win32/socket should use common isc_socket

.dir-locals.el

@@ -1,88 +0,0 @@
-;;; Directory Local Variables
-;;; For more information see (info "(emacs) Directory Variables")
-
-((c-mode .
-  ((eval .
-	 (set (make-local-variable 'directory-of-current-dir-locals-file)
-	      (file-name-directory (locate-dominating-file default-directory ".dir-locals.el"))
-	      )
-	 )
-   (eval .
-	 (set (make-local-variable 'include-directories)
-	      (list
-
-	       ;; top directory
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "./"))
-
-	       ;; libisc
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/isc/unix/include"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/isc/pthreads/include"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/isc/include"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/isc"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/isc/netmgr"))
-
-	       ;; libdns
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/dns/include"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/dns"))
-
-	       ;; libisccc
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/isccc/include"))
-
-	       ;; libisccfg
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/isccfg/include"))
-
-	       ;; libns
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/ns/include"))
-
-	       ;; libirs
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/irs/include"))
-
-	       ;; libbind9
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/bind9/include"))
-
-	       ;; bin
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "bin/check"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "bin/confgen/include"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "bin/confgen"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "bin/confgen/include"))	       
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "bin/dig/include"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "bin/named/include"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "bin/rndc/include"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "bin/dnssec/include"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "bin/named/include"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "bin/rndc/include"))
-
-	       (expand-file-name "/usr/local/opt/openssl@1.1/include")
-	       (expand-file-name "/usr/local/opt/libxml2/include/libxml2")
-	       (expand-file-name "/usr/local/include")
-	       )
-	      )
-	 )
-
-   (eval setq flycheck-clang-include-path include-directories)
-   (eval setq flycheck-cppcheck-include-path include-directories)
-   )
-  ))

.gitignore

@@ -1,58 +1,64 @@
-*-symtbl.c
-*.a
-*.gcda
-*.gcno
-*.la
-*.lo
-*.o
-*.orig
-*.plist/ # ccc-analyzer store its results in .plist directories
+Makefile
+config.log
+config.h
+config.cache
+config.status
+libtool
+/isc-config.sh
+/configure.lineno
+autom4te.cache/
 *.rej
+*.orig
+*.o
+*.lo
 *.so
+*.a
+*.la
+*.gcno
+*.gcda
 *_test
-*~
+*-symtbl.c
+timestamp
+ans.run
+named.run
+named.memstats
+gen.dSYM/
 .ccache/
-.cproject
 .deps/
 .dirstamp
 .libs/
+unit/atf-src/atf-c++/atf-c++.pc
+unit/atf-src/atf-c/atf-c.pc
+unit/atf-src/atf-c/defs.h
+unit/atf-src/atf-c/detail/process_helpers
+unit/atf-src/atf-config/atf-config
+unit/atf-src/atf-report/atf-report
+unit/atf-src/atf-report/fail_helper
+unit/atf-src/atf-report/misc_helpers
+unit/atf-src/atf-report/pass_helper
+unit/atf-src/atf-run/atf-run
+unit/atf-src/atf-run/bad_metadata_helper
+unit/atf-src/atf-run/expect_helpers
+unit/atf-src/atf-run/misc_helpers
+unit/atf-src/atf-run/pass_helper
+unit/atf-src/atf-run/several_tcs_helper
+unit/atf-src/atf-run/zero_tcs_helper
+unit/atf-src/atf-sh/atf-check
+unit/atf-src/atf-sh/atf-sh
+unit/atf-src/atf-sh/misc_helpers
+unit/atf-src/atf-version/atf-version
+unit/atf-src/atf-version/revision.h
+unit/atf-src/atf-version/revision.h.stamp
+unit/atf-src/bconfig.h
+unit/atf-src/bootstrap/atconfig
+unit/atf-src/doc/atf.7
+unit/atf-src/stamp-h1
+unit/atf-src/test-programs/c_helpers
+unit/atf-src/test-programs/cpp_helpers
+unit/atf-src/test-programs/sh_helpers
+# ccc-analyzer store its results in .plist directories
+*.plist/
+*~
 .project
+.cproject
 .settings
-/aclocal.m4
-/ar-lib
-/autom4te.cache/
-/bind.keys.h
-/compile
-/config.cache
-/config.guess
-/config.h
-/config.h.in
-/config.log
-/config.status
-/config.sub
-/configure
-/configure.lineno
-/depcomp
-/install-sh
-/isc-config.sh
-/libltdl/*
-/libtool
-/ltmain.sh
-/m4/libtool.m4
-/m4/ltargz.m4
-/m4/ltdl.m4
-/m4/ltoptions.m4
-/m4/ltsugar.m4
-/m4/ltversion.m4
-/m4/lt~obsolete.m4
-/missing
-/py-compile
-/stamp-h1
-/test-driver
-Makefile
-ans.run
-gen.dSYM/
-kyua.log
-named.memstats
-named.run
-timestamp

.gitlab/issue_templates/release.md

@@ -1,21 +1,19 @@
 ## Release Checklist
 
- - [ ] (Manager) Check for the presence of a milestone for the release:
+ - [ ] (Manager) Check for the presence of a milestone for the release.
     - If there is a milestone, are all the issues for the milestone resolved? (other than this checklist).
  - [ ] (Manager) Inform Support/Marketing of impending release (and give estimated release dates).
- - (SwEng) Prepare the sources for tarball generation:
-   - [ ] Check perflab to ensure there has been no unexplained drop in performance for the version being released.
+ - (SwEng) Prepare the sources for tarball generation.
    - [ ] Ensure that there are no outstanding merge requests in the private repository (subscription version only).
    - [ ] Update API files for libraries with new version information.
    - [ ] Change software version and library versions in configure.in (new major release only).
+   - [ ] Ensure Kyua and ATF files are correct.
    - [ ] Rebuild configure using autoconf on docs.isc.org.
    - [ ] Update CHANGES.
    - [ ] Update CHANGES.SE (subscription branch only).
    - [ ] Update "version".
    - [ ] Update "readme.md".
-   - Check the release notes are correct:
-     - [ ] Compare content with merge requests for the release.
-     - [ ] Check formatting.
+   - [ ] Ensure the release notes are correct for this release (content, formatting, etc.).
    - [ ] Build documentation on docs.isc.org.
    - [ ] Commit changes and make sure the gitlab-ci tests are passing.
    - [ ] Push the changes and tag ("alphatag" is an optional string such as "b1", "rc1" etc.). (```git tag -u <DEVELOPER_KEYID> -a -s -m "BIND 9.X.Y[alphatag]" v9_X_Y[alphatag]```)
@@ -26,19 +24,8 @@
  - [ ] (QA) Request the signature on the tarballs.
  - [ ] (QA) Check signatures on tarballs.
  - [ ] (QA) Tell Support to handle notification of release.
- - [ ] (Manager) Inform Marketing of the release
- - [ ] (Manager) Update the internal [BIND release dates wiki page](https://wiki.isc.org/bin/view/Main/BindReleaseDates) when public announcement has been made.
+ - [ ] (Support) Make tarballs and signatures available to download.
+ - [ ] (Manager) Update [https://wiki.isc.org/bin/view/Main/BindReleaseDates](BIND release dates page) when public announcement has been made.
+ - [ ] (Manager) Inform marketing of the release
 
  - [ ] (SwEng) Update DEB and RPM packages
- - [ ] (SwEng) Merge the automatically prepared `prep 9.X.Y` commit which updates `version` and documentation on the release branch into the relevant maintenance branch (`v9_X`)
-
-## Support
- - [ ] Make tarballs and signatures available to download.
- - [ ] Write release email to bind9-announce.
- - [ ] Write email to bind9-users (if a major release).
- - [ ] Update tickets in case of waiting support customers.
-
-## Marketing
- - [ ] Post short note to Twitter.
- - [ ] Update [Wikipedia entry for BIND](http://en.wikipedia.org/wiki/BIND).
- - [ ] Write blog article (if a major release).

Atffile

@@ -0,0 +1,5 @@
+Content-Type: application/X-atf-atffile; version="1"
+
+prop: test-suite = bind9
+
+tp: lib

CHANGES

@@ -1,757 +1,3 @@
-	--- 9.14.7 released ---
-
-5299.	[security]	A flaw in DNSSEC verification when transferring
-			mirror zones could allow data to be incorrectly
-			marked valid. (CVE-2019-6475) [GL #16P]
-
-5298.	[security]	Named could assert if a forwarder returned a
-			referral, rather than resolving the query, when QNAME
-			minimization was enabled. (CVE-2019-6476) [GL #1051]
-
-5297.	[bug]		Check whether a previous QNAME minimization fetch
-			is still running before starting a new one; return
-			SERVFAIL and log an error if so. [GL #1191]
-
-5294.	[func]		Fallback to ACE name on output in locale, which does not
-			support converting it to unicode.  [GL #846]
-
-5293.	[bug]		On Windows, named crashed upon any attempt to fetch XML
-			statistics from it. [GL #1245]
-
-5292.	[bug]		Queue 'rndc nsec3param' requests while signing inline
-			zone changes. [GL #1205]
-
-	--- 9.14.6 released ---
-
-5289.	[bug]		Address NULL pointer dereference in rpz.c:rpz_detach.
-			[GL #1210]
-
-5286.	[contrib]	Address potential NULL pointer dereferences in
-			dlz_mysqldyn_mod.c. [GL #1207]
-
-5285.	[port]		win32: implement "-T maxudpXXX". [GL #837]
-
-5283.	[bug]		When a response-policy zone expires, ensure that
-			its policies are removed from the RPZ summary
-			database. [GL #1146]
-
-5282.	[bug]		Fixed a bug in searching for possible wildcard matches
-			for query names in the RPZ summary database. [GL #1146]
-
-5281.	[cleanup]	Don't escape commas when reporting named's command
-			line. [GL #1189]
-
-5280.	[protocol]	Add support for displaying EDNS option LLQ. [GL #1201]
-
-5279.	[bug]		When loading, reject zones containing CDS or CDNSKEY
-			RRsets at the zone apex if they would cause DNSSEC
-			validation failures if published in the parent zone
-			as the DS RRset.  [GL #1187]
-
-	--- 9.14.5 released ---
-
-5277.	[bug]		Cache DB statistics could underflow when serve-stale
-			was in use, because of a bug in counter maintenance
-			when RRsets become stale.
-
-			Functions for dumping statistics have been updated
-			to dump active, stale, and ancient statistic
-			counters.  Ancient RRset counters are prefixed
-			with '~'; stale RRset counters are still prefixed
-			with '#'. [GL #602]
-
-5275.	[bug]		Mark DS records included in referral messages
-			with trust level "pending" so that they can be
-			validated and cached immediately, with no need to
-			re-query. [GL #964]
-
-5274.	[bug]		Address potential use after free race when shutting
-			down rpz. [GL #1175]
-
-5273.	[bug]		Check that bits [64..71] of a dns64 prefix are zero.
-			[GL #1159]
-
-5269.	[port]		cygwin: can return ETIMEDOUT on connect() with a
-			non-blocking socket. [GL #1133]
-
-5268.	[bug]		named could crash during configuration if
-			configured to use "geoip continent" ACLs with
-			legacy GeoIP. [GL #1163]
-
-5266.	[bug]		named-checkconf failed to report dnstap-output
-			missing from named.conf when dnstap was specified.
-			[GL #1136]
-
-5265.	[bug]		DNS64 and RPZ nodata (CNAME *.) rules interacted badly
-			[GL #1106]
-
-5264.	[func]		New DNS Cookie algorithm - siphash24 - has been added
-			to BIND 9. [GL #605]
-
-5236.	[func]		Add SipHash 2-4 implementation in lib/isc/siphash.c
-			and switch isc_hash_function() to use SipHash 2-4.
-			[GL #605]
-
-	--- 9.14.4 released ---
-
-5260.	[bug]		dnstap-read was producing malformed output for large
-			packets. [GL #1093]
-
-5258.	[func]		Added support for the GeoIP2 API from MaxMind,
-			when BIND is compiled using "configure --with-geoip2".
-			The legacy GeoIP API can be enabled by using
-			"configure --with-geoip" instead. These options
-			cannot be used together.
-
-			Certain geoip ACL settings that were available with
-			legacy GeoIP are not available when using GeoIP2.
-			See the ARM for details. [GL #182]
-
-5257.	[bug]		Some statistics data was not being displayed.
-			Add shading to the zone tables. [GL #1030]
-
-5256.	[bug]		Ensure that glue records are included in root
-			priming responses if "minimal-responses" is not
-			set to "yes". [GL #1092]
-
-5255.	[bug]		Errors encountered while reloading inline-signing
-			zones could be ignored, causing the zone content to
-			be left in an incompletely updated state rather than
-			reverted. [GL #1109]
-
-5254.	[func]		Collect metrics to report to the statistics-channel
-			DNSSEC signing operations (dnssec-sign) and refresh
-			operations (dnssec-refresh) per zone and per keytag.
-			[GL #513]
-
-5253.	[port]		Support platforms that don't define ULLONG_MAX.
-			[GL #1098]
-
-5251.	[bug]		Statistics were broken in x86 Windows builds.
-			[GL #1081]
-
-5249.	[bug]		Fix a possible underflow in recursion clients
-			statistics when hitting recursive clients
-			soft quota. [GL #1067]
-
-	--- 9.14.3 released ---
-
-5244.	[security]	Fixed a race condition in dns_dispatch_getnext()
-			that could cause an assertion failure if a
-			significant number of incoming packets were
-			rejected. (CVE-2019-6471) [GL #942]
-
-5243.	[bug]		Fix a possible race between dispatcher and socket
-			code in a high-load cold-cache resolver scenario.
-			[GL #943]
-
-5242.	[bug]		In relaxed qname minimization mode, fall back to
-			normal resolution when encountering a lame
-			delegation, and use _.domain/A queries rather
-			than domain/NS. [GL #1055]
-
-5241.	[bug]		Fix Ed448 private and public key ASN.1 prefix blobs.
-			[GL #225]
-
-5240.	[bug]		Remove key id calculation for RSAMD5. [GL #996]
-
-5238.	[bug]		Fix a possible deadlock in TCP code. [GL #1046]
-
-5237.	[bug]		Recurse to find the root server list with 'dig +trace'.
-			[GL #1028]
-
-5234.	[port]		arm: just use the compiler's default support for
-			yield. [GL #981]
-
-	--- 9.14.2 released ---
-
-5233.	[bug]		Negative trust anchors did not work with "forward only;"
-			to validating resolvers. [GL #997]
-
-5231.	[protocol]	Add support for displaying CLIENT-TAG and SERVER-TAG.
-			[GL #960]
-
-5229.	[protocol]	Enforce known SSHFP fingerprint lengths. [GL #852]
-
-5228.	[cleanup]	If trusted-keys and managed-keys are configured
-			simultaneously for the same name, the key cannot
-			be rolled automatically. This configuration now
-			logs a warning. [GL #868]
-
-5224.	[bug]		Only test provide-ixfr on TCP streams. [GL #991]
-
-5223.	[bug]		Fixed a race in the filter-aaaa plugin accessing
-			the hash table. [GL #1005]
-
-5222.	[bug]		'delv -t ANY' could leak memory. [GL #983]
-
-5221.	[test]		Enable parallel execution of system tests on
-			Windows. [GL !4101]
-
-5220.	[cleanup]	Refactor the isc_stat structure to take advantage
-			of stdatomic. [GL !1493]
-
-5219.	[bug]		Fixed a race in the filter-aaaa plugin that could
-			trigger a crash when returning an instance object
-			to the memory pool. [GL #982]
-
-5218.	[bug]		Conditionally include <dlfcn.h>. [GL #995]
-
-5217.	[bug]		Restore key id calculation for RSAMD5. [GL #996]
-
-5216.	[bug]		Fetches-per-zone counter wasn't updated correctly
-			when doing qname minimization. [GL #992]
-
-5215.	[bug]		Change #5124 was incomplete; named could still
-			return FORMERR instead of SERVFAIL in some cases.
-			[GL #990]
-
-5214.	[bug]		win32: named now removes its lock file upon shutdown.
-			[GL #979]
-
-5213.	[bug]		win32: Eliminated a race which allowed named.exe running
-			as a service to be killed prematurely during shutdown.
-			[GL #978]
-
-5211.	[bug]		Allow out-of-zone additional data to be included
-			in authoritative responses if recursion is allowed
-			and "minimal-responses" is disabled.  This behavior
-			was inadvertently removed in change #4605. [GL #817]
-
-5210.	[bug]		When dnstap is enabled and recursion is not
-			available, incoming queries are now logged
-			as "auth". Previously, this depended on whether
-			recursion was requested by the client, not on
-			whether recursion was available. [GL #963]
-
-5209.	[bug]		When update-check-ksk is true, add_sigs was not
-			considering offline keys, leaving record sets signed
-			with the incorrect type key. [GL #763]
-
-5208.	[test]		Run valid rdata wire encodings through totext+fromtext
-			and tofmttext+fromtext methods to check these methods.
-			[GL #899]
-
-5207.	[test]		Check delv and dig TTL values. [GL #965]
-
-5206.	[bug]		Delv could print out bad TTLs. [GL #965]
-
-5205.	[bug]		Enforce that a DS hash exists. [GL #899]
-
-5204.	[test]		Check that dns_rdata_fromtext() produces a record that
-			will be accepted by dns_rdata_fromwire(). [GL #852]
-
-5203.	[bug]		Enforce whether key rdata exists or not in KEY,
-			DNSKEY, CDNSKEY and RKEY. [GL #899]
-
-5202.	[bug]		<dns/ecs.h> was missing ISC_LANG_ENDDECLS. [GL #976]
-
-5190.	[bug]		Ignore trust anchors using disabled algorithms.
-			[GL #806]
-
-	--- 9.14.1 released ---
-
-5201.	[bug]		Fix a possible deadlock in RPZ update code. [GL #973]
-
-5200.	[security]	tcp-clients settings could be exceeded in some cases,
-			which could lead to exhaustion of file descriptors.
-			(CVE-2018-5743) [GL #615]
-
-5199.	[security]	In certain configurations, named could crash
-			if nxdomain-redirect was in use and a redirected
-			query resulted in an NXDOMAIN from the cache.
-			(CVE-2019-6467) [GL #880]
-
-5198.	[bug]		If a fetch context was being shut down and, at the same
-			time, we returned from qname minimization, an INSIST
-			could be hit. [GL #966]
-
-5197.	[bug]		dig could die in best effort mode on multiple SIG(0)
-			records. Similarly on multiple OPT and multiple TSIG
-			records. [GL #920]
-
-5196.	[bug]		make install failed with --with-dlopen=no. [GL #955]
-
-5195.	[bug]		"allow-update" and "allow-update-forwarding" were
-			treated as configuration errors if used at the
-			options or view level. [GL #913]
-
-5194.	[bug]		Enforce non empty ZOMEMD hash. [GL #899]
-
-5193.	[bug]		EID and NIMLOC failed to do multi-line output
-			correctly. [GL #899]
-
-5189.	[cleanup]	Remove revoked root DNSKEY from bind.keys. [GL #945]
-
-5187.	[test]		Set time zone before running any tests in dnstap_test.
-			[GL #940]
-
-5186.	[cleanup]	More dnssec-keygen manual tidying. [GL !1678]
-
-5184.	[bug]		Missing unlocks in sdlz.c. [GL #936]
-
-5183.	[bug]		Reinitialize ECS data before reusing client
-			structures. [GL #881]
-
-	--- 9.14.0 released ---
-
-	--- 9.14.0rc3 released ---
-
-5182.	[bug]		Fix a high-load race/crash in handling of
-			isc_socket_close() in resolver. [GL #834]
-
-5180.	[bug]		delv now honors the operating system's preferred
-			ephemeral port range. [GL #925]
-
-5179.	[cleanup]	Replace some vague type declarations with the more
-			specific dns_secalg_t and dns_dsdigest_t.
-			Thanks to Tony Finch. [GL !1498]
-
-5178.	[bug]		Handle EDQUOT (disk quota) and ENOSPC (disk full)
-			errors when writing files. [GL #902]
-
-5177.	[func]		Add the ability to specify in named.conf whether a
-			response-policy zone's SOA record should be added
-			to the additional section (add-soa yes/no). [GL #865]
-
-5167.	[bug]		nxdomain-redirect could sometimes lookup the wrong
-			redirect name. [GL #892]
-
-	--- 9.14.0rc2 released ---
-
-5176.	[tests]		Remove a dependency on libxml in statschannel system
-			test. [GL #926]
-
-5175.	[bug]		Fixed a problem with file input in dnssec-keymgr,
-			dnssec-coverage and dnssec-checkds when using
-			python3. [GL #882]
-
-5174.	[doc]		Tidy dnssec-keygen manual. [GL !1557]
-
-5173.	[bug]		Fixed a race in socket code that could occur when
-			accept, send, or recv were called from an event
-			loop but the socket had been closed by another
-			thread. [RT #874]
-
-5172.	[bug]		nsupdate now honors the operating system's preferred
-			ephemeral port range. [GL #905]
-
-5171.	[func]		named plugins are now installed into a separate
-			directory.  Supplying a filename (a string without path
-			separators) in a "plugin" configuration stanza now
-			causes named to look for that plugin in that directory.
-			[GL #878]
-
-5170.	[test]		Added --with-dlz-filesystem to feature-test. [GL !1587]
-
-5169.	[bug]		The presence of certain types in an otherwise
-			empty node could cause a crash while processing a
-			type ANY query. [GL #901]
-
-	--- 9.14.0rc1 released ---
-
-5168.	[bug]		Do not crash on shutdown when RPZ fails to load.  Also,
-			keep previous version of the database if RPZ fails to
-			load. [GL #813]
-
-5165.	[contrib]	Removed SDB drivers from contrib; they're obsolete.
-			[GL #428]
-
-5164.	[bug]		Correct errno to result translation in dlz filesystem
-			modules. [GL #884]
-
-5163.	[cleanup]	Out-of-tree builds failed --enable-dnstap. [GL #836]
-
-5162.	[cleanup]	Improve dnssec-keymgr manual. Thanks to Tony Finch.
-			[GL !1518]
-
-5161.	[bug]		Do not require the SEP bit to be set for mirror zone
-			trust anchors. [GL #873]
-
-5160.	[contrib]	Added DNAME support to the DLZ LDAP schema. Also
-			fixed a compilation bug affecting several DLZ
-			modules. [GL #872]
-
-5159.	[bug]		dnssec-coverage was incorrectly ignoring
-			names specified on the command line without
-			trailing dots. [GL !1478]
-
-5158.	[protocol]	Add support for AMTRELAY and ZONEMD. [GL #867]
-
-5157.	[bug]		Nslookup now errors out if there are extra command
-			line arguments. [GL #207]
-
-5141.	[security]	Zone transfer controls for writable DLZ zones were
-			not effective as the allowzonexfr method was not being
-			called for such zones. (CVE-2019-6465) [GL #790]
-
-5118.	[security]	Named could crash if it is managing a key with
-			`managed-keys` and the authoritative zone is rolling
-			the key to an unsupported algorithm. (CVE-2018-5745)
-			[GL #780]
-
-5110.	[security]	Named leaked memory if there were multiple Key Tag
-			EDNS options present. (CVE-2018-5744) [GL #772]
-
-	--- 9.13.6 released ---
-
-5156.	[doc]		Extended and refined the section of the ARM describing
-			mirror zones. [GL #774]
-
-5155.	[func]		"named -V" now outputs the default paths to
-			named.conf, rndc.conf, bind.keys, and other
-			files used or created by named and other tools, so
-			that the correct paths to these files can quickly be
-			determined regardless of the configure settings
-			used when BIND was built. [GL #859]
-
-5154.	[bug]		dig: process_opt could be called twice on the same
-			message leading to a assertion failure. [GL #860]
-
-5153.	[func]		Zone transfer statistics (size, number of records, and
-			number of messages) are now logged for outgoing
-			transfers as well as incoming ones. [GL #513]
-
-5152.	[func]		Improved logging of DNSSEC key events:
-			- Zone signing and DNSKEY maintenance events are
-			  now logged to the "dnssec" category
-			- Messages are now logged when DNSSEC keys are
-			  published, activated, inactivated, deleted,
-			  or revoked.
-			[GL #714]
-
-5151.	[func]		Options that have been been marked as obsolete in
-			named.conf for a very long time are now fatal
-			configuration errors. [GL #358]
-
-5150.	[cleanup]	Remove the ability to compile BIND with assertions
-			disabled. [GL #735]
-
-5149.	[func]		"rndc dumpdb" now prints a line above a stale RRset
-			indicating how long the data will be retained in the
-			cache for emergency use. [GL #101]
-
-5148.	[bug]		named did not sign the TKEY response. [GL #821]
-
-5147.	[bug]		dnssec-keymgr: Add a five-minute margin to better
-			handle key events close to 'now'. [GL #848]
-
-5146.	[placeholder]
-
-5145.	[func]		Use atomics instead of locked variables for isc_quota
-			and isc_counter. [GL !1389]
-
-5144.	[bug]		dig now returns a non-zero exit code when a TCP
-			connection is prematurely closed by a peer more than
-			once for the same lookup.  [GL #820]
-
-5143.	[bug]		dnssec-keymgr and dnssec-coverage failed to find
-			key files for zone names ending in ".". [GL #560]
-
-5142.	[cleanup]	Removed "configure --disable-rpz-nsip" and
-			"--disable-rpz-nsdname" options. "nsip-enable"
-			and "nsdname-enable" both now default to yes,
-			regardless of compile-time settings. [GL #824]
-
-5140.	[bug]		Don't immediately mark existing keys as inactive and
-			deleted when running dnssec-keymgr for the first
-			time. [GL #117]
-
-5139.	[bug]		If possible, don't use forwarders when priming.
-			This ensures we can get root server IP addresses
-			from priming query response glue, which may not
-			be present if the forwarding server is returning
-			minimal responses. [GL #752]
-
-5138.	[bug]		Under some circumstances named could hit an assertion
-			failure when doing qname minimization when using
-			forwarders. [GL #797]
-
-5137.	[func]		named now logs messages whenever a mirror zone becomes
-			usable or unusable for resolution purposes. [GL #818]
-
-5136.	[cleanup]	Check in named-checkconf that allow-update and
-			allow-update-forwarding are not set at the
-			view/options level; fix documentation. [GL #512]
-
-5135.	[port]		sparc: Use smt_pause() instead of pause. [GL #816]
-
-5134.	[bug]		win32: WSAStartup was not called before getservbyname
-			was called. [GL #590]
-
-5133.	[bug]		'rndc managed-keys' didn't handle class and view
-			correctly and failed to add new lines between each
-			view. [GL !1327]
-
-5132.	[bug]		Fix race condition in cleanup part of dns_dt_create().
-			[GL !1323]
-
-5131.	[cleanup]	Address Coverity warnings. [GL #801]
-
-5130.	[cleanup]	Remove support for l10n message catalogs. [GL #709]
-
-5129.	[contrib]	sdlz_helper.c:build_querylist was not properly
-			splitting the query string. [GL #798]
-
-5128.	[bug]		Refreshkeytime was not being updated for managed
-			keys zones. [GL #784]
-
-5127.	[bug]		rcode.c:maybe_numeric failed to handle NUL in text
-			regions. [GL #807]
-
-5126.	[bug]		Named incorrectly accepted empty base64 and hex encoded
-			fields when reading master files. [GL #807]
-
-5125.	[bug]		Allow for up to 100 records or 64k of data when caching
-			a negative response. [GL #804]
-
-5124.	[bug]		Named could incorrectly return FORMERR rather than
-			SERVFAIL. [GL #804]
-
-5123.	[bug]		dig could hang indefinitely after encountering an error
-			before creating a TCP socket. [GL #692]
-
-5122.	[bug]		In a "forward first;" configuration, a forwarder
-			timeout did not prevent that forwarder from being
-			queried again after falling back to full recursive
-			resolution. [GL #315]
-
-5121.	[contrib]	dlz_stub_driver.c fails to return ISC_R_NOTFOUND on none
-			matching zone names. [GL !1299]
-
-5120.	[placeholder]
-
-5119.	[placeholder]
-
-5117.	[placeholder]
-
-5116.	[bug]		Named/named-checkconf triggered a assertion when
-			a mirror zone's name is bad. [GL #778]
-
-5115.	[bug]		Allow unsupported algorithms in zone when not used for
-			signing with dnssec-signzone. [GL #783]
-
-5114.	[func]		Include a 'reconfig/reload in progress' status line
-			in rndc status, use it in tests.
-
-5113.	[port]		Fixed a Windows build error.
-
-5112.	[bug]		Named/named-checkconf could dump core if there was
-			a missing masters clause and a bad notify clause.
-			[GL #779]
-
-5111.	[bug]		Occluded DNSKEY records could make it into the
-			delegating NSEC/NSEC3 bitmap. [GL #742]
-
-5109.	[cleanup]	Remove support for RSAMD5 algorithm. [GL #628]
-
-	--- 9.13.5 released ---
-
-5108.	[bug]		Named could fail to determine bottom of zone when
-			removing out of date keys leading to invalid NSEC
-			and NSEC3 records being added to the zone. [GL #771]
-
-5107.	[bug]		'host -U' did not work. [GL #769]
-
-5106.	[experimental]	A new "plugin" mechanism has been added to allow
-			extension of query processing functionality through
-			the use of dynamically loadable libraries. A
-			"filter-aaaa.so" plugin has been implemented,
-			replacing the filter-aaaa feature that was formerly
-			implemented as a native part of BIND.
-
-			The "filter-aaaa", "filter-aaaa-on-v4" and
-			"filter-aaaa-on-v6" options can no longer be
-			configured using native named.conf syntax. However,
-			loading the filter-aaaa.so plugin and setting its
-			parameters provides identical functionality.
-
-			Note that the plugin API is a work in progress and
-			is likely to evolve as further plugins are
-			implemented. [GL #15]
-
-5105.	[bug]		Fix a race between process_fd and socketclose in
-			unix socket code. [GL #744]
-
-5104.	[cleanup]	Log clearer informational message when a catz zone
-			is overridden by a zone in named.conf.
-			Thanks to Tony Finch. [GL !1157]
-
-5103.	[bug]		Add missing design by contract tests to dns_catz*.
-			[GL #748]
-
-5102.	[bug]		dnssec-coverage failed to use the default TTL when
-			checking KSK deletion times leading to a exception.
-			[GL #585]
-
-5101.	[bug]		Fix default installation path for Python modules and
-			remove the dnspython dependency accidentally introduced
-			by change 4970. [GL #730]
-
-5100.	[func]		Pin resolver tasks to specific task queues. [GL !1117]
-
-5099.	[func]		Failed mutex and conditional creations are always
-			fatal. [GL #674]
-
-	--- 9.13.4 released ---
-
-5098.	[func]		Failed memory allocations are now fatal. [GL #674]
-
-5097.	[cleanup]	Remove embedded ATF unit testing framework
-			from BIND source distribution.  [GL !875]
-
-5096.	[func]		Use multiple event loops in socket code, and
-			make network threads CPU-affinitive.  This
-			significantly improves performance on large
-			systems. [GL #666]
-
-5095.	[test]		Converted all unit tests from ATF to CMocka;
-			removed the source code for the ATF libraries.
-			Build with "configure --with-cmocka" to enable
-			unit testing. [GL #620]
-
-5094.	[func]		Add 'dig -r' to disable reading of .digrc. [GL !970]
-
-5093.	[bug]		Log lame qname-minimization servers only if they're
-			really lame. [GL #671]
-
-5092.	[bug]		Address memory leak on SIGTERM in nsupdate when using
-			GSS-TSIG. [GL #558]
-
-5091.	[func]		Two new global and per-view options min-cache-ttl
-			and min-ncache-ttl [GL #613]
-
-5090.	[bug]		dig and mdig failed to properly pre-parse dash value
-			pairs when value was a separate argument and started
-			with a dash. [GL #584]
-
-5089.	[bug]		Restore localhost fallback in dig and host which is
-			used when no nameserver addresses present in
-			/etc/resolv.conf are usable due to the requested
-			address family restrictions. [GL #433]
-
-5088.	[bug]		dig/host/nslookup could crash when interrupted close to
-			a query timeout. [GL #599]
-
-5087.	[test]		Check that result tables are complete. [GL #676]
-
-5086.	[func]		Log of RPZ now includes the QTYPE and QCLASS. [GL #623]
-
-5085.	[bug]		win32: Restore looking up nameservers, search list,
-			etc. [GL #186]
-
-5084.	[placeholder]
-
-5083.	[func]		Add autoconf macro AX_POSIX_SHELL, so we
-			can use POSIX-compatible shell features
-			in the scripts.
-
-5082.	[bug]		Fixed a race that could cause a crash in
-			dig/host/nslookup. [GL #650]
-
-5081.	[func]		Use per-worker queues in task manager, make task
-			runners CPU-affine. [GL #659]
-
-5080.	[func]		Improvements to "rndc nta" user interface:
-			- catch and report invalid command line options
-			- when removing an NTA from all views, do not
-			  abort with an error if the NTA was not found
-			  in one of the views
-			- include the view name in "rndc nta -dump"
-			  output, for consistency with the add and remove
-			  actions
-			Thanks to Tony Finch. [GL !816]
-
-5079.	[func]		Disable IDN processing in dig and nslookup
-			when not on a tty. [GL #653]
-
-5078.	[cleanup]	Require python components to be explicitly disabled if
-			python is not available on unix platforms. [GL #601]
-
-5077.	[cleanup]	Remove ip6.int support (-i) from dig and mdig.
-			[GL !969]
-
-5076.	[bug]		"require-server-cookie" was not effective if
-			"rate-limit" was configured. [GL #617]
-
-5075.	[bug]		Refresh nameservers from cache when sending final
-			query in qname minimization. [GL #16]
-
-5074.	[cleanup]	Remove vector socket functions - isc_socket_recvv(),
-			isc_socket_sendtov(), isc_socket_sendtov2(),
-			isc_socket_sendv() - in order to simplify socket code.
-			[GL #645]
-
-5073.	[bug]		Destroy a task first when destroying rpzs and catzs.
-			[GL #84]
-
-5072.	[bug]		Add unit tests for isc_buffer_copyregion() and fix its
-			behavior for auto-reallocated buffers. [GL #644]
-
-5071.	[bug]		Comparison of NXT records was broken. [GL #631]
-
-5070.	[bug]		Record types which support a empty rdata field were
-			not handling the empty rdata field case. [GL #638]
-
-5069.	[bug]		Fix a hang on in RPZ when named is shutdown during RPZ
-			zone update. [GL !907]
-
-5068.	[bug]		Fix a race in RPZ with min-update-interval set to 0.
-			[GL #643]
-
-5067.	[bug]		Don't minimize qname when sending the query
-			to a forwarder. [GL #361]
-
-5066.	[cleanup]	Allow unquoted strings to be used as a zone names
-			in response-policy statements. [GL #641]
-
-5065.	[bug]		Only set IPV6_USE_MIN_MTU on IPv6. [GL #553]
-
-5064.	[test]		Initialize TZ environment variable before calling
-			dns_test_begin in dnstap_test. [GL #624]
-
-5063.	[test]		In statschannel test try a few times before failing
-			when checking if the compressed output is the same as
-			uncompressed. [GL !909]
-
-5062.	[func]		Use non-crypto-secure PRNG to generate nonces for
-			cookies. [GL !887]
-
-5061.	[protocol]	Add support for EID and NIMLOC. [GL #626]
-
-5060.	[bug]		GID, UID and UINFO could not be loaded using unknown
-			record format. [GL #627]
-
-5059.	[bug]		Display a per-view list of zones in the web interface.
-			[GL #427]
-
-5058.	[func]		Replace old message digest and hmac APIs with more
-			generic isc_md and isc_hmac APIs, and convert their
-			respective tests to cmocka. [GL #305]
-
-5057.	[protocol]	Add support for ATMA. [GL #619]
-
-5056.	[placeholder]
-
-5055.	[func]		A default list of primary servers for the root zone is
-			now built into named, allowing the "masters" statement
-			to be omitted when configuring an IANA root zone
-			mirror. [GL #564]
-
-5054.	[func]		Attempts to use mirror zones with recursion disabled
-			are now considered a configuration error. [GL #564]
-
-5053.	[func]		The only valid zone-level NOTIFY settings for mirror
-			zones are now "notify no;" and "notify explicit;".
-			[GL #564]
-
-5052.	[func]		Mirror zones are now configured using "type mirror;"
-			rather than "mirror yes;". [GL #564]
-
-5051.	[doc]		Documentation incorrectly stated that the
-			"server-addresses" static-stub zone option accepts
-			custom port numbers. [GL #582]
-
 5050.	[bug]		The libirs version of getaddrinfo() was unable to parse
 			scoped IPv6 addresses present in /etc/resolv.conf.
 			[GL #187]
@@ -933,9 +179,9 @@
 5001.	[bug]		Fix refcount errors on error paths. [GL !563]
 
 5000.	[bug]		named_server_servestale() could leave the server in
-			exclusive mode if an error occurred. [GL #441]
+			exclusive mode if an error occured. [GL #441]
 
-4999.	[cleanup]	Remove custom printf implementation in lib/isc/print.c.
+4999.	[cleanup]	Remove custom printf implementaion in lib/isc/print.c.
 			[GL #261]
 
 4998.	[test]		Make resolver and cacheclean tests more civilized.

CONTRIBUTING

@@ -1,5 +1,3 @@
-CONTRIBUTING
-
 BIND Source Access and Contributor Guidelines
 
 Feb 22, 2018

COPYRIGHT

@@ -1,4 +1,4 @@
-Copyright (C) 1996-2019  Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 1996-2018  Internet Systems Consortium, Inc. ("ISC")
 
 This Source Code Form is subject to the terms of the Mozilla Public
 License, v. 2.0. If a copy of the MPL was not distributed with this

HISTORY

@@ -1,5 +1,3 @@
-HISTORY
-
 Functional enhancements from prior major releases of BIND 9
 
 BIND 9.11
@@ -433,11 +431,11 @@ BIND 9.4.0
   * Detect duplicates of UDP queries we are recursing on and drop them.
     New stats category "duplicates".
   * "USE INTERNAL MALLOC" is now runtime selectable.
-  * The lame cache is now done on a <qname,qclass,qtype> basis as some
-    servers only appear to be lame for certain query types.
+  * The lame cache is now done on a basis as some servers only appear to
+    be lame for certain query types.
   * Limit the number of recursive clients that can be waiting for a single
-    query (<qname,qtype,qclass>) to resolve. New options clients-per-query
-    and max-clients-per-query.
+    query () to resolve. New options clients-per-query and
+    max-clients-per-query.
   * dig: report the number of extra bytes still left in the packet after
     processing all the records.
   * Support for IPSECKEY rdata type.

Makefile.in

@@ -14,7 +14,7 @@ top_builddir =  @top_builddir@
 
 VERSION=@BIND9_VERSION@
 
-SUBDIRS =	make lib fuzz bin doc
+SUBDIRS =	make unit lib fuzz bin doc
 TARGETS =
 PREREQS =	bind.keys.h
 
@@ -97,27 +97,27 @@ test-force:
 	exit $$status
 
 README: README.md
-	${PANDOC} --email-obfuscation=none -s --metadata title="README" -f markdown-smart -t html README.md | \
+	${PANDOC} --email-obfuscation=none -s -t html README.md | \
 		${W3M} -dump -cols 75 -O ascii -T text/html | \
 		sed -e '$${/^$$/d;}' > $@
 
 HISTORY: HISTORY.md
-	${PANDOC} --email-obfuscation=none -s --metadata title="HISTORY" -f markdown-smart -t html HISTORY.md | \
+	${PANDOC} --email-obfuscation=none -s -t html HISTORY.md | \
 		${W3M} -dump -cols 75 -O ascii -T text/html | \
 		sed -e '$${/^$$/d;}' > $@
 
 OPTIONS: OPTIONS.md
-	${PANDOC} --email-obfuscation=none -s --metadata title="OPTIONS" -f markdown-smart -t html OPTIONS.md | \
+	${PANDOC} --email-obfuscation=none -s -t html OPTIONS.md | \
 		${W3M} -dump -cols 75 -O ascii -T text/html | \
 		sed -e '$${/^$$/d;}' > $@
 
 CONTRIBUTING: CONTRIBUTING.md
-	${PANDOC} --email-obfuscation=none -s --metadata title="CONTRIBUTING" -f markdown-smart -t html CONTRIBUTING.md | \
+	${PANDOC} --email-obfuscation=none -s -t html CONTRIBUTING.md | \
 		${W3M} -dump -cols 75 -O ascii -T text/html | \
 		sed -e '$${/^$$/d;}' > $@
 
 PLATFORMS: PLATFORMS.md
-	${PANDOC} --email-obfuscation=none -s --metadata title="PLATFORMS" -f markdown-smart -t html PLATFORMS.md | \
+	${PANDOC} --email-obfuscation=none -s -t html PLATFORMS.md | \
 		${W3M} -dump -cols 75 -O ascii -T text/html | \
 		sed -e '$${/^$$/d;}' > $@
 

OPTIONS

@@ -1,12 +1,10 @@
-OPTIONS
-
 Setting the STD_CDEFINES environment variable before running configure can
 be used to enable certain compile-time options that are not explicitly
 defined in configure.
 
 Some of these settings are:
 
-         Setting                            Description
+Setting                   Description
                           Overwrite memory with tag values when allocating
 -DISC_MEM_DEFAULTFILL=1   or freeing it; this impairs performance but
                           makes debugging of memory problems easier.

PLATFORMS

@@ -1,5 +1,3 @@
-PLATFORMS
-
 Supported platforms
 
 In general, this version of BIND will build and run on any POSIX-compliant
@@ -15,61 +13,49 @@ offer support on a "best effort" basis for some.
 
 Regularly tested platforms
 
-As of Feb 2019, BIND 9.14 is fully supported and regularly tested on the
-following systems:
+As of May 2018, BIND 9.13 is tested on the following systems:
 
-  * Debian 8, 9, 10
+  * Debian 8, 9
   * Ubuntu 16.04, 18.04
-  * Fedora 28, 29
-  * Red Hat Enterprise Linux / CentOS 6, 7
-  * FreeBSD 11.x
-  * OpenBSD 6.2, 6.3
+  * Fedora 27, 28
+  * Red Hat/CentOS 6, 7
+  * FreeBSD 10.x, 11.x
+  * OpenBSD 6.3
 
 The amd64, i386, armhf and arm64 CPU architectures are all fully
 supported.
 
 Best effort
 
-The following are platforms on which BIND is known to build and run. ISC
-makes every effort to fix bugs on these platforms, but may be unable to do
-so quickly due to lack of hardware, less familiarity on the part of
-engineering staff, and other constraints. With the exception of Windows
-Server 2012 R2, none of these are tested regularly by ISC.
+The following are platforms on which BIND is known to build and run, but
+on which it is not routinely tested. ISC makes every effort to fix bugs on
+these platforms, but may be unable to do so quickly due to lack of
+hardware, less familiarity on the part of engineering staff, and other
+constraints.
 
-  * Windows Server 2012 R2, 2016 / x64
   * Windows 10 / x64
+  * Windows Server 2012 R2, 2016 / x64
   * macOS 10.12+
-  * Solaris 11
-  * FreeBSD 10.x, 12.0+
-  * OpenBSD 6.4+
+  * Solaris 10
+  * FreeBSD 12+
+  * OpenBSD 6.2
   * NetBSD
-  * Other Linux distributions still supported by their vendors, such as:
+  * Older or less popular Linux distributions still supported by their
+    vendors, such as:
       + Ubuntu 14.04, 18.10+
       + Gentoo
-      + Arch Linux
+      + ArchLinux
       + Alpine Linux
-  * OpenWRT/LEDE 17.01+
+  * OpenWRT/LEDE 17.0
   * Other CPU architectures (mips, mipsel, sparc, ...)
 
 Unsupported platforms
 
-These are platforms on which BIND 9.14 is known not to build or run:
+These are platforms on which BIND is known not to build or run:
 
   * Platforms without at least OpenSSL 1.0.2
   * Windows 10 / x86
   * Windows Server 2012 and older
-  * Solaris 10 and older
   * Platforms that don't support IPv6 Advanced Socket API (RFC 3542)
   * Platforms that don't support atomic operations (via compiler or
     library)
-  * Linux without NPTL (Native POSIX Thread Library)
-
-Platform quirks
-
-NetBSD 6 i386
-
-The i386 build of NetBSD requires the libatomic library, available from
-the gcc5-libs package. Because this library is in a non-standard path, its
-location must be specified in the configure command line:
-
-LDFLAGS="-L/usr/pkg/gcc5/i486--netbsdelf/lib/ -Wl,-R/usr/pkg/gcc5/i486--netbsdelf/lib/" ./configure

PLATFORMS.md

@@ -23,61 +23,78 @@ offer support on a "best effort" basis for some.
 
 ### Regularly tested platforms
 
-As of Feb 2019, BIND 9.14 is fully supported and regularly tested on the
-following systems:
+As of May 2018, BIND 9.13 is tested on the following systems:
 
-* Debian 8, 9, 10
+* Debian 8, 9
 * Ubuntu 16.04, 18.04
-* Fedora 28, 29
-* Red Hat Enterprise Linux / CentOS 6, 7
-* FreeBSD 11.x
-* OpenBSD 6.2, 6.3
+* Fedora 27, 28
+* Red Hat/CentOS 6, 7
+* FreeBSD 10.x, 11.x
+* OpenBSD 6.3
 
 The amd64, i386, armhf and arm64 CPU architectures are all fully supported.
 
 ### Best effort
 
-The following are platforms on which BIND is known to build and run.
-ISC makes every effort to fix bugs on these platforms, but may be unable to
-do so quickly due to lack of hardware, less familiarity on the part of
-engineering staff, and other constraints. With the exception of Windows
-Server 2012 R2, none of these are tested regularly by ISC.
+The following are platforms on which BIND is known to build and run,
+but on which it is not routinely tested. ISC makes every effort to fix bugs
+on these platforms, but may be unable to do so quickly due to lack of
+hardware, less familiarity on the part of engineering staff, and other
+constraints.
 
-* Windows Server 2012 R2, 2016 / x64
 * Windows 10 / x64
+* Windows Server 2012 R2, 2016 / x64
 * macOS 10.12+
-* Solaris 11
-* FreeBSD 10.x, 12.0+
-* OpenBSD 6.4+
+* Solaris 10
+* FreeBSD 12+
+* OpenBSD 6.2
 * NetBSD
-* Other Linux distributions still supported by their vendors, such as:
+* Older or less popular Linux distributions still supported by their vendors, such as:
     * Ubuntu 14.04, 18.10+
     * Gentoo
-    * Arch Linux
+    * ArchLinux
     * Alpine Linux
-* OpenWRT/LEDE 17.01+
+* OpenWRT/LEDE 17.0
 * Other CPU architectures (mips, mipsel, sparc, ...)
 
 ## Unsupported platforms
 
-These are platforms on which BIND 9.14 is known *not* to build or run:
+These are platforms on which BIND is known *not* to build or run:
 
 * Platforms without at least OpenSSL 1.0.2
 * Windows 10 / x86
 * Windows Server 2012 and older
-* Solaris 10 and older
 * Platforms that don't support IPv6 Advanced Socket API (RFC 3542)
 * Platforms that don't support atomic operations (via compiler or library)
 * Linux without NPTL (Native POSIX Thread Library)
 
 ## Platform quirks
 
-### NetBSD 6 i386
+### ARM
 
-The i386 build of NetBSD requires the `libatomic` library, available from
-the `gcc5-libs` package.  Because this library is in a non-standard path,
-its location must be specified in the `configure` command line:
+If the compilation ends with following error:
 
 ```
-LDFLAGS="-L/usr/pkg/gcc5/i486--netbsdelf/lib/ -Wl,-R/usr/pkg/gcc5/i486--netbsdelf/lib/" ./configure
+Error: selected processor does not support `yield' in ARM mode
+```
+
+You will need to set `-march` compiler option to `native`, so the compiler
+recognizes `yield` assembler instruction.  The proper way to set `-march=native`
+would be to put it into `CFLAGS`, e.g. run `./configure` like this:
+`CFLAGS="-march=native -Os -g" ./configure` plus your usual options.
+
+If that doesn't work, you can enforce the minimum CPU and FPU (taken from Debian
+armhf documentation):
+
+* The lowest worthwhile CPU implementation is Armv7-A, therefore the recommended
+  build option is `-march=armv7-a`.
+
+* FPU should be set at VFPv3-D16 as they represent the miminum specification of
+  the processors to support here, therefore the recommended build option is
+  `-mfpu=vfpv3-d16`.
+
+The configure command should look like this:
+
+```
+CFLAGS="-march=armv7-a -mfpu=vfpv3-d16 -Os -g" ./configure
 ```

README

@@ -1,5 +1,3 @@
-README
-
 BIND 9
 
 Contents
@@ -7,15 +5,14 @@ Contents
  1. Introduction
  2. Reporting bugs and getting help
  3. Contributing to BIND
- 4. BIND 9.14 features
+ 4. BIND 9.13 features
  5. Building BIND
  6. macOS
- 7. Dependencies
- 8. Compile-time options
- 9. Automated testing
-10. Documentation
-11. Change log
-12. Acknowledgments
+ 7. Compile-time options
+ 8. Automated testing
+ 9. Documentation
+10. Change log
+11. Acknowledgments
 
 Introduction
 
@@ -39,7 +36,7 @@ in versions 4 and 8. Internet Systems Consortium (https://www.isc.org), a
 501(c)(3) public benefit corporation dedicated to providing software and
 services in support of the Internet infrastructure, developed BIND 9 and
 is responsible for its ongoing maintenance and improvement. BIND is open
-source software licensed under the terms of the Mozilla Public License,
+source software licenced under the terms of the Mozilla Public License,
 version 2.0.
 
 For a summary of features introduced in past major releases of BIND, see
@@ -71,9 +68,6 @@ If the bug you are reporting is a potential security issue, such as an
 assertion failure or other crash in named, please do NOT use GitLab to
 report it. Instead, please send mail to security-officer@isc.org.
 
-For a general overview of ISC security policies, read the Knowledge Base
-article at https://kb.isc.org/docs/aa-00861.
-
 Professional support and training for BIND are available from ISC at
 https://www.isc.org/support.
 
@@ -93,7 +87,7 @@ Information for BIND contributors can be found in the following files: -
 General information: CONTRIBUTING.md - BIND 9 code style: doc/dev/style.md
 - BIND architecture and developer guide: doc/dev/dev.md
 
-Patches for BIND may be submitted as merge requests in the ISC GitLab
+Patches for BIND may be submitted as Merge Requests in the ISC GitLab
 server at at https://gitlab.isc.org/isc-projects/bind9/merge_requests.
 
 By default, external contributors don't have ability to fork BIND in the
@@ -105,19 +99,12 @@ If you prefer, you may also submit code by opening a GitLab Issue and
 including your patch as an attachment, preferably generated by git
 format-patch.
 
-BIND 9.14 features
+BIND 9.13 features
 
-BIND 9.14.0 is the first release from a new stable branch of BIND 9,
-incorporating all changes from the 9.13 development branch, updating the
-most recent stable branch, 9.12. These changes include:
+BIND 9.13 is the newest development branch of BIND 9. It includes a number
+of changes from BIND 9.12 and earlier releases. New features include:
 
-  * A new "plugin" mechanism has been added to allow query functionality
-    to be extended using dynamically loadable libraries. The "filter-aaaa"
-    feature has been removed from named and is now implemented as a
-    plugin.
   * QNAME minimization, as described in RFC 7816, is now supported.
-  * Socket and task code has been refactored to improve performance on
-    most modern machines.
   * "Root key sentinel" support, enabling validating resolvers to indicate
     via a special query which trust anchors are configured for the root
     zone.
@@ -130,8 +117,6 @@ most recent stable branch, 9.12. These changes include:
     which DNSSEC validation should not be performed.
   * The default value of "dnssec-validation" is now "auto".
   * IDNA2008 is now supported when linking with libidn2.
-  * "named -V" now outputs the default paths for files used by named and
-    other tools.
 
 In addition, workarounds that were formerly in place to enable resolution
 of domains whose authoritative servers did not respond to EDNS queries
@@ -140,54 +125,20 @@ have been removed. See https://dnsflagday.net for more details.
 Cryptographic support has been modernized. BIND now uses the best
 available pseudo-random number generator for the platform on which it's
 built. Very old versions of OpenSSL are no longer supported. Cryptography
-is now mandatory: building BIND without DNSSEC is no longer supported.
+is now mandatory: building BIND without DNSSEC is now longer supported.
 
 Special code to support certain legacy operating systems has also been
 removed; see the file PLATFORMS.md for details of supported platforms. In
 addition to OpenSSL, BIND now requires support for IPv6, threads, and
-standard atomic operations provided by the C compiler. Non-threaded builds
-are no longer supported.
-
-BIND 9.14.1
-
-BIND 9.14.1 is a maintenance release, and addresses security
-vulnerabilities disclosed in CVE-2018-5743 and CVE-2019-6467.
-
-BIND 9.14.2
-
-BIND 9.14.2 is a maintenance release.
-
-BIND 9.14.3
-
-BIND 9.14.3 is a maintenance release, and addresses the security
-vulnerability disclosed in CVE-2019-6471.
-
-BIND 9.14.4
-
-BIND 9.14.4 is a maintenance release, and also adds support for the new
-MaxMind GeoIP2 geolocation API when built with configure --with-geoip2.
-
-BIND 9.14.5
-
-BIND 9.14.5 is a maintenance release.
-
-BIND 9.14.6
-
-BIND 9.14.6 is a maintenance release.
-
-BIND 9.14.7
-
-BIND 9.14.7 is a maintenance release, and also addresses the security
-vulnerabilities disclosed in CVE-2019-6475 and CVE-2019-6476.
+standard atomic operations provided by the C compiler.
 
 Building BIND
 
 Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
 basic POSIX support, and a 64-bit integer type. Successful builds have
-been observed on many versions of Linux and UNIX, including RHEL/CentOS,
-Fedora, Debian, Ubuntu, SLES, openSUSE, Slackware, Alpine, FreeBSD,
-NetBSD, OpenBSD, macOS, Solaris, OpenIndiana, OmniOS CE, HP-UX, and
-OpenWRT.
+been observed on many versions of Linux and UNIX, including RedHat,
+Fedora, Debian, Ubuntu, SuSE, Slackware, FreeBSD, NetBSD, OpenBSD, Mac OS
+X, Solaris, HP-UX, and OpenWRT.
 
 BIND requires a cryptography provider library such as OpenSSL or a
 hardware service module supporting PKCS#11. On Linux, BIND requires the
@@ -196,8 +147,8 @@ overridden by disabling capability support at compile time. See
 Compile-time options below for details on other libraries that may be
 required to support optional features.
 
-BIND is also available for Windows Server 2008 and higher. See win32utils/
-build.txt for details on building for Windows systems.
+BIND is also available for Windows 2008 and higher. See win32utils/
+readme1st.txt for details on building for Windows systems.
 
 To build on a UNIX or Linux system, use:
 
@@ -210,7 +161,7 @@ make depend. If you're using Emacs, you might find make tags helpful.
 Several environment variables that can be set before running configure
 will affect compilation:
 
-   Variable                            Description
+Variable       Description
 CC             The C compiler to use. configure tries to figure out the
                right one for supported systems.
                C compiler flags. Defaults to include -g and/or -O2 as
@@ -225,32 +176,43 @@ STD_CDEFINES   Defaults to empty string. For a list of possible settings,
 LDFLAGS        Linker flags. Defaults to empty string.
 BUILD_CC       Needed when cross-compiling: the native C compiler to use
                when building for the target system.
-BUILD_CFLAGS   CFLAGS for the target system during cross-compiling.
-BUILD_CPPFLAGS CPPFLAGS for the target system during cross-compiling.
-BUILD_LDFLAGS  LDFLAGS for the target system during cross-compiling.
-BUILD_LIBS     LIBS for the target system during cross-compiling.
+BUILD_CFLAGS   Optional, used for cross-compiling
+BUILD_CPPFLAGS
+BUILD_LDFLAGS
+BUILD_LIBS
 
 macOS
 
 Building on macOS assumes that the "Command Tools for Xcode" is installed.
 This can be downloaded from https://developer.apple.com/download/more/ or
-if you have Xcode already installed you can run xcode-select --install.
-
-Dependencies
-
-Portions of BIND that are written in Python, including dnssec-keymgr,
-dnssec-coverage, dnssec-checkds, and some of the system tests, require the
-argparse and ply modules to be available. argparse is a standard module as
-of Python 2.7 and Python 3.2. ply is available from https://
-pypi.python.org/pypi/ply.
+if you have Xcode already installed you can run "xcode-select --install".
+This will add /usr/include to the system and install the compiler and
+other tools so that they can be easily found.
 
 Compile-time options
 
 To see a full list of configuration options, run configure --help.
 
+On most platforms, BIND 9 is built with multithreading support, allowing
+it to take advantage of multiple CPUs. You can configure this by
+specifying --enable-threads or --disable-threads on the configure command
+line. The default is to enable threads, except on some older operating
+systems on which threads are known to have had problems in the past.
+(Note: Prior to BIND 9.10, the default was to disable threads on Linux
+systems; this has now been reversed. On Linux systems, the threaded build
+is known to change BIND's behavior with respect to file permissions; it
+may be necessary to specify a user with the -u option when running named.)
+
 To build shared libraries, specify --with-libtool on the configure command
 line.
 
+Certain compiled-in constants and default settings can be increased to
+values better suited to large servers with abundant memory resources (e.g,
+64-bit servers with 12G or more of memory) by specifying --with-tuning=
+large on the configure command line. This can improve performance on big
+servers, but will consume more memory and may degrade performance on
+smaller systems.
+
 For the server to support DNSSEC, you need to build it with crypto
 support. To use OpenSSL, you should have OpenSSL 1.0.2e or newer
 installed. If the OpenSSL library is installed in a nonstandard location,
@@ -260,12 +222,9 @@ operations, specify the path to the PKCS#11 provider library using
 --with-pkcs11=<PREFIX>, and configure BIND with --enable-native-pkcs11.
 
 To support the HTTP statistics channel, the server must be linked with at
-least one of the following libraries: libxml2 http://xmlsoft.org or json-c
-https://github.com/json-c/json-c. If these are installed at a nonstandard
-location, then:
-
-  * for libxml2, specify the prefix using --with-libxml2=/prefix,
-  * for json-c, adjust PKG_CONFIG_PATH.
+least one of the following: libxml2 http://xmlsoft.org or json-c https://
+github.com/json-c. If these are installed at a nonstandard location,
+specify the prefix using --with-libxml2=/prefix or --with-libjson=/prefix.
 
 To support compression on the HTTP statistics channel, the server must be
 linked against libzlib. If this is installed in a nonstandard location,
@@ -285,17 +244,16 @@ github.com/farsightsec/fstrm and libprotobuf-c https://
 developers.google.com/protocol-buffers, and BIND must be configured with
 --enable-dnstap.
 
-Certain compiled-in constants and default settings can be increased to
-values better suited to large servers with abundant memory resources (e.g,
-64-bit servers with 12G or more of memory) by specifying --with-tuning=
-large on the configure command line. This can improve performance on big
-servers, but will consume more memory and may degrade performance on
-smaller systems.
-
 On Linux, process capabilities are managed in user space using the libcap
 library, which can be installed on most Linux systems via the libcap-dev
-or libcap-devel package. Process capability support can also be disabled
-by configuring with --disable-linux-caps.
+or libcap-devel module. Process capability support can also be disabled by
+configuring with --disable-linux-caps.
+
+Portions of BIND that are written in Python, including dnssec-keymgr,
+dnssec-coverage, dnssec-checkds, and some of the system tests, require the
+'argparse' and 'ply' modules to be available. 'argparse' is a standard
+module as of Python 2.7 and Python 3.2. 'ply' is available from https://
+pypi.python.org/pypi/ply.
 
 On some platforms it is necessary to explicitly request large file support
 to handle files bigger than 2GB. This can be done by using
@@ -306,10 +264,6 @@ specifying --enable-fixed-rrset or --disable-fixed-rrset on the configure
 command line. By default, fixed rrset-order is disabled to reduce memory
 footprint.
 
-The --enable-querytrace option causes named to log every step of
-processing every query. This should only be enabled when debugging,
-because it has a significant negative impact on query performance.
-
 make install will install named and the various BIND 9 libraries. By
 default, installation is into /usr/local, but this can be changed with the
 --prefix option when running configure.
@@ -332,18 +286,16 @@ ifconfig.sh up as root.
 
 Some tests require Perl and the Net::DNS and/or IO::Socket::INET6 modules,
 and will be skipped if these are not available. Some tests require Python
-and the dnspython module and will be skipped if these are not available.
+and the 'dnspython' module and will be skipped if these are not available.
 See bin/tests/system/README for further details.
 
-Unit tests are implemented using the CMocka unit testing framework. To
-build them, use configure --with-cmocka. Execution of tests is done by the
-Kyua test execution engine; if the kyua command is available, then unit
-tests can be run via make test or make unit.
+Unit tests are implemented using Automated Testing Framework (ATF). To run
+them, use configure --with-atf, then run make test or make unit.
 
 Documentation
 
 The BIND 9 Administrator Reference Manual is included with the source
-distribution, in DocBook XML, HTML, and PDF format, in the doc/arm
+distribution, in DocBook XML, HTML and PDF format, in the doc/arm
 directory.
 
 Some of the programs in the BIND 9 distribution have man pages in their
@@ -363,7 +315,7 @@ development BIND 9 is included in the file CHANGES, with the most recent
 changes listed first. Change notes include tags indicating the category of
 the change that was made; these categories are:
 
-   Category                            Description
+Category       Description
 [func]         New feature
 [bug]          General bug fix
 [security]     Fix for a significant security flaw
@@ -391,46 +343,26 @@ releases (i.e., those with version numbers ending in zero). Some new
 functionality may be backported to older releases on a case-by-case basis.
 All other change types may be applied to all currently-supported releases.
 
-Bug report identifiers
-
-Most notes in the CHANGES file include a reference to a bug report or
-issue number. Prior to 2018, these were usually of the form [RT #NNN] and
-referred to entries in the "bind9-bugs" RT database, which was not open to
-the public. More recent entries use the form [GL #NNN] or, less often, [GL
-!NNN], which, respectively, refer to issues or merge requests in the
-GitLab database. Most of these are publicly readable, unless they include
-information which is confidential or security sensitive.
-
-To look up a GitLab issue by its number, use the URL https://
-gitlab.isc.org/isc-projects/bind9/issues/NNN. To look up a merge request,
-use https://gitlab.isc.org/isc-projects/bind9/merge_requests/NNN.
-
-In rare cases, an issue or merge request number may be followed with the
-letter "P". This indicates that the information is in the private ISC
-GitLab instance, which is not visible to the public.
-
 Acknowledgments
 
   * The original development of BIND 9 was underwritten by the following
     organizations:
 
-      Sun Microsystems, Inc.
-      Hewlett Packard
-      Compaq Computer Corporation
-      IBM
-      Process Software Corporation
-      Silicon Graphics, Inc.
-      Network Associates, Inc.
-      U.S. Defense Information Systems Agency
-      USENIX Association
-      Stichting NLnet - NLnet Foundation
-      Nominum, Inc.
+    Sun Microsystems, Inc.
+    Hewlett Packard
+    Compaq Computer Corporation
+    IBM
+    Process Software Corporation
+    Silicon Graphics, Inc.
+    Network Associates, Inc.
+    U.S. Defense Information Systems Agency
+    USENIX Association
+    Stichting NLnet - NLnet Foundation
+    Nominum, Inc.
 
   * This product includes software developed by the OpenSSL Project for
     use in the OpenSSL Toolkit. http://www.OpenSSL.org/
-
   * This product includes cryptographic software written by Eric Young
     (eay@cryptsoft.com)
-
   * This product includes software written by Tim Hudson
     (tjh@cryptsoft.com)

README.md

@@ -15,10 +15,9 @@
 1. [Introduction](#intro)
 1. [Reporting bugs and getting help](#help)
 1. [Contributing to BIND](#contrib)
-1. [BIND 9.14 features](#features)
+1. [BIND 9.13 features](#features)
 1. [Building BIND](#build)
 1. [macOS](#macos)
-1. [Dependencies](#dependencies)
 1. [Compile-time options](#opts)
 1. [Automated testing](#testing)
 1. [Documentation](#doc)
@@ -48,7 +47,7 @@ used in versions 4 and 8.  Internet Systems Consortium
 corporation dedicated to providing software and services in support of the
 Internet infrastructure, developed BIND 9 and is responsible for its
 ongoing maintenance and improvement.  BIND is open source software
-licensed under the terms of the Mozilla Public License, version 2.0.
+licenced under the terms of the Mozilla Public License, version 2.0.
 
 For a summary of features introduced in past major releases of BIND,
 see the file [HISTORY](HISTORY.md).
@@ -82,9 +81,6 @@ assertion failure or other crash in `named`, please do *NOT* use GitLab to
 report it. Instead, please send mail to
 [security-officer@isc.org](mailto:security-officer@isc.org).
 
-For a general overview of ISC security policies, read the Knowledge Base
-article at [https://kb.isc.org/docs/aa-00861](https://kb.isc.org/docs/aa-00861).
-
 Professional support and training for BIND are available from
 ISC at [https://www.isc.org/support](https://www.isc.org/support).
 
@@ -106,7 +102,7 @@ Information for BIND contributors can be found in the following files:
 - BIND architecture and developer guide: [doc/dev/dev.md](doc/dev/dev.md)
 
 Patches for BIND may be submitted as
-[merge requests](https://gitlab.isc.org/isc-projects/bind9/merge_requests)
+[Merge Requests](https://gitlab.isc.org/isc-projects/bind9/merge_requests)
 in the [ISC GitLab server](https://gitlab.isc.org) at
 at [https://gitlab.isc.org/isc-projects/bind9/merge_requests](https://gitlab.isc.org/isc-projects/bind9/merge_requests).
 
@@ -120,18 +116,13 @@ If you prefer, you may also submit code by opening a
 including your patch as an attachment, preferably generated by
 `git format-patch`.
 
-### <a name="features"/> BIND 9.14 features
+### <a name="features"/> BIND 9.13 features
 
-BIND 9.14.0 is the first release from a new stable branch of BIND 9,
-incorporating all changes from the 9.13 development branch, updating
-the most recent stable branch, 9.12.  These changes include:
+BIND 9.13 is the newest development branch of BIND 9. It includes a
+number of changes from BIND 9.12 and earlier releases.  New features
+include:
 
-* A new "plugin" mechanism has been added to allow query functionality
-  to be extended using dynamically loadable libraries. The "filter-aaaa"
-  feature has been removed from named and is now implemented as a plugin.
 * QNAME minimization, as described in RFC 7816, is now supported.
-* Socket and task code has been refactored to improve performance on most
-  modern machines.
 * "Root key sentinel" support, enabling validating resolvers to indicate
   via a special query which trust anchors are configured for the root zone.
 * Secondary zones can now be configured as "mirror" zones; their contents
@@ -143,8 +134,6 @@ the most recent stable branch, 9.12.  These changes include:
   DNSSEC validation should not be performed.
 * The default value of "dnssec-validation" is now "auto".
 * IDNA2008 is now supported when linking with `libidn2`.
-* "named -V" now outputs the default paths for files used by named
-  and other tools.
 
 In addition, workarounds that were formerly in place to enable resolution
 of domains whose authoritative servers did not respond to EDNS queries
@@ -154,55 +143,22 @@ for more details.
 Cryptographic support has been modernized. BIND now uses the
 best available pseudo-random number generator for the platform on which
 it's built. Very old versions of OpenSSL are no longer supported.
-Cryptography is now mandatory: building BIND without DNSSEC is no
+Cryptography is now mandatory: building BIND without DNSSEC is now
 longer supported.
 
 Special code to support certain legacy operating systems has also
 been removed; see the file [PLATFORMS.md](PLATFORMS.md) for details
 of supported platforms. In addition to OpenSSL, BIND now requires
 support for IPv6, threads, and standard atomic operations provided
-by the C compiler. Non-threaded builds are no longer supported.
-
-#### BIND 9.14.1
-
-BIND 9.14.1 is a maintenance release, and addresses security
-vulnerabilities disclosed in CVE-2018-5743 and CVE-2019-6467.
-
-#### BIND 9.14.2
-
-BIND 9.14.2 is a maintenance release.
-
-#### BIND 9.14.3
-
-BIND 9.14.3 is a maintenance release, and addresses the security
-vulnerability disclosed in CVE-2019-6471.
-
-#### BIND 9.14.4
-
-BIND 9.14.4 is a maintenance release, and also adds support for
-the new MaxMind GeoIP2 geolocation API when built with
-`configure --with-geoip2`.
-
-#### BIND 9.14.5
-
-BIND 9.14.5 is a maintenance release.
-
-#### BIND 9.14.6
-
-BIND 9.14.6 is a maintenance release.
-
-#### BIND 9.14.7
-
-BIND 9.14.7 is a maintenance release, and also addresses the security
-vulnerabilities disclosed in CVE-2019-6475 and CVE-2019-6476.
+by the C compiler.
 
 ### <a name="build"/> Building BIND
 
 Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
 basic POSIX support, and a 64-bit integer type. Successful builds have been
-observed on many versions of Linux and UNIX, including RHEL/CentOS, Fedora,
-Debian, Ubuntu, SLES, openSUSE, Slackware, Alpine, FreeBSD, NetBSD,
-OpenBSD, macOS, Solaris, OpenIndiana, OmniOS CE, HP-UX, and OpenWRT.
+observed on many versions of Linux and UNIX, including RedHat, Fedora,
+Debian, Ubuntu, SuSE, Slackware, FreeBSD, NetBSD, OpenBSD, Mac OS X,
+Solaris, HP-UX, and OpenWRT.
 
 BIND requires a cryptography provider library such as OpenSSL or a
 hardware service module supporting PKCS#11. On Linux, BIND requires
@@ -211,8 +167,8 @@ can be overridden by disabling capability support at compile time.
 See [Compile-time options](#opts) below for details on other libraries
 that may be required to support optional features.
 
-BIND is also available for Windows Server 2008 and higher.  See
-`win32utils/build.txt` for details on building for Windows
+BIND is also available for Windows 2008 and higher.  See
+`win32utils/readme1st.txt` for details on building for Windows
 systems.
 
 To build on a UNIX or Linux system, use:
@@ -234,32 +190,44 @@ affect compilation:
 |`STD_CDEFINES`|Any additional preprocessor symbols you want defined.  Defaults to empty string. For a list of possible settings, see the file [OPTIONS](OPTIONS.md).|
 |`LDFLAGS`|Linker flags. Defaults to empty string.|
 |`BUILD_CC`|Needed when cross-compiling: the native C compiler to use when building for the target system.|
-|`BUILD_CFLAGS`|`CFLAGS` for the target system during cross-compiling.|
-|`BUILD_CPPFLAGS`|`CPPFLAGS` for the target system during cross-compiling.|
-|`BUILD_LDFLAGS`|`LDFLAGS` for the target system during cross-compiling.|
-|`BUILD_LIBS`|`LIBS` for the target system during cross-compiling.|
+|`BUILD_CFLAGS`|Optional, used for cross-compiling|
+|`BUILD_CPPFLAGS`||
+|`BUILD_LDFLAGS`||
+|`BUILD_LIBS`||
 
 #### <a name="macos"> macOS
 
 Building on macOS assumes that the "Command Tools for Xcode" is installed.
-This can be downloaded from [https://developer.apple.com/download/more/](https://developer.apple.com/download/more/)
-or if you have Xcode already installed you can run `xcode-select --install`.
+This can be downloaded from https://developer.apple.com/download/more/
+or if you have Xcode already installed you can run "xcode-select --install".
+This will add /usr/include to the system and install the compiler and other
+tools so that they can be easily found.
 
-### <a name="dependencies"/> Dependencies
-
-Portions of BIND that are written in Python, including
-`dnssec-keymgr`, `dnssec-coverage`, `dnssec-checkds`, and some of the
-system tests, require the `argparse` and `ply` modules to be available.
-`argparse` is a standard module as of Python 2.7 and Python 3.2.
-`ply` is available from [https://pypi.python.org/pypi/ply](https://pypi.python.org/pypi/ply).
 
 #### <a name="opts"/> Compile-time options
 
 To see a full list of configuration options, run `configure --help`.
 
+On most platforms, BIND 9 is built with multithreading support, allowing it
+to take advantage of multiple CPUs.  You can configure this by specifying
+`--enable-threads` or `--disable-threads` on the `configure` command line.
+The default is to enable threads, except on some older operating systems on
+which threads are known to have had problems in the past.  (Note: Prior to
+BIND 9.10, the default was to disable threads on Linux systems; this has
+now been reversed.  On Linux systems, the threaded build is known to change
+BIND's behavior with respect to file permissions; it may be necessary to
+specify a user with the -u option when running `named`.)
+
 To build shared libraries, specify `--with-libtool` on the `configure`
 command line.
 
+Certain compiled-in constants and default settings can be increased to
+values better suited to large servers with abundant memory resources (e.g,
+64-bit servers with 12G or more of memory) by specifying
+`--with-tuning=large` on the `configure` command line. This can improve
+performance on big servers, but will consume more memory and may degrade
+performance on smaller systems.
+
 For the server to support DNSSEC, you need to build it with crypto support.
 To use OpenSSL, you should have OpenSSL 1.0.2e or newer installed.  If the
 OpenSSL library is installed in a nonstandard location, specify the prefix
@@ -269,16 +237,14 @@ path to the PKCS#11 provider library using `--with-pkcs11=<PREFIX>`, and
 configure BIND with `--enable-native-pkcs11`.
 
 To support the HTTP statistics channel, the server must be linked with at
-least one of the following libraries: `libxml2`
-[http://xmlsoft.org](http://xmlsoft.org) or `json-c`
-[https://github.com/json-c/json-c](https://github.com/json-c/json-c).
-If these are installed at a nonstandard location, then:
-
-* for `libxml2`, specify the prefix using `--with-libxml2=/prefix`,
-* for `json-c`, adjust `PKG_CONFIG_PATH`.
+least one of the following: libxml2
+[http://xmlsoft.org](http://xmlsoft.org) or json-c
+[https://github.com/json-c](https://github.com/json-c).  If these are
+installed at a nonstandard location, specify the prefix using
+`--with-libxml2=/prefix` or `--with-libjson=/prefix`.
 
 To support compression on the HTTP statistics channel, the server must be
-linked against `libzlib`.  If this is installed in a nonstandard location,
+linked against libzlib.  If this is installed in a nonstandard location,
 specify the prefix using `--with-zlib=/prefix`.
 
 To support storing configuration data for runtime-added zones in an LMDB
@@ -290,24 +256,23 @@ libGeoIP. This is not turned on by default; BIND must be configured with
 `--with-geoip`. If the library is installed in a nonstandard location,
 specify the prefix using `--with-geoip=/prefix`.
 
-For DNSTAP packet logging, you must have installed `libfstrm`
+For DNSTAP packet logging, you must have installed libfstrm
 [https://github.com/farsightsec/fstrm](https://github.com/farsightsec/fstrm)
-and `libprotobuf-c`
+and libprotobuf-c
 [https://developers.google.com/protocol-buffers](https://developers.google.com/protocol-buffers),
 and BIND must be configured with `--enable-dnstap`.
 
-Certain compiled-in constants and default settings can be increased to
-values better suited to large servers with abundant memory resources (e.g,
-64-bit servers with 12G or more of memory) by specifying
-`--with-tuning=large` on the `configure` command line. This can improve
-performance on big servers, but will consume more memory and may degrade
-performance on smaller systems.
-
 On Linux, process capabilities are managed in user space using
 the `libcap` library, which can be installed on most Linux systems via
-the `libcap-dev` or `libcap-devel` package. Process capability support can
+the `libcap-dev` or `libcap-devel` module. Process capability support can
 also be disabled by configuring with `--disable-linux-caps`.
 
+Portions of BIND that are written in Python, including
+`dnssec-keymgr`, `dnssec-coverage`, `dnssec-checkds`, and some of the
+system tests, require the 'argparse' and 'ply' modules to be available.
+'argparse' is a standard module as of Python 2.7 and Python 3.2.
+'ply' is available from [https://pypi.python.org/pypi/ply](https://pypi.python.org/pypi/ply).
+
 On some platforms it is necessary to explicitly request large file support
 to handle files bigger than 2GB.  This can be done by using
 `--enable-largefile` on the `configure` command line.
@@ -317,10 +282,6 @@ specifying `--enable-fixed-rrset` or `--disable-fixed-rrset` on the
 configure command line.  By default, fixed rrset-order is disabled to
 reduce memory footprint.
 
-The `--enable-querytrace` option causes `named` to log every step of
-processing every query. This should only be enabled when debugging, because
-it has a significant negative impact on query performance.
-
 `make install` will install `named` and the various BIND 9 libraries.  By
 default, installation is into /usr/local, but this can be changed with the
 `--prefix` option when running `configure`.
@@ -341,21 +302,19 @@ multiple servers to run locally and communicate with one another).  These
 IP addresses can be configured by running the command
 `bin/tests/system/ifconfig.sh up` as root.
 
-Some tests require Perl and the `Net::DNS` and/or `IO::Socket::INET6` modules,
+Some tests require Perl and the Net::DNS and/or IO::Socket::INET6 modules,
 and will be skipped if these are not available. Some tests require Python
-and the `dnspython` module and will be skipped if these are not available.
+and the 'dnspython' module and will be skipped if these are not available.
 See bin/tests/system/README for further details.
 
-Unit tests are implemented using the [CMocka unit testing framework](https://cmocka.org/).
-To build them, use `configure --with-cmocka`. Execution of tests is done
-by the [Kyua test execution engine](https://github.com/jmmv/kyua); if the
-`kyua` command is available, then unit tests can be run via `make test`
-or `make unit`.
+Unit tests are implemented using Automated Testing Framework (ATF).
+To run them, use `configure --with-atf`, then run `make test` or
+`make unit`.
 
 ### <a name="doc"/> Documentation
 
 The *BIND 9 Administrator Reference Manual* is included with the source
-distribution, in DocBook XML, HTML, and PDF format, in the `doc/arm`
+distribution, in DocBook XML, HTML and PDF format, in the `doc/arm`
 directory.
 
 Some of the programs in the BIND 9 distribution have man pages in their
@@ -398,25 +357,6 @@ releases (i.e., those with version numbers ending in zero).  Some new
 functionality may be backported to older releases on a case-by-case basis.
 All other change types may be applied to all currently-supported releases.
 
-#### Bug report identifiers
-
-Most notes in the CHANGES file include a reference to a bug report or
-issue number. Prior to 2018, these were usually of the form `[RT #NNN]`
-and referred to entries in the "bind9-bugs" RT database, which was not open
-to the public. More recent entries use the form `[GL #NNN]` or, less often,
-`[GL !NNN]`, which, respectively, refer to issues or merge requests in the
-GitLab database. Most of these are publicly readable, unless they include
-information which is confidential or security sensitive.
-
-To look up a GitLab issue by its number, use the URL
-[https://gitlab.isc.org/isc-projects/bind9/issues/NNN](https://gitlab.isc.org/isc-projects/bind9/issues).
-To look up a merge request, use
-[https://gitlab.isc.org/isc-projects/bind9/merge_requests/NNN](https://gitlab.isc.org/isc-projects/bind9/merge_requests).
-
-In rare cases, an issue or merge request number may be followed with the
-letter "P". This indicates that the information is in the private ISC
-GitLab instance, which is not visible to the public.
-
 ### <a name="ack"/> Acknowledgments
 
 * The original development of BIND 9 was underwritten by the

aclocal.m4

@@ -289,10 +289,7 @@ AS_VAR_IF([$1], [""], [$5], [$4])dnl
 ])dnl PKG_CHECK_VAR
 
 m4_include([m4/ax_check_openssl.m4])
-m4_include([m4/ax_posix_shell.m4])
 m4_include([m4/ax_pthread.m4])
-m4_include([m4/ax_restore_flags.m4])
-m4_include([m4/ax_save_flags.m4])
 m4_include([m4/libtool.m4])
 m4_include([m4/ltoptions.m4])
 m4_include([m4/ltsugar.m4])

bin/Makefile.in

@@ -12,7 +12,7 @@ VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
 
 SUBDIRS =	named rndc dig delv dnssec tools nsupdate check confgen \
-		@NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ plugins tests
+		@NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ tests
 TARGETS =
 
 @BIND9_MAKE_RULES@

bin/check/Makefile.in

@@ -21,7 +21,7 @@ CINCLUDES =	${NS_INCLUDES} ${BIND9_INCLUDES} ${DNS_INCLUDES} ${ISCCFG_INCLUDES}
 CDEFINES = 	-DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
 CWARNINGS =
 
-DNSLIBS =	../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
+DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
 ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
 ISCLIBS =	../../lib/isc/libisc.@A@ @OPENSSL_LIBS@
 ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LIBS@
@@ -66,7 +66,7 @@ named-checkzone.@O@: named-checkzone.c
 named-checkconf@EXEEXT@: named-checkconf.@O@ check-tool.@O@ ${ISCDEPLIBS} \
 		${NSDEPENDLIBS} ${DNSDEPLIBS} ${ISCCFGDEPLIBS} ${BIND9DEPLIBS}
 	export BASEOBJS="named-checkconf.@O@ check-tool.@O@"; \
-	export LIBS0="${BIND9LIBS} ${NSLIBS} ${ISCCFGLIBS} ${DNSLIBS}"; \
+	export LIBS0="${NSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} ${DNSLIBS}"; \
 	${FINALBUILDCMD}
 
 named-checkzone@EXEEXT@: named-checkzone.@O@ check-tool.@O@ ${ISCDEPLIBS} \

bin/check/named-checkconf.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -39,7 +39,7 @@
 named-checkconf \- named configuration file syntax checking tool
 .SH "SYNOPSIS"
 .HP \w'\fBnamed\-checkconf\fR\ 'u
-\fBnamed\-checkconf\fR [\fB\-chjlvz\fR] [\fB\-p\fR\ [\fB\-x\fR\ ]] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] {filename}
+\fBnamed\-checkconf\fR [\fB\-hjlvz\fR] [\fB\-p\fR\ [\fB\-x\fR\ ]] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] {filename}
 .SH "DESCRIPTION"
 .PP
 \fBnamed\-checkconf\fR
@@ -79,13 +79,6 @@ When loading a zonefile read the journal if it exists\&.
 List all the configured zones\&. Each line of output contains the zone name, class (e\&.g\&. IN), view, and type (e\&.g\&. master or slave)\&.
 .RE
 .PP
-\-c
-.RS 4
-Check "core" configuration only\&. This suppresses the loading of plugin modules, and causes all parameters to
-\fBplugin\fR
-statements to be ignored\&.
-.RE
-.PP
 \-p
 .RS 4
 Print out the
@@ -143,5 +136,5 @@ BIND 9 Administrator Reference Manual\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/check/named-checkconf.c

@@ -46,8 +46,6 @@
 
 static const char *program = "named-checkconf";
 
-static bool loadplugins = true;
-
 isc_log_t *logc = NULL;
 
 #define CHECK(r)\
@@ -63,7 +61,7 @@ usage(void) ISC_PLATFORM_NORETURN_POST;
 
 static void
 usage(void) {
-	fprintf(stderr, "usage: %s [-chjlvz] [-p [-x]] [-t directory] "
+	fprintf(stderr, "usage: %s [-hjlvz] [-p [-x]] [-t directory] "
 		"[named.conf]\n", program);
 	exit(1);
 }
@@ -284,10 +282,8 @@ configure_zone(const char *vclass, const char *view,
 		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
 			zone_options &= ~DNS_ZONEOPT_CHECKDUPRR;
 			zone_options &= ~DNS_ZONEOPT_CHECKDUPRRFAIL;
-		} else {
+		} else
 			INSIST(0);
-			ISC_UNREACHABLE();
-		}
 	} else {
 		zone_options |= DNS_ZONEOPT_CHECKDUPRR;
 		zone_options &= ~DNS_ZONEOPT_CHECKDUPRRFAIL;
@@ -304,10 +300,8 @@ configure_zone(const char *vclass, const char *view,
 		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
 			zone_options &= ~DNS_ZONEOPT_CHECKMX;
 			zone_options &= ~DNS_ZONEOPT_CHECKMXFAIL;
-		} else {
+		} else
 			INSIST(0);
-			ISC_UNREACHABLE();
-		}
 	} else {
 		zone_options |= DNS_ZONEOPT_CHECKMX;
 		zone_options &= ~DNS_ZONEOPT_CHECKMXFAIL;
@@ -333,10 +327,8 @@ configure_zone(const char *vclass, const char *view,
 		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
 			zone_options |= DNS_ZONEOPT_WARNMXCNAME;
 			zone_options |= DNS_ZONEOPT_IGNOREMXCNAME;
-		} else {
+		} else
 			INSIST(0);
-			ISC_UNREACHABLE();
-		}
 	} else {
 		zone_options |= DNS_ZONEOPT_WARNMXCNAME;
 		zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME;
@@ -353,10 +345,8 @@ configure_zone(const char *vclass, const char *view,
 		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
 			zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
 			zone_options |= DNS_ZONEOPT_IGNORESRVCNAME;
-		} else {
+		} else
 			INSIST(0);
-			ISC_UNREACHABLE();
-		}
 	} else {
 		zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
 		zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME;
@@ -376,10 +366,8 @@ configure_zone(const char *vclass, const char *view,
 			zone_options |= DNS_ZONEOPT_CHECKSPF;
 		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
 			zone_options &= ~DNS_ZONEOPT_CHECKSPF;
-		} else {
+		} else
 			INSIST(0);
-			ISC_UNREACHABLE();
-		}
 	} else {
 		zone_options |= DNS_ZONEOPT_CHECKSPF;
 	}
@@ -395,10 +383,8 @@ configure_zone(const char *vclass, const char *view,
 		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
 			zone_options &= ~DNS_ZONEOPT_CHECKNAMES;
 			zone_options &= ~DNS_ZONEOPT_CHECKNAMESFAIL;
-		} else {
+		} else
 			INSIST(0);
-			ISC_UNREACHABLE();
-		}
 	} else {
 	       zone_options |= DNS_ZONEOPT_CHECKNAMES;
 	       zone_options |= DNS_ZONEOPT_CHECKNAMESFAIL;
@@ -408,16 +394,14 @@ configure_zone(const char *vclass, const char *view,
 	fmtobj = NULL;
 	if (get_maps(maps, "masterfile-format", &fmtobj)) {
 		const char *masterformatstr = cfg_obj_asstring(fmtobj);
-		if (strcasecmp(masterformatstr, "text") == 0) {
+		if (strcasecmp(masterformatstr, "text") == 0)
 			masterformat = dns_masterformat_text;
-		} else if (strcasecmp(masterformatstr, "raw") == 0) {
+		else if (strcasecmp(masterformatstr, "raw") == 0)
 			masterformat = dns_masterformat_raw;
-		} else if (strcasecmp(masterformatstr, "map") == 0) {
+		else if (strcasecmp(masterformatstr, "map") == 0)
 			masterformat = dns_masterformat_map;
-		} else {
+		else
 			INSIST(0);
-			ISC_UNREACHABLE();
-		}
 	}
 
 	obj = NULL;
@@ -564,7 +548,7 @@ main(int argc, char **argv) {
 	/*
 	 * Process memory debugging argument first.
 	 */
-#define CMDLINE_FLAGS "cdhjlm:t:pvxz"
+#define CMDLINE_FLAGS "dhjlm:t:pvxz"
 	while ((c = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
 		switch (c) {
 		case 'm':
@@ -589,10 +573,6 @@ main(int argc, char **argv) {
 
 	while ((c = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != EOF) {
 		switch (c) {
-		case 'c':
-			loadplugins = false;
-			break;
-
 		case 'd':
 			debug++;
 			break;
@@ -683,10 +663,9 @@ main(int argc, char **argv) {
 	    ISC_R_SUCCESS)
 		exit(1);
 
-	result = bind9_check_namedconf(config, loadplugins, logc, mctx);
-	if (result != ISC_R_SUCCESS) {
+	result = bind9_check_namedconf(config, logc, mctx);
+	if (result != ISC_R_SUCCESS)
 		exit_status = 1;
-	}
 
 	if (result == ISC_R_SUCCESS && (load_zones || list_zones)) {
 		result = load_zones_fromconfig(config, mctx, list_zones);

bin/check/named-checkconf.docbook

@@ -40,7 +40,6 @@
       <year>2015</year>
       <year>2016</year>
       <year>2018</year>
-      <year>2019</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
@@ -53,7 +52,7 @@
   <refsynopsisdiv>
     <cmdsynopsis sepchar=" ">
       <command>named-checkconf</command>
-      <arg choice="opt" rep="norepeat"><option>-chjlvz</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-hjlvz</option></arg>
       <arg choice="opt" rep="norepeat"><option>-p</option>
 	<arg choice="opt" rep="norepeat"><option>-x</option>
       </arg></arg>
@@ -115,17 +114,6 @@
         </listitem>
       </varlistentry>
 
-      <varlistentry>
-        <term>-c</term>
-        <listitem>
-          <para>
-	    Check "core" configuration only. This suppresses the loading
-	    of plugin modules, and causes all parameters to
-	    <command>plugin</command> statements to be ignored.
-          </para>
-        </listitem>
-      </varlistentry>
-
       <varlistentry>
         <term>-p</term>
         <listitem>

bin/check/named-checkconf.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -33,7 +33,7 @@
 <h2>Synopsis</h2>
     <div class="cmdsynopsis"><p>
       <code class="command">named-checkconf</code> 
-       [<code class="option">-chjlvz</code>]
+       [<code class="option">-hjlvz</code>]
        [<code class="option">-p</code>
 	 [<code class="option">-x</code>
       ]]
@@ -88,14 +88,6 @@
             (e.g. master or slave).
           </p>
         </dd>
-<dt><span class="term">-c</span></dt>
-<dd>
-          <p>
-	    Check "core" configuration only. This suppresses the loading
-	    of plugin modules, and causes all parameters to
-	    <span class="command"><strong>plugin</strong></span> statements to be ignored.
-          </p>
-        </dd>
 <dt><span class="term">-p</span></dt>
 <dd>
           <p>

bin/check/named-checkzone.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2000-2002, 2004-2007, 2009-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2002, 2004-2007, 2009-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -325,5 +325,5 @@ BIND 9 Administrator Reference Manual\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2000-2002, 2004-2007, 2009-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000-2002, 2004-2007, 2009-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/check/named-checkzone.c

@@ -139,14 +139,12 @@ main(int argc, char **argv) {
 #define PROGCMP(X) \
 	(strcasecmp(prog_name, X) == 0 || strcasecmp(prog_name, X ".exe") == 0)
 
-	if (PROGCMP("named-checkzone")) {
+	if (PROGCMP("named-checkzone"))
 		progmode = progmode_check;
-	} else if (PROGCMP("named-compilezone")) {
+	else if (PROGCMP("named-compilezone"))
 		progmode = progmode_compile;
-	} else {
+	else
 		INSIST(0);
-		ISC_UNREACHABLE();
-	}
 
 	/* Compilation specific defaults */
 	if (progmode == progmode_compile) {

bin/check/named-checkzone.docbook

@@ -43,7 +43,6 @@
       <year>2015</year>
       <year>2016</year>
       <year>2018</year>
-      <year>2019</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>

bin/check/named-checkzone.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2002, 2004-2007, 2009-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2002, 2004-2007, 2009-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this

bin/check/win32/checkconf.vcxproj.in

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup Label="ProjectConfigurations">
     <ProjectConfiguration Include="Debug|@PLATFORM@">
       <Configuration>Debug</Configuration>
@@ -14,21 +14,18 @@
     <ProjectGuid>{03A96113-CB14-43AA-AEB2-48950E3915C5}</ProjectGuid>
     <Keyword>Win32Proj</Keyword>
     <RootNamespace>checkconf</RootNamespace>
-    @WINDOWS_TARGET_PLATFORM_VERSION@
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>true</UseDebugLibraries>
     <CharacterSet>MultiByte</CharacterSet>
-    @PLATFORM_TOOLSET@
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>false</UseDebugLibraries>
     <WholeProgramOptimization>true</WholeProgramOptimization>
     <CharacterSet>MultiByte</CharacterSet>
-    @PLATFORM_TOOLSET@
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
   <ImportGroup Label="ExtensionSettings">

bin/check/win32/checktool.vcxproj.in

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup Label="ProjectConfigurations">
     <ProjectConfiguration Include="Debug|@PLATFORM@">
       <Configuration>Debug</Configuration>
@@ -17,21 +17,18 @@
     <ProjectGuid>{2C1F7096-C5B5-48D4-846F-A7ACA454335D}</ProjectGuid>
     <Keyword>Win32Proj</Keyword>
     <RootNamespace>checktool</RootNamespace>
-    @WINDOWS_TARGET_PLATFORM_VERSION@
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
     <ConfigurationType>StaticLibrary</ConfigurationType>
     <UseDebugLibraries>true</UseDebugLibraries>
     <CharacterSet>MultiByte</CharacterSet>
-    @PLATFORM_TOOLSET@
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
     <ConfigurationType>StaticLibrary</ConfigurationType>
     <UseDebugLibraries>false</UseDebugLibraries>
     <WholeProgramOptimization>true</WholeProgramOptimization>
     <CharacterSet>MultiByte</CharacterSet>
-    @PLATFORM_TOOLSET@
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
   <ImportGroup Label="ExtensionSettings">

bin/check/win32/checkzone.vcxproj.in

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup Label="ProjectConfigurations">
     <ProjectConfiguration Include="Debug|@PLATFORM@">
       <Configuration>Debug</Configuration>
@@ -14,21 +14,18 @@
     <ProjectGuid>{66028555-7DD5-4016-B601-9EF9A1EE8BFA}</ProjectGuid>
     <Keyword>Win32Proj</Keyword>
     <RootNamespace>checkzone</RootNamespace>
-    @WINDOWS_TARGET_PLATFORM_VERSION@
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>true</UseDebugLibraries>
     <CharacterSet>MultiByte</CharacterSet>
-    @PLATFORM_TOOLSET@
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>false</UseDebugLibraries>
     <WholeProgramOptimization>true</WholeProgramOptimization>
     <CharacterSet>MultiByte</CharacterSet>
-    @PLATFORM_TOOLSET@
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
   <ImportGroup Label="ExtensionSettings">
@@ -65,15 +62,15 @@
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <BrowseInformation>true</BrowseInformation>
-      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
     <Link>
       <SubSystem>Console</SubSystem>
       <GenerateDebugInformation>true</GenerateDebugInformation>
       <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
-      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\ns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
-      <AdditionalDependencies>@OPENSSL_LIB@checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);..\..\..\lib\ns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIB@checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libbind9.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
     </Link>
     <PostBuildEvent>
       <Command>cd ..\..\..\Build\$(Configuration)
@@ -98,7 +95,7 @@ copy /Y named-checkzone.ilk named-compilezone.ilk
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
-      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
     <Link>
@@ -107,8 +104,8 @@ copy /Y named-checkzone.ilk named-compilezone.ilk
       <EnableCOMDATFolding>true</EnableCOMDATFolding>
       <OptimizeReferences>true</OptimizeReferences>
       <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
-      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\ns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
-      <AdditionalDependencies>@OPENSSL_LIB@checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);..\..\..\lib\ns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIB@checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libbind9.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
       <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
     </Link>
     <PostBuildEvent>

bin/confgen/Makefile.in

@@ -29,7 +29,7 @@ ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
 ISCCCLIBS =	../../lib/isccc/libisccc.@A@
 ISCLIBS =	../../lib/isc/libisc.@A@ @OPENSSL_LIBS@
 ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LIBS@
-DNSLIBS =	../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
+DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
 BIND9LIBS =	../../lib/bind9/libbind9.@A@
 
 ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@

bin/confgen/ddns-confgen.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -144,5 +144,5 @@ BIND 9 Administrator Reference Manual\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/confgen/ddns-confgen.c

@@ -125,12 +125,10 @@ main(int argc, char **argv) {
 	if (PROGCMP("tsig-keygen")) {
 		progmode = progmode_keygen;
 		quiet = true;
-	} else if (PROGCMP("ddns-confgen")) {
+	} else if (PROGCMP("ddns-confgen"))
 		progmode = progmode_confgen;
-	} else {
+	else
 		INSIST(0);
-		ISC_UNREACHABLE();
-	}
 
 	isc_commandline_errprint = false;
 

bin/confgen/ddns-confgen.docbook

@@ -37,7 +37,6 @@
       <year>2015</year>
       <year>2016</year>
       <year>2018</year>
-      <year>2019</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>

bin/confgen/ddns-confgen.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this

bin/confgen/rndc-confgen.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -206,5 +206,5 @@ BIND 9 Administrator Reference Manual\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2001, 2003-2005, 2007, 2009, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2001, 2003-2005, 2007, 2009, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/confgen/rndc-confgen.docbook

@@ -44,7 +44,6 @@
       <year>2016</year>
       <year>2017</year>
       <year>2018</year>
-      <year>2019</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>

bin/confgen/rndc-confgen.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this

bin/confgen/win32/confgentool.vcxproj.in

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup Label="ProjectConfigurations">
     <ProjectConfiguration Include="Debug|@PLATFORM@">
       <Configuration>Debug</Configuration>
@@ -14,21 +14,18 @@
     <ProjectGuid>{64964B03-4815-41F0-9057-E766A94AF197}</ProjectGuid>
     <Keyword>Win32Proj</Keyword>
     <RootNamespace>confgentool</RootNamespace>
-    @WINDOWS_TARGET_PLATFORM_VERSION@
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
     <ConfigurationType>StaticLibrary</ConfigurationType>
     <UseDebugLibraries>true</UseDebugLibraries>
     <CharacterSet>MultiByte</CharacterSet>
-    @PLATFORM_TOOLSET@
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
     <ConfigurationType>StaticLibrary</ConfigurationType>
     <UseDebugLibraries>false</UseDebugLibraries>
     <WholeProgramOptimization>true</WholeProgramOptimization>
     <CharacterSet>MultiByte</CharacterSet>
-    @PLATFORM_TOOLSET@
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
   <ImportGroup Label="ExtensionSettings">

bin/confgen/win32/ddnsconfgen.vcxproj.in

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup Label="ProjectConfigurations">
     <ProjectConfiguration Include="Debug|@PLATFORM@">
       <Configuration>Debug</Configuration>
@@ -14,21 +14,18 @@
     <ProjectGuid>{1EA4FC64-F33B-4A50-970A-EA052BBE9CF1}</ProjectGuid>
     <Keyword>Win32Proj</Keyword>
     <RootNamespace>ddnsconfgen</RootNamespace>
-    @WINDOWS_TARGET_PLATFORM_VERSION@
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>true</UseDebugLibraries>
     <CharacterSet>MultiByte</CharacterSet>
-    @PLATFORM_TOOLSET@
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>false</UseDebugLibraries>
     <WholeProgramOptimization>true</WholeProgramOptimization>
     <CharacterSet>MultiByte</CharacterSet>
-    @PLATFORM_TOOLSET@
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
   <ImportGroup Label="ExtensionSettings">

bin/confgen/win32/rndcconfgen.vcxproj.in

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup Label="ProjectConfigurations">
     <ProjectConfiguration Include="Debug|@PLATFORM@">
       <Configuration>Debug</Configuration>
@@ -14,21 +14,18 @@
     <ProjectGuid>{1E2C1635-3093-4D59-80E7-4743AC10F22F}</ProjectGuid>
     <Keyword>Win32Proj</Keyword>
     <RootNamespace>rndcconfgen</RootNamespace>
-    @WINDOWS_TARGET_PLATFORM_VERSION@
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>true</UseDebugLibraries>
     <CharacterSet>MultiByte</CharacterSet>
-    @PLATFORM_TOOLSET@
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>false</UseDebugLibraries>
     <WholeProgramOptimization>true</WholeProgramOptimization>
     <CharacterSet>MultiByte</CharacterSet>
-    @PLATFORM_TOOLSET@
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
   <ImportGroup Label="ExtensionSettings">

bin/delv/Makefile.in

@@ -23,7 +23,7 @@ CDEFINES =	-DVERSION=\"${VERSION}\" \
 CWARNINGS =
 
 ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
-DNSLIBS =	../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
+DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
 ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LIBS@
 ISCLIBS =	../../lib/isc/libisc.@A@ @OPENSSL_LIBS@
 IRSLIBS =	../../lib/irs/libirs.@A@

bin/delv/delv.1

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2014-2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2014-2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -437,5 +437,5 @@ RFC5155\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2014-2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2014-2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/delv/delv.c

@@ -743,8 +743,8 @@ setup_dnsseckeys(dns_client_t *client) {
 
 		isc_buffer_init(&b, anchortext, sizeof(anchortext) - 1);
 		isc_buffer_add(&b, sizeof(anchortext) - 1);
-		result = cfg_parse_buffer(parser, &b, NULL, 0,
-					  &cfg_type_bindkeys, 0, &bindkeys);
+		result = cfg_parse_buffer(parser, &b, &cfg_type_bindkeys,
+					  &bindkeys);
 		if (result != ISC_R_SUCCESS)
 			fatal("Unable to parse built-in keys");
 	}
@@ -765,14 +765,7 @@ setup_dnsseckeys(dns_client_t *client) {
 	if (dlv_validation)
 		dns_client_setdlv(client, dns_rdataclass_in, dlv_anchor);
 
-
  cleanup:
-	if (bindkeys != NULL) {
-		cfg_obj_destroy(parser, &bindkeys);
-	}
-	if (parser != NULL) {
-		cfg_parser_destroy(&parser);
-	}
 	if (result != ISC_R_SUCCESS)
 		delv_log(ISC_LOG_ERROR, "setup_dnsseckeys: %s",
 			  isc_result_totext(result));
@@ -1174,8 +1167,6 @@ plus_option(char *option) {
  * options: "46a:b:c:d:himp:q:t:vx:";
  */
 static const char *single_dash_opts = "46himv";
-static const char *dash_opts = "46abcdhimpqtvx";
-
 static bool
 dash_option(char *option, char *next, bool *open_type_class) {
 	char opt, *value;
@@ -1233,7 +1224,6 @@ dash_option(char *option, char *next, bool *open_type_class) {
 			/* NOTREACHED */
 		default:
 			INSIST(0);
-			ISC_UNREACHABLE();
 		}
 		if (strlen(option) > 1U)
 			option = &option[1];
@@ -1377,10 +1367,8 @@ preparse_args(int argc, char **argv) {
 	char *option;
 
 	for (argc--, argv++; argc > 0; argc--, argv++) {
-		if (argv[0][0] != '-') {
+		if (argv[0][0] != '-')
 			continue;
-		}
-
 		option = &argv[0][1];
 		while (strpbrk(option, single_dash_opts) == &option[0]) {
 			switch (option[0]) {
@@ -1403,27 +1391,6 @@ preparse_args(int argc, char **argv) {
 			}
 			option = &option[1];
 		}
-
-		if (strlen(option) == 0U) {
-			continue;
-		}
-
-		/* Look for dash value option. */
-		if (strpbrk(option, dash_opts) != &option[0] ||
-		    strlen(option) > 1U)
-		{
-			/* Error or value in option. */
-			continue;
-		}
-
-		/* Dash value is next argument so we need to skip it. */
-		argc--;
-		argv++;
-
-		/* Handle missing argument */
-		if (argc == 0) {
-			break;
-		}
 	}
 }
 

bin/delv/delv.docbook

@@ -39,7 +39,6 @@
       <year>2016</year>
       <year>2017</year>
       <year>2018</year>
-      <year>2019</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>

bin/delv/delv.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2014-2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2014-2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this

bin/delv/win32/delv.vcxproj.in

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup Label="ProjectConfigurations">
     <ProjectConfiguration Include="Debug|@PLATFORM@">
       <Configuration>Debug</Configuration>
@@ -14,21 +14,18 @@
     <ProjectGuid>{BE172EFE-C1DC-4812-BFB9-8C5F8ADB7E9F}</ProjectGuid>
     <Keyword>Win32Proj</Keyword>
     <RootNamespace>delv</RootNamespace>
-    @WINDOWS_TARGET_PLATFORM_VERSION@
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>true</UseDebugLibraries>
     <CharacterSet>MultiByte</CharacterSet>
-    @PLATFORM_TOOLSET@
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>false</UseDebugLibraries>
     <WholeProgramOptimization>true</WholeProgramOptimization>
     <CharacterSet>MultiByte</CharacterSet>
-    @PLATFORM_TOOLSET@
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
   <ImportGroup Label="ExtensionSettings">

bin/dig/Makefile.in

@@ -25,7 +25,7 @@ CDEFINES =	-DVERSION=\"${VERSION}\"
 CWARNINGS =
 
 ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
-DNSLIBS =	../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
+DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
 BIND9LIBS =	../../lib/bind9/libbind9.@A@
 ISCLIBS =	../../lib/isc/libisc.@A@ @OPENSSL_LIBS@
 ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LIBS@

bin/dig/dig.1

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2000-2011, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2011, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -74,9 +74,7 @@ will perform an NS query for "\&." (the root)\&.
 It is possible to set per\-user defaults for
 \fBdig\fR
 via
-${HOME}/\&.digrc\&. This file is read and any options in it are applied before the command line arguments\&. The
-\fB\-r\fR
-option disables this feature, for scripts that need predictable behaviour\&.
+${HOME}/\&.digrc\&. This file is read and any options in it are applied before the command line arguments\&.
 .PP
 The IN and CH class names overlap with the IN and CH top level domain names\&. Either use the
 \fB\-t\fR
@@ -176,6 +174,11 @@ reads a list of lookup requests to process from the given
 using the command\-line interface\&.
 .RE
 .PP
+\-i
+.RS 4
+Do reverse IPv6 lookups using the obsolete RFC 1886 IP6\&.INT domain, which is no longer in use\&. Obsolete bit string label queries (RFC 2874) are not attempted\&.
+.RE
+.PP
 \-k \fIkeyfile\fR
 .RS 4
 Sign queries using TSIG using a key read from the given file\&. Key files can be generated using
@@ -205,12 +208,6 @@ The domain name to query\&. This is useful to distinguish the
 from other arguments\&.
 .RE
 .PP
-\-r
-.RS 4
-Do not read options from
-${HOME}/\&.digrc\&. This is useful for scripts that need predictable behaviour\&.
-.RE
-.PP
 \-t \fItype\fR
 .RS 4
 The resource record type to query\&. It can be any valid query type\&. If it is a resource record type supported in BIND 9, it can be given by the type mnemonic (such as "NS" or "AAAA")\&. The default query type is "A", unless the
@@ -249,7 +246,9 @@ arguments\&.
 \fBdig\fR
 automatically performs a lookup for a name like
 94\&.2\&.0\&.192\&.in\-addr\&.arpa
-and sets the query type and class to PTR and IN respectively\&. IPv6 addresses are looked up using nibble format under the IP6\&.ARPA domain\&.
+and sets the query type and class to PTR and IN respectively\&. IPv6 addresses are looked up using nibble format under the IP6\&.ARPA domain (but see also the
+\fB\-i\fR
+option)\&.
 .RE
 .PP
 \-y \fI[hmac:]\fR\fIkeyname:secret\fR
@@ -361,20 +360,14 @@ Display [do not display] the CLASS when printing the record\&.
 .PP
 \fB+[no]cmd\fR
 .RS 4
-Toggles the printing of the initial comment in the output, identifying the version of
+Toggles the printing of the initial comment in the output identifying the version of
 \fBdig\fR
-and the query options that have been applied\&. This option always has global effect; it cannot be set globally and then overridden on a per\-lookup basis\&. The default is to print this comment\&.
+and the query options that have been applied\&. This comment is printed by default\&.
 .RE
 .PP
 \fB+[no]comments\fR
 .RS 4
-Toggles the display of some comment lines in the output, containing information about the packet header and OPT pseudosection, and the names of the response section\&. The default is to print these comments\&.
-.sp
-Other types of comments in the output are not affected by this option, but can be controlled using other command line switches\&. These include
-\fB+[no]cmd\fR,
-\fB+[no]question\fR,
-\fB+[no]stats\fR, and
-\fB+[no]rrcomments\fR\&.
+Toggle the display of comment lines in the output\&. The default is to print comments\&.
 .RE
 .PP
 \fB+[no]cookie\fR\fB[=####]\fR
@@ -475,16 +468,12 @@ option is enabled\&. If short form answers are requested, the default is not to
 .PP
 \fB+[no]idnin\fR
 .RS 4
-Process [do not process] IDN domain names on input\&. This requires IDN SUPPORT to have been enabled at compile time\&.
-.sp
-The default is to process IDN input when standard output is a tty\&. The IDN processing on input is disabled when dig output is redirected to files, pipes, and other non\-tty file descriptors\&.
+Process [do not process] IDN domain names on input\&. This requires IDN SUPPORT to have been enabled at compile time\&. The default is to process IDN input\&.
 .RE
 .PP
 \fB+[no]idnout\fR
 .RS 4
-Convert [do not convert] puny code on output\&. This requires IDN SUPPORT to have been enabled at compile time\&.
-.sp
-The default is to process puny code on output when standard output is a tty\&. The puny code processing on output is disabled when dig output is redirected to files, pipes, and other non\-tty file descriptors\&.
+Convert [do not convert] puny code on output\&. This requires IDN SUPPORT to have been enabled at compile time\&. The default is to convert output\&.
 .RE
 .PP
 \fB+[no]ignore\fR
@@ -567,12 +556,12 @@ would cause a 48\-byte query to be padded to 64 bytes\&. The default block size
 .PP
 \fB+[no]qr\fR
 .RS 4
-Toggles the display of the query message as it is sent\&. By default, the query is not printed\&.
+Print [do not print] the query as it is sent\&. By default, the query is not printed\&.
 .RE
 .PP
 \fB+[no]question\fR
 .RS 4
-Toggles the display of the question section of a query when an answer is returned\&. The default is to print the question section as a comment\&.
+Print [do not print] the question section of a query when an answer is returned\&. The default is to print the question section as a comment\&.
 .RE
 .PP
 \fB+[no]raflag\fR
@@ -590,11 +579,11 @@ A synonym for
 .RS 4
 Toggle the setting of the RD (recursion desired) bit in the query\&. This bit is set by default, which means
 \fBdig\fR
-normally sends recursive queries\&. Recursion is automatically disabled when using the
+normally sends recursive queries\&. Recursion is automatically disabled when the
 \fI+nssearch\fR
-option, and when using
+or
 \fI+trace\fR
-except for an initial recursive query to get the list of root servers\&.
+query options are used\&.
 .RE
 .PP
 \fB+retry=T\fR
@@ -625,7 +614,7 @@ determines if the name will be treated as relative or not and hence whether a se
 .PP
 \fB+[no]short\fR
 .RS 4
-Provide a terse answer\&. The default is to print the answer in a verbose form\&. This option always has global effect; it cannot be set globally and then overridden on a per\-lookup basis\&.
+Provide a terse answer\&. The default is to print the answer in a verbose form\&.
 .RE
 .PP
 \fB+[no]showsearch\fR
@@ -655,7 +644,7 @@ causes fields not to be split at all\&. The default is 56 characters, or 44 char
 .PP
 \fB+[no]stats\fR
 .RS 4
-Toggles the printing of statistics: when the query was made, the size of the reply and so on\&. The default behavior is to print the query statistics as a comment after each lookup\&.
+This query option toggles the printing of statistics: when the query was made, the size of the reply and so on\&. The default behavior is to print the query statistics\&.
 .RE
 .PP
 \fB+[no]subnet=addr[/prefix\-length]\fR
@@ -806,10 +795,7 @@ has been built with IDN (internationalized domain name) support, it can accept a
 appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server\&. If you\*(Aqd like to turn off the IDN support for some reason, use parameters
 \fI+noidnin\fR
 and
-\fI+noidnout\fR
-or define the
-\fBIDN_DISABLE\fR
-environment variable\&.
+\fI+noidnout\fR\&.
 .SH "FILES"
 .PP
 /etc/resolv\&.conf
@@ -830,5 +816,5 @@ There are probably too many query options\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2000-2011, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000-2011, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dig/dig.c

@@ -65,8 +65,8 @@ static char domainopt[DNS_NAME_MAXTEXT];
 static char hexcookie[81];
 
 static bool short_form = false, printcmd = true,
-	plusquest = false, pluscomm = false,
-	ipv4only = false, ipv6only = false, digrc = true;
+	ip6_int = false, plusquest = false, pluscomm = false,
+	ipv4only = false, ipv6only = false;
 static uint32_t splitwidth = 0xffffffff;
 
 /*% opcode text */
@@ -153,11 +153,11 @@ help(void) {
 "                 -b address[#port]   (bind to source address/port)\n"
 "                 -c class            (specify query class)\n"
 "                 -f filename         (batch mode)\n"
+"                 -i                  (use IP6.INT for IPv6 reverse lookups)\n"
 "                 -k keyfile          (specify tsig key file)\n"
 "                 -m                  (enable memory usage debugging)\n"
 "                 -p port             (specify port number)\n"
 "                 -q name             (specify query name)\n"
-"                 -r                  (do not read ~/.digrc)\n"
 "                 -t type             (specify query type)\n"
 "                 -u                  (display times in usec instead of msec)\n"
 "                 -x dot-notation     (shortcut for reverse lookups)\n"
@@ -175,13 +175,11 @@ help(void) {
 "                 +bufsize=###        (Set EDNS0 Max UDP packet size)\n"
 "                 +[no]cdflag         (Set checking disabled flag in query)\n"
 "                 +[no]class          (Control display of class in records)\n"
-"                 +[no]cmd            (Control display of command line -\n"
-"                                      global option)\n"
-"                 +[no]comments       (Control display of packet header\n"
-"                                      and section name comments)\n"
+"                 +[no]cmd            (Control display of command line)\n"
+"                 +[no]comments       (Control display of comment lines)\n"
 "                 +[no]cookie         (Add a COOKIE option to the request)\n"
-"                 +[no]crypto         (Control display of cryptographic\n"
-"                                      fields in records)\n"
+"                 +[no]crypto         (Control display of cryptographic "
+				       "fields in records)\n"
 "                 +[no]defname        (Use search list (+[no]search))\n"
 "                 +[no]dnssec         (Request DNSSEC records)\n"
 "                 +domain=###         (Set default domainname)\n"
@@ -195,15 +193,11 @@ help(void) {
 "                 +[no]fail           (Don't try next server on SERVFAIL)\n"
 "                 +[no]header-only    (Send query without a question section)\n"
 "                 +[no]identify       (ID responders in short answers)\n"
-#ifdef HAVE_LIBIDN2
-"                 +[no]idnin          (Parse IDN names [default=on on tty])\n"
-"                 +[no]idnout         (Convert IDN response "
-					"[default=on on tty])\n"
-#endif
+"                 +[no]idnin          (Parse IDN names)\n"
+"                 +[no]idnout         (Convert IDN response)\n"
 "                 +[no]ignore         (Don't revert to TCP for TC responses.)\n"
 "                 +[no]keepalive      (Request EDNS TCP keepalive)\n"
-"                 +[no]keepopen       (Keep the TCP socket open between "
-					"queries)\n"
+"                 +[no]keepopen       (Keep the TCP socket open between queries)\n"
 "                 +[no]mapped         (Allow mapped IPv4 over IPv6)\n"
 "                 +[no]multiline      (Print records in an expanded format)\n"
 "                 +ndots=###          (Set search NDOTS value)\n"
@@ -222,7 +216,7 @@ help(void) {
 					"comments)\n"
 "                 +[no]search         (Set whether to use searchlist)\n"
 "                 +[no]short          (Display nothing except short\n"
-"                                      form of answers - global option)\n"
+"                                      form of answer)\n"
 "                 +[no]showsearch     (Search with intermediate results)\n"
 "                 +[no]split=##       (Split hex/base64 fields into chunks)\n"
 "                 +[no]stats          (Control display of statistics)\n"
@@ -230,13 +224,11 @@ help(void) {
 "                 +[no]tcflag         (Set TC flag in query (+[no]tcflag))\n"
 "                 +[no]tcp            (TCP mode (+[no]vc))\n"
 "                 +timeout=###        (Set query timeout) [5]\n"
-"                 +[no]trace          (Trace delegation down from root "
-					"[+dnssec])\n"
+"                 +[no]trace          (Trace delegation down from root [+dnssec])\n"
 "                 +tries=###          (Set number of UDP attempts) [3]\n"
 "                 +[no]ttlid          (Control display of ttls in records)\n"
 "                 +[no]ttlunits       (Display TTLs in human-readable units)\n"
-"                 +[no]unknownformat  (Print RDATA in RFC 3597 \"unknown\" "
-					"format)\n"
+"                 +[no]unknownformat  (Print RDATA in RFC 3597 \"unknown\" format)\n"
 "                 +[no]vc             (TCP mode (+[no]tcp))\n"
 "                 +[no]zflag          (Set Z flag in query)\n"
 "        global d-opts and servers (before host name) affect all queries.\n"
@@ -508,9 +500,8 @@ printmessage(dig_query_t *query, dns_message_t *msg, bool headers) {
 	check_result(result, "dns_master_stylecreate");
 
 	if (query->lookup->cmdline[0] != 0) {
-		if (!short_form && printcmd) {
+		if (!short_form)
 			fputs(query->lookup->cmdline, stdout);
-		}
 		query->lookup->cmdline[0]=0;
 	}
 	debug("printmessage(%s %s %s)", headers ? "headers" : "noheaders",
@@ -533,7 +524,7 @@ printmessage(dig_query_t *query, dns_message_t *msg, bool headers) {
 	check_result(result, "isc_buffer_allocate");
 
 	if (query->lookup->comments && !short_form) {
-		if (query->lookup->cmdline[0] != 0 && printcmd)
+		if (query->lookup->cmdline[0] != 0)
 			printf("; %s\n", query->lookup->cmdline);
 		if (msg == query->lookup->sendmsg)
 			printf(";; Sending:\n");
@@ -1452,7 +1443,7 @@ plus_option(char *option, bool is_batchfile,
 				lookup->trace = state;
 				lookup->trace_root = state;
 				if (state) {
-					lookup->recurse = true;
+					lookup->recurse = false;
 					lookup->identify = true;
 					lookup->comments = false;
 					lookup->rrcomments = 0;
@@ -1551,8 +1542,8 @@ plus_option(char *option, bool is_batchfile,
 /*%
  * #true returned if value was used
  */
-static const char *single_dash_opts = "46dhimnruv";
-static const char *dash_opts = "46bcdfhikmnpqrtvyx";
+static const char *single_dash_opts = "46dhimnuv";
+static const char *dash_opts = "46bcdfhikmnptvyx";
 static bool
 dash_option(char *option, char *next, dig_lookup_t **lookup,
 	    bool *open_type_class, bool *need_clone,
@@ -1615,7 +1606,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 			exit(0);
 			break;
 		case 'i':
-			/* deprecated */
+			ip6_int = true;
 			break;
 		case 'm': /* memdebug */
 			/* memdebug is handled in preparse_args() */
@@ -1623,10 +1614,6 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 		case 'n':
 			/* deprecated */
 			break;
-		case 'r':
-			debug("digrc (late)");
-			digrc = false;
-			break;
 		case 'u':
 			(*lookup)->use_usec = true;
 			break;
@@ -1800,12 +1787,13 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 			*lookup = clone_lookup(default_lookup, true);
 		*need_clone = true;
 		if (get_reverse(textname, sizeof(textname), value,
-				false) == ISC_R_SUCCESS) {
+				ip6_int, false) == ISC_R_SUCCESS) {
 			strlcpy((*lookup)->textname, textname,
 				sizeof((*lookup)->textname));
 			debug("looking up %s", (*lookup)->textname);
 			(*lookup)->trace_root = ((*lookup)->trace  ||
 						 (*lookup)->ns_search_only);
+			(*lookup)->ip6_int = ip6_int;
 			if (!(*lookup)->rdtypeset)
 				(*lookup)->rdtype = dns_rdatatype_ptr;
 			if (!(*lookup)->rdclassset)
@@ -1853,23 +1841,11 @@ preparse_args(int argc, char **argv) {
 		option = &rv[0][1];
 		while (strpbrk(option, single_dash_opts) == &option[0]) {
 			switch (option[0]) {
-			case 'd':
-				/* For debugging early startup */
-				debugging = true;
-				break;
 			case 'm':
 				memdebugging = true;
 				isc_mem_debugging = ISC_MEM_DEBUGTRACE |
 					ISC_MEM_DEBUGRECORD;
 				break;
-			case 'r':
-				/*
-				 * Must be done early, because ~/.digrc
-				 * is read before command line parsing
-				 */
-				debug("digrc (early)");
-				digrc = false;
-				break;
 			case '4':
 				if (ipv6only)
 					fatal("only one of -4 and -6 allowed");
@@ -1883,20 +1859,6 @@ preparse_args(int argc, char **argv) {
 			}
 			option = &option[1];
 		}
-		if (strlen(option) == 0U) {
-			continue;
-		}
-		/* Look for dash value option. */
-		if (strpbrk(option, dash_opts) != &option[0] ||
-		    strlen(option) > 1U) {
-			/* Error or value in option. */
-			continue;
-		}
-		/* Dash value is next argument so we need to skip it. */
-		rc--, rv++;
-		/* Handle missing argument */
-		if (rc == 0)
-			break;
 	}
 }
 
@@ -1963,9 +1925,8 @@ parse_args(bool is_batchfile, bool config_only,
 		 */
 		INSIST(batchfp == NULL);
 		homedir = getenv("HOME");
-		if (homedir != NULL && digrc) {
+		if (homedir != NULL) {
 			unsigned int n;
-			debug("digrc (open)");
 			n = snprintf(rcfile, sizeof(rcfile), "%s/.digrc",
 				     homedir);
 			if (n < sizeof(rcfile)) {

bin/dig/dig.docbook

@@ -52,7 +52,6 @@
       <year>2016</year>
       <year>2017</year>
       <year>2018</year>
-      <year>2019</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
@@ -132,10 +131,9 @@
 
     <para>
       It is possible to set per-user defaults for <command>dig</command> via
-      <filename>${HOME}/.digrc</filename>. This file is read and any
-      options in it are applied before the command line arguments.
-      The <option>-r</option> option disables this feature, for
-      scripts that need predictable behaviour.
+      <filename>${HOME}/.digrc</filename>.  This file is read and
+      any options in it
+      are applied before the command line arguments.
     </para>
 
     <para>
@@ -273,6 +271,17 @@
 	</listitem>
       </varlistentry>
 
+      <varlistentry>
+	<term>-i</term>
+	<listitem>
+	  <para>
+	    Do reverse IPv6 lookups using the obsolete RFC 1886 IP6.INT
+	    domain, which is no longer in use. Obsolete bit string
+	    label queries (RFC 2874) are not attempted.
+	  </para>
+	</listitem>
+      </varlistentry>
+
       <varlistentry>
 	<term>-k <replaceable class="parameter">keyfile</replaceable></term>
 	<listitem>
@@ -325,16 +334,6 @@
 	</listitem>
       </varlistentry>
 
-      <varlistentry>
-	<term>-r</term>
-	<listitem>
-	  <para>
-	    Do not read options from <filename>${HOME}/.digrc</filename>.
-	    This is useful for scripts that need predictable behaviour.
-	  </para>
-	</listitem>
-      </varlistentry>
-
       <varlistentry>
 	<term>-t <replaceable class="parameter">type</replaceable></term>
 	<listitem>
@@ -395,7 +394,8 @@
 	    <literal>94.2.0.192.in-addr.arpa</literal> and sets the
 	    query type and class to PTR and IN respectively. IPv6
 	    addresses are looked up using nibble format under the
-	    IP6.ARPA domain.
+	    IP6.ARPA domain (but see also the <option>-i</option>
+	    option).
 	  </para>
 	</listitem>
       </varlistentry>
@@ -593,11 +593,9 @@
 	  <listitem>
 	    <para>
 	      Toggles the printing of the initial comment in the
-	      output, identifying the version of <command>dig</command>
-	      and the query options that have been applied.  This option
-	      always has global effect; it cannot be set globally
-	      and then overridden on a per-lookup basis.  The default
-	      is to print this comment.
+	      output identifying the version of <command>dig</command>
+	      and the query options that have been applied.  This
+	      comment is printed by default.
 	    </para>
 	  </listitem>
 	</varlistentry>
@@ -606,18 +604,8 @@
 	  <term><option>+[no]comments</option></term>
 	  <listitem>
 	    <para>
-	      Toggles the display of some comment lines in the output,
-	      containing information about the packet header and
-	      OPT pseudosection, and the names of the response
-	      section.  The default is to print these comments.
-	    </para>
-	    <para>
-	      Other types of comments in the output are not affected by
-	      this option, but can be controlled using other command
-	      line switches. These include <command>+[no]cmd</command>,
-	      <command>+[no]question</command>,
-	      <command>+[no]stats</command>, and
-	      <command>+[no]rrcomments</command>.
+	      Toggle the display of comment lines in the output.
+	      The default is to print comments.
 	    </para>
 	  </listitem>
 	</varlistentry>
@@ -801,13 +789,7 @@
 	    <para>
 	      Process [do not process] IDN domain names on input.
 	      This requires IDN SUPPORT to have been enabled at
-	      compile time.
-	    </para>
-	    <para>
-	      The default is to process IDN input when standard output
-	      is a tty.  The IDN processing on input is disabled when
-	      dig output is redirected to files, pipes, and other
-	      non-tty file descriptors.
+	      compile time.  The default is to process IDN input.
 	    </para>
 	  </listitem>
 	</varlistentry>
@@ -818,13 +800,7 @@
 	    <para>
 	      Convert [do not convert] puny code on output.
 	      This requires IDN SUPPORT to have been enabled at
-	      compile time.
-	    </para>
-	    <para>
-	      The default is to process puny code on output when
-	      standard output is a tty.  The puny code processing on
-	      output is disabled when dig output is redirected to
-	      files, pipes, and other non-tty file descriptors.
+	      compile time.  The default is to convert output.
 	    </para>
 	  </listitem>
 	</varlistentry>
@@ -967,8 +943,8 @@
 	  <term><option>+[no]qr</option></term>
 	  <listitem>
 	    <para>
-	      Toggles the display of the query message as it is sent.
-	      By default, the query is not printed.
+	      Print [do not print] the query as it is sent.  By
+	      default, the query is not printed.
 	    </para>
 	  </listitem>
 	</varlistentry>
@@ -977,7 +953,7 @@
 	  <term><option>+[no]question</option></term>
 	  <listitem>
 	    <para>
-	      Toggles the display of the question section of a query
+	      Print [do not print] the question section of a query
 	      when an answer is returned.  The default is to print
 	      the question section as a comment.
 	    </para>
@@ -1012,10 +988,8 @@
 	      in the query.  This bit is set by default, which means
 	      <command>dig</command> normally sends recursive
 	      queries.  Recursion is automatically disabled when
-	      using the <parameter>+nssearch</parameter> option, and
-	      when using <parameter>+trace</parameter> except for
-	      an initial recursive query to get the list of root
-	      servers.
+	      the <parameter>+nssearch</parameter> or
+	      <parameter>+trace</parameter> query options are used.
 	    </para>
 	  </listitem>
 	</varlistentry>
@@ -1068,9 +1042,7 @@
 	  <listitem>
 	    <para>
 	      Provide a terse answer.  The default is to print the
-	      answer in a verbose form.  This option always has global
-	      effect; it cannot be set globally and then overridden on
-	      a per-lookup basis.
+	      answer in a verbose form.
 	    </para>
 	  </listitem>
 	</varlistentry>
@@ -1115,9 +1087,10 @@
 	  <term><option>+[no]stats</option></term>
 	  <listitem>
 	    <para>
-	      Toggles the printing of statistics: when the query was made,
-	      the size of the reply and so on.  The default behavior is to
-	      print the query statistics as a comment after each lookup.
+	      This query option toggles the printing of statistics:
+	      when the query was made, the size of the reply and
+	      so on.  The default behavior is to print the query
+	      statistics.
 	    </para>
 	  </listitem>
 	</varlistentry>

bin/dig/dig.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2011, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2011, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -106,10 +106,9 @@
 
     <p>
       It is possible to set per-user defaults for <span class="command"><strong>dig</strong></span> via
-      <code class="filename">${HOME}/.digrc</code>. This file is read and any
-      options in it are applied before the command line arguments.
-      The <code class="option">-r</code> option disables this feature, for
-      scripts that need predictable behaviour.
+      <code class="filename">${HOME}/.digrc</code>.  This file is read and
+      any options in it
+      are applied before the command line arguments.
     </p>
 
     <p>
@@ -228,6 +227,14 @@
 	    <span class="command"><strong>dig</strong></span> using the command-line interface.
 	  </p>
 	</dd>
+<dt><span class="term">-i</span></dt>
+<dd>
+	  <p>
+	    Do reverse IPv6 lookups using the obsolete RFC 1886 IP6.INT
+	    domain, which is no longer in use. Obsolete bit string
+	    label queries (RFC 2874) are not attempted.
+	  </p>
+	</dd>
 <dt><span class="term">-k <em class="replaceable"><code>keyfile</code></em></span></dt>
 <dd>
 	  <p>
@@ -267,13 +274,6 @@
 	    the <em class="parameter"><code>name</code></em> from other arguments.
 	  </p>
 	</dd>
-<dt><span class="term">-r</span></dt>
-<dd>
-	  <p>
-	    Do not read options from <code class="filename">${HOME}/.digrc</code>.
-	    This is useful for scripts that need predictable behaviour.
-	  </p>
-	</dd>
 <dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
 <dd>
 	  <p>
@@ -324,7 +324,8 @@
 	    <code class="literal">94.2.0.192.in-addr.arpa</code> and sets the
 	    query type and class to PTR and IN respectively. IPv6
 	    addresses are looked up using nibble format under the
-	    IP6.ARPA domain.
+	    IP6.ARPA domain (but see also the <code class="option">-i</code>
+	    option).
 	  </p>
 	</dd>
 <dt><span class="term">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></span></dt>
@@ -481,28 +482,16 @@
 <dd>
 	    <p>
 	      Toggles the printing of the initial comment in the
-	      output, identifying the version of <span class="command"><strong>dig</strong></span>
-	      and the query options that have been applied.  This option
-	      always has global effect; it cannot be set globally
-	      and then overridden on a per-lookup basis.  The default
-	      is to print this comment.
+	      output identifying the version of <span class="command"><strong>dig</strong></span>
+	      and the query options that have been applied.  This
+	      comment is printed by default.
 	    </p>
 	  </dd>
 <dt><span class="term"><code class="option">+[no]comments</code></span></dt>
 <dd>
 	    <p>
-	      Toggles the display of some comment lines in the output,
-	      containing information about the packet header and
-	      OPT pseudosection, and the names of the response
-	      section.  The default is to print these comments.
-	    </p>
-	    <p>
-	      Other types of comments in the output are not affected by
-	      this option, but can be controlled using other command
-	      line switches. These include <span class="command"><strong>+[no]cmd</strong></span>,
-	      <span class="command"><strong>+[no]question</strong></span>,
-	      <span class="command"><strong>+[no]stats</strong></span>, and
-	      <span class="command"><strong>+[no]rrcomments</strong></span>.
+	      Toggle the display of comment lines in the output.
+	      The default is to print comments.
 	    </p>
 	  </dd>
 <dt><span class="term"><code class="option">+[no]cookie[<span class="optional">=####</span>]</code></span></dt>
@@ -642,13 +631,7 @@
 	    <p>
 	      Process [do not process] IDN domain names on input.
 	      This requires IDN SUPPORT to have been enabled at
-	      compile time.
-	    </p>
-	    <p>
-	      The default is to process IDN input when standard output
-	      is a tty.  The IDN processing on input is disabled when
-	      dig output is redirected to files, pipes, and other
-	      non-tty file descriptors.
+	      compile time.  The default is to process IDN input.
 	    </p>
 	  </dd>
 <dt><span class="term"><code class="option">+[no]idnout</code></span></dt>
@@ -656,13 +639,7 @@
 	    <p>
 	      Convert [do not convert] puny code on output.
 	      This requires IDN SUPPORT to have been enabled at
-	      compile time.
-	    </p>
-	    <p>
-	      The default is to process puny code on output when
-	      standard output is a tty.  The puny code processing on
-	      output is disabled when dig output is redirected to
-	      files, pipes, and other non-tty file descriptors.
+	      compile time.  The default is to convert output.
 	    </p>
 	  </dd>
 <dt><span class="term"><code class="option">+[no]ignore</code></span></dt>
@@ -769,14 +746,14 @@
 <dt><span class="term"><code class="option">+[no]qr</code></span></dt>
 <dd>
 	    <p>
-	      Toggles the display of the query message as it is sent.
-	      By default, the query is not printed.
+	      Print [do not print] the query as it is sent.  By
+	      default, the query is not printed.
 	    </p>
 	  </dd>
 <dt><span class="term"><code class="option">+[no]question</code></span></dt>
 <dd>
 	    <p>
-	      Toggles the display of the question section of a query
+	      Print [do not print] the question section of a query
 	      when an answer is returned.  The default is to print
 	      the question section as a comment.
 	    </p>
@@ -802,10 +779,8 @@
 	      in the query.  This bit is set by default, which means
 	      <span class="command"><strong>dig</strong></span> normally sends recursive
 	      queries.  Recursion is automatically disabled when
-	      using the <em class="parameter"><code>+nssearch</code></em> option, and
-	      when using <em class="parameter"><code>+trace</code></em> except for
-	      an initial recursive query to get the list of root
-	      servers.
+	      the <em class="parameter"><code>+nssearch</code></em> or
+	      <em class="parameter"><code>+trace</code></em> query options are used.
 	    </p>
 	  </dd>
 <dt><span class="term"><code class="option">+retry=T</code></span></dt>
@@ -846,9 +821,7 @@
 <dd>
 	    <p>
 	      Provide a terse answer.  The default is to print the
-	      answer in a verbose form.  This option always has global
-	      effect; it cannot be set globally and then overridden on
-	      a per-lookup basis.
+	      answer in a verbose form.
 	    </p>
 	  </dd>
 <dt><span class="term"><code class="option">+[no]showsearch</code></span></dt>
@@ -881,9 +854,10 @@
 <dt><span class="term"><code class="option">+[no]stats</code></span></dt>
 <dd>
 	    <p>
-	      Toggles the printing of statistics: when the query was made,
-	      the size of the reply and so on.  The default behavior is to
-	      print the query statistics as a comment after each lookup.
+	      This query option toggles the printing of statistics:
+	      when the query was made, the size of the reply and
+	      so on.  The default behavior is to print the query
+	      statistics.
 	    </p>
 	  </dd>
 <dt><span class="term"><code class="option">+[no]subnet=addr[/prefix-length]</code></span></dt>
@@ -1087,9 +1061,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
       reply from the server.
       If you'd like to turn off the IDN support for some reason, use
       parameters <em class="parameter"><code>+noidnin</code></em> and
-      <em class="parameter"><code>+noidnout</code></em> or define
-      the <code class="envar">IDN_DISABLE</code> environment variable.
-
+      <em class="parameter"><code>+noidnout</code></em>.
     </p>
   </div>
 

bin/dig/dighost.c

@@ -312,7 +312,8 @@ reverse_octets(const char *in, char **p, char *end) {
 }
 
 isc_result_t
-get_reverse(char *reverse, size_t len, char *value, bool strict)
+get_reverse(char *reverse, size_t len, char *value, bool ip6_int,
+	    bool strict)
 {
 	int r;
 	isc_result_t result;
@@ -326,6 +327,8 @@ get_reverse(char *reverse, size_t len, char *value, bool strict)
 		dns_name_t *name;
 		unsigned int options = 0;
 
+		if (ip6_int)
+			options |= DNS_BYADDROPT_IPV6INT;
 		name = dns_fixedname_initname(&fname);
 		result = dns_byaddr_createptrname(&addr, options, name);
 		if (result != ISC_R_SUCCESS)
@@ -625,7 +628,7 @@ make_empty_lookup(void) {
 	looknew->ttlunits = false;
 	looknew->qr = false;
 #ifdef HAVE_LIBIDN2
-	looknew->idnin = isatty(1)?(getenv("IDN_DISABLE") == NULL):false;
+	looknew->idnin = (getenv("IDN_DISABLE") == NULL);
 	looknew->idnout = looknew->idnin;
 #else
 	looknew->idnin = false;
@@ -649,6 +652,7 @@ make_empty_lookup(void) {
 	looknew->nsfound = 0;
 	looknew->tcp_mode = false;
 	looknew->tcp_mode_set = false;
+	looknew->ip6_int = false;
 	looknew->comments = true;
 	looknew->stats = true;
 	looknew->section_question = true;
@@ -1227,19 +1231,6 @@ create_search_list(irs_resconf_t *resconf) {
 	}
 }
 
-/*%
- * Append 'addr' to the list of servers to be queried.  This function is only
- * called when no server addresses are explicitly specified and either libirs
- * returns an empty list of servers to use or none of the addresses returned by
- * libirs are usable due to the specified address family restrictions.
- */
-static void
-add_fallback_nameserver(const char *addr) {
-	dig_server_t *server = make_server(addr, addr);
-	ISC_LINK_INIT(server, link);
-	ISC_LIST_APPEND(server_list, server, link);
-}
-
 /*%
  * Setup the system as a whole, reading key information and resolv.conf
  * settings.
@@ -1285,16 +1276,6 @@ setup_system(bool ipv4only, bool ipv6only) {
 		get_server_list(resconf);
 	}
 
-	/* If we don't find a nameserver fall back to localhost */
-	if (ISC_LIST_EMPTY(server_list)) {
-		if (have_ipv6) {
-			add_fallback_nameserver("::1");
-		}
-		if (have_ipv4) {
-			add_fallback_nameserver("127.0.0.1");
-		}
-	}
-
 	irs_resconf_destroy(&resconf);
 
 #ifdef HAVE_SETLOCALE
@@ -1390,7 +1371,8 @@ setup_libs(void) {
 	isc_mempool_setfreemax(commctx, 6);
 	isc_mempool_setfillcount(commctx, 2);
 
-	isc_mutex_init(&lookup_lock);
+	result = isc_mutex_init(&lookup_lock);
+	check_result(result, "isc_mutex_init");
 }
 
 typedef struct dig_ednsoptname {
@@ -1399,7 +1381,6 @@ typedef struct dig_ednsoptname {
 } dig_ednsoptname_t;
 
 dig_ednsoptname_t optnames[] = {
-	{ 1, "LLQ" },		/* draft-sekar-dns-llq */
 	{ 3, "NSID" },		/* RFC 5001 */
 	{ 5, "DAU" },		/* RFC 6975 */
 	{ 6, "DHU" },		/* RFC 6975 */
@@ -1412,8 +1393,6 @@ dig_ednsoptname_t optnames[] = {
 	{ 12, "PAD" },		/* shorthand */
 	{ 13, "CHAIN" },	/* RFC 7901 */
 	{ 14, "KEY-TAG" },	/* RFC 8145 */
-	{ 16, "CLIENT-TAG" },	/* draft-bellis-dnsop-edns-tags */
-	{ 17, "SERVER-TAG" },	/* draft-bellis-dnsop-edns-tags */
 	{ 26946, "DEVICEID" },	/* Brian Hartvigsen */
 };
 
@@ -1544,21 +1523,23 @@ clear_query(dig_query_t *query) {
 
 	debug("clear_query(%p)", query);
 
-	if (query->timer != NULL) {
+	if (query->timer != NULL)
 		isc_timer_detach(&query->timer);
-	}
 	lookup = query->lookup;
 
-	if (lookup->current_query == query) {
+	if (lookup->current_query == query)
 		lookup->current_query = NULL;
-	}
 
-	if (ISC_LINK_LINKED(query, link)) {
+	if (ISC_LINK_LINKED(query, link))
 		ISC_LIST_UNLINK(lookup->q, query, link);
-	}
-	if (ISC_LINK_LINKED(query, clink)) {
+	if (ISC_LINK_LINKED(query, clink))
 		ISC_LIST_UNLINK(lookup->connecting, query, clink);
-	}
+	if (ISC_LINK_LINKED(&query->recvbuf, link))
+		ISC_LIST_DEQUEUE(query->recvlist, &query->recvbuf,
+				 link);
+	if (ISC_LINK_LINKED(&query->lengthbuf, link))
+		ISC_LIST_DEQUEUE(query->lengthlist, &query->lengthbuf,
+				 link);
 	INSIST(query->recvspace != NULL);
 
 	if (query->sock != NULL) {
@@ -1567,16 +1548,12 @@ clear_query(dig_query_t *query) {
 		debug("sockcount=%d", sockcount);
 	}
 	isc_mempool_put(commctx, query->recvspace);
-	isc_mempool_put(commctx, query->tmpsendspace);
 	isc_buffer_invalidate(&query->recvbuf);
 	isc_buffer_invalidate(&query->lengthbuf);
-
-	if (query->waiting_senddone) {
+	if (query->waiting_senddone)
 		query->pending_free = true;
-	} else {
-		query->magic = 0;
+	else
 		isc_mem_free(mctx, query);
-	}
 }
 
 /*%
@@ -2192,14 +2169,12 @@ setup_lookup(dig_lookup_t *lookup) {
 	lookup->sendmsg->id = (dns_messageid_t)isc_random16();
 	lookup->sendmsg->opcode = lookup->opcode;
 	lookup->msgcounter = 0;
-
 	/*
-	 * If this is a trace request, completely disallow recursion after
-	 * looking up the root name servers, since it's meaningless for traces.
+	 * If this is a trace request, completely disallow recursion, since
+	 * it's meaningless for traces.
 	 */
-	if ((lookup->trace || lookup->ns_search_only) && !lookup->trace_root) {
+	if (lookup->trace || (lookup->ns_search_only && !lookup->trace_root))
 		lookup->recurse = false;
-	}
 
 	if (lookup->recurse &&
 	    lookup->rdtype != dns_rdatatype_axfr &&
@@ -2318,7 +2293,7 @@ setup_lookup(dig_lookup_t *lookup) {
 
 		if (lookup->ecs_addr != NULL) {
 			uint8_t addr[16];
-			uint16_t family = 0;
+			uint16_t family;
 			uint32_t plen;
 			struct sockaddr *sa;
 			struct sockaddr_in *sin;
@@ -2375,7 +2350,6 @@ setup_lookup(dig_lookup_t *lookup) {
 				break;
 			default:
 				INSIST(0);
-				ISC_UNREACHABLE();
 			}
 
 			isc_buffer_init(&b, ecsbuf, sizeof(ecsbuf));
@@ -2487,14 +2461,13 @@ setup_lookup(dig_lookup_t *lookup) {
 
 	for (serv = ISC_LIST_HEAD(lookup->my_server_list);
 	     serv != NULL;
-	     serv = ISC_LIST_NEXT(serv, link))
-	{
+	     serv = ISC_LIST_NEXT(serv, link)) {
 		query = isc_mem_allocate(mctx, sizeof(dig_query_t));
-		if (query == NULL) {
+		if (query == NULL)
 			fatal("memory allocation failure in %s:%d",
 			      __FILE__, __LINE__);
-		}
-		debug("create query %p linked to lookup %p", query, lookup);
+		debug("create query %p linked to lookup %p",
+		       query, lookup);
 		query->lookup = lookup;
 		query->timer = NULL;
 		query->waiting_connect = false;
@@ -2515,24 +2488,20 @@ setup_lookup(dig_lookup_t *lookup) {
 		query->msg_count = 0;
 		query->byte_count = 0;
 		query->ixfr_axfr = false;
+		ISC_LIST_INIT(query->recvlist);
+		ISC_LIST_INIT(query->lengthlist);
 		query->sock = NULL;
 		query->recvspace = isc_mempool_get(commctx);
-		query->tmpsendspace = isc_mempool_get(commctx);
-		if (query->recvspace == NULL) {
+		if (query->recvspace == NULL)
 			fatal("memory allocation failure");
-		}
 
 		isc_buffer_init(&query->recvbuf, query->recvspace, COMMSIZE);
 		isc_buffer_init(&query->lengthbuf, query->lengthspace, 2);
-		isc_buffer_init(&query->tmpsendbuf, query->tmpsendspace,
-				COMMSIZE);
+		isc_buffer_init(&query->slbuf, query->slspace, 2);
 		query->sendbuf = lookup->renderbuf;
 
 		ISC_LINK_INIT(query, clink);
 		ISC_LINK_INIT(query, link);
-
-		query->magic = DIG_QUERY_MAGIC;
-
 		ISC_LIST_ENQUEUE(lookup->q, query, link);
 	}
 
@@ -2541,10 +2510,9 @@ setup_lookup(dig_lookup_t *lookup) {
 		extrabytes = 0;
 		dighost_printmessage(ISC_LIST_HEAD(lookup->q),
 				     lookup->sendmsg, true);
-		if (lookup->stats) {
+		if (lookup->stats)
 			printf(";; QUERY SIZE: %u\n\n",
 			       isc_buffer_usedlength(&lookup->renderbuf));
-		}
 	}
 	return (true);
 }
@@ -2555,6 +2523,8 @@ setup_lookup(dig_lookup_t *lookup) {
  */
 static void
 send_done(isc_task_t *_task, isc_event_t *event) {
+	isc_socketevent_t *sevent = (isc_socketevent_t *)event;
+	isc_buffer_t *b = NULL;
 	dig_query_t *query, *next;
 	dig_lookup_t *l;
 
@@ -2569,27 +2539,28 @@ send_done(isc_task_t *_task, isc_event_t *event) {
 	debug("sendcount=%d", sendcount);
 	INSIST(sendcount >= 0);
 
+	for  (b = ISC_LIST_HEAD(sevent->bufferlist);
+	      b != NULL;
+	      b = ISC_LIST_HEAD(sevent->bufferlist)) {
+		ISC_LIST_DEQUEUE(sevent->bufferlist, b, link);
+		isc_mem_free(mctx, b);
+	}
+
 	query = event->ev_arg;
-	REQUIRE(DIG_VALID_QUERY(query));
 	query->waiting_senddone = false;
 	l = query->lookup;
 
-	if (!query->pending_free && l->ns_search_only &&
-	    !l->trace_root && !l->tcp_mode)
-	{
+	if (l->ns_search_only && !l->trace_root && !l->tcp_mode) {
 		debug("sending next, since searching");
 		next = ISC_LIST_NEXT(query, link);
-		if (next != NULL) {
+		if (next != NULL)
 			send_udp(next);
-		}
 	}
 
 	isc_event_free(&event);
 
-	if (query->pending_free) {
-		query->magic = 0;
+	if (query->pending_free)
 		isc_mem_free(mctx, query);
-	}
 
 	check_if_done();
 	UNLOCK_LOOKUP;
@@ -2607,7 +2578,6 @@ cancel_lookup(dig_lookup_t *lookup) {
 	debug("cancel_lookup()");
 	query = ISC_LIST_HEAD(lookup->q);
 	while (query != NULL) {
-		REQUIRE(DIG_VALID_QUERY(query));
 		next = ISC_LIST_NEXT(query, link);
 		if (query->sock != NULL) {
 			isc_socket_cancel(query->sock, global_task,
@@ -2627,7 +2597,6 @@ bringup_timer(dig_query_t *query, unsigned int default_timeout) {
 	dig_lookup_t *l;
 	unsigned int local_timeout;
 	isc_result_t result;
-	REQUIRE(DIG_VALID_QUERY(query));
 
 	debug("bringup_timer()");
 	/*
@@ -2692,7 +2661,6 @@ send_tcp_connect(dig_query_t *query) {
 	isc_result_t result;
 	dig_query_t *next;
 	dig_lookup_t *l;
-	REQUIRE(DIG_VALID_QUERY(query));
 
 	debug("send_tcp_connect(%p)", query);
 
@@ -2735,6 +2703,27 @@ send_tcp_connect(dig_query_t *query) {
 		return;
 	}
 
+	if (specified_source &&
+	    (isc_sockaddr_pf(&query->sockaddr) !=
+	     isc_sockaddr_pf(&bind_address))) {
+		printf(";; Skipping server %s, incompatible "
+		       "address family\n", query->servname);
+		query->waiting_connect = false;
+		if (ISC_LINK_LINKED(query, link))
+			next = ISC_LIST_NEXT(query, link);
+		else
+			next = NULL;
+		l = query->lookup;
+		clear_query(query);
+		if (next == NULL) {
+			printf(";; No acceptable nameservers\n");
+			check_next_lookup(l);
+			return;
+		}
+		send_tcp_connect(next);
+		return;
+	}
+
 	INSIST(query->sock == NULL);
 
 	if (keep != NULL && isc_sockaddr_equal(&keepaddr, &query->sockaddr)) {
@@ -2788,6 +2777,17 @@ send_tcp_connect(dig_query_t *query) {
 	}
 }
 
+static isc_buffer_t *
+clone_buffer(isc_buffer_t *source) {
+	isc_buffer_t *buffer;
+	buffer = isc_mem_allocate(mctx, sizeof(*buffer));
+	if (buffer == NULL)
+		fatal("memory allocation failure in %s:%d",
+		      __FILE__, __LINE__);
+	*buffer = *source;
+	return (buffer);
+}
+
 /*%
  * Send a UDP packet to the remote nameserver, possible starting the
  * recv action as well.  Also make sure that the timer is running and
@@ -2797,10 +2797,8 @@ static void
 send_udp(dig_query_t *query) {
 	dig_lookup_t *l = NULL;
 	isc_result_t result;
+	isc_buffer_t *sendbuf;
 	dig_query_t *next;
-	isc_region_t r;
-	isc_socketevent_t *sevent;
-	REQUIRE(DIG_VALID_QUERY(query));
 
 	debug("send_udp(%p)", query);
 
@@ -2861,60 +2859,32 @@ send_udp(dig_query_t *query) {
 		check_result(result, "isc_socket_bind");
 
 		query->recv_made = true;
-		isc_buffer_availableregion(&query->recvbuf, &r);
+		ISC_LINK_INIT(&query->recvbuf, link);
+		ISC_LIST_ENQUEUE(query->recvlist, &query->recvbuf,
+				 link);
 		debug("recving with lookup=%p, query=%p, sock=%p",
 		      query->lookup, query, query->sock);
-		result = isc_socket_recv(query->sock, &r, 1,
-					 global_task, recv_done, query);
-		check_result(result, "isc_socket_recv");
+		result = isc_socket_recvv(query->sock, &query->recvlist, 1,
+					  global_task, recv_done, query);
+		check_result(result, "isc_socket_recvv");
 		recvcount++;
 		debug("recvcount=%d", recvcount);
 	}
-	isc_buffer_usedregion(&query->sendbuf, &r);
+	ISC_LIST_INIT(query->sendlist);
+	sendbuf = clone_buffer(&query->sendbuf);
+	ISC_LIST_ENQUEUE(query->sendlist, sendbuf, link);
 	debug("sending a request");
 	TIME_NOW(&query->time_sent);
 	INSIST(query->sock != NULL);
 	query->waiting_senddone = true;
-	sevent = isc_socket_socketevent(mctx, query->sock,
-					ISC_SOCKEVENT_SENDDONE,
-					send_done, query);
-	result = isc_socket_sendto2(query->sock, &r,
-				    global_task, &query->sockaddr, NULL,
-				    sevent, ISC_SOCKFLAG_NORETRY);
-	check_result(result, "isc_socket_sendto2");
+	result = isc_socket_sendtov2(query->sock, &query->sendlist,
+				     global_task, send_done, query,
+				     &query->sockaddr, NULL,
+				     ISC_SOCKFLAG_NORETRY);
+	check_result(result, "isc_socket_sendtov");
 	sendcount++;
 }
 
-/*%
- * If there are more servers available for querying within 'lookup', initiate a
- * TCP or UDP query to the next available server and return true; otherwise,
- * return false.
- */
-static bool
-try_next_server(dig_lookup_t *lookup) {
-	dig_query_t *current_query, *next_query;
-
-	current_query = lookup->current_query;
-	if (current_query == NULL || !ISC_LINK_LINKED(current_query, link)) {
-		return (false);
-	}
-
-	next_query = ISC_LIST_NEXT(current_query, link);
-	if (next_query == NULL) {
-		return (false);
-	}
-
-	debug("trying next server...");
-
-	if (lookup->tcp_mode) {
-		send_tcp_connect(next_query);
-	} else {
-		send_udp(next_query);
-	}
-
-	return (true);
-}
-
 /*%
  * IO timeout handler, used for both connect and recv timeouts.  If
  * retries are still allowed, either resend the UDP packet or queue a
@@ -2923,7 +2893,7 @@ try_next_server(dig_lookup_t *lookup) {
 static void
 connect_timeout(isc_task_t *task, isc_event_t *event) {
 	dig_lookup_t *l = NULL;
-	dig_query_t *query = NULL;
+	dig_query_t *query = NULL, *cq;
 
 	UNUSED(task);
 	REQUIRE(event->ev_type == ISC_TIMEREVENT_IDLE);
@@ -2932,25 +2902,23 @@ connect_timeout(isc_task_t *task, isc_event_t *event) {
 
 	LOCK_LOOKUP;
 	query = event->ev_arg;
-	REQUIRE(DIG_VALID_QUERY(query));
 	l = query->lookup;
 	isc_event_free(&event);
 
 	INSIST(!free_now);
 
-	if (cancel_now) {
-		UNLOCK_LOOKUP;
-		return;
-	}
-
-	if (try_next_server(l)) {
-		if (l->tcp_mode) {
-			if (query->sock != NULL) {
+	if ((query != NULL) && (query->lookup->current_query != NULL) &&
+	    ISC_LINK_LINKED(query->lookup->current_query, link) &&
+	    (ISC_LIST_NEXT(query->lookup->current_query, link) != NULL)) {
+		debug("trying next server...");
+		cq = query->lookup->current_query;
+		if (!l->tcp_mode)
+			send_udp(ISC_LIST_NEXT(cq, link));
+		else {
+			if (query->sock != NULL)
 				isc_socket_cancel(query->sock, NULL,
 						  ISC_SOCKCANCEL_ALL);
-			} else {
-				clear_query(query);
-			}
+			send_tcp_connect(ISC_LIST_NEXT(cq, link));
 		}
 		UNLOCK_LOOKUP;
 		return;
@@ -2996,27 +2964,6 @@ connect_timeout(isc_task_t *task, isc_event_t *event) {
 	UNLOCK_LOOKUP;
 }
 
-/*%
- * Called when a peer closes a TCP socket prematurely.
- */
-static void
-requeue_or_update_exitcode(dig_lookup_t *lookup) {
-	if (lookup->eoferr == 0U) {
-		/*
-		 * Peer closed the connection prematurely for the first time
-		 * for this lookup.  Try again, keeping track of this failure.
-		 */
-		dig_lookup_t *requeued_lookup = requeue_lookup(lookup, true);
-		requeued_lookup->eoferr++;
-	} else {
-		/*
-		 * Peer closed the connection prematurely and it happened
-		 * previously for this lookup.  Indicate an error.
-		 */
-		exitcode = 9;
-	}
-}
-
 /*%
  * Event handler for the TCP recv which gets the length header of TCP
  * packets.  Start the next recv of length bytes.
@@ -3024,11 +2971,10 @@ requeue_or_update_exitcode(dig_lookup_t *lookup) {
 static void
 tcp_length_done(isc_task_t *task, isc_event_t *event) {
 	isc_socketevent_t *sevent;
-	isc_buffer_t b;
-	isc_region_t r;
+	isc_buffer_t *b = NULL;
 	isc_result_t result;
 	dig_query_t *query = NULL;
-	dig_lookup_t *l;
+	dig_lookup_t *l, *n;
 	uint16_t length;
 
 	REQUIRE(event->ev_type == ISC_SOCKEVENT_RECVDONE);
@@ -3041,11 +2987,14 @@ tcp_length_done(isc_task_t *task, isc_event_t *event) {
 	LOCK_LOOKUP;
 	sevent = (isc_socketevent_t *)event;
 	query = event->ev_arg;
-	REQUIRE(DIG_VALID_QUERY(query));
 
 	recvcount--;
 	INSIST(recvcount >= 0);
 
+	b = ISC_LIST_HEAD(sevent->bufferlist);
+	INSIST(b ==  &query->lengthbuf);
+	ISC_LIST_DEQUEUE(sevent->bufferlist, b, link);
+
 	if (sevent->result == ISC_R_CANCELED) {
 		isc_event_free(&event);
 		l = query->lookup;
@@ -3067,8 +3016,9 @@ tcp_length_done(isc_task_t *task, isc_event_t *event) {
 		sockcount--;
 		debug("sockcount=%d", sockcount);
 		INSIST(sockcount >= 0);
-		if (sevent->result == ISC_R_EOF) {
-			requeue_or_update_exitcode(l);
+		if (sevent->result == ISC_R_EOF && l->eoferr == 0U) {
+			n = requeue_lookup(l, true);
+			n->eoferr++;
 		}
 		isc_event_free(&event);
 		clear_query(query);
@@ -3077,10 +3027,7 @@ tcp_length_done(isc_task_t *task, isc_event_t *event) {
 		UNLOCK_LOOKUP;
 		return;
 	}
-	isc_buffer_init(&b, sevent->region.base, sevent->n);
-	isc_buffer_add(&b, sevent->n);
-	length = isc_buffer_getuint16(&b);
-
+	length = isc_buffer_getuint16(b);
 	if (length == 0) {
 		isc_event_free(&event);
 		launch_next_query(query, false);
@@ -3094,11 +3041,13 @@ tcp_length_done(isc_task_t *task, isc_event_t *event) {
 	 */
 	isc_buffer_invalidate(&query->recvbuf);
 	isc_buffer_init(&query->recvbuf, query->recvspace, length);
-	isc_buffer_availableregion(&query->recvbuf, &r);
+	ENSURE(ISC_LIST_EMPTY(query->recvlist));
+	ISC_LINK_INIT(&query->recvbuf, link);
+	ISC_LIST_ENQUEUE(query->recvlist, &query->recvbuf, link);
 	debug("recving with lookup=%p, query=%p", query->lookup, query);
-	result = isc_socket_recv(query->sock, &r, length, task,
-				 recv_done, query);
-	check_result(result, "isc_socket_recv");
+	result = isc_socket_recvv(query->sock, &query->recvlist, length, task,
+				  recv_done, query);
+	check_result(result, "isc_socket_recvv");
 	recvcount++;
 	debug("resubmitted recv request with length %d, recvcount=%d",
 	      length, recvcount);
@@ -3114,8 +3063,7 @@ static void
 launch_next_query(dig_query_t *query, bool include_question) {
 	isc_result_t result;
 	dig_lookup_t *l;
-	isc_region_t r;
-	REQUIRE(DIG_VALID_QUERY(query));
+	isc_buffer_t *buffer;
 
 	INSIST(!free_now);
 
@@ -3134,28 +3082,35 @@ launch_next_query(dig_query_t *query, bool include_question) {
 		return;
 	}
 
+	isc_buffer_clear(&query->slbuf);
 	isc_buffer_clear(&query->lengthbuf);
-	isc_buffer_availableregion(&query->lengthbuf, &r);
-	result = isc_socket_recv(query->sock, &r, 0,
-				 global_task, tcp_length_done, query);
-	check_result(result, "isc_socket_recv");
+	isc_buffer_putuint16(&query->slbuf, (uint16_t) query->sendbuf.used);
+	ISC_LIST_INIT(query->sendlist);
+	ISC_LINK_INIT(&query->slbuf, link);
+	if (!query->first_soa_rcvd) {
+		buffer = clone_buffer(&query->slbuf);
+		ISC_LIST_ENQUEUE(query->sendlist, buffer, link);
+		if (include_question) {
+			buffer = clone_buffer(&query->sendbuf);
+			ISC_LIST_ENQUEUE(query->sendlist, buffer, link);
+		}
+	}
+
+	ISC_LINK_INIT(&query->lengthbuf, link);
+	ISC_LIST_ENQUEUE(query->lengthlist, &query->lengthbuf, link);
+
+	result = isc_socket_recvv(query->sock, &query->lengthlist, 0,
+				  global_task, tcp_length_done, query);
+	check_result(result, "isc_socket_recvv");
 	recvcount++;
 	debug("recvcount=%d", recvcount);
 	if (!query->first_soa_rcvd) {
 		debug("sending a request in launch_next_query");
 		TIME_NOW(&query->time_sent);
 		query->waiting_senddone = true;
-		isc_buffer_clear(&query->tmpsendbuf);
-		isc_buffer_putuint16(&query->tmpsendbuf,
-				     isc_buffer_usedlength(&query->sendbuf));
-		if (include_question) {
-			isc_buffer_usedregion(&query->sendbuf, &r);
-			isc_buffer_copyregion(&query->tmpsendbuf, &r);
-		}
-		isc_buffer_usedregion(&query->tmpsendbuf, &r);
-		result = isc_socket_send(query->sock, &r,
-					 global_task, send_done, query);
-		check_result(result, "isc_socket_send");
+		result = isc_socket_sendv(query->sock, &query->sendlist,
+					  global_task, send_done, query);
+		check_result(result, "isc_socket_sendv");
 		sendcount++;
 		debug("sendcount=%d", sendcount);
 	}
@@ -3188,7 +3143,6 @@ connect_done(isc_task_t *task, isc_event_t *event) {
 	LOCK_LOOKUP;
 	sevent = (isc_socketevent_t *)event;
 	query = sevent->ev_arg;
-	REQUIRE(DIG_VALID_QUERY(query));
 
 	INSIST(query->waiting_connect);
 
@@ -3427,7 +3381,7 @@ process_cookie(dig_lookup_t *l, dns_message_t *msg,
 	}
 
 	INSIST(msg->cc_ok == 0 && msg->cc_bad == 0);
-	if (len >= 8 && optlen >= 8U) {
+	if (optlen >= len && optlen >= 8U) {
 		if (isc_safe_memequal(isc_buffer_current(optbuf), sent, 8)) {
 			msg->cc_ok = 1;
 		} else {
@@ -3506,15 +3460,13 @@ ednsvers(dns_rdataset_t *opt) {
 static void
 recv_done(isc_task_t *task, isc_event_t *event) {
 	isc_socketevent_t *sevent = NULL;
-	isc_region_t r;
 	dig_query_t *query = NULL;
-	isc_buffer_t b;
+	isc_buffer_t *b = NULL;
 	dns_message_t *msg = NULL;
 	isc_result_t result;
 	dig_lookup_t *n, *l;
 	bool docancel = false;
 	bool match = true;
-	bool done_process_opt = false;
 	unsigned int parseflags;
 	dns_messageid_t id;
 	unsigned int msgflags;
@@ -3539,8 +3491,9 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 	REQUIRE(event->ev_type == ISC_SOCKEVENT_RECVDONE);
 	sevent = (isc_socketevent_t *)event;
 
-	isc_buffer_init(&b, sevent->region.base, sevent->n);
-	isc_buffer_add(&b, sevent->n);
+	b = ISC_LIST_HEAD(sevent->bufferlist);
+	INSIST(b == &query->recvbuf);
+	ISC_LIST_DEQUEUE(sevent->bufferlist, &query->recvbuf, link);
 
 	if ((l->tcp_mode) && (query->timer != NULL))
 		isc_timer_touch(query->timer);
@@ -3570,8 +3523,9 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 			debug("sockcount=%d", sockcount);
 			INSIST(sockcount >= 0);
 		}
-		if (sevent->result == ISC_R_EOF) {
-			requeue_or_update_exitcode(l);
+		if (sevent->result == ISC_R_EOF && l->eoferr == 0U) {
+			n = requeue_lookup(l, true);
+			n->eoferr++;
 		}
 		isc_event_free(&event);
 		clear_query(query);
@@ -3615,7 +3569,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 		}
 	}
 
-	result = dns_message_peekheader(&b, &id, &msgflags);
+	result = dns_message_peekheader(b, &id, &msgflags);
 	if (result != ISC_R_SUCCESS || l->sendmsg->id != id) {
 		match = false;
 		if (l->tcp_mode) {
@@ -3684,7 +3638,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 		parseflags |= DNS_MESSAGEPARSE_BESTEFFORT;
 		parseflags |= DNS_MESSAGEPARSE_IGNORETRUNCATION;
 	}
-	result = dns_message_parse(msg, &b, parseflags);
+	result = dns_message_parse(msg, b, parseflags);
 	if (result == DNS_R_RECOVERABLE) {
 		printf(";; Warning: Message parser reports malformed "
 		       "message packet.\n");
@@ -3692,7 +3646,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 	}
 	if (result != ISC_R_SUCCESS) {
 		printf(";; Got bad packet: %s\n", isc_result_totext(result));
-		hex_dump(&b);
+		hex_dump(b);
 		query->waiting_connect = false;
 		dns_message_destroy(&msg);
 		isc_event_free(&event);
@@ -3808,7 +3762,6 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 			UNLOCK_LOOKUP;
 			return;
 		}
-		done_process_opt = true;
 	}
 	if ((msg->rcode == dns_rcode_servfail && !l->servfail_stops) ||
 	    (check_ra && (msg->flags & DNS_MESSAGEFLAG_RA) == 0 && l->recurse))
@@ -3847,7 +3800,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 	}
 
 	if (tsigkey != NULL) {
-		result = dns_tsig_verify(&b, msg, NULL, NULL);
+		result = dns_tsig_verify(&query->recvbuf, msg, NULL, NULL);
 		if (result != ISC_R_SUCCESS) {
 			printf(";; Couldn't verify signature: %s\n",
 			       isc_result_totext(result));
@@ -3863,7 +3816,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 		check_result(result,"dns_message_getquerytsig");
 	}
 
-	extrabytes = isc_buffer_remaininglength(&b);
+	extrabytes = isc_buffer_remaininglength(b);
 
 	debug("after parse");
 	if (l->doing_xfr && l->xfr_q == NULL) {
@@ -3898,24 +3851,20 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 		}
 	}
 
-	if (!done_process_opt) {
-		if (l->cookie != NULL) {
-			if (msg->opt == NULL) {
-				printf(";; expected opt record in response\n");
-			} else {
-				process_opt(l, msg);
-			}
-		} else if (l->sendcookie && msg->opt != NULL) {
+	if (l->cookie != NULL) {
+		if (msg->opt == NULL)
+			printf(";; expected opt record in response\n");
+		else
 			process_opt(l, msg);
-		}
-	}
+	} else if (l->sendcookie && msg->opt != NULL)
+		process_opt(l, msg);
 	if (!l->doing_xfr || l->xfr_q == query) {
 		if (msg->rcode == dns_rcode_nxdomain &&
 		    (l->origin != NULL || l->need_search)) {
 			if (!next_origin(query->lookup) || showsearch) {
 				dighost_printmessage(query, msg, true);
-				dighost_received(isc_buffer_usedlength(&b),
-						 &sevent->address, query);
+				dighost_received(b->used, &sevent->address,
+						 query);
 			}
 		} else if (!l->trace && !l->ns_search_only) {
 			dighost_printmessage(query, msg, true);
@@ -3982,8 +3931,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 	} else {
 
 		if (msg->rcode == dns_rcode_noerror || l->origin == NULL) {
-			dighost_received(isc_buffer_usedlength(&b),
-					 &sevent->address, query);
+			dighost_received(b->used, &sevent->address, query);
 		}
 
 		if (!query->lookup->ns_search_only)
@@ -4007,10 +3955,10 @@ recv_done(isc_task_t *task, isc_event_t *event) {
  udp_mismatch:
 	isc_buffer_invalidate(&query->recvbuf);
 	isc_buffer_init(&query->recvbuf, query->recvspace, COMMSIZE);
-	isc_buffer_availableregion(&query->recvbuf, &r);
-	result = isc_socket_recv(query->sock, &r, 1,
-				 global_task, recv_done, query);
-	check_result(result, "isc_socket_recv");
+	ISC_LIST_ENQUEUE(query->recvlist, &query->recvbuf, link);
+	result = isc_socket_recvv(query->sock, &query->recvlist, 1,
+				  global_task, recv_done, query);
+	check_result(result, "isc_socket_recvv");
 	recvcount++;
 	isc_event_free(&event);
 	UNLOCK_LOOKUP;
@@ -4085,7 +4033,6 @@ do_lookup(dig_lookup_t *lookup) {
 	lookup->pending = true;
 	query = ISC_LIST_HEAD(lookup->q);
 	if (query != NULL) {
-		REQUIRE(DIG_VALID_QUERY(query));
 		if (lookup->tcp_mode)
 			send_tcp_connect(query);
 		else
@@ -4233,7 +4180,7 @@ destroy_libs(void) {
 	}
 
 	UNLOCK_LOOKUP;
-	isc_mutex_destroy(&lookup_lock);
+	DESTROYLOCK(&lookup_lock);
 	debug("Removing log context");
 	isc_log_destroy(&lctx);
 
@@ -4379,20 +4326,9 @@ idn_ace_to_locale(const char *src, char **dst) {
 	 */
 	res = idn2_to_unicode_8zlz(utf8_src, &local_src, 0);
 	if (res != IDN2_OK) {
-		static bool warned = false;
-
-		res = idn2_to_ascii_8z(utf8_src, &local_src, 0);
-		if (res != IDN2_OK) {
-			fatal("Cannot represent '%s' "
-			      "in the current locale nor ascii (%s), "
-			      "use +noidnout or a different locale",
-			      src, idn2_strerror(res));
-		} else if (!warned) {
-			fprintf(stderr, ";; Warning: cannot represent '%s' "
-			      "in the current locale",
-			      local_src);
-			warned = true;
-		}
+		fatal("Cannot represent '%s' in the current locale (%s), "
+		      "use +noidnout or a different locale",
+		      src, idn2_strerror(res));
 	}
 
 	/*

bin/dig/host.1

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -112,6 +112,11 @@ Print debugging traces\&. Equivalent to the
 verbose option\&.
 .RE
 .PP
+\-i
+.RS 4
+Obsolete\&. Use the IP6\&.INT domain for reverse lookups of IPv6 addresses as defined in RFC1886 and deprecated in RFC4159\&. The default is to use IP6\&.ARPA as specified in RFC3596\&.
+.RE
+.PP
 \-l
 .RS 4
 List zone: The
@@ -252,7 +257,7 @@ If
 \fBhost\fR
 has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names\&.
 \fBhost\fR
-appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server\&. If you\*(Aqd like to turn off the IDN support for some reason, define the
+appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server\&. If you\*(Aqd like to turn off the IDN support for some reason, defines the
 \fBIDN_DISABLE\fR
 environment variable\&. The IDN support is disabled if the variable is set when
 \fBhost\fR
@@ -269,5 +274,5 @@ runs\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2000-2002, 2004, 2005, 2007-2009, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000-2002, 2004, 2005, 2007-2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dig/host.c

@@ -143,6 +143,7 @@ show_usage(void) {
 "       -c specifies query class for non-IN data\n"
 "       -C compares SOA records on authoritative nameservers\n"
 "       -d is equivalent to -v\n"
+"       -i IP6.INT reverse lookups\n"
 "       -l lists all hosts in a domain, using AXFR\n"
 "       -m set memory debugging flag (trace|record|usage)\n"
 "       -N changes the number of dots allowed before root lookup is done\n"
@@ -151,7 +152,6 @@ show_usage(void) {
 "       -s a SERVFAIL response should stop query\n"
 "       -t specifies the query type\n"
 "       -T enables TCP/IP mode\n"
-"       -U enables UDP mode\n"
 "       -v enables verbose output\n"
 "       -V print version number and exit\n"
 "       -w specifies to wait forever for a reply\n"
@@ -625,29 +625,28 @@ pre_parse_args(int argc, char **argv) {
 		case 'a': break;
 		case 'A': break;
 		case 'c': break;
-		case 'C': break;
 		case 'd': break;
-		case 'D':
-			if (debugging)
-				debugtiming = true;
-			debugging = true;
-			break;
 		case 'i': break;
 		case 'l': break;
 		case 'n': break;
-		case 'N': break;
 		case 'r': break;
-		case 'R': break;
 		case 's': break;
 		case 't': break;
-		case 'T': break;
-		case 'U': break;
 		case 'v': break;
 		case 'V':
 			  version();
 			  exit(0);
 			  break;
 		case 'w': break;
+		case 'C': break;
+		case 'D':
+			if (debugging)
+				debugtiming = true;
+			debugging = true;
+			break;
+		case 'N': break;
+		case 'R': break;
+		case 'T': break;
 		case 'W': break;
 		default:
 			show_usage();
@@ -763,7 +762,7 @@ parse_args(bool is_batchfile, int argc, char **argv) {
 			default_lookups = false;
 			break;
 		case 'i':
-			/* deprecated */
+			lookup->ip6_int = true;
 			break;
 		case 'n':
 			/* deprecated */
@@ -842,8 +841,8 @@ parse_args(bool is_batchfile, int argc, char **argv) {
 		check_ra = true;
 
 	lookup->pending = false;
-	if (get_reverse(store, sizeof(store), hostname, true)
-	    == ISC_R_SUCCESS) {
+	if (get_reverse(store, sizeof(store), hostname,
+			lookup->ip6_int, true) == ISC_R_SUCCESS) {
 		strlcpy(lookup->textname, store, sizeof(lookup->textname));
 		lookup->rdtype = dns_rdatatype_ptr;
 		lookup->rdtypeset = true;

bin/dig/host.docbook

@@ -47,7 +47,6 @@
       <year>2016</year>
       <year>2017</year>
       <year>2018</year>
-      <year>2019</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
@@ -180,6 +179,18 @@
 	</listitem>
       </varlistentry>
 
+      <varlistentry>
+	<term>-i</term>
+	<listitem>
+	  <para>
+	    Obsolete.
+	    Use the IP6.INT domain for reverse lookups of IPv6
+	    addresses as defined in RFC1886 and deprecated in RFC4159.
+	    The default is to use IP6.ARPA as specified in RFC3596.
+	  </para>
+	</listitem>
+      </varlistentry>
+
       <varlistentry>
 	<term>-l</term>
 	<listitem>

bin/dig/host.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -138,6 +138,15 @@
 	    Equivalent to the <code class="option">-v</code> verbose option.
 	  </p>
 	</dd>
+<dt><span class="term">-i</span></dt>
+<dd>
+	  <p>
+	    Obsolete.
+	    Use the IP6.INT domain for reverse lookups of IPv6
+	    addresses as defined in RFC1886 and deprecated in RFC4159.
+	    The default is to use IP6.ARPA as specified in RFC3596.
+	  </p>
+	</dd>
 <dt><span class="term">-l</span></dt>
 <dd>
 	  <p>
@@ -302,7 +311,7 @@
       <span class="command"><strong>host</strong></span> appropriately converts character encoding of
       domain name before sending a request to DNS server or displaying a
       reply from the server.
-      If you'd like to turn off the IDN support for some reason, define
+      If you'd like to turn off the IDN support for some reason, defines
       the <code class="envar">IDN_DISABLE</code> environment variable.
       The IDN support is disabled if the variable is set when
       <span class="command"><strong>host</strong></span> runs.

bin/dig/include/dig/dig.h

@@ -26,7 +26,6 @@
 #include <isc/formatcheck.h>
 #include <isc/lang.h>
 #include <isc/list.h>
-#include <isc/magic.h>
 #include <isc/mem.h>
 #include <isc/print.h>
 #include <isc/sockaddr.h>
@@ -82,11 +81,6 @@ typedef struct dig_server dig_server_t;
 typedef ISC_LIST(dig_server_t) dig_serverlist_t;
 typedef struct dig_searchlist dig_searchlist_t;
 
-#define DIG_QUERY_MAGIC		ISC_MAGIC('D','i','g','q')
-
-#define DIG_VALID_QUERY(x)	ISC_MAGIC_VALID((x), DIG_QUERY_MAGIC)
-
-
 /*% The dig_lookup structure */
 struct dig_lookup {
 	bool
@@ -109,6 +103,7 @@ struct dig_lookup {
 		trace_root, /*% initial query for either +trace or +nssearch */
 		tcp_mode,
 		tcp_mode_set,
+		ip6_int,
 		comments,
 		stats,
 		section_question,
@@ -190,7 +185,6 @@ struct dig_lookup {
 
 /*% The dig_query structure */
 struct dig_query {
-	unsigned int magic;
 	dig_lookup_t *lookup;
 	bool waiting_connect,
 		pending_free,
@@ -209,12 +203,15 @@ struct dig_query {
 	bool ixfr_axfr;
 	char *servname;
 	char *userarg;
+	isc_bufferlist_t sendlist,
+		recvlist,
+		lengthlist;
 	isc_buffer_t recvbuf,
 		lengthbuf,
-		tmpsendbuf,
-		sendbuf;
-	char *recvspace, *tmpsendspace,
-		lengthspace[4];
+		slbuf;
+	char *recvspace,
+		lengthspace[4],
+		slspace[4];
 	isc_socket_t *sock;
 	ISC_LINK(dig_query_t) link;
 	ISC_LINK(dig_query_t) clink;
@@ -222,6 +219,7 @@ struct dig_query {
 	isc_time_t time_sent;
 	isc_time_t time_recv;
 	uint64_t byte_count;
+	isc_buffer_t sendbuf;
 	isc_timer_t *timer;
 };
 
@@ -286,7 +284,8 @@ int
 getaddresses(dig_lookup_t *lookup, const char *host, isc_result_t *resultp);
 
 isc_result_t
-get_reverse(char *reverse, size_t len, char *value, bool strict);
+get_reverse(char *reverse, size_t len, char *value, bool ip6_int,
+	    bool strict);
 
 ISC_PLATFORM_NORETURN_PRE void
 fatal(const char *format, ...)

bin/dig/nslookup.1

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004-2007, 2010, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2007, 2010, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -277,17 +277,6 @@ Try the next nameserver if a nameserver responds with SERVFAIL or a referral (no
 .PP
 \fBnslookup\fR
 returns with an exit status of 1 if any query failed, and 0 otherwise\&.
-.SH "IDN SUPPORT"
-.PP
-If
-\fBnslookup\fR
-has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names\&.
-\fBnslookup\fR
-appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server\&. If you\*(Aqd like to turn off the IDN support for some reason, define the
-\fBIDN_DISABLE\fR
-environment variable\&. The IDN support is disabled if the variable is set when
-\fBnslookup\fR
-runs or when the standard output is not a tty\&.
 .SH "FILES"
 .PP
 /etc/resolv\&.conf
@@ -301,5 +290,5 @@ runs or when the standard output is not a tty\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2004-2007, 2010, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004-2007, 2010, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dig/nslookup.c

@@ -772,7 +772,7 @@ addlookup(char *opt) {
 		rdclass = dns_rdataclass_in;
 	}
 	lookup = make_empty_lookup();
-	if (get_reverse(store, sizeof(store), opt, true)
+	if (get_reverse(store, sizeof(store), opt, lookup->ip6_int, true)
 	    == ISC_R_SUCCESS) {
 		strlcpy(lookup->textname, store, sizeof(lookup->textname));
 		lookup->rdtype = dns_rdatatype_ptr;
@@ -879,29 +879,12 @@ get_next_command(void) {
 	isc_mem_free(mctx, buf);
 }
 
-ISC_PLATFORM_NORETURN_PRE static void
-usage(void) ISC_PLATFORM_NORETURN_POST;
-
-static void
-usage(void) {
-    fprintf(stderr, "Usage:\n");
-    fprintf(stderr,
-"   nslookup [-opt ...]             # interactive mode using default server\n");
-    fprintf(stderr,
-"   nslookup [-opt ...] - server    # interactive mode using 'server'\n");
-    fprintf(stderr,
-"   nslookup [-opt ...] host        # just look up 'host' using default server\n");
-    fprintf(stderr,
-"   nslookup [-opt ...] host server # just look up 'host' using 'server'\n");
-    exit(1);
-}
-
 static void
 parse_args(int argc, char **argv) {
 	bool have_lookup = false;
 
 	usesearch = true;
-	for (argc--, argv++; argc > 0 && argv[0] != NULL; argc--, argv++) {
+	for (argc--, argv++; argc > 0; argc--, argv++) {
 		debug("main parsing %s", argv[0]);
 		if (argv[0][0] == '-') {
 			if (strncasecmp(argv[0], "-ver", 4) == 0) {
@@ -917,9 +900,6 @@ parse_args(int argc, char **argv) {
 				in_use = true;
 				addlookup(argv[0]);
 			} else {
-				if (argv[1] != NULL) {
-					usage();
-				}
 				set_nameserver(argv[0]);
 				check_ra = false;
 			}
@@ -943,6 +923,12 @@ flush_lookup_list(void) {
 						  ISC_SOCKCANCEL_ALL);
 				isc_socket_detach(&q->sock);
 			}
+			if (ISC_LINK_LINKED(&q->recvbuf, link))
+				ISC_LIST_DEQUEUE(q->recvlist, &q->recvbuf,
+						 link);
+			if (ISC_LINK_LINKED(&q->lengthbuf, link))
+				ISC_LIST_DEQUEUE(q->lengthlist, &q->lengthbuf,
+						 link);
 			isc_buffer_invalidate(&q->recvbuf);
 			isc_buffer_invalidate(&q->lengthbuf);
 			qp = q;

bin/dig/nslookup.docbook

@@ -71,7 +71,6 @@
       <year>2016</year>
       <year>2017</year>
       <year>2018</year>
-      <year>2019</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
@@ -490,8 +489,7 @@ nslookup -query=hinfo  -timeout=10
       If you'd like to turn off the IDN support for some reason, define
       the <envar>IDN_DISABLE</envar> environment variable.
       The IDN support is disabled if the variable is set when
-      <command>nslookup</command> runs or when the standard output is not
-      a tty.
+      <command>nslookup</command> runs.
     </para>
   </refsection>
 

bin/dig/nslookup.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2004-2007, 2010, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007, 2010, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -362,31 +362,14 @@ nslookup -query=hinfo  -timeout=10
   </div>
 
   <div class="refsection">
-<a name="id-1.11"></a><h2>IDN SUPPORT</h2>
-
-    <p>
-      If <span class="command"><strong>nslookup</strong></span> has been built with IDN (internationalized
-      domain name) support, it can accept and display non-ASCII domain names.
-      <span class="command"><strong>nslookup</strong></span> appropriately converts character encoding of
-      domain name before sending a request to DNS server or displaying a
-      reply from the server.
-      If you'd like to turn off the IDN support for some reason, define
-      the <code class="envar">IDN_DISABLE</code> environment variable.
-      The IDN support is disabled if the variable is set when
-      <span class="command"><strong>nslookup</strong></span> runs or when the standard output is not
-      a tty.
-    </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.12"></a><h2>FILES</h2>
+<a name="id-1.11"></a><h2>FILES</h2>
 
     <p><code class="filename">/etc/resolv.conf</code>
     </p>
   </div>
 
   <div class="refsection">
-<a name="id-1.13"></a><h2>SEE ALSO</h2>
+<a name="id-1.12"></a><h2>SEE ALSO</h2>
 
     <p><span class="citerefentry">
         <span class="refentrytitle">dig</span>(1)

bin/dig/win32/dig.vcxproj.in

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup Label="ProjectConfigurations">
     <ProjectConfiguration Include="Debug|@PLATFORM@">
       <Configuration>Debug</Configuration>
@@ -14,21 +14,18 @@
     <ProjectGuid>{F938F9B8-D395-4A40-BEC7-0122D289C692}</ProjectGuid>
     <Keyword>Win32Proj</Keyword>
     <RootNamespace>dig</RootNamespace>
-    @WINDOWS_TARGET_PLATFORM_VERSION@
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>true</UseDebugLibraries>
     <CharacterSet>MultiByte</CharacterSet>
-    @PLATFORM_TOOLSET@
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>false</UseDebugLibraries>
     <WholeProgramOptimization>true</WholeProgramOptimization>
     <CharacterSet>MultiByte</CharacterSet>
-    @PLATFORM_TOOLSET@
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
   <ImportGroup Label="ExtensionSettings">

bin/dig/win32/dighost.vcxproj.in

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup Label="ProjectConfigurations">
     <ProjectConfiguration Include="Debug|@PLATFORM@">
       <Configuration>Debug</Configuration>
@@ -14,21 +14,18 @@
     <ProjectGuid>{140DE800-E552-43CC-B0C7-A33A92E368CA}</ProjectGuid>
     <Keyword>Win32Proj</Keyword>
     <RootNamespace>dighost</RootNamespace>
-    @WINDOWS_TARGET_PLATFORM_VERSION@
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
     <ConfigurationType>StaticLibrary</ConfigurationType>
     <UseDebugLibraries>true</UseDebugLibraries>
     <CharacterSet>MultiByte</CharacterSet>
-    @PLATFORM_TOOLSET@
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
     <ConfigurationType>StaticLibrary</ConfigurationType>
     <UseDebugLibraries>false</UseDebugLibraries>
     <WholeProgramOptimization>true</WholeProgramOptimization>
     <CharacterSet>MultiByte</CharacterSet>
-    @PLATFORM_TOOLSET@
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
   <ImportGroup Label="ExtensionSettings">

bin/dig/win32/host.vcxproj.in

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup Label="ProjectConfigurations">
     <ProjectConfiguration Include="Debug|@PLATFORM@">
       <Configuration>Debug</Configuration>
@@ -14,21 +14,18 @@
     <ProjectGuid>{BA1048A8-6961-4A20-BE12-08BE20611C9D}</ProjectGuid>
     <Keyword>Win32Proj</Keyword>
     <RootNamespace>host</RootNamespace>
-    @WINDOWS_TARGET_PLATFORM_VERSION@
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>true</UseDebugLibraries>
     <CharacterSet>MultiByte</CharacterSet>
-    @PLATFORM_TOOLSET@
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>false</UseDebugLibraries>
     <WholeProgramOptimization>true</WholeProgramOptimization>
     <CharacterSet>MultiByte</CharacterSet>
-    @PLATFORM_TOOLSET@
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
   <ImportGroup Label="ExtensionSettings">

bin/dig/win32/nslookup.vcxproj.in

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup Label="ProjectConfigurations">
     <ProjectConfiguration Include="Debug|@PLATFORM@">
       <Configuration>Debug</Configuration>
@@ -14,21 +14,18 @@
     <ProjectGuid>{C15A6E1A-94CE-4686-99F9-6BC5FD623EB5}</ProjectGuid>
     <Keyword>Win32Proj</Keyword>
     <RootNamespace>nslookup</RootNamespace>
-    @WINDOWS_TARGET_PLATFORM_VERSION@
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>true</UseDebugLibraries>
     <CharacterSet>MultiByte</CharacterSet>
-    @PLATFORM_TOOLSET@
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>false</UseDebugLibraries>
     <WholeProgramOptimization>true</WholeProgramOptimization>
     <CharacterSet>MultiByte</CharacterSet>
-    @PLATFORM_TOOLSET@
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
   <ImportGroup Label="ExtensionSettings">

bin/dnssec/Makefile.in

@@ -20,7 +20,7 @@ CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES} @OPENSSL_INCLUDES@
 CDEFINES =	-DVERSION=\"${VERSION}\"
 CWARNINGS =
 
-DNSLIBS =	../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
+DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
 ISCLIBS =	../../lib/isc/libisc.@A@ @OPENSSL_LIBS@
 ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LIBS@
 

bin/dnssec/dnssec-cds.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2017-2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2017, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -102,7 +102,7 @@ Specify a digest algorithm to use when converting CDNSKEY records to DS records\
 .sp
 The
 \fIalgorithm\fR
-must be one of SHA\-1, SHA\-256, or SHA\-384\&. These values are case insensitive, and the hyphen may be omitted\&. If no algorithm is specified, the default is SHA\-256\&.
+must be one of SHA\-1 (SHA1), SHA\-256 (SHA256), or SHA\-384 (SHA384)\&. These values are case insensitive\&. If no algorithm is specified, the default is SHA\-256\&.
 .RE
 .PP
 \-c \fIclass\fR
@@ -293,5 +293,5 @@ RFC 7344\&.
 .RE
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2017-2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2017, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dnssec/dnssec-cds.c

@@ -86,7 +86,7 @@ static dns_rdataclass_t rdclass = dns_rdataclass_in;
  * List of digest types used by ds_from_cdnskey(), filled in by add_dtype()
  * from -a arguments. The size of the array is an arbitrary limit.
  */
-static dns_dsdigest_t dtype[8];
+static uint8_t dtype[8];
 
 static const char *startstr  = NULL;	/* from which we derive notbefore */
 static isc_stdtime_t notbefore = 0;	/* restrict sig inception times */
@@ -129,7 +129,7 @@ static int nkey; /* number of child zone DNSKEY records */
 typedef struct keyinfo {
 	dns_rdata_t rdata;
 	dst_key_t *dst;
-	dns_secalg_t algo;
+	uint8_t algo;
 	dns_keytag_t tag;
 } keyinfo_t;
 
@@ -163,8 +163,8 @@ verbose_time(int level, const char *msg, isc_stdtime_t time) {
 	if (verbose < 3) {
 		vbprintf(level, "%s %s\n", msg, timestr);
 	} else {
-		vbprintf(level, "%s %s (%" PRIu32 ")\n",
-			 msg, timestr, time);
+		vbprintf(level, "%s %s (%lld)\n",
+			 msg, timestr, (long long)time);
 	}
 }
 
@@ -482,6 +482,7 @@ match_key_dsset(keyinfo_t *ki, dns_rdataset_t *dsset, strictness_t strictness)
 		dns_rdata_ds_t ds;
 		dns_rdata_t dsrdata = DNS_RDATA_INIT;
 		dns_rdata_t newdsrdata = DNS_RDATA_INIT;
+		dns_rdatatype_t keytype;
 		bool c;
 
 		dns_rdataset_current(dsset, &dsrdata);
@@ -492,8 +493,12 @@ match_key_dsset(keyinfo_t *ki, dns_rdataset_t *dsset, strictness_t strictness)
 			continue;
 		}
 
+		/* allow for both DNSKEY and CDNSKEY */
+		keytype = ki->rdata.type;
+		ki->rdata.type = dns_rdatatype_dnskey;
 		result = dns_ds_buildrdata(name, &ki->rdata, ds.digest_type,
 					   dsbuf, &newdsrdata);
+		ki->rdata.type = keytype;
 		if (result != ISC_R_SUCCESS) {
 			vbprintf(3, "dns_ds_buildrdata("
 				 "keytag=%d, algo=%d, digest=%d): %s\n",
@@ -568,7 +573,7 @@ match_keyset_dsset(dns_rdataset_t *keyset, dns_rdataset_t *dsset,
 		ki->algo = dnskey.algorithm;
 
 		dns_rdata_toregion(keyrdata, &r);
-		ki->tag = dst_region_computeid(&r);
+		ki->tag = dst_region_computeid(&r, ki->algo);
 
 		ki->dst = NULL;
 		if (!match_key_dsset(ki, dsset, strictness)) {
@@ -614,12 +619,12 @@ free_keytable(keyinfo_t **keytable_p) {
  * otherwise the key algorithm. This is used by the signature coverage
  * check functions below.
  */
-static dns_secalg_t *
+static uint8_t *
 matching_sigs(keyinfo_t *keytbl, dns_rdataset_t *rdataset,
 	      dns_rdataset_t *sigset)
 {
 	isc_result_t result;
-	dns_secalg_t *algo;
+	uint8_t *algo;
 	int i;
 
 	algo = isc_mem_get(mctx, nkey);
@@ -702,7 +707,7 @@ matching_sigs(keyinfo_t *keytbl, dns_rdataset_t *rdataset,
  * fetched from the child zone, any working signature is enough.
  */
 static bool
-signed_loose(dns_secalg_t *algo) {
+signed_loose(uint8_t *algo) {
 	bool ok = false;
 	int i;
 	for (i = 0; i < nkey; i++) {
@@ -721,7 +726,7 @@ signed_loose(dns_secalg_t *algo) {
  * RRset.
  */
 static bool
-signed_strict(dns_rdataset_t *dsset, dns_secalg_t *algo) {
+signed_strict(dns_rdataset_t *dsset, uint8_t *algo) {
 	isc_result_t result;
 	bool all_ok = true;
 
@@ -821,6 +826,7 @@ ds_from_cdnskey(dns_rdatalist_t *dslist, isc_buffer_t *buf,
 				return (ISC_R_NOSPACE);
 			}
 
+			cdnskey->type = dns_rdatatype_dnskey;
 			rdata = rdata_get();
 			result = dns_ds_buildrdata(name, cdnskey, dtype[i],
 						   r.base, rdata);
@@ -844,14 +850,14 @@ ds_from_cdnskey(dns_rdatalist_t *dslist, isc_buffer_t *buf,
  */
 static int
 cmp_dtype(const void *ap, const void *bp) {
-	int a = *(const dns_dsdigest_t *)ap;
-	int b = *(const dns_dsdigest_t *)bp;
+	int a = *(const uint8_t *)ap;
+	int b = *(const uint8_t *)bp;
 	return (a - b);
 }
 
 static void
 add_dtype(const char *dn) {
-	dns_dsdigest_t dt;
+	uint8_t dt;
 	unsigned i, n;
 
 	dt = strtodsdigest(dn);
@@ -936,7 +942,7 @@ consistent_digests(dns_rdataset_t *dsset) {
 	dns_rdata_t *arrdata;
 	dns_rdata_ds_t *ds;
 	dns_keytag_t key_tag;
-	dns_secalg_t algorithm;
+	uint8_t algorithm;
 	bool match;
 	int i, j, n, d;
 

bin/dnssec/dnssec-cds.docbook

@@ -40,7 +40,6 @@
     <copyright>
       <year>2017</year>
       <year>2018</year>
-      <year>2019</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
@@ -144,9 +143,9 @@
 	    record. This option has no effect when using CDS records.
           </para>
           <para>
-	    The <replaceable>algorithm</replaceable> must be one of
-	    SHA-1, SHA-256, or SHA-384.  These values are case insensitive,
-	    and the hyphen may be omitted.  If no algorithm is specified,
+	    The <replaceable>algorithm</replaceable> must be one of SHA-1
+	    (SHA1), SHA-256 (SHA256), or SHA-384 (SHA384). These
+	    values are case insensitive. If no algorithm is specified,
 	    the default is SHA-256.
           </para>
         </listitem>

bin/dnssec/dnssec-cds.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2017-2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2017, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -129,9 +129,9 @@
 	    record. This option has no effect when using CDS records.
           </p>
           <p>
-	    The <em class="replaceable"><code>algorithm</code></em> must be one of
-	    SHA-1, SHA-256, or SHA-384.  These values are case insensitive,
-	    and the hyphen may be omitted.  If no algorithm is specified,
+	    The <em class="replaceable"><code>algorithm</code></em> must be one of SHA-1
+	    (SHA1), SHA-256 (SHA256), or SHA-384 (SHA384). These
+	    values are case insensitive. If no algorithm is specified,
 	    the default is SHA-256.
           </p>
         </dd>

bin/dnssec/dnssec-dsfromkey.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2008-2012, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2008-2012, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -39,103 +39,61 @@
 dnssec-dsfromkey \- DNSSEC DS RR generation tool
 .SH "SYNOPSIS"
 .HP \w'\fBdnssec\-dsfromkey\fR\ 'u
-\fBdnssec\-dsfromkey\fR [\fB\-1\fR | \fB\-2\fR | \fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR | \fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] {keyfile}
+\fBdnssec\-dsfromkey\fR [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] {keyfile}
 .HP \w'\fBdnssec\-dsfromkey\fR\ 'u
-\fBdnssec\-dsfromkey\fR [\fB\-1\fR | \fB\-2\fR | \fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR | \fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-A\fR] {\fB\-f\ \fR\fB\fIfile\fR\fR} [dnsname]
+\fBdnssec\-dsfromkey\fR {\-s} [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-s\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-f\ \fR\fB\fIfile\fR\fR] [\fB\-A\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {dnsname}
 .HP \w'\fBdnssec\-dsfromkey\fR\ 'u
-\fBdnssec\-dsfromkey\fR [\fB\-1\fR | \fB\-2\fR | \fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR | \fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] {\-s} {dnsname}
-.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
-\fBdnssec\-dsfromkey\fR [\fB\-h\fR | \fB\-V\fR]
+\fBdnssec\-dsfromkey\fR [\fB\-h\fR] [\fB\-V\fR]
 .SH "DESCRIPTION"
 .PP
-The
 \fBdnssec\-dsfromkey\fR
-command outputs DS (Delegation Signer) resource records (RRs) and other similarly\-constructed RRs: with the
-\fB\-l\fR
-option it outputs DLV (DNSSEC Lookaside Validation) RRs; or with the
-\fB\-C\fR
-it outputs CDS (Child DS) RRs\&.
-.PP
-The input keys can be specified in a number of ways:
-.PP
-By default,
-\fBdnssec\-dsfromkey\fR
-reads a key file named like
-Knnnn\&.+aaa+iiiii\&.key, as generated by
-\fBdnssec\-keygen\fR\&.
-.PP
-With the
-\fB\-f \fR\fB\fIfile\fR\fR
-option,
-\fBdnssec\-dsfromkey\fR
-reads keys from a zone file or partial zone file (which can contain just the DNSKEY records)\&.
-.PP
-With the
-\fB\-s\fR
-option,
-\fBdnssec\-dsfromkey\fR
-reads a
-keyset\-
-file, as generated by
-\fBdnssec\-keygen\fR\fB\-C\fR\&.
+outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s)\&.
 .SH "OPTIONS"
 .PP
 \-1
 .RS 4
-An abbreviation for
-\fB\-a SHA1\fR
+Use SHA\-1 as the digest algorithm (the default is to use both SHA\-1 and SHA\-256)\&.
 .RE
 .PP
 \-2
 .RS 4
-An abbreviation for
-\fB\-a SHA\-256\fR
+Use SHA\-256 as the digest algorithm\&.
 .RE
 .PP
 \-a \fIalgorithm\fR
 .RS 4
-Specify a digest algorithm to use when converting DNSKEY records to DS records\&. This option can be repeated, so that multiple DS records are created for each DNSKEY record\&.
-.sp
-The
-\fIalgorithm\fR
-must be one of SHA\-1, SHA\-256, or SHA\-384\&. These values are case insensitive, and the hyphen may be omitted\&. If no algorithm is specified, the default is SHA\-256\&.
-.RE
-.PP
-\-A
-.RS 4
-Include ZSKs when generating DS records\&. Without this option, only keys which have the KSK flag set will be converted to DS records and printed\&. Useful only in
-\fB\-f\fR
-zone file mode\&.
-.RE
-.PP
-\-c \fIclass\fR
-.RS 4
-Specifies the DNS class (default is IN)\&. Useful only in
-\fB\-s\fR
-keyset or
-\fB\-f\fR
-zone file mode\&.
+Select the digest algorithm\&. The value of
+\fBalgorithm\fR
+must be one of SHA\-1 (SHA1), SHA\-256 (SHA256) or SHA\-384 (SHA384)\&. These values are case insensitive\&.
 .RE
 .PP
 \-C
 .RS 4
-Generate CDS records rather than DS records\&. This is mutually exclusive with the
-\fB\-l\fR
-option for generating DLV records\&.
+Generate CDS records rather than DS records\&. This is mutually exclusive with generating lookaside records\&.
+.RE
+.PP
+\-T \fITTL\fR
+.RS 4
+Specifies the TTL of the DS records\&.
+.RE
+.PP
+\-K \fIdirectory\fR
+.RS 4
+Look for key files (or, in keyset mode,
+keyset\-
+files) in
+\fBdirectory\fR\&.
 .RE
 .PP
 \-f \fIfile\fR
 .RS 4
-Zone file mode:
-\fBdnssec\-dsfromkey\fR\*(Aqs final
-\fIdnsname\fR
-argument is the DNS domain name of a zone whose master file can be read from
+Zone file mode: in place of the keyfile name, the argument is the DNS domain name of a zone master file, which can be read from
 \fBfile\fR\&. If the zone name is the same as
 \fBfile\fR, then it may be omitted\&.
 .sp
 If
-\fIfile\fR
-is
+\fBfile\fR
+is set to
 "\-", then the zone data is read from the standard input\&. This makes it possible to use the output of the
 \fBdig\fR
 command as input, as in:
@@ -143,41 +101,26 @@ command as input, as in:
 \fBdig dnskey example\&.com | dnssec\-dsfromkey \-f \- example\&.com\fR
 .RE
 .PP
-\-h
+\-A
 .RS 4
-Prints usage information\&.
-.RE
-.PP
-\-K \fIdirectory\fR
-.RS 4
-Look for key files or
-keyset\-
-files in
-\fBdirectory\fR\&.
+Include ZSKs when generating DS records\&. Without this option, only keys which have the KSK flag set will be converted to DS records and printed\&. Useful only in zone file mode\&.
 .RE
 .PP
 \-l \fIdomain\fR
 .RS 4
 Generate a DLV set instead of a DS set\&. The specified
-\fIdomain\fR
-is appended to the name for each record in the set\&. This is mutually exclusive with the
-\fB\-C\fR
-option for generating CDS records\&.
+\fBdomain\fR
+is appended to the name for each record in the set\&. The DNSSEC Lookaside Validation (DLV) RR is described in RFC 4431\&. This is mutually exclusive with generating CDS records\&.
 .RE
 .PP
 \-s
 .RS 4
-Keyset mode:
-\fBdnssec\-dsfromkey\fR\*(Aqs final
-\fIdnsname\fR
-argument is the DNS domain name used to locate a
-keyset\-
-file\&.
+Keyset mode: in place of the keyfile name, the argument is the DNS domain name of a keyset file\&.
 .RE
 .PP
-\-T \fITTL\fR
+\-c \fIclass\fR
 .RS 4
-Specifies the TTL of the DS records\&. By default the TTL is omitted\&.
+Specifies the DNS class (default is IN)\&. Useful only in keyset or zone file mode\&.
 .RE
 .PP
 \-v \fIlevel\fR
@@ -185,6 +128,11 @@ Specifies the TTL of the DS records\&. By default the TTL is omitted\&.
 Sets the debugging level\&.
 .RE
 .PP
+\-h
+.RS 4
+Prints usage information\&.
+.RE
+.PP
 \-V
 .RS 4
 Prints version information\&.
@@ -193,16 +141,16 @@ Prints version information\&.
 .PP
 To build the SHA\-256 DS RR from the
 \fBKexample\&.com\&.+003+26160\fR
-keyfile name, you can issue the following command:
+keyfile name, the following command would be issued:
 .PP
 \fBdnssec\-dsfromkey \-2 Kexample\&.com\&.+003+26160\fR
 .PP
 The command would print something like:
 .PP
-\fBexample\&.com\&. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94\fR
+\fBexample\&.com\&. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94\fR
 .SH "FILES"
 .PP
-The keyfile can be designated by the key identification
+The keyfile can be designed by the key identification
 Knnnn\&.+aaa+iiiii
 or the full file name
 Knnnn\&.+aaa+iiiii\&.key
@@ -222,20 +170,13 @@ A keyfile error can give a "file not found" even if the file exists\&.
 \fBdnssec-keygen\fR(8),
 \fBdnssec-signzone\fR(8),
 BIND 9 Administrator Reference Manual,
-RFC 3658
-(DS RRs),
-RFC 4431
-(DLV RRs),
-RFC 4509
-(SHA\-256 for DS RRs),
-RFC 6605
-(SHA\-384 for DS RRs),
-RFC 7344
-(CDS and CDNSKEY RRs)\&.
+RFC 3658,
+RFC 4431\&.
+RFC 4509\&.
 .SH "AUTHOR"
 .PP
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2008-2012, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2008-2012, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dnssec/dnssec-dsfromkey.c

@@ -235,7 +235,7 @@ logkey(dns_rdata_t *rdata)
 }
 
 static void
-emit(dns_dsdigest_t dtype, bool showall, char *lookaside,
+emit(unsigned int dtype, bool showall, char *lookaside,
      bool cds, dns_rdata_t *rdata)
 {
 	isc_result_t result;
@@ -318,27 +318,30 @@ usage(void) ISC_PLATFORM_NORETURN_POST;
 static void
 usage(void) {
 	fprintf(stderr, "Usage:\n");
-	fprintf(stderr,	"    %s [options] keyfile\n\n", program);
-	fprintf(stderr, "    %s [options] -f zonefile [zonename]\n\n", program);
-	fprintf(stderr, "    %s [options] -s dnsname\n\n", program);
-	fprintf(stderr, "    %s [-h|-V]\n\n", program);
+	fprintf(stderr,	"    %s options [-K dir] keyfile\n\n", program);
+	fprintf(stderr, "    %s options [-K dir] [-c class] -s dnsname\n\n",
+		program);
+	fprintf(stderr, "    %s options -f zonefile (as zone name)\n\n", program);
+	fprintf(stderr, "    %s options -f zonefile zonename\n\n", program);
 	fprintf(stderr, "Version: %s\n", VERSION);
-	fprintf(stderr, "Options:\n"
-"    -1: digest algorithm SHA-1\n"
-"    -2: digest algorithm SHA-256\n"
-"    -a algorithm: digest algorithm (SHA-1, SHA-256 or SHA-384)\n"
-"    -A: include all keys in DS set, not just KSKs (-f only)\n"
-"    -c class: rdata class for DS set (default IN) (-f or -s only)\n"
-"    -C: print CDS records\n"
-"    -f zonefile: read keys from a zone file\n"
-"    -h: print help information\n"
-"    -K directory: where to find key or keyset files\n"
-"    -l zone: print DLV records in the given lookaside zone\n"
-"    -s: read keys from keyset-<dnsname> file\n"
-"    -T: TTL of output records (omitted by default)\n"
-"    -v level: verbosity\n"
-"    -V: print version information\n");
-	fprintf(stderr, "Output: DS, DLV, or CDS RRs\n");
+	fprintf(stderr, "Options:\n");
+	fprintf(stderr, "    -v <verbose level>\n");
+	fprintf(stderr, "    -V: print version information\n");
+	fprintf(stderr, "    -K <directory>: directory in which to find "
+			"key file or keyset file\n");
+	fprintf(stderr, "    -a algorithm: digest algorithm "
+			"(SHA-1, SHA-256, GOST or SHA-384)\n");
+	fprintf(stderr, "    -1: use SHA-1\n");
+	fprintf(stderr, "    -2: use SHA-256\n");
+	fprintf(stderr, "    -C: print CDS record\n");
+	fprintf(stderr, "    -l: add lookaside zone and print DLV records\n");
+	fprintf(stderr, "    -s: read keyset from keyset-<dnsname> file\n");
+	fprintf(stderr, "    -c class: rdata class for DS set (default: IN)\n");
+	fprintf(stderr, "    -T TTL\n");
+	fprintf(stderr, "    -f file: read keyset from zone file\n");
+	fprintf(stderr, "    -A: when used with -f, "
+			"include all keys in DS set, not just KSKs\n");
+	fprintf(stderr, "Output: DS or DLV RRs\n");
 
 	exit (-1);
 }
@@ -350,7 +353,7 @@ main(int argc, char **argv) {
 	char		*lookaside = NULL;
 	char		*endp;
 	int		ch;
-	dns_dsdigest_t	dtype = DNS_DSDIGEST_SHA1;
+	unsigned int	dtype = DNS_DSDIGEST_SHA1;
 	bool	cds = false;
 	bool	both = true;
 	bool	usekeyset = false;
@@ -362,14 +365,12 @@ main(int argc, char **argv) {
 
 	dns_rdata_init(&rdata);
 
-	if (argc == 1) {
+	if (argc == 1)
 		usage();
-	}
 
 	result = isc_mem_create(0, 0, &mctx);
-	if (result != ISC_R_SUCCESS) {
+	if (result != ISC_R_SUCCESS)
 		fatal("out of memory");
-	}
 
 #if USE_PKCS11
 	pk11_result_register();
@@ -397,10 +398,9 @@ main(int argc, char **argv) {
 			both = false;
 			break;
 		case 'C':
-			if (lookaside != NULL) {
+			if (lookaside != NULL)
 				fatal("lookaside and CDS are mutually"
 				      " exclusive");
-			}
 			cds = true;
 			break;
 		case 'c':
@@ -412,18 +412,16 @@ main(int argc, char **argv) {
 			/* fall through */
 		case 'K':
 			dir = isc_commandline_argument;
-			if (strlen(dir) == 0U) {
+			if (strlen(dir) == 0U)
 				fatal("directory must be non-empty string");
-			}
 			break;
 		case 'f':
 			filename = isc_commandline_argument;
 			break;
 		case 'l':
-			if (cds) {
+			if (cds)
 				fatal("lookaside and CDS are mutually"
 				      " exclusive");
-			}
 			lookaside = isc_commandline_argument;
 			if (strlen(lookaside) == 0U)
 				fatal("lookaside must be a non-empty string");
@@ -437,18 +435,16 @@ main(int argc, char **argv) {
 			break;
 		case 'v':
 			verbose = strtol(isc_commandline_argument, &endp, 0);
-			if (*endp != '\0') {
+			if (*endp != '\0')
 				fatal("-v must be followed by a number");
-			}
 			break;
 		case 'F':
 			/* Reserved for FIPS mode */
 			/* FALLTHROUGH */
 		case '?':
-			if (isc_commandline_option != '?') {
+			if (isc_commandline_option != '?')
 				fprintf(stderr, "%s: invalid argument -%c\n",
 					program, isc_commandline_option);
-			}
 			/* FALLTHROUGH */
 		case 'h':
 			/* Does not return. */
@@ -467,56 +463,46 @@ main(int argc, char **argv) {
 
 	rdclass = strtoclass(classname);
 
-	if (usekeyset && filename != NULL) {
+	if (usekeyset && filename != NULL)
 		fatal("cannot use both -s and -f");
-	}
 
 	/* When not using -f, -A is implicit */
-	if (filename == NULL) {
+	if (filename == NULL)
 		showall = true;
-	}
 
-	if (argc < isc_commandline_index + 1 && filename == NULL) {
+	if (argc < isc_commandline_index + 1 && filename == NULL)
 		fatal("the key file name was not specified");
-	}
-	if (argc > isc_commandline_index + 1) {
+	if (argc > isc_commandline_index + 1)
 		fatal("extraneous arguments");
-	}
 
 	result = dst_lib_init(mctx, NULL);
-	if (result != ISC_R_SUCCESS) {
+	if (result != ISC_R_SUCCESS)
 		fatal("could not initialize dst: %s",
 		      isc_result_totext(result));
-	}
 
 	setup_logging(mctx, &log);
 
 	dns_rdataset_init(&rdataset);
 
 	if (usekeyset || filename != NULL) {
-		if (argc < isc_commandline_index + 1) {
+		if (argc < isc_commandline_index + 1 && filename != NULL) {
 			/* using zone name as the zone file name */
 			namestr = filename;
-		} else {
+		} else
 			namestr = argv[isc_commandline_index];
-		}
 
 		result = initname(namestr);
-		if (result != ISC_R_SUCCESS) {
+		if (result != ISC_R_SUCCESS)
 			fatal("could not initialize name %s", namestr);
-		}
 
-		if (usekeyset) {
+		if (usekeyset)
 			result = loadkeyset(dir, &rdataset);
-		} else {
-			INSIST(filename != NULL);
+		else
 			result = loadset(filename, &rdataset);
-		}
 
-		if (result != ISC_R_SUCCESS) {
+		if (result != ISC_R_SUCCESS)
 			fatal("could not load DNSKEY set: %s\n",
 			      isc_result_totext(result));
-		}
 
 		for (result = dns_rdataset_first(&rdataset);
 		     result == ISC_R_SUCCESS;
@@ -524,18 +510,16 @@ main(int argc, char **argv) {
 			dns_rdata_init(&rdata);
 			dns_rdataset_current(&rdataset, &rdata);
 
-			if (verbose > 2) {
+			if (verbose > 2)
 				logkey(&rdata);
-			}
 
 			if (both) {
 				emit(DNS_DSDIGEST_SHA1, showall, lookaside,
 				     cds, &rdata);
 				emit(DNS_DSDIGEST_SHA256, showall, lookaside,
 				     cds, &rdata);
-			} else {
+			} else
 				emit(dtype, showall, lookaside, cds, &rdata);
-			}
 		}
 	} else {
 		unsigned char key_buf[DST_KEY_MAXSIZE];
@@ -548,9 +532,8 @@ main(int argc, char **argv) {
 			     &rdata);
 			emit(DNS_DSDIGEST_SHA256, showall, lookaside, cds,
 			     &rdata);
-		} else {
+		} else
 			emit(dtype, showall, lookaside, cds, &rdata);
-		}
 	}
 
 	if (dns_rdataset_isassociated(&rdataset))
@@ -558,16 +541,14 @@ main(int argc, char **argv) {
 	cleanup_logging(&log);
 	dst_lib_destroy();
 	dns_name_destroy();
-	if (verbose > 10) {
+	if (verbose > 10)
 		isc_mem_stats(mctx, stdout);
-	}
 	isc_mem_destroy(&mctx);
 
 	fflush(stdout);
 	if (ferror(stdout)) {
 		fprintf(stderr, "write error\n");
 		return (1);
-	} else {
+	} else
 		return (0);
-	}
 }

bin/dnssec/dnssec-dsfromkey.docbook

@@ -41,7 +41,6 @@
       <year>2015</year>
       <year>2016</year>
       <year>2018</year>
-      <year>2019</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
@@ -49,108 +48,56 @@
   <refsynopsisdiv>
     <cmdsynopsis sepchar=" ">
       <command>dnssec-dsfromkey</command>
-      <group choice="opt">
-	<arg choice="plain"><option>-1</option></arg>
-	<arg choice="plain"><option>-2</option></arg>
-	<arg choice="plain"><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
-      </group>
-      <group>
-	<arg choice="plain" rep="norepeat"><option>-C</option></arg>
-	<arg choice="plain" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
-      </group>
-      <arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-1</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-2</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-C</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
       <arg choice="req" rep="norepeat">keyfile</arg>
     </cmdsynopsis>
     <cmdsynopsis sepchar=" ">
       <command>dnssec-dsfromkey</command>
-      <group choice="opt">
-	<arg choice="plain"><option>-1</option></arg>
-	<arg choice="plain"><option>-2</option></arg>
-	<arg choice="plain"><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
-      </group>
-      <group>
-	<arg choice="plain" rep="norepeat"><option>-C</option></arg>
-	<arg choice="plain" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
-      </group>
-      <arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-A</option></arg>
-      <arg choice="req" rep="norepeat"><option>-f <replaceable class="parameter">file</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat">dnsname</arg>
-    </cmdsynopsis>
-    <cmdsynopsis sepchar=" ">
-      <command>dnssec-dsfromkey</command>
-      <group choice="opt">
-	<arg choice="plain"><option>-1</option></arg>
-	<arg choice="plain"><option>-2</option></arg>
-	<arg choice="plain"><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
-      </group>
-      <group>
-	<arg choice="plain" rep="norepeat"><option>-C</option></arg>
-	<arg choice="plain" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
-      </group>
-      <arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
       <arg choice="req" rep="norepeat">-s</arg>
+      <arg choice="opt" rep="norepeat"><option>-1</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-2</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-s</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">file</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-A</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
       <arg choice="req" rep="norepeat">dnsname</arg>
-    </cmdsynopsis>
+   </cmdsynopsis>
     <cmdsynopsis sepchar=" ">
       <command>dnssec-dsfromkey</command>
-      <group choice="opt">
-	<arg choice="plain" rep="norepeat"><option>-h</option></arg>
-	<arg choice="plain" rep="norepeat"><option>-V</option></arg>
-      </group>
-    </cmdsynopsis>
+      <arg choice="opt" rep="norepeat"><option>-h</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-V</option></arg>
+   </cmdsynopsis>
   </refsynopsisdiv>
 
   <refsection><info><title>DESCRIPTION</title></info>
 
-    <para>
-      The <command>dnssec-dsfromkey</command> command outputs DS (Delegation
-      Signer) resource records (RRs) and other similarly-constructed RRs:
-      with the <option>-l</option> option it outputs DLV (DNSSEC Lookaside
-      Validation) RRs; or with the <option>-C</option> it outputs CDS (Child
-      DS) RRs.
+    <para><command>dnssec-dsfromkey</command>
+      outputs the Delegation Signer (DS) resource record (RR), as defined in
+      RFC 3658 and RFC 4509, for the given key(s).
     </para>
-
-    <para>
-      The input keys can be specified in a number of ways:
-    </para>
-
-    <para>
-      By default, <command>dnssec-dsfromkey</command> reads a key file
-      named like <filename>Knnnn.+aaa+iiiii.key</filename>, as generated
-      by <command>dnssec-keygen</command>.
-    </para>
-
-    <para>
-      With the <option>-f <replaceable>file</replaceable></option>
-      option, <command>dnssec-dsfromkey</command> reads keys from a zone file
-      or partial zone file (which can contain just the DNSKEY records).
-    </para>
-
-    <para>
-      With the <option>-s</option>
-      option, <command>dnssec-dsfromkey</command> reads
-      a <filename>keyset-</filename> file, as generated
-      by <command>dnssec-keygen</command> <option>-C</option>.
-    </para>
-
   </refsection>
 
   <refsection><info><title>OPTIONS</title></info>
 
+
     <variablelist>
       <varlistentry>
 	<term>-1</term>
 	<listitem>
 	  <para>
-	    An abbreviation for <option>-a SHA1</option>
+	    Use SHA-1 as the digest algorithm (the default is to use
+	    both SHA-1 and SHA-256).
 	  </para>
 	</listitem>
       </varlistentry>
@@ -159,7 +106,7 @@
 	<term>-2</term>
 	<listitem>
 	  <para>
-	    An abbreviation for <option>-a SHA-256</option>
+	    Use SHA-256 as the digest algorithm.
 	  </para>
 	</listitem>
       </varlistentry>
@@ -168,49 +115,40 @@
 	<term>-a <replaceable class="parameter">algorithm</replaceable></term>
 	<listitem>
 	  <para>
-	    Specify a digest algorithm to use when converting DNSKEY
-	    records to DS records. This option can be repeated, so
-	    that multiple DS records are created for each DNSKEY
-	    record.
-          </para>
-          <para>
-	    The <replaceable>algorithm</replaceable> must be one of
-	    SHA-1, SHA-256, or SHA-384.  These values are case insensitive,
-	    and the hyphen may be omitted.  If no algorithm is specified,
-	    the default is SHA-256.
+	    Select the digest algorithm. The value of
+	    <option>algorithm</option> must be one of SHA-1 (SHA1),
+	    SHA-256 (SHA256) or SHA-384 (SHA384).
+	    These values are case insensitive.
 	  </para>
 	</listitem>
       </varlistentry>
 
-      <varlistentry>
-        <term>-A</term>
-        <listitem>
-          <para>
-            Include ZSKs when generating DS records. Without this option, only
-            keys which have the KSK flag set will be converted to DS records
-            and printed. Useful only in <option>-f</option> zone file mode.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-c <replaceable class="parameter">class</replaceable></term>
-	<listitem>
-	  <para>
-	    Specifies the DNS class (default is IN). Useful only
-	    in <option>-s</option> keyset or <option>-f</option>
-	    zone file mode.
-	  </para>
-	  </listitem>
-      </varlistentry>
-
       <varlistentry>
 	<term>-C</term>
 	<listitem>
 	  <para>
-	    Generate CDS records rather than DS records. This is mutually
-	    exclusive with the <option>-l</option> option for generating DLV
-	    records.
+	    Generate CDS records rather than DS records.  This is mutually
+	    exclusive with generating lookaside records.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-T <replaceable class="parameter">TTL</replaceable></term>
+	<listitem>
+	  <para>
+	    Specifies the TTL of the DS records.
+	  </para>
+	  </listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-K <replaceable class="parameter">directory</replaceable></term>
+	<listitem>
+	  <para>
+	    Look for key files (or, in keyset mode,
+	    <filename>keyset-</filename> files) in
+	    <option>directory</option>.
 	  </para>
 	</listitem>
       </varlistentry>
@@ -219,14 +157,13 @@
 	<term>-f <replaceable class="parameter">file</replaceable></term>
 	<listitem>
 	  <para>
-	    Zone file mode: <command>dnssec-dsfromkey</command>'s
-	    final <replaceable>dnsname</replaceable> argument is
-	    the DNS domain name of a zone whose master file can be read
+	    Zone file mode: in place of the keyfile name, the argument is
+	    the DNS domain name of a zone master file, which can be read
 	    from <option>file</option>.  If the zone name is the same as
 	    <option>file</option>, then it may be omitted.
 	  </para>
 	  <para>
-	    If <replaceable>file</replaceable> is <literal>"-"</literal>, then
+	    If <option>file</option> is set to <literal>"-"</literal>, then
 	    the zone data is read from the standard input.  This makes it
 	    possible to use the output of the <command>dig</command>
 	    command as input, as in:
@@ -238,33 +175,26 @@
       </varlistentry>
 
       <varlistentry>
-	<term>-h</term>
-	<listitem>
-	  <para>
-	    Prints usage information.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-K <replaceable class="parameter">directory</replaceable></term>
-	<listitem>
-	  <para>
-	    Look for key files or <filename>keyset-</filename> files in
-	    <option>directory</option>.
-	  </para>
-	</listitem>
+        <term>-A</term>
+        <listitem>
+          <para>
+            Include ZSKs when generating DS records.  Without this option,
+            only keys which have the KSK flag set will be converted to DS
+            records and printed.  Useful only in zone file mode.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
 	<term>-l <replaceable class="parameter">domain</replaceable></term>
 	<listitem>
 	  <para>
-	    Generate a DLV set instead of a DS set. The specified
-	    <replaceable>domain</replaceable> is appended to the name for each
+	    Generate a DLV set instead of a DS set.  The specified
+	    <option>domain</option> is appended to the name for each
 	    record in the set.
-	    This is mutually exclusive with the <option>-C</option> option
-	    for generating CDS records.
+	    The DNSSEC Lookaside Validation (DLV) RR is described
+	    in RFC 4431.  This is mutually exclusive with generating
+	    CDS records.
 	  </para>
 	</listitem>
       </varlistentry>
@@ -273,18 +203,18 @@
 	<term>-s</term>
 	<listitem>
 	  <para>
-	    Keyset mode: <command>dnssec-dsfromkey</command>'s
-	    final <replaceable>dnsname</replaceable> argument is the DNS
-	    domain name used to locate a <filename>keyset-</filename> file.
+	    Keyset mode: in place of the keyfile name, the argument is
+	    the DNS domain name of a keyset file.
 	  </para>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
-	<term>-T <replaceable class="parameter">TTL</replaceable></term>
+	<term>-c <replaceable class="parameter">class</replaceable></term>
 	<listitem>
 	  <para>
-	    Specifies the TTL of the DS records. By default the TTL is omitted.
+	    Specifies the DNS class (default is IN).  Useful only
+	    in keyset or zone file mode.
 	  </para>
 	  </listitem>
       </varlistentry>
@@ -298,6 +228,15 @@
 	</listitem>
       </varlistentry>
 
+      <varlistentry>
+	<term>-h</term>
+	<listitem>
+	  <para>
+	    Prints usage information.
+	  </para>
+	</listitem>
+      </varlistentry>
+
       <varlistentry>
 	<term>-V</term>
 	<listitem>
@@ -314,22 +253,21 @@
     <para>
       To build the SHA-256 DS RR from the
       <userinput>Kexample.com.+003+26160</userinput>
-      keyfile name, you can issue the following command:
+      keyfile name, the following command would be issued:
     </para>
     <para><userinput>dnssec-dsfromkey -2 Kexample.com.+003+26160</userinput>
     </para>
     <para>
       The command would print something like:
     </para>
-    <para><userinput>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94</userinput>
+    <para><userinput>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</userinput>
     </para>
-
   </refsection>
 
   <refsection><info><title>FILES</title></info>
 
     <para>
-      The keyfile can be designated by the key identification
+      The keyfile can be designed by the key identification
       <filename>Knnnn.+aaa+iiiii</filename> or the full file name
       <filename>Knnnn.+aaa+iiiii.key</filename> as generated by
       <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>.
@@ -357,11 +295,9 @@
 	<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
       </citerefentry>,
       <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
-      <citetitle>RFC 3658</citetitle> (DS RRs),
-      <citetitle>RFC 4431</citetitle> (DLV RRs),
-      <citetitle>RFC 4509</citetitle> (SHA-256 for DS RRs),
-      <citetitle>RFC 6605</citetitle> (SHA-384 for DS RRs),
-      <citetitle>RFC 7344</citetitle> (CDS and CDNSKEY RRs).
+      <citetitle>RFC 3658</citetitle>,
+      <citetitle>RFC 4431</citetitle>.
+      <citetitle>RFC 4509</citetitle>.
     </para>
   </refsection>
 

bin/dnssec/dnssec-dsfromkey.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2008-2012, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2008-2012, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -33,167 +33,105 @@
 <h2>Synopsis</h2>
     <div class="cmdsynopsis"><p>
       <code class="command">dnssec-dsfromkey</code> 
-       [
-	 <code class="option">-1</code> 
-	 |   <code class="option">-2</code> 
-	 |   <code class="option">-a <em class="replaceable"><code>alg</code></em></code> 
-      ]
-       [
-	 <code class="option">-C</code> 
-	 |   <code class="option">-l <em class="replaceable"><code>domain</code></em></code> 
-      ]
-       [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
        [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
-       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
+       [<code class="option">-1</code>]
+       [<code class="option">-2</code>]
+       [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>]
+       [<code class="option">-C</code>]
+       [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>]
+       [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
        {keyfile}
     </p></div>
     <div class="cmdsynopsis"><p>
       <code class="command">dnssec-dsfromkey</code> 
-       [
-	 <code class="option">-1</code> 
-	 |   <code class="option">-2</code> 
-	 |   <code class="option">-a <em class="replaceable"><code>alg</code></em></code> 
-      ]
-       [
-	 <code class="option">-C</code> 
-	 |   <code class="option">-l <em class="replaceable"><code>domain</code></em></code> 
-      ]
-       [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
-       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
-       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
-       [<code class="option">-A</code>]
-       {<code class="option">-f <em class="replaceable"><code>file</code></em></code>}
-       [dnsname]
-    </p></div>
-    <div class="cmdsynopsis"><p>
-      <code class="command">dnssec-dsfromkey</code> 
-       [
-	 <code class="option">-1</code> 
-	 |   <code class="option">-2</code> 
-	 |   <code class="option">-a <em class="replaceable"><code>alg</code></em></code> 
-      ]
-       [
-	 <code class="option">-C</code> 
-	 |   <code class="option">-l <em class="replaceable"><code>domain</code></em></code> 
-      ]
-       [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
-       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
-       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
-       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
        {-s}
+       [<code class="option">-1</code>]
+       [<code class="option">-2</code>]
+       [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>]
+       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
+       [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>]
+       [<code class="option">-s</code>]
+       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
+       [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
+       [<code class="option">-f <em class="replaceable"><code>file</code></em></code>]
+       [<code class="option">-A</code>]
+       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
        {dnsname}
-    </p></div>
+   </p></div>
     <div class="cmdsynopsis"><p>
       <code class="command">dnssec-dsfromkey</code> 
-       [
-	 <code class="option">-h</code> 
-	 |   <code class="option">-V</code> 
-      ]
-    </p></div>
+       [<code class="option">-h</code>]
+       [<code class="option">-V</code>]
+   </p></div>
   </div>
 
   <div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
 
-    <p>
-      The <span class="command"><strong>dnssec-dsfromkey</strong></span> command outputs DS (Delegation
-      Signer) resource records (RRs) and other similarly-constructed RRs:
-      with the <code class="option">-l</code> option it outputs DLV (DNSSEC Lookaside
-      Validation) RRs; or with the <code class="option">-C</code> it outputs CDS (Child
-      DS) RRs.
+    <p><span class="command"><strong>dnssec-dsfromkey</strong></span>
+      outputs the Delegation Signer (DS) resource record (RR), as defined in
+      RFC 3658 and RFC 4509, for the given key(s).
     </p>
-
-    <p>
-      The input keys can be specified in a number of ways:
-    </p>
-
-    <p>
-      By default, <span class="command"><strong>dnssec-dsfromkey</strong></span> reads a key file
-      named like <code class="filename">Knnnn.+aaa+iiiii.key</code>, as generated
-      by <span class="command"><strong>dnssec-keygen</strong></span>.
-    </p>
-
-    <p>
-      With the <code class="option">-f <em class="replaceable"><code>file</code></em></code>
-      option, <span class="command"><strong>dnssec-dsfromkey</strong></span> reads keys from a zone file
-      or partial zone file (which can contain just the DNSKEY records).
-    </p>
-
-    <p>
-      With the <code class="option">-s</code>
-      option, <span class="command"><strong>dnssec-dsfromkey</strong></span> reads
-      a <code class="filename">keyset-</code> file, as generated
-      by <span class="command"><strong>dnssec-keygen</strong></span> <code class="option">-C</code>.
-    </p>
-
   </div>
 
   <div class="refsection">
 <a name="id-1.8"></a><h2>OPTIONS</h2>
 
+
     <div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-1</span></dt>
 <dd>
 	  <p>
-	    An abbreviation for <code class="option">-a SHA1</code>
+	    Use SHA-1 as the digest algorithm (the default is to use
+	    both SHA-1 and SHA-256).
 	  </p>
 	</dd>
 <dt><span class="term">-2</span></dt>
 <dd>
 	  <p>
-	    An abbreviation for <code class="option">-a SHA-256</code>
+	    Use SHA-256 as the digest algorithm.
 	  </p>
 	</dd>
 <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 <dd>
 	  <p>
-	    Specify a digest algorithm to use when converting DNSKEY
-	    records to DS records. This option can be repeated, so
-	    that multiple DS records are created for each DNSKEY
-	    record.
-          </p>
-          <p>
-	    The <em class="replaceable"><code>algorithm</code></em> must be one of
-	    SHA-1, SHA-256, or SHA-384.  These values are case insensitive,
-	    and the hyphen may be omitted.  If no algorithm is specified,
-	    the default is SHA-256.
+	    Select the digest algorithm. The value of
+	    <code class="option">algorithm</code> must be one of SHA-1 (SHA1),
+	    SHA-256 (SHA256) or SHA-384 (SHA384).
+	    These values are case insensitive.
 	  </p>
 	</dd>
-<dt><span class="term">-A</span></dt>
-<dd>
-          <p>
-            Include ZSKs when generating DS records. Without this option, only
-            keys which have the KSK flag set will be converted to DS records
-            and printed. Useful only in <code class="option">-f</code> zone file mode.
-          </p>
-        </dd>
-<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd>
-	  <p>
-	    Specifies the DNS class (default is IN). Useful only
-	    in <code class="option">-s</code> keyset or <code class="option">-f</code>
-	    zone file mode.
-	  </p>
-	  </dd>
 <dt><span class="term">-C</span></dt>
 <dd>
 	  <p>
-	    Generate CDS records rather than DS records. This is mutually
-	    exclusive with the <code class="option">-l</code> option for generating DLV
-	    records.
+	    Generate CDS records rather than DS records.  This is mutually
+	    exclusive with generating lookaside records.
+	  </p>
+	</dd>
+<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
+<dd>
+	  <p>
+	    Specifies the TTL of the DS records.
+	  </p>
+	  </dd>
+<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
+<dd>
+	  <p>
+	    Look for key files (or, in keyset mode,
+	    <code class="filename">keyset-</code> files) in
+	    <code class="option">directory</code>.
 	  </p>
 	</dd>
 <dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
 <dd>
 	  <p>
-	    Zone file mode: <span class="command"><strong>dnssec-dsfromkey</strong></span>'s
-	    final <em class="replaceable"><code>dnsname</code></em> argument is
-	    the DNS domain name of a zone whose master file can be read
+	    Zone file mode: in place of the keyfile name, the argument is
+	    the DNS domain name of a zone master file, which can be read
 	    from <code class="option">file</code>.  If the zone name is the same as
 	    <code class="option">file</code>, then it may be omitted.
 	  </p>
 	  <p>
-	    If <em class="replaceable"><code>file</code></em> is <code class="literal">"-"</code>, then
+	    If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
 	    the zone data is read from the standard input.  This makes it
 	    possible to use the output of the <span class="command"><strong>dig</strong></span>
 	    command as input, as in:
@@ -202,41 +140,37 @@
 	    <strong class="userinput"><code>dig dnskey example.com | dnssec-dsfromkey -f - example.com</code></strong>
 	  </p>
 	</dd>
-<dt><span class="term">-h</span></dt>
+<dt><span class="term">-A</span></dt>
 <dd>
-	  <p>
-	    Prints usage information.
-	  </p>
-	</dd>
-<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
-	  <p>
-	    Look for key files or <code class="filename">keyset-</code> files in
-	    <code class="option">directory</code>.
-	  </p>
-	</dd>
+          <p>
+            Include ZSKs when generating DS records.  Without this option,
+            only keys which have the KSK flag set will be converted to DS
+            records and printed.  Useful only in zone file mode.
+          </p>
+        </dd>
 <dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
 <dd>
 	  <p>
-	    Generate a DLV set instead of a DS set. The specified
-	    <em class="replaceable"><code>domain</code></em> is appended to the name for each
+	    Generate a DLV set instead of a DS set.  The specified
+	    <code class="option">domain</code> is appended to the name for each
 	    record in the set.
-	    This is mutually exclusive with the <code class="option">-C</code> option
-	    for generating CDS records.
+	    The DNSSEC Lookaside Validation (DLV) RR is described
+	    in RFC 4431.  This is mutually exclusive with generating
+	    CDS records.
 	  </p>
 	</dd>
 <dt><span class="term">-s</span></dt>
 <dd>
 	  <p>
-	    Keyset mode: <span class="command"><strong>dnssec-dsfromkey</strong></span>'s
-	    final <em class="replaceable"><code>dnsname</code></em> argument is the DNS
-	    domain name used to locate a <code class="filename">keyset-</code> file.
+	    Keyset mode: in place of the keyfile name, the argument is
+	    the DNS domain name of a keyset file.
 	  </p>
 	</dd>
-<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
+<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
 <dd>
 	  <p>
-	    Specifies the TTL of the DS records. By default the TTL is omitted.
+	    Specifies the DNS class (default is IN).  Useful only
+	    in keyset or zone file mode.
 	  </p>
 	  </dd>
 <dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
@@ -245,6 +179,12 @@
 	    Sets the debugging level.
 	  </p>
 	</dd>
+<dt><span class="term">-h</span></dt>
+<dd>
+	  <p>
+	    Prints usage information.
+	  </p>
+	</dd>
 <dt><span class="term">-V</span></dt>
 <dd>
 	  <p>
@@ -260,23 +200,22 @@
     <p>
       To build the SHA-256 DS RR from the
       <strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
-      keyfile name, you can issue the following command:
+      keyfile name, the following command would be issued:
     </p>
     <p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong>
     </p>
     <p>
       The command would print something like:
     </p>
-    <p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94</code></strong>
+    <p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</code></strong>
     </p>
-
   </div>
 
   <div class="refsection">
 <a name="id-1.10"></a><h2>FILES</h2>
 
     <p>
-      The keyfile can be designated by the key identification
+      The keyfile can be designed by the key identification
       <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
       <code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
       <span class="refentrytitle">dnssec-keygen</span>(8).
@@ -306,11 +245,9 @@
 	<span class="refentrytitle">dnssec-signzone</span>(8)
       </span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
-      <em class="citetitle">RFC 3658</em> (DS RRs),
-      <em class="citetitle">RFC 4431</em> (DLV RRs),
-      <em class="citetitle">RFC 4509</em> (SHA-256 for DS RRs),
-      <em class="citetitle">RFC 6605</em> (SHA-384 for DS RRs),
-      <em class="citetitle">RFC 7344</em> (CDS and CDNSKEY RRs).
+      <em class="citetitle">RFC 3658</em>,
+      <em class="citetitle">RFC 4431</em>.
+      <em class="citetitle">RFC 4509</em>.
     </p>
   </div>
 

bin/dnssec/dnssec-importkey.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2013-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2013-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -134,5 +134,5 @@ RFC 5011\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2013-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2013-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dnssec/dnssec-importkey.docbook

@@ -38,7 +38,6 @@
       <year>2015</year>
       <year>2016</year>
       <year>2018</year>
-      <year>2019</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>

bin/dnssec/dnssec-importkey.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2013-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2013-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this

bin/dnssec/dnssec-keyfromlabel.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2008-2012, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2008-2012, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -55,7 +55,7 @@ of the key is specified on the command line\&. This must match the name of the z
 .RS 4
 Selects the cryptographic algorithm\&. The value of
 \fBalgorithm\fR
-must be one of RSASHA1, NSEC3RSASHA1, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&.
+must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&.
 .sp
 If no algorithm is specified, then RSASHA1 will be used by default, unless the
 \fB\-3\fR
@@ -63,9 +63,9 @@ option is specified, in which case NSEC3RSASHA1 will be used instead\&. (If
 \fB\-3\fR
 is used and an algorithm is specified, that algorithm will be checked for compatibility with NSEC3\&.)
 .sp
-These values are case insensitive\&. In some cases, abbreviations are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for ECDSAP384SHA384\&. If RSASHA1 is specified along with the
+These values are case insensitive\&. In some cases, abbreviations are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for ECDSAP384SHA384\&. If RSASHA1 or DSA is specified along with the
 \fB\-3\fR
-option, then NSEC3RSASHA1 will be used instead\&.
+option, then NSEC3RSASHA1 or NSEC3DSA will be used instead\&.
 .sp
 As of BIND 9\&.12\&.0, this option is mandatory except when using the
 \fB\-S\fR
@@ -307,5 +307,5 @@ The PKCS#11 URI Scheme (draft\-pechanec\-pkcs11uri\-13)\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2008-2012, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2008-2012, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dnssec/dnssec-keyfromlabel.c

@@ -64,8 +64,8 @@ usage(void) {
 	fprintf(stderr, "    name: owner of the key\n");
 	fprintf(stderr, "Other options:\n");
 	fprintf(stderr, "    -a algorithm: \n"
-			"        DH | RSASHA1 |\n"
-			"        NSEC3RSASHA1 |\n"
+			"        RSA | RSAMD5 | DH | DSA | RSASHA1 |\n"
+			"        NSEC3DSA | NSEC3RSASHA1 |\n"
 			"        RSASHA256 | RSASHA512 |\n"
 			"        ECDSAP256SHA256 | ECDSAP384SHA384\n");
 	fprintf(stderr, "    -3: use NSEC3-capable algorithm\n");
@@ -382,21 +382,33 @@ main(int argc, char **argv) {
 			fatal("no algorithm specified");
 		}
 
-		r.base = algname;
-		r.length = strlen(algname);
-		ret = dns_secalg_fromtext(&alg, &r);
-		if (ret != ISC_R_SUCCESS) {
-			fatal("unknown algorithm %s", algname);
-		}
-		if (alg == DST_ALG_DH) {
-			options |= DST_TYPE_KEY;
+		if (strcasecmp(algname, "RSA") == 0) {
+			fprintf(stderr, "The use of RSA (RSAMD5) is not "
+					"recommended.\nIf you still wish to "
+					"use RSA (RSAMD5) please specify "
+					"\"-a RSAMD5\"\n");
+			if (freeit != NULL)
+				free(freeit);
+			return (1);
+		} else {
+			r.base = algname;
+			r.length = strlen(algname);
+			ret = dns_secalg_fromtext(&alg, &r);
+			if (ret != ISC_R_SUCCESS)
+				fatal("unknown algorithm %s", algname);
+			if (alg == DST_ALG_DH)
+				options |= DST_TYPE_KEY;
 		}
 
 		if (use_nsec3) {
 			switch (alg) {
+			case DST_ALG_DSA:
+				alg = DST_ALG_NSEC3DSA;
+				break;
 			case DST_ALG_RSASHA1:
 				alg = DST_ALG_NSEC3RSASHA1;
 				break;
+			case DST_ALG_NSEC3DSA:
 			case DST_ALG_NSEC3RSASHA1:
 			case DST_ALG_RSASHA256:
 			case DST_ALG_RSASHA512:
@@ -631,10 +643,10 @@ main(int argc, char **argv) {
 
 		if (setdel)
 			dst_key_settime(key, DST_TIME_DELETE, deltime);
-		if (setsyncadd)
-			dst_key_settime(key, DST_TIME_SYNCPUBLISH, syncadd);
-		if (setsyncdel)
-			dst_key_settime(key, DST_TIME_SYNCDELETE, syncdel);
+	if (setsyncadd)
+		dst_key_settime(key, DST_TIME_SYNCPUBLISH, syncadd);
+	if (setsyncdel)
+		dst_key_settime(key, DST_TIME_SYNCDELETE, syncdel);
 
 	} else {
 		if (setpub || setact || setrev || setinact ||

bin/dnssec/dnssec-keyfromlabel.docbook

@@ -43,7 +43,6 @@
       <year>2016</year>
       <year>2017</year>
       <year>2018</year>
-      <year>2019</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
@@ -106,8 +105,8 @@
 	<listitem>
 	  <para>
 	    Selects the cryptographic algorithm.  The value of
-	    <option>algorithm</option> must be one of RSASHA1,
-	    NSEC3RSASHA1, RSASHA256, RSASHA512,
+	    <option>algorithm</option> must be one of RSAMD5, RSASHA1,
+	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512,
 	    ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
 	  </para>
 	  <para>
@@ -120,9 +119,9 @@
 	  <para>
 	    These values are case insensitive. In some cases, abbreviations
 	    are supported, such as ECDSA256 for ECDSAP256SHA256 and
-	    ECDSA384 for ECDSAP384SHA384. If RSASHA1 is specified
+	    ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified
 	    along with the <option>-3</option> option, then NSEC3RSASHA1
-	    will be used instead.
+	    or NSEC3DSA will be used instead.
 	  </para>
 	  <para>
 	    As of BIND 9.12.0, this option is mandatory except when using

bin/dnssec/dnssec-keyfromlabel.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2008-2012, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2008-2012, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -89,8 +89,8 @@
 <dd>
 	  <p>
 	    Selects the cryptographic algorithm.  The value of
-	    <code class="option">algorithm</code> must be one of RSASHA1,
-	    NSEC3RSASHA1, RSASHA256, RSASHA512,
+	    <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
+	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512,
 	    ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
 	  </p>
 	  <p>
@@ -103,9 +103,9 @@
 	  <p>
 	    These values are case insensitive. In some cases, abbreviations
 	    are supported, such as ECDSA256 for ECDSAP256SHA256 and
-	    ECDSA384 for ECDSAP384SHA384. If RSASHA1 is specified
+	    ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified
 	    along with the <code class="option">-3</code> option, then NSEC3RSASHA1
-	    will be used instead.
+	    or NSEC3DSA will be used instead.
 	  </p>
 	  <p>
 	    As of BIND 9.12.0, this option is mandatory except when using

bin/dnssec/dnssec-keygen.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2000-2005, 2007-2012, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2005, 2007-2012, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -39,7 +39,7 @@
 dnssec-keygen \- DNSSEC key generation tool
 .SH "SYNOPSIS"
 .HP \w'\fBdnssec\-keygen\fR\ 'u
-\fBdnssec\-keygen\fR [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name}
+\fBdnssec\-keygen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] {name}
 .SH "DESCRIPTION"
 .PP
 \fBdnssec\-keygen\fR
@@ -58,24 +58,17 @@ may be preferable to direct use of
 \fBdnssec\-keygen\fR\&.
 .SH "OPTIONS"
 .PP
-\-3
-.RS 4
-Use an NSEC3\-capable algorithm to generate a DNSSEC key\&. If this option is used with an algorithm that has both NSEC and NSEC3 versions, then the NSEC3 version will be used; for example,
-\fBdnssec\-keygen \-3a RSASHA1\fR
-specifies the NSEC3RSASHA1 algorithm\&.
-.RE
-.PP
 \-a \fIalgorithm\fR
 .RS 4
 Selects the cryptographic algorithm\&. For DNSSEC keys, the value of
 \fBalgorithm\fR
-must be one of RSASHA1, NSEC3RSASHA1, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&. For TKEY, the value must be DH (Diffie Hellman); specifying his value will automatically set the
+must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&. For TKEY, the value must be DH (Diffie Hellman); specifying his value will automatically set the
 \fB\-T KEY\fR
 option as well\&.
 .sp
-These values are case insensitive\&. In some cases, abbreviations are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for ECDSAP384SHA384\&. If RSASHA1 is specified along with the
+These values are case insensitive\&. In some cases, abbreviations are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for ECDSAP384SHA384\&. If RSASHA1 or DSA is specified along with the
 \fB\-3\fR
-option, then NSEC3RSASHA1 will be used instead\&.
+option, then NSEC3RSASHA1 or NSEC3DSA will be used instead\&.
 .sp
 This parameter
 \fImust\fR
@@ -90,15 +83,29 @@ to generate TSIG keys\&.
 .PP
 \-b \fIkeysize\fR
 .RS 4
-Specifies the number of bits in the key\&. The choice of key size depends on the algorithm used\&. RSA keys must be between 1024 and 4096 bits\&. Diffie Hellman keys must be between 128 and 4096 bits\&. Elliptic curve algorithms don\*(Aqt need this parameter\&.
+Specifies the number of bits in the key\&. The choice of key size depends on the algorithm used\&. RSA keys must be between 1024 and 2048 bits\&. Diffie Hellman keys must be between 128 and 4096 bits\&. DSA keys must be between 512 and 1024 bits and an exact multiple of 64\&. HMAC keys must be between 1 and 512 bits\&. Elliptic curve algorithms don\*(Aqt need this parameter\&.
 .sp
 If the key size is not specified, some algorithms have pre\-defined defaults\&. For example, RSA keys for use as DNSSEC zone signing keys have a default size of 1024 bits; RSA keys for use as key signing keys (KSKs, generated with
 \fB\-f KSK\fR) default to 2048 bits\&.
 .RE
 .PP
+\-n \fInametype\fR
+.RS 4
+Specifies the owner type of the key\&. The value of
+\fBnametype\fR
+must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY)\&. These values are case insensitive\&. Defaults to ZONE for DNSKEY generation\&.
+.RE
+.PP
+\-3
+.RS 4
+Use an NSEC3\-capable algorithm to generate a DNSSEC key\&. If this option is used with an algorithm that has both NSEC and NSEC3 versions, then the NSEC3 version will be used; for example,
+\fBdnssec\-keygen \-3a RSASHA1\fR
+specifies the NSEC3RSASHA1 algorithm\&.
+.RE
+.PP
 \-C
 .RS 4
-Compatibility mode: generates an old\-style key, without any timing metadata\&. By default,
+Compatibility mode: generates an old\-style key, without any metadata\&. By default,
 \fBdnssec\-keygen\fR
 will include the key\*(Aqs creation date in the metadata stored with the private key, and other dates may be set there as well (publication date, activation date, etc)\&. Keys that include this data may be incompatible with older versions of BIND; the
 \fB\-C\fR
@@ -143,6 +150,11 @@ Prints a short summary of the options and arguments to
 Sets the directory in which the key files are to be written\&.
 .RE
 .PP
+\-k
+.RS 4
+Deprecated in favor of \-T KEY\&.
+.RE
+.PP
 \-L \fIttl\fR
 .RS 4
 Sets the default TTL to use for this key when it is converted into a DNSKEY RR\&. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence\&. If this value is not set and there is no existing DNSKEY RRset, the TTL will default to the SOA TTL\&. Setting the default TTL to
@@ -152,17 +164,9 @@ none
 is the same as leaving it unset\&.
 .RE
 .PP
-\-n \fInametype\fR
-.RS 4
-Specifies the owner type of the key\&. The value of
-\fBnametype\fR
-must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY)\&. These values are case insensitive\&. Defaults to ZONE for DNSKEY generation\&.
-.RE
-.PP
 \-p \fIprotocol\fR
 .RS 4
-Sets the protocol value for the generated key, for use with
-\fB\-T KEY\fR\&. The protocol is a number between 0 and 255\&. The default is 3 (DNSSEC)\&. Other possible values for this argument are listed in RFC 2535 and its successors\&.
+Sets the protocol value for the generated key\&. The protocol is a number between 0 and 255\&. The default is 3 (DNSSEC)\&. Other possible values for this argument are listed in RFC 2535 and its successors\&.
 .RE
 .PP
 \-q
@@ -189,25 +193,27 @@ Specifies the strength value of the key\&. The strength is a number between 0 an
 Specifies the resource record type to use for the key\&.
 \fBrrtype\fR
 must be either DNSKEY or KEY\&. The default is DNSKEY when using a DNSSEC algorithm, but it can be overridden to KEY for use with SIG(0)\&.
+Specifying any TSIG algorithm (HMAC\-* or DH) with
+\fB\-a\fR
+forces this option to KEY\&.
 .RE
 .PP
 \-t \fItype\fR
 .RS 4
-Indicates the use of the key, for use with
-\fB\-T KEY\fR\&.
+Indicates the use of the key\&.
 \fBtype\fR
 must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF\&. The default is AUTHCONF\&. AUTH refers to the ability to authenticate data, and CONF the ability to encrypt data\&.
 .RE
 .PP
-\-V
-.RS 4
-Prints version information\&.
-.RE
-.PP
 \-v \fIlevel\fR
 .RS 4
 Sets the debugging level\&.
 .RE
+.PP
+\-V
+.RS 4
+Prints version information\&.
+.RE
 .SH "TIMING OPTIONS"
 .PP
 Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS\&. If the argument begins with a \*(Aq+\*(Aq or \*(Aq\-\*(Aq, it is interpreted as an offset from the present time\&. For convenience, if such an offset is followed by one of the suffixes \*(Aqy\*(Aq, \*(Aqmo\*(Aq, \*(Aqw\*(Aq, \*(Aqd\*(Aq, \*(Aqh\*(Aq, or \*(Aqmi\*(Aq, then the offset is computed in years (defined as 365 24\-hour days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively\&. Without a suffix, the offset is computed in seconds\&. To explicitly prevent a date from being set, use \*(Aqnone\*(Aq or \*(Aqnever\*(Aq\&.
@@ -308,39 +314,34 @@ contains the private key\&.
 .PP
 The
 \&.key
-file contains a DNSKEY or KEY record\&. When a zone is being signed by
-\fBnamed\fR
-or
-\fBdnssec\-signzone\fR\fB\-S\fR, DNSKEY records are included automatically\&. In other cases, the
-\&.key
-file can be inserted into a zone file manually or with a
-\fB$INCLUDE\fR
-statement\&.
+file contains a DNS KEY record that can be inserted into a zone file (directly or with a $INCLUDE statement)\&.
 .PP
 The
 \&.private
 file contains algorithm\-specific fields\&. For obvious security reasons, this file does not have general read permission\&.
+.PP
+Both
+\&.key
+and
+\&.private
+files are generated for symmetric cryptography algorithms such as HMAC\-MD5, even though the public and private key are equivalent\&.
 .SH "EXAMPLE"
 .PP
-To generate an ECDSAP256SHA256 zone\-signing key for the zone
-\fBexample\&.com\fR, issue the command:
+To generate a 768\-bit DSA key for the domain
+\fBexample\&.com\fR, the following command would be issued:
 .PP
-\fBdnssec\-keygen \-a ECDSAP256SHA256 example\&.com\fR
+\fBdnssec\-keygen \-a DSA \-b 768 \-n ZONE example\&.com\fR
 .PP
 The command would print a string of the form:
 .PP
-\fBKexample\&.com\&.+013+26160\fR
+\fBKexample\&.com\&.+003+26160\fR
 .PP
 In this example,
 \fBdnssec\-keygen\fR
 creates the files
-Kexample\&.com\&.+013+26160\&.key
+Kexample\&.com\&.+003+26160\&.key
 and
-Kexample\&.com\&.+013+26160\&.private\&.
-.PP
-To generate a matching key\-signing key, issue the command:
-.PP
-\fBdnssec\-keygen \-a ECDSAP256SHA256 \-f KSK example\&.com\fR
+Kexample\&.com\&.+003+26160\&.private\&.
 .SH "SEE ALSO"
 .PP
 \fBdnssec-signzone\fR(8),
@@ -353,5 +354,5 @@ RFC 4034\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2000-2005, 2007-2012, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000-2005, 2007-2012, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dnssec/dnssec-keygen.c

@@ -79,17 +79,23 @@ usage(void) {
 	fprintf(stderr, "Options:\n");
 	fprintf(stderr, "    -K <directory>: write keys into directory\n");
 	fprintf(stderr, "    -a <algorithm>:\n");
-	fprintf(stderr, "        RSASHA1 | NSEC3RSASHA1 |\n");
+	fprintf(stderr, "        RSA | RSAMD5 | DSA | RSASHA1 | NSEC3RSASHA1"
+				" | NSEC3DSA |\n");
 	fprintf(stderr, "        RSASHA256 | RSASHA512 |\n");
 	fprintf(stderr, "        ECDSAP256SHA256 | ECDSAP384SHA384 |\n");
 	fprintf(stderr, "        ED25519 | ED448 | DH\n");
 	fprintf(stderr, "    -3: use NSEC3-capable algorithm\n");
 	fprintf(stderr, "    -b <key size in bits>:\n");
+	fprintf(stderr, "        RSAMD5:\t[1024..%d]\n", MAX_RSA);
 	fprintf(stderr, "        RSASHA1:\t[1024..%d]\n", MAX_RSA);
 	fprintf(stderr, "        NSEC3RSASHA1:\t[1024..%d]\n", MAX_RSA);
 	fprintf(stderr, "        RSASHA256:\t[1024..%d]\n", MAX_RSA);
 	fprintf(stderr, "        RSASHA512:\t[1024..%d]\n", MAX_RSA);
 	fprintf(stderr, "        DH:\t\t[128..4096]\n");
+	fprintf(stderr, "        DSA:\t\t[512..1024] and divisible by 64\n");
+	fprintf(stderr, "        NSEC3DSA:\t[512..1024] and divisible "
+				"by 64\n");
+	fprintf(stderr, "        ECCGOST:\tignored\n");
 	fprintf(stderr, "        ECDSAP256SHA256:\tignored\n");
 	fprintf(stderr, "        ECDSAP384SHA384:\tignored\n");
 	fprintf(stderr, "        ED25519:\tignored\n");
@@ -155,6 +161,11 @@ usage(void) {
 	exit (-1);
 }
 
+static bool
+dsa_size_ok(int size) {
+	return (size >= 512 && size <= 1024 && size % 64 == 0);
+}
+
 static void
 progress(int p)
 {
@@ -241,7 +252,7 @@ main(int argc, char **argv) {
 	/*
 	 * Process memory debugging argument first.
 	 */
-#define CMDLINE_FLAGS "3A:a:b:Cc:D:d:E:eFf:Gg:hI:i:K:L:m:n:P:p:qR:r:S:s:T:t:" \
+#define CMDLINE_FLAGS "3A:a:b:Cc:D:d:E:eFf:Gg:hI:i:K:kL:m:n:P:p:qR:r:S:s:T:t:" \
 		      "v:V"
 	while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
 		switch (ch) {
@@ -322,6 +333,11 @@ main(int argc, char **argv) {
 				fatal("cannot open directory %s: %s",
 				      directory, isc_result_totext(ret));
 			break;
+		case 'k':
+			fatal("The -k option has been deprecated.\n"
+			      "To generate a key-signing key, use -f KSK.\n"
+			      "To generate a key with TYPE=KEY, use -T KEY.\n");
+			break;
 		case 'L':
 			ttl = strtottl(isc_commandline_argument);
 			setttl = true;
@@ -501,14 +517,23 @@ main(int argc, char **argv) {
 			fatal("no algorithm specified");
 		}
 
-		r.base = algname;
-		r.length = strlen(algname);
-		ret = dns_secalg_fromtext(&alg, &r);
-		if (ret != ISC_R_SUCCESS) {
-			fatal("unknown algorithm %s", algname);
-		}
-		if (alg == DST_ALG_DH) {
-			options |= DST_TYPE_KEY;
+		if (strcasecmp(algname, "RSA") == 0) {
+			fprintf(stderr, "The use of RSA (RSAMD5) is not "
+					"recommended.\nIf you still wish to "
+					"use RSA (RSAMD5) please specify "
+					"\"-a RSAMD5\"\n");
+			INSIST(freeit == NULL);
+			return (1);
+		} else {
+			r.base = algname;
+			r.length = strlen(algname);
+			ret = dns_secalg_fromtext(&alg, &r);
+			if (ret != ISC_R_SUCCESS) {
+				fatal("unknown algorithm %s", algname);
+			}
+			if (alg == DST_ALG_DH) {
+				options |= DST_TYPE_KEY;
+			}
 		}
 
 		if (!dst_algorithm_supported(alg)) {
@@ -517,12 +542,17 @@ main(int argc, char **argv) {
 
 		if (use_nsec3) {
 			switch (alg) {
+			case DST_ALG_DSA:
+				alg = DST_ALG_NSEC3DSA;
+				break;
 			case DST_ALG_RSASHA1:
 				alg = DST_ALG_NSEC3RSASHA1;
 				break;
+			case DST_ALG_NSEC3DSA:
 			case DST_ALG_NSEC3RSASHA1:
 			case DST_ALG_RSASHA256:
 			case DST_ALG_RSASHA512:
+			case DST_ALG_ECCGOST:
 			case DST_ALG_ECDSA256:
 			case DST_ALG_ECDSA384:
 			case DST_ALG_ED25519:
@@ -568,6 +598,7 @@ main(int argc, char **argv) {
 							" to %d\n", size);
 				}
 				break;
+			case DST_ALG_ECCGOST:
 			case DST_ALG_ECDSA256:
 			case DST_ALG_ECDSA384:
 			case DST_ALG_ED25519:
@@ -682,6 +713,7 @@ main(int argc, char **argv) {
 	}
 
 	switch (alg) {
+	case DNS_KEYALG_RSAMD5:
 	case DNS_KEYALG_RSASHA1:
 	case DNS_KEYALG_NSEC3RSASHA1:
 	case DNS_KEYALG_RSASHA256:
@@ -696,6 +728,14 @@ main(int argc, char **argv) {
 		if (size != 0 && (size < 128 || size > 4096))
 			fatal("DH key size %d out of range", size);
 		break;
+	case DNS_KEYALG_DSA:
+	case DNS_KEYALG_NSEC3DSA:
+		if (size != 0 && !dsa_size_ok(size))
+			fatal("invalid DSS key size: %d", size);
+		break;
+	case DST_ALG_ECCGOST:
+		size = 256;
+		break;
 	case DST_ALG_ECDSA256:
 		size = 256;
 		break;
@@ -763,6 +803,7 @@ main(int argc, char **argv) {
 	}
 
 	switch(alg) {
+	case DNS_KEYALG_RSAMD5:
 	case DNS_KEYALG_RSASHA1:
 	case DNS_KEYALG_NSEC3RSASHA1:
 	case DNS_KEYALG_RSASHA256:
@@ -774,6 +815,9 @@ main(int argc, char **argv) {
 		param = generator;
 		break;
 
+	case DNS_KEYALG_DSA:
+	case DNS_KEYALG_NSEC3DSA:
+	case DST_ALG_ECCGOST:
 	case DST_ALG_ECDSA256:
 	case DST_ALG_ECDSA384:
 	case DST_ALG_ED25519:

bin/dnssec/dnssec-keygen.docbook

@@ -50,7 +50,6 @@
       <year>2016</year>
       <year>2017</year>
       <year>2018</year>
-      <year>2019</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
@@ -58,10 +57,11 @@
   <refsynopsisdiv>
     <cmdsynopsis sepchar=" ">
       <command>dnssec-keygen</command>
-      <arg choice="opt" rep="norepeat"><option>-3</option></arg>
-      <arg choice="opt" rep="norepeat"><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
       <arg rep="norepeat"><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-3</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-C</option></arg>
       <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
@@ -76,7 +76,6 @@
       <arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-k</option></arg>
       <arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-P sync <replaceable class="parameter">date/offset</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
@@ -87,6 +86,7 @@
       <arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">type</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-V</option></arg>
       <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-z</option></arg>
       <arg choice="req" rep="norepeat">name</arg>
     </cmdsynopsis>
   </refsynopsisdiv>
@@ -117,27 +117,13 @@
 
 
     <variablelist>
-
-      <varlistentry>
-	<term>-3</term>
-	<listitem>
-	  <para>
-	    Use an NSEC3-capable algorithm to generate a DNSSEC key.
-	    If this option is used with an algorithm that has both
-	    NSEC and NSEC3 versions, then the NSEC3 version will be
-	    used; for example, <command>dnssec-keygen -3a RSASHA1</command>
-	    specifies the NSEC3RSASHA1 algorithm.
-	  </para>
-	</listitem>
-      </varlistentry>
-
       <varlistentry>
 	<term>-a <replaceable class="parameter">algorithm</replaceable></term>
 	<listitem>
 	  <para>
 	    Selects the cryptographic algorithm.  For DNSSEC keys, the value
-	    of <option>algorithm</option> must be one of RSASHA1,
-	    NSEC3RSASHA1, RSASHA256, RSASHA512,
+	    of <option>algorithm</option> must be one of RSAMD5, RSASHA1,
+	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512,
 	    ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.  For
 	    TKEY, the value must be DH (Diffie Hellman); specifying
 	    his value will automatically set the <option>-T KEY</option>
@@ -146,9 +132,9 @@
 	  <para>
 	    These values are case insensitive. In some cases, abbreviations
 	    are supported, such as ECDSA256 for ECDSAP256SHA256 and
-	    ECDSA384 for ECDSAP384SHA384. If RSASHA1 is specified
+	    ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified
 	    along with the <option>-3</option> option, then NSEC3RSASHA1
-	    will be used instead.
+	    or NSEC3DSA will be used instead.
 	  </para>
 	  <para>
 	    This parameter <emphasis>must</emphasis> be specified except
@@ -170,9 +156,11 @@
 	  <para>
 	    Specifies the number of bits in the key.  The choice of key
 	    size depends on the algorithm used.  RSA keys must be
-	    between 1024 and 4096 bits.  Diffie Hellman keys must be between
-	    128 and 4096 bits.  Elliptic curve algorithms don't need this
-	    parameter.
+	    between 1024 and 2048 bits.  Diffie Hellman keys must be between
+	    128 and 4096 bits.  DSA keys must be between 512 and 1024
+	    bits and an exact multiple of 64.  HMAC keys must be
+	    between 1 and 512 bits. Elliptic curve algorithms don't need
+	    this parameter.
 	  </para>
 	  <para>
 	    If the key size is not specified, some algorithms have
@@ -184,16 +172,43 @@
 	</listitem>
       </varlistentry>
 
+      <varlistentry>
+	<term>-n <replaceable class="parameter">nametype</replaceable></term>
+	<listitem>
+	  <para>
+	    Specifies the owner type of the key.  The value of
+	    <option>nametype</option> must either be ZONE (for a DNSSEC
+	    zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
+	    with a host (KEY)), USER (for a key associated with a
+	    user(KEY)) or OTHER (DNSKEY).  These values are case
+	    insensitive.  Defaults to ZONE for DNSKEY generation.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-3</term>
+	<listitem>
+	  <para>
+	    Use an NSEC3-capable algorithm to generate a DNSSEC key.
+	    If this option is used with an algorithm that has both
+	    NSEC and NSEC3 versions, then the NSEC3 version will be
+	    used; for example, <command>dnssec-keygen -3a RSASHA1</command>
+	    specifies the NSEC3RSASHA1 algorithm.
+	  </para>
+	</listitem>
+      </varlistentry>
+
       <varlistentry>
 	<term>-C</term>
 	<listitem>
 	  <para>
-	    Compatibility mode: generates an old-style key, without any
-	    timing metadata. By default, <command>dnssec-keygen</command>
-	    will include the key's creation date in the metadata stored with
-	    the private key, and other dates may be set there as well
-	    (publication date, activation date, etc). Keys that include this
-	    data may be incompatible with older versions of BIND; the
+	    Compatibility mode:  generates an old-style key, without
+	    any metadata.  By default, <command>dnssec-keygen</command>
+	    will include the key's creation date in the metadata stored
+	    with the private key, and other dates may be set there as well
+	    (publication date, activation date, etc).  Keys that include
+	    this data may be incompatible with older versions of BIND; the
 	    <option>-C</option> option suppresses them.
 	  </para>
 	</listitem>
@@ -277,6 +292,15 @@
 	</listitem>
       </varlistentry>
 
+      <varlistentry>
+	<term>-k</term>
+	<listitem>
+	  <para>
+	    Deprecated in favor of -T KEY.
+	  </para>
+	</listitem>
+      </varlistentry>
+
       <varlistentry>
 	<term>-L <replaceable class="parameter">ttl</replaceable></term>
 	<listitem>
@@ -293,28 +317,14 @@
 	</listitem>
       </varlistentry>
 
-      <varlistentry>
-	<term>-n <replaceable class="parameter">nametype</replaceable></term>
-	<listitem>
-	  <para>
-	    Specifies the owner type of the key.  The value of
-	    <option>nametype</option> must either be ZONE (for a DNSSEC
-	    zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
-	    with a host (KEY)), USER (for a key associated with a
-	    user(KEY)) or OTHER (DNSKEY).  These values are case
-	    insensitive.  Defaults to ZONE for DNSKEY generation.
-	  </para>
-	</listitem>
-      </varlistentry>
-
       <varlistentry>
 	<term>-p <replaceable class="parameter">protocol</replaceable></term>
 	<listitem>
 	  <para>
-	    Sets the protocol value for the generated key, for use
-	    with <option>-T KEY</option>. The protocol is a number between 0
-	    and 255. The default is 3 (DNSSEC). Other possible values for
-	    this argument are listed in RFC 2535 and its successors.
+	    Sets the protocol value for the generated key.  The protocol
+	    is a number between 0 and 255.  The default is 3 (DNSSEC).
+	    Other possible values for this argument are listed in
+	    RFC 2535 and its successors.
 	  </para>
 	</listitem>
       </varlistentry>
@@ -372,6 +382,10 @@
 	    <option>rrtype</option> must be either DNSKEY or KEY.  The
 	    default is DNSKEY when using a DNSSEC algorithm, but it can be
 	    overridden to KEY for use with SIG(0).
+	  <para>
+	  </para>
+	    Specifying any TSIG algorithm (HMAC-* or DH) with
+	    <option>-a</option> forces this option to KEY.
 	  </para>
 	</listitem>
       </varlistentry>
@@ -380,20 +394,10 @@
 	<term>-t <replaceable class="parameter">type</replaceable></term>
 	<listitem>
 	  <para>
-	    Indicates the use of the key, for use with <option>-T
-	    KEY</option>. <option>type</option> must be one of AUTHCONF,
-	    NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH
-	    refers to the ability to authenticate data, and CONF the ability
-	    to encrypt data.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-V</term>
-	<listitem>
-	  <para>
-	    Prints version information.
+	    Indicates the use of the key.  <option>type</option> must be
+	    one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF.  The default
+	    is AUTHCONF.  AUTH refers to the ability to authenticate
+	    data, and CONF the ability to encrypt data.
 	  </para>
 	</listitem>
       </varlistentry>
@@ -407,6 +411,15 @@
 	</listitem>
       </varlistentry>
 
+      <varlistentry>
+	<term>-V</term>
+	<listitem>
+	  <para>
+	    Prints version information.
+	  </para>
+	</listitem>
+      </varlistentry>
+
     </variablelist>
   </refsection>
 
@@ -571,12 +584,10 @@
       key.
     </para>
     <para>
-      The <filename>.key</filename> file contains a DNSKEY or KEY record.
-      When a zone is being signed by <command>named</command>
-      or <command>dnssec-signzone</command> <option>-S</option>, DNSKEY
-      records are included automatically. In other cases,
-      the <filename>.key</filename> file can be inserted into a zone file
-      manually or with a <userinput>$INCLUDE</userinput> statement.
+      The <filename>.key</filename> file contains a DNS KEY record
+      that
+      can be inserted into a zone file (directly or with a $INCLUDE
+      statement).
     </para>
     <para>
       The <filename>.private</filename> file contains
@@ -584,33 +595,32 @@
       fields.  For obvious security reasons, this file does not have
       general read permission.
     </para>
+    <para>
+      Both <filename>.key</filename> and <filename>.private</filename>
+      files are generated for symmetric cryptography algorithms such as
+      HMAC-MD5, even though the public and private key are equivalent.
+    </para>
   </refsection>
 
   <refsection><info><title>EXAMPLE</title></info>
 
     <para>
-      To generate an ECDSAP256SHA256 zone-signing key for the zone
-      <userinput>example.com</userinput>, issue the command:
+      To generate a 768-bit DSA key for the domain
+      <userinput>example.com</userinput>, the following command would be
+      issued:
     </para>
-    <para>
-      <userinput>dnssec-keygen -a ECDSAP256SHA256 example.com</userinput>
+    <para><userinput>dnssec-keygen -a DSA -b 768 -n ZONE example.com</userinput>
     </para>
     <para>
       The command would print a string of the form:
     </para>
-    <para><userinput>Kexample.com.+013+26160</userinput>
+    <para><userinput>Kexample.com.+003+26160</userinput>
     </para>
     <para>
       In this example, <command>dnssec-keygen</command> creates
-      the files <filename>Kexample.com.+013+26160.key</filename>
+      the files <filename>Kexample.com.+003+26160.key</filename>
       and
-      <filename>Kexample.com.+013+26160.private</filename>.
-    </para>
-    <para>
-      To generate a matching key-signing key, issue the command:
-    </para>
-    <para>
-      <userinput>dnssec-keygen -a ECDSAP256SHA256 -f KSK example.com</userinput>
+      <filename>Kexample.com.+003+26160.private</filename>.
     </para>
   </refsection>
 

bin/dnssec/dnssec-keygen.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2005, 2007-2012, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2005, 2007-2012, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -33,10 +33,11 @@
 <h2>Synopsis</h2>
     <div class="cmdsynopsis"><p>
       <code class="command">dnssec-keygen</code> 
-       [<code class="option">-3</code>]
-       [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
        [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
        [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
+       [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
+       [<code class="option">-3</code>]
+       [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
        [<code class="option">-C</code>]
        [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
        [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
@@ -51,7 +52,6 @@
        [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
        [<code class="option">-k</code>]
        [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
-       [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
        [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
        [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
        [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>]
@@ -62,6 +62,7 @@
        [<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
        [<code class="option">-V</code>]
        [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
+       [<code class="option">-z</code>]
        {name}
     </p></div>
   </div>
@@ -94,22 +95,12 @@
 
 
     <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">-3</span></dt>
-<dd>
-	  <p>
-	    Use an NSEC3-capable algorithm to generate a DNSSEC key.
-	    If this option is used with an algorithm that has both
-	    NSEC and NSEC3 versions, then the NSEC3 version will be
-	    used; for example, <span class="command"><strong>dnssec-keygen -3a RSASHA1</strong></span>
-	    specifies the NSEC3RSASHA1 algorithm.
-	  </p>
-	</dd>
 <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 <dd>
 	  <p>
 	    Selects the cryptographic algorithm.  For DNSSEC keys, the value
-	    of <code class="option">algorithm</code> must be one of RSASHA1,
-	    NSEC3RSASHA1, RSASHA256, RSASHA512,
+	    of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
+	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512,
 	    ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.  For
 	    TKEY, the value must be DH (Diffie Hellman); specifying
 	    his value will automatically set the <code class="option">-T KEY</code>
@@ -118,9 +109,9 @@
 	  <p>
 	    These values are case insensitive. In some cases, abbreviations
 	    are supported, such as ECDSA256 for ECDSAP256SHA256 and
-	    ECDSA384 for ECDSAP384SHA384. If RSASHA1 is specified
+	    ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified
 	    along with the <code class="option">-3</code> option, then NSEC3RSASHA1
-	    will be used instead.
+	    or NSEC3DSA will be used instead.
 	  </p>
 	  <p>
 	    This parameter <span class="emphasis"><em>must</em></span> be specified except
@@ -139,9 +130,11 @@
 	  <p>
 	    Specifies the number of bits in the key.  The choice of key
 	    size depends on the algorithm used.  RSA keys must be
-	    between 1024 and 4096 bits.  Diffie Hellman keys must be between
-	    128 and 4096 bits.  Elliptic curve algorithms don't need this
-	    parameter.
+	    between 1024 and 2048 bits.  Diffie Hellman keys must be between
+	    128 and 4096 bits.  DSA keys must be between 512 and 1024
+	    bits and an exact multiple of 64.  HMAC keys must be
+	    between 1 and 512 bits. Elliptic curve algorithms don't need
+	    this parameter.
 	  </p>
 	  <p>
 	    If the key size is not specified, some algorithms have
@@ -151,15 +144,36 @@
 	    <code class="option">-f KSK</code>) default to 2048 bits.
 	  </p>
 	</dd>
+<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
+<dd>
+	  <p>
+	    Specifies the owner type of the key.  The value of
+	    <code class="option">nametype</code> must either be ZONE (for a DNSSEC
+	    zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
+	    with a host (KEY)), USER (for a key associated with a
+	    user(KEY)) or OTHER (DNSKEY).  These values are case
+	    insensitive.  Defaults to ZONE for DNSKEY generation.
+	  </p>
+	</dd>
+<dt><span class="term">-3</span></dt>
+<dd>
+	  <p>
+	    Use an NSEC3-capable algorithm to generate a DNSSEC key.
+	    If this option is used with an algorithm that has both
+	    NSEC and NSEC3 versions, then the NSEC3 version will be
+	    used; for example, <span class="command"><strong>dnssec-keygen -3a RSASHA1</strong></span>
+	    specifies the NSEC3RSASHA1 algorithm.
+	  </p>
+	</dd>
 <dt><span class="term">-C</span></dt>
 <dd>
 	  <p>
-	    Compatibility mode: generates an old-style key, without any
-	    timing metadata. By default, <span class="command"><strong>dnssec-keygen</strong></span>
-	    will include the key's creation date in the metadata stored with
-	    the private key, and other dates may be set there as well
-	    (publication date, activation date, etc). Keys that include this
-	    data may be incompatible with older versions of BIND; the
+	    Compatibility mode:  generates an old-style key, without
+	    any metadata.  By default, <span class="command"><strong>dnssec-keygen</strong></span>
+	    will include the key's creation date in the metadata stored
+	    with the private key, and other dates may be set there as well
+	    (publication date, activation date, etc).  Keys that include
+	    this data may be incompatible with older versions of BIND; the
 	    <code class="option">-C</code> option suppresses them.
 	  </p>
 	</dd>
@@ -220,6 +234,12 @@
 	    Sets the directory in which the key files are to be written.
 	  </p>
 	</dd>
+<dt><span class="term">-k</span></dt>
+<dd>
+	  <p>
+	    Deprecated in favor of -T KEY.
+	  </p>
+	</dd>
 <dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
 <dd>
 	  <p>
@@ -233,24 +253,13 @@
 	    or <code class="literal">none</code> is the same as leaving it unset.
 	  </p>
 	</dd>
-<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
-<dd>
-	  <p>
-	    Specifies the owner type of the key.  The value of
-	    <code class="option">nametype</code> must either be ZONE (for a DNSSEC
-	    zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
-	    with a host (KEY)), USER (for a key associated with a
-	    user(KEY)) or OTHER (DNSKEY).  These values are case
-	    insensitive.  Defaults to ZONE for DNSKEY generation.
-	  </p>
-	</dd>
 <dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
 <dd>
 	  <p>
-	    Sets the protocol value for the generated key, for use
-	    with <code class="option">-T KEY</code>. The protocol is a number between 0
-	    and 255. The default is 3 (DNSSEC). Other possible values for
-	    this argument are listed in RFC 2535 and its successors.
+	    Sets the protocol value for the generated key.  The protocol
+	    is a number between 0 and 255.  The default is 3 (DNSSEC).
+	    Other possible values for this argument are listed in
+	    RFC 2535 and its successors.
 	  </p>
 	</dd>
 <dt><span class="term">-q</span></dt>
@@ -297,21 +306,20 @@
 	    default is DNSKEY when using a DNSSEC algorithm, but it can be
 	    overridden to KEY for use with SIG(0).
 	  </p>
+<p>
+	  </p>
+<p>
+	    Specifying any TSIG algorithm (HMAC-* or DH) with
+	    <code class="option">-a</code> forces this option to KEY.
+	  </p>
 	</dd>
 <dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
 <dd>
 	  <p>
-	    Indicates the use of the key, for use with <code class="option">-T
-	    KEY</code>. <code class="option">type</code> must be one of AUTHCONF,
-	    NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH
-	    refers to the ability to authenticate data, and CONF the ability
-	    to encrypt data.
-	  </p>
-	</dd>
-<dt><span class="term">-V</span></dt>
-<dd>
-	  <p>
-	    Prints version information.
+	    Indicates the use of the key.  <code class="option">type</code> must be
+	    one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF.  The default
+	    is AUTHCONF.  AUTH refers to the ability to authenticate
+	    data, and CONF the ability to encrypt data.
 	  </p>
 	</dd>
 <dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
@@ -320,6 +328,12 @@
 	    Sets the debugging level.
 	  </p>
 	</dd>
+<dt><span class="term">-V</span></dt>
+<dd>
+	  <p>
+	    Prints version information.
+	  </p>
+	</dd>
 </dl></div>
   </div>
 
@@ -462,12 +476,10 @@
       key.
     </p>
     <p>
-      The <code class="filename">.key</code> file contains a DNSKEY or KEY record.
-      When a zone is being signed by <span class="command"><strong>named</strong></span>
-      or <span class="command"><strong>dnssec-signzone</strong></span> <code class="option">-S</code>, DNSKEY
-      records are included automatically. In other cases,
-      the <code class="filename">.key</code> file can be inserted into a zone file
-      manually or with a <strong class="userinput"><code>$INCLUDE</code></strong> statement.
+      The <code class="filename">.key</code> file contains a DNS KEY record
+      that
+      can be inserted into a zone file (directly or with a $INCLUDE
+      statement).
     </p>
     <p>
       The <code class="filename">.private</code> file contains
@@ -475,34 +487,33 @@
       fields.  For obvious security reasons, this file does not have
       general read permission.
     </p>
+    <p>
+      Both <code class="filename">.key</code> and <code class="filename">.private</code>
+      files are generated for symmetric cryptography algorithms such as
+      HMAC-MD5, even though the public and private key are equivalent.
+    </p>
   </div>
 
   <div class="refsection">
 <a name="id-1.11"></a><h2>EXAMPLE</h2>
 
     <p>
-      To generate an ECDSAP256SHA256 zone-signing key for the zone
-      <strong class="userinput"><code>example.com</code></strong>, issue the command:
+      To generate a 768-bit DSA key for the domain
+      <strong class="userinput"><code>example.com</code></strong>, the following command would be
+      issued:
     </p>
-    <p>
-      <strong class="userinput"><code>dnssec-keygen -a ECDSAP256SHA256 example.com</code></strong>
+    <p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
     </p>
     <p>
       The command would print a string of the form:
     </p>
-    <p><strong class="userinput"><code>Kexample.com.+013+26160</code></strong>
+    <p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
     </p>
     <p>
       In this example, <span class="command"><strong>dnssec-keygen</strong></span> creates
-      the files <code class="filename">Kexample.com.+013+26160.key</code>
+      the files <code class="filename">Kexample.com.+003+26160.key</code>
       and
-      <code class="filename">Kexample.com.+013+26160.private</code>.
-    </p>
-    <p>
-      To generate a matching key-signing key, issue the command:
-    </p>
-    <p>
-      <strong class="userinput"><code>dnssec-keygen -a ECDSAP256SHA256 -f KSK example.com</code></strong>
+      <code class="filename">Kexample.com.+003+26160.private</code>.
     </p>
   </div>
 

bin/dnssec/dnssec-revoke.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2009, 2011, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009, 2011, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -99,5 +99,5 @@ RFC 5011\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2009, 2011, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009, 2011, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dnssec/dnssec-revoke.c

@@ -57,13 +57,13 @@ usage(void) {
 #else
 	fprintf(stderr, "    -E engine:    specify OpenSSL engine\n");
 #endif
-	fprintf(stderr, "    -f:           force overwrite\n");
-	fprintf(stderr, "    -h:           help\n");
+	fprintf(stderr, "    -f:	   force overwrite\n");
 	fprintf(stderr, "    -K directory: use directory for key files\n");
-	fprintf(stderr, "    -r:           remove old keyfiles after "
+	fprintf(stderr, "    -h:	   help\n");
+	fprintf(stderr, "    -r:	   remove old keyfiles after "
 					   "creating revoked version\n");
-	fprintf(stderr, "    -v level:     set level of verbosity\n");
-	fprintf(stderr, "    -V:           print version information\n");
+	fprintf(stderr, "    -v level:	   set level of verbosity\n");
+	fprintf(stderr, "    -V: print version information\n");
 	fprintf(stderr, "Output:\n");
 	fprintf(stderr, "     K<name>+<alg>+<new id>.key, "
 			     "K<name>+<alg>+<new id>.private\n");
@@ -239,7 +239,7 @@ main(int argc, char **argv) {
 		 * Remove old key file, if told to (and if
 		 * it isn't the same as the new file)
 		 */
-		if (removefile) {
+		if (removefile && dst_key_alg(key) != DST_ALG_RSAMD5) {
 			isc_buffer_init(&buf, oldname, sizeof(oldname));
 			dst_key_setflags(key, flags & ~DNS_KEYFLAG_REVOKE);
 			dst_key_buildfilename(key, DST_TYPE_PRIVATE, dir, &buf);

bin/dnssec/dnssec-revoke.docbook

@@ -38,7 +38,6 @@
       <year>2015</year>
       <year>2016</year>
       <year>2018</year>
-      <year>2019</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>

bin/dnssec/dnssec-revoke.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2009, 2011, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2011, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this

bin/dnssec/dnssec-settime.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2009-2011, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009-2011, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -200,5 +200,5 @@ RFC 5011\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2009-2011, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009-2011, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dnssec/dnssec-settime.docbook

@@ -40,7 +40,6 @@
       <year>2016</year>
       <year>2017</year>
       <year>2018</year>
-      <year>2019</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>

bin/dnssec/dnssec-settime.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2009-2011, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009-2011, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this

bin/dnssec/dnssec-signzone.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2000-2009, 2011-2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2009, 2011-2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -415,9 +415,9 @@ Specify which keys should be used to sign the zone\&. If no keys are specified,
 .PP
 The following command signs the
 \fBexample\&.com\fR
-zone with the ECDSAP256SHA256 key generated by key generated by
+zone with the DSA key generated by
 \fBdnssec\-keygen\fR
-(Kexample\&.com\&.+013+17247)\&. Because the
+(Kexample\&.com\&.+003+17247)\&. Because the
 \fB\-S\fR
 option is not being used, the zone\*(Aqs keys must be in the master file (db\&.example\&.com)\&. This invocation looks for
 dsset
@@ -428,7 +428,7 @@ files, in the current directory, so that DS records can be imported from them (\
 .\}
 .nf
 % dnssec\-signzone \-g \-o example\&.com db\&.example\&.com \e
-Kexample\&.com\&.+013+17247
+Kexample\&.com\&.+003+17247
 db\&.example\&.com\&.signed
 %
 .fi
@@ -468,5 +468,5 @@ RFC 4641\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2000-2009, 2011-2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000-2009, 2011-2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dnssec/dnssec-signzone.c

@@ -40,7 +40,6 @@
 #include <isc/file.h>
 #include <isc/hash.h>
 #include <isc/hex.h>
-#include <isc/md.h>
 #include <isc/mem.h>
 #include <isc/mutex.h>
 #include <isc/os.h>
@@ -533,6 +532,8 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name,
 		arraysize += dns_rdataset_count(&sigset);
 	wassignedby = isc_mem_get(mctx, arraysize * sizeof(bool));
 	nowsignedby = isc_mem_get(mctx, arraysize * sizeof(bool));
+	if (wassignedby == NULL || nowsignedby == NULL)
+		fatal("out of memory");
 
 	for (i = 0; i < arraysize; i++)
 		wassignedby[i] = nowsignedby[i] = false;
@@ -3874,11 +3875,9 @@ main(int argc, char *argv[]) {
 			      isc_result_totext(result));
 	}
 
-	isc_mutex_init(&namelock);
-
-	if (printstats) {
-		isc_mutex_init(&statslock);
-	}
+	RUNTIME_CHECK(isc_mutex_init(&namelock) == ISC_R_SUCCESS);
+	if (printstats)
+		RUNTIME_CHECK(isc_mutex_init(&statslock) == ISC_R_SUCCESS);
 
 	presign();
 	TIME_NOW(&sign_start);
@@ -3936,9 +3935,9 @@ main(int argc, char *argv[]) {
 		check_result(result, "dns_master_dumptostream3");
 	}
 
-	isc_mutex_destroy(&namelock);
+	DESTROYLOCK(&namelock);
 	if (printstats)
-		isc_mutex_destroy(&statslock);
+		DESTROYLOCK(&statslock);
 
 	if (!output_stdout) {
 		result = isc_stdio_close(outfp);

bin/dnssec/dnssec-signzone.docbook

@@ -50,7 +50,6 @@
       <year>2016</year>
       <year>2017</year>
       <year>2018</year>
-      <year>2019</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
@@ -788,16 +787,15 @@
 
     <para>
       The following command signs the <userinput>example.com</userinput>
-      zone with the ECDSAP256SHA256 key generated by key generated by
-      <command>dnssec-keygen</command> (Kexample.com.+013+17247).
-      Because the <command>-S</command> option is not being used,
-      the zone's keys must be in the master file
+      zone with the DSA key generated by <command>dnssec-keygen</command>
+      (Kexample.com.+003+17247).  Because the <command>-S</command> option
+      is not being used, the zone's keys must be in the master file
       (<filename>db.example.com</filename>).  This invocation looks
       for <filename>dsset</filename> files, in the current directory,
       so that DS records can be imported from them (<command>-g</command>).
     </para>
 <programlisting>% dnssec-signzone -g -o example.com db.example.com \
-Kexample.com.+013+17247
+Kexample.com.+003+17247
 db.example.com.signed
 %</programlisting>
     <para>

bin/dnssec/dnssec-signzone.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2009, 2011-2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2009, 2011-2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -624,16 +624,15 @@
 
     <p>
       The following command signs the <strong class="userinput"><code>example.com</code></strong>
-      zone with the ECDSAP256SHA256 key generated by key generated by
-      <span class="command"><strong>dnssec-keygen</strong></span> (Kexample.com.+013+17247).
-      Because the <span class="command"><strong>-S</strong></span> option is not being used,
-      the zone's keys must be in the master file
+      zone with the DSA key generated by <span class="command"><strong>dnssec-keygen</strong></span>
+      (Kexample.com.+003+17247).  Because the <span class="command"><strong>-S</strong></span> option
+      is not being used, the zone's keys must be in the master file
       (<code class="filename">db.example.com</code>).  This invocation looks
       for <code class="filename">dsset</code> files, in the current directory,
       so that DS records can be imported from them (<span class="command"><strong>-g</strong></span>).
     </p>
 <pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
-Kexample.com.+013+17247
+Kexample.com.+003+17247
 db.example.com.signed
 %</pre>
     <p>

bin/dnssec/dnssec-verify.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2012, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2012, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -113,5 +113,5 @@ RFC 4033\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2012, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2012, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dnssec/dnssec-verify.docbook

@@ -37,7 +37,6 @@
       <year>2015</year>
       <year>2016</year>
       <year>2018</year>
-      <year>2019</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>

bin/dnssec/dnssec-verify.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2012, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2012, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this

bin/dnssec/win32/cds.vcxproj.filters.in

@@ -1,18 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
-  <ItemGroup>
-    <Filter Include="Source Files">
-      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
-      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
-    </Filter>
-    <Filter Include="Resource Files">
-      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
-      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
-    </Filter>
-  </ItemGroup>
-  <ItemGroup>
-    <ClCompile Include="..\dnssec-cds.c">
-      <Filter>Source Files</Filter>
-    </ClCompile>
-  </ItemGroup>
-</Project>