that delegation NS
+	      records refer to A or AAAA record (both in-zone and out-of-zone
+	      hostnames).  It also checks that glue address records
+	      in the zone match those advertised by the child.
+	      Mode <span class="command"><strong>"local"</strong></span> only checks NS records which
+	      refer to in-zone hostnames or that some required glue exists,
+	      that is when the nameserver is in a child zone.
+	  </p>
+	  <p>
+	      Mode <span class="command"><strong>"full-sibling"</strong></span> and
+	      <span class="command"><strong>"local-sibling"</strong></span> disable sibling glue
+	      checks but are otherwise the same as <span class="command"><strong>"full"</strong></span>
+	      and <span class="command"><strong>"local"</strong></span> respectively.
+	  </p>
+	  <p>
+	      Mode <span class="command"><strong>"none"</strong></span> disables the checks.
+	  </p>
+	</dd>
+<dt><span class="term">-f <em class="replaceable"><code>format</code></em></span></dt>
+<dd>
+	  <p>
+	    Specify the format of the zone file.
+	    Possible formats are <span class="command"><strong>"text"</strong></span> (default),
+	    <span class="command"><strong>"raw"</strong></span>, and <span class="command"><strong>"map"</strong></span>.
+	  </p>
+	</dd>
+<dt><span class="term">-F <em class="replaceable"><code>format</code></em></span></dt>
+<dd>
+	  <p>
+	    Specify the format of the output file specified.
+	    For <span class="command"><strong>named-checkzone</strong></span>,
+	    this does not cause any effects unless it dumps the zone
+	    contents.
+	  </p>
+	  <p>
+	    Possible formats are <span class="command"><strong>"text"</strong></span> (default),
+	    which is the standard textual representation of the zone,
+	    and <span class="command"><strong>"map"</strong></span>, <span class="command"><strong>"raw"</strong></span>,
+            and <span class="command"><strong>"raw=N"</strong></span>, which store the zone in a
+            binary format for rapid loading by <span class="command"><strong>named</strong></span>.
+            <span class="command"><strong>"raw=N"</strong></span> specifies the format version of
+            the raw zone file: if N is 0, the raw file can be read by
+            any version of <span class="command"><strong>named</strong></span>; if N is 1, the file
+            can be read by release 9.9.0 or higher; the default is 1.
+	  </p>
+	</dd>
+<dt><span class="term">-k <em class="replaceable"><code>mode</code></em></span></dt>
+<dd>
+          <p>
+            Perform <span class="command"><strong>"check-names"</strong></span> checks with the
+	    specified failure mode.
+            Possible modes are <span class="command"><strong>"fail"</strong></span>
+	    (default for <span class="command"><strong>named-compilezone</strong></span>),
+            <span class="command"><strong>"warn"</strong></span>
+	    (default for <span class="command"><strong>named-checkzone</strong></span>) and
+            <span class="command"><strong>"ignore"</strong></span>.
+          </p>
+        </dd>
+<dt><span class="term">-l <em class="replaceable"><code>ttl</code></em></span></dt>
+<dd>
+          <p>
+            Sets a maximum permissible TTL for the input file.
+            Any record with a TTL higher than this value will cause
+            the zone to be rejected.  This is similar to using the
+            <span class="command"><strong>max-zone-ttl</strong></span> option in
+            <code class="filename">named.conf</code>.
+          </p>
+        </dd>
+<dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
+<dd>
+          <p>
+            When compiling a zone to "raw" or "map" format, set the
+            "source serial" value in the header to the specified serial
+            number.  (This is expected to be used primarily for testing
+            purposes.)
+          </p>
+        </dd>
+<dt><span class="term">-m <em class="replaceable"><code>mode</code></em></span></dt>
+<dd>
+          <p>
+            Specify whether MX records should be checked to see if they
+            are addresses.  Possible modes are <span class="command"><strong>"fail"</strong></span>,
+            <span class="command"><strong>"warn"</strong></span> (default) and
+            <span class="command"><strong>"ignore"</strong></span>.
+          </p>
+        </dd>
+<dt><span class="term">-M <em class="replaceable"><code>mode</code></em></span></dt>
+<dd>
+	  <p>
+	    Check if a MX record refers to a CNAME.
+            Possible modes are <span class="command"><strong>"fail"</strong></span>,
+            <span class="command"><strong>"warn"</strong></span> (default) and
+            <span class="command"><strong>"ignore"</strong></span>.
+	  </p>
+        </dd>
+<dt><span class="term">-n <em class="replaceable"><code>mode</code></em></span></dt>
+<dd>
+          <p>
+            Specify whether NS records should be checked to see if they
+            are addresses.
+	    Possible modes are <span class="command"><strong>"fail"</strong></span>
+	    (default for <span class="command"><strong>named-compilezone</strong></span>),
+            <span class="command"><strong>"warn"</strong></span>
+	    (default for <span class="command"><strong>named-checkzone</strong></span>) and
+            <span class="command"><strong>"ignore"</strong></span>.
+          </p>
+        </dd>
+<dt><span class="term">-o <em class="replaceable"><code>filename</code></em></span></dt>
+<dd>
+          <p>
+            Write zone output to <code class="filename">filename</code>.
+	    If <code class="filename">filename</code> is <code class="filename">-</code> then
+	    write to standard out.
+	    This is mandatory for <span class="command"><strong>named-compilezone</strong></span>.
+          </p>
+        </dd>
+<dt><span class="term">-r <em class="replaceable"><code>mode</code></em></span></dt>
+<dd>
+	  <p>
+            Check for records that are treated as different by DNSSEC but
+	    are semantically equal in plain DNS.
+            Possible modes are <span class="command"><strong>"fail"</strong></span>,
+            <span class="command"><strong>"warn"</strong></span> (default) and
+            <span class="command"><strong>"ignore"</strong></span>.
+	  </p>
+        </dd>
+<dt><span class="term">-s <em class="replaceable"><code>style</code></em></span></dt>
+<dd>
+	  <p>
+	    Specify the style of the dumped zone file.
+	    Possible styles are <span class="command"><strong>"full"</strong></span> (default)
+	    and <span class="command"><strong>"relative"</strong></span>.
+	    The full format is most suitable for processing
+	    automatically by a separate script.
+	    On the other hand, the relative format is more
+	    human-readable and is thus suitable for editing by hand.
+	    For <span class="command"><strong>named-checkzone</strong></span>
+	    this does not cause any effects unless it dumps the zone
+	    contents.
+	    It also does not have any meaning if the output format
+	    is not text.
+	  </p>
+	</dd>
+<dt><span class="term">-S <em class="replaceable"><code>mode</code></em></span></dt>
+<dd>
+	  <p>
+	    Check if a SRV record refers to a CNAME.
+            Possible modes are <span class="command"><strong>"fail"</strong></span>,
+            <span class="command"><strong>"warn"</strong></span> (default) and
+            <span class="command"><strong>"ignore"</strong></span>.
+	  </p>
+        </dd>
+<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
+<dd>
+          <p>
+            Chroot to <code class="filename">directory</code> so that
+            include
+            directives in the configuration file are processed as if
+            run by a similarly chrooted <span class="command"><strong>named</strong></span>.
+          </p>
+        </dd>
+<dt><span class="term">-T <em class="replaceable"><code>mode</code></em></span></dt>
+<dd>
+	  <p>
+	    Check if Sender Policy Framework (SPF) records exist
+	    and issues a warning if an SPF-formatted TXT record is
+	    not also present.  Possible modes are <span class="command"><strong>"warn"</strong></span>
+	    (default), <span class="command"><strong>"ignore"</strong></span>.
+	  </p>
+	</dd>
+<dt><span class="term">-w <em class="replaceable"><code>directory</code></em></span></dt>
+<dd>
+          <p>
+            chdir to <code class="filename">directory</code> so that
+            relative
+            filenames in master file $INCLUDE directives work.  This
+            is similar to the directory clause in
+            <code class="filename">named.conf</code>.
+          </p>
+        </dd>
+<dt><span class="term">-D</span></dt>
+<dd>
+          <p>
+            Dump zone file in canonical format.
+	    This is always enabled for <span class="command"><strong>named-compilezone</strong></span>.
+          </p>
+        </dd>
+<dt><span class="term">-W <em class="replaceable"><code>mode</code></em></span></dt>
+<dd>
+          <p>
+            Specify whether to check for non-terminal wildcards.
+            Non-terminal wildcards are almost always the result of a
+            failure to understand the wildcard matching algorithm (RFC 1034).
+            Possible modes are <span class="command"><strong>"warn"</strong></span> (default)
+            and
+            <span class="command"><strong>"ignore"</strong></span>.
+          </p>
+        </dd>
+<dt><span class="term">zonename</span></dt>
+<dd>
+          <p>
+            The domain name of the zone being checked.
+          </p>
+        </dd>
+<dt><span class="term">filename</span></dt>
+<dd>
+          <p>
+            The name of the zone file.
+          </p>
+        </dd>
+</dl></div>
+
+  </div>
+
+  <div class="refsection">
+<a name="id-1.9"></a><h2>RETURN VALUES</h2>
+
+    <p><span class="command"><strong>named-checkzone</strong></span>
+      returns an exit status of 1 if
+      errors were detected and 0 otherwise.
+    </p>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.10"></a><h2>SEE ALSO</h2>
+
+    <p><span class="citerefentry">
+        <span class="refentrytitle">named</span>(8)
+      </span>,
+      <span class="citerefentry">
+        <span class="refentrytitle">named-checkconf</span>(8)
+      </span>,
+      <em class="citetitle">RFC 1035</em>,
+      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
+    </p>
+  </div>
+
+</div></body>
+</html>

bin/check/named-checkzone.rst

@@ -1,241 +0,0 @@
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0.  If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-.. highlight: console
-
-.. BEWARE: Do not forget to edit also named-compilezone.rst!
-
-.. iscman:: named-checkzone
-.. program:: named-checkzone
-.. _man_named-checkzone:
-
-named-checkzone - zone file validation tool
--------------------------------------------
-
-Synopsis
-~~~~~~~~
-
-:program:`named-checkzone` [**-d**] [**-h**] [**-j**] [**-q**] [**-v**] [**-c** class] [**-C** mode] [**-f** format] [**-F** format] [**-J** filename] [**-i** mode] [**-k** mode] [**-m** mode] [**-M** mode] [**-n** mode] [**-l** ttl] [**-L** serial] [**-o** filename] [**-r** mode] [**-R** mode] [**-s** style] [**-S** mode] [**-t** directory] [**-T** mode] [**-w** directory] [**-D**] [**-W** mode] {zonename} {filename}
-
-Description
-~~~~~~~~~~~
-
-:program:`named-checkzone` checks the syntax and integrity of a zone file. It
-performs the same checks as :iscman:`named` does when loading a zone. This
-makes :program:`named-checkzone` useful for checking zone files before
-configuring them into a name server.
-
-Options
-~~~~~~~
-
-.. option:: -d
-
-   This option enables debugging.
-
-.. option:: -h
-
-   This option prints the usage summary and exits.
-
-.. option:: -q
-
-   This option sets quiet mode, which only sets an exit code to indicate
-   successful or failed completion.
-
-.. option:: -v
-
-   This option prints the version of the :program:`named-checkzone` program and exits.
-
-.. option:: -j
-
-   When loading a zone file, this option tells :iscman:`named` to read the journal if it exists. The journal
-   file name is assumed to be the zone file name with the
-   string ``.jnl`` appended.
-
-.. option:: -J filename
-
-   When loading the zone file, this option tells :iscman:`named` to read the journal from the given file, if
-   it exists. This implies :option:`-j`.
-
-.. option:: -c class
-
-   This option specifies the class of the zone. If not specified, ``IN`` is assumed.
-
-.. option:: -C mode
-
-   This option controls check mode on zone files when loading.
-   Possible modes are ``check-svcb:fail`` and ``check-svcb:ignore``.
-
-   ``check-svcb:fail`` turns on additional checks on ``_dns`` SVCB
-   records and ``check-svcb:ignore`` disables these checks.  The
-   default is ``check-svcb:fail``.
-
-.. option:: -i mode
-
-   This option performs post-load zone integrity checks. Possible modes are
-   ``full`` (the default), ``full-sibling``, ``local``,
-   ``local-sibling``, and ``none``.
-
-   Mode ``full`` checks that MX records refer to A or AAAA records
-   (both in-zone and out-of-zone hostnames). Mode ``local`` only
-   checks MX records which refer to in-zone hostnames.
-
-   Mode ``full`` checks that SRV records refer to A or AAAA records
-   (both in-zone and out-of-zone hostnames). Mode ``local`` only
-   checks SRV records which refer to in-zone hostnames.
-
-   Mode ``full`` checks that a zone that has A or AAAA records it is served
-   by a server with the same type of address records.
-
-   Mode ``full`` checks that delegation NS records refer to A or AAAA
-   records (both in-zone and out-of-zone hostnames). It also checks that
-   glue address records in the zone match those advertised by the child.
-
-   Mode ``local`` only checks NS records which refer to in-zone
-   hostnames or verifies that some required glue exists, i.e., when the
-   name server is in a child zone.
-
-   Modes ``full-sibling`` and ``local-sibling`` disable sibling glue
-   checks, but are otherwise the same as ``full`` and ``local``,
-   respectively.
-
-   Mode ``none`` disables the checks.
-
-.. option:: -f format
-
-   This option specifies the format of the zone file. Possible formats are
-   ``text`` (the default), and ``raw``.
-
-.. option:: -F format
-
-   This option specifies the format of the output file specified. For
-   :program:`named-checkzone`, this does not have any effect unless it dumps
-   the zone contents.
-
-   Possible formats are ``text`` (the default), which is the standard
-   textual representation of the zone, and ``raw`` and ``raw=N``, which
-   store the zone in a binary format for rapid loading by :iscman:`named`.
-   ``raw=N`` specifies the format version of the raw zone file: if ``N`` is
-   0, the raw file can be read by any version of :iscman:`named`; if N is 1, the
-   file can only be read by release 9.9.0 or higher. The default is 1.
-
-.. option:: -k mode
-
-   This option performs ``check-names`` checks with the specified failure mode.
-   Possible modes are ``fail``, ``warn`` (the default), and ``ignore``.
-
-.. option:: -l ttl
-
-   This option sets a maximum permissible TTL for the input file. Any record with a
-   TTL higher than this value causes the zone to be rejected. This
-   is similar to using the ``max-zone-ttl`` option in :iscman:`named.conf`.
-
-.. option:: -L serial
-
-   When compiling a zone to ``raw`` format, this option sets the "source
-   serial" value in the header to the specified serial number. This is
-   expected to be used primarily for testing purposes.
-
-.. option:: -m mode
-
-   This option specifies whether MX records should be checked to see if they are
-   addresses. Possible modes are ``fail``, ``warn`` (the default), and
-   ``ignore``.
-
-.. option:: -M mode
-
-   This option checks whether a MX record refers to a CNAME. Possible modes are
-   ``fail``, ``warn`` (the default), and ``ignore``.
-
-.. option:: -n mode
-
-   This option specifies whether NS records should be checked to see if they are
-   addresses. Possible modes are ``fail``, ``warn`` (the default), and ``ignore``.
-
-.. option:: -o filename
-
-   This option writes the zone output to ``filename``. If ``filename`` is ``-``, then
-   the zone output is written to standard output.
-
-.. option:: -r mode
-
-   This option checks for records that are treated as different by DNSSEC but are
-   semantically equal in plain DNS. Possible modes are ``fail``,
-   ``warn`` (the default), and ``ignore``.
-
-.. option:: -R mode
-
-   This option checks whether a TXT wildcard record exists that
-   matches the name format for RFC 9567 error-reporting queries: ``*._er``.
-   Possible modes are ``fail`` and ``ignore`` (the default).
-
-.. option:: -s style
-
-   This option specifies the style of the dumped zone file. Possible styles are
-   ``full`` (the default) and ``relative``. The ``full`` format is most
-   suitable for processing automatically by a separate script.
-   The relative format is more human-readable and is thus
-   suitable for editing by hand. This does not have any effect unless it dumps
-   the zone contents. It also does not have any meaning if the output format
-   is not text.
-
-.. option:: -S mode
-
-   This option checks whether an SRV record refers to a CNAME. Possible modes are
-   ``fail``, ``warn`` (the default), and ``ignore``.
-
-.. option:: -t directory
-
-   This option tells :iscman:`named` to chroot to ``directory``, so that ``include`` directives in the
-   configuration file are processed as if run by a similarly chrooted
-   :iscman:`named`.
-
-.. option:: -T mode
-
-   This option checks whether Sender Policy Framework (SPF) records exist and issues a
-   warning if an SPF-formatted TXT record is not also present. Possible
-   modes are ``warn`` (the default) and ``ignore``.
-
-.. option:: -w directory
-
-   This option instructs :iscman:`named` to chdir to ``directory``, so that relative filenames in master file
-   ``$INCLUDE`` directives work. This is similar to the directory clause in
-   :iscman:`named.conf`.
-
-.. option:: -D
-
-   This option dumps the zone file in canonical format.
-
-.. option:: -W mode
-
-   This option specifies whether to check for non-terminal wildcards. Non-terminal
-   wildcards are almost always the result of a failure to understand the
-   wildcard matching algorithm (:rfc:`4592`). Possible modes are ``warn``
-   (the default) and ``ignore``.
-
-.. option:: zonename
-
-   This indicates the domain name of the zone being checked.
-
-.. option:: filename
-
-   This is the name of the zone file.
-
-Return Values
-~~~~~~~~~~~~~
-
-:program:`named-checkzone` returns an exit status of 1 if errors were detected
-and 0 otherwise.
-
-See Also
-~~~~~~~~
-
-:iscman:`named(8) <named>`, :iscman:`named-checkconf(8) <named-checkconf>`, :iscman:`named-compilezone(8) <named-compilezone>`, :rfc:`1035`, BIND 9 Administrator Reference
-Manual.

bin/check/named-compilezone.rst

@@ -1,245 +0,0 @@
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0.  If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-.. highlight: console
-
-.. BEWARE: Do not forget to edit also named-checkzone.rst!
-
-.. iscman:: named-compilezone
-.. program:: named-compilezone
-.. _man_named-compilezone:
-
-named-compilezone - zone file converting tool
----------------------------------------------
-
-Synopsis
-~~~~~~~~
-
-:program:`named-compilezone` [**-d**] [**-h**] [**-j**] [**-q**] [**-v**] [**-c** class] [**-C** mode] [**-f** format] [**-F** format] [**-J** filename] [**-i** mode] [**-k** mode] [**-m** mode] [**-M** mode] [**-n** mode] [**-l** ttl] [**-L** serial] [**-r** mode] [**-R** mode] [**-s** style] [**-S** mode] [**-t** directory] [**-T** mode] [**-w** directory] [**-D**] [**-W** mode] {**-o** filename} {zonename} {filename}
-
-Description
-~~~~~~~~~~~
-
-:program:`named-compilezone` checks the syntax and integrity of a zone file,
-and dumps the zone contents to a specified file in a specified format.
-
-Unlike :program:`named-checkzone`, zone contents are not strictly checked
-by default. If the output is to be used as an actual zone file to be loaded
-by :iscman:`named`, then the check levels should be manually configured to
-be at least as strict as those specified in the :iscman:`named` configuration
-file.
-
-Running :program:`named-checkzone` on the input prior to compiling will
-ensure that the zone compiles with the default requirements of
-:iscman:`named`.
-
-Options
-~~~~~~~
-
-.. option:: -d
-
-   This option enables debugging.
-
-.. option:: -h
-
-   This option prints the usage summary and exits.
-
-.. option:: -q
-
-   This option sets quiet mode, which only sets an exit code to indicate
-   successful or failed completion.
-
-.. option:: -v
-
-   This option prints the version of the :iscman:`named-checkzone` program and exits.
-
-.. option:: -j
-
-   When loading a zone file, this option tells :iscman:`named` to read the journal if it exists. The journal
-   file name is assumed to be the zone file name with the
-   string ``.jnl`` appended.
-
-.. option:: -J filename
-
-   When loading the zone file, this option tells :iscman:`named` to read the journal from the given file, if
-   it exists. This implies :option:`-j`.
-
-.. option:: -c class
-
-   This option specifies the class of the zone. If not specified, ``IN`` is assumed.
-
-.. option:: -C mode
-
-   This option controls check mode on zone files when loading.
-   Possible modes are ``check-svcb:fail`` and ``check-svcb:ignore``.
-
-   ``check-svcb:fail`` turns on additional checks on ``_dns`` SVCB
-   records and ``check-svcb:ignore`` disables these checks.  The
-   default is ``check-svcb:ignore``.
-
-.. option:: -i mode
-
-   This option performs post-load zone integrity checks. Possible modes are
-   ``full``, ``full-sibling``, ``local``,
-   ``local-sibling``, and ``none`` (the default).
-
-   Mode ``full`` checks that MX records refer to A or AAAA records
-   (both in-zone and out-of-zone hostnames). Mode ``local`` only
-   checks MX records which refer to in-zone hostnames.
-
-   Mode ``full`` checks that SRV records refer to A or AAAA records
-   (both in-zone and out-of-zone hostnames). Mode ``local`` only
-   checks SRV records which refer to in-zone hostnames.
-
-   Mode ``full`` checks that delegation NS records refer to A or AAAA
-   records (both in-zone and out-of-zone hostnames). It also checks that
-   glue address records in the zone match those advertised by the child.
-   Mode ``local`` only checks NS records which refer to in-zone
-   hostnames or verifies that some required glue exists, i.e., when the
-   name server is in a child zone.
-
-   Modes ``full-sibling`` and ``local-sibling`` disable sibling glue
-   checks, but are otherwise the same as ``full`` and ``local``,
-   respectively.
-
-   Mode ``none`` disables the checks.
-
-.. option:: -f format
-
-   This option specifies the format of the zone file. Possible formats are
-   ``text`` (the default), and ``raw``.
-
-.. option:: -F format
-
-   This option specifies the format of the output file specified. For
-   :iscman:`named-checkzone`, this does not have any effect unless it dumps
-   the zone contents.
-
-   Possible formats are ``text`` (the default), which is the standard
-   textual representation of the zone, and ``raw`` and ``raw=N``, which
-   store the zone in a binary format for rapid loading by :iscman:`named`.
-   ``raw=N`` specifies the format version of the raw zone file: if ``N`` is
-   0, the raw file can be read by any version of :iscman:`named`; if N is 1, the
-   file can only be read by release 9.9.0 or higher. The default is 1.
-
-.. option:: -k mode
-
-   This option performs ``check-names`` checks with the specified failure mode.
-   Possible modes are ``fail``, ``warn``, and ``ignore`` (the default).
-
-.. option:: -l ttl
-
-   This option sets a maximum permissible TTL for the input file. Any record with a
-   TTL higher than this value causes the zone to be rejected. This
-   is similar to using the ``max-zone-ttl`` option in :iscman:`named.conf`.
-
-.. option:: -L serial
-
-   When compiling a zone to ``raw`` format, this option sets the "source
-   serial" value in the header to the specified serial number. This is
-   expected to be used primarily for testing purposes.
-
-.. option:: -m mode
-
-   This option specifies whether MX records should be checked to see if they are
-   addresses. Possible modes are ``fail``, ``warn``, and
-   ``ignore`` (the default).
-
-.. option:: -M mode
-
-   This option checks whether a MX record refers to a CNAME. Possible modes are
-   ``fail``, ``warn``, and ``ignore`` (the default).
-
-.. option:: -n mode
-
-   This option specifies whether NS records should be checked to see if they are
-   addresses. Possible modes are ``fail``, ``warn``,  and
-   ``ignore`` (the default).
-
-.. option:: -o filename
-
-   This option writes the zone output to ``filename``. If ``filename`` is ``-``, then
-   the zone output is written to standard output. This is mandatory for :program:`named-compilezone`.
-
-.. option:: -r mode
-
-   This option checks for records that are treated as different by DNSSEC but are
-   semantically equal in plain DNS. Possible modes are ``fail``,
-   ``warn``, and ``ignore`` (the default).
-
-.. option:: -R mode
-
-   This option checks whether a TXT wildcard record exists that
-   matches the name format for RFC 9567 error-reporting queries: ``*._er``.
-   Possible modes are ``fail`` and ``ignore`` (the default).
-
-.. option:: -s style
-
-   This option specifies the style of the dumped zone file. Possible styles are
-   ``full`` (the default) and ``relative``. The ``full`` format is most
-   suitable for processing automatically by a separate script.
-   The relative format is more human-readable and is thus
-   suitable for editing by hand.
-
-.. option:: -S mode
-
-   This option checks whether an SRV record refers to a CNAME. Possible modes are
-   ``fail``, ``warn``, and ``ignore`` (the default).
-
-.. option:: -t directory
-
-   This option tells :iscman:`named` to chroot to ``directory``, so that ``include`` directives in the
-   configuration file are processed as if run by a similarly chrooted
-   :iscman:`named`.
-
-.. option:: -T mode
-
-   This option checks whether Sender Policy Framework (SPF) records exist and issues a
-   warning if an SPF-formatted TXT record is not also present. Possible
-   modes are ``warn`` and ``ignore`` (the default).
-
-.. option:: -w directory
-
-   This option instructs :iscman:`named` to chdir to ``directory``, so that relative filenames in master file
-   ``$INCLUDE`` directives work. This is similar to the directory clause in
-   :iscman:`named.conf`.
-
-.. option:: -D
-
-   This option dumps the zone file in canonical format. This is always enabled for
-   :program:`named-compilezone`.
-
-.. option:: -W mode
-
-   This option specifies whether to check for non-terminal wildcards. Non-terminal
-   wildcards are almost always the result of a failure to understand the
-   wildcard matching algorithm (:rfc:`4592`). Possible modes are ``warn``
-   and ``ignore`` (the default).
-
-.. option:: zonename
-
-   This indicates the domain name of the zone being checked.
-
-.. option:: filename
-
-   This is the name of the zone file.
-
-Return Values
-~~~~~~~~~~~~~
-
-:program:`named-compilezone` returns an exit status of 1 if errors were detected
-and 0 otherwise.
-
-See Also
-~~~~~~~~
-
-:iscman:`named(8) <named>`, :iscman:`named-checkconf(8) <named-checkconf>`, :iscman:`named-checkzone(8) <named-checkzone>`, :rfc:`1035`,
-BIND 9 Administrator Reference Manual.

bin/check/win32/checkconf.vcxproj.filters.in

@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\check-tool.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\named-checkconf.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>

bin/check/win32/checkconf.vcxproj.in

@@ -0,0 +1,115 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{03A96113-CB14-43AA-AEB2-48950E3915C5}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>checkconf</RootNamespace>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <TargetName>named-$(ProjectName)</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <TargetName>named-$(ProjectName)</TargetName>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;@CRYPTO@_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\isccc\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);..\..\..\lib\ns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;libbind9.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;@CRYPTO@NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\isccc\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);..\..\..\lib\ns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;libbind9.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClInclude Include="..\check-tool.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\named-checkconf.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>

bin/check/win32/checkconf.vcxproj.user

@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>

bin/check/win32/checktool.vcxproj.filters.in

@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\check-tool.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>

bin/check/win32/checktool.vcxproj.in

@@ -0,0 +1,101 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\check-tool.c" />
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{2C1F7096-C5B5-48D4-846F-A7ACA454335D}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>checktool</RootNamespace>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <OutDir>.\$(Configuration)\</OutDir>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <IntDir>.\$(Configuration)\</IntDir>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <OutDir>.\$(Configuration)\</OutDir>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <IntDir>.\$(Configuration)\</IntDir>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;@CRYPTO@_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;..\..\..\lib\ns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Lib>
+      <OutputFile>.\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+    </Lib>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;@CRYPTO@NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;..\..\..\lib\ns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Lib>
+      <OutputFile>.\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+    </Lib>
+  </ItemDefinitionGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>

bin/check/win32/checktool.vcxproj.user

@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>

bin/check/win32/checkzone.vcxproj.filters.in

@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\check-tool.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\named-checkzone.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>

bin/check/win32/checkzone.vcxproj.in

@@ -0,0 +1,126 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{66028555-7DD5-4016-B601-9EF9A1EE8BFA}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>checkzone</RootNamespace>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <TargetName>named-$(ProjectName)</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <TargetName>named-$(ProjectName)</TargetName>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;@CRYPTO@_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);..\..\..\lib\ns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libbind9.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+    <PostBuildEvent>
+      <Command>cd ..\..\..\Build\$(Configuration)
+copy /Y named-checkzone.exe named-compilezone.exe
+copy /Y named-checkzone.ilk named-compilezone.ilk
+</Command>
+    </PostBuildEvent>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;@CRYPTO@NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);..\..\..\lib\ns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libbind9.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+    </Link>
+    <PostBuildEvent>
+      <Command>cd ..\..\..\Build\$(Configuration)
+copy /Y named-checkzone.exe named-compilezone.exe
+</Command>
+    </PostBuildEvent>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClInclude Include="..\check-tool.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\named-checkzone.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>

bin/check/win32/checkzone.vcxproj.user

@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>

bin/confgen/Makefile.am

@@ -1,30 +0,0 @@
-include $(top_srcdir)/Makefile.top
-
-AM_CPPFLAGS +=			\
-	$(LIBISC_CFLAGS)	\
-	$(LIBDNS_CFLAGS)	\
-	-DRNDC_KEYFILE=\"${sysconfdir}/rndc.key\"
-
-LDADD +=			\
-	libconfgen.la		\
-	$(LIBISC_LIBS)		\
-	$(LIBDNS_LIBS)
-
-noinst_LTLIBRARIES = libconfgen.la
-
-libconfgen_la_SOURCES =		\
-	include/confgen/os.h	\
-	keygen.c		\
-	keygen.h		\
-	os.c			\
-	util.c			\
-	util.h
-
-sbin_PROGRAMS = tsig-keygen rndc-confgen
-
-install-exec-hook:
-	ln -f $(DESTDIR)$(sbindir)/tsig-keygen \
-	      $(DESTDIR)$(sbindir)/ddns-confgen
-
-uninstall-hook:
-	-rm -f $(DESTDIR)$(sbindir)/ddns-confgen

bin/confgen/Makefile.in

@@ -0,0 +1,113 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+# Attempt to disable parallel processing.
+.NOTPARALLEL:
+.NO_PARALLEL:
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
+	${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES}
+
+CDEFINES =
+CWARNINGS =
+
+ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
+ISCCCLIBS =	../../lib/isccc/libisccc.@A@
+ISCLIBS =	../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @ISC_OPENSSL_LIBS@
+DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
+BIND9LIBS =	../../lib/bind9/libbind9.@A@
+
+ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@
+ISCCCDEPLIBS =	../../lib/isccc/libisccc.@A@
+ISCDEPLIBS =	../../lib/isc/libisc.@A@
+DNSDEPLIBS =	../../lib/dns/libdns.@A@
+BIND9DEPLIBS =	../../lib/bind9/libbind9.@A@
+
+RNDCLIBS =	${ISCCFGLIBS} ${ISCCCLIBS} ${BIND9LIBS} ${DNSLIBS} ${ISCLIBS} @LIBS@
+RNDCDEPLIBS =	${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${BIND9DEPLIBS} ${DNSDEPLIBS} ${ISCDEPLIBS}
+
+LIBS =		${DNSLIBS} ${ISCLIBS} @LIBS@
+
+NOSYMLIBS =	${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@
+
+CONFDEPLIBS =	${DNSDEPLIBS} ${ISCDEPLIBS}
+
+SRCS=		rndc-confgen.c ddns-confgen.c
+
+SUBDIRS =	unix
+
+TARGETS =	rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@ tsig-keygen@EXEEXT@
+
+MANPAGES =	rndc-confgen.8 ddns-confgen.8
+
+HTMLPAGES =	rndc-confgen.html ddns-confgen.html
+
+MANOBJS =	${MANPAGES} ${HTMLPAGES}
+
+UOBJS =		unix/os.@O@
+
+@BIND9_MAKE_RULES@
+
+rndc-confgen.@O@: rndc-confgen.c
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+		-DRNDC_KEYFILE=\"${sysconfdir}/rndc.key\" \
+		-c ${srcdir}/rndc-confgen.c
+
+ddns-confgen.@O@: ddns-confgen.c
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c ${srcdir}/ddns-confgen.c
+
+rndc-confgen@EXEEXT@: rndc-confgen.@O@ util.@O@ keygen.@O@ ${CONFDEPLIBS}
+	export BASEOBJS="rndc-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS}"; \
+	${FINALBUILDCMD}
+
+ddns-confgen@EXEEXT@: ddns-confgen.@O@ util.@O@ keygen.@O@ ${CONFDEPLIBS}
+	export BASEOBJS="ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS}"; \
+	${FINALBUILDCMD}
+
+# make a link in the build directory to assist with testing
+tsig-keygen@EXEEXT@: ddns-confgen@EXEEXT@
+	rm -f tsig-keygen@EXEEXT@
+	${LINK_PROGRAM} ddns-confgen@EXEEXT@ tsig-keygen@EXEEXT@
+
+doc man:: ${MANOBJS}
+
+docclean manclean maintainer-clean::
+	rm -f ${MANOBJS}
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
+
+install:: rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@ installdirs
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} rndc-confgen@EXEEXT@ ${DESTDIR}${sbindir}
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ddns-confgen@EXEEXT@ ${DESTDIR}${sbindir}
+	${INSTALL_DATA} ${srcdir}/rndc-confgen.8 ${DESTDIR}${mandir}/man8
+	${INSTALL_DATA} ${srcdir}/ddns-confgen.8 ${DESTDIR}${mandir}/man8
+	(cd ${DESTDIR}${sbindir}; rm -f tsig-keygen@EXEEXT@; ${LINK_PROGRAM} ddns-confgen@EXEEXT@ tsig-keygen@EXEEXT@)
+	(cd ${DESTDIR}${mandir}/man8; rm -f tsig-keygen.8; ${LINK_PROGRAM} ddns-confgen.8 tsig-keygen.8)
+
+uninstall::
+	rm -f ${DESTDIR}${mandir}/man8/tsig-keygen.8
+	rm -f ${DESTDIR}${sbindir}/tsig-keygen@EXEEXT@
+	rm -f ${DESTDIR}${mandir}/man8/ddns-confgen.8
+	rm -f ${DESTDIR}${mandir}/man8/rndc-confgen.8
+	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/ddns-confgen@EXEEXT@
+	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/rndc-confgen@EXEEXT@
+
+clean distclean maintainer-clean::
+	rm -f ${TARGETS}

bin/confgen/ddns-confgen.8

@@ -0,0 +1,159 @@
+.\" Copyright (C) 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.\" 
+.\" This Source Code Form is subject to the terms of the Mozilla Public
+.\" License, v. 2.0. If a copy of the MPL was not distributed with this
+.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
+.\"
+.hy 0
+.ad l
+'\" t
+.\"     Title: ddns-confgen
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 2014-03-06
+.\"    Manual: BIND9
+.\"    Source: ISC
+.\"  Language: English
+.\"
+.TH "DDNS\-CONFGEN" "8" "2014\-03\-06" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+ddns-confgen \- ddns key generation tool
+.SH "SYNOPSIS"
+.HP \w'\fBtsig\-keygen\fR\ 'u
+\fBtsig\-keygen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-h\fR] [\fB\-r\ \fR\fB\fIrandomfile\fR\fR] [name]
+.HP \w'\fBddns\-confgen\fR\ 'u
+\fBddns\-confgen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkeyname\fR\fR] [\fB\-q\fR] [\fB\-r\ \fR\fB\fIrandomfile\fR\fR] [\-s\ \fIname\fR | \-z\ \fIzone\fR]
+.SH "DESCRIPTION"
+.PP
+\fBtsig\-keygen\fR
+and
+\fBddns\-confgen\fR
+are invocation methods for a utility that generates keys for use in TSIG signing\&. The resulting keys can be used, for example, to secure dynamic DNS updates to a zone or for the
+\fBrndc\fR
+command channel\&.
+.PP
+When run as
+\fBtsig\-keygen\fR, a domain name can be specified on the command line which will be used as the name of the generated key\&. If no name is specified, the default is
+\fBtsig\-key\fR\&.
+.PP
+When run as
+\fBddns\-confgen\fR, the generated key is accompanied by configuration text and instructions that can be used with
+\fBnsupdate\fR
+and
+\fBnamed\fR
+when setting up dynamic DNS, including an example
+\fBupdate\-policy\fR
+statement\&. (This usage similar to the
+\fBrndc\-confgen\fR
+command for setting up command channel security\&.)
+.PP
+Note that
+\fBnamed\fR
+itself can configure a local DDNS key for use with
+\fBnsupdate \-l\fR: it does this when a zone is configured with
+\fBupdate\-policy local;\fR\&.
+\fBddns\-confgen\fR
+is only needed when a more elaborate configuration is required: for instance, if
+\fBnsupdate\fR
+is to be used from a remote system\&.
+.SH "OPTIONS"
+.PP
+\-a \fIalgorithm\fR
+.RS 4
+Specifies the algorithm to use for the TSIG key\&. Available choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384 and hmac\-sha512\&. The default is hmac\-sha256\&. Options are case\-insensitive, and the "hmac\-" prefix may be omitted\&.
+.RE
+.PP
+\-h
+.RS 4
+Prints a short summary of options and arguments\&.
+.RE
+.PP
+\-k \fIkeyname\fR
+.RS 4
+Specifies the key name of the DDNS authentication key\&. The default is
+\fBddns\-key\fR
+when neither the
+\fB\-s\fR
+nor
+\fB\-z\fR
+option is specified; otherwise, the default is
+\fBddns\-key\fR
+as a separate label followed by the argument of the option, e\&.g\&.,
+\fBddns\-key\&.example\&.com\&.\fR
+The key name must have the format of a valid domain name, consisting of letters, digits, hyphens and periods\&.
+.RE
+.PP
+\-q
+.RS 4
+(\fBddns\-confgen\fR
+only\&.) Quiet mode: Print only the key, with no explanatory text or usage examples; This is essentially identical to
+\fBtsig\-keygen\fR\&.
+.RE
+.PP
+\-r \fIrandomfile\fR
+.RS 4
+Specifies a source of random data for generating the authorization\&. If the operating system does not provide a
+/dev/random
+or equivalent device, the default source of randomness is keyboard input\&.
+randomdev
+specifies the name of a character device or file containing random data to be used instead of the default\&. The special value
+keyboard
+indicates that keyboard input should be used\&.
+.RE
+.PP
+\-s \fIname\fR
+.RS 4
+(\fBddns\-confgen\fR
+only\&.) Generate configuration example to allow dynamic updates of a single hostname\&. The example
+\fBnamed\&.conf\fR
+text shows how to set an update policy for the specified
+\fIname\fR
+using the "name" nametype\&. The default key name is ddns\-key\&.\fIname\fR\&. Note that the "self" nametype cannot be used, since the name to be updated may differ from the key name\&. This option cannot be used with the
+\fB\-z\fR
+option\&.
+.RE
+.PP
+\-z \fIzone\fR
+.RS 4
+(\fBddns\-confgen\fR
+only\&.) Generate configuration example to allow dynamic updates of a zone: The example
+\fBnamed\&.conf\fR
+text shows how to set an update policy for the specified
+\fIzone\fR
+using the "zonesub" nametype, allowing updates to all subdomain names within that
+\fIzone\fR\&. This option cannot be used with the
+\fB\-s\fR
+option\&.
+.RE
+.SH "SEE ALSO"
+.PP
+\fBnsupdate\fR(1),
+\fBnamed.conf\fR(5),
+\fBnamed\fR(8),
+BIND 9 Administrator Reference Manual\&.
+.SH "AUTHOR"
+.PP
+\fBInternet Systems Consortium, Inc\&.\fR
+.SH "COPYRIGHT"
+.br
+Copyright \(co 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.br

bin/confgen/ddns-confgen.c

@@ -0,0 +1,306 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+/**
+ * ddns-confgen generates configuration files for dynamic DNS. It can
+ * be used as a convenient alternative to writing the ddns.key file
+ * and the corresponding key and update-policy statements in named.conf.
+ */
+
+#include <config.h>
+
+#include <stdbool.h>
+#include <stdlib.h>
+#include <stdarg.h>
+
+#include <isc/assertions.h>
+#include <isc/base64.h>
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/entropy.h>
+#include <isc/file.h>
+#include <isc/keyboard.h>
+#include <isc/mem.h>
+#include <isc/net.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/string.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#ifdef PKCS11CRYPTO
+#include <pk11/result.h>
+#endif
+
+#include <dns/keyvalues.h>
+#include <dns/name.h>
+#include <dns/result.h>
+
+#include <dst/dst.h>
+#include <confgen/os.h>
+
+#include "util.h"
+#include "keygen.h"
+
+#define KEYGEN_DEFAULT		"tsig-key"
+#define CONFGEN_DEFAULT		"ddns-key"
+
+static char program[256];
+const char *progname;
+static enum { progmode_keygen, progmode_confgen} progmode;
+bool verbose = false; /* needed by util.c but not used here */
+
+ISC_PLATFORM_NORETURN_PRE static void
+usage(int status) ISC_PLATFORM_NORETURN_POST;
+
+static void
+usage(int status) {
+	if (progmode == progmode_confgen) {
+		fprintf(stderr, "\
+Usage:\n\
+ %s [-a alg] [-k keyname] [-r randomfile] [-q] [-s name | -z zone]\n\
+  -a alg:        algorithm (default hmac-sha256)\n\
+  -k keyname:    name of the key as it will be used in named.conf\n\
+  -r randomfile: source of random data (use \"keyboard\" for key timing)\n\
+  -s name:       domain name to be updated using the created key\n\
+  -z zone:       name of the zone as it will be used in named.conf\n\
+  -q:            quiet mode: print the key, with no explanatory text\n",
+			 progname);
+	} else {
+		fprintf(stderr, "\
+Usage:\n\
+ %s [-a alg] [-r randomfile] [keyname]\n\
+  -a alg:        algorithm (default hmac-sha256)\n\
+  -r randomfile: source of random data (use \"keyboard\" for key timing)\n",
+			 progname);
+	}
+
+	exit (status);
+}
+
+int
+main(int argc, char **argv) {
+	isc_result_t result = ISC_R_SUCCESS;
+	bool show_final_mem = false;
+	bool quiet = false;
+	isc_buffer_t key_txtbuffer;
+	char key_txtsecret[256];
+	isc_mem_t *mctx = NULL;
+	const char *randomfile = NULL;
+	const char *keyname = NULL;
+	const char *zone = NULL;
+	const char *self_domain = NULL;
+	char *keybuf = NULL;
+	dns_secalg_t alg = DST_ALG_HMACSHA256;
+	const char *algname;
+	int keysize = 256;
+	int len = 0;
+	int ch;
+
+#ifdef PKCS11CRYPTO
+	pk11_result_register();
+#endif
+	dns_result_register();
+
+	result = isc_file_progname(*argv, program, sizeof(program));
+	if (result != ISC_R_SUCCESS)
+		memmove(program, "tsig-keygen", 11);
+	progname = program;
+
+	/*
+	 * Libtool doesn't preserve the program name prior to final
+	 * installation.  Remove the libtool prefix ("lt-").
+	 */
+	if (strncmp(progname, "lt-", 3) == 0)
+		progname += 3;
+
+#define PROGCMP(X) \
+	(strcasecmp(progname, X) == 0 || strcasecmp(progname, X ".exe") == 0)
+
+	if (PROGCMP("tsig-keygen")) {
+		progmode = progmode_keygen;
+		quiet = true;
+	} else if (PROGCMP("ddns-confgen")) {
+		progmode = progmode_confgen;
+	} else {
+		INSIST(0);
+		ISC_UNREACHABLE();
+	}
+
+	isc_commandline_errprint = false;
+
+	while ((ch = isc_commandline_parse(argc, argv,
+					   "a:hk:Mmr:qs:y:z:")) != -1) {
+		switch (ch) {
+		case 'a':
+			algname = isc_commandline_argument;
+			alg = alg_fromtext(algname);
+			if (alg == DST_ALG_UNKNOWN)
+				fatal("Unsupported algorithm '%s'", algname);
+			keysize = alg_bits(alg);
+			break;
+		case 'h':
+			usage(0);
+		case 'k':
+		case 'y':
+			if (progmode == progmode_confgen)
+				keyname = isc_commandline_argument;
+			else
+				usage(1);
+			break;
+		case 'M':
+			isc_mem_debugging = ISC_MEM_DEBUGTRACE;
+			break;
+		case 'm':
+			show_final_mem = true;
+			break;
+		case 'q':
+			if (progmode == progmode_confgen)
+				quiet = true;
+			else
+				usage(1);
+			break;
+		case 'r':
+			randomfile = isc_commandline_argument;
+			break;
+		case 's':
+			if (progmode == progmode_confgen)
+				self_domain = isc_commandline_argument;
+			else
+				usage(1);
+			break;
+		case 'z':
+			if (progmode == progmode_confgen)
+				zone = isc_commandline_argument;
+			else
+				usage(1);
+			break;
+		case '?':
+			if (isc_commandline_option != '?') {
+				fprintf(stderr, "%s: invalid argument -%c\n",
+					program, isc_commandline_option);
+				usage(1);
+			} else
+				usage(0);
+			break;
+		default:
+			fprintf(stderr, "%s: unhandled option -%c\n",
+				program, isc_commandline_option);
+			exit(1);
+		}
+	}
+
+	if (progmode == progmode_keygen)
+		keyname = argv[isc_commandline_index++];
+
+	POST(argv);
+
+	if (self_domain != NULL && zone != NULL)
+		usage(1);	/* -s and -z cannot coexist */
+
+	if (argc > isc_commandline_index)
+		usage(1);
+
+	/* Use canonical algorithm name */
+	algname = alg_totext(alg);
+
+	DO("create memory context", isc_mem_create(0, 0, &mctx));
+
+	if (keyname == NULL) {
+		const char *suffix = NULL;
+
+		keyname = ((progmode == progmode_keygen)
+			?  KEYGEN_DEFAULT
+			: CONFGEN_DEFAULT);
+		if (self_domain != NULL)
+			suffix = self_domain;
+		else if (zone != NULL)
+			suffix = zone;
+		if (suffix != NULL) {
+			len = strlen(keyname) + strlen(suffix) + 2;
+			keybuf = isc_mem_get(mctx, len);
+			if (keybuf == NULL)
+				fatal("failed to allocate memory for keyname");
+			snprintf(keybuf, len, "%s.%s", keyname, suffix);
+			keyname = (const char *) keybuf;
+		}
+	}
+
+	isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));
+
+	generate_key(mctx, randomfile, alg, keysize, &key_txtbuffer);
+
+
+	if (!quiet)
+		printf("\
+# To activate this key, place the following in named.conf, and\n\
+# in a separate keyfile on the system or systems from which nsupdate\n\
+# will be run:\n");
+
+	printf("\
+key \"%s\" {\n\
+	algorithm %s;\n\
+	secret \"%.*s\";\n\
+};\n",
+	       keyname, algname,
+	       (int)isc_buffer_usedlength(&key_txtbuffer),
+	       (char *)isc_buffer_base(&key_txtbuffer));
+
+	if (!quiet) {
+		if (self_domain != NULL) {
+			printf("\n\
+# Then, in the \"zone\" statement for the zone containing the\n\
+# name \"%s\", place an \"update-policy\" statement\n\
+# like this one, adjusted as needed for your preferred permissions:\n\
+update-policy {\n\
+	  grant %s name %s ANY;\n\
+};\n",
+			       self_domain, keyname, self_domain);
+		} else if (zone != NULL) {
+			printf("\n\
+# Then, in the \"zone\" definition statement for \"%s\",\n\
+# place an \"update-policy\" statement like this one, adjusted as \n\
+# needed for your preferred permissions:\n\
+update-policy {\n\
+	  grant %s zonesub ANY;\n\
+};\n",
+			       zone, keyname);
+		} else {
+			printf("\n\
+# Then, in the \"zone\" statement for each zone you wish to dynamically\n\
+# update, place an \"update-policy\" statement granting update permission\n\
+# to this key.  For example, the following statement grants this key\n\
+# permission to update any name within the zone:\n\
+update-policy {\n\
+	grant %s zonesub ANY;\n\
+};\n",
+			       keyname);
+		}
+
+		printf("\n\
+# After the keyfile has been placed, the following command will\n\
+# execute nsupdate using this key:\n\
+nsupdate -k <keyfile>\n");
+
+	}
+
+	if (keybuf != NULL)
+		isc_mem_put(mctx, keybuf, len);
+
+	if (show_final_mem)
+		isc_mem_stats(mctx, stderr);
+
+	isc_mem_destroy(&mctx);
+
+	return (0);
+}

bin/confgen/ddns-confgen.docbook

@@ -0,0 +1,230 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<!-- Converted by db4-upgrade version 1.0 -->
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.ddns-confgen">
+  <info>
+    <date>2014-03-06</date>
+  </info>
+  <refentryinfo>
+    <corpname>ISC</corpname>
+    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle><application>ddns-confgen</application></refentrytitle>
+    <manvolnum>8</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname><application>ddns-confgen</application></refname>
+    <refpurpose>ddns key generation tool</refpurpose>
+  </refnamediv>
+
+  <docinfo>
+    <copyright>
+      <year>2009</year>
+      <year>2014</year>
+      <year>2015</year>
+      <year>2016</year>
+      <year>2018</year>
+      <year>2019</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+  </docinfo>
+
+  <refsynopsisdiv>
+    <cmdsynopsis sepchar=" ">
+      <command>tsig-keygen</command>
+      <arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-h</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-r <replaceable class="parameter">randomfile</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat">name</arg>
+    </cmdsynopsis>
+    <cmdsynopsis sepchar=" ">
+      <command>ddns-confgen</command>
+      <arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-h</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">keyname</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-q</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-r <replaceable class="parameter">randomfile</replaceable></option></arg>
+      <group choice="opt" rep="norepeat">
+        <arg choice="plain" rep="norepeat">-s <replaceable class="parameter">name</replaceable></arg>
+        <arg choice="plain" rep="norepeat">-z <replaceable class="parameter">zone</replaceable></arg>
+      </group>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsection><info><title>DESCRIPTION</title></info>
+
+    <para>
+      <command>tsig-keygen</command> and <command>ddns-confgen</command>
+      are invocation methods for a utility that generates keys for use
+      in TSIG signing.  The resulting keys can be used, for example,
+      to secure dynamic DNS updates to a zone or for the
+      <command>rndc</command> command channel.
+    </para>
+
+    <para>
+      When run as <command>tsig-keygen</command>, a domain name
+      can be specified on the command line which will be used as
+      the name of the generated key.  If no name is specified,
+      the default is <constant>tsig-key</constant>.
+    </para>
+
+    <para>
+      When run as <command>ddns-confgen</command>, the generated
+      key is accompanied by configuration text and instructions
+      that can be used with <command>nsupdate</command> and
+      <command>named</command> when setting up dynamic DNS,
+      including an example <command>update-policy</command>
+      statement.  (This usage similar to the
+      <command>rndc-confgen</command> command for setting
+      up command channel security.)
+    </para>
+
+    <para>
+      Note that <command>named</command> itself can configure a
+      local DDNS key for use with <command>nsupdate -l</command>:
+      it does this when a zone is configured with
+      <command>update-policy local;</command>.
+      <command>ddns-confgen</command> is only needed when a
+      more elaborate configuration is required: for instance,
+      if <command>nsupdate</command> is to be used from a remote
+      system.
+    </para>
+  </refsection>
+
+  <refsection><info><title>OPTIONS</title></info>
+
+
+    <variablelist>
+      <varlistentry>
+	<term>-a <replaceable class="parameter">algorithm</replaceable></term>
+	<listitem>
+	  <para>
+            Specifies the algorithm to use for the TSIG key.  Available
+            choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
+            hmac-sha384 and hmac-sha512.  The default is hmac-sha256.
+            Options are case-insensitive, and the "hmac-" prefix
+            may be omitted.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-h</term>
+	<listitem>
+	  <para>
+	    Prints a short summary of options and arguments.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-k <replaceable class="parameter">keyname</replaceable></term>
+	<listitem>
+	  <para>
+	    Specifies the key name of the DDNS authentication key.
+	    The default is <constant>ddns-key</constant> when neither
+	    the <option>-s</option> nor <option>-z</option> option is
+	    specified; otherwise, the default
+	    is <constant>ddns-key</constant> as a separate label
+	    followed by the argument of the option, e.g.,
+	    <constant>ddns-key.example.com.</constant>
+	    The key name must have the format of a valid domain name,
+	    consisting of letters, digits, hyphens and periods.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-q</term>
+	<listitem>
+	  <para>
+	    (<command>ddns-confgen</command> only.) Quiet mode:  Print
+            only the key, with no explanatory text or usage examples;
+            This is essentially identical to <command>tsig-keygen</command>.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-r <replaceable class="parameter">randomfile</replaceable></term>
+	<listitem>
+	  <para>
+            Specifies a source of random data for generating the
+            authorization.  If the operating system does not provide a
+            <filename>/dev/random</filename> or equivalent device, the
+            default source of randomness is keyboard input.
+            <filename>randomdev</filename> specifies the name of a
+            character device or file containing random data to be used
+            instead of the default.  The special value
+            <filename>keyboard</filename> indicates that keyboard input
+            should be used.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-s <replaceable class="parameter">name</replaceable></term>
+	<listitem>
+	  <para>
+            (<command>ddns-confgen</command> only.)
+	    Generate configuration example to allow dynamic updates
+            of a single hostname.  The example <command>named.conf</command>
+            text shows how to set an update policy for the specified
+            <replaceable class="parameter">name</replaceable>
+	    using the "name" nametype.  The default key name is
+	    ddns-key.<replaceable class="parameter">name</replaceable>.
+	    Note that the "self" nametype cannot be used, since
+	    the name to be updated may differ from the key name.
+	    This option cannot be used with the <option>-z</option> option.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-z <replaceable class="parameter">zone</replaceable></term>
+	<listitem>
+	  <para>
+            (<command>ddns-confgen</command> only.)
+	    Generate configuration example to allow dynamic updates
+            of a zone:  The example <command>named.conf</command> text
+            shows how to set an update policy for the specified
+	    <replaceable class="parameter">zone</replaceable>
+	    using the "zonesub" nametype, allowing updates to
+            all subdomain names within that
+            <replaceable class="parameter">zone</replaceable>.
+	    This option cannot be used with the <option>-s</option> option.
+	  </para>
+	</listitem>
+      </varlistentry>
+    </variablelist>
+  </refsection>
+
+  <refsection><info><title>SEE ALSO</title></info>
+
+    <para><citerefentry>
+	<refentrytitle>nsupdate</refentrytitle><manvolnum>1</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+	<refentrytitle>named.conf</refentrytitle><manvolnum>5</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+	<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
+    </para>
+  </refsection>
+
+</refentry>

bin/confgen/ddns-confgen.html

@@ -0,0 +1,202 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+ - Copyright (C) 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+ - 
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>ddns-confgen</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
+<a name="man.ddns-confgen"></a><div class="titlepage"></div>
+  
+  
+
+  
+
+  <div class="refnamediv">
+<h2>Name</h2>
+<p>
+    <span class="application">ddns-confgen</span>
+     &#8212; ddns key generation tool
+  </p>
+</div>
+
+  
+
+  <div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+    <div class="cmdsynopsis"><p>
+      <code class="command">tsig-keygen</code> 
+       [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
+       [<code class="option">-h</code>]
+       [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>]
+       [name]
+    </p></div>
+    <div class="cmdsynopsis"><p>
+      <code class="command">ddns-confgen</code> 
+       [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
+       [<code class="option">-h</code>]
+       [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>]
+       [<code class="option">-q</code>]
+       [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>]
+       [
+         -s <em class="replaceable"><code>name</code></em> 
+         |   -z <em class="replaceable"><code>zone</code></em> 
+      ]
+    </p></div>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.7"></a><h2>DESCRIPTION</h2>
+
+    <p>
+      <span class="command"><strong>tsig-keygen</strong></span> and <span class="command"><strong>ddns-confgen</strong></span>
+      are invocation methods for a utility that generates keys for use
+      in TSIG signing.  The resulting keys can be used, for example,
+      to secure dynamic DNS updates to a zone or for the
+      <span class="command"><strong>rndc</strong></span> command channel.
+    </p>
+
+    <p>
+      When run as <span class="command"><strong>tsig-keygen</strong></span>, a domain name
+      can be specified on the command line which will be used as
+      the name of the generated key.  If no name is specified,
+      the default is <code class="constant">tsig-key</code>.
+    </p>
+
+    <p>
+      When run as <span class="command"><strong>ddns-confgen</strong></span>, the generated
+      key is accompanied by configuration text and instructions
+      that can be used with <span class="command"><strong>nsupdate</strong></span> and
+      <span class="command"><strong>named</strong></span> when setting up dynamic DNS,
+      including an example <span class="command"><strong>update-policy</strong></span>
+      statement.  (This usage similar to the
+      <span class="command"><strong>rndc-confgen</strong></span> command for setting
+      up command channel security.)
+    </p>
+
+    <p>
+      Note that <span class="command"><strong>named</strong></span> itself can configure a
+      local DDNS key for use with <span class="command"><strong>nsupdate -l</strong></span>:
+      it does this when a zone is configured with
+      <span class="command"><strong>update-policy local;</strong></span>.
+      <span class="command"><strong>ddns-confgen</strong></span> is only needed when a
+      more elaborate configuration is required: for instance,
+      if <span class="command"><strong>nsupdate</strong></span> is to be used from a remote
+      system.
+    </p>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.8"></a><h2>OPTIONS</h2>
+
+
+    <div class="variablelist"><dl class="variablelist">
+<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
+<dd>
+	  <p>
+            Specifies the algorithm to use for the TSIG key.  Available
+            choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
+            hmac-sha384 and hmac-sha512.  The default is hmac-sha256.
+            Options are case-insensitive, and the "hmac-" prefix
+            may be omitted.
+	  </p>
+	</dd>
+<dt><span class="term">-h</span></dt>
+<dd>
+	  <p>
+	    Prints a short summary of options and arguments.
+	  </p>
+	</dd>
+<dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt>
+<dd>
+	  <p>
+	    Specifies the key name of the DDNS authentication key.
+	    The default is <code class="constant">ddns-key</code> when neither
+	    the <code class="option">-s</code> nor <code class="option">-z</code> option is
+	    specified; otherwise, the default
+	    is <code class="constant">ddns-key</code> as a separate label
+	    followed by the argument of the option, e.g.,
+	    <code class="constant">ddns-key.example.com.</code>
+	    The key name must have the format of a valid domain name,
+	    consisting of letters, digits, hyphens and periods.
+	  </p>
+	</dd>
+<dt><span class="term">-q</span></dt>
+<dd>
+	  <p>
+	    (<span class="command"><strong>ddns-confgen</strong></span> only.) Quiet mode:  Print
+            only the key, with no explanatory text or usage examples;
+            This is essentially identical to <span class="command"><strong>tsig-keygen</strong></span>.
+	  </p>
+	</dd>
+<dt><span class="term">-r <em class="replaceable"><code>randomfile</code></em></span></dt>
+<dd>
+	  <p>
+            Specifies a source of random data for generating the
+            authorization.  If the operating system does not provide a
+            <code class="filename">/dev/random</code> or equivalent device, the
+            default source of randomness is keyboard input.
+            <code class="filename">randomdev</code> specifies the name of a
+            character device or file containing random data to be used
+            instead of the default.  The special value
+            <code class="filename">keyboard</code> indicates that keyboard input
+            should be used.
+	  </p>
+	</dd>
+<dt><span class="term">-s <em class="replaceable"><code>name</code></em></span></dt>
+<dd>
+	  <p>
+            (<span class="command"><strong>ddns-confgen</strong></span> only.)
+	    Generate configuration example to allow dynamic updates
+            of a single hostname.  The example <span class="command"><strong>named.conf</strong></span>
+            text shows how to set an update policy for the specified
+            <em class="replaceable"><code>name</code></em>
+	    using the "name" nametype.  The default key name is
+	    ddns-key.<em class="replaceable"><code>name</code></em>.
+	    Note that the "self" nametype cannot be used, since
+	    the name to be updated may differ from the key name.
+	    This option cannot be used with the <code class="option">-z</code> option.
+	  </p>
+	</dd>
+<dt><span class="term">-z <em class="replaceable"><code>zone</code></em></span></dt>
+<dd>
+	  <p>
+            (<span class="command"><strong>ddns-confgen</strong></span> only.)
+	    Generate configuration example to allow dynamic updates
+            of a zone:  The example <span class="command"><strong>named.conf</strong></span> text
+            shows how to set an update policy for the specified
+	    <em class="replaceable"><code>zone</code></em>
+	    using the "zonesub" nametype, allowing updates to
+            all subdomain names within that
+            <em class="replaceable"><code>zone</code></em>.
+	    This option cannot be used with the <code class="option">-s</code> option.
+	  </p>
+	</dd>
+</dl></div>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.9"></a><h2>SEE ALSO</h2>
+
+    <p><span class="citerefentry">
+	<span class="refentrytitle">nsupdate</span>(1)
+      </span>,
+      <span class="citerefentry">
+	<span class="refentrytitle">named.conf</span>(5)
+      </span>,
+      <span class="citerefentry">
+	<span class="refentrytitle">named</span>(8)
+      </span>,
+      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
+    </p>
+  </div>
+
+</div></body>
+</html>

bin/confgen/ddns-confgen.rst

@@ -1,96 +0,0 @@
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0.  If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-.. highlight: console
-
-.. BEWARE: Do not forget to edit also tsig-keygen.rst!
-
-.. iscman:: ddns-confgen
-.. program:: ddns-confgen
-.. _man_ddns-confgen:
-
-ddns-confgen - TSIG key generation tool
----------------------------------------
-
-Synopsis
-~~~~~~~~
-:program:`ddns-confgen` [**-a** algorithm] [**-h**] [**-k** keyname] [**-q**] [**-s** name] [**-z** zone]
-
-Description
-~~~~~~~~~~~
-
-:program:`ddns-confgen` is an utility that generates keys for use in TSIG signing.
-The resulting keys can be used, for example, to secure dynamic DNS updates
-to a zone, or for the :iscman:`rndc` command channel.
-
-The key name can specified using :option:`-k` parameter and defaults to ``ddns-key``.
-The generated key is accompanied by configuration text and instructions that
-can be used with :iscman:`nsupdate` and :iscman:`named` when setting up dynamic DNS,
-including an example ``update-policy`` statement.
-(This usage is similar to the :iscman:`rndc-confgen` command for setting up
-command-channel security.)
-
-Note that :iscman:`named` itself can configure a local DDNS key for use with
-:option:`nsupdate -l`; it does this when a zone is configured with
-``update-policy local;``. :program:`ddns-confgen` is only needed when a more
-elaborate configuration is required: for instance, if :iscman:`nsupdate` is to
-be used from a remote system.
-
-Options
-~~~~~~~
-
-.. option:: -a algorithm
-
-   This option specifies the algorithm to use for the TSIG key. Available
-   choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384,
-   and hmac-sha512. The default is hmac-sha256. Options are
-   case-insensitive, and the "hmac-" prefix may be omitted.
-
-.. option:: -h
-
-   This option prints a short summary of options and arguments.
-
-.. option:: -k keyname
-
-   This option specifies the key name of the DDNS authentication key. The
-   default is ``ddns-key`` when neither the :option:`-s` nor :option:`-z` option is
-   specified; otherwise, the default is ``ddns-key`` as a separate label
-   followed by the argument of the option, e.g., ``ddns-key.example.com.``
-   The key name must have the format of a valid domain name, consisting of
-   letters, digits, hyphens, and periods.
-
-.. option:: -q
-
-   This option enables quiet mode, which prints only the key, with no
-   explanatory text or usage examples. This is essentially identical to
-   :iscman:`tsig-keygen`.
-
-.. option:: -s name
-
-   This option generates a configuration example to allow dynamic updates
-   of a single hostname. The example :iscman:`named.conf` text shows how to set
-   an update policy for the specified name using the "name" nametype. The
-   default key name is ``ddns-key.name``. Note that the "self" nametype
-   cannot be used, since the name to be updated may differ from the key
-   name. This option cannot be used with the :option:`-z` option.
-
-.. option:: -z zone
-
-   This option generates a configuration example to allow
-   dynamic updates of a zone. The example :iscman:`named.conf` text shows how
-   to set an update policy for the specified zone using the "zonesub"
-   nametype, allowing updates to all subdomain names within that zone.
-   This option cannot be used with the :option:`-s` option.
-
-See Also
-~~~~~~~~
-
-:iscman:`nsupdate(1) <nsupdate>`, :iscman:`named.conf(5) <named.conf>`, :iscman:`named(8) <named>`, BIND 9 Administrator Reference Manual.

bin/confgen/include/.clang-format

@@ -1 +0,0 @@
-../../../.clang-format.headers

bin/confgen/include/confgen/os.h

@@ -1,27 +1,33 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
- * SPDX-License-Identifier: MPL-2.0
- *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
+
 /*! \file */
 
-#pragma once
+#ifndef RNDC_OS_H
+#define RNDC_OS_H 1
 
+#include <isc/lang.h>
 #include <stdio.h>
 
-int
-set_user(FILE *fd, const char *user);
+ISC_LANG_BEGINDECLS
+
+int set_user(FILE *fd, const char *user);
 /*%<
  * Set the owner of the file referenced by 'fd' to 'user'.
  * Returns:
  *   0 		success
  *   -1 	insufficient permissions, or 'user' does not exist.
  */
+
+ISC_LANG_ENDDECLS
+
+#endif

bin/confgen/keygen.c

@@ -1,37 +1,67 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
- * SPDX-License-Identifier: MPL-2.0
- *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
+
 /*! \file */
 
-#include "keygen.h"
-#include <stdarg.h>
+#include <config.h>
+
 #include <stdlib.h>
+#include <stdarg.h>
 
 #include <isc/base64.h>
 #include <isc/buffer.h>
+#include <isc/entropy.h>
 #include <isc/file.h>
+#include <isc/keyboard.h>
 #include <isc/mem.h>
+#include <isc/print.h>
 #include <isc/result.h>
 #include <isc/string.h>
 
+#include <pk11/site.h>
+
 #include <dns/keyvalues.h>
 #include <dns/name.h>
 
 #include <dst/dst.h>
-
 #include <confgen/os.h>
 
 #include "util.h"
+#include "keygen.h"
+
+/*%
+ * Convert algorithm type to string.
+ */
+const char *
+alg_totext(dns_secalg_t alg) {
+	switch (alg) {
+#ifndef PK11_MD5_DISABLE
+	    case DST_ALG_HMACMD5:
+		return "hmac-md5";
+#endif
+	    case DST_ALG_HMACSHA1:
+		return "hmac-sha1";
+	    case DST_ALG_HMACSHA224:
+		return "hmac-sha224";
+	    case DST_ALG_HMACSHA256:
+		return "hmac-sha256";
+	    case DST_ALG_HMACSHA384:
+		return "hmac-sha384";
+	    case DST_ALG_HMACSHA512:
+		return "hmac-sha512";
+	    default:
+		return "(unknown)";
+	}
+}
 
 /*%
  * Convert string to algorithm type.
@@ -39,28 +69,23 @@
 dns_secalg_t
 alg_fromtext(const char *name) {
 	const char *p = name;
-	if (strncasecmp(p, "hmac-", 5) == 0) {
+	if (strncasecmp(p, "hmac-", 5) == 0)
 		p = &name[5];
-	}
 
-	if (strcasecmp(p, "md5") == 0) {
+#ifndef PK11_MD5_DISABLE
+	if (strcasecmp(p, "md5") == 0)
 		return DST_ALG_HMACMD5;
-	}
-	if (strcasecmp(p, "sha1") == 0) {
+#endif
+	if (strcasecmp(p, "sha1") == 0)
 		return DST_ALG_HMACSHA1;
-	}
-	if (strcasecmp(p, "sha224") == 0) {
+	if (strcasecmp(p, "sha224") == 0)
 		return DST_ALG_HMACSHA224;
-	}
-	if (strcasecmp(p, "sha256") == 0) {
+	if (strcasecmp(p, "sha256") == 0)
 		return DST_ALG_HMACSHA256;
-	}
-	if (strcasecmp(p, "sha384") == 0) {
+	if (strcasecmp(p, "sha384") == 0)
 		return DST_ALG_HMACSHA384;
-	}
-	if (strcasecmp(p, "sha512") == 0) {
+	if (strcasecmp(p, "sha512") == 0)
 		return DST_ALG_HMACSHA512;
-	}
 	return DST_ALG_UNKNOWN;
 }
 
@@ -70,59 +95,86 @@ alg_fromtext(const char *name) {
 int
 alg_bits(dns_secalg_t alg) {
 	switch (alg) {
-	case DST_ALG_HMACMD5:
+	    case DST_ALG_HMACMD5:
 		return 128;
-	case DST_ALG_HMACSHA1:
+	    case DST_ALG_HMACSHA1:
 		return 160;
-	case DST_ALG_HMACSHA224:
+	    case DST_ALG_HMACSHA224:
 		return 224;
-	case DST_ALG_HMACSHA256:
+	    case DST_ALG_HMACSHA256:
 		return 256;
-	case DST_ALG_HMACSHA384:
+	    case DST_ALG_HMACSHA384:
 		return 384;
-	case DST_ALG_HMACSHA512:
+	    case DST_ALG_HMACSHA512:
 		return 512;
-	default:
+	    default:
 		return 0;
 	}
 }
 
 /*%
- * Generate a key of size 'keysize' and place it in 'key_txtbuffer'
+ * Generate a key of size 'keysize' using entropy source 'randomfile',
+ * and place it in 'key_txtbuffer'
  */
 void
-generate_key(isc_mem_t *mctx, dns_secalg_t alg, int keysize,
-	     isc_buffer_t *key_txtbuffer) {
+generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
+	     int keysize, isc_buffer_t *key_txtbuffer) {
 	isc_result_t result = ISC_R_SUCCESS;
+	isc_entropysource_t *entropy_source = NULL;
+	int open_keyboard = ISC_ENTROPY_KEYBOARDMAYBE;
+	int entropy_flags = 0;
+	isc_entropy_t *ectx = NULL;
 	isc_buffer_t key_rawbuffer;
 	isc_region_t key_rawregion;
 	char key_rawsecret[64];
 	dst_key_t *key = NULL;
 
 	switch (alg) {
-	case DST_ALG_HMACMD5:
-	case DST_ALG_HMACSHA1:
-	case DST_ALG_HMACSHA224:
-	case DST_ALG_HMACSHA256:
-		if (keysize < 1 || keysize > 512) {
+#ifndef PK11_MD5_DISABLE
+	    case DST_ALG_HMACMD5:
+#endif
+	    case DST_ALG_HMACSHA1:
+	    case DST_ALG_HMACSHA224:
+	    case DST_ALG_HMACSHA256:
+		if (keysize < 1 || keysize > 512)
 			fatal("keysize %d out of range (must be 1-512)\n",
 			      keysize);
-		}
 		break;
-	case DST_ALG_HMACSHA384:
-	case DST_ALG_HMACSHA512:
-		if (keysize < 1 || keysize > 1024) {
+	    case DST_ALG_HMACSHA384:
+	    case DST_ALG_HMACSHA512:
+		if (keysize < 1 || keysize > 1024)
 			fatal("keysize %d out of range (must be 1-1024)\n",
 			      keysize);
-		}
 		break;
-	default:
+	    default:
 		fatal("unsupported algorithm %d\n", alg);
 	}
 
-	DO("generate key",
-	   dst_key_generate(dns_rootname, alg, keysize, 0, 0, DNS_KEYPROTO_ANY,
-			    dns_rdataclass_in, NULL, mctx, &key, NULL));
+
+	DO("create entropy context", isc_entropy_create(mctx, &ectx));
+
+#ifdef ISC_PLATFORM_CRYPTORANDOM
+	if (randomfile == NULL) {
+		isc_entropy_usehook(ectx, true);
+	}
+#endif
+	if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
+		randomfile = NULL;
+		open_keyboard = ISC_ENTROPY_KEYBOARDYES;
+	}
+	DO("start entropy source", isc_entropy_usebestsource(ectx,
+							     &entropy_source,
+							     randomfile,
+							     open_keyboard));
+
+	entropy_flags = ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY;
+
+	DO("initialize dst library", dst_lib_init(mctx, ectx, entropy_flags));
+
+	DO("generate key", dst_key_generate(dns_rootname, alg,
+					    keysize, 0, 0,
+					    DNS_KEYPROTO_ANY,
+					    dns_rdataclass_in, mctx, &key));
 
 	isc_buffer_init(&key_rawbuffer, &key_rawsecret, sizeof(key_rawsecret));
 
@@ -130,12 +182,21 @@ generate_key(isc_mem_t *mctx, dns_secalg_t alg, int keysize,
 
 	isc_buffer_usedregion(&key_rawbuffer, &key_rawregion);
 
-	DO("base64 encode secret",
-	   isc_base64_totext(&key_rawregion, -1, "", key_txtbuffer));
+	DO("bsse64 encode secret", isc_base64_totext(&key_rawregion, -1, "",
+						     key_txtbuffer));
 
-	if (key != NULL) {
+	/*
+	 * Shut down the entropy source now so the "stop typing" message
+	 * does not muck with the output.
+	 */
+	if (entropy_source != NULL)
+		isc_entropy_destroysource(&entropy_source);
+
+	if (key != NULL)
 		dst_key_free(&key);
-	}
+
+	isc_entropy_detach(&ectx);
+	dst_lib_destroy();
 }
 
 /*%
@@ -144,30 +205,30 @@ generate_key(isc_mem_t *mctx, dns_secalg_t alg, int keysize,
  * the name 'keyname' and the secret in the buffer 'secret'.
  */
 void
-write_key_file(const char *keyfile, const char *user, const char *keyname,
-	       isc_buffer_t *secret, dns_secalg_t alg) {
+write_key_file(const char *keyfile, const char *user,
+	       const char *keyname, isc_buffer_t *secret,
+	       dns_secalg_t alg) {
 	isc_result_t result;
-	const char *algname = dst_hmac_algorithm_totext(alg);
+	const char *algname = alg_totext(alg);
 	FILE *fd = NULL;
 
 	DO("create keyfile", isc_file_safecreate(keyfile, &fd));
 
 	if (user != NULL) {
-		if (set_user(fd, user) == -1) {
+		if (set_user(fd, user) == -1)
 			fatal("unable to set file owner\n");
-		}
 	}
 
-	fprintf(fd,
-		"key \"%s\" {\n\talgorithm %s;\n"
+	fprintf(fd, "key \"%s\" {\n\talgorithm %s;\n"
 		"\tsecret \"%.*s\";\n};\n",
-		keyname, algname, (int)isc_buffer_usedlength(secret),
+		keyname, algname,
+		(int)isc_buffer_usedlength(secret),
 		(char *)isc_buffer_base(secret));
 	fflush(fd);
-	if (ferror(fd)) {
+	if (ferror(fd))
 		fatal("write to %s failed\n", keyfile);
-	}
-	if (fclose(fd)) {
+	if (fclose(fd))
 		fatal("fclose(%s) failed\n", keyfile);
-	}
+	fprintf(stderr, "wrote key file \"%s\"\n", keyfile);
 }
+