Reduce the default RBT hash table size to 16 entries (4 bits)

The hash table rework MRs (!3865, !3871) increased the default RBT hash
table size from 64 to 65,536 entries (for 64-bit architectures, that is
512 bytes before vs. 524,288 bytes after).  This works fine for RBTs
used for cache databases, but since three separate RBT databases are
created for every zone loaded (RRs, NSEC, NSEC3), memory usage would
skyrocket when BIND 9 is used as an authoritative DNS server with many
zones.

The default RBT hash table size before the rework was 64 entries, this
commit reduces it to 16 entries because our educated guess is that most
zones are just couple of entries (SOA, NS, A, AAAA, MX) and rehashing
small hash tables is actually cheap.  The rework we did in the previous
MRs tries to avoid growing the hash tables for big-to-huge caches where
growing the hash table comes at a price because the whole cache needs to
be locked.

(cherry picked from commit 1e043a011b)
(cherry picked from commit f0ccc17f30)

.clang-format

@@ -11,7 +11,6 @@ BraceWrapping:
   AfterFunction:   false # should also be MultiLine, but not yet supported
   AfterExternBlock: false
   BeforeElse:      false
-  BeforeWhile:     false
   IndentBraces:    false
   SplitEmptyFunction: true
 AllowShortIfStatementsOnASingleLine: false
@@ -20,7 +19,6 @@ AlwaysBreakAfterReturnType: All
 Cpp11BracedListStyle: false
 ColumnLimit: 80
 AlignAfterOpenBracket: Align
-AlignConsecutiveBitFields: true
 AlignConsecutiveDeclarations: false
 AlignConsecutiveMacros: true
 AlignTrailingComments: true
@@ -64,7 +62,6 @@ IncludeCategories:
     Priority:        1
   - Regex:           '.*'
     Priority:        0
-IndentExternBlock: NoIndent
 KeepEmptyLinesAtTheStartOfBlocks: false
 MaxEmptyLinesToKeep: 1
 PenaltyBreakAssignment: 30

.clang-format.headers

@@ -11,7 +11,6 @@ BraceWrapping:
   AfterFunction:   false # should also be MultiLine, but not yet supported
   AfterExternBlock: false
   BeforeElse:      false
-  BeforeWhile:     false
   IndentBraces:    false
   SplitEmptyFunction: true
 AllowShortIfStatementsOnASingleLine: false
@@ -20,7 +19,6 @@ AlwaysBreakAfterReturnType: All
 Cpp11BracedListStyle: false
 ColumnLimit: 80
 AlignAfterOpenBracket: Align
-AlignConsecutiveBitFields: true
 AlignConsecutiveDeclarations: true
 AlignConsecutiveMacros: true
 AlignTrailingComments: true
@@ -52,7 +50,6 @@ IncludeCategories:
     Priority:        1
   - Regex:           '".*"'
     Priority:        9
-IndentExternBlock: NoIndent
 KeepEmptyLinesAtTheStartOfBlocks: false
 MaxEmptyLinesToKeep: 1
 PenaltyBreakAssignment: 30

.dir-locals.el

@@ -106,9 +106,6 @@
 	 (list
 	  "--enable=all"
 	  "--suppress=missingIncludeSystem"
-	  "--suppress=nullPointerRedundantCheck"
-	  (concat "--suppressions-list=" (expand-file-name
-			       (concat directory-of-current-dir-locals-file "util/suppressions.txt")))
 	  (concat "-include=" (expand-file-name
 			       (concat directory-of-current-dir-locals-file "config.h")))
 	  )

.gitattributes

@@ -1,8 +1,6 @@
 *.sln.in eol=crlf
 *.vcxproj.* eol=crlf
 
-/fuzz/dns_rdata_fromwire_text.in/input-* -text
-
 .gitignore			 export-ignore
 /conftools			 export-ignore
 /doc/design			 export-ignore

.github/workflows/lockdown.yml

@@ -1,15 +0,0 @@
-name: 'Lock down mirror repository'
-
-on:
-  issues:
-    types: opened
-  pull_request:
-    types: opened
-
-jobs:
-  lockdown:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: dessant/repo-lockdown@v2
-        with:
-          github-token: ${{ github.token }}

.gitignore

@@ -4,13 +4,11 @@
 *.gcno
 *.la
 *.lo
-*.log
 *.o
 *.orig
 *.plist/ # ccc-analyzer store its results in .plist directories
 *.rej
 *.so
-*.trs
 *_test
 *.ipch # vscode/intellisense precompiled header
 *~
@@ -39,6 +37,7 @@ __pycache__/
 /depcomp
 /install-sh
 /isc-config.sh
+/libltdl/*
 /libtool
 /ltmain.sh
 /m4/libtool.m4
@@ -53,48 +52,14 @@ __pycache__/
 /stamp-h1
 /test-driver
 Makefile
-Makefile.in
 ans.run
 gen.dSYM/
+kyua.log
 named.memstats
 named.run
 timestamp
 /compile_commands.json
-# Gets generated by Build Ear (bear)
-/compile_commands.commands.json
 /cppcheck_html/
 /cppcheck.results
 /tsan
 /util/check-make-install
-/INSTALL
-doc/man/dnssec-cds.8in
-doc/man/dnssec-checkds.8in
-doc/man/dnssec-coverage.8in
-doc/man/dnssec-dsfromkey.8in
-doc/man/dnssec-importkey.8in
-doc/man/dnssec-keyfromlabel.8in
-doc/man/dnssec-keygen.8in
-doc/man/dnssec-keymgr.8in
-doc/man/dnssec-revoke.8in
-doc/man/dnssec-settime.8in
-doc/man/dnssec-signzone.8in
-doc/man/dnssec-verify.8in
-doc/man/named-checkconf.8in
-doc/man/named-checkzone.8in
-doc/man/named-journalprint.8in
-doc/man/named-nzd2nzf.8in
-doc/man/nsec3hash.8in
-doc/man/pkcs11-destroy.8in
-doc/man/pkcs11-keygen.8in
-doc/man/pkcs11-list.8in
-doc/man/pkcs11-tokens.8in
-# clangd index directory
-/\.cache/
-# GNU Global index files
-/GPATH
-/GRTAGS
-/GTAGS
-# Emacs specific files
-\.dir-locals-2.el
-/emacs.desktop
-/emacs.desktop-lock

.gitlab/issue_templates/CVE.md

@@ -1,33 +0,0 @@
-<!--
-THIS ISSUE TEMPLATE IS INTENDED ONLY FOR INTERNAL USE.
-
-If the bug you are reporting is potentially security-related - for example,
-if it involves an assertion failure or other crash in `named` that can be
-triggered repeatedly - then please do *NOT* report it here, but send an
-email to [security-officer@isc.org](security-officer@isc.org).
--->
-
-### CVE-specific actions
-
-  - [ ] Assign a CVE identifier
-  - [ ] Determine CVSS score
-  - [ ] Determine the range of BIND versions affected (including the Subscription Edition)
-  - [ ] Determine whether workarounds for the problem exists
-  - [ ] Create a draft of the security advisory and put the information above in there
-  - [ ] Prepare a detailed description of the problem which should include the following by default:
-      - instructions for reproducing the problem (a system test is good enough)
-      - explanation of code flow which triggers the problem (a system test is *not* good enough)
-  - [ ] Prepare a private merge request containing the following items in separate commits:
-      - a test for the issue (may be moved to a separate merge request for deferred merging)
-      - a fix for the issue
-      - documentation updates (`CHANGES`, release notes, anything else applicable)
-  - [ ] Ensure the merge request from the previous step is reviewed by SWENG staff and has no outstanding discussions
-  - [ ] Ensure the documentation changes introduced by the merge request addressing the problem are reviewed by Support and Marketing staff
-  - [ ] Prepare backports of the merge request addressing the problem for all affected (and still maintained) BIND branches (backporting might affect the issue's scope and/or description)
-  - [ ] Prepare a standalone patch for the last stable release of each affected (and still maintained) BIND branch
-
-### Release-specific actions
-
-  - [ ] Create/update the private issue containing links to fixes & reproducers for all CVEs fixed in a given release cycle
-  - [ ] Reserve a block of `CHANGES` placeholders once the complete set of vulnerabilities fixed in a given release cycle is determined
-  - [ ] Ensure the merge requests containing CVE fixes are merged into `security-*` branches in CVE identifier order

.gitlab/issue_templates/Release.md

@@ -1,59 +1,36 @@
 ## Release Schedule
 
-**Code Freeze:**
-
 **Tagging Deadline:**
 
 **Public Release:**
 
-## Documentation Review Links
-
-**Closed issues assigned to the milestone without a release note:**
-
- - []()
- - []()
- - []()
-
-**Merge requests merged into the milestone without a release note:**
-
- - []()
- - []()
- - []()
-
-**Merge requests merged into the milestone without a `CHANGES` entry:**
-
- - []()
- - []()
- - []()
-
 ## Release Checklist
 
-### Before the Code Freeze
+## 2 Working Days Before the Tagging Deadline
 
- - [ ] ***(QA)*** Inform Support and Marketing of impending release (and give estimated release dates).
- - [ ] ***(QA)*** Ensure there are no permanent test failures on any platform.
- - [ ] ***(QA)*** Check Perflab to ensure there has been no unexplained drop in performance for the versions being released.
  - [ ] ***(QA)*** Check whether all issues assigned to the release milestone are resolved[^1].
  - [ ] ***(QA)*** Ensure that there are no outstanding merge requests in the private repository[^1] (Subscription Edition only).
  - [ ] ***(QA)*** Ensure all merge requests marked for backporting have been indeed backported.
 
-### Before the Tagging Deadline
+## Before the Tagging Deadline
 
- - [ ] ***(QA)*** Look for outstanding documentation issues (e.g. `CHANGES` mistakes) and address them if any are found.
- - [ ] ***(QA)*** Ensure release notes are correct, ask Support and Marketing to check them as well.
- - [ ] ***(QA)*** Update API files for libraries with new version information.
- - [ ] ***(QA)*** Change software version and library versions in `configure.ac` (new major release only).
- - [ ] ***(QA)*** Rebuild `configure` using Autoconf on `docs.isc.org`.
- - [ ] ***(QA)*** Update `CHANGES`.
- - [ ] ***(QA)*** Update `CHANGES.SE` (Subscription Edition only).
- - [ ] ***(QA)*** Update `README.md`.
- - [ ] ***(QA)*** Update `version`.
- - [ ] ***(QA)*** Build documentation on `docs.isc.org`.
+ - [ ] ***(QA)*** Inform Support/Marketing of impending release (and give estimated release dates).
+ - [ ] ***(QA)*** Check Perflab to ensure there has been no unexplained drop in performance for the versions being released.
+ - [ ] ***(SwEng)*** Update API files for libraries with new version information.
+ - [ ] ***(SwEng)*** Change software version and library versions in `configure.ac` (new major release only).
+ - [ ] ***(SwEng)*** Rebuild `configure` using Autoconf on `docs.isc.org`.
+ - [ ] ***(SwEng)*** Update `CHANGES`.
+ - [ ] ***(SwEng)*** Update `CHANGES.SE` (Subscription Edition only).
+ - [ ] ***(SwEng)*** Update `README.md`.
+ - [ ] ***(SwEng)*** Update `version`.
+ - [ ] ***(SwEng)*** Build documentation on `docs.isc.org`.
+ - [ ] ***(QA)*** Check that all the above steps were performed correctly.
+ - [ ] ***(QA)*** Check that the contents of release notes match the merge requests comprising the releases.
  - [ ] ***(QA)*** Check that the formatting is correct for text, PDF, and HTML versions of release notes.
- - [ ] ***(QA)*** Check that the formatting of the generated man pages is correct.
- - [ ] ***(QA)*** Tag the releases in the private repository (`git tag -s -m "BIND 9.x.y" v9_x_y`).
+ - [ ] ***(SwEng)*** Tag the releases[^2].  (Tags may only be pushed to the public repository for releases which are *not* security releases.)
+ - [ ] ***(SwEng)*** If this is the first tag for a release (e.g. beta), create a release branch named `release_v9_X_Y` to allow development to continue on the maintenance branch whilst release engineering continues.
 
-### Before the ASN Deadline (for ASN Releases) or the Public Release Date (for Regular Releases)
+## Before the ASN Deadline (for ASN Releases) or the Public Release Date (for Regular Releases)
 
  - [ ] ***(QA)*** Verify GitLab CI results for the tags created and prepare a QA report for the releases to be published.
  - [ ] ***(QA)*** Request signatures for the tarballs, providing their location and checksums.
@@ -64,14 +41,13 @@
  - [ ] ***(QA)*** Notify Support that the releases have been prepared.
  - [ ] ***(Support)*** Send out ASNs (if applicable).
 
-### On the Day of Public Release
+## On the Day of Public Release
 
  - [ ] ***(Support)*** Wait for clearance from Security Officer to proceed with the public release (if applicable).
  - [ ] ***(Support)*** Place tarballs in public location on FTP site.
  - [ ] ***(Support)*** Publish links to downloads on ISC website.
  - [ ] ***(Support)*** Write release email to *bind-announce*.
  - [ ] ***(Support)*** Write email to *bind-users* (if a major release).
- - [ ] ***(Support)*** Send eligible customers updated links to the Subscription Edition (update the -S edition delivery tickets, even if those links were provided earlier via an ASN ticket).
  - [ ] ***(Support)*** Update tickets in case of waiting support customers.
  - [ ] ***(QA)*** Build and test any outstanding private packages.
  - [ ] ***(QA)*** Build public packages (`*.deb`, RPMs).
@@ -81,13 +57,9 @@
  - [ ] ***(Marketing)*** Update [Wikipedia entry for BIND](https://en.wikipedia.org/wiki/BIND).
  - [ ] ***(Marketing)*** Write blog article (if a major release).
  - [ ] ***(QA)*** Ensure all new tags are annotated and signed.
- - [ ] ***(QA)*** Push tags for the published releases to the public repository.
- - [ ] ***(QA)*** Merge the automatically prepared `prep 9.x.y` commit which updates `version` and documentation on the release branch into the relevant maintenance branch (`v9_x`).
- - [ ] ***(QA)*** For each maintained branch, update the `BIND_BASELINE_VERSION` variable for the `abi-check` job in `.gitlab-ci.yml` to the latest published BIND version tag for a given branch.
- - [ ] ***(QA)*** Prepare empty release notes for the next set of releases.
- - [ ] ***(QA)*** Sanitize confidential issues which are assigned to the current release milestone and do not describe a security vulnerability, then make them public.
- - [ ] ***(QA)*** Sanitize confidential issues which are assigned to older release milestones and describe security vulnerabilities, then make them public if appropriate[^2].
- - [ ] ***(QA)*** Update QA tools used in GitLab CI (e.g. Flake8, PyLint) by modifying the relevant `Dockerfile`.
+ - [ ] ***(SwEng)*** Push tags for the published releases to the public repository.
+ - [ ] ***(SwEng)*** Merge the automatically prepared `prep 9.X.Y` commit which updates `version` and documentation on the release branch into the relevant maintenance branch (`v9_X`).
 
 [^1]: If not, use the time remaining until the tagging deadline to ensure all outstanding issues are either resolved or moved to a different milestone.
-[^2]: As a rule of thumb, security vulnerabilities which have reproducers merged to the public repository are considered okay for full disclosure.
+
+[^2]: Preferred command line: `git tag -u <DEVELOPER_KEYID> -a -s -m "BIND 9.X.Y[alphatag]" v9_X_Y[alphatag]`, where `[alphatag]` is an optional string such as `b1`, `rc1`, etc.

.lgtm.yml

@@ -1,35 +0,0 @@
-extraction:
-  cpp:
-    prepare:
-      packages:
-      - "libxml2-dev"
-      - "libjson-c-dev"
-      - "libssl-dev"
-      - "zlib1g-dev"
-      - "libcmocka-dev"
-      - "pkg-config"
-      - "libcap2-dev"
-      - "libedit-dev"
-      - "libidn2-dev"
-      - "libmaxminddb-dev"
-      - "libuv1-dev"
-      - "libnghttp2-dev"
-    configure:
-      command:
-      - "autoreconf -fi"
-      - "CFLAGS=\"-Og -g\" ./configure --enable-developer"
-path_classifiers:
-  test:
-    - "lib/*/tests/"
-    - "bin/tests/"
-  docs:
-    - "**/*.xml"
-    - "**/*.docbook"
-    - "**/*.html"
-    - "**/*.1"
-    - "**/*.5"
-    - "**/*.8"
-queries:
-  - exclude: fuzz/
-  - exclude: "bin/tests/system/*/ans*/*.py"
-  - exclude: cpp/use-of-goto

.pylintrc

@@ -5,4 +5,3 @@ disable=
     C0116, # missing-function-docstring
     R0801, # duplicate-code
     C0103, # invalid-name
-    C0415,# import-outside-toplevel

AUTHORS

@@ -1,53 +0,0 @@
-Mark Andrews
-Andreas Gustafsson
-Evan Hunt
-Brian Wellington
-Bob Halley
-David Lawrence
-Michael Graff
-Michael Sawyer
-Ondřej Surý
-James Brister
-Tatuya JINMEI 神明達哉
-Francis Dupont
-Michał Kępień
-Danny Mayer
-Mukund Sivaraman
-Jeremy C. Reed
-William King
-Stephen Morris
-Witold Kręcicki
-Curtis Blackburn
-Scott Mann
-Rob Austein
-Jim Reid
-Eric Luce
-Olafur Gudmundsson
-Stephen Jacob
-Damien Neil
-Tony Finch
-Jakob Schlyter
-Petr Menšík
-Vernon Schryver
-Matt Nelson
-Shane Kerr
-Paul Ebersman
-Ray Bellis
-Shawn Routhier
-Ben Cottrell
-Tomas Hozza
-johnd
-Bill Parker
-李昶
-Kevin Chen
-Jonathan Casey
-Mary Stahl
-Mathieu Arnold
-David Hankins
-Paul Hoffman
-Paul Vixie
-Brian Conry
-Anay Panvalkar
-colleen
-Robert Edmonds
-João Damas

CODE_OF_CONDUCT

@@ -0,0 +1,79 @@
+CODE OF CONDUCT
+
+BIND 9 Code of Conduct
+
+Like the technical community as a whole, the BIND 9 team and community is
+made up of a mixture of professionals and volunteers from all over the
+world, working on every aspect of the mission - including mentorship,
+teaching, and connecting people.
+
+Diversity is one of our huge strengths, but it can also lead to
+communication issues and unhappiness. To that end, we have a few ground
+rules that we ask people to adhere to. This code applies equally to the
+core development team, open source contributors and those seeking help and
+guidance.
+
+This isn't an exhaustive list of things that you can't do. Rather, take it
+in the spirit in which it's intended - a guide to make it easier to enrich
+all of us and the technical communities in which we participate.
+
+This code of conduct applies to all spaces managed by the BIND 9 project
+or Internet Systems Consortium. This includes chat, the mailing lists, the
+issue tracker, and any other fora created by the project team which the
+community uses for communication. In addition, violations of this code
+outside these spaces may affect a person's ability to participate within
+them.
+
+If you believe someone is violating the code of conduct, we ask that you
+report it by emailing conduct@isc.org. For more details please see our
+Reporting Guidelines.
+
+  * Be friendly and patient.
+  * Be welcoming. We strive to be a community that welcomes and supports
+    people of all backgrounds and identities. This includes, but is not
+    limited to members of any race, ethnicity, culture, national origin,
+    colour, immigration status, social and economic class, educational
+    level, sex, sexual orientation, gender identity and expression, age,
+    size, family status, political belief, religion, and mental and
+    physical ability.
+  * Be considerate. Your work will be used by other people, and you in
+    turn will depend on the work of others. Any decision you take will
+    affect users and colleagues, and you should take those consequences
+    into account when making decisions. Remember that we're a world-wide
+    community, so you might not be communicating in someone else's primary
+    language.
+  * Be respectful. Not all of us will agree all the time, but disagreement
+    is no excuse for poor behavior and poor manners. We might all
+    experience some frustration now and then, but we cannot allow that
+    frustration to turn into a personal attack. It's important to remember
+    that a community where people feel uncomfortable or threatened is not
+    a productive one. Members of the BIND 9 community should be respectful
+    when dealing with other members as well as with people outside the
+    BIND 9 community.
+  * Be careful in the words that you choose. We are a community of
+    professionals, and we conduct ourselves professionally. Be kind to
+    others. Do not insult or put down other participants. Harassment and
+    other exclusionary behavior aren't acceptable. This includes, but is
+    not limited to:
+      + Violent threats or language directed against another person.
+      + Discriminatory jokes and language.
+      + Posting sexually explicit or violent material.
+      + Posting (or threatening to post) other people's personally
+        identifying information ("doxing").
+      + Personal insults, especially those using racist or sexist terms.
+      + Unwelcome sexual attention.
+      + Advocating for, or encouraging, any of the above behavior.
+      + Repeated harassment of others. In general, if someone asks you to
+        stop, then stop.
+  * When we disagree, try to understand why. Disagreements, both social
+    and technical, happen all the time and BIND 9 is no exception. It is
+    important that we resolve disagreements and differing views
+    constructively. Remember that we're different. The strength of BIND 9
+    comes from its varied community, people from a wide range of
+    backgrounds. Different people have different perspectives on issues.
+    Being unable to understand why someone holds a viewpoint doesn't mean
+    that they're wrong. Don't forget that it is human to err and blaming
+    each other doesn't get us anywhere. Instead, focus on helping to
+    resolve issues and learning from mistakes.
+
+Original text courtesy of the Django Code of Conduct project.

CODE_OF_CONDUCT.md

@@ -7,8 +7,8 @@ people.
 
 Diversity is one of our huge strengths, but it can also lead to communication
 issues and unhappiness. To that end, we have a few ground rules that we ask
-people to adhere to. This code applies equally to the core development team,
-open source contributors and those seeking help and guidance.
+people to adhere to. This code applies equally to the core development team, open source contributors and those
+seeking help and guidance.
 
 This isn't an exhaustive list of things that you can't do. Rather, take it in
 the spirit in which it's intended - a guide to make it easier to enrich all of

CONTRIBUTING

@@ -0,0 +1,196 @@
+CONTRIBUTING
+
+BIND Source Access and Contributor Guidelines
+
+Feb 22, 2018
+
+Contents
+
+ 1. Access to source code
+ 2. Reporting bugs
+ 3. Contributing code
+
+Introduction
+
+Thank you for using BIND!
+
+BIND is open source software that implements the Domain Name System (DNS)
+protocols for the Internet. It is a reference implementation of those
+protocols, but it is also production-grade software, suitable for use in
+high-volume and high-reliability applications. It is by far the most
+widely used DNS software, providing a robust and stable platform on top of
+which organizations can build distributed computing systems with the
+knowledge that those systems are fully compliant with published DNS
+standards.
+
+BIND is and will always remain free and openly available. It can be used
+and modified in any way by anyone.
+
+BIND is maintained by the Internet Systems Consortium, a public-benefit
+501(c)(3) nonprofit, using a "managed open source" approach: anyone can
+see the source, but only ISC employees have commit access. Until recently,
+the source could only be seen once ISC had published a release: read
+access to the source repository was restricted just as commit access was.
+That's now changing, with the opening of a public git mirror to the BIND
+source tree (see below).
+
+At Internet Systems Consortium, we're committed to building communities
+that are welcoming and inclusive; environments where people are encouraged
+to share ideas, treat each other with respect, and collaborate towards the
+best solutions. To reinforce our commitment, the Internet Systems
+Consortium has adopted the Contributor Covenant version 1.4 as our Code of
+Conduct for BIND 9 project, as well as for the conduct of our developers
+throughout the industry.
+
+Access to source code
+
+Public BIND releases are always available from the ISC FTP site.
+
+A public-access GIT repository is also available at https://gitlab.isc.org
+. This repository is a mirror, updated several times per day, of the
+source repository maintained by ISC. It contains all the public release
+branches; upcoming releases can be viewed in their current state at any
+time. It does not contain development branches or unreviewed work in
+progress. Commits which address security vulnerablilities are withheld
+until after public disclosure.
+
+You can browse the source online via https://gitlab.isc.org/isc-projects/
+bind9
+
+To clone the repository, use:
+
+      $ git clone https://gitlab.isc.org/isc-projects/bind9.git
+
+Release branch names are of the form v9_X, where X represents the second
+number in the BIND 9 version number. So, to check out the BIND 9.12
+branch, use:
+
+      $ git checkout v9_12
+
+Whenever a branch is ready for publication, a tag will be placed of the
+form v9_X_Y. The 9.12.0 release, for instance, is tagged as v9_12_0.
+
+The branch in which the next major release is being developed is called
+master.
+
+Reporting bugs
+
+Reports of flaws in the BIND package, including software bugs, errors in
+the documentation, missing files in the tarball, suggested changes or
+requests for new features, etc, can be filed using https://gitlab.isc.org/
+isc-projects/bind9/issues.
+
+Due to a large ticket backlog, we are sometimes slow to respond,
+especially if a bug is cosmetic or if a feature request is vague or low in
+priority, but we will try at least to acknowledge legitimate bug reports
+within a week.
+
+ISC's ticketing system is publicly readable; however, you must have an
+account to file a new issue. You can either register locally or use
+credentials from an existing account at GitHub, GitLab, Google, Twitter,
+or Facebook.
+
+Reporting possible security issues
+
+If you think you may be seeing a potential security vulnerability in BIND
+(for example, a crash with REQUIRE, INSIST, or ASSERT failure), please
+report it immediately by emailing to security-officer@isc.org. Plain-text
+e-mail is not a secure choice for communications concerning undisclosed
+security issues so please encrypt your communications to us if possible,
+using the ISC Security Officer public key.
+
+Do not discuss undisclosed security vulnerabilities on any public mailing
+list. ISC has a long history of handling reported vulnerabilities promptly
+and effectively and we respect and acknowledge responsible reporters.
+
+ISC's Security Vulnerability Disclosure Policy is documented at https://
+kb.isc.org/article/AA-00861/0.
+
+If you have a crash, you may want to consult ?What to do if your BIND or
+DHCP server has crashed.?
+
+Contributing code
+
+BIND is licensed under the Mozilla Public License 2.0. Earier versions
+(BIND 9.10 and earlier) were licensed under the ISC License
+
+ISC does not require an explicit copyright assignment for patch
+contributions. However, by submitting a patch to ISC, you implicitly
+certify that you are the author of the code, that you intend to reliquish
+exclusive copyright, and that you grant permission to publish your work
+under the open source license used for the BIND version(s) to which your
+patch will be applied.
+
+BIND code
+
+Patches for BIND may be submitted directly via merge requests in ISC's
+Gitlab source repository for BIND.
+
+Patches can also be submitted as diffs against a specific version of BIND
+-- preferably the current top of the master branch. Diffs may be generated
+using either git format-patch or git diff.
+
+Those wanting to write code for BIND may be interested in the developer
+information page, which includes information about BIND design and coding
+practices, including discussion of internal APIs and overall system
+architecture. (This is a work in progress, and still quite preliminary.)
+
+Every patch submitted will be reviewed by ISC engineers following our code
+review process before it is merged.
+
+It may take considerable time to review patch submissions, especially if
+they don't meet ISC style and quality guidelines. If a patch is a good
+idea, we can and will do additional work to bring it up to par, but if
+we're busy with other work, it may take us a long time to get to it.
+
+To ensure your patch is acted on as promptly as possible, please:
+
+  * Try to adhere to the BIND 9 coding style.
+  * Run make check to ensure your change hasn't caused any functional
+    regressions.
+  * Document your work, both in the patch itself and in the accompanying
+    email.
+  * In patches that make non-trivial functional changes, include system
+    tests if possible; when introducing or substantially altering a
+    library API, include unit tests. See Testing for more information.
+
+Changes to configure
+
+If you need to make changes to configure, you should not edit it directly;
+instead, edit configure.in, then run autoconf. Similarly, instead of
+editing config.h.in directly, edit configure.in and run autoheader.
+
+When submitting a patch as a diff, it's fine to omit the configure diffs
+to save space. Just send the configure.in diffs and we'll generate the new
+configure during the review process.
+
+Documentation
+
+All functional changes should be documented. There are three types of
+documentation in the BIND source tree:
+
+  * Man pages are kept alongside the source code for the commands they
+    document, in files ending in .docbook; for example, the named man page
+    is bin/named/named.docbook.
+  * The BIND 9 Administrator Reference Manual is mostly in doc/arm/
+    Bv9ARM-book.xml, plus a few other XML files that are included in it.
+  * API documentation is in the header file describing the API, in
+    Doxygen-formatted comments.
+
+It is not necessary to edit any documentation files other than these; all
+PDF, HTML, and nroff-format man page files will be updated automatically
+from the docbook and XML files after merging.
+
+Patches to improve existing documentation are also very welcome!
+
+Tests
+
+BIND is a large and complex project. We rely heavily on continuous
+automated testing and cannot merge new code without adequate test
+coverage. Please see the 'Testing' section of doc/dev/dev.md for more
+information.
+
+Thanks
+
+Thank you for your interest in contributing to the ongoing development of
+BIND.

CONTRIBUTING.md

@@ -39,28 +39,29 @@ anyone can see the source, but only ISC employees have commit access.
 In the past, the source could only be seen once ISC had published
 a release; read access to the source repository was restricted just
 as commit access was.  That has changed, as ISC now provides a
-public git repository of the BIND source tree (see below).
+public git mirror to the BIND source tree (see below).
 
 At ISC, we're committed to
 building communities that are welcoming and inclusive: environments where people
 are encouraged to share ideas, treat each other with respect, and collaborate
 towards the best solutions. To reinforce our commitment, ISC
 has adopted a slightly modified version of the Django
-[Code of Conduct](https://gitlab.isc.org/isc-projects/bind9/-/blob/main/CODE_OF_CONDUCT.md)
-for the BIND 9 project, as well as for the conduct of our developers throughout
-the industry.
+[Code of Conduct](https://gitlab.isc.org/isc-projects/bind9/-/blob/master/CODE_OF_CONDUCT.md) for the BIND 9 project, as well as for the conduct of our
+developers throughout the industry.
 
 ### <a name="access"></a>Access to source code
 
 Public BIND releases are always available from the
 [ISC FTP site](ftp://ftp.isc.org/isc/bind9).
 
-A public-access git repository is also available at
-[https://gitlab.isc.org](https://gitlab.isc.org).  This repository
-contains all public release branches. Upcoming releases can be viewed in
-their current state at any time.  Short-lived development branches
-contain unreviewed work in progress.  Commits which address security
-vulnerablilities are withheld until after public disclosure.
+A public-access GIT repository is also available at
+[https://gitlab.isc.org](https://gitlab.isc.org).
+This repository is a mirror, updated several times per day, of the
+source repository maintained by ISC.  It contains all the public release
+branches; upcoming releases can be viewed in their current state at any
+time.  It does *not* contain development branches or unreviewed work in
+progress.  Commits which address security vulnerablilities are withheld
+until after public disclosure.
 
 You can browse the source online via
 [https://gitlab.isc.org/isc-projects/bind9](https://gitlab.isc.org/isc-projects/bind9)
@@ -79,7 +80,7 @@ Whenever a branch is ready for publication, a tag is placed of the
 form `v9_X_Y`.  The 9.12.0 release, for instance, is tagged as `v9_12_0`.
 
 The branch in which the next major release is being developed is called
-`main`.
+`master`.
 
 ### <a name="bugs"></a>Reporting bugs
 
@@ -99,7 +100,6 @@ use credentials from an existing account at GitHub, GitLab, Google,
 Twitter, or Facebook.
 
 ### Reporting possible security issues
-
 If you think you may be seeing a potential security vulnerability in BIND
 (for example, a crash with REQUIRE, INSIST, or ASSERT failure), please
 report it immediately by emailing to security-officer@isc.org. Plain-text
@@ -111,8 +111,7 @@ Do not discuss undisclosed security vulnerabilities on any public mailing list.
 ISC has a long history of handling reported vulnerabilities promptly and
 effectively and we respect and acknowledge responsible reporters.
 
-ISC's Security Vulnerability Disclosure Policy is documented at
-[https://kb.isc.org/docs/aa-00861](https://kb.isc.org/docs/aa-00861).
+ISC's Security Vulnerability Disclosure Policy is documented at [https://kb.isc.org/docs/aa-00861](https://kb.isc.org/docs/aa-00861).
 
 If you have a crash, you may want to consult
 ["What to do if your BIND or DHCP server has crashed."](https://kb.isc.org/docs/aa-00340)
@@ -121,8 +120,7 @@ If you have a crash, you may want to consult
 
 BIND is licensed under the
 [Mozilla Public License 2.0](https://www.mozilla.org/en-US/MPL/2.0/).
-Earlier versions (BIND 9.10 and earlier) were licensed under the
-[ISC License](https://www.isc.org/licenses/)
+Earlier versions (BIND 9.10 and earlier) were licensed under the [ISC License](https://www.isc.org/licenses/)
 
 ISC does not require an explicit copyright assignment for patch
 contributions.  However, by submitting a patch to ISC, you implicitly
@@ -138,7 +136,7 @@ Patches for BIND may be submitted directly via merge requests in
 repository for BIND.
 
 Patches can also be submitted as diffs against a specific version of
-BIND -- preferably the current top of the `main` branch.  Diffs may
+BIND -- preferably the current top of the `master` branch.  Diffs may
 be generated using either `git format-patch` or `git diff`.
 
 Those wanting to write code for BIND may be interested in the
@@ -186,8 +184,7 @@ of documentation in the BIND source tree:
   they document, in files ending in `.rst`: for example, the
   `named` man page is `bin/named/named.rst`.
 * The *BIND 9 Administrator Reference Manual* is in the .rst files in
-  `doc/arm/`; the PDF and HTML versions are automatically generated from
-  the `.rst` files.
+  `doc/arm/`; the PDF and HTML versions are automatically generated from the `.rst` files.
 * API documentation is in the header file describing the API, in
   Doxygen-formatted comments.
 

COPYING

@@ -1 +0,0 @@
-LICENSE

COPYRIGHT

@@ -1,8 +1,8 @@
-Copyright (C) 1996-2021  Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 1996-2020  Internet Systems Consortium, Inc. ("ISC")
 
 This Source Code Form is subject to the terms of the Mozilla Public
 License, v. 2.0. If a copy of the MPL was not distributed with this
-file, you can obtain one at https://mozilla.org/MPL/2.0/.
+file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
  -----------------------------------------------------------------------------
 
@@ -367,25 +367,3 @@ distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
-
------------------------------------------------------------------------------
-
-Copyright Joyent, Inc. and other Node contributors. All rights reserved.
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
-FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
-IN THE SOFTWARE.

ChangeLog

@@ -1 +0,0 @@
-CHANGES

HISTORY

@@ -0,0 +1,600 @@
+HISTORY
+
+Functional enhancements from prior major releases of BIND 9
+
+BIND 9.14
+
+BIND 9.14 (a stable branch based on the 9.13 development branch) includes
+a number of changes from BIND 9.12 and earlier releases. New features
+include:
+
+  * A new "plugin" mechanism has been added to allow query functionality
+    to be extended using dynamically loadable libraries. The "filter-aaaa"
+    feature has been removed from named and is now implemented as a
+    plugin.
+  * Socket and task code has been refactored to improve performance.
+  * QNAME minimization, as described in RFC 7816, is now supported.
+  * "Root key sentinel" support, enabling validating resolvers to indicate
+    via a special query which trust anchors are configured for the root
+    zone.
+  * Secondary zones can now be configured as "mirror" zones; their
+    contents are transferred in as with traditional slave zones, but are
+    subject to DNSSEC validation and are not treated as authoritative data
+    when answering. This makes it easier to configure a local copy of the
+    root zone as described in RFC 7706.
+  * The "validate-except" option allows configuration of domains below
+    which DNSSEC validation should not be performed.
+  * The default value of "dnssec-validation" is now "auto".
+  * IDNA2008 is now supported when linking with libidn2.
+  * "named -V" now outputs the default paths for files used by named and
+    other tools.
+
+In addition, workarounds that were formerly in place to enable resolution
+of domains whose authoritative servers did not respond to EDNS queries
+have been removed. See https://dnsflagday.net for more details.
+
+Cryptographic support has been modernized. BIND now uses the best
+available pseudo-random number generator for the platform on which it's
+built. Very old versions of OpenSSL are no longer supported. Cryptography
+is now mandatory: building BIND without DNSSEC is no longer supported.
+
+Special code to support certain legacy operating systems has also been
+removed; see the file PLATFORMS.md for details of supported platforms. In
+addition to OpenSSL, BIND now requires support for IPv6, threads, and
+standard atomic operations provided by the C compiler.
+
+BIND 9.12
+
+BIND 9.12 includes a number of changes from BIND 9.11 and earlier
+releases. New features include:
+
+  * named and related libraries have been substantially refactored for
+    improved query performance -- particularly on delegation heavy zones
+    -- and for improved readability, maintainability, and testability.
+  * Code implementing the name server query processing logic has been
+    moved into a new libns library, for easier testing and use in tools
+    other than named.
+  * Cached, validated NSEC and other records can now be used to synthesize
+    NXDOMAIN responses.
+  * The DNS Response Policy Service API (DNSRPS) is now supported.
+  * Setting 'max-journal-size default' now limits the size of journal
+    files to twice the size of the zone.
+  * dnstap-read -x prints a hex dump of the wire format of each logged DNS
+    message.
+  * dnstap output files can now be configured to roll automatically when
+    reaching a given size.
+  * Log file timestamps can now also be formatted in ISO 8601 (local) or
+    ISO 8601 (UTC) formats.
+  * Logging channels and dnstap output files can now be configured to use
+    a timestamp as the suffix when rolling to a new file.
+  * 'named-checkconf -l' lists zones found in named.conf.
+  * Added support for the EDNS Padding and Keepalive options.
+  * 'new-zones-directory' option sets the location where the configuration
+    data for zones added by rndc addzone is stored.
+  * The default key algorithm in rndc-confgen is now hmac-sha256.
+  * filter-aaaa-on-v4 and filter-aaaa-on-v6 options are now available by
+    default without a configure option.
+  * The obsolete isc-hmac-fixup command has been removed.
+
+BIND 9.11
+
+BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier
+releases. New features include:
+
+  * Added support for Catalog Zones, a new method for provisioning
+    servers: a list of zones to be served is stored in a DNS zone, along
+    with their configuration parameters. Changes to the catalog zone are
+    propagated to slaves via normal AXFR/IXFR, whereupon the zones that
+    are listed in it are automatically added, deleted or reconfigured.
+  * Added support for "dnstap", a fast and flexible method of capturing
+    and logging DNS traffic.
+  * Added support for "dyndb", a new API for loading zone data from an
+    external database, developed by Red Hat for the FreeIPA project.
+  * "fetchlimit" quotas are now compiled in by default. These are for the
+    use of recursive resolvers that are are under high query load for
+    domains whose authoritative servers are nonresponsive or are
+    experiencing a denial of service attack:
+      + "fetches-per-server" limits the number of simultaneous queries
+        that can be sent to any single authoritative server. The
+        configured value is a starting point; it is automatically adjusted
+        downward if the server is partially or completely non-responsive.
+        The algorithm used to adjust the quota can be configured via the
+        "fetch-quota-params" option.
+      + "fetches-per-zone" limits the number of simultaneous queries that
+        can be sent for names within a single domain. (Note: Unlike
+        "fetches-per-server", this value is not self-tuning.)
+      + New stats counters have been added to count queries spilled due to
+        these quotas.
+  * Added a new "dnssec-keymgr" key mainenance utility, which can generate
+    or update keys as needed to ensure that a zone's keys match a defined
+    DNSSEC policy.
+  * The experimental "SIT" feature in BIND 9.10 has been renamed "COOKIE"
+    and is no longer optional. EDNS COOKIE is a mechanism enabling clients
+    to detect off-path spoofed responses, and servers to detect
+    spoofed-source queries. Clients that identify themselves using COOKIE
+    options are not subject to response rate limiting (RRL) and can
+    receive larger UDP responses.
+  * SERVFAIL responses can now be cached for a limited time (defaulting to
+    1 second, with an upper limit of 30). This can reduce the frequency of
+    retries when a query is persistently failing.
+  * Added an "nsip-wait-recurse" switch to RPZ. This causes NSIP rules to
+    be skipped if a name server IP address isn't in the cache yet; the
+    address will be looked up and the rule will be applied on future
+    queries.
+  * Added a Python RNDC module. This allows multiple commands to sent over
+    a persistent RNDC channel, which saves time.
+  * The "controls" block in named.conf can now grant read-only "rndc"
+    access to specified clients or keys. Read-only clients could, for
+    example, check "rndc status" but could not reconfigure or shut down
+    the server.
+  * "rndc" commands can now return arbitrarily large amounts of text to
+    the caller.
+  * The zone serial number of a dynamically updatable zone can now be set
+    via "rndc signing -serial ". This allows inline-signing zones to be
+    set to a specific serial number.
+  * The new "rndc nta" command can be used to set a Negative Trust Anchor
+    (NTA), disabling DNSSEC validation for a specific domain; this can be
+    used when responses from a domain are known to be failing validation
+    due to administrative error rather than because of a spoofing attack.
+    Negative trust anchors are strictly temporary; by default they expire
+    after one hour, but can be configured to last up to one week.
+  * "rndc delzone" can now be used on zones that were not originally
+    created by "rndc addzone".
+  * "rndc modzone" reconfigures a single zone, without requiring the
+    entire server to be reconfigured.
+  * "rndc showzone" displays the current configuration of a zone.
+  * "rndc managed-keys" can be used to check the status of RFC 5011
+    managed trust anchors, or to force trust anchors to be refreshed.
+  * "max-cache-size" can now be set to a percentage of available memory.
+    The default is 90%.
+  * Update forwarding performance has been improved by allowing a single
+    TCP connection to be shared by multiple updates.
+  * The EDNS Client Subnet (ECS) option is now supported for authoritative
+    servers; if a query contains an ECS option then ACLs containing
+    "geoip" or "ecs" elements can match against the the address encoded in
+    the option. This can be used to select a view for a query, so that
+    different answers can be provided depending on the client network.
+  * The EDNS EXPIRE option has been implemented on the client side,
+    allowing a slave server to set the expiration timer correctly when
+    transferring zone data from another slave server.
+  * The key generation and manipulation tools (dnssec-keygen,
+    dnssec-settime, dnssec-importkey, dnssec-keyfromlabel) now take
+    "-Psync" and "-Dsync" options to set the publication and deletion
+    times of CDS and CDNSKEY parent-synchronization records. Both named
+    and dnssec-signzone can now publish and remove these records at the
+    scheduled times.
+  * A new "minimal-any" option reduces the size of UDP responses for query
+    type ANY by returning a single arbitrarily selected RRset instead of
+    all RRsets.
+  * A new "masterfile-style" zone option controls the formatting of text
+    zone files: When set to "full", a zone file is dumped in
+    single-line-per-record format.
+  * "serial-update-method" can now be set to "date". On update, the serial
+    number will be set to the current date in YYYYMMDDNN format.
+  * "dnssec-signzone -N date" sets the serial number to YYYYMMDDNN.
+  * "named -L " causes named to send log messages to the specified file by
+    default instead of to the system log.
+  * "dig +ttlunits" prints TTL values with time-unit suffixes: w, d, h, m,
+    s for weeks, days, hours, minutes, and seconds.
+  * "dig +unknownformat" prints dig output in RFC 3597 "unknown record"
+    presentation format.
+  * "dig +ednsopt" allows dig to set arbitrary EDNS options on requests.
+  * "dig +ednsflags" allows dig to set yet-to-be-defined EDNS flags on
+    requests.
+  * "mdig" is an alternate version of dig which sends multiple pipelined
+    TCP queries to a server. Instead of waiting for a response after
+    sending a query, it sends all queries immediately and displays
+    responses in the order received.
+  * "serial-query-rate" no longer controls NOTIFY messages. These are
+    separately controlled by "notify-rate" and "startup-notify-rate".
+  * "nsupdate" now performs "check-names" processing by default on records
+    to be added. This can be disabled with "check-names no".
+  * The statistics channel now supports DEFLATE compression, reducing the
+    size of the data sent over the network when querying statistics.
+  * New counters have been added to the statistics channel to track the
+    sizes of incoming queries and outgoing responses in histogram buckets,
+    as specified in RSSAC002.
+  * A new NXDOMAIN redirect method (option "nxdomain-redirect") has been
+    added, allowing redirection to a specified DNS namespace instead of a
+    single redirect zone.
+  * When starting up, named now ensures that no other named process is
+    already running.
+  * Files created by named to store information, including "mkeys" and
+    "nzf" files, are now named after their corresponding views unless the
+    view name contains characters incompatible with use as a filename. Old
+    style filenames (based on the hash of the view name) will still work.
+
+BIND 9.10.0
+
+BIND 9.10.0 includes a number of changes from BIND 9.9 and earlier
+releases. New features include:
+
+  * DNS Response-rate limiting (DNS RRL), which blunts the impact of
+    reflection and amplification attacks, is always compiled in and no
+    longer requires a compile-time option to enable it.
+  * An experimental "Source Identity Token" (SIT) EDNS option is now
+    available. Similar to DNS Cookies as invented by Donald Eastlake 3rd,
+    these are designed to enable clients to detect off-path spoofed
+    responses, and to enable servers to detect spoofed-source queries.
+    Servers can be configured to send smaller responses to clients that
+    have not identified themselves using a SIT option, reducing the
+    effectiveness of amplification attacks. RRL processing has also been
+    updated; clients proven to be legitimate via SIT are not subject to
+    rate limiting. Use "configure --enable-sit" to enable this feature in
+    BIND.
+  * A new zone file format, "map", stores zone data in a format that can
+    be mapped directly into memory, allowing significantly faster zone
+    loading.
+  * "delv" (domain entity lookup and validation) is a new tool with
+    dig-like semantics for looking up DNS data and performing internal
+    DNSSEC validation. This allows easy validation in environments where
+    the resolver may not be trustworthy, and assists with troubleshooting
+    of DNSSEC problems. (NOTE: In previous development releases of BIND
+    9.10, this utility was called "delve". The spelling has been changed
+    to avoid confusion with the "delve" utility included with the Xapian
+    search engine.)
+  * Improved EDNS(0) processing for better resolver performance and
+    reliability over slow or lossy connections.
+  * A new "configure --with-tuning=large" option tunes certain compiled-in
+    constants and default settings to values better suited to large
+    servers with abundant memory. This can improve performance on such
+    servers, but will consume more memory and may degrade performance on
+    smaller systems.
+  * Substantial improvement in response-policy zone (RPZ) performance. Up
+    to 32 response-policy zones can be configured with minimal performance
+    loss.
+  * To improve recursive resolver performance, cache records which are
+    still being requested by clients can now be automatically refreshed
+    from the authoritative server before they expire, reducing or
+    eliminating the time window in which no answer is available in the
+    cache.
+  * New "rpz-client-ip" triggers and drop policies allowing response
+    policies based on the IP address of the client.
+  * ACLs can now be specified based on geographic location using the
+    MaxMind GeoIP databases. Use "configure --with-geoip" to enable.
+  * Zone data can now be shared between views, allowing multiple views to
+    serve the same zones authoritatively without storing multiple copies
+    in memory.
+  * New XML schema (version 3) for the statistics channel includes many
+    new statistics and uses a flattened XML tree for faster parsing. The
+    older schema is now deprecated.
+  * A new stylesheet, based on the Google Charts API, displays XML
+    statistics in charts and graphs on javascript-enabled browsers.
+  * The statistics channel can now provide data in JSON format as well as
+    XML.
+  * New stats counters track TCP and UDP queries received per zone, and
+    EDNS options received in total.
+  * The internal and export versions of the BIND libraries (libisc,
+    libdns, etc) have been unified so that external library clients can
+    use the same libraries as BIND itself.
+  * A new compile-time option, "configure --enable-native-pkcs11", allows
+    BIND 9 cryptography functions to use the PKCS#11 API natively, so that
+    BIND can drive a cryptographic hardware service module (HSM) directly
+    instead of using a modified OpenSSL as an intermediary. (Note: This
+    feature requires an HSM to have a full implementation of the PKCS#11
+    API; many current HSMs only have partial implementations. The new
+    "pkcs11-tokens" command can be used to check API completeness. Native
+    PKCS#11 is known to work with the Thales nShield HSM and with SoftHSM
+    version 2 from the Open DNSSEC project.)
+  * The new "max-zone-ttl" option enforces maximum TTLs for zones. This
+    can simplify the process of rolling DNSSEC keys by guaranteeing that
+    cached signatures will have expired within the specified amount of
+    time.
+  * "dig +subnet" sends an EDNS CLIENT-SUBNET option when querying.
+  * "dig +expire" sends an EDNS EXPIRE option when querying. When this
+    option is sent with an SOA query to a server that supports it, it will
+    report the expiry time of a slave zone.
+  * New "dnssec-coverage" tool to check DNSSEC key coverage for a zone and
+    report if a lapse in signing coverage has been inadvertently
+    scheduled.
+  * Signing algorithm flexibility and other improvements for the "rndc"
+    control channel.
+  * "named-checkzone" and "named-compilezone" can now read journal files,
+    allowing them to process dynamic zones.
+  * Multiple DLZ databases can now be configured. Individual zones can be
+    configured to be served from a specific DLZ database. DLZ databases
+    now serve zones of type "master" and "redirect".
+  * "rndc zonestatus" reports information about a specified zone.
+  * "named" now listens on IPv6 as well as IPv4 interfaces by default.
+  * "named" now preserves the capitalization of names when responding to
+    queries: for instance, a query for "example.com" may be answered with
+    "example.COM" if the name was configured that way in the zone file.
+    Some clients have a bug causing them to depend on the older behavior,
+    in which the case of the answer always matched the case of the query,
+    rather than the case of the name configured in the DNS. Such clients
+    can now be specified in the new "no-case-compress" ACL; this will
+    restore the older behavior of "named" for those clients only.
+  * new "dnssec-importkey" command allows the use of offline DNSSEC keys
+    with automatic DNSKEY management.
+  * New "named-rrchecker" tool to verify the syntactic correctness of
+    individual resource records.
+  * When re-signing a zone, the new "dnssec-signzone -Q" option drops
+    signatures from keys that are still published but are no longer
+    active.
+  * "named-checkconf -px" will print the contents of configuration files
+    with the shared secrets obscured, making it easier to share
+    configuration (e.g. when submitting a bug report) without revealing
+    private information.
+  * "rndc scan" causes named to re-scan network interfaces for changes in
+    local addresses.
+  * On operating systems with support for routing sockets, network
+    interfaces are re-scanned automatically whenever they change.
+  * "tsig-keygen" is now available as an alternate command name to use for
+    "ddns-confgen".
+
+BIND 9.9.0
+
+BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier
+releases. New features include:
+
+  * Inline signing, allowing automatic DNSSEC signing of master zones
+    without modification of the zonefile, or "bump in the wire" signing in
+    slaves.
+  * NXDOMAIN redirection.
+  * New 'rndc flushtree' command clears all data under a given name from
+    the DNS cache.
+  * New 'rndc sync' command dumps pending changes in a dynamic zone to
+    disk without a freeze/thaw cycle.
+  * New 'rndc signing' command displays or clears signing status records
+    in 'auto-dnssec' zones.
+  * NSEC3 parameters for 'auto-dnssec' zones can now be set prior to
+    signing, eliminating the need to initially sign with NSEC.
+  * Startup time improvements on large authoritative servers.
+  * Slave zones are now saved in raw format by default.
+  * Several improvements to response policy zones (RPZ).
+  * Improved hardware scalability by using multiple threads to listen for
+    queries and using finer-grained client locking
+  * The 'also-notify' option now takes the same syntax as 'masters', so it
+    can used named masterlists and TSIG keys.
+  * 'dnssec-signzone -D' writes an output file containing only DNSSEC
+    data, which can be included by the primary zone file.
+  * 'dnssec-signzone -R' forces removal of signatures that are not expired
+    but were created by a key which no longer exists.
+  * 'dnssec-signzone -X' allows a separate expiration date to be specified
+    for DNSKEY signatures from other signatures.
+  * New '-L' option to dnssec-keygen, dnssec-settime, and
+    dnssec-keyfromlabel sets the default TTL for the key.
+  * dnssec-dsfromkey now supports reading from standard input, to make it
+    easier to convert DNSKEY to DS.
+  * RFC 1918 reverse zones have been added to the empty-zones table per
+    RFC 6303.
+  * Dynamic updates can now optionally set the zone's SOA serial number to
+    the current UNIX time.
+  * DLZ modules can now retrieve the source IP address of the querying
+    client.
+  * 'request-ixfr' option can now be set at the per-zone level.
+  * 'dig +rrcomments' turns on comments about DNSKEY records, indicating
+    their key ID, algorithm and function
+  * Simplified nsupdate syntax and added readline support
+
+BIND 9.8.0
+
+BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier
+releases. New features include:
+
+  * Built-in trust anchor for the root zone, which can be switched on via
+    "dnssec-validation auto;"
+  * Support for DNS64.
+  * Support for response policy zones (RPZ).
+  * Support for writable DLZ zones.
+  * Improved ease of configuration of GSS/TSIG for interoperability with
+    Active Directory
+  * Support for GOST signing algorithm for DNSSEC.
+  * Removed RTT Banding from server selection algorithm.
+  * New "static-stub" zone type.
+  * Allow configuration of resolver timeouts via "resolver-query-timeout"
+    option.
+  * The DLZ "dlopen" driver is now built by default.
+  * Added a new include file with function typedefs for the DLZ "dlopen"
+    driver.
+  * Made "--with-gssapi" default.
+  * More verbose error reporting from DLZ LDAP.
+
+BIND 9.7.0
+
+BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier
+releases. Most are intended to simplify DNSSEC configuration. New features
+include:
+
+  * Fully automatic signing of zones by "named".
+  * Simplified configuration of DNSSEC Lookaside Validation (DLV).
+  * Simplified configuration of Dynamic DNS, using the "ddns-confgen"
+    command line tool or the "local" update-policy option. (As a side
+    effect, this also makes it easier to configure automatic zone
+    re-signing.)
+  * New named option "attach-cache" that allows multiple views to share a
+    single cache.
+  * DNS rebinding attack prevention.
+  * New default values for dnssec-keygen parameters.
+  * Support for RFC 5011 automated trust anchor maintenance
+  * Smart signing: simplified tools for zone signing and key maintenance.
+  * The "statistics-channels" option is now available on Windows.
+  * A new DNSSEC-aware libdns API for use by non-BIND9 applications
+  * On some platforms, named and other binaries can now print out a stack
+    backtrace on assertion failure, to aid in debugging.
+  * A "tools only" installation mode on Windows, which only installs dig,
+    host, nslookup and nsupdate.
+  * Improved PKCS#11 support, including Keyper support and explicit
+    OpenSSL engine selection.
+
+BIND 9.6.0
+
+  * Full NSEC3 support
+  * Automatic zone re-signing
+  * New update-policy methods tcp-self and 6to4-self
+  * The BIND 8 resolver library, libbind, has been removed from the BIND 9
+    distribution and is now available as a separate download.
+  * Change the default pid file location from /var/run to /var/run/
+    {named,lwresd} for improved chroot/setuid support.
+
+BIND 9.5.0
+
+  * GSS-TSIG support (RFC 3645).
+  * DHCID support.
+  * Experimental http server and statistics support for named via xml.
+  * More detailed statistics counters including those supported in BIND 8.
+  * Faster ACL processing.
+  * Use Doxygen to generate internal documentation.
+  * Efficient LRU cache-cleaning mechanism.
+  * NSID support.
+
+BIND 9.4.0
+
+  * Implemented "additional section caching (or acache)", an internal
+    cache framework for additional section content to improve response
+    performance. Several configuration options were provided to control
+    the behavior.
+  * New notify type 'master-only'. Enable notify for master zones only.
+  * Accept 'notify-source' style syntax for query-source.
+  * rndc now allows addresses to be set in the server clauses.
+  * New option "allow-query-cache". This lets "allow-query" be used to
+    specify the default zone access level rather than having to have every
+    zone override the global value. "allow-query-cache" can be set at both
+    the options and view levels. If "allow-query-cache" is not set then
+    "allow-recursion" is used if set, otherwise "allow-query" is used if
+    set unless "recursion no;" is set in which case "none;" is used,
+    otherwise the default (localhost; localnets;) is used.
+  * rndc: the source address can now be specified.
+  * ixfr-from-differences now takes master and slave in addition to yes
+    and no at the options and view levels.
+  * Allow the journal's name to be changed via named.conf.
+  * 'rndc notify zone [class [view]]' resend the NOTIFY messages for the
+    specified zone.
+  * 'dig +trace' now randomly selects the next servers to try. Report if
+    there is a bad delegation.
+  * Improve check-names error messages.
+  * Make public the function to read a key file, dst_key_read_public().
+  * dig now returns the byte count for axfr/ixfr.
+  * allow-update is now settable at the options / view level.
+  * named-checkconf now checks the logging configuration.
+  * host now can turn on memory debugging flags with '-m'.
+  * Don't send notify messages to self.
+  * Perform sanity checks on NS records which refer to 'in zone' names.
+  * New zone option "notify-delay". Specify a minimum delay between sets
+    of NOTIFY messages.
+  * Extend adjusting TTL warning messages.
+  * Named and named-checkzone can now both check for non-terminal wildcard
+    records.
+  * "rndc freeze/thaw" now freezes/thaws all zones.
+  * named-checkconf now check acls to verify that they only refer to
+    existing acls.
+  * The server syntax has been extended to support a range of servers.
+  * Report differences between hints and real NS rrset and associated
+    address records.
+  * Preserve the case of domain names in rdata during zone transfers.
+  * Restructured the data locking framework using architecture dependent
+    atomic operations (when available), improving response performance on
+    multi-processor machines significantly. x86, x86_64, alpha, powerpc,
+    and mips are currently supported.
+  * UNIX domain controls are now supported.
+  * Add support for additional zone file formats for improving loading
+    performance. The masterfile-format option in named.conf can be used to
+    specify a non-default format. A separate command named-compilezone was
+    provided to generate zone files in the new format. Additionally, the
+    -I and -O options for dnssec-signzone specify the input and output
+    formats.
+  * dnssec-signzone can now randomize signature end times (dnssec-signzone
+    -j jitter).
+  * Add support for CH A record.
+  * Add additional zone data constancy checks. named-checkzone has
+    extended checking of NS, MX and SRV record and the hosts they
+    reference. named has extended post zone load checks. New zone options:
+    check-mx and integrity-check.
+  * edns-udp-size can now be overridden on a per server basis.
+  * dig can now specify the EDNS version when making a query.
+  * Added framework for handling multiple EDNS versions.
+  * Additional memory debugging support to track size and mctx arguments.
+  * Detect duplicates of UDP queries we are recursing on and drop them.
+    New stats category "duplicates".
+  * "USE INTERNAL MALLOC" is now runtime selectable.
+  * The lame cache is now done on a <qname,qclass,qtype> basis as some
+    servers only appear to be lame for certain query types.
+  * Limit the number of recursive clients that can be waiting for a single
+    query (<qname,qtype,qclass>) to resolve. New options clients-per-query
+    and max-clients-per-query.
+  * dig: report the number of extra bytes still left in the packet after
+    processing all the records.
+  * Support for IPSECKEY rdata type.
+  * Raise the UDP receive buffer size to 32k if it is less than 32k.
+  * x86 and x86_64 now have separate atomic locking implementations.
+  * named-checkconf now validates update-policy entries.
+  * Attempt to make the amount of work performed in a iteration self
+    tuning. The covers nodes clean from the cache per iteration, nodes
+    written to disk when rewriting a master file and nodes destroyed per
+    iteration when destroying a zone or a cache.
+  * ISC string copy API.
+  * Automatic empty zone creation for D.F.IP6.ARPA and friends. Note: RFC
+    1918 zones are not yet covered by this but are likely to be in a
+    future release.
+  * New options: empty-server, empty-contact, empty-zones-enable and
+    disable-empty-zone.
+  * dig now has a '-q queryname' and '+showsearch' options.
+  * host/nslookup now continue (default)/fail on SERVFAIL.
+  * dig now warns if 'RA' is not set in the answer when 'RD' was set in
+    the query. host/nslookup skip servers that fail to set 'RA' when 'RD'
+    is set unless a server is explicitly set.
+  * Integrate contributed DLZ code into named.
+  * Integrate contributed IDN code from JPNIC.
+  * libbind: corresponds to that from BIND 8.4.7.
+
+BIND 9.3.0
+
+  * DNSSEC is now DS based (RFC 3658).
+  * DNSSEC lookaside validation.
+  * check-names is now implemented.
+  * rrset-order is more complete.
+  * IPv4/IPv6 transition support, dual-stack-servers.
+  * IXFR deltas can now be generated when loading master files,
+    ixfr-from-differences.
+  * It is now possible to specify the size of a journal, max-journal-size.
+  * It is now possible to define a named set of master servers to be used
+    in masters clause, masters.
+  * The advertised EDNS UDP size can now be set, edns-udp-size.
+  * allow-v6-synthesis has been obsoleted.
+  * Zones containing MD and MF will now be rejected.
+  * dig, nslookup name. now report "Not Implemented" as NOTIMP rather than
+    NOTIMPL. This will have impact on scripts that are looking for
+    NOTIMPL.
+  * libbind: corresponds to that from BIND 8.4.5.
+
+BIND 9.2.0
+
+  * The size of the cache can now be limited using the "max-cache-size"
+    option.
+  * The server can now automatically convert RFC1886-style recursive
+    lookup requests into RFC2874-style lookups, when enabled using the new
+    option "allow-v6-synthesis". This allows stub resolvers that support
+    AAAA records but not A6 record chains or binary labels to perform
+    lookups in domains that make use of these IPv6 DNS features.
+  * Performance has been improved.
+  * The man pages now use the more portable "man" macros rather than the
+    "mandoc" macros, and are installed by "make install".
+  * The named.conf parser has been completely rewritten. It now supports
+    "include" directives in more places such as inside "view" statements,
+    and it no longer has any reserved words.
+  * The "rndc status" command is now implemented.
+  * rndc can now be configured automatically.
+  * A BIND 8 compatible stub resolver library is now included in lib/bind.
+  * OpenSSL has been removed from the distribution. This means that to use
+    DNSSEC, OpenSSL must be installed and the --with-openssl option must
+    be supplied to configure. This does not apply to the use of TSIG,
+    which does not require OpenSSL.
+  * The source distribution now builds on Windows. See win32utils/
+    readme1.txt and win32utils/win32-build.txt for details.
+  * This distribution also includes a new lightweight stub resolver
+    library and associated resolver daemon that fully support forward and
+    reverse lookups of both IPv4 and IPv6 addresses. This library is
+    considered experimental and is not a complete replacement for the BIND
+    8 resolver library. Applications that use the BIND 8 res_* functions
+    to perform DNS lookups or dynamic updates still need to be linked
+    against the BIND 8 libraries. For DNS lookups, they can also use the
+    new "getrrsetbyname()" API.
+  * BIND 9.2 is capable of acting as an authoritative server for DNSSEC
+    secured zones. This functionality is believed to be stable and
+    complete except for lacking support for verifications involving
+    wildcard records in secure zones.
+  * When acting as a caching server, BIND 9.2 can be configured to perform
+    DNSSEC secure resolution on behalf of its clients. This part of the
+    DNSSEC implementation is still considered experimental. For detailed
+    information about the state of the DNSSEC implementation, see the file
+    doc/misc/dnssec.

HISTORY.md

@@ -10,21 +10,6 @@
 -->
 ### Functional enhancements from prior major releases of BIND 9
 
-#### BIND 9.16
-
-BIND 9.16 (a stable branch based on the 9.15 development branch)
-includes a number of changes from BIND 9.14 and earlier releases.
-New features include:
-
-* New `dnssec-policy` statement to configure a key and signing policy
-  for zones, enabling automatic key regeneration and rollover.
-* New network manager based on `libuv`.
-* Added support for the new GeoIP2 geolocation API, `libmaxminddb`.
-* Improved DNSSEC trust anchor configuration using the `trust-anchors`
-  statement, permitting configuration of trust anchors in DS as well as
-  DNSKEY format.
-* YAML output for `dig`, `mdig`, and `delv`.
-
 #### BIND 9.14
 
 BIND 9.14 (a stable branch based on the 9.13 development branch)

Kyuafile

@@ -0,0 +1,4 @@
+syntax(2)
+test_suite('bind9')
+
+include('lib/Kyuafile')

Makefile.am

@@ -1,25 +0,0 @@
-include $(top_srcdir)/Makefile.top
-
-SUBDIRS = . lib doc bin fuzz
-
-BUILT_SOURCES = bind.keys.h
-CLEANFILES = bind.keys.h
-
-bind.keys.h: bind.keys Makefile
-	${PERL} ${top_srcdir}/util/bindkeys.pl ${top_srcdir}/bind.keys > $@
-
-dist_sysconf_DATA = bind.keys
-
-.PHONY: doc
-
-EXTRA_DIST = 			\
-	util/bindkeys.pl	\
-	contrib			\
-	CHANGES			\
-	COPYRIGHT		\
-	LICENSE			\
-	*.md
-
-dist-hook:
-	find $(distdir) -type f -name .gitignore -delete
-	git rev-parse --short HEAD | cut -b1-7 > $(distdir)/srcid

Makefile.docs

@@ -1,52 +0,0 @@
-SPHINX_V = $(SPHINX_V_@AM_V@)
-SPHINX_V_ = $(SPHINX_V_@AM_DEFAULT_V@)
-SPHINX_V_0 = -q
-SPHINX_V_1 = -n
-
-AM_V_SPHINX = $(AM_V_SPHINX_@AM_V@)
-AM_V_SPHINX_ = $(AM_V_SPHINX_@AM_DEFAULT_V@)
-AM_V_SPHINX_0 = @echo "  SPHINX   $@";
-
-SPHINXBUILDDIR = $(builddir)/_build
-
-common_SPHINXOPTS =			\
-	-W				\
-	-c $(srcdir)			\
-	-a				\
-	$(SPHINX_V)
-
-ALLSPHINXOPTS =				\
-	$(common_SPHINXOPTS)		\
-	-D version="$(PACKAGE_VERSION)"	\
-	-D today="$(RELEASE_DATE)"	\
-	-D release="$(PACKAGE_VERSION)"	\
-	$(SPHINXOPTS)			\
-	$(srcdir)
-
-man_SPHINXOPTS =			\
-	$(common_SPHINXOPTS)		\
-	-D version="@""PACKAGE_VERSION@"\
-	-D today="@""RELEASE_DATE@"	\
-	-D release="@""PACKAGE_VERSION@"\
-	$(SPHINXOPTS)			\
-	$(srcdir)
-
-AM_V_SED = $(AM_V_SED_@AM_V@)
-AM_V_SED_ = $(AM_V_SED_@AM_DEFAULT_V@)
-AM_V_SED_0 = @echo "  SED $@";
-
-AM_V_CFG_TEST = $(AM_V_CFG_TEST_@AM_V@)
-AM_V_CFG_TEST_ = $(AM_V_CFG_TEST_@AM_DEFAULT_V@)
-AM_V_CFG_TEST_0 = @echo "  CFG_GEN $@";
-
-AM_V_RST_OPTIONS = $(AM_V_CFG_TEST_@AM_V@)
-AM_V_RST_OPTIONS_ = $(AM_V_RST_OPTIONS_@AM_DEFAULT_V@)
-AM_V_RST_OPTIONS_0 = @echo "  RST_OPTIONS $@";
-
-AM_V_RST_ZONEOPT = $(AM_V_CFG_TEST_@AM_V@)
-AM_V_RST_ZONEOPT_ = $(AM_V_RST_ZONEOPT_@AM_DEFAULT_V@)
-AM_V_RST_ZONEOPT_0 = @echo "  RST_ZONEOPT $@";
-
-AM_V_RST_GRAMMARS = $(AM_V_CFG_TEST_@AM_V@)
-AM_V_RST_GRAMMARS_ = $(AM_V_RST_GRAMMARS_@AM_DEFAULT_V@)
-AM_V_RST_GRAMMARS_0 = @echo "  RST_GRAMMARS $@";

Makefile.in

@@ -0,0 +1,113 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+top_builddir =  @top_builddir@
+
+VERSION=@BIND9_VERSION@
+
+SUBDIRS =	make lib fuzz bin doc
+TARGETS =
+PREREQS =	bind.keys.h
+
+MANOBJS =	README HISTORY OPTIONS CONTRIBUTING PLATFORMS CODE_OF_CONDUCT
+
+@BIND9_MAKE_RULES@
+
+newrr:
+	cd lib/dns; ${MAKE} newrr
+
+bind.keys.h: ${top_srcdir}/bind.keys ${srcdir}/util/bindkeys.pl
+	${PERL} ${srcdir}/util/bindkeys.pl < ${top_srcdir}/bind.keys > $@
+
+distclean::
+	rm -f config.cache config.h config.log config.status TAGS
+	rm -f libtool configure.lineno
+	rm -f util/conf.sh docutil/docbook2man-wrapper.sh
+
+# XXX we should clean libtool stuff too.  Only do this after we add rules
+# to make it.
+maintainer-clean::
+	rm -f configure
+	rm -f bind.keys.h
+
+docclean manclean maintainer-clean::
+	rm -f ${MANOBJS}
+
+doc man:: ${MANOBJS}
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir} \
+	${DESTDIR}${localstatedir}/run ${DESTDIR}${sysconfdir}
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
+
+install:: installdirs
+	${INSTALL_DATA} ${top_srcdir}/bind.keys ${DESTDIR}${sysconfdir}
+
+uninstall::
+	rm -f ${DESTDIR}${sysconfdir}/bind.keys
+
+test check:
+	@if test -n "`${PERL} ${top_srcdir}/bin/tests/system/testsock.pl 2>/dev/null || echo fail`"; then \
+	echo I: NOTE: The tests were not run because they require that; \
+	echo I:	the IP addresses 10.53.0.1 through 10.53.0.8 are configured; \
+	echo I:	as alias addresses on the loopback interface.  Please run; \
+	echo I:	\'bin/tests/system/ifconfig.sh up\' as root to configure; \
+	echo I:	them, then rerun the tests. Run make force-test to run the; \
+	echo I:	tests anyway.; \
+	exit 1; \
+	fi
+	${MAKE} test-force
+
+force-test: test-force
+
+test-force:
+	status=0; \
+	(cd fuzz && ${MAKE} check) || status=1; \
+	(cd bin/tests && ${MAKE} ${MAKEDEFS} test) || status=1; \
+	(test -f ${top_builddir}/unit/unittest.sh && \
+		$(SHELL) ${top_builddir}/unit/unittest.sh) || status=1; \
+	exit $$status
+
+README: README.md
+	${PANDOC} --email-obfuscation=none -s --metadata title="README" -f markdown-smart -t html README.md | \
+		${W3M} -dump -cols 75 -O ascii -T text/html | \
+		sed -e '$${/^$$/d;}' > $@
+
+HISTORY: HISTORY.md
+	${PANDOC} --email-obfuscation=none -s --metadata title="HISTORY" -f markdown-smart -t html HISTORY.md | \
+		${W3M} -dump -cols 75 -O ascii -T text/html | \
+		sed -e '$${/^$$/d;}' > $@
+
+OPTIONS: OPTIONS.md
+	${PANDOC} --email-obfuscation=none -s --metadata title="OPTIONS" -f markdown-smart -t html OPTIONS.md | \
+		${W3M} -dump -cols 75 -O ascii -T text/html | \
+		sed -e '$${/^$$/d;}' > $@
+
+CONTRIBUTING: CONTRIBUTING.md
+	${PANDOC} --email-obfuscation=none -s --metadata title="CONTRIBUTING" -f markdown-smart -t html CONTRIBUTING.md | \
+		${W3M} -dump -cols 75 -O ascii -T text/html | \
+		sed -e '$${/^$$/d;}' > $@
+
+PLATFORMS: PLATFORMS.md
+	${PANDOC} --email-obfuscation=none -s --metadata title="PLATFORMS" -f markdown-smart -t html PLATFORMS.md | \
+		${W3M} -dump -cols 75 -O ascii -T text/html | \
+		sed -e '$${/^$$/d;}' > $@
+
+CODE_OF_CONDUCT: CODE_OF_CONDUCT.md
+	${PANDOC} --email-obfuscation=none -s --metadata title="CODE OF CONDUCT" -f markdown-smart -t html CODE_OF_CONDUCT.md | \
+		${W3M} -dump -cols 75 -O ascii -T text/html | \
+		sed -e '$${/^$$/d;}' > $@
+
+unit::
+	sh ${top_builddir}/unit/unittest.sh
+
+clean::

Makefile.tests

@@ -1,11 +0,0 @@
-# Hey Emacs, this is -*- makefile-automake -*- file!
-# vim: filetype=automake
-
-AM_CPPFLAGS +=					\
-	$(CMOCKA_CFLAGS)			\
-	-DNAMED_PLUGINDIR=\"$(libdir)/named\"	\
-	-DSKIPPED_TEST_EXIT_CODE=77		\
-	-DTESTS_DIR=\"$(abs_srcdir)\"
-
-LDADD =			\
-	$(CMOCKA_LIBS)

Makefile.top

@@ -1,65 +0,0 @@
-# Hey Emacs, this is -*- makefile-automake -*- file!
-# vim: filetype=automake
-
-ACLOCAL_AMFLAGS = -I $(top_srcdir)/m4
-
-AM_CFLAGS =					\
-	$(STD_CFLAGS)
-
-AM_CPPFLAGS =					\
-	$(STD_CPPFLAGS)				\
-	-include $(top_builddir)/config.h	\
-	-I$(srcdir)/include
-
-AM_LDFLAGS =
-
-if HOST_MACOS
-AM_LDFLAGS +=					\
-	-Wl,-flat_namespace
-endif HOST_MACOS
-
-LIBISC_CFLAGS =						\
-	-I$(top_srcdir)/include				\
-	-I$(top_srcdir)/lib/isc/unix/include		\
-	-I$(top_srcdir)/lib/isc/pthreads/include	\
-	-I$(top_srcdir)/lib/isc/include			\
-	-I$(top_builddir)/lib/isc/include
-
-LIBISC_LIBS = $(top_builddir)/lib/isc/libisc.la
-
-LIBDNS_CFLAGS = \
-	-I$(top_srcdir)/lib/dns/include			\
-	-I$(top_builddir)/lib/dns/include
-
-LIBDNS_LIBS = \
-	$(top_builddir)/lib/dns/libdns.la
-
-LIBNS_CFLAGS = \
-	-I$(top_srcdir)/lib/ns/include
-
-LIBNS_LIBS = \
-	$(top_builddir)/lib/ns/libns.la
-
-LIBIRS_CFLAGS = \
-	-I$(top_srcdir)/lib/irs/include
-
-LIBIRS_LIBS = \
-	$(top_builddir)/lib/irs/libirs.la
-
-LIBISCCFG_CFLAGS = \
-	-I$(top_srcdir)/lib/isccfg/include
-
-LIBISCCFG_LIBS = \
-	$(top_builddir)/lib/isccfg/libisccfg.la
-
-LIBISCCC_CFLAGS = \
-	-I$(top_srcdir)/lib/isccc/include/
-
-LIBISCCC_LIBS = \
-	$(top_builddir)/lib/isccc/libisccc.la
-
-LIBBIND9_CFLAGS = \
-	-I$(top_srcdir)/lib/bind9/include
-
-LIBBIND9_LIBS = \
-	$(top_builddir)/lib/bind9/libbind9.la

NEWS

@@ -1 +0,0 @@
-CHANGES

OPTIONS

@@ -0,0 +1,28 @@
+OPTIONS
+
+Setting the STD_CDEFINES environment variable before running configure can
+be used to enable certain compile-time options that are not explicitly
+defined in configure.
+
+Some of these settings are:
+
+         Setting                            Description
+                          Overwrite memory with tag values when allocating
+-DISC_MEM_DEFAULTFILL=1   or freeing it; this impairs performance but
+                          makes debugging of memory problems easier.
+                          Don't track memory allocations by file and line
+-DISC_MEM_TRACKLINES=0    number; this improves performance but makes
+                          debugging more difficult.
+-DISC_FACILITY=LOG_LOCAL0 Change the default syslog facility for named
+-DNS_CLIENT_DROPPORT=0    Disable dropping queries from particular
+                          well-known ports:
+-DCHECK_SIBLING=0         Don't check sibling glue in named-checkzone
+-DCHECK_LOCAL=0           Don't check out-of-zone addresses in
+                          named-checkzone
+-DNS_RUN_PID_DIR=0        Create default PID files in ${localstatedir}/run
+                          rather than ${localstatedir}/run/named/
+                          Disable the use of inline functions to implement
+-DISC_BUFFER_USEINLINE=0  the isc_buffer API: this reduces performance but
+                          may be useful when debugging
+-DISC_HEAP_CHECK          Test heap consistency after every heap
+                          operation; used when debugging

OPTIONS.md

@@ -8,19 +8,20 @@
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
-Setting the `CPPFLAGS` environment variable before running `configure`
-can be used to enable certain compile-time options that are not
-explicitly defined in `configure`.
+Setting the `STD_CDEFINES` environment variable before running `configure`
+can be used to enable certain compile-time options that are not explicitly
+defined in `configure`.
 
 Some of these settings are:
 
-| Setting                      | Description                                                                                                                            |
-| ---------------------------- | -------------------------------------------------------------------------------------------------------------------------------------- |
-| `-DCHECK_LOCAL=0`            | Don't check out-of-zone addresses in `named-checkzone`                                                                                 |
-| `-DCHECK_SIBLING=0`          | Don't check sibling glue in `named-checkzone`                                                                                          |
-| `-DISC_FACILITY=LOG_LOCAL0`  | Change the default syslog facility for `named`                                                                                         |
-| `-DISC_HEAP_CHECK`           | Test heap consistency after every heap operation; used when debugging                                                                  |
-| `-DISC_MEM_DEFAULTFILL=1`    | Overwrite memory with tag values when allocating or freeing it; this impairs performance but makes debugging of memory problems easier |
-| `-DISC_MEM_TRACKLINES=0`     | Don't track memory allocations by file and line number; this improves performance but makes debugging more difficult                   |
-| `-DNAMED_RUN_PID_DIR=0`      | Create default PID files in `${localstatedir}/run` rather than `${localstatedir}/run/named/`                                           |
-| `-DNS_CLIENT_DROPPORT=0`     | Disable dropping queries from particular well-known ports                                                                              |
+|Setting                            |Description |
+|-----------------------------------|----------------------------------------|
+|`-DISC_MEM_DEFAULTFILL=1`|Overwrite memory with tag values when allocating or freeing it; this impairs performance but makes debugging of memory problems easier.|
+|`-DISC_MEM_TRACKLINES=0`|Don't track memory allocations by file and line number; this improves performance but makes debugging more difficult.|
+|<nobr>`-DISC_FACILITY=LOG_LOCAL0`</nobr>|Change the default syslog facility for `named`|
+|`-DNS_CLIENT_DROPPORT=0`|Disable dropping queries from particular well-known ports:|
+|`-DCHECK_SIBLING=0`|Don't check sibling glue in `named-checkzone`|
+|`-DCHECK_LOCAL=0`|Don't check out-of-zone addresses in `named-checkzone`|
+|`-DNS_RUN_PID_DIR=0`|Create default PID files in `${localstatedir}/run` rather than `${localstatedir}/run/named/`|
+|`-DISC_BUFFER_USEINLINE=0`|Disable the use of inline functions to implement the `isc_buffer` API: this reduces performance but may be useful when debugging |
+|`-DISC_HEAP_CHECK`|Test heap consistency after every heap operation; used when debugging|

PLATFORMS

@@ -0,0 +1,99 @@
+PLATFORMS
+
+Supported platforms
+
+In general, this version of BIND will build and run on any POSIX-compliant
+system with a C11-compliant C compiler, BSD-style sockets with
+RFC-compliant IPv6 support, POSIX-compliant threads, the libuv
+asynchronous I/O library, and the OpenSSL cryptography library.
+
+The following C11 features are used in BIND 9:
+
+  * Atomic operations support from the compiler is needed, either in the
+    form of builtin operations, C11 atomics, or the Interlocked family of
+    functions on Windows.
+
+  * Thread Local Storage support from the compiler is needed, either in
+    the form of C11 _Thread_local/thread_local, the __thread GCC
+    extension, or the __declspec(thread) MSVC extension on Windows.
+
+BIND 9.16 requires a fairly recent version of libuv (at least 1.x). For
+some of the older systems listed below, you will have to install an
+updated libuv package from sources such as EPEL, PPA, or other native
+sources for updated packages. The other option is to build and install
+libuv from source.
+
+Certain optional BIND features have additional library dependencies. These
+include libxml2 and libjson-c for statistics, libmaxminddb for
+geolocation, libfstrm and libprotobuf-c for DNSTAP, and libidn2 for
+internationalized domain name conversion.
+
+ISC regularly tests BIND on many operating systems and architectures, but
+lacks the resources to test all of them. Consequently, ISC is only able to
+offer support on a "best effort" basis for some.
+
+Regularly tested platforms
+
+As of Jul 2020, BIND 9.16 is fully supported and regularly tested on the
+following systems:
+
+  * Debian 9, 10
+  * Ubuntu LTS 16.04, 20.04
+  * Fedora 32
+  * Red Hat Enterprise Linux / CentOS 7, 8
+  * FreeBSD 11.3, 12.1
+  * OpenBSD 6.6
+  * Alpine Linux
+
+The amd64, i386, armhf and arm64 CPU architectures are all fully
+supported.
+
+Best effort
+
+The following are platforms on which BIND is known to build and run. ISC
+makes every effort to fix bugs on these platforms, but may be unable to do
+so quickly due to lack of hardware, less familiarity on the part of
+engineering staff, and other constraints. With the exception of Windows
+Server 2012 R2, none of these are tested regularly by ISC.
+
+  * Windows Server 2012 R2, 2016 / x64
+  * Windows 10 / x64
+  * macOS 10.12+
+  * Solaris 11
+  * NetBSD
+  * Other Linux distributions still supported by their vendors, such as:
+      + Ubuntu 19.04+
+      + Gentoo
+      + Arch Linux
+  * OpenWRT/LEDE 17.01+
+  * Other CPU architectures (mips, mipsel, sparc, ...)
+
+Community maintained
+
+These systems may not all have the required dependencies for building BIND
+easily available, although it will be possible in many cases to compile
+those directly from source. The community and interested parties may wish
+to help with maintenance, and we welcome patch contributions, although we
+cannot guarantee that we will accept them. All contributions will be
+assessed against the risk of adverse effect on officially supported
+platforms.
+
+  * Platforms past or close to their respective EOL dates, such as:
+      + Ubuntu 14.04, 18.10
+      + CentOS 6
+      + Debian Jessie
+      + FreeBSD 10.x
+
+Unsupported platforms
+
+These are platforms on which BIND 9.16 is known not to build or run:
+
+  * Platforms without at least OpenSSL 1.0.2
+  * Windows 10 / x86
+  * Windows Server 2012 and older
+  * Solaris 10 and older
+  * Platforms that don't support IPv6 Advanced Socket API (RFC 3542)
+  * Platforms that don't support atomic operations (via compiler or
+    library)
+  * Linux without NPTL (Native POSIX Thread Library)
+  * Platforms on which libuv cannot be compiled

PLATFORMS.md

@@ -13,7 +13,7 @@
 In general, this version of BIND will build and run on any POSIX-compliant
 system with a C11-compliant C compiler, BSD-style sockets with RFC-compliant
 IPv6 support, POSIX-compliant threads, the `libuv` asynchronous I/O library,
-the OpenSSL cryptography library, and the `nghttp2` HTTP/2 library.
+and the OpenSSL cryptography library.
 
 The following C11 features are used in BIND 9:
 
@@ -25,7 +25,7 @@ The following C11 features are used in BIND 9:
   of C11 `_Thread_local`/`thread_local`, the `__thread` GCC extension, or
   the `__declspec(thread)` MSVC extension on Windows.
 
-BIND 9.17 requires a fairly recent version of `libuv` (at least 1.x).  For
+BIND 9.16 requires a fairly recent version of `libuv` (at least 1.x).  For
 some of the older systems listed below, you will have to install an updated
 `libuv` package from sources such as EPEL, PPA, or other native sources for
 updated packages. The other option is to build and install `libuv` from
@@ -42,16 +42,16 @@ offer support on a "best effort" basis for some.
 
 ### Regularly tested platforms
 
-As of Nov 2020, BIND 9.17 is fully supported and regularly tested on the
+As of Jul 2020, BIND 9.16 is fully supported and regularly tested on the
 following systems:
 
 * Debian 9, 10
-* Ubuntu LTS 18.04, 20.04
-* Fedora 34
+* Ubuntu LTS 16.04, 20.04
+* Fedora 32
 * Red Hat Enterprise Linux / CentOS 7, 8
-* FreeBSD 11.4, 12.2, 13.0
-* OpenBSD 6.9
-* Alpine Linux 3.13
+* FreeBSD 11.4, 12.1
+* OpenBSD 6.7
+* Alpine Linux 3.12
 
 The amd64, i386, armhf and arm64 CPU architectures are all fully supported.
 
@@ -61,7 +61,7 @@ The following are platforms on which BIND is known to build and run.
 ISC makes every effort to fix bugs on these platforms, but may be unable to
 do so quickly due to lack of hardware, less familiarity on the part of
 engineering staff, and other constraints. With the exception of Windows
-Server 2016, none of these are tested regularly by ISC.
+Server 2012 R2, none of these are tested regularly by ISC.
 
 * Windows Server 2012 R2, 2016 / x64
 * Windows 10 / x64
@@ -69,7 +69,7 @@ Server 2016, none of these are tested regularly by ISC.
 * Solaris 11
 * NetBSD
 * Other Linux distributions still supported by their vendors, such as:
-    * Ubuntu 20.10+
+    * Ubuntu 19.04+
     * Gentoo
     * Arch Linux
 * OpenWRT/LEDE 17.01+
@@ -86,14 +86,14 @@ assessed against the risk of adverse effect on officially supported
 platforms.
 
 * Platforms past or close to their respective EOL dates, such as:
-    * Ubuntu 14.04, 16.04 (Ubuntu ESM releases are not supported)
+    * Ubuntu 14.04, 18.10
     * CentOS 6
     * Debian Jessie
     * FreeBSD 10.x
 
 ## Unsupported platforms
 
-These are platforms on which BIND 9.17 is known *not* to build or run:
+These are platforms on which BIND 9.16 is known *not* to build or run:
 
 * Platforms without at least OpenSSL 1.0.2
 * Windows 10 / x86

README

@@ -0,0 +1,383 @@
+README
+
+BIND 9
+
+Contents
+
+ 1. Introduction
+ 2. Reporting bugs and getting help
+ 3. Contributing to BIND
+ 4. BIND 9.16 features
+ 5. Building BIND
+ 6. macOS
+ 7. Dependencies
+ 8. Compile-time options
+ 9. Automated testing
+10. Documentation
+11. Change log
+12. Acknowledgments
+
+Introduction
+
+BIND (Berkeley Internet Name Domain) is a complete, highly portable
+implementation of the DNS (Domain Name System) protocol.
+
+The BIND name server, named, is able to serve as an authoritative name
+server, recursive resolver, DNS forwarder, or all three simultaneously. It
+implements views for split-horizon DNS, automatic DNSSEC zone signing and
+key management, catalog zones to facilitate provisioning of zone data
+throughout a name server constellation, response policy zones (RPZ) to
+protect clients from malicious data, response rate limiting (RRL) and
+recursive query limits to reduce distributed denial of service attacks,
+and many other advanced DNS features. BIND also includes a suite of
+administrative tools, including the dig and delv DNS lookup tools,
+nsupdate for dynamic DNS zone updates, rndc for remote name server
+administration, and more.
+
+BIND 9 began as a complete re-write of the BIND architecture that was used
+in versions 4 and 8. Internet Systems Consortium (https://www.isc.org), a
+501(c)(3) public benefit corporation dedicated to providing software and
+services in support of the Internet infrastructure, developed BIND 9 and
+is responsible for its ongoing maintenance and improvement. BIND is open
+source software licensed under the terms of the Mozilla Public License,
+version 2.0.
+
+For a summary of features introduced in past major releases of BIND, see
+the file HISTORY.
+
+For a detailed list of changes made throughout the history of BIND 9, see
+the file CHANGES. See below for details on the CHANGES file format.
+
+For up-to-date versions and release notes, see https://www.isc.org/
+download/.
+
+For information about supported platforms, see PLATFORMS.
+
+Reporting bugs and getting help
+
+To report non-security-sensitive bugs or request new features, you may
+open an Issue in the BIND 9 project on the ISC GitLab server at https://
+gitlab.isc.org/isc-projects/bind9.
+
+Please note that, unless you explicitly mark the newly created Issue as
+"confidential", it will be publicly readable. Please do not include any
+information in bug reports that you consider to be confidential unless the
+issue has been marked as such. In particular, if submitting the contents
+of your configuration file in a non-confidential Issue, it is advisable to
+obscure key secrets: this can be done automatically by using
+named-checkconf -px.
+
+If the bug you are reporting is a potential security issue, such as an
+assertion failure or other crash in named, please do NOT use GitLab to
+report it. Instead, send mail to security-officer@isc.org using our
+OpenPGP key to secure your message. (Information about OpenPGP and links
+to our key can be found at https://www.isc.org/pgpkey.) Please do not
+discuss the bug on any public mailing list.
+
+For a general overview of ISC security policies, read the Knowledge Base
+article at https://kb.isc.org/docs/aa-00861.
+
+Professional support and training for BIND are available from ISC at
+https://www.isc.org/support.
+
+To join the BIND Users mailing list, or view the archives, visit https://
+lists.isc.org/mailman/listinfo/bind-users.
+
+If you're planning on making changes to the BIND 9 source code, you may
+also want to join the BIND Workers mailing list, at https://lists.isc.org/
+mailman/listinfo/bind-workers.
+
+Contributing to BIND
+
+ISC maintains a public git repository for BIND; details can be found at
+http://www.isc.org/git/.
+
+Information for BIND contributors can be found in the following files: -
+General information: CONTRIBUTING.md - Code of Conduct: CODE_OF_CONDUCT.md
+- BIND 9 code style: doc/dev/style.md - BIND architecture and developer
+guide: doc/dev/dev.md
+
+Patches for BIND may be submitted as merge requests in the ISC GitLab
+server at at https://gitlab.isc.org/isc-projects/bind9/merge_requests.
+
+By default, external contributors don't have ability to fork BIND in the
+GitLab server, but if you wish to contribute code to BIND, you may request
+permission to do so. Thereafter, you can create git branches and directly
+submit requests that they be reviewed and merged.
+
+If you prefer, you may also submit code by opening a GitLab Issue and
+including your patch as an attachment, preferably generated by git
+format-patch.
+
+BIND 9.16 features
+
+BIND 9.16 is the current stable branch of BIND 9. It includes all changes
+from the 9.15 development branch, updating the previous stable branch,
+9.14. New features include:
+
+  * New dnssec-policy statement to configure a key and signing policy for
+    zones, enabling automatic key regeneration and rollover.
+  * New network manager based on libuv.
+  * Added support for the new GeoIP2 geolocation API, libmaxminddb.
+  * Improved DNSSEC trust anchor configuration using the trust-anchors
+    statement, permitting configuration of trust anchors in DS as well as
+    DNSKEY format.
+  * YAML output for dig, mdig, and delv.
+
+Building BIND
+
+Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
+basic POSIX support, and a 64-bit integer type. BIND also requires the
+libuv asynchronous I/O library, and a cryptography provider library such
+as OpenSSL or a hardware service module supporting PKCS#11. On Linux, BIND
+requires the libcap library to set process privileges, though this
+requirement can be overridden by disabling capability support at compile
+time. See Compile-time options below for details on other libraries that
+may be required to support optional features.
+
+Successful builds have been observed on many versions of Linux and UNIX,
+including RHEL/CentOS, Fedora, Debian, Ubuntu, SLES, openSUSE, Slackware,
+Alpine, FreeBSD, NetBSD, OpenBSD, macOS, Solaris, OpenIndiana, OmniOS CE,
+HP-UX, and OpenWRT.
+
+BIND is also available for Windows Server 2012 R2 and higher. See
+win32utils/build.txt for details on building for Windows systems.
+
+To build on a UNIX or Linux system, use:
+
+    $ ./configure
+    $ make
+
+If you're planning on making changes to the BIND 9 source, you should run
+make depend. If you're using Emacs, you might find make tags helpful.
+
+Several environment variables that can be set before running configure
+will affect compilation. Significant ones are:
+
+   Variable                            Description
+CC             The C compiler to use. configure tries to figure out the
+               right one for supported systems.
+               C compiler flags. Defaults to include -g and/or -O2 as
+CFLAGS         supported by the compiler. Please include '-g' if you need
+               to set CFLAGS.
+               System header file directories. Can be used to specify
+STD_CINCLUDES  where add-on thread or IPv6 support is, for example.
+               Defaults to empty string.
+               Any additional preprocessor symbols you want defined.
+STD_CDEFINES   Defaults to empty string. For a list of possible settings,
+               see the file OPTIONS.
+LDFLAGS        Linker flags. Defaults to empty string.
+BUILD_CC       Needed when cross-compiling: the native C compiler to use
+               when building for the target system.
+BUILD_CFLAGS   CFLAGS for the target system during cross-compiling.
+BUILD_CPPFLAGS CPPFLAGS for the target system during cross-compiling.
+BUILD_LDFLAGS  LDFLAGS for the target system during cross-compiling.
+BUILD_LIBS     LIBS for the target system during cross-compiling.
+
+Additional environment variables affecting the build are listed at the end
+of the configure help text, which can be obtained by running the command:
+
+$ ./configure --help
+
+macOS
+
+Building on macOS assumes that the "Command Tools for Xcode" is installed.
+This can be downloaded from https://developer.apple.com/download/more/ or,
+if you have Xcode already installed, you can run xcode-select --install.
+(Note that an Apple ID may be required to access the download page.)
+
+Dependencies
+
+Portions of BIND that are written in Python, including dnssec-keymgr,
+dnssec-coverage, dnssec-checkds, and some of the system tests, require the
+argparse, ply and distutils.core modules to be available. argparse is a
+standard module as of Python 2.7 and Python 3.2. ply is available from
+https://pypi.python.org/pypi/ply. distutils.core is required for
+installation.
+
+Compile-time options
+
+To see a full list of configuration options, run configure --help.
+
+To build shared libraries, specify --with-libtool on the configure command
+line.
+
+For the server to support DNSSEC, you need to build it with crypto
+support. To use OpenSSL, you should have OpenSSL 1.0.2e or newer
+installed. If the OpenSSL library is installed in a nonstandard location,
+specify the prefix using --with-openssl=<PREFIX> on the configure command
+line. To use a PKCS#11 hardware service module for cryptographic
+operations, specify the path to the PKCS#11 provider library using
+--with-pkcs11=<PREFIX>, and configure BIND with --enable-native-pkcs11.
+
+To support the HTTP statistics channel, the server must be linked with at
+least one of the following libraries: libxml2 http://xmlsoft.org or json-c
+https://github.com/json-c/json-c. If these are installed at a nonstandard
+location, then:
+
+  * for libxml2, specify the prefix using --with-libxml2=/prefix,
+  * for json-c, adjust PKG_CONFIG_PATH.
+
+To support compression on the HTTP statistics channel, the server must be
+linked against libzlib. If this is installed in a nonstandard location,
+specify the prefix using --with-zlib=/prefix.
+
+To support storing configuration data for runtime-added zones in an LMDB
+database, the server must be linked with liblmdb. If this is installed in
+a nonstandard location, specify the prefix using with-lmdb=/prefix.
+
+To support MaxMind GeoIP2 location-based ACLs, the server must be linked
+with libmaxminddb. This is turned on by default if the library is found;
+if the library is installed in a nonstandard location, specify the prefix
+using --with-maxminddb=/prefix. GeoIP2 support can be switched off with
+--disable-geoip.
+
+For DNSTAP packet logging, you must have installed libfstrm https://
+github.com/farsightsec/fstrm and libprotobuf-c https://
+developers.google.com/protocol-buffers, and BIND must be configured with
+--enable-dnstap.
+
+Certain compiled-in constants and default settings can be decreased to
+values better suited to small machines, e.g. OpenWRT boxes, by specifying
+--with-tuning=small on the configure command line. This will decrease
+memory usage by using smaller structures, but will degrade performance.
+
+On Linux, process capabilities are managed in user space using the libcap
+library, which can be installed on most Linux systems via the libcap-dev
+or libcap-devel package. Process capability support can also be disabled
+by configuring with --disable-linux-caps.
+
+On some platforms it is necessary to explicitly request large file support
+to handle files bigger than 2GB. This can be done by using
+--enable-largefile on the configure command line.
+
+Support for the "fixed" rrset-order option can be enabled or disabled by
+specifying --enable-fixed-rrset or --disable-fixed-rrset on the configure
+command line. By default, fixed rrset-order is disabled to reduce memory
+footprint.
+
+The --enable-querytrace option causes named to log every step of
+processing every query. This should only be enabled when debugging,
+because it has a significant negative impact on query performance.
+
+make install will install named and the various BIND 9 libraries. By
+default, installation is into /usr/local, but this can be changed with the
+--prefix option when running configure.
+
+You may specify the option --sysconfdir to set the directory where
+configuration files like named.conf go by default, and --localstatedir to
+set the default parent directory of run/named.pid. --sysconfdir defaults
+to $prefix/etc and --localstatedir defaults to $prefix/var.
+
+Automated testing
+
+A system test suite can be run with make test. The system tests require
+you to configure a set of virtual IP addresses on your system (this allows
+multiple servers to run locally and communicate with one another). These
+IP addresses can be configured by running the command bin/tests/system/
+ifconfig.sh up as root.
+
+Some tests require Perl and the Net::DNS and/or IO::Socket::INET6 modules,
+and will be skipped if these are not available. Some tests require Python
+and the dnspython module and will be skipped if these are not available.
+See bin/tests/system/README for further details.
+
+Unit tests are implemented using the CMocka unit testing framework. To
+build them, use configure --with-cmocka. Execution of tests is done by the
+Kyua test execution engine; if the kyua command is available, then unit
+tests can be run via make test or make unit.
+
+Documentation
+
+The BIND 9 Administrator Reference Manual is included with the source
+distribution, in DocBook XML, HTML, and PDF format, in the doc/arm
+directory.
+
+Some of the programs in the BIND 9 distribution have man pages in their
+directories. In particular, the command line options of named are
+documented in bin/named/named.8.
+
+Frequently (and not-so-frequently) asked questions and their answers can
+be found in the ISC Knowledge Base at https://kb.isc.org.
+
+Additional information on various subjects can be found in other README
+files throughout the source tree.
+
+Change log
+
+A detailed list of all changes that have been made throughout the
+development BIND 9 is included in the file CHANGES, with the most recent
+changes listed first. Change notes include tags indicating the category of
+the change that was made; these categories are:
+
+   Category                            Description
+[func]         New feature
+[bug]          General bug fix
+[security]     Fix for a significant security flaw
+[experimental] Used for new features when the syntax or other aspects of
+               the design are still in flux and may change
+[port]         Portability enhancement
+[maint]        Updates to built-in data such as root server addresses and
+               keys
+[tuning]       Changes to built-in configuration defaults and constants to
+               improve performance
+[performance]  Other changes to improve server performance
+[protocol]     Updates to the DNS protocol such as new RR types
+[test]         Changes to the automatic tests, not affecting server
+               functionality
+[cleanup]      Minor corrections and refactoring
+[doc]          Documentation
+[contrib]      Changes to the contributed tools and libraries in the
+               'contrib' subdirectory
+               Used in the master development branch to reserve change
+[placeholder]  numbers for use in other branches, e.g. when fixing a bug
+               that only exists in older releases
+
+In general, [func] and [experimental] tags will only appear in new-feature
+releases (i.e., those with version numbers ending in zero). Some new
+functionality may be backported to older releases on a case-by-case basis.
+All other change types may be applied to all currently-supported releases.
+
+Bug report identifiers
+
+Most notes in the CHANGES file include a reference to a bug report or
+issue number. Prior to 2018, these were usually of the form [RT #NNN] and
+referred to entries in the "bind9-bugs" RT database, which was not open to
+the public. More recent entries use the form [GL #NNN] or, less often, [GL
+!NNN], which, respectively, refer to issues or merge requests in the
+GitLab database. Most of these are publicly readable, unless they include
+information which is confidential or security sensitive.
+
+To look up a GitLab issue by its number, use the URL https://
+gitlab.isc.org/isc-projects/bind9/issues/NNN. To look up a merge request,
+use https://gitlab.isc.org/isc-projects/bind9/merge_requests/NNN.
+
+In rare cases, an issue or merge request number may be followed with the
+letter "P". This indicates that the information is in the private ISC
+GitLab instance, which is not visible to the public.
+
+Acknowledgments
+
+  * The original development of BIND 9 was underwritten by the following
+    organizations:
+
+      Sun Microsystems, Inc.
+      Hewlett Packard
+      Compaq Computer Corporation
+      IBM
+      Process Software Corporation
+      Silicon Graphics, Inc.
+      Network Associates, Inc.
+      U.S. Defense Information Systems Agency
+      USENIX Association
+      Stichting NLnet - NLnet Foundation
+      Nominum, Inc.
+
+  * This product includes software developed by the OpenSSL Project for
+    use in the OpenSSL Toolkit. http://www.OpenSSL.org/
+
+  * This product includes cryptographic software written by Eric Young
+    (eay@cryptsoft.com)
+
+  * This product includes software written by Tim Hudson
+    (tjh@cryptsoft.com)

README.md

@@ -15,6 +15,7 @@
 1. [Introduction](#intro)
 1. [Reporting bugs and getting help](#help)
 1. [Contributing to BIND](#contrib)
+1. [BIND 9.16 features](#features)
 1. [Building BIND](#build)
 1. [macOS](#macos)
 1. [Dependencies](#dependencies)
@@ -27,26 +28,26 @@
 ### <a name="intro"/> Introduction
 
 BIND (Berkeley Internet Name Domain) is a complete, highly portable
-implementation of the Domain Name System (DNS) protocol.
+implementation of the DNS (Domain Name System) protocol.
 
-The BIND name server, `named`, can act as an authoritative name
-server, recursive resolver, DNS forwarder, or all three simultaneously. It
+The BIND name server, `named`, is able to serve as an authoritative name
+server, recursive resolver, DNS forwarder, or all three simultaneously.  It
 implements views for split-horizon DNS, automatic DNSSEC zone signing and
 key management, catalog zones to facilitate provisioning of zone data
 throughout a name server constellation, response policy zones (RPZ) to
 protect clients from malicious data, response rate limiting (RRL) and
 recursive query limits to reduce distributed denial of service attacks,
-and many other advanced DNS features. BIND also includes a suite of
+and many other advanced DNS features.  BIND also includes a suite of
 administrative tools, including the `dig` and `delv` DNS lookup tools,
 `nsupdate` for dynamic DNS zone updates, `rndc` for remote name server
 administration, and more.
 
-BIND 9 began as a complete rewrite of the BIND architecture that was
+BIND 9 began as a complete re-write of the BIND architecture that was
 used in versions 4 and 8.  Internet Systems Consortium
-([https://www.isc.org](https://www.isc.org)), a 501(c)(3) US public benefit
+([https://www.isc.org](https://www.isc.org)), a 501(c)(3) public benefit
 corporation dedicated to providing software and services in support of the
 Internet infrastructure, developed BIND 9 and is responsible for its
-ongoing maintenance and improvement. BIND is open source software
+ongoing maintenance and improvement.  BIND is open source software
 licensed under the terms of the Mozilla Public License, version 2.0.
 
 For a summary of features introduced in past major releases of BIND,
@@ -64,19 +65,19 @@ For information about supported platforms, see [PLATFORMS](PLATFORMS.md).
 ### <a name="help"/> Reporting bugs and getting help
 
 To report non-security-sensitive bugs or request new features, you may
-open an issue in the BIND 9 project on the
+open an Issue in the BIND 9 project on the
 [ISC GitLab server](https://gitlab.isc.org) at
 [https://gitlab.isc.org/isc-projects/bind9](https://gitlab.isc.org/isc-projects/bind9).
 
-Please note that, unless you explicitly mark the newly created issue as
-"confidential," it will be publicly readable. Please do not include any
+Please note that, unless you explicitly mark the newly created Issue as
+"confidential", it will be publicly readable.  Please do not include any
 information in bug reports that you consider to be confidential unless
-the issue has been marked as such. In particular, if submitting the
-contents of your configuration file in a non-confidential issue, it is
-advisable to obscure key secrets; this can be done automatically by
+the issue has been marked as such.  In particular, if submitting the
+contents of your configuration file in a non-confidential Issue, it is
+advisable to obscure key secrets: this can be done automatically by
 using `named-checkconf -px`.
 
-If you are reporting a bug that is a potential security issue, such as an
+If the bug you are reporting is a potential security issue, such as an
 assertion failure or other crash in `named`, please do *NOT* use GitLab to
 report it. Instead, send mail to
 [security-officer@isc.org](mailto:security-officer@isc.org) using our
@@ -85,12 +86,11 @@ to our key can be found at
 [https://www.isc.org/pgpkey](https://www.isc.org/pgpkey).) Please do not
 discuss the bug on any public mailing list.
 
-For a general overview of ISC security policies, read the Knowledgebase
+For a general overview of ISC security policies, read the Knowledge Base
 article at [https://kb.isc.org/docs/aa-00861](https://kb.isc.org/docs/aa-00861).
 
 Professional support and training for BIND are available from
-ISC. Contact us at [https://www.isc.org/contact](https://www.isc.org/contact)
-for more information.
+ISC at [https://www.isc.org/support](https://www.isc.org/support).
 
 To join the __BIND Users__ mailing list, or view the archives, visit
 [https://lists.isc.org/mailman/listinfo/bind-users](https://lists.isc.org/mailman/listinfo/bind-users).
@@ -102,7 +102,7 @@ may also want to join the __BIND Workers__ mailing list, at
 ### <a name="contrib"/> Contributing to BIND
 
 ISC maintains a public git repository for BIND; details can be found
-at [https://www.isc.org/sourceaccess/](https://www.isc.org/sourceaccess/).
+at [http://www.isc.org/git/](http://www.isc.org/git/).
 
 Information for BIND contributors can be found in the following files:
 - General information: [CONTRIBUTING.md](CONTRIBUTING.md)
@@ -112,55 +112,78 @@ Information for BIND contributors can be found in the following files:
 
 Patches for BIND may be submitted as
 [merge requests](https://gitlab.isc.org/isc-projects/bind9/merge_requests)
-on the [ISC GitLab server](https://gitlab.isc.org).
+in the [ISC GitLab server](https://gitlab.isc.org) at
+at [https://gitlab.isc.org/isc-projects/bind9/merge_requests](https://gitlab.isc.org/isc-projects/bind9/merge_requests).
 
-By default, external contributors do not have the ability to fork BIND on the
-GitLab server; if you wish to contribute code to BIND, you may request
+By default, external contributors don't have ability to fork BIND in the
+GitLab server, but if you wish to contribute code to BIND, you may request
 permission to do so. Thereafter, you can create git branches and directly
 submit requests that they be reviewed and merged.
 
 If you prefer, you may also submit code by opening a
-[GitLab issue](https://gitlab.isc.org/isc-projects/bind9/issues) and
+[GitLab Issue](https://gitlab.isc.org/isc-projects/bind9/issues) and
 including your patch as an attachment, preferably generated by
 `git format-patch`.
 
-### <a name="build"/> Building BIND 9
+### <a name="features"/> BIND 9.16 features
 
-At a minimum, BIND requires a Unix or Linux system with an ANSI C compiler,
-basic POSIX support, and a 64-bit integer type. BIND also requires the
-`libuv` asynchronous I/O library, the `nghttp2` HTTP/2 library, and a
-cryptography provider library such as OpenSSL or a hardware service
-module supporting PKCS#11. On Linux, BIND requires the `libcap` library
-to set process privileges, though this requirement can be overridden by
-disabling capability support at compile time. See [Compile-time
-options](#opts) below for details on other libraries that may be
-required to support optional features.
+BIND 9.16 is the current stable branch of BIND 9. It includes all
+changes from the 9.15 development branch, updating the previous stable
+branch, 9.14. New features include:
+
+* New `dnssec-policy` statement to configure a key and signing policy
+  for zones, enabling automatic key regeneration and rollover.
+* New network manager based on `libuv`.
+* Added support for the new GeoIP2 geolocation API, `libmaxminddb`.
+* Improved DNSSEC trust anchor configuration using the `trust-anchors`
+  statement, permitting configuration of trust anchors in DS as well as
+  DNSKEY format.
+* YAML output for `dig`, `mdig`, and `delv`.
+
+### <a name="build"/> Building BIND
+
+Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
+basic POSIX support, and a 64-bit integer type.  BIND also requires the
+`libuv` asynchronous I/O library, and a cryptography provider library
+such as OpenSSL or a hardware service module supporting PKCS#11. On
+Linux, BIND requires the `libcap` library to set process privileges,
+though this requirement can be overridden by disabling capability
+support at compile time. See [Compile-time options](#opts) below
+for details on other libraries that may be required to support
+optional features.
 
 Successful builds have been observed on many versions of Linux and
-Unix, including RHEL/CentOS, Fedora, Debian, Ubuntu, SLES, openSUSE,
+UNIX, including RHEL/CentOS, Fedora, Debian, Ubuntu, SLES, openSUSE,
 Slackware, Alpine, FreeBSD, NetBSD, OpenBSD, macOS, Solaris,
 OpenIndiana, OmniOS CE, HP-UX, and OpenWRT.
 
-BIND 9 is also available for Windows Server 2012 R2 and higher. See
+BIND is also available for Windows Server 2012 R2 and higher.  See
 `win32utils/build.txt` for details on building for Windows
 systems.
 
-To build on a Unix or Linux system, use:
+To build on a UNIX or Linux system, use:
 
-		$ autoreconf -fi (if you are building in the git repository)
 		$ ./configure
 		$ make
 
-If you're using Emacs, you might find `make tags` helpful.
+If you're planning on making changes to the BIND 9 source, you should run
+`make depend`.  If you're using Emacs, you might find `make tags` helpful.
 
-Several environment variables, which can be set before running `configure`,
+Several environment variables that can be set before running `configure` will
 affect compilation.  Significant ones are:
 
 |Variable|Description |
 |--------------------|-----------------------------------------------|
 |`CC`|The C compiler to use.  `configure` tries to figure out the right one for supported systems.|
 |`CFLAGS`|C compiler flags.  Defaults to include -g and/or -O2 as supported by the compiler.  Please include '-g' if you need to set `CFLAGS`. |
+|`STD_CINCLUDES`|System header file directories.  Can be used to specify where add-on thread or IPv6 support is, for example.  Defaults to empty string.|
+|`STD_CDEFINES`|Any additional preprocessor symbols you want defined.  Defaults to empty string. For a list of possible settings, see the file [OPTIONS](OPTIONS.md).|
 |`LDFLAGS`|Linker flags. Defaults to empty string.|
+|`BUILD_CC`|Needed when cross-compiling: the native C compiler to use when building for the target system.|
+|`BUILD_CFLAGS`|`CFLAGS` for the target system during cross-compiling.|
+|`BUILD_CPPFLAGS`|`CPPFLAGS` for the target system during cross-compiling.|
+|`BUILD_LDFLAGS`|`LDFLAGS` for the target system during cross-compiling.|
+|`BUILD_LIBS`|`LIBS` for the target system during cross-compiling.|
 
 Additional environment variables affecting the build are listed at the
 end of the `configure` help text, which can be obtained by running the
@@ -170,32 +193,32 @@ command:
 
 #### <a name="macos"> macOS
 
-Building on macOS assumes that the "Command Tools for Xcode" are installed.
-These can be downloaded from
+Building on macOS assumes that the "Command Tools for Xcode" is installed.
+This can be downloaded from
 [https://developer.apple.com/download/more/](https://developer.apple.com/download/more/)
-or, if you have Xcode already installed, you can run `xcode-select --install`.
-(Note that an Apple ID may be required to access the download page.)
+or, if you have Xcode already installed, you can run `xcode-select
+--install`.  (Note that an Apple ID may be required to access the download
+page.)
 
-#### <a name="dependencies"> Dependencies
+### <a name="dependencies"/> Dependencies
 
-To build BIND you need to have the following packages installed:
-
-    libuv
-    pkg-config / pkgconfig / pkgconf
-
-To build BIND from the git repository, you need the following tools
-installed:
-
-    autoconf (includes autoreconf)
-    automake
-    libtool
+Portions of BIND that are written in Python, including
+`dnssec-keymgr`, `dnssec-coverage`, `dnssec-checkds`, and some of the
+system tests, require the `argparse`, `ply` and `distutils.core` modules
+to be available.
+`argparse` is a standard module as of Python 2.7 and Python 3.2.
+`ply` is available from [https://pypi.python.org/pypi/ply](https://pypi.python.org/pypi/ply).
+`distutils.core` is required for installation.
 
 #### <a name="opts"/> Compile-time options
 
 To see a full list of configuration options, run `configure --help`.
 
+To build shared libraries, specify `--with-libtool` on the `configure`
+command line.
+
 For the server to support DNSSEC, you need to build it with crypto support.
-To use OpenSSL, you should have OpenSSL 1.0.2e or newer installed. If the
+To use OpenSSL, you should have OpenSSL 1.0.2e or newer installed.  If the
 OpenSSL library is installed in a nonstandard location, specify the prefix
 using `--with-openssl=<PREFIX>` on the configure command line. To use a
 PKCS#11 hardware service module for cryptographic operations, specify the
@@ -208,15 +231,15 @@ least one of the following libraries: `libxml2`
 [https://github.com/json-c/json-c](https://github.com/json-c/json-c).
 If these are installed at a nonstandard location, then:
 
-* for `libxml2`, specify the prefix using `--with-libxml2=/prefix`.
+* for `libxml2`, specify the prefix using `--with-libxml2=/prefix`,
 * for `json-c`, adjust `PKG_CONFIG_PATH`.
 
 To support compression on the HTTP statistics channel, the server must be
-linked against `libzlib`. If this is installed in a nonstandard location,
+linked against `libzlib`.  If this is installed in a nonstandard location,
 specify the prefix using `--with-zlib=/prefix`.
 
 To support storing configuration data for runtime-added zones in an LMDB
-database, the server must be linked with `liblmdb`. If this is installed in a
+database, the server must be linked with liblmdb. If this is installed in a
 nonstandard location, specify the prefix using `with-lmdb=/prefix`.
 
 To support MaxMind GeoIP2 location-based ACLs, the server must be linked
@@ -233,8 +256,8 @@ and BIND must be configured with `--enable-dnstap`.
 
 Certain compiled-in constants and default settings can be decreased to
 values better suited to small machines, e.g. OpenWRT boxes, by specifying
-`--with-tuning=small` on the `configure` command line. This decreases
-memory usage by using smaller structures, but degrades performance.
+`--with-tuning=small` on the `configure` command line. This will decrease
+memory usage by using smaller structures, but will degrade performance.
 
 On Linux, process capabilities are managed in user space using
 the `libcap` library, which can be installed on most Linux systems via
@@ -247,54 +270,53 @@ to handle files bigger than 2GB.  This can be done by using
 
 Support for the "fixed" rrset-order option can be enabled or disabled by
 specifying `--enable-fixed-rrset` or `--disable-fixed-rrset` on the
-configure command line. By default, fixed rrset-order is disabled to
+configure command line.  By default, fixed rrset-order is disabled to
 reduce memory footprint.
 
 The `--enable-querytrace` option causes `named` to log every step of
-processing every query. The `--enable-singletrace` option turns on the
-same verbose tracing, but allows an individual query to be separately
-traced by setting its query ID to 0. These options should only be enabled
-when debugging, because they have a significant negative impact on query
-performance.
+processing every query. This should only be enabled when debugging, because
+it has a significant negative impact on query performance.
 
-`make install` installs `named` and the various BIND 9 libraries. By
+`make install` will install `named` and the various BIND 9 libraries.  By
 default, installation is into /usr/local, but this can be changed with the
 `--prefix` option when running `configure`.
 
 You may specify the option `--sysconfdir` to set the directory where
 configuration files like `named.conf` go by default, and `--localstatedir`
-to set the default parent directory of `run/named.pid`. `--sysconfdir`
+to set the default parent directory of `run/named.pid`.   `--sysconfdir`
 defaults to `$prefix/etc` and `--localstatedir` defaults to `$prefix/var`.
 
 ### <a name="testing"/> Automated testing
 
-A system test suite can be run with `make check`. The system tests require
+A system test suite can be run with `make test`.  The system tests require
 you to configure a set of virtual IP addresses on your system (this allows
-multiple servers to run locally and communicate with each other). These
+multiple servers to run locally and communicate with one another).  These
 IP addresses can be configured by running the command
 `bin/tests/system/ifconfig.sh up` as root.
 
 Some tests require Perl and the `Net::DNS` and/or `IO::Socket::INET6` modules,
-and are skipped if these are not available. Some tests require Python
-and the `dnspython` module and are skipped if these are not available.
+and will be skipped if these are not available. Some tests require Python
+and the `dnspython` module and will be skipped if these are not available.
 See bin/tests/system/README for further details.
 
-Unit tests are implemented using the CMocka unit testing framework. To build
-them, use `configure --with-cmocka`. Execution of tests is done by the automake
-parallel test driver; unit tests are also run by `make check`.
+Unit tests are implemented using the [CMocka unit testing framework](https://cmocka.org/).
+To build them, use `configure --with-cmocka`. Execution of tests is done
+by the [Kyua test execution engine](https://github.com/jmmv/kyua); if the
+`kyua` command is available, then unit tests can be run via `make test`
+or `make unit`.
 
 ### <a name="doc"/> Documentation
 
-The *BIND 9 Administrator Reference Manual* (ARM) is included with the source
-distribution, and in .rst format, in the `doc/arm`
-directory. HTML and PDF versions are automatically generated and can
-be viewed at [https://bind9.readthedocs.io/en/latest/index.html](https://bind9.readthedocs.io/en/latest/index.html).
+The *BIND 9 Administrator Reference Manual* is included with the source
+distribution, in DocBook XML, HTML, and PDF format, in the `doc/arm`
+directory.
 
-Man pages for some of the programs in the BIND 9 distribution
-are also included in the BIND ARM.
+Some of the programs in the BIND 9 distribution have man pages in their
+directories.  In particular, the command line options of `named` are
+documented in `bin/named/named.8`.
 
 Frequently (and not-so-frequently) asked questions and their answers
-can be found in the ISC Knowledgebase at
+can be found in the ISC Knowledge Base at
 [https://kb.isc.org](https://kb.isc.org).
 
 Additional information on various subjects can be found in other
@@ -303,8 +325,8 @@ Additional information on various subjects can be found in other
 ### <a name="changes"/> Change log
 
 A detailed list of all changes that have been made throughout the
-development of BIND 9 is included in the file CHANGES, with the most recent
-changes listed first. Change notes include tags indicating the category of
+development BIND 9 is included in the file CHANGES, with the most recent
+changes listed first.  Change notes include tags indicating the category of
 the change that was made; these categories are:
 
 |Category	|Description	        			|
@@ -322,12 +344,12 @@ the change that was made; these categories are:
 | [cleanup] | Minor corrections and refactoring |
 | [doc] | Documentation |
 | [contrib] | Changes to the contributed tools and libraries in the 'contrib' subdirectory |
-| [placeholder] | Used in the main development branch to reserve change numbers for use in other branches, e.g., when fixing a bug that only exists in older releases |
+| [placeholder] | Used in the master development branch to reserve change numbers for use in other branches, e.g. when fixing a bug that only exists in older releases |
 
-In general, [func] and [experimental] tags only appear in new-feature
-releases (i.e., those with version numbers ending in zero). Some new
+In general, [func] and [experimental] tags will only appear in new-feature
+releases (i.e., those with version numbers ending in zero).  Some new
 functionality may be backported to older releases on a case-by-case basis.
-All other change types may be applied to all currently supported releases.
+All other change types may be applied to all currently-supported releases.
 
 #### Bug report identifiers
 
@@ -337,7 +359,7 @@ and referred to entries in the "bind9-bugs" RT database, which was not open
 to the public. More recent entries use the form `[GL #NNN]` or, less often,
 `[GL !NNN]`, which, respectively, refer to issues or merge requests in the
 GitLab database. Most of these are publicly readable, unless they include
-information which is confidential or security-sensitive.
+information which is confidential or security sensitive.
 
 To look up a GitLab issue by its number, use the URL
 [https://gitlab.isc.org/isc-projects/bind9/issues/NNN](https://gitlab.isc.org/isc-projects/bind9/issues).
@@ -367,7 +389,7 @@ GitLab instance, which is not visible to the public.
 
 * This product includes software developed by the OpenSSL Project for use
   in the OpenSSL Toolkit.
-  [https://www.OpenSSL.org/](https://www.OpenSSL.org/)
+  [http://www.OpenSSL.org/](http://www.OpenSSL.org/)
 * This product includes cryptographic software written by Eric Young
-  (eay@cryptsoft.com).
-* This product includes software written by Tim Hudson (tjh@cryptsoft.com).
+  (eay@cryptsoft.com)
+* This product includes software written by Tim Hudson (tjh@cryptsoft.com)

aclocal.m4

@@ -0,0 +1,387 @@
+# generated automatically by aclocal 1.16.2 -*- Autoconf -*-
+
+# Copyright (C) 1996-2020 Free Software Foundation, Inc.
+
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+m4_ifndef([AC_CONFIG_MACRO_DIRS], [m4_defun([_AM_CONFIG_MACRO_DIRS], [])m4_defun([AC_CONFIG_MACRO_DIRS], [_AM_CONFIG_MACRO_DIRS($@)])])
+# pkg.m4 - Macros to locate and utilise pkg-config.   -*- Autoconf -*-
+# serial 12 (pkg-config-0.29.2)
+
+dnl Copyright © 2004 Scott James Remnant <scott@netsplit.com>.
+dnl Copyright © 2012-2015 Dan Nicholson <dbn.lists@gmail.com>
+dnl
+dnl This program is free software; you can redistribute it and/or modify
+dnl it under the terms of the GNU General Public License as published by
+dnl the Free Software Foundation; either version 2 of the License, or
+dnl (at your option) any later version.
+dnl
+dnl This program is distributed in the hope that it will be useful, but
+dnl WITHOUT ANY WARRANTY; without even the implied warranty of
+dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+dnl General Public License for more details.
+dnl
+dnl You should have received a copy of the GNU General Public License
+dnl along with this program; if not, write to the Free Software
+dnl Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+dnl 02111-1307, USA.
+dnl
+dnl As a special exception to the GNU General Public License, if you
+dnl distribute this file as part of a program that contains a
+dnl configuration script generated by Autoconf, you may include it under
+dnl the same distribution terms that you use for the rest of that
+dnl program.
+
+dnl PKG_PREREQ(MIN-VERSION)
+dnl -----------------------
+dnl Since: 0.29
+dnl
+dnl Verify that the version of the pkg-config macros are at least
+dnl MIN-VERSION. Unlike PKG_PROG_PKG_CONFIG, which checks the user's
+dnl installed version of pkg-config, this checks the developer's version
+dnl of pkg.m4 when generating configure.
+dnl
+dnl To ensure that this macro is defined, also add:
+dnl m4_ifndef([PKG_PREREQ],
+dnl     [m4_fatal([must install pkg-config 0.29 or later before running autoconf/autogen])])
+dnl
+dnl See the "Since" comment for each macro you use to see what version
+dnl of the macros you require.
+m4_defun([PKG_PREREQ],
+[m4_define([PKG_MACROS_VERSION], [0.29.2])
+m4_if(m4_version_compare(PKG_MACROS_VERSION, [$1]), -1,
+    [m4_fatal([pkg.m4 version $1 or higher is required but ]PKG_MACROS_VERSION[ found])])
+])dnl PKG_PREREQ
+
+dnl PKG_PROG_PKG_CONFIG([MIN-VERSION])
+dnl ----------------------------------
+dnl Since: 0.16
+dnl
+dnl Search for the pkg-config tool and set the PKG_CONFIG variable to
+dnl first found in the path. Checks that the version of pkg-config found
+dnl is at least MIN-VERSION. If MIN-VERSION is not specified, 0.9.0 is
+dnl used since that's the first version where most current features of
+dnl pkg-config existed.
+AC_DEFUN([PKG_PROG_PKG_CONFIG],
+[m4_pattern_forbid([^_?PKG_[A-Z_]+$])
+m4_pattern_allow([^PKG_CONFIG(_(PATH|LIBDIR|SYSROOT_DIR|ALLOW_SYSTEM_(CFLAGS|LIBS)))?$])
+m4_pattern_allow([^PKG_CONFIG_(DISABLE_UNINSTALLED|TOP_BUILD_DIR|DEBUG_SPEW)$])
+AC_ARG_VAR([PKG_CONFIG], [path to pkg-config utility])
+AC_ARG_VAR([PKG_CONFIG_PATH], [directories to add to pkg-config's search path])
+AC_ARG_VAR([PKG_CONFIG_LIBDIR], [path overriding pkg-config's built-in search path])
+
+if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then
+	AC_PATH_TOOL([PKG_CONFIG], [pkg-config])
+fi
+if test -n "$PKG_CONFIG"; then
+	_pkg_min_version=m4_default([$1], [0.9.0])
+	AC_MSG_CHECKING([pkg-config is at least version $_pkg_min_version])
+	if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then
+		AC_MSG_RESULT([yes])
+	else
+		AC_MSG_RESULT([no])
+		PKG_CONFIG=""
+	fi
+fi[]dnl
+])dnl PKG_PROG_PKG_CONFIG
+
+dnl PKG_CHECK_EXISTS(MODULES, [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND])
+dnl -------------------------------------------------------------------
+dnl Since: 0.18
+dnl
+dnl Check to see whether a particular set of modules exists. Similar to
+dnl PKG_CHECK_MODULES(), but does not set variables or print errors.
+dnl
+dnl Please remember that m4 expands AC_REQUIRE([PKG_PROG_PKG_CONFIG])
+dnl only at the first occurence in configure.ac, so if the first place
+dnl it's called might be skipped (such as if it is within an "if", you
+dnl have to call PKG_CHECK_EXISTS manually
+AC_DEFUN([PKG_CHECK_EXISTS],
+[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
+if test -n "$PKG_CONFIG" && \
+    AC_RUN_LOG([$PKG_CONFIG --exists --print-errors "$1"]); then
+  m4_default([$2], [:])
+m4_ifvaln([$3], [else
+  $3])dnl
+fi])
+
+dnl _PKG_CONFIG([VARIABLE], [COMMAND], [MODULES])
+dnl ---------------------------------------------
+dnl Internal wrapper calling pkg-config via PKG_CONFIG and setting
+dnl pkg_failed based on the result.
+m4_define([_PKG_CONFIG],
+[if test -n "$$1"; then
+    pkg_cv_[]$1="$$1"
+ elif test -n "$PKG_CONFIG"; then
+    PKG_CHECK_EXISTS([$3],
+                     [pkg_cv_[]$1=`$PKG_CONFIG --[]$2 "$3" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes ],
+		     [pkg_failed=yes])
+ else
+    pkg_failed=untried
+fi[]dnl
+])dnl _PKG_CONFIG
+
+dnl _PKG_SHORT_ERRORS_SUPPORTED
+dnl ---------------------------
+dnl Internal check to see if pkg-config supports short errors.
+AC_DEFUN([_PKG_SHORT_ERRORS_SUPPORTED],
+[AC_REQUIRE([PKG_PROG_PKG_CONFIG])
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
+else
+        _pkg_short_errors_supported=no
+fi[]dnl
+])dnl _PKG_SHORT_ERRORS_SUPPORTED
+
+
+dnl PKG_CHECK_MODULES(VARIABLE-PREFIX, MODULES, [ACTION-IF-FOUND],
+dnl   [ACTION-IF-NOT-FOUND])
+dnl --------------------------------------------------------------
+dnl Since: 0.4.0
+dnl
+dnl Note that if there is a possibility the first call to
+dnl PKG_CHECK_MODULES might not happen, you should be sure to include an
+dnl explicit call to PKG_PROG_PKG_CONFIG in your configure.ac
+AC_DEFUN([PKG_CHECK_MODULES],
+[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
+AC_ARG_VAR([$1][_CFLAGS], [C compiler flags for $1, overriding pkg-config])dnl
+AC_ARG_VAR([$1][_LIBS], [linker flags for $1, overriding pkg-config])dnl
+
+pkg_failed=no
+AC_MSG_CHECKING([for $2])
+
+_PKG_CONFIG([$1][_CFLAGS], [cflags], [$2])
+_PKG_CONFIG([$1][_LIBS], [libs], [$2])
+
+m4_define([_PKG_TEXT], [Alternatively, you may set the environment variables $1[]_CFLAGS
+and $1[]_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.])
+
+if test $pkg_failed = yes; then
+        AC_MSG_RESULT([no])
+        _PKG_SHORT_ERRORS_SUPPORTED
+        if test $_pkg_short_errors_supported = yes; then
+	        $1[]_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "$2" 2>&1`
+        else
+	        $1[]_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "$2" 2>&1`
+        fi
+	# Put the nasty error message in config.log where it belongs
+	echo "$$1[]_PKG_ERRORS" >&AS_MESSAGE_LOG_FD
+
+	m4_default([$4], [AC_MSG_ERROR(
+[Package requirements ($2) were not met:
+
+$$1_PKG_ERRORS
+
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
+
+_PKG_TEXT])[]dnl
+        ])
+elif test $pkg_failed = untried; then
+        AC_MSG_RESULT([no])
+	m4_default([$4], [AC_MSG_FAILURE(
+[The pkg-config script could not be found or is too old.  Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
+
+_PKG_TEXT
+
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.])[]dnl
+        ])
+else
+	$1[]_CFLAGS=$pkg_cv_[]$1[]_CFLAGS
+	$1[]_LIBS=$pkg_cv_[]$1[]_LIBS
+        AC_MSG_RESULT([yes])
+	$3
+fi[]dnl
+])dnl PKG_CHECK_MODULES
+
+
+dnl PKG_CHECK_MODULES_STATIC(VARIABLE-PREFIX, MODULES, [ACTION-IF-FOUND],
+dnl   [ACTION-IF-NOT-FOUND])
+dnl ---------------------------------------------------------------------
+dnl Since: 0.29
+dnl
+dnl Checks for existence of MODULES and gathers its build flags with
+dnl static libraries enabled. Sets VARIABLE-PREFIX_CFLAGS from --cflags
+dnl and VARIABLE-PREFIX_LIBS from --libs.
+dnl
+dnl Note that if there is a possibility the first call to
+dnl PKG_CHECK_MODULES_STATIC might not happen, you should be sure to
+dnl include an explicit call to PKG_PROG_PKG_CONFIG in your
+dnl configure.ac.
+AC_DEFUN([PKG_CHECK_MODULES_STATIC],
+[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
+_save_PKG_CONFIG=$PKG_CONFIG
+PKG_CONFIG="$PKG_CONFIG --static"
+PKG_CHECK_MODULES($@)
+PKG_CONFIG=$_save_PKG_CONFIG[]dnl
+])dnl PKG_CHECK_MODULES_STATIC
+
+
+dnl PKG_INSTALLDIR([DIRECTORY])
+dnl -------------------------
+dnl Since: 0.27
+dnl
+dnl Substitutes the variable pkgconfigdir as the location where a module
+dnl should install pkg-config .pc files. By default the directory is
+dnl $libdir/pkgconfig, but the default can be changed by passing
+dnl DIRECTORY. The user can override through the --with-pkgconfigdir
+dnl parameter.
+AC_DEFUN([PKG_INSTALLDIR],
+[m4_pushdef([pkg_default], [m4_default([$1], ['${libdir}/pkgconfig'])])
+m4_pushdef([pkg_description],
+    [pkg-config installation directory @<:@]pkg_default[@:>@])
+AC_ARG_WITH([pkgconfigdir],
+    [AS_HELP_STRING([--with-pkgconfigdir], pkg_description)],,
+    [with_pkgconfigdir=]pkg_default)
+AC_SUBST([pkgconfigdir], [$with_pkgconfigdir])
+m4_popdef([pkg_default])
+m4_popdef([pkg_description])
+])dnl PKG_INSTALLDIR
+
+
+dnl PKG_NOARCH_INSTALLDIR([DIRECTORY])
+dnl --------------------------------
+dnl Since: 0.27
+dnl
+dnl Substitutes the variable noarch_pkgconfigdir as the location where a
+dnl module should install arch-independent pkg-config .pc files. By
+dnl default the directory is $datadir/pkgconfig, but the default can be
+dnl changed by passing DIRECTORY. The user can override through the
+dnl --with-noarch-pkgconfigdir parameter.
+AC_DEFUN([PKG_NOARCH_INSTALLDIR],
+[m4_pushdef([pkg_default], [m4_default([$1], ['${datadir}/pkgconfig'])])
+m4_pushdef([pkg_description],
+    [pkg-config arch-independent installation directory @<:@]pkg_default[@:>@])
+AC_ARG_WITH([noarch-pkgconfigdir],
+    [AS_HELP_STRING([--with-noarch-pkgconfigdir], pkg_description)],,
+    [with_noarch_pkgconfigdir=]pkg_default)
+AC_SUBST([noarch_pkgconfigdir], [$with_noarch_pkgconfigdir])
+m4_popdef([pkg_default])
+m4_popdef([pkg_description])
+])dnl PKG_NOARCH_INSTALLDIR
+
+
+dnl PKG_CHECK_VAR(VARIABLE, MODULE, CONFIG-VARIABLE,
+dnl [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND])
+dnl -------------------------------------------
+dnl Since: 0.28
+dnl
+dnl Retrieves the value of the pkg-config variable for the given module.
+AC_DEFUN([PKG_CHECK_VAR],
+[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
+AC_ARG_VAR([$1], [value of $3 for $2, overriding pkg-config])dnl
+
+_PKG_CONFIG([$1], [variable="][$3]["], [$2])
+AS_VAR_COPY([$1], [pkg_cv_][$1])
+
+AS_VAR_IF([$1], [""], [$5], [$4])dnl
+])dnl PKG_CHECK_VAR
+
+# AM_CONDITIONAL                                            -*- Autoconf -*-
+
+# Copyright (C) 1997-2020 Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# AM_CONDITIONAL(NAME, SHELL-CONDITION)
+# -------------------------------------
+# Define a conditional.
+AC_DEFUN([AM_CONDITIONAL],
+[AC_PREREQ([2.52])dnl
+ m4_if([$1], [TRUE],  [AC_FATAL([$0: invalid condition: $1])],
+       [$1], [FALSE], [AC_FATAL([$0: invalid condition: $1])])dnl
+AC_SUBST([$1_TRUE])dnl
+AC_SUBST([$1_FALSE])dnl
+_AM_SUBST_NOTMAKE([$1_TRUE])dnl
+_AM_SUBST_NOTMAKE([$1_FALSE])dnl
+m4_define([_AM_COND_VALUE_$1], [$2])dnl
+if $2; then
+  $1_TRUE=
+  $1_FALSE='#'
+else
+  $1_TRUE='#'
+  $1_FALSE=
+fi
+AC_CONFIG_COMMANDS_PRE(
+[if test -z "${$1_TRUE}" && test -z "${$1_FALSE}"; then
+  AC_MSG_ERROR([[conditional "$1" was never defined.
+Usually this means the macro was only invoked conditionally.]])
+fi])])
+
+# Add --enable-maintainer-mode option to configure.         -*- Autoconf -*-
+# From Jim Meyering
+
+# Copyright (C) 1996-2020 Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# AM_MAINTAINER_MODE([DEFAULT-MODE])
+# ----------------------------------
+# Control maintainer-specific portions of Makefiles.
+# Default is to disable them, unless 'enable' is passed literally.
+# For symmetry, 'disable' may be passed as well.  Anyway, the user
+# can override the default with the --enable/--disable switch.
+AC_DEFUN([AM_MAINTAINER_MODE],
+[m4_case(m4_default([$1], [disable]),
+       [enable], [m4_define([am_maintainer_other], [disable])],
+       [disable], [m4_define([am_maintainer_other], [enable])],
+       [m4_define([am_maintainer_other], [enable])
+        m4_warn([syntax], [unexpected argument to AM@&t@_MAINTAINER_MODE: $1])])
+AC_MSG_CHECKING([whether to enable maintainer-specific portions of Makefiles])
+  dnl maintainer-mode's default is 'disable' unless 'enable' is passed
+  AC_ARG_ENABLE([maintainer-mode],
+    [AS_HELP_STRING([--]am_maintainer_other[-maintainer-mode],
+      am_maintainer_other[ make rules and dependencies not useful
+      (and sometimes confusing) to the casual installer])],
+    [USE_MAINTAINER_MODE=$enableval],
+    [USE_MAINTAINER_MODE=]m4_if(am_maintainer_other, [enable], [no], [yes]))
+  AC_MSG_RESULT([$USE_MAINTAINER_MODE])
+  AM_CONDITIONAL([MAINTAINER_MODE], [test $USE_MAINTAINER_MODE = yes])
+  MAINT=$MAINTAINER_MODE_TRUE
+  AC_SUBST([MAINT])dnl
+]
+)
+
+# Copyright (C) 2006-2020 Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# _AM_SUBST_NOTMAKE(VARIABLE)
+# ---------------------------
+# Prevent Automake from outputting VARIABLE = @VARIABLE@ in Makefile.in.
+# This macro is traced by Automake.
+AC_DEFUN([_AM_SUBST_NOTMAKE])
+
+# AM_SUBST_NOTMAKE(VARIABLE)
+# --------------------------
+# Public sister of _AM_SUBST_NOTMAKE.
+AC_DEFUN([AM_SUBST_NOTMAKE], [_AM_SUBST_NOTMAKE($@)])
+
+m4_include([m4/ax_check_compile_flag.m4])
+m4_include([m4/ax_check_openssl.m4])
+m4_include([m4/ax_posix_shell.m4])
+m4_include([m4/ax_pthread.m4])
+m4_include([m4/ax_restore_flags.m4])
+m4_include([m4/ax_save_flags.m4])
+m4_include([m4/libtool.m4])
+m4_include([m4/ltoptions.m4])
+m4_include([m4/ltsugar.m4])
+m4_include([m4/ltversion.m4])
+m4_include([m4/lt~obsolete.m4])

autogen.sh

@@ -4,11 +4,10 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
-. ../conf.sh
-
-copy_setports ns1/named.conf.in ns1/named.conf
+# Run this script after modifying configure.in to generate configure
+autoreconf -f -i

bin/Makefile.am

@@ -1,5 +0,0 @@
-SUBDIRS = named rndc dig delv dnssec tools nsupdate check confgen tests plugins
-
-if HAVE_PKCS11
-SUBDIRS += pkcs11
-endif

bin/Makefile.in

@@ -0,0 +1,18 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	named rndc dig delv dnssec tools nsupdate check confgen \
+		@NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ plugins tests
+TARGETS =
+
+@BIND9_MAKE_RULES@

bin/check/Makefile.am

@@ -1,34 +0,0 @@
-include $(top_srcdir)/Makefile.top
-
-AM_CPPFLAGS +=			\
-	$(LIBISC_CFLAGS)	\
-	$(LIBDNS_CFLAGS)	\
-	$(LIBNS_CFLAGS)		\
-	$(LIBISCCFG_CFLAGS)	\
-	$(LIBBIND9_CFLAGS)
-
-AM_CPPFLAGS +=						\
-	-DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
-
-noinst_LTLIBRARIES = libcheck-tool.la
-
-libcheck_tool_la_SOURCES =	\
-	check-tool.h		\
-	check-tool.c
-
-LDADD =				\
-	libcheck-tool.la	\
-	$(LIBISC_LIBS)		\
-	$(LIBDNS_LIBS)		\
-	$(LIBNS_LIBS)		\
-	$(LIBISCCFG_LIBS)	\
-	$(LIBBIND9_LIBS)
-
-bin_PROGRAMS = named-checkconf named-checkzone
-
-install-exec-hook:
-	ln -f $(DESTDIR)$(bindir)/named-checkzone \
-	      $(DESTDIR)$(bindir)/named-compilezone
-
-uninstall-hook:
-	-rm -f $(DESTDIR)$(bindir)/named-compilezone

bin/check/Makefile.in

@@ -0,0 +1,87 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	${NS_INCLUDES} ${BIND9_INCLUDES} ${DNS_INCLUDES} ${ISCCFG_INCLUDES} \
+		${ISC_INCLUDES} \
+		${OPENSSL_CFLAGS}
+
+CDEFINES = 	-DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
+CWARNINGS =
+
+DNSLIBS =	../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
+ISCLIBS =	../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@
+BIND9LIBS =	../../lib/bind9/libbind9.@A@
+NSLIBS =	../../lib/ns/libns.@A@
+
+DNSDEPLIBS =	../../lib/dns/libdns.@A@
+ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@
+ISCDEPLIBS =	../../lib/isc/libisc.@A@
+BIND9DEPLIBS =	../../lib/bind9/libbind9.@A@
+NSDEPENDLIBS =	../../lib/ns/libns.@A@
+
+LIBS =		${ISCLIBS} @LIBS@
+NOSYMLIBS =	${ISCNOSYMLIBS} @LIBS@
+
+SUBDIRS =
+
+# Alphabetically
+TARGETS =	named-checkconf@EXEEXT@ named-checkzone@EXEEXT@
+
+# Alphabetically
+SRCS =		named-checkconf.c named-checkzone.c check-tool.c
+
+@BIND9_MAKE_RULES@
+
+named-checkconf.@O@: named-checkconf.c
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+		-DVERSION=\"${VERSION}\" \
+		-c ${srcdir}/named-checkconf.c
+
+named-checkzone.@O@: named-checkzone.c
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+		-DVERSION=\"${VERSION}\" \
+		-c ${srcdir}/named-checkzone.c
+
+named-checkconf@EXEEXT@: named-checkconf.@O@ check-tool.@O@ ${ISCDEPLIBS} \
+		${NSDEPENDLIBS} ${DNSDEPLIBS} ${ISCCFGDEPLIBS} ${BIND9DEPLIBS}
+	export BASEOBJS="named-checkconf.@O@ check-tool.@O@"; \
+	export LIBS0="${BIND9LIBS} ${NSLIBS} ${ISCCFGLIBS} ${DNSLIBS}"; \
+	${FINALBUILDCMD}
+
+named-checkzone@EXEEXT@: named-checkzone.@O@ check-tool.@O@ ${ISCDEPLIBS} \
+		${NSDEPENDLIBS} ${DNSDEPLIBS}
+	export BASEOBJS="named-checkzone.@O@ check-tool.@O@"; \
+	export LIBS0="${NSLIBS} ${ISCCFGLIBS} ${DNSLIBS}"; \
+	${FINALBUILDCMD}
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
+
+install:: named-checkconf@EXEEXT@ named-checkzone@EXEEXT@ installdirs
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkconf@EXEEXT@ ${DESTDIR}${sbindir}
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkzone@EXEEXT@ ${DESTDIR}${sbindir}
+	(cd ${DESTDIR}${sbindir}; rm -f named-compilezone@EXEEXT@; ${LINK_PROGRAM} named-checkzone@EXEEXT@ named-compilezone@EXEEXT@)
+
+uninstall::
+	rm -f ${DESTDIR}${sbindir}/named-compilezone@EXEEXT@
+	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-checkconf@EXEEXT@
+	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-checkzone@EXEEXT@
+
+clean distclean::
+	rm -f ${TARGETS} r1.htm

bin/check/check-tool.c

@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -695,13 +695,8 @@ load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
 	CHECK(dns_name_fromtext(origin, &buffer, dns_rootname, 0, NULL));
 	CHECK(dns_zone_setorigin(zone, origin));
 	dns_zone_setdbtype(zone, 1, (const char *const *)dbtype);
-	if (strcmp(filename, "-") == 0) {
-		CHECK(dns_zone_setstream(zone, stdin, fileformat,
-					 &dns_master_style_default));
-	} else {
-		CHECK(dns_zone_setfile(zone, filename, fileformat,
-				       &dns_master_style_default));
-	}
+	CHECK(dns_zone_setfile(zone, filename, fileformat,
+			       &dns_master_style_default));
 	if (journal != NULL) {
 		CHECK(dns_zone_setjournal(zone, journal));
 	}

bin/check/check-tool.h

@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.

bin/check/named-checkconf.c

@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -16,7 +16,6 @@
 #include <stdio.h>
 #include <stdlib.h>
 
-#include <isc/attributes.h>
 #include <isc/commandline.h>
 #include <isc/dir.h>
 #include <isc/hash.h>
@@ -57,8 +56,8 @@ isc_log_t *logc = NULL;
 	} while (0)
 
 /*% usage */
-ISC_NORETURN static void
-usage(void);
+ISC_PLATFORM_NORETURN_PRE static void
+usage(void) ISC_PLATFORM_NORETURN_POST;
 
 static void
 usage(void) {
@@ -185,7 +184,7 @@ configure_zone(const char *vclass, const char *view, const cfg_obj_t *zconfig,
 	const char *zname;
 	const char *zfile = NULL;
 	const cfg_obj_t *maps[4];
-	const cfg_obj_t *primariesobj = NULL;
+	const cfg_obj_t *mastersobj = NULL;
 	const cfg_obj_t *inviewobj = NULL;
 	const cfg_obj_t *zoptions = NULL;
 	const cfg_obj_t *classobj = NULL;
@@ -279,12 +278,8 @@ configure_zone(const char *vclass, const char *view, const cfg_obj_t *zconfig,
 	 * Is the redirect zone configured as a slave?
 	 */
 	if (strcasecmp(cfg_obj_asstring(typeobj), "redirect") == 0) {
-		cfg_map_get(zoptions, "primaries", &primariesobj);
-		if (primariesobj == NULL) {
-			cfg_map_get(zoptions, "masters", &primariesobj);
-		}
-
-		if (primariesobj != NULL) {
+		cfg_map_get(zoptions, "masters", &mastersobj);
+		if (mastersobj != NULL) {
 			return (ISC_R_SUCCESS);
 		}
 	}
@@ -665,7 +660,7 @@ main(int argc, char **argv) {
 			break;
 
 		case 'v':
-			printf("%s\n", PACKAGE_VERSION);
+			printf(VERSION "\n");
 			exit(0);
 
 		case 'x':

bin/check/named-checkconf.rst

@@ -3,7 +3,7 @@
    
    This Source Code Form is subject to the terms of the Mozilla Public
    License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, you can obtain one at https://mozilla.org/MPL/2.0/.
+   file, You can obtain one at http://mozilla.org/MPL/2.0/.
    
    See the COPYRIGHT file distributed with this work for additional
    information regarding copyright ownership.
@@ -35,62 +35,62 @@ Description
 ~~~~~~~~~~~
 
 ``named-checkconf`` checks the syntax, but not the semantics, of a
-``named`` configuration file. The file, along with all files included by it, is parsed and checked for syntax
-errors. If no file is specified,
+``named`` configuration file. The file is parsed and checked for syntax
+errors, along with all files included by it. If no file is specified,
 ``/etc/named.conf`` is read by default.
 
 Note: files that ``named`` reads in separate parser contexts, such as
 ``rndc.key`` and ``bind.keys``, are not automatically read by
 ``named-checkconf``. Configuration errors in these files may cause
 ``named`` to fail to run, even if ``named-checkconf`` was successful.
-However, ``named-checkconf`` can be run on these files explicitly.
+``named-checkconf`` can be run on these files explicitly, however.
 
 Options
 ~~~~~~~
 
-``-h``
-   This option prints the usage summary and exits.
+**-h**
+   Print the usage summary and exit.
 
-``-j``
-   When loading a zonefile, this option instructs ``named`` to read the journal if it exists.
+**-j**
+   When loading a zonefile read the journal if it exists.
 
-``-l``
-   This option lists all the configured zones. Each line of output contains the zone
-   name, class (e.g. IN), view, and type (e.g. primary or secondary).
+**-l**
+   List all the configured zones. Each line of output contains the zone
+   name, class (e.g. IN), view, and type (e.g. master or slave).
 
-``-c``
-   This option specifies that only the "core" configuration should be checked. This suppresses the loading of
+**-c**
+   Check "core" configuration only. This suppresses the loading of
    plugin modules, and causes all parameters to ``plugin`` statements to
    be ignored.
 
-``-i``
-   This option ignores warnings on deprecated options.
+**-i**
+   Ignore warnings on deprecated options.
 
-``-p``
-   This option prints out the ``named.conf`` and included files in canonical form if
+**-p**
+   Print out the ``named.conf`` and included files in canonical form if
    no errors were detected. See also the ``-x`` option.
 
-``-t directory``
-   This option instructs ``named`` to chroot to ``directory``, so that ``include`` directives in the
+**-t** directory
+   Chroot to ``directory`` so that include directives in the
    configuration file are processed as if run by a similarly chrooted
    ``named``.
 
-``-v``
-   This option prints the version of the ``named-checkconf`` program and exits.
+**-v**
+   Print the version of the ``named-checkconf`` program and exit.
 
-``-x``
-   When printing the configuration files in canonical form, this option obscures
+**-x**
+   When printing the configuration files in canonical form, obscure
    shared secrets by replacing them with strings of question marks
-   (``?``). This allows the contents of ``named.conf`` and related files
-   to be shared - for example, when submitting bug reports -
+   ('?'). This allows the contents of ``named.conf`` and related files
+   to be shared MDASH for example, when submitting bug reports MDASH
    without compromising private data. This option cannot be used without
    ``-p``.
 
-``-z``
-   This option performs a test load of all zones of type ``primary`` found in ``named.conf``.
+**-z**
+   Perform a test load of all master zones found in ``named.conf``.
 
-``filename``
-   This indicates the name of the configuration file to be checked. If not specified,
+filename
+   The name of the configuration file to be checked. If not specified,
    it defaults to ``/etc/named.conf``.
 
 Return Values

bin/check/named-checkzone.c

@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -16,10 +16,8 @@
 #include <stdlib.h>
 
 #include <isc/app.h>
-#include <isc/attributes.h>
 #include <isc/commandline.h>
 #include <isc/dir.h>
-#include <isc/file.h>
 #include <isc/hash.h>
 #include <isc/log.h>
 #include <isc/mem.h>
@@ -64,8 +62,8 @@ static enum { progmode_check, progmode_compile } progmode;
 		}                                                             \
 	} while (0)
 
-ISC_NORETURN static void
-usage(void);
+ISC_PLATFORM_NORETURN_PRE static void
+usage(void) ISC_PLATFORM_NORETURN_POST;
 
 static void
 usage(void) {
@@ -78,7 +76,7 @@ usage(void) {
 		"[-i (full|full-sibling|local|local-sibling|none)] "
 		"[-M (ignore|warn|fail)] [-S (ignore|warn|fail)] "
 		"[-W (ignore|warn)] "
-		"%s zonename [ (filename|-) ]\n",
+		"%s zonename filename\n",
 		prog_name,
 		progmode == progmode_check ? "[-o filename]" : "-o filename");
 	exit(1);
@@ -96,7 +94,7 @@ int
 main(int argc, char **argv) {
 	int c;
 	char *origin = NULL;
-	const char *filename = NULL;
+	char *filename = NULL;
 	isc_log_t *lctx = NULL;
 	isc_result_t result;
 	char classname_in[] = "IN";
@@ -355,7 +353,7 @@ main(int argc, char **argv) {
 			break;
 
 		case 'v':
-			printf("%s\n", PACKAGE_VERSION);
+			printf(VERSION "\n");
 			exit(0);
 
 		case 'w':
@@ -514,8 +512,7 @@ main(int argc, char **argv) {
 		logdump = false;
 	}
 
-	if (argc - isc_commandline_index < 1 ||
-	    argc - isc_commandline_index > 2) {
+	if (isc_commandline_index + 2 != argc) {
 		usage();
 	}
 
@@ -532,16 +529,7 @@ main(int argc, char **argv) {
 	dns_result_register();
 
 	origin = argv[isc_commandline_index++];
-
-	if (isc_commandline_index == argc) {
-		/* "-" will be interpreted as stdin */
-		filename = "-";
-	} else {
-		filename = argv[isc_commandline_index];
-	}
-
-	isc_commandline_index++;
-
+	filename = argv[isc_commandline_index++];
 	result = load_zone(mctx, origin, filename, inputformat, classname,
 			   maxttl, &zone);
 
@@ -575,6 +563,5 @@ main(int argc, char **argv) {
 #ifdef _WIN32
 	DestroySockets();
 #endif /* ifdef _WIN32 */
-
 	return ((result == ISC_R_SUCCESS) ? 0 : 1);
 }

bin/check/named-checkzone.rst

@@ -3,7 +3,7 @@
    
    This Source Code Form is subject to the terms of the Mozilla Public
    License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, you can obtain one at https://mozilla.org/MPL/2.0/.
+   file, You can obtain one at http://mozilla.org/MPL/2.0/.
    
    See the COPYRIGHT file distributed with this work for additional
    information regarding copyright ownership.
@@ -21,6 +21,8 @@
 
 .. highlight: console
 
+.. _man_named-checkzone:
+
 named-checkzone, named-compilezone - zone file validity checking or converting tool
 -----------------------------------------------------------------------------------
 
@@ -41,164 +43,163 @@ configuring them into a name server.
 
 ``named-compilezone`` is similar to ``named-checkzone``, but it always
 dumps the zone contents to a specified file in a specified format.
-It also applies stricter check levels by default, since the
-dump output is used as an actual zone file loaded by ``named``.
+Additionally, it applies stricter check levels by default, since the
+dump output will be used as an actual zone file loaded by ``named``.
 When manually specified otherwise, the check levels must at least be as
 strict as those specified in the ``named`` configuration file.
 
 Options
 ~~~~~~~
 
-``-d``
-   This option enables debugging.
+**-d**
+   Enable debugging.
 
-``-h``
-   This option prints the usage summary and exits.
+**-h**
+   Print the usage summary and exit.
 
-``-q``
-   This option sets quiet mode, which only sets an exit code to indicate
-   successful or failed completion.
+**-q**
+   Quiet mode - exit code only.
 
-``-v``
-   This option prints the version of the ``named-checkzone`` program and exits.
+**-v**
+   Print the version of the ``named-checkzone`` program and exit.
 
-``-j``
-   When loading a zone file, this option tells ``named`` to read the journal if it exists. The journal
-   file name is assumed to be the zone file name with the
-   string ``.jnl`` appended.
+**-j**
+   When loading a zone file, read the journal if it exists. The journal
+   file name is assumed to be the zone file name appended with the
+   string ``.jnl``.
 
-``-J filename``
-   When loading the zone file, this option tells ``named`` to read the journal from the given file, if
-   it exists. This implies ``-j``.
+**-J** filename
+   When loading the zone file read the journal from the given file, if
+   it exists. (Implies -j.)
 
-``-c class``
-   This option specifies the class of the zone. If not specified, ``IN`` is assumed.
+**-c** class
+   Specify the class of the zone. If not specified, "IN" is assumed.
 
-``-i mode``
-   This option performs post-load zone integrity checks. Possible modes are
-   ``full`` (the default), ``full-sibling``, ``local``,
-   ``local-sibling``, and ``none``.
+**-i** mode
+   Perform post-load zone integrity checks. Possible modes are
+   ``"full"`` (default), ``"full-sibling"``, ``"local"``,
+   ``"local-sibling"`` and ``"none"``.
 
-   Mode ``full`` checks that MX records refer to A or AAAA records
-   (both in-zone and out-of-zone hostnames). Mode ``local`` only
+   Mode ``"full"`` checks that MX records refer to A or AAAA record
+   (both in-zone and out-of-zone hostnames). Mode ``"local"`` only
    checks MX records which refer to in-zone hostnames.
 
-   Mode ``full`` checks that SRV records refer to A or AAAA records
-   (both in-zone and out-of-zone hostnames). Mode ``local`` only
+   Mode ``"full"`` checks that SRV records refer to A or AAAA record
+   (both in-zone and out-of-zone hostnames). Mode ``"local"`` only
    checks SRV records which refer to in-zone hostnames.
 
-   Mode ``full`` checks that delegation NS records refer to A or AAAA
-   records (both in-zone and out-of-zone hostnames). It also checks that
+   Mode ``"full"`` checks that delegation NS records refer to A or AAAA
+   record (both in-zone and out-of-zone hostnames). It also checks that
    glue address records in the zone match those advertised by the child.
-   Mode ``local`` only checks NS records which refer to in-zone
-   hostnames or verifies that some required glue exists, i.e., when the
-   name server is in a child zone.
+   Mode ``"local"`` only checks NS records which refer to in-zone
+   hostnames or that some required glue exists, that is when the
+   nameserver is in a child zone.
 
-   Modes ``full-sibling`` and ``local-sibling`` disable sibling glue
-   checks, but are otherwise the same as ``full`` and ``local``,
+   Mode ``"full-sibling"`` and ``"local-sibling"`` disable sibling glue
+   checks but are otherwise the same as ``"full"`` and ``"local"``
    respectively.
 
-   Mode ``none`` disables the checks.
+   Mode ``"none"`` disables the checks.
 
-``-f format``
-   This option specifies the format of the zone file. Possible formats are ``text``
-   (the default), ``raw``, and ``map``.
+**-f** format
+   Specify the format of the zone file. Possible formats are ``"text"``
+   (default), ``"raw"``, and ``"map"``.
 
-``-F format``
-   This option specifies the format of the output file specified. For
-   ``named-checkzone``, this does not have any effect unless it dumps
+**-F** format
+   Specify the format of the output file specified. For
+   ``named-checkzone``, this does not cause any effects unless it dumps
    the zone contents.
 
-   Possible formats are ``text`` (the default), which is the standard
-   textual representation of the zone, and ``map``, ``raw``, and
-   ``raw=N``, which store the zone in a binary format for rapid
-   loading by ``named``. ``raw=N`` specifies the format version of the
-   raw zone file: if ``N`` is 0, the raw file can be read by any version of
-   ``named``; if N is 1, the file can only be read by release 9.9.0 or
-   higher. The default is 1.
+   Possible formats are ``"text"`` (default), which is the standard
+   textual representation of the zone, and ``"map"``, ``"raw"``, and
+   ``"raw=N"``, which store the zone in a binary format for rapid
+   loading by ``named``. ``"raw=N"`` specifies the format version of the
+   raw zone file: if N is 0, the raw file can be read by any version of
+   ``named``; if N is 1, the file can be read by release 9.9.0 or
+   higher; the default is 1.
 
-``-k mode``
-   This option performs ``check-names`` checks with the specified failure mode.
-   Possible modes are ``fail`` (the default for ``named-compilezone``),
-   ``warn`` (the default for ``named-checkzone``), and ``ignore``.
+**-k** mode
+   Perform ``"check-names"`` checks with the specified failure mode.
+   Possible modes are ``"fail"`` (default for ``named-compilezone``),
+   ``"warn"`` (default for ``named-checkzone``) and ``"ignore"``.
 
-``-l ttl``
-   This option sets a maximum permissible TTL for the input file. Any record with a
-   TTL higher than this value causes the zone to be rejected. This
+**-l** ttl
+   Sets a maximum permissible TTL for the input file. Any record with a
+   TTL higher than this value will cause the zone to be rejected. This
    is similar to using the ``max-zone-ttl`` option in ``named.conf``.
 
-``-L serial``
-   When compiling a zone to ``raw`` or ``map`` format, this option sets the "source
-   serial" value in the header to the specified serial number. This is
-   expected to be used primarily for testing purposes.
+**-L** serial
+   When compiling a zone to "raw" or "map" format, set the "source
+   serial" value in the header to the specified serial number. (This is
+   expected to be used primarily for testing purposes.)
 
-``-m mode``
-   This option specifies whether MX records should be checked to see if they are
-   addresses. Possible modes are ``fail``, ``warn`` (the default), and
-   ``ignore``.
+**-m** mode
+   Specify whether MX records should be checked to see if they are
+   addresses. Possible modes are ``"fail"``, ``"warn"`` (default) and
+   ``"ignore"``.
 
-``-M mode``
-   This option checks whether a MX record refers to a CNAME. Possible modes are
-   ``fail``, ``warn`` (the default), and ``ignore``.
+**-M** mode
+   Check if a MX record refers to a CNAME. Possible modes are
+   ``"fail"``, ``"warn"`` (default) and ``"ignore"``.
 
-``-n mode``
-   This option specifies whether NS records should be checked to see if they are
-   addresses. Possible modes are ``fail`` (the default for
-   ``named-compilezone``), ``warn`` (the default for ``named-checkzone``),
-   and ``ignore``.
+**-n** mode
+   Specify whether NS records should be checked to see if they are
+   addresses. Possible modes are ``"fail"`` (default for
+   ``named-compilezone``), ``"warn"`` (default for ``named-checkzone``)
+   and ``"ignore"``.
 
-``-o filename``
-   This option writes the zone output to ``filename``. If ``filename`` is ``-``, then
-   the zone output is written to standard output. This is mandatory for ``named-compilezone``.
+**-o** filename
+   Write zone output to ``filename``. If ``filename`` is ``-`` then
+   write to standard out. This is mandatory for ``named-compilezone``.
 
-``-r mode``
-   This option checks for records that are treated as different by DNSSEC but are
-   semantically equal in plain DNS. Possible modes are ``fail``,
-   ``warn`` (the default), and ``ignore``.
+**-r** mode
+   Check for records that are treated as different by DNSSEC but are
+   semantically equal in plain DNS. Possible modes are ``"fail"``,
+   ``"warn"`` (default) and ``"ignore"``.
 
-``-s style``
-   This option specifies the style of the dumped zone file. Possible styles are
-   ``full`` (the default) and ``relative``. The ``full`` format is most
-   suitable for processing automatically by a separate script.
-   The relative format is more human-readable and is thus
-   suitable for editing by hand. For ``named-checkzone``, this does not
-   have any effect unless it dumps the zone contents. It also does not
+**-s** style
+   Specify the style of the dumped zone file. Possible styles are
+   ``"full"`` (default) and ``"relative"``. The full format is most
+   suitable for processing automatically by a separate script. On the
+   other hand, the relative format is more human-readable and is thus
+   suitable for editing by hand. For ``named-checkzone`` this does not
+   cause any effects unless it dumps the zone contents. It also does not
    have any meaning if the output format is not text.
 
-``-S mode``
-   This option checks whether an SRV record refers to a CNAME. Possible modes are
-   ``fail``, ``warn`` (the default), and ``ignore``.
+**-S** mode
+   Check if a SRV record refers to a CNAME. Possible modes are
+   ``"fail"``, ``"warn"`` (default) and ``"ignore"``.
 
-``-t directory``
-   This option tells ``named`` to chroot to ``directory``, so that ``include`` directives in the
+**-t** directory
+   Chroot to ``directory`` so that include directives in the
    configuration file are processed as if run by a similarly chrooted
    ``named``.
 
-``-T mode``
-   This option checks whether Sender Policy Framework (SPF) records exist and issues a
+**-T** mode
+   Check if Sender Policy Framework (SPF) records exist and issues a
    warning if an SPF-formatted TXT record is not also present. Possible
-   modes are ``warn`` (the default) and ``ignore``.
+   modes are ``"warn"`` (default), ``"ignore"``.
 
-``-w directory``
-   This option instructs ``named`` to chdir to ``directory``, so that relative filenames in master file
-   ``$INCLUDE`` directives work. This is similar to the directory clause in
+**-w** directory
+   chdir to ``directory`` so that relative filenames in master file
+   $INCLUDE directives work. This is similar to the directory clause in
    ``named.conf``.
 
-``-D``
-   This option dumps the zone file in canonical format. This is always enabled for
+**-D**
+   Dump zone file in canonical format. This is always enabled for
    ``named-compilezone``.
 
-``-W mode``
-   This option specifies whether to check for non-terminal wildcards. Non-terminal
+**-W** mode
+   Specify whether to check for non-terminal wildcards. Non-terminal
    wildcards are almost always the result of a failure to understand the
-   wildcard matching algorithm (:rfc:`1034`). Possible modes are ``warn``
-   (the default) and ``ignore``.
+   wildcard matching algorithm (:rfc:`1034`). Possible modes are ``"warn"``
+   (default) and ``"ignore"``.
 
-``zonename``
-   This indicates the domain name of the zone being checked.
+zonename
+   The domain name of the zone being checked.
 
-``filename``
-   This is the name of the zone file.
+filename
+   The name of the zone file.
 
 Return Values
 ~~~~~~~~~~~~~

bin/check/win32/checkconf.vcxproj.in

@@ -77,7 +77,7 @@
       <GenerateDebugInformation>true</GenerateDebugInformation>
       <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
       <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\isccc\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);..\..\..\lib\ns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
-      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;libbind9.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>@OPENSSL_LIB@checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;libbind9.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
     </Link>
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
@@ -108,7 +108,7 @@
       <OptimizeReferences>true</OptimizeReferences>
       <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
       <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\isccc\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);..\..\..\lib\ns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
-      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;libbind9.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>@OPENSSL_LIB@checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;libbind9.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
       <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
     </Link>
   </ItemDefinitionGroup>
@@ -118,26 +118,6 @@
   <ItemGroup>
     <ClCompile Include="..\named-checkconf.c" />
   </ItemGroup>
-  <ItemGroup>
-    <ProjectReference Include="..\..\..\lib\isc\win32\libisc.vcxproj">
-      <Project>{3840E563-D180-4761-AA9C-E6155F02EAFF}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\dns\win32\libdns.vcxproj">
-      <Project>{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\ns\win32\libns.vcxproj">
-      <Project>{82ACD33C-E75F-45B8-BB6D-42643A10D7EE}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\isccfg\win32\libisccfg.vcxproj">
-      <Project>{B2DFA58C-6347-478E-81E8-01E06999D4F1}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\bind9\win32\libbind9.vcxproj">
-      <Project>{E741C10B-B075-4206-9596-46765B665E03}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\bin\check\win32\checktool.vcxproj">
-      <Project>{2C1F7096-C5B5-48D4-846F-A7ACA454335D}</Project>
-    </ProjectReference>
-  </ItemGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">
   </ImportGroup>

bin/check/win32/checktool.vcxproj.in

@@ -104,20 +104,6 @@
       <OutputFile>.\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
     </Lib>
   </ItemDefinitionGroup>
-  <ItemGroup>
-    <ProjectReference Include="..\..\..\lib\isc\win32\libisc.vcxproj">
-      <Project>{3840E563-D180-4761-AA9C-E6155F02EAFF}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\dns\win32\libdns.vcxproj">
-      <Project>{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\ns\win32\libns.vcxproj">
-      <Project>{82ACD33C-E75F-45B8-BB6D-42643A10D7EE}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\isccfg\win32\libisccfg.vcxproj">
-      <Project>{B2DFA58C-6347-478E-81E8-01E06999D4F1}</Project>
-    </ProjectReference>
-  </ItemGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">
   </ImportGroup>

bin/check/win32/checkzone.vcxproj.in

@@ -77,7 +77,7 @@
       <GenerateDebugInformation>true</GenerateDebugInformation>
       <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
       <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\ns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
-      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>@OPENSSL_LIB@checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
     </Link>
     <PostBuildEvent>
       <Command>cd ..\..\..\Build\$(Configuration)
@@ -114,7 +114,7 @@ copy /Y named-checkzone.ilk named-compilezone.ilk
       <OptimizeReferences>true</OptimizeReferences>
       <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
       <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\ns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
-      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>@OPENSSL_LIB@checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
       <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
     </Link>
     <PostBuildEvent>
@@ -129,23 +129,6 @@ copy /Y named-checkzone.exe named-compilezone.exe
   <ItemGroup>
     <ClCompile Include="..\named-checkzone.c" />
   </ItemGroup>
-  <ItemGroup>
-    <ProjectReference Include="..\..\..\lib\isc\win32\libisc.vcxproj">
-      <Project>{3840E563-D180-4761-AA9C-E6155F02EAFF}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\dns\win32\libdns.vcxproj">
-      <Project>{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\ns\win32\libns.vcxproj">
-      <Project>{82ACD33C-E75F-45B8-BB6D-42643A10D7EE}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\isccfg\win32\libisccfg.vcxproj">
-      <Project>{B2DFA58C-6347-478E-81E8-01E06999D4F1}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\bin\check\win32\checktool.vcxproj">
-      <Project>{2C1F7096-C5B5-48D4-846F-A7ACA454335D}</Project>
-    </ProjectReference>
-  </ItemGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">
   </ImportGroup>

bin/confgen/Makefile.am

@@ -1,30 +0,0 @@
-include $(top_srcdir)/Makefile.top
-
-AM_CPPFLAGS +=			\
-	$(LIBISC_CFLAGS)	\
-	$(LIBDNS_CFLAGS)	\
-	-DRNDC_KEYFILE=\"${sysconfdir}/rndc.key\"
-
-LDADD =				\
-	libconfgen.la		\
-	$(LIBISC_LIBS)		\
-	$(LIBDNS_LIBS)
-
-noinst_LTLIBRARIES = libconfgen.la
-
-libconfgen_la_SOURCES =		\
-	include/confgen/os.h	\
-	keygen.h		\
-	keygen.c		\
-	util.h			\
-	util.c			\
-	unix/os.c
-
-sbin_PROGRAMS = tsig-keygen rndc-confgen
-
-install-exec-hook:
-	ln -f $(DESTDIR)$(sbindir)/tsig-keygen \
-	      $(DESTDIR)$(sbindir)/ddns-confgen
-
-uninstall-hook:
-	-rm -f $(DESTDIR)$(sbindir)/ddns-confgen

bin/confgen/Makefile.in

@@ -0,0 +1,95 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+# Attempt to disable parallel processing.
+.NOTPARALLEL:
+.NO_PARALLEL:
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
+	${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES}
+
+CDEFINES =
+CWARNINGS =
+
+ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
+ISCCCLIBS =	../../lib/isccc/libisccc.@A@
+ISCLIBS =	../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@
+DNSLIBS =	../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+BIND9LIBS =	../../lib/bind9/libbind9.@A@
+
+ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@
+ISCCCDEPLIBS =	../../lib/isccc/libisccc.@A@
+ISCDEPLIBS =	../../lib/isc/libisc.@A@
+DNSDEPLIBS =	../../lib/dns/libdns.@A@
+BIND9DEPLIBS =	../../lib/bind9/libbind9.@A@
+
+RNDCLIBS =	${ISCCFGLIBS} ${ISCCCLIBS} ${BIND9LIBS} ${DNSLIBS} ${ISCLIBS} @LIBS@
+RNDCDEPLIBS =	${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${BIND9DEPLIBS} ${DNSDEPLIBS} ${ISCDEPLIBS}
+
+LIBS =		${DNSLIBS} ${ISCLIBS} @LIBS@
+
+NOSYMLIBS =	${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@
+
+CONFDEPLIBS =	${DNSDEPLIBS} ${ISCDEPLIBS}
+
+SRCS=		rndc-confgen.c ddns-confgen.c
+
+SUBDIRS =	unix
+
+TARGETS =	rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@ tsig-keygen@EXEEXT@
+
+UOBJS =		unix/os.@O@
+
+@BIND9_MAKE_RULES@
+
+rndc-confgen.@O@: rndc-confgen.c
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+		-DRNDC_KEYFILE=\"${sysconfdir}/rndc.key\" \
+		-c ${srcdir}/rndc-confgen.c
+
+ddns-confgen.@O@: ddns-confgen.c
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c ${srcdir}/ddns-confgen.c
+
+rndc-confgen@EXEEXT@: rndc-confgen.@O@ util.@O@ keygen.@O@ ${CONFDEPLIBS}
+	export BASEOBJS="rndc-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS}"; \
+	${FINALBUILDCMD}
+
+ddns-confgen@EXEEXT@: ddns-confgen.@O@ util.@O@ keygen.@O@ ${CONFDEPLIBS}
+	export BASEOBJS="ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS}"; \
+	${FINALBUILDCMD}
+
+# make a link in the build directory to assist with testing
+tsig-keygen@EXEEXT@: ddns-confgen@EXEEXT@
+	rm -f tsig-keygen@EXEEXT@
+	${LINK_PROGRAM} ddns-confgen@EXEEXT@ tsig-keygen@EXEEXT@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
+
+install:: rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@ installdirs
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} rndc-confgen@EXEEXT@ ${DESTDIR}${sbindir}
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ddns-confgen@EXEEXT@ ${DESTDIR}${sbindir}
+	(cd ${DESTDIR}${sbindir}; rm -f tsig-keygen@EXEEXT@; ${LINK_PROGRAM} ddns-confgen@EXEEXT@ tsig-keygen@EXEEXT@)
+
+uninstall::
+	rm -f ${DESTDIR}${sbindir}/tsig-keygen@EXEEXT@
+	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/ddns-confgen@EXEEXT@
+	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/rndc-confgen@EXEEXT@
+
+clean distclean maintainer-clean::
+	rm -f ${TARGETS}

bin/confgen/ddns-confgen.c

@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -12,8 +12,9 @@
 /*! \file */
 
 /**
- * tsig-keygen generates TSIG keys that can be used in named configuration
- * files for dynamic DNS.
+ * ddns-confgen generates configuration files for dynamic DNS. It can
+ * be used as a convenient alternative to writing the ddns.key file
+ * and the corresponding key and update-policy statements in named.conf.
  */
 
 #include <stdarg.h>
@@ -21,7 +22,6 @@
 #include <stdlib.h>
 
 #include <isc/assertions.h>
-#include <isc/attributes.h>
 #include <isc/base64.h>
 #include <isc/buffer.h>
 #include <isc/commandline.h>
@@ -57,8 +57,8 @@ const char *progname;
 static enum { progmode_keygen, progmode_confgen } progmode;
 bool verbose = false; /* needed by util.c but not used here */
 
-ISC_NORETURN static void
-usage(int status);
+ISC_PLATFORM_NORETURN_PRE static void
+usage(int status) ISC_PLATFORM_NORETURN_POST;
 
 static void
 usage(int status) {

bin/confgen/ddns-confgen.rst

@@ -0,0 +1,103 @@
+.. 
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+   
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, You can obtain one at http://mozilla.org/MPL/2.0/.
+   
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
+..
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
+
+.. highlight: console
+
+.. _man_ddns-confgen:
+
+ddns-confgen - ddns key generation tool
+---------------------------------------
+
+Synopsis
+~~~~~~~~
+:program:`tsig-keygen` [**-a** algorithm] [**-h**] [**-r** randomfile] [**-s** name]
+
+:program:`ddns-confgen` [**-a** algorithm] [**-h**] [**-k** keyname] [**-q**] [**-r** randomfile] [**-s** name] [**-z** zone]
+
+Description
+~~~~~~~~~~~
+
+``tsig-keygen`` and ``ddns-confgen`` are invocation methods for a
+utility that generates keys for use in TSIG signing. The resulting keys
+can be used, for example, to secure dynamic DNS updates to a zone or for
+the ``rndc`` command channel.
+
+When run as ``tsig-keygen``, a domain name can be specified on the
+command line which will be used as the name of the generated key. If no
+name is specified, the default is ``tsig-key``.
+
+When run as ``ddns-confgen``, the generated key is accompanied by
+configuration text and instructions that can be used with ``nsupdate``
+and ``named`` when setting up dynamic DNS, including an example
+``update-policy`` statement. (This usage similar to the ``rndc-confgen``
+command for setting up command channel security.)
+
+Note that ``named`` itself can configure a local DDNS key for use with
+``nsupdate -l``: it does this when a zone is configured with
+``update-policy local;``. ``ddns-confgen`` is only needed when a more
+elaborate configuration is required: for instance, if ``nsupdate`` is to
+be used from a remote system.
+
+Options
+~~~~~~~
+
+**-a** algorithm
+   Specifies the algorithm to use for the TSIG key. Available choices
+   are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384 and
+   hmac-sha512. The default is hmac-sha256. Options are
+   case-insensitive, and the "hmac-" prefix may be omitted.
+
+**-h**
+   Prints a short summary of options and arguments.
+
+**-k** keyname
+   Specifies the key name of the DDNS authentication key. The default is
+   ``ddns-key`` when neither the ``-s`` nor ``-z`` option is specified;
+   otherwise, the default is ``ddns-key`` as a separate label followed
+   by the argument of the option, e.g., ``ddns-key.example.com.`` The
+   key name must have the format of a valid domain name, consisting of
+   letters, digits, hyphens and periods.
+
+**-q**
+   (``ddns-confgen`` only.) Quiet mode: Print only the key, with no
+   explanatory text or usage examples; This is essentially identical to
+   ``tsig-keygen``.
+
+**-s** name
+   (``ddns-confgen`` only.) Generate configuration example to allow
+   dynamic updates of a single hostname. The example ``named.conf`` text
+   shows how to set an update policy for the specified name using the
+   "name" nametype. The default key name is ddns-key.name. Note that the
+   "self" nametype cannot be used, since the name to be updated may
+   differ from the key name. This option cannot be used with the ``-z``
+   option.
+
+**-z** zone
+   (``ddns-confgen`` only.) Generate configuration example to allow
+   dynamic updates of a zone: The example ``named.conf`` text shows how
+   to set an update policy for the specified zone using the "zonesub"
+   nametype, allowing updates to all subdomain names within that zone.
+   This option cannot be used with the ``-s`` option.
+
+See Also
+~~~~~~~~
+
+:manpage:`nsupdate(1)`, :manpage:`named.conf(5)`, :manpage:`named(8)`, BIND 9 Administrator Reference Manual.

bin/confgen/include/confgen/os.h

@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.

bin/confgen/keygen.c

@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -198,4 +198,5 @@ write_key_file(const char *keyfile, const char *user, const char *keyname,
 	if (fclose(fd)) {
 		fatal("fclose(%s) failed\n", keyfile);
 	}
+	fprintf(stderr, "wrote key file \"%s\"\n", keyfile);
 }

bin/confgen/keygen.h

@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.

bin/confgen/rndc-confgen.c

@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -25,7 +25,6 @@
 #include <stdlib.h>
 
 #include <isc/assertions.h>
-#include <isc/attributes.h>
 #include <isc/base64.h>
 #include <isc/buffer.h>
 #include <isc/commandline.h>
@@ -61,8 +60,8 @@ bool verbose = false;
 
 const char *keyfile, *keydef;
 
-ISC_NORETURN static void
-usage(int status);
+ISC_PLATFORM_NORETURN_PRE static void
+usage(int status) ISC_PLATFORM_NORETURN_POST;
 
 static void
 usage(int status) {
@@ -76,7 +75,6 @@ Usage:\n\
   -c keyfile:	 specify an alternate key file (requires -a)\n\
   -k keyname:	 the name as it will be used  in named.conf and rndc.conf\n\
   -p port:	 the port named will listen on and rndc will connect to\n\
-  -q:		 suppress printing written key path\n\
   -s addr:	 the address to which rndc should connect\n\
   -t chrootdir:	 write a keyfile in chrootdir as well (requires -a)\n\
   -u user:	 set the keyfile owner to \"user\" (requires -a)\n",
@@ -105,7 +103,6 @@ main(int argc, char **argv) {
 	char *chrootdir = NULL;
 	char *user = NULL;
 	bool keyonly = false;
-	bool quiet = false;
 	int len;
 
 	keydef = keyfile = RNDC_KEYFILE;
@@ -166,9 +163,6 @@ main(int argc, char **argv) {
 				      isc_commandline_argument);
 			}
 			break;
-		case 'q':
-			quiet = true;
-			break;
 		case 'r':
 			fatal("The -r option has been deprecated.");
 			break;
@@ -232,9 +226,6 @@ main(int argc, char **argv) {
 	if (keyonly) {
 		write_key_file(keyfile, chrootdir == NULL ? user : NULL,
 			       keyname, &key_txtbuffer, alg);
-		if (!quiet) {
-			printf("wrote key file \"%s\"\n", keyfile);
-		}
 
 		if (chrootdir != NULL) {
 			char *buf;
@@ -244,9 +235,6 @@ main(int argc, char **argv) {
 				 (*keyfile != '/') ? "/" : "", keyfile);
 
 			write_key_file(buf, user, keyname, &key_txtbuffer, alg);
-			if (!quiet) {
-				printf("wrote key file \"%s\"\n", buf);
-			}
 			isc_mem_put(mctx, buf, len);
 		}
 	} else {

bin/confgen/rndc-confgen.rst

@@ -3,7 +3,7 @@
    
    This Source Code Form is subject to the terms of the Mozilla Public
    License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, you can obtain one at https://mozilla.org/MPL/2.0/.
+   file, You can obtain one at http://mozilla.org/MPL/2.0/.
    
    See the COPYRIGHT file distributed with this work for additional
    information regarding copyright ownership.
@@ -41,75 +41,76 @@ by hand. Alternatively, it can be run with the ``-a`` option to set up a
 ``rndc.key`` file and avoid the need for a ``rndc.conf`` file and a
 ``controls`` statement altogether.
 
-Options
-~~~~~~~
+Arguments
+~~~~~~~~~
 
-``-a``
-   This option sets automatic ``rndc`` configuration, which creates a file ``rndc.key``
-   in ``/etc`` (or a different ``sysconfdir`` specified when BIND
+**-a**
+   Do automatic ``rndc`` configuration. This creates a file ``rndc.key``
+   in ``/etc`` (or whatever ``sysconfdir`` was specified as when BIND
    was built) that is read by both ``rndc`` and ``named`` on startup.
    The ``rndc.key`` file defines a default command channel and
    authentication key allowing ``rndc`` to communicate with ``named`` on
    the local host with no further configuration.
 
+   Running ``rndc-confgen -a`` allows BIND 9 and ``rndc`` to be used as
+   drop-in replacements for BIND 8 and ``ndc``, with no changes to the
+   existing BIND 8 ``named.conf`` file.
+
    If a more elaborate configuration than that generated by
    ``rndc-confgen -a`` is required, for example if rndc is to be used
-   remotely, run ``rndc-confgen`` without the ``-a`` option
-   and set up ``rndc.conf`` and ``named.conf`` as directed.
+   remotely, you should run ``rndc-confgen`` without the ``-a`` option
+   and set up a ``rndc.conf`` and ``named.conf`` as directed.
 
-``-A algorithm``
-   This option specifies the algorithm to use for the TSIG key. Available choices
-   are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384, and
+**-A** algorithm
+   Specifies the algorithm to use for the TSIG key. Available choices
+   are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384 and
    hmac-sha512. The default is hmac-sha256.
 
-``-b keysize``
-   This option specifies the size of the authentication key in bits. The size must be between
+**-b** keysize
+   Specifies the size of the authentication key in bits. Must be between
    1 and 512 bits; the default is the hash size.
 
-``-c keyfile``
-   This option is used with the ``-a`` option to specify an alternate location for
+**-c** keyfile
+   Used with the ``-a`` option to specify an alternate location for
    ``rndc.key``.
 
-``-h``
-   This option prints a short summary of the options and arguments to
+**-h**
+   Prints a short summary of the options and arguments to
    ``rndc-confgen``.
 
-``-k keyname``
-   This option specifies the key name of the ``rndc`` authentication key. This must be a
+**-k** keyname
+   Specifies the key name of the rndc authentication key. This must be a
    valid domain name. The default is ``rndc-key``.
 
-``-p port``
-   This option specifies the command channel port where ``named`` listens for
+**-p** port
+   Specifies the command channel port where ``named`` listens for
    connections from ``rndc``. The default is 953.
 
-``-q``
-   This option prevets printing the written path in automatic configuration mode.
-
-``-s address``
-   This option specifies the IP address where ``named`` listens for command-channel
+**-s** address
+   Specifies the IP address where ``named`` listens for command channel
    connections from ``rndc``. The default is the loopback address
    127.0.0.1.
 
-``-t chrootdir``
-   This option is used with the ``-a`` option to specify a directory where ``named``
-   runs chrooted. An additional copy of the ``rndc.key`` is
-   written relative to this directory, so that it is found by the
+**-t** chrootdir
+   Used with the ``-a`` option to specify a directory where ``named``
+   will run chrooted. An additional copy of the ``rndc.key`` will be
+   written relative to this directory so that it will be found by the
    chrooted ``named``.
 
-``-u user``
-   This option is used with the ``-a`` option to set the owner of the generated ``rndc.key`` file.
-   If ``-t`` is also specified, only the file in the chroot
+**-u** user
+   Used with the ``-a`` option to set the owner of the ``rndc.key`` file
+   generated. If ``-t`` is also specified only the file in the chroot
    area has its owner changed.
 
 Examples
 ~~~~~~~~
 
-To allow ``rndc`` to be used with no manual configuration, run:
+To allow ``rndc`` to be used with no manual configuration, run
 
 ``rndc-confgen -a``
 
-To print a sample ``rndc.conf`` file and the corresponding ``controls`` and
-``key`` statements to be manually inserted into ``named.conf``, run:
+To print a sample ``rndc.conf`` file and corresponding ``controls`` and
+``key`` statements to be manually inserted into ``named.conf``, run
 
 ``rndc-confgen``
 

bin/confgen/tsig-keygen.rst

@@ -1,101 +0,0 @@
-.. 
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-   
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, you can obtain one at https://mozilla.org/MPL/2.0/.
-   
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-..
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-
-.. highlight: console
-
-tsig-keygen, ddns-confgen - TSIG key generation tool
-----------------------------------------------------
-
-Synopsis
-~~~~~~~~
-:program:`tsig-keygen` [**-a** algorithm] [**-h**] [**-r** randomfile] [name]
-
-:program:`ddns-confgen` [**-a** algorithm] [**-h**] [**-k** keyname] [**-q**] [**-r** randomfile] [**-s** name] [**-z** zone]
-
-Description
-~~~~~~~~~~~
-
-``tsig-keygen`` and ``ddns-confgen`` are invocation methods for a
-utility that generates keys for use in TSIG signing. The resulting keys
-can be used, for example, to secure dynamic DNS updates to a zone, or for
-the ``rndc`` command channel.
-
-When run as ``tsig-keygen``, a domain name can be specified on the
-command line to be used as the name of the generated key. If no
-name is specified, the default is ``tsig-key``.
-
-When run as ``ddns-confgen``, the key name can specified using ``-k``
-parameter and defaults to ``ddns-key``. The generated key is accompanied
-by configuration text and instructions that can be used with ``nsupdate``
-and ``named`` when setting up dynamic DNS, including an example
-``update-policy`` statement. (This usage is similar to the ``rndc-confgen``
-command for setting up command-channel security.)
-
-Note that ``named`` itself can configure a local DDNS key for use with
-``nsupdate -l``; it does this when a zone is configured with
-``update-policy local;``. ``ddns-confgen`` is only needed when a more
-elaborate configuration is required: for instance, if ``nsupdate`` is to
-be used from a remote system.
-
-Options
-~~~~~~~
-
-``-a algorithm``
-   This option specifies the algorithm to use for the TSIG key. Available
-   choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384,
-   and hmac-sha512. The default is hmac-sha256. Options are
-   case-insensitive, and the "hmac-" prefix may be omitted.
-
-``-h``
-   This option prints a short summary of options and arguments.
-
-``-k keyname``
-   This option specifies the key name of the DDNS authentication key. The
-   default is ``ddns-key`` when neither the ``-s`` nor ``-z`` option is
-   specified; otherwise, the default is ``ddns-key`` as a separate label
-   followed by the argument of the option, e.g., ``ddns-key.example.com.``
-   The key name must have the format of a valid domain name, consisting of
-   letters, digits, hyphens, and periods.
-
-``-q`` (``ddns-confgen`` only)
-   This option enables quiet mode, which prints only the key, with no
-   explanatory text or usage examples. This is essentially identical to
-   ``tsig-keygen``.
-
-``-s name`` (``ddns-confgen`` only)
-   This option generates a configuration example to allow dynamic updates
-   of a single hostname. The example ``named.conf`` text shows how to set
-   an update policy for the specified name using the "name" nametype. The
-   default key name is ``ddns-key.name``. Note that the "self" nametype
-   cannot be used, since the name to be updated may differ from the key
-   name. This option cannot be used with the ``-z`` option.
-
-``-z zone`` (``ddns-confgen`` only)
-   This option generates a configuration example to allow
-   dynamic updates of a zone. The example ``named.conf`` text shows how
-   to set an update policy for the specified zone using the "zonesub"
-   nametype, allowing updates to all subdomain names within that zone.
-   This option cannot be used with the ``-s`` option.
-
-See Also
-~~~~~~~~
-
-:manpage:`nsupdate(1)`, :manpage:`named.conf(5)`, :manpage:`named(8)`, BIND 9 Administrator Reference Manual.

bin/confgen/unix/Makefile.in

@@ -0,0 +1,28 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	-I${srcdir}/include -I${srcdir}/../include \
+		${DNS_INCLUDES} ${ISC_INCLUDES}
+
+CDEFINES =
+CWARNINGS =
+
+OBJS =		os.@O@
+
+SRCS =		os.c
+
+TARGETS =	${OBJS}
+
+@BIND9_MAKE_RULES@

bin/confgen/unix/os.c

@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.

bin/confgen/util.c

@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -30,7 +30,7 @@ notify(const char *fmt, ...) {
 		va_start(ap, fmt);
 		vfprintf(stderr, fmt, ap);
 		va_end(ap);
-		fprintf(stderr, "\n");
+		fputs("\n", stderr);
 	}
 }
 

bin/confgen/util.h

@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -14,7 +14,6 @@
 
 /*! \file */
 
-#include <isc/attributes.h>
 #include <isc/formatcheck.h>
 #include <isc/lang.h>
 #include <isc/platform.h>
@@ -36,8 +35,9 @@ ISC_LANG_BEGINDECLS
 void
 notify(const char *fmt, ...) ISC_FORMAT_PRINTF(1, 2);
 
-ISC_NORETURN void
-fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
+ISC_PLATFORM_NORETURN_PRE void
+fatal(const char *format, ...)
+	ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST;
 
 ISC_LANG_ENDDECLS
 

bin/confgen/win32/confgentool.vcxproj.in

@@ -114,14 +114,6 @@
     <ClCompile Include="..\util.c" />
     <ClCompile Include="os.c" />
   </ItemGroup>
-  <ItemGroup>
-    <ProjectReference Include="..\..\..\lib\isc\win32\libisc.vcxproj">
-      <Project>{3840E563-D180-4761-AA9C-E6155F02EAFF}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\dns\win32\libdns.vcxproj">
-      <Project>{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}</Project>
-    </ProjectReference>
-  </ItemGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">
   </ImportGroup>

bin/confgen/win32/ddnsconfgen.vcxproj.filters.in

@@ -11,8 +11,8 @@
     </Filter>
   </ItemGroup>
   <ItemGroup>
-    <ClCompile Include="..\tsig-keygen.c">
+    <ClCompile Include="..\ddns-confgen.c">
       <Filter>Source Files</Filter>
     </ClCompile>
   </ItemGroup>
-</Project>
+</Project>

bin/confgen/win32/ddnsconfgen.vcxproj.in

@@ -13,7 +13,7 @@
   <PropertyGroup Label="Globals">
     <ProjectGuid>{1EA4FC64-F33B-4A50-970A-EA052BBE9CF1}</ProjectGuid>
     <Keyword>Win32Proj</Keyword>
-    <RootNamespace>tsigkeygen</RootNamespace>
+    <RootNamespace>ddnsconfgen</RootNamespace>
     @WINDOWS_TARGET_PLATFORM_VERSION@
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
@@ -45,14 +45,14 @@
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
     <IntDirSharingDetected>None</IntDirSharingDetected>
-    <TargetName>tsig-keygen</TargetName>
+    <TargetName>ddns-confgen</TargetName>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
     <IntDirSharingDetected>None</IntDirSharingDetected>
-    <TargetName>tsig-keygen</TargetName>
+    <TargetName>ddns-confgen</TargetName>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
@@ -69,20 +69,20 @@
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <BrowseInformation>true</BrowseInformation>
       <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
-      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\isccc\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
     <Link>
       <SubSystem>Console</SubSystem>
       <GenerateDebugInformation>true</GenerateDebugInformation>
       <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
-      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
-      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@confgentool.lib;libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\isccc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIB@confgentool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
     </Link>
     <PostBuildEvent>
       <Command>cd ..\..\..\Build\$(Configuration)
-copy /Y tsig-keygen.exe ddns-confgen.exe
-copy /Y tsig-keygen.ilk ddns-confgen.ilk
+copy /Y ddns-confgen.exe tsig-keygen.exe
+copy /Y ddns-confgen.ilk tsig-keygen.ilk
 </Command>
     </PostBuildEvent>
   </ItemDefinitionGroup>
@@ -104,7 +104,7 @@ copy /Y tsig-keygen.ilk ddns-confgen.ilk
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
-      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\isccc\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
     <Link>
@@ -114,28 +114,17 @@ copy /Y tsig-keygen.ilk ddns-confgen.ilk
       <OptimizeReferences>true</OptimizeReferences>
       <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
       <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
-      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
-      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@confgentool.lib;libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\isccc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIB@confgentool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
     </Link>
     <PostBuildEvent>
       <Command>cd ..\..\..\Build\$(Configuration)
-copy /Y tsig-keygen.exe ddns-confgen.exe
+copy /Y ddns-confgen.exe tsig-keygen.exe
 </Command>
     </PostBuildEvent>
   </ItemDefinitionGroup>
   <ItemGroup>
-    <ClCompile Include="..\tsig-keygen.c" />
-  </ItemGroup>
-  <ItemGroup>
-    <ProjectReference Include="..\..\..\lib\isc\win32\libisc.vcxproj">
-      <Project>{3840E563-D180-4761-AA9C-E6155F02EAFF}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\dns\win32\libdns.vcxproj">
-      <Project>{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\bin\confgen\win32\confgentool.vcxproj">
-      <Project>{64964B03-4815-41F0-9057-E766A94AF197}</Project>
-    </ProjectReference>
+    <ClCompile Include="..\ddns-confgen.c" />
   </ItemGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">

bin/confgen/win32/os.c

@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.

bin/confgen/win32/rndcconfgen.vcxproj.in

@@ -69,15 +69,15 @@
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <BrowseInformation>true</BrowseInformation>
       <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
-      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\isccc\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
     <Link>
       <SubSystem>Console</SubSystem>
       <GenerateDebugInformation>true</GenerateDebugInformation>
       <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
-      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
-      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@confgentool.lib;libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\isccc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIB@confgentool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
     </Link>
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
@@ -98,7 +98,7 @@
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
-      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\isccc\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
     <Link>
@@ -108,24 +108,13 @@
       <OptimizeReferences>true</OptimizeReferences>
       <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
       <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
-      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
-      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@confgentool.lib;libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\isccc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIB@confgentool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
     </Link>
   </ItemDefinitionGroup>
   <ItemGroup>
     <ClCompile Include="..\rndc-confgen.c" />
   </ItemGroup>
-  <ItemGroup>
-    <ProjectReference Include="..\..\..\lib\isc\win32\libisc.vcxproj">
-      <Project>{3840E563-D180-4761-AA9C-E6155F02EAFF}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\dns\win32\libdns.vcxproj">
-      <Project>{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\bin\confgen\win32\confgentool.vcxproj">
-      <Project>{64964B03-4815-41F0-9057-E766A94AF197}</Project>
-    </ProjectReference>
-  </ItemGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">
   </ImportGroup>

bin/delv/Makefile.am

@@ -1,21 +0,0 @@
-include $(top_srcdir)/Makefile.top
-
-AM_CPPFLAGS +=				\
-	-I$(top_builddir)/include	\
-	$(LIBISC_CFLAGS)		\
-	$(LIBDNS_CFLAGS)		\
-	$(LIBISCCFG_CFLAGS)		\
-	$(LIBIRS_CFLAGS)
-
-AM_CPPFLAGS +=				\
-	-DSYSCONFDIR=\"${sysconfdir}\"
-
-bin_PROGRAMS = delv
-
-delv_SOURCES =				\
-	delv.c
-delv_LDADD =				\
-	$(LIBISC_LIBS)			\
-	$(LIBDNS_LIBS)			\
-	$(LIBISCCFG_LIBS)		\
-	$(LIBIRS_LIBS)

bin/delv/Makefile.in

@@ -0,0 +1,68 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	-I${srcdir}/include ${DNS_INCLUDES} ${ISC_INCLUDES} \
+		${IRS_INCLUDES} ${ISCCFG_INCLUDES} \
+		${OPENSSL_CFLAGS}
+
+CDEFINES =	-DVERSION=\"${VERSION}\" \
+		-DSYSCONFDIR=\"${sysconfdir}\"
+CWARNINGS =
+
+ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
+DNSLIBS =	../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@
+ISCLIBS =	../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+IRSLIBS =	../../lib/irs/libirs.@A@
+
+ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@
+DNSDEPLIBS =	../../lib/dns/libdns.@A@
+ISCDEPLIBS =	../../lib/isc/libisc.@A@
+IRSDEPLIBS =	../../lib/irs/libirs.@A@
+
+DEPLIBS =	${DNSDEPLIBS} ${IRSDEPLIBS} ${ISCCFGDEPLIBS} ${ISCDEPLIBS}
+
+LIBS =		${DNSLIBS} ${IRSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
+NOSYMLIBS =	${DNSLIBS} ${IRSLIBS} ${ISCCFGLIBS} ${ISCNOSYMLIBS} @LIBS@
+
+SUBDIRS =
+
+TARGETS =	delv@EXEEXT@
+
+OBJS =		delv.@O@
+
+SRCS =		delv.c
+
+@BIND9_MAKE_RULES@
+
+delv@EXEEXT@: delv.@O@ ${DEPLIBS}
+	export BASEOBJS="delv.@O@"; \
+	export LIBS0="${DNSLIBS}"; \
+	${FINALBUILDCMD}
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir}
+
+install:: delv@EXEEXT@ installdirs
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
+		delv@EXEEXT@ ${DESTDIR}${bindir}
+
+uninstall::
+	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${bindir}/delv@EXEEXT@
+
+clean distclean maintainer-clean::
+	rm -f ${TARGETS}

bin/delv/delv.c

@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -28,16 +28,13 @@
 #include <unistd.h>
 
 #include <isc/app.h>
-#include <isc/attributes.h>
 #include <isc/base64.h>
 #include <isc/buffer.h>
 #include <isc/hex.h>
 #include <isc/lib.h>
 #include <isc/log.h>
-#include <isc/managers.h>
 #include <isc/md.h>
 #include <isc/mem.h>
-#include <isc/netmgr.h>
 #ifdef WIN32
 #include <isc/ntpaths.h>
 #endif /* ifdef WIN32 */
@@ -74,6 +71,7 @@
 #include <isccfg/log.h>
 #include <isccfg/namedconf.h>
 
+#include <irs/netdb.h>
 #include <irs/resconf.h>
 
 #define CHECK(r)                             \
@@ -137,88 +135,79 @@ parse_uint(uint32_t *uip, const char *value, uint32_t max, const char *desc);
 
 static void
 usage(void) {
-	fprintf(stderr,
-		"Usage:  delv [@server] {q-opt} {d-opt} [domain] [q-type] "
-		"[q-class]\n"
-		"Where:  domain	  is in the Domain Name System\n"
-		"        q-class  is one of (in,hs,ch,...) [default: in]\n"
-		"        q-type   is one of "
-		"(a,any,mx,ns,soa,hinfo,axfr,txt,...) "
-		"[default:a]\n"
-		"        q-opt    is one of:\n"
-		"                 -4                  (use IPv4 query "
-		"transport "
-		"only)\n"
-		"                 -6                  (use IPv6 query "
-		"transport "
-		"only)\n"
-		"                 -a anchor-file      (specify root trust "
-		"anchor)\n"
-		"                 -b address[#port]   (bind to source "
-		"address/port)\n"
-		"                 -c class            (option included for "
-		"compatibility;\n"
-		"                 -d level            (set debugging level)\n"
-		"                 -h                  (print help and exit)\n"
-		"                 -i                  (disable DNSSEC "
-		"validation)\n"
-		"                 -m                  (enable memory usage "
-		"debugging)\n"
-		"                 -p port             (specify port number)\n"
-		"                 -q name             (specify query name)\n"
-		"                 -t type             (specify query type)\n"
-		"                                      only IN is supported)\n"
-		"                 -v                  (print version and "
-		"exit)\n"
-		"                 -x dot-notation     (shortcut for reverse "
-		"lookups)\n"
-		"        d-opt    is of the form +keyword[=value], where "
-		"keyword "
-		"is:\n"
-		"                 +[no]all            (Set or clear all "
-		"display "
-		"flags)\n"
-		"                 +[no]class          (Control display of "
-		"class)\n"
-		"                 +[no]comments       (Control display of "
-		"comment lines)\n"
-		"                 +[no]crypto         (Control display of "
-		"cryptographic\n"
-		"                                      fields in records)\n"
-		"                 +[no]dlv            (Obsolete)\n"
-		"                 +[no]dnssec         (Display DNSSEC "
-		"records)\n"
-		"                 +[no]mtrace         (Trace messages "
-		"received)\n"
-		"                 +[no]multiline      (Print records in an "
-		"expanded format)\n"
-		"                 +[no]root           (DNSSEC validation trust "
-		"anchor)\n"
-		"                 +[no]rrcomments     (Control display of "
-		"per-record "
-		"comments)\n"
-		"                 +[no]rtrace         (Trace resolver "
-		"fetches)\n"
-		"                 +[no]short          (Short form answer)\n"
-		"                 +[no]split=##       (Split hex/base64 fields "
-		"into chunks)\n"
-		"                 +[no]tcp            (TCP mode)\n"
-		"                 +[no]ttl            (Control display of ttls "
-		"in records)\n"
-		"                 +[no]trust          (Control display of "
-		"trust "
-		"level)\n"
-		"                 +[no]unknownformat  (Print RDATA in RFC 3597 "
-		"\"unknown\" format)\n"
-		"                 +[no]vtrace         (Trace validation "
-		"process)\n"
-		"                 +[no]yaml           (Present the results as "
-		"YAML)\n");
+	fputs("Usage:  delv [@server] {q-opt} {d-opt} [domain] [q-type] "
+	      "[q-class]\n"
+	      "Where:  domain	  is in the Domain Name System\n"
+	      "        q-class  is one of (in,hs,ch,...) [default: in]\n"
+	      "        q-type   is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) "
+	      "[default:a]\n"
+	      "        q-opt    is one of:\n"
+	      "                 -4                  (use IPv4 query transport "
+	      "only)\n"
+	      "                 -6                  (use IPv6 query transport "
+	      "only)\n"
+	      "                 -a anchor-file      (specify root trust "
+	      "anchor)\n"
+	      "                 -b address[#port]   (bind to source "
+	      "address/port)\n"
+	      "                 -c class            (option included for "
+	      "compatibility;\n"
+	      "                 -d level            (set debugging level)\n"
+	      "                 -h                  (print help and exit)\n"
+	      "                 -i                  (disable DNSSEC "
+	      "validation)\n"
+	      "                 -m                  (enable memory usage "
+	      "debugging)\n"
+	      "                 -p port             (specify port number)\n"
+	      "                 -q name             (specify query name)\n"
+	      "                 -t type             (specify query type)\n"
+	      "                                      only IN is supported)\n"
+	      "                 -v                  (print version and exit)\n"
+	      "                 -x dot-notation     (shortcut for reverse "
+	      "lookups)\n"
+	      "        d-opt    is of the form +keyword[=value], where keyword "
+	      "is:\n"
+	      "                 +[no]all            (Set or clear all display "
+	      "flags)\n"
+	      "                 +[no]class          (Control display of "
+	      "class)\n"
+	      "                 +[no]comments       (Control display of "
+	      "comment lines)\n"
+	      "                 +[no]crypto         (Control display of "
+	      "cryptographic\n"
+	      "                                      fields in records)\n"
+	      "                 +[no]dlv            (Obsolete)\n"
+	      "                 +[no]dnssec         (Display DNSSEC records)\n"
+	      "                 +[no]mtrace         (Trace messages received)\n"
+	      "                 +[no]multiline      (Print records in an "
+	      "expanded format)\n"
+	      "                 +[no]root           (DNSSEC validation trust "
+	      "anchor)\n"
+	      "                 +[no]rrcomments     (Control display of "
+	      "per-record "
+	      "comments)\n"
+	      "                 +[no]rtrace         (Trace resolver fetches)\n"
+	      "                 +[no]short          (Short form answer)\n"
+	      "                 +[no]split=##       (Split hex/base64 fields "
+	      "into chunks)\n"
+	      "                 +[no]tcp            (TCP mode)\n"
+	      "                 +[no]ttl            (Control display of ttls "
+	      "in records)\n"
+	      "                 +[no]trust          (Control display of trust "
+	      "level)\n"
+	      "                 +[no]unknownformat  (Print RDATA in RFC 3597 "
+	      "\"unknown\" format)\n"
+	      "                 +[no]vtrace         (Trace validation "
+	      "process)\n"
+	      "                 +[no]yaml           (Present the results as "
+	      "YAML)\n",
+	      stderr);
 	exit(1);
 }
 
-ISC_NORETURN static void
-fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
+ISC_PLATFORM_NORETURN_PRE static void
+fatal(const char *format, ...)
+	ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST;
 
 static void
 fatal(const char *format, ...) {
@@ -612,13 +601,11 @@ key_fromconfig(const cfg_obj_t *key, dns_client_t *client) {
 	dns_name_t *keyname;
 	isc_result_t result;
 	bool match_root = false;
-	enum {
-		INITIAL_KEY,
-		STATIC_KEY,
-		INITIAL_DS,
-		STATIC_DS,
-		TRUSTED
-	} anchortype;
+	enum { INITIAL_KEY,
+	       STATIC_KEY,
+	       INITIAL_DS,
+	       STATIC_DS,
+	       TRUSTED } anchortype;
 	const cfg_obj_t *obj;
 
 	keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
@@ -1350,7 +1337,7 @@ dash_option(char *option, char *next, bool *open_type_class) {
 			/* handled in preparse_args() */
 			break;
 		case 'v':
-			fprintf(stderr, "delv %s\n", PACKAGE_VERSION);
+			fputs("delv " VERSION "\n", stderr);
 			exit(0);
 		/* NOTREACHED */
 		default:
@@ -1736,9 +1723,8 @@ main(int argc, char *argv[]) {
 	char namestr[DNS_NAME_FORMATSIZE];
 	dns_rdataset_t *rdataset;
 	dns_namelist_t namelist;
-	unsigned int resopt;
+	unsigned int resopt, clopt;
 	isc_appctx_t *actx = NULL;
-	isc_nm_t *netmgr = NULL;
 	isc_taskmgr_t *taskmgr = NULL;
 	isc_socketmgr_t *socketmgr = NULL;
 	isc_timermgr_t *timermgr = NULL;
@@ -1762,8 +1748,9 @@ main(int argc, char *argv[]) {
 	isc_mem_create(&mctx);
 
 	CHECK(isc_appctx_create(mctx, &actx));
-	isc_managers_create(mctx, 1, 0, 0, &netmgr, &taskmgr, &timermgr,
-			    &socketmgr);
+	CHECK(isc_taskmgr_createinctx(mctx, 1, 0, &taskmgr));
+	CHECK(isc_socketmgr_createinctx(mctx, &socketmgr));
+	CHECK(isc_timermgr_createinctx(mctx, &timermgr));
 
 	parse_args(argc, argv);
 
@@ -1783,8 +1770,9 @@ main(int argc, char *argv[]) {
 #endif /* ifndef WIN32 */
 
 	/* Create client */
-	result = dns_client_create(mctx, actx, taskmgr, socketmgr, timermgr, 0,
-				   &client, srcaddr4, srcaddr6);
+	clopt = DNS_CLIENTCREATEOPT_USECACHE;
+	result = dns_client_createx(mctx, actx, taskmgr, socketmgr, timermgr,
+				    clopt, &client, srcaddr4, srcaddr6);
 	if (result != ISC_R_SUCCESS) {
 		delv_log(ISC_LOG_ERROR, "dns_client_create: %s",
 			 isc_result_totext(result));
@@ -1804,7 +1792,7 @@ main(int argc, char *argv[]) {
 	CHECK(convert_name(&qfn, &query_name, qname));
 
 	/* Set up resolution options */
-	resopt = DNS_CLIENTRESOPT_NOCDFLAG;
+	resopt = DNS_CLIENTRESOPT_ALLOWRUN | DNS_CLIENTRESOPT_NOCDFLAG;
 	if (no_sigs) {
 		resopt |= DNS_CLIENTRESOPT_NODNSSEC;
 	}
@@ -1866,7 +1854,15 @@ cleanup:
 	if (client != NULL) {
 		dns_client_destroy(&client);
 	}
-	isc_managers_destroy(&netmgr, &taskmgr, &timermgr, &socketmgr);
+	if (taskmgr != NULL) {
+		isc_taskmgr_destroy(&taskmgr);
+	}
+	if (timermgr != NULL) {
+		isc_timermgr_destroy(&timermgr);
+	}
+	if (socketmgr != NULL) {
+		isc_socketmgr_destroy(&socketmgr);
+	}
 	if (actx != NULL) {
 		isc_appctx_destroy(&actx);
 	}

bin/delv/delv.rst

@@ -3,7 +3,7 @@
    
    This Source Code Form is subject to the terms of the Mozilla Public
    License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, you can obtain one at https://mozilla.org/MPL/2.0/.
+   file, You can obtain one at http://mozilla.org/MPL/2.0/.
    
    See the COPYRIGHT file distributed with this work for additional
    information regarding copyright ownership.
@@ -43,15 +43,15 @@ Description
 ``delv`` is a tool for sending DNS queries and validating the results,
 using the same internal resolver and validator logic as ``named``.
 
-``delv`` sends to a specified name server all queries needed to
+``delv`` will send to a specified name server all queries needed to
 fetch and validate the requested data; this includes the original
-requested query, subsequent queries to follow CNAME or DNAME chains,
+requested query, subsequent queries to follow CNAME or DNAME chains, and
 queries for DNSKEY, and DS records to establish a chain of trust for
 DNSSEC validation. It does not perform iterative resolution, but
 simulates the behavior of a name server configured for DNSSEC validating
 and forwarding.
 
-By default, responses are validated using the built-in DNSSEC trust anchor
+By default, responses are validated using built-in DNSSEC trust anchor
 for the root zone ("."). Records returned by ``delv`` are either fully
 validated or were not signed. If validation fails, an explanation of the
 failure is included in the output; the validation process can be traced
@@ -59,13 +59,13 @@ in detail. Because ``delv`` does not rely on an external server to carry
 out validation, it can be used to check the validity of DNS responses in
 environments where local name servers may not be trustworthy.
 
-Unless it is told to query a specific name server, ``delv`` tries
+Unless it is told to query a specific name server, ``delv`` will try
 each of the servers listed in ``/etc/resolv.conf``. If no usable server
-addresses are found, ``delv`` sends queries to the localhost
+addresses are found, ``delv`` will send queries to the localhost
 addresses (127.0.0.1 for IPv4, ::1 for IPv6).
 
-When no command-line arguments or options are given, ``delv``
-performs an NS query for "." (the root zone).
+When no command line arguments or options are given, ``delv`` will
+perform an NS query for "." (the root zone).
 
 Simple Usage
 ~~~~~~~~~~~~
@@ -89,109 +89,109 @@ where:
    If no ``server`` argument is provided, ``delv`` consults
    ``/etc/resolv.conf``; if an address is found there, it queries the
    name server at that address. If either of the ``-4`` or ``-6``
-   options is in use, then only addresses for the corresponding
-   transport are tried. If no usable addresses are found, ``delv``
-   sends queries to the localhost addresses (127.0.0.1 for IPv4, ::1
+   options are in use, then only addresses for the corresponding
+   transport will be tried. If no usable addresses are found, ``delv``
+   will send queries to the localhost addresses (127.0.0.1 for IPv4, ::1
    for IPv6).
 
 ``name``
    is the domain name to be looked up.
 
 ``type``
-   indicates what type of query is required - ANY, A, MX, etc.
+   indicates what type of query is required MDASH ANY, A, MX, etc.
    ``type`` can be any valid query type. If no ``type`` argument is
-   supplied, ``delv`` performs a lookup for an A record.
+   supplied, ``delv`` will perform a lookup for an A record.
 
 Options
 ~~~~~~~
 
-``-a anchor-file``
-   This option specifies a file from which to read DNSSEC trust anchors. The default
+**-a** anchor-file
+   Specifies a file from which to read DNSSEC trust anchors. The default
    is ``/etc/bind.keys``, which is included with BIND 9 and contains one
    or more trust anchors for the root zone (".").
 
    Keys that do not match the root zone name are ignored. An alternate
    key name can be specified using the ``+root=NAME`` options.
 
-   Note: When reading the trust anchor file, ``delv`` treats ``trust-anchors``,
-   ``initial-key``, and ``static-key`` identically. That is, for a managed key,
+   Note: When reading the trust anchor file, ``delv`` treat ``trust-anchors``
+   ``initial-key`` and ``static-key`` identically. That is, for a managed key,
    it is the *initial* key that is trusted; :rfc:`5011` key management is not
-   supported. ``delv`` does not consult the managed-keys database maintained by
-   ``named``, which means that if either of the keys in ``/etc/bind.keys`` is
-   revoked and rolled over, ``/etc/bind.keys`` must be updated to
+   supported. ``delv`` will not consult the managed-keys database maintained by
+   ``named``. This means that if either of the keys in ``/etc/bind.keys`` is
+   revoked and rolled over, it will be necessary to update ``/etc/bind.keys`` to
    use DNSSEC validation in ``delv``.
 
-``-b address``
-   This option sets the source IP address of the query to ``address``. This must be
-   a valid address on one of the host's network interfaces, or ``0.0.0.0``,
-   or ``::``. An optional source port may be specified by appending
-   ``#<port>``
+**-b** address
+   Sets the source IP address of the query to ``address``. This must be
+   a valid address on one of the host's network interfaces or "0.0.0.0"
+   or "::". An optional source port may be specified by appending
+   "#<port>"
 
-``-c class``
-   This option sets the query class for the requested data. Currently, only class
+**-c** class
+   Sets the query class for the requested data. Currently, only class
    "IN" is supported in ``delv`` and any other value is ignored.
 
-``-d level``
-   This option sets the systemwide debug level to ``level``. The allowed range is
+**-d** level
+   Set the systemwide debug level to ``level``. The allowed range is
    from 0 to 99. The default is 0 (no debugging). Debugging traces from
    ``delv`` become more verbose as the debug level increases. See the
    ``+mtrace``, ``+rtrace``, and ``+vtrace`` options below for
    additional debugging details.
 
-``-h``
-   This option displays the ``delv`` help usage output and exits.
+**-h**
+   Display the ``delv`` help usage output and exit.
 
-``-i``
-   This option sets insecure mode, which disables internal DNSSEC validation. (Note,
-   however, that this does not set the CD bit on upstream queries. If the
-   server being queried is performing DNSSEC validation, then it does
+**-i**
+   Insecure mode. This disables internal DNSSEC validation. (Note,
+   however, this does not set the CD bit on upstream queries. If the
+   server being queried is performing DNSSEC validation, then it will
    not return invalid data; this can cause ``delv`` to time out. When it
    is necessary to examine invalid data to debug a DNSSEC problem, use
    ``dig +cd``.)
 
-``-m``
-   This option enables memory usage debugging.
+**-m**
+   Enables memory usage debugging.
 
-``-p port#``
-   This option specifies a destination port to use for queries, instead of the
-   standard DNS port number 53. This option is used with a name
+**-p** port#
+   Specifies a destination port to use for queries instead of the
+   standard DNS port number 53. This option would be used with a name
    server that has been configured to listen for queries on a
    non-standard port number.
 
-``-q name``
-   This option sets the query name to ``name``. While the query name can be
-   specified without using the ``-q`` option, it is sometimes necessary to
+**-q** name
+   Sets the query name to ``name``. While the query name can be
+   specified without using the ``-q``, it is sometimes necessary to
    disambiguate names from types or classes (for example, when looking
    up the name "ns", which could be misinterpreted as the type NS, or
    "ch", which could be misinterpreted as class CH).
 
-``-t type``
-   This option sets the query type to ``type``, which can be any valid query type
+**-t** type
+   Sets the query type to ``type``, which can be any valid query type
    supported in BIND 9 except for zone transfer types AXFR and IXFR. As
-   with ``-q``, this is useful to distinguish query-name types or classes
-   when they are ambiguous. It is sometimes necessary to disambiguate
+   with ``-q``, this is useful to distinguish query name type or class
+   when they are ambiguous. it is sometimes necessary to disambiguate
    names from types.
 
    The default query type is "A", unless the ``-x`` option is supplied
    to indicate a reverse lookup, in which case it is "PTR".
 
-``-v``
-   This option prints the ``delv`` version and exits.
+**-v**
+   Print the ``delv`` version and exit.
 
-``-x addr``
-   This option performs a reverse lookup, mapping an address to a name. ``addr``
+**-x** addr
+   Performs a reverse lookup, mapping an addresses to a name. ``addr``
    is an IPv4 address in dotted-decimal notation, or a colon-delimited
    IPv6 address. When ``-x`` is used, there is no need to provide the
-   ``name`` or ``type`` arguments; ``delv`` automatically performs a
+   ``name`` or ``type`` arguments. ``delv`` automatically performs a
    lookup for a name like ``11.12.13.10.in-addr.arpa`` and sets the
    query type to PTR. IPv6 addresses are looked up using nibble format
    under the IP6.ARPA domain.
 
-``-4``
-   This option forces ``delv`` to only use IPv4.
+**-4**
+   Forces ``delv`` to only use IPv4.
 
-``-6``
-   This option forces ``delv`` to only use IPv6.
+**-6**
+   Forces ``delv`` to only use IPv6.
 
 Query Options
 ~~~~~~~~~~~~~
@@ -206,122 +206,122 @@ assign values to options like the timeout interval. They have the form
 ``+keyword=value``. The query options are:
 
 ``+[no]cdflag``
-   This option controls whether to set the CD (checking disabled) bit in queries
+   Controls whether to set the CD (checking disabled) bit in queries
    sent by ``delv``. This may be useful when troubleshooting DNSSEC
    problems from behind a validating resolver. A validating resolver
-   blocks invalid responses, making it difficult to retrieve them
-   for analysis. Setting the CD flag on queries causes the resolver
+   will block invalid responses, making it difficult to retrieve them
+   for analysis. Setting the CD flag on queries will cause the resolver
    to return invalid responses, which ``delv`` can then validate
    internally and report the errors in detail.
 
 ``+[no]class``
-   This option controls whether to display the CLASS when printing a record. The
+   Controls whether to display the CLASS when printing a record. The
    default is to display the CLASS.
 
 ``+[no]ttl``
-   This option controls whether to display the TTL when printing a record. The
+   Controls whether to display the TTL when printing a record. The
    default is to display the TTL.
 
 ``+[no]rtrace``
-   This option toggles resolver fetch logging. This reports the name and type of each
+   Toggle resolver fetch logging. This reports the name and type of each
    query sent by ``delv`` in the process of carrying out the resolution
-   and validation process, including the original query
+   and validation process: this includes including the original query
    and all subsequent queries to follow CNAMEs and to establish a chain
    of trust for DNSSEC validation.
 
    This is equivalent to setting the debug level to 1 in the "resolver"
    logging category. Setting the systemwide debug level to 1 using the
-   ``-d`` option produces the same output, but affects other
-   logging categories as well.
+   ``-d`` option will product the same output (but will affect other
+   logging categories as well).
 
 ``+[no]mtrace``
-   This option toggles message logging. This produces a detailed dump of the
+   Toggle message logging. This produces a detailed dump of the
    responses received by ``delv`` in the process of carrying out the
    resolution and validation process.
 
    This is equivalent to setting the debug level to 10 for the "packets"
    module of the "resolver" logging category. Setting the systemwide
-   debug level to 10 using the ``-d`` option produces the same
-   output, but affects other logging categories as well.
+   debug level to 10 using the ``-d`` option will produce the same
+   output (but will affect other logging categories as well).
 
 ``+[no]vtrace``
-   This option toggles validation logging. This shows the internal process of the
+   Toggle validation logging. This shows the internal process of the
    validator as it determines whether an answer is validly signed,
    unsigned, or invalid.
 
    This is equivalent to setting the debug level to 3 for the
    "validator" module of the "dnssec" logging category. Setting the
-   systemwide debug level to 3 using the ``-d`` option produces the
-   same output, but affects other logging categories as well.
+   systemwide debug level to 3 using the ``-d`` option will produce the
+   same output (but will affect other logging categories as well).
 
 ``+[no]short``
-   This option toggles between verbose and terse answers. The default is to print the answer in a
+   Provide a terse answer. The default is to print the answer in a
    verbose form.
 
 ``+[no]comments``
-   This option toggles the display of comment lines in the output. The default is to
+   Toggle the display of comment lines in the output. The default is to
    print comments.
 
 ``+[no]rrcomments``
-   This option toggles the display of per-record comments in the output (for example,
+   Toggle the display of per-record comments in the output (for example,
    human-readable key information about DNSKEY records). The default is
    to print per-record comments.
 
 ``+[no]crypto``
-   This option toggles the display of cryptographic fields in DNSSEC records. The
-   contents of these fields are unnecessary to debug most DNSSEC
+   Toggle the display of cryptographic fields in DNSSEC records. The
+   contents of these field are unnecessary to debug most DNSSEC
    validation failures and removing them makes it easier to see the
-   common failures. The default is to display the fields. When omitted,
-   they are replaced by the string ``[omitted]`` or, in the DNSKEY case, the
-   key ID is displayed as the replacement, e.g. ``[ key id = value ]``.
+   common failures. The default is to display the fields. When omitted
+   they are replaced by the string "[omitted]" or in the DNSKEY case the
+   key id is displayed as the replacement, e.g. "[ key id = value ]".
 
 ``+[no]trust``
-   This option controls whether to display the trust level when printing a record.
+   Controls whether to display the trust level when printing a record.
    The default is to display the trust level.
 
 ``+[no]split[=W]``
-   This option splits long hex- or base64-formatted fields in resource records into
+   Split long hex- or base64-formatted fields in resource records into
    chunks of ``W`` characters (where ``W`` is rounded up to the nearest
    multiple of 4). ``+nosplit`` or ``+split=0`` causes fields not to be
    split at all. The default is 56 characters, or 44 characters when
    multiline mode is active.
 
 ``+[no]all``
-   This option sets or clears the display options ``+[no]comments``,
+   Set or clear the display options ``+[no]comments``,
    ``+[no]rrcomments``, and ``+[no]trust`` as a group.
 
 ``+[no]multiline``
-   This option prints long records (such as RRSIG, DNSKEY, and SOA records) in a
+   Print long records (such as RRSIG, DNSKEY, and SOA records) in a
    verbose multi-line format with human-readable comments. The default
    is to print each record on a single line, to facilitate machine
    parsing of the ``delv`` output.
 
 ``+[no]dnssec``
-   This option indicates whether to display RRSIG records in the ``delv`` output.
+   Indicates whether to display RRSIG records in the ``delv`` output.
    The default is to do so. Note that (unlike in ``dig``) this does
-   *not* control whether to request DNSSEC records or to
+   *not* control whether to request DNSSEC records or whether to
    validate them. DNSSEC records are always requested, and validation
-   always occurs unless suppressed by the use of ``-i`` or
+   will always occur unless suppressed by the use of ``-i`` or
    ``+noroot``.
 
 ``+[no]root[=ROOT]``
-   This option indicates whether to perform conventional DNSSEC validation, and if so,
+   Indicates whether to perform conventional DNSSEC validation, and if so,
    specifies the name of a trust anchor. The default is to validate using a
    trust anchor of "." (the root zone), for which there is a built-in key. If
    specifying a different trust anchor, then ``-a`` must be used to specify a
    file containing the key.
 
 ``+[no]tcp``
-   This option controls whether to use TCP when sending queries. The default is to
+   Controls whether to use TCP when sending queries. The default is to
    use UDP unless a truncated response has been received.
 
 ``+[no]unknownformat``
-   This option prints all RDATA in unknown RR-type presentation format (:rfc:`3597`).
+   Print all RDATA in unknown RR type presentation format (:rfc:`3597`).
    The default is to print RDATA for known types in the type's
    presentation format.
 
 ``+[no]yaml``
-   This option prints response data in YAML format.
+   Print response data in YAML format.
 
 Files
 ~~~~~

bin/delv/win32/delv.vcxproj.in

@@ -75,7 +75,7 @@
       <GenerateDebugInformation>true</GenerateDebugInformation>
       <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
       <AdditionalLibraryDirectories>..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\irs\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
-      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;libdns.lib;libisccfg.lib;libirs.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>@OPENSSL_LIB@libisc.lib;libdns.lib;libisccfg.lib;libirs.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
     </Link>
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
@@ -107,26 +107,12 @@
       <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
       <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
       <AdditionalLibraryDirectories>..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\irs\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
-      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;libdns.lib;libisccfg.lib;libirs.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>@OPENSSL_LIB@libisc.lib;libdns.lib;libisccfg.lib;libirs.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
     </Link>
   </ItemDefinitionGroup>
   <ItemGroup>
     <ClCompile Include="..\delv.c" />
   </ItemGroup>
-  <ItemGroup>
-    <ProjectReference Include="..\..\..\lib\isc\win32\libisc.vcxproj">
-      <Project>{3840E563-D180-4761-AA9C-E6155F02EAFF}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\dns\win32\libdns.vcxproj">
-      <Project>{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\isccfg\win32\libisccfg.vcxproj">
-      <Project>{B2DFA58C-6347-478E-81E8-01E06999D4F1}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\irs\win32\libirs.vcxproj">
-      <Project>{A4F29CEB-7644-4A7F-BE9E-02B6A90E4919}</Project>
-    </ProjectReference>
-  </ItemGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">
   </ImportGroup>

bin/dig/Makefile.am

@@ -1,39 +0,0 @@
-include $(top_srcdir)/Makefile.top
-
-AM_CPPFLAGS +=			\
-	$(LIBISC_CFLAGS)	\
-	$(LIBDNS_CFLAGS)	\
-	$(LIBISCCFG_CFLAGS)	\
-	$(LIBIRS_CFLAGS)	\
-	$(LIBBIND9_CFLAGS)	\
-	$(LIBIDN2_CFLAGS)
-
-LDADD =				\
-	libdighost.la		\
-	$(LIBISC_LIBS)		\
-	$(LIBDNS_LIBS)		\
-	$(LIBISCCFG_LIBS)	\
-	$(LIBIRS_LIBS)		\
-	$(LIBBIND9_LIBS)	\
-	$(LIBIDN2_LIBS)
-
-noinst_LTLIBRARIES = libdighost.la
-
-libdighost_la_SOURCES = \
-	dighost.h	\
-	dighost.c
-
-bin_PROGRAMS = dig host nslookup
-
-nslookup_CPPFLAGS =		\
-	$(AM_CPPFLAGS)
-
-nslookup_LDADD =		\
-	$(LDADD)
-
-if HAVE_READLINE
-nslookup_CPPFLAGS +=		\
-	$(READLINE_CFLAGS)
-nslookup_LDADD +=		\
-	$(READLINE_LIBS)
-endif HAVE_READLINE

bin/dig/Makefile.in

@@ -0,0 +1,96 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+READLINE_LIB = @READLINE_LIB@
+
+CINCLUDES =	-I${srcdir}/include ${DNS_INCLUDES} \
+		${BIND9_INCLUDES} ${ISC_INCLUDES} \
+		${IRS_INCLUDES} ${ISCCFG_INCLUDES} @LIBIDN2_CFLAGS@ \
+		${OPENSSL_CFLAGS}
+
+CDEFINES =	-DVERSION=\"${VERSION}\"
+CWARNINGS =
+
+ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
+DNSLIBS =	../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+BIND9LIBS =	../../lib/bind9/libbind9.@A@
+ISCLIBS =	../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@
+IRSLIBS =	../../lib/irs/libirs.@A@
+
+ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@
+DNSDEPLIBS =	../../lib/dns/libdns.@A@
+BIND9DEPLIBS =	../../lib/bind9/libbind9.@A@
+ISCDEPLIBS =	../../lib/isc/libisc.@A@
+IRSDEPLIBS =	../../lib/irs/libirs.@A@
+
+DEPLIBS =	${DNSDEPLIBS} ${IRSDEPLIBS} ${BIND9DEPLIBS} \
+		${ISCDEPLIBS} ${ISCCFGDEPLIBS}
+
+LIBS =		${DNSLIBS} ${IRSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \
+		${ISCLIBS} @LIBIDN2_LIBS@ @LIBS@
+
+NOSYMLIBS =	${DNSLIBS} ${IRSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \
+		${ISCNOSYMLIBS} @LIBIDN2_LIBS@ @LIBS@
+
+SUBDIRS =
+
+TARGETS =	dig@EXEEXT@ host@EXEEXT@ nslookup@EXEEXT@
+
+OBJS =		dig.@O@ dighost.@O@ host.@O@ nslookup.@O@
+
+UOBJS =
+
+SRCS =		dig.c dighost.c host.c nslookup.c
+
+@BIND9_MAKE_RULES@
+
+LDFLAGS =	@LDFLAGS@ @LIBIDN2_LDFLAGS@
+
+dig@EXEEXT@: dig.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
+	export BASEOBJS="dig.@O@ dighost.@O@ ${UOBJS}"; \
+	export LIBS0="${DNSLIBS} ${IRSLIBS}"; \
+	${FINALBUILDCMD}
+
+host@EXEEXT@: host.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
+	export BASEOBJS="host.@O@ dighost.@O@ ${UOBJS}"; \
+	export LIBS0="${DNSLIBS} ${IRSLIBS}"; \
+	${FINALBUILDCMD}
+
+nslookup@EXEEXT@: nslookup.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
+	export BASEOBJS="nslookup.@O@ dighost.@O@ ${READLINE_LIB} ${UOBJS}"; \
+	export LIBS0="${DNSLIBS} ${IRSLIBS}"; \
+	${FINALBUILDCMD}
+
+clean distclean maintainer-clean::
+	rm -f ${TARGETS}
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir}
+
+install:: dig@EXEEXT@ host@EXEEXT@ nslookup@EXEEXT@ installdirs
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
+		dig@EXEEXT@ ${DESTDIR}${bindir}
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
+		host@EXEEXT@ ${DESTDIR}${bindir}
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
+		nslookup@EXEEXT@ ${DESTDIR}${bindir}
+
+uninstall::
+	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${bindir}/nslookup@EXEEXT@
+	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${bindir}/host@EXEEXT@
+	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${bindir}/dig@EXEEXT@

bin/dig/dig.rst

@@ -3,7 +3,7 @@
    
    This Source Code Form is subject to the terms of the Mozilla Public
    License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, you can obtain one at https://mozilla.org/MPL/2.0/.
+   file, You can obtain one at http://mozilla.org/MPL/2.0/.
    
    See the COPYRIGHT file distributed with this work for additional
    information regarding copyright ownership.
@@ -40,33 +40,33 @@ Description
 ``dig`` is a flexible tool for interrogating DNS name servers. It
 performs DNS lookups and displays the answers that are returned from the
 name server(s) that were queried. Most DNS administrators use ``dig`` to
-troubleshoot DNS problems because of its flexibility, ease of use, and
+troubleshoot DNS problems because of its flexibility, ease of use and
 clarity of output. Other lookup tools tend to have less functionality
 than ``dig``.
 
 Although ``dig`` is normally used with command-line arguments, it also
 has a batch mode of operation for reading lookup requests from a file. A
 brief summary of its command-line arguments and options is printed when
-the ``-h`` option is given. The BIND 9
+the ``-h`` option is given. Unlike earlier versions, the BIND 9
 implementation of ``dig`` allows multiple lookups to be issued from the
 command line.
 
-Unless it is told to query a specific name server, ``dig`` tries each
+Unless it is told to query a specific name server, ``dig`` will try each
 of the servers listed in ``/etc/resolv.conf``. If no usable server
-addresses are found, ``dig`` sends the query to the local host.
+addresses are found, ``dig`` will send the query to the local host.
 
-When no command-line arguments or options are given, ``dig``
-performs an NS query for "." (the root).
+When no command line arguments or options are given, ``dig`` will
+perform an NS query for "." (the root).
 
 It is possible to set per-user defaults for ``dig`` via
 ``${HOME}/.digrc``. This file is read and any options in it are applied
-before the command-line arguments. The ``-r`` option disables this
-feature, for scripts that need predictable behavior.
+before the command line arguments. The ``-r`` option disables this
+feature, for scripts that need predictable behaviour.
 
-The IN and CH class names overlap with the IN and CH top-level domain
+The IN and CH class names overlap with the IN and CH top level domain
 names. Either use the ``-t`` and ``-c`` options to specify the type and
-class, use the ``-q`` to specify the domain name, or use "IN." and
-"CH." when looking up these top-level domains.
+class, use the ``-q`` the specify the domain name, or use "IN." and
+"CH." when looking up these top level domains.
 
 Simple Usage
 ~~~~~~~~~~~~
@@ -90,110 +90,110 @@ where:
    ``/etc/resolv.conf``; if an address is found there, it queries the
    name server at that address. If either of the ``-4`` or ``-6``
    options are in use, then only addresses for the corresponding
-   transport are tried. If no usable addresses are found, ``dig``
-   sends the query to the local host. The reply from the name server
+   transport will be tried. If no usable addresses are found, ``dig``
+   will send the query to the local host. The reply from the name server
    that responds is displayed.
 
 ``name``
    is the name of the resource record that is to be looked up.
 
 ``type``
-   indicates what type of query is required - ANY, A, MX, SIG, etc.
+   indicates what type of query is required MDASH ANY, A, MX, SIG, etc.
    ``type`` can be any valid query type. If no ``type`` argument is
-   supplied, ``dig`` performs a lookup for an A record.
+   supplied, ``dig`` will perform a lookup for an A record.
 
 Options
 ~~~~~~~
 
-``-4``
-   This option indicates that only IPv4 should be used.
+**-4**
+   Use IPv4 only.
 
-``-6``
-   This option indicates that only IPv6 should be used.
+**-6**
+   Use IPv6 only.
 
-``-b address[#port]``
-   This option sets the source IP address of the query. The ``address`` must be a
+**-b** address[#port]
+   Set the source IP address of the query. The ``address`` must be a
    valid address on one of the host's network interfaces, or "0.0.0.0"
-   or "::". An optional port may be specified by appending ``#port``.
+   or "::". An optional port may be specified by appending "#<port>"
 
-``-c class``
-   This option sets the query class. The default ``class`` is IN; other classes are
+**-c** class
+   Set the query class. The default ``class`` is IN; other classes are
    HS for Hesiod records or CH for Chaosnet records.
 
-``-f file``
-   This option sets batch mode, in which ``dig`` reads a list of lookup requests to process from
+**-f** file
+   Batch mode: ``dig`` reads a list of lookup requests to process from
    the given ``file``. Each line in the file should be organized in the
-   same way it would be presented as a query to ``dig`` using the
+   same way they would be presented as queries to ``dig`` using the
    command-line interface.
 
-``-k keyfile``
-   This option tells ``named`` to sign queries using TSIG using a key read from the given file. Key
-   files can be generated using ``tsig-keygen``. When using TSIG
+**-k** keyfile
+   Sign queries using TSIG using a key read from the given file. Key
+   files can be generated using tsig-keygen8. When using TSIG
    authentication with ``dig``, the name server that is queried needs to
    know the key and algorithm that is being used. In BIND, this is done
    by providing appropriate ``key`` and ``server`` statements in
    ``named.conf``.
 
-``-m``
-   This option enables memory usage debugging.
+**-m**
+   Enable memory usage debugging.
 
-``-p port``
-   This option sends the query to a non-standard port on the server, instead of the
-   default port 53. This option is used to test a name server that
+**-p** port
+   Send the query to a non-standard port on the server, instead of the
+   default port 53. This option would be used to test a name server that
    has been configured to listen for queries on a non-standard port
    number.
 
-``-q name``
-   This option specifies the domain name to query. This is useful to distinguish the ``name``
+**-q** name
+   The domain name to query. This is useful to distinguish the ``name``
    from other arguments.
 
-``-r``
-   This option indicates that options from ``${HOME}/.digrc`` should not be read. This is useful for
-   scripts that need predictable behavior.
+**-r**
+   Do not read options from ``${HOME}/.digrc``. This is useful for
+   scripts that need predictable behaviour.
 
-``-t type``
-   This option indicates the resource record type to query, which can be any valid query type. If
+**-t** type
+   The resource record type to query. It can be any valid query type. If
    it is a resource record type supported in BIND 9, it can be given by
-   the type mnemonic (such as ``NS`` or ``AAAA``). The default query type is
-   ``A``, unless the ``-x`` option is supplied to indicate a reverse
+   the type mnemonic (such as "NS" or "AAAA"). The default query type is
+   "A", unless the ``-x`` option is supplied to indicate a reverse
    lookup. A zone transfer can be requested by specifying a type of
    AXFR. When an incremental zone transfer (IXFR) is required, set the
-   ``type`` to ``ixfr=N``. The incremental zone transfer contains
-   all changes made to the zone since the serial number in the zone's
+   ``type`` to ``ixfr=N``. The incremental zone transfer will contain
+   the changes made to the zone since the serial number in the zone's
    SOA record was ``N``.
 
-   All resource record types can be expressed as ``TYPEnn``, where ``nn`` is
+   All resource record types can be expressed as "TYPEnn", where "nn" is
    the number of the type. If the resource record type is not supported
-   in BIND 9, the result is displayed as described in :rfc:`3597`.
+   in BIND 9, the result will be displayed as described in :rfc:`3597`.
 
-``-u``
-   This option indicates that print query times should be provided in microseconds instead of milliseconds.
+**-u**
+   Print query times in microseconds instead of milliseconds.
 
-``-v``
-   This option prints the version number and exits.
+**-v**
+   Print the version number and exit.
 
-``-x addr``
-   This option sets simplified reverse lookups, for mapping addresses to names. The
+**-x** addr
+   Simplified reverse lookups, for mapping addresses to names. The
    ``addr`` is an IPv4 address in dotted-decimal notation, or a
-   colon-delimited IPv6 address. When the ``-x`` option is used, there is no
-   need to provide the ``name``, ``class``, and ``type`` arguments.
+   colon-delimited IPv6 address. When the ``-x`` is used, there is no
+   need to provide the ``name``, ``class`` and ``type`` arguments.
    ``dig`` automatically performs a lookup for a name like
    ``94.2.0.192.in-addr.arpa`` and sets the query type and class to PTR
    and IN respectively. IPv6 addresses are looked up using nibble format
    under the IP6.ARPA domain.
 
-``-y [hmac:]keyname:secret``
-   This option signs queries using TSIG with the given authentication key.
-   ``keyname`` is the name of the key, and ``secret`` is the
-   base64-encoded shared secret. ``hmac`` is the name of the key algorithm;
+**-y** [hmac:]keyname:secret
+   Sign queries using TSIG with the given authentication key.
+   ``keyname`` is the name of the key, and ``secret`` is the base64
+   encoded shared secret. ``hmac`` is the name of the key algorithm;
    valid choices are ``hmac-md5``, ``hmac-sha1``, ``hmac-sha224``,
    ``hmac-sha256``, ``hmac-sha384``, or ``hmac-sha512``. If ``hmac`` is
-   not specified, the default is ``hmac-md5``; if MD5 was disabled, the default is
+   not specified, the default is ``hmac-md5`` or if MD5 was disabled
    ``hmac-sha256``.
 
-.. note:: Only the ``-k`` option should be used, rather than the ``-y`` option,
-   because with ``-y`` the shared secret is supplied as a command-line
-   argument in clear text. This may be visible in the output from ``ps1`` or
+.. note:: You should use the ``-k`` option and avoid the ``-y`` option,
+   because with ``-y`` the shared secret is supplied as a command line
+   argument in clear text. This may be visible in the output from ps1 or
    in a history file maintained by the user's shell.
 
 Query Options
@@ -206,324 +206,293 @@ answer get printed, and others determine the timeout and retry
 strategies.
 
 Each query option is identified by a keyword preceded by a plus sign
-(``+``). Some keywords set or reset an option; these may be preceded by
+(``+``). Some keywords set or reset an option. These may be preceded by
 the string ``no`` to negate the meaning of that keyword. Other keywords
-assign values to options, like the timeout interval. They have the form
+assign values to options like the timeout interval. They have the form
 ``+keyword=value``. Keywords may be abbreviated, provided the
 abbreviation is unambiguous; for example, ``+cd`` is equivalent to
 ``+cdflag``. The query options are:
 
 ``+[no]aaflag``
-   This option is a synonym for ``+[no]aaonly``.
+   A synonym for ``+[no]aaonly``.
 
 ``+[no]aaonly``
-   This option sets the ``aa`` flag in the query.
+   Sets the "aa" flag in the query.
 
 ``+[no]additional``
-   This option displays [or does not display] the additional section of a reply. The
+   Display [do not display] the additional section of a reply. The
    default is to display it.
 
 ``+[no]adflag``
-   This option sets [or does not set] the AD (authentic data) bit in the query. This
+   Set [do not set] the AD (authentic data) bit in the query. This
    requests the server to return whether all of the answer and authority
-   sections have been validated as secure, according to the security
-   policy of the server. ``AD=1`` indicates that all records have been
-   validated as secure and the answer is not from a OPT-OUT range. ``AD=0``
-   indicates that some part of the answer was insecure or not validated.
+   sections have all been validated as secure according to the security
+   policy of the server. AD=1 indicates that all records have been
+   validated as secure and the answer is not from a OPT-OUT range. AD=0
+   indicate that some part of the answer was insecure or not validated.
    This bit is set by default.
 
 ``+[no]all``
-   This option sets or clears all display flags.
+   Set or clear all display flags.
 
 ``+[no]answer``
-   This option displays [or does not display] the answer section of a reply. The default
+   Display [do not display] the answer section of a reply. The default
    is to display it.
 
 ``+[no]authority``
-   This option displays [or does not display] the authority section of a reply. The
+   Display [do not display] the authority section of a reply. The
    default is to display it.
 
 ``+[no]badcookie``
-   This option retries the lookup with a new server cookie if a BADCOOKIE response is
+   Retry lookup with the new server cookie if a BADCOOKIE response is
    received.
 
 ``+[no]besteffort``
-   This option attempts to display the contents of messages which are malformed. The
+   Attempt to display the contents of messages which are malformed. The
    default is to not display malformed answers.
 
-``+bufsize[=B]``
-   This option sets the UDP message buffer size advertised using EDNS0 to
-   ``B`` bytes.  The maximum and minimum sizes of this buffer are 65535 and
-   0, respectively.  ``+bufsize`` restores the default buffer size.
+``+bufsize=B``
+   Set the UDP message buffer size advertised using EDNS0 to ``B``
+   bytes. The maximum and minimum sizes of this buffer are 65535 and 0
+   respectively. Values outside this range are rounded up or down
+   appropriately. Values other than zero will cause a EDNS query to be
+   sent.
 
 ``+[no]cdflag``
-   This option sets [or does not set] the CD (checking disabled) bit in the query. This
+   Set [do not set] the CD (checking disabled) bit in the query. This
    requests the server to not perform DNSSEC validation of responses.
 
 ``+[no]class``
-   This option displays [or does not display] the CLASS when printing the record.
+   Display [do not display] the CLASS when printing the record.
 
 ``+[no]cmd``
-   This option toggles the printing of the initial comment in the output, identifying the
-   version of ``dig`` and the query options that have been applied. This option
-   always has a global effect; it cannot be set globally and then overridden on a
-   per-lookup basis. The default is to print this comment.
+   Toggles the printing of the initial comment in the output, identifying the
+   version of ``dig`` and the query options that have been applied.  This option
+   always has global effect; it cannot be set globally and then overridden on a
+   per-lookup basis.  The default is to print this comment.
 
 ``+[no]comments``
-   This option toggles the display of some comment lines in the output, with
+   Toggles the display of some comment lines in the output, containing
    information about the packet header and OPT pseudosection, and the names of
-   the response section. The default is to print these comments.
+   the response section.  The default is to print these comments.
 
    Other types of comments in the output are not affected by this option, but
-   can be controlled using other command-line switches. These include
+   can be controlled using other command line switches. These include
    ``+[no]cmd``, ``+[no]question``, ``+[no]stats``, and ``+[no]rrcomments``.
 
 ``+[no]cookie=####``
-   This option sends [or does not send] a COOKIE EDNS option, with an optional value. Replaying a COOKIE
-   from a previous response allows the server to identify a previous
+   Send a COOKIE EDNS option, with optional value. Replaying a COOKIE
+   from a previous response will allow the server to identify a previous
    client. The default is ``+cookie``.
 
-   ``+cookie`` is also set when ``+trace`` is set to better emulate the
+   ``+cookie`` is also set when +trace is set to better emulate the
    default queries from a nameserver.
 
 ``+[no]crypto``
-   This option toggles the display of cryptographic fields in DNSSEC records. The
-   contents of these fields are unnecessary for debugging most DNSSEC
+   Toggle the display of cryptographic fields in DNSSEC records. The
+   contents of these field are unnecessary to debug most DNSSEC
    validation failures and removing them makes it easier to see the
-   common failures. The default is to display the fields. When omitted,
-   they are replaced by the string ``[omitted]`` or, in the DNSKEY case, the
-   key ID is displayed as the replacement, e.g. ``[ key id = value ]``.
+   common failures. The default is to display the fields. When omitted
+   they are replaced by the string "[omitted]" or in the DNSKEY case the
+   key id is displayed as the replacement, e.g. "[ key id = value ]".
 
 ``+[no]defname``
-   This option, which is deprecated, is treated as a synonym for ``+[no]search``.
-
-``+[no]dns64prefix``
-   Lookup IPV4ONLY.ARPA AAAA and print any DNS64 prefixes found.
+   Deprecated, treated as a synonym for ``+[no]search``
 
 ``+[no]dnssec``
-   This option requests that DNSSEC records be sent by setting the DNSSEC OK (DO) bit in
+   Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO) in
    the OPT record in the additional section of the query.
 
 ``+domain=somename``
-   This option sets the search list to contain the single domain ``somename``, as if
+   Set the search list to contain the single domain ``somename``, as if
    specified in a ``domain`` directive in ``/etc/resolv.conf``, and
-   enables search list processing as if the ``+search`` option were
+   enable search list processing as if the ``+search`` option were
    given.
 
 ``+dscp=value``
-   This option sets the DSCP code point to be used when sending the query. Valid DSCP
-   code points are in the range [0...63]. By default no code point is
+   Set the DSCP code point to be used when sending the query. Valid DSCP
+   code points are in the range [0..63]. By default no code point is
    explicitly set.
 
 ``+[no]edns[=#]``
-   This option specifies the EDNS version to query with. Valid values are 0 to 255.
-   Setting the EDNS version causes an EDNS query to be sent.
+   Specify the EDNS version to query with. Valid values are 0 to 255.
+   Setting the EDNS version will cause a EDNS query to be sent.
    ``+noedns`` clears the remembered EDNS version. EDNS is set to 0 by
    default.
 
 ``+[no]ednsflags[=#]``
-   This option sets the must-be-zero EDNS flags bits (Z bits) to the specified value.
-   Decimal, hex, and octal encodings are accepted. Setting a named flag
-   (e.g., DO) is silently ignored. By default, no Z bits are set.
+   Set the must-be-zero EDNS flags bits (Z bits) to the specified value.
+   Decimal, hex and octal encodings are accepted. Setting a named flag
+   (e.g. DO) will silently be ignored. By default, no Z bits are set.
 
 ``+[no]ednsnegotiation``
-   This option enables/disables EDNS version negotiation. By default, EDNS version
+   Enable / disable EDNS version negotiation. By default EDNS version
    negotiation is enabled.
 
 ``+[no]ednsopt[=code[:value]]``
-   This option specifies the EDNS option with code point ``code`` and an optional payload
+   Specify EDNS option with code point ``code`` and optionally payload
    of ``value`` as a hexadecimal string. ``code`` can be either an EDNS
-   option name (for example, ``NSID`` or ``ECS``) or an arbitrary
+   option name (for example, ``NSID`` or ``ECS``), or an arbitrary
    numeric value. ``+noednsopt`` clears the EDNS options to be sent.
 
 ``+[no]expire``
-   This option sends an EDNS Expire option.
+   Send an EDNS Expire option.
 
 ``+[no]fail``
-   This option indicates that ``named`` should try [or not try] the next server if a SERVFAIL is received. The default is
-   to not try the next server, which is the reverse of normal stub
+   Do not try the next server if you receive a SERVFAIL. The default is
+   to not try the next server which is the reverse of normal stub
    resolver behavior.
 
 ``+[no]header-only``
-   This option sends a query with a DNS header without a question section. The
+   Send a query with a DNS header without a question section. The
    default is to add a question section. The query type and query name
    are ignored when this is set.
 
-``+[no]https[=value]``
-   This option indicates whether to use DNS-over-HTTPS (DoH) when querying
-   name servers.  When this option is in use, the port number defaults to 443.
-   The HTTP POST request mode is used when sending the query.
-
-   If ``value`` is specified, it will be used as the HTTP endpoint in the
-   query URI; the default is ``/dns-query``. So, for example, ``dig
-   @example.com +https`` will use the URI ``https://example.com/dns-query``.
-
-``+[no]https-get[=value]``
-   Similar to ``+https``, except that the HTTP GET request mode is used
-   when sending the query.
-
-``+[no]https-post[=value]``
-   Same as ``+https``.
-
-``+[no]http-plain[=value]``
-   Similar to ``+https``, except that HTTP queries will be sent over a
-   non-encrypted channel. When this option is in use, the port number
-   defaults to 80 and the HTTP request mode is POST.
-
-``+[no]http-plain-get[=value]``
-   Similar to ``+http-plain``, except that the HTTP request mode is GET.
-
-``+[no]http-plain-post[=value]``
-   Same as ``+http-plain``.
-
 ``+[no]identify``
-   This option shows [or does not show] the IP address and port number that
-   supplied the answer, when the ``+short`` option is enabled. If short
-   form answers are requested, the default is not to show the source
-   address and port number of the server that provided the answer.
+   Show [or do not show] the IP address and port number that supplied
+   the answer when the ``+short`` option is enabled. If short form
+   answers are requested, the default is not to show the source address
+   and port number of the server that provided the answer.
 
 ``+[no]idnin``
-   This option processes [or does not process] IDN domain names on input. This requires
-   ``IDN SUPPORT`` to have been enabled at compile time.
+   Process [do not process] IDN domain names on input. This requires IDN
+   SUPPORT to have been enabled at compile time.
 
    The default is to process IDN input when standard output is a tty.
-   The IDN processing on input is disabled when ``dig`` output is redirected
+   The IDN processing on input is disabled when dig output is redirected
    to files, pipes, and other non-tty file descriptors.
 
 ``+[no]idnout``
-   This option converts [or does not convert] puny code on output. This requires
-   ``IDN SUPPORT`` to have been enabled at compile time.
+   Convert [do not convert] puny code on output. This requires IDN
+   SUPPORT to have been enabled at compile time.
 
    The default is to process puny code on output when standard output is
-   a tty. The puny code processing on output is disabled when ``dig`` output
+   a tty. The puny code processing on output is disabled when dig output
    is redirected to files, pipes, and other non-tty file descriptors.
 
 ``+[no]ignore``
-   This option ignores [or does not ignore] truncation in UDP responses instead of retrying with TCP. By
+   Ignore truncation in UDP responses instead of retrying with TCP. By
    default, TCP retries are performed.
 
 ``+[no]keepalive``
-   This option sends [or does not send] an EDNS Keepalive option.
+   Send [or do not send] an EDNS Keepalive option.
 
 ``+[no]keepopen``
-   This option keeps [or does not keep] the TCP socket open between queries, and reuses it rather than
+   Keep the TCP socket open between queries and reuse it rather than
    creating a new TCP socket for each lookup. The default is
    ``+nokeepopen``.
 
 ``+[no]mapped``
-   This option allows [or does not allow] mapped IPv4-over-IPv6 addresses to be used. The default is
+   Allow mapped IPv4 over IPv6 addresses to be used. The default is
    ``+mapped``.
 
 ``+[no]multiline``
-   This option prints [or does not print] records, like the SOA records, in a verbose multi-line format
+   Print records like the SOA records in a verbose multi-line format
    with human-readable comments. The default is to print each record on
-   a single line to facilitate machine parsing of the ``dig`` output.
+   a single line, to facilitate machine parsing of the ``dig`` output.
 
 ``+ndots=D``
-   This option sets the number of dots (``D``) that must appear in ``name`` for
+   Set the number of dots that have to appear in ``name`` to ``D`` for
    it to be considered absolute. The default value is that defined using
-   the ``ndots`` statement in ``/etc/resolv.conf``, or 1 if no ``ndots``
+   the ndots statement in ``/etc/resolv.conf``, or 1 if no ndots
    statement is present. Names with fewer dots are interpreted as
-   relative names, and are searched for in the domains listed in the
+   relative names and will be searched for in the domains listed in the
    ``search`` or ``domain`` directive in ``/etc/resolv.conf`` if
    ``+search`` is set.
 
 ``+[no]nsid``
-   When enabled, this option includes an EDNS name server ID request when sending a query.
+   Include an EDNS name server ID request when sending a query.
 
 ``+[no]nssearch``
    When this option is set, ``dig`` attempts to find the authoritative
-   name servers for the zone containing the name being looked up, and
+   name servers for the zone containing the name being looked up and
    display the SOA record that each name server has for the zone.
-   Addresses of servers that did not respond are also printed.
+   Addresses of servers that that did not respond are also printed.
 
 ``+[no]onesoa``
-   When enabled, this option prints only one (starting) SOA record when performing an AXFR. The
+   Print only one (starting) SOA record when performing an AXFR. The
    default is to print both the starting and ending SOA records.
 
 ``+[no]opcode=value``
-   When enabled, this option sets (restores) the DNS message opcode to the specified value. The
+   Set [restore] the DNS message opcode to the specified value. The
    default value is QUERY (0).
 
 ``+padding=value``
-   This option pads the size of the query packet using the EDNS Padding option to
-   blocks of ``value`` bytes. For example, ``+padding=32`` causes a
+   Pad the size of the query packet using the EDNS Padding option to
+   blocks of ``value`` bytes. For example, ``+padding=32`` would cause a
    48-byte query to be padded to 64 bytes. The default block size is 0,
-   which disables padding; the maximum is 512. Values are ordinarily
+   which disables padding. The maximum is 512. Values are ordinarily
    expected to be powers of two, such as 128; however, this is not
    mandatory. Responses to padded queries may also be padded, but only
    if the query uses TCP or DNS COOKIE.
 
-``+qid=value``
-   This option specifies the query ID to use when sending queries.
-
 ``+[no]qr``
-   This option toggles the display of the query message as it is sent. By default, the query
+   Toggles the display of the query message as it is sent. By default, the query
    is not printed.
 
 ``+[no]question``
-   This option toggles the display of the question section of a query when an answer is
-   returned. The default is to print the question section as a comment.
+   Toggles the display of the question section of a query when an answer is
+   returned.  The default is to print the question section as a comment.
 
 ``+[no]raflag``
-   This option sets [or does not set] the RA (Recursion Available) bit in the query. The
-   default is ``+noraflag``. This bit is ignored by the server for
+   Set [do not set] the RA (Recursion Available) bit in the query. The
+   default is +noraflag. This bit should be ignored by the server for
    QUERY.
 
 ``+[no]rdflag``
-   This option is a synonym for ``+[no]recurse``.
+   A synonym for ``+[no]recurse``.
 
 ``+[no]recurse``
-   This option toggles the setting of the RD (recursion desired) bit in the query.
+   Toggle the setting of the RD (recursion desired) bit in the query.
    This bit is set by default, which means ``dig`` normally sends
    recursive queries. Recursion is automatically disabled when the
-   ``+nssearch`` or ``+trace`` query option is used.
+   ``+nssearch`` or ``+trace`` query options are used.
 
 ``+retry=T``
-   This option sets the number of times to retry UDP and TCP queries to server to ``T``
-   instead of the default, 2.  Unlike ``+tries``, this does not include
+   Sets the number of times to retry UDP queries to server to ``T``
+   instead of the default, 2. Unlike ``+tries``, this does not include
    the initial query.
 
 ``+[no]rrcomments``
-   This option toggles the display of per-record comments in the output (for example,
+   Toggle the display of per-record comments in the output (for example,
    human-readable key information about DNSKEY records). The default is
    not to print record comments unless multiline mode is active.
 
 ``+[no]search``
-   This option uses [or does not use] the search list defined by the searchlist or domain
-   directive in ``resolv.conf``, if any. The search list is not used by
+   Use [do not use] the search list defined by the searchlist or domain
+   directive in ``resolv.conf`` (if any). The search list is not used by
    default.
 
-   ``ndots`` from ``resolv.conf`` (default 1), which may be overridden by
-   ``+ndots``, determines whether the name is treated as relative
-   and hence whether a search is eventually performed.
+   'ndots' from ``resolv.conf`` (default 1) which may be overridden by
+   ``+ndots`` determines if the name will be treated as relative or not
+   and hence whether a search is eventually performed or not.
 
 ``+[no]short``
-   This option toggles whether a terse answer is provided. The default is to print the answer in a verbose
-   form. This option always has a global effect; it cannot be set globally and
+   Provide a terse answer.  The default is to print the answer in a verbose
+   form.  This option always has global effect; it cannot be set globally and
    then overridden on a per-lookup basis.
 
 ``+[no]showsearch``
-   This option performs [or does not perform] a search showing intermediate results.
+   Perform [do not perform] a search showing intermediate results.
 
 ``+[no]sigchase``
    This feature is now obsolete and has been removed; use ``delv``
    instead.
 
 ``+split=W``
-   This option splits long hex- or base64-formatted fields in resource records into
+   Split long hex- or base64-formatted fields in resource records into
    chunks of ``W`` characters (where ``W`` is rounded up to the nearest
    multiple of 4). ``+nosplit`` or ``+split=0`` causes fields not to be
    split at all. The default is 56 characters, or 44 characters when
    multiline mode is active.
 
 ``+[no]stats``
-   This option toggles the printing of statistics: when the query was made, the size of the
-   reply, etc. The default behavior is to print the query statistics as a
+   Toggles the printing of statistics: when the query was made, the size of the
+   reply and so on.  The default behavior is to print the query statistics as a
    comment after each lookup.
 
 ``+[no]subnet=addr[/prefix-length]``
-   This option sends [or does not send] an EDNS CLIENT-SUBNET option with the specified IP
+   Send (don't send) an EDNS Client Subnet option with the specified IP
    address or network prefix.
 
    ``dig +subnet=0.0.0.0/0``, or simply ``dig +subnet=0`` for short,
@@ -532,75 +501,75 @@ abbreviation is unambiguous; for example, ``+cd`` is equivalent to
    address information must *not* be used when resolving this query.
 
 ``+[no]tcflag``
-   This option sets [or does not set] the TC (TrunCation) bit in the query. The default is
-   ``+notcflag``. This bit is ignored by the server for QUERY.
+   Set [do not set] the TC (TrunCation) bit in the query. The default is
+   +notcflag. This bit should be ignored by the server for QUERY.
 
 ``+[no]tcp``
-   This option indicates whether to use TCP when querying name servers.
-   The default behavior is to use UDP unless a type ``any`` or ``ixfr=N``
-   query is requested, in which case the default is TCP. AXFR queries
-   always use TCP.
+   Use [do not use] TCP when querying name servers. The default behavior
+   is to use UDP unless a type ``any`` or ``ixfr=N`` query is requested,
+   in which case the default is TCP. AXFR queries always use TCP.
 
 ``+timeout=T``
-   This option sets the timeout for a query to ``T`` seconds. The default timeout is
-   5 seconds. An attempt to set ``T`` to less than 1 is silently set to 1.
-
-``+[no]tls``
-   This option indicates whether to use DNS-over-TLS (DoT) when querying
-   name servers. When this option is in use, the port number defaults
-   to 853.
+   Sets the timeout for a query to ``T`` seconds. The default timeout is
+   5 seconds. An attempt to set ``T`` to less than 1 will result in a
+   query timeout of 1 second being applied.
 
 ``+[no]topdown``
    This feature is related to ``dig +sigchase``, which is obsolete and
    has been removed. Use ``delv`` instead.
 
 ``+[no]trace``
-   This option toggles tracing of the delegation path from the root name servers for
+   Toggle tracing of the delegation path from the root name servers for
    the name being looked up. Tracing is disabled by default. When
    tracing is enabled, ``dig`` makes iterative queries to resolve the
-   name being looked up. It follows referrals from the root servers,
+   name being looked up. It will follow referrals from the root servers,
    showing the answer from each server that was used to resolve the
    lookup.
 
-   If ``@server`` is also specified, it affects only the initial query for
+   If @server is also specified, it affects only the initial query for
    the root zone name servers.
 
-   ``+dnssec`` is also set when ``+trace`` is set, to better emulate the
-   default queries from a name server.
+   ``+dnssec`` is also set when +trace is set to better emulate the
+   default queries from a nameserver.
 
 ``+tries=T``
-   This option sets the number of times to try UDP and TCP queries to server to ``T``
+   Sets the number of times to try UDP queries to server to ``T``
    instead of the default, 3. If ``T`` is less than or equal to zero,
    the number of tries is silently rounded up to 1.
 
 ``+trusted-key=####``
-   This option formerly specified trusted keys for use with ``dig +sigchase``. This
+   Formerly specified trusted keys for use with ``dig +sigchase``. This
    feature is now obsolete and has been removed; use ``delv`` instead.
 
 ``+[no]ttlid``
-   This option displays [or does not display] the TTL when printing the record.
+   Display [do not display] the TTL when printing the record.
 
 ``+[no]ttlunits``
-   This option displays [or does not display] the TTL in friendly human-readable time
-   units of ``s``, ``m``, ``h``, ``d``, and ``w``, representing seconds, minutes,
-   hours, days, and weeks. This implies ``+ttlid``.
+   Display [do not display] the TTL in friendly human-readable time
+   units of "s", "m", "h", "d", and "w", representing seconds, minutes,
+   hours, days and weeks. Implies +ttlid.
+
+``+[no]unexpected``
+   Accept [do not accept] answers from unexpected sources.  By default, ``dig``
+   won't accept a reply from a source other than the one to which it sent the
+   query.
 
 ``+[no]unknownformat``
-   This option prints all RDATA in unknown RR type presentation format (:rfc:`3597`).
+   Print all RDATA in unknown RR type presentation format (:rfc:`3597`).
    The default is to print RDATA for known types in the type's
    presentation format.
 
 ``+[no]vc``
-   This option uses [or does not use] TCP when querying name servers. This alternate
+   Use [do not use] TCP when querying name servers. This alternate
    syntax to ``+[no]tcp`` is provided for backwards compatibility. The
-   ``vc`` stands for "virtual circuit."
+   "vc" stands for "virtual circuit".
 
 ``+[no]yaml``
-   When enabled, this option prints the responses (and, if ``+qr`` is in use, also the
+   Print the responses (and, if <option>+qr</option> is in use, also the
    outgoing queries) in a detailed YAML format.
 
 ``+[no]zflag``
-   This option sets [or does not set] the last unassigned DNS header flag in a DNS query.
+   Set [do not set] the last unassigned DNS header flag in a DNS query.
    This flag is off by default.
 
 Multiple Queries
@@ -609,12 +578,12 @@ Multiple Queries
 The BIND 9 implementation of ``dig`` supports specifying multiple
 queries on the command line (in addition to supporting the ``-f`` batch
 file option). Each of those queries can be supplied with its own set of
-flags, options, and query options.
+flags, options and query options.
 
-In this case, each ``query`` argument represents an individual query in
+In this case, each ``query`` argument represent an individual query in
 the command-line syntax described above. Each consists of any of the
 standard options and flags, the name to be looked up, an optional query
-type and class, and any query options that should be applied to that
+type and class and any query options that should be applied to that
 query.
 
 A global set of query options, which should be applied to all queries,
@@ -628,12 +597,12 @@ query options. For example:
 
    dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
 
-shows how ``dig`` can be used from the command line to make three
-lookups: an ANY query for ``www.isc.org``, a reverse lookup of 127.0.0.1,
+shows how ``dig`` could be used from the command line to make three
+lookups: an ANY query for ``www.isc.org``, a reverse lookup of 127.0.0.1
 and a query for the NS records of ``isc.org``. A global query option of
 ``+qr`` is applied, so that ``dig`` shows the initial query it made for
 each lookup. The final query has a local query option of ``+noqr`` which
-means that ``dig`` does not print the initial query when it looks up the
+means that ``dig`` will not print the initial query when it looks up the
 NS records for ``isc.org``.
 
 IDN Support
@@ -641,10 +610,10 @@ IDN Support
 
 If ``dig`` has been built with IDN (internationalized domain name)
 support, it can accept and display non-ASCII domain names. ``dig``
-appropriately converts character encoding of a domain name before sending
-a request to a DNS server or displaying a reply from the server.
-To turn off IDN support, use the parameters
-``+noidnin`` and ``+noidnout``, or define the ``IDN_DISABLE`` environment
+appropriately converts character encoding of domain name before sending
+a request to DNS server or displaying a reply from the server. If you'd
+like to turn off the IDN support for some reason, use parameters
+``+noidnin`` and ``+noidnout`` or define the IDN_DISABLE environment
 variable.
 
 Files

bin/dig/host.c

@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -21,7 +21,6 @@
 #endif /* ifdef HAVE_LOCALE_H */
 
 #include <isc/app.h>
-#include <isc/attributes.h>
 #include <isc/commandline.h>
 #include <isc/netaddr.h>
 #include <isc/print.h>
@@ -39,7 +38,7 @@
 #include <dns/rdatastruct.h>
 #include <dns/rdatatype.h>
 
-#include "dighost.h"
+#include <dig/dig.h>
 
 static bool short_form = true, listed_server = false;
 static bool default_lookups = true;
@@ -102,39 +101,37 @@ rcode_totext(dns_rcode_t rcode) {
 	return (totext.deconsttext);
 }
 
-ISC_NORETURN static void
-show_usage(void);
+ISC_PLATFORM_NORETURN_PRE static void
+show_usage(void) ISC_PLATFORM_NORETURN_POST;
 
 static void
 show_usage(void) {
-	fprintf(stderr,
-		"Usage: host [-aCdilrTvVw] [-c class] [-N ndots] [-t type] [-W "
-		"time]\n"
-		"            [-R number] [-m flag] [-p port] hostname "
-		"[server]\n"
-		"       -a is equivalent to -v -t ANY\n"
-		"       -A is like -a but omits RRSIG, NSEC, NSEC3\n"
-		"       -c specifies query class for non-IN data\n"
-		"       -C compares SOA records on authoritative nameservers\n"
-		"       -d is equivalent to -v\n"
-		"       -l lists all hosts in a domain, using AXFR\n"
-		"       -m set memory debugging flag (trace|record|usage)\n"
-		"       -N changes the number of dots allowed before root "
-		"lookup "
-		"is done\n"
-		"       -p specifies the port on the server to query\n"
-		"       -r disables recursive processing\n"
-		"       -R specifies number of retries for UDP packets\n"
-		"       -s a SERVFAIL response should stop query\n"
-		"       -t specifies the query type\n"
-		"       -T enables TCP/IP mode\n"
-		"       -U enables UDP mode\n"
-		"       -v enables verbose output\n"
-		"       -V print version number and exit\n"
-		"       -w specifies to wait forever for a reply\n"
-		"       -W specifies how long to wait for a reply\n"
-		"       -4 use IPv4 query transport only\n"
-		"       -6 use IPv6 query transport only\n");
+	fputs("Usage: host [-aCdilrTvVw] [-c class] [-N ndots] [-t type] [-W "
+	      "time]\n"
+	      "            [-R number] [-m flag] [-p port] hostname [server]\n"
+	      "       -a is equivalent to -v -t ANY\n"
+	      "       -A is like -a but omits RRSIG, NSEC, NSEC3\n"
+	      "       -c specifies query class for non-IN data\n"
+	      "       -C compares SOA records on authoritative nameservers\n"
+	      "       -d is equivalent to -v\n"
+	      "       -l lists all hosts in a domain, using AXFR\n"
+	      "       -m set memory debugging flag (trace|record|usage)\n"
+	      "       -N changes the number of dots allowed before root lookup "
+	      "is done\n"
+	      "       -p specifies the port on the server to query\n"
+	      "       -r disables recursive processing\n"
+	      "       -R specifies number of retries for UDP packets\n"
+	      "       -s a SERVFAIL response should stop query\n"
+	      "       -t specifies the query type\n"
+	      "       -T enables TCP/IP mode\n"
+	      "       -U enables UDP mode\n"
+	      "       -v enables verbose output\n"
+	      "       -V print version number and exit\n"
+	      "       -w specifies to wait forever for a reply\n"
+	      "       -W specifies how long to wait for a reply\n"
+	      "       -4 use IPv4 query transport only\n"
+	      "       -6 use IPv6 query transport only\n",
+	      stderr);
 	exit(1);
 }
 
@@ -151,11 +148,7 @@ received(unsigned int bytes, isc_sockaddr_t *from, dig_query_t *query) {
 	if (!short_form) {
 		char fromtext[ISC_SOCKADDR_FORMATSIZE];
 		isc_sockaddr_format(from, fromtext, sizeof(fromtext));
-		if (query->lookup->use_usec) {
-			TIME_NOW_HIRES(&now);
-		} else {
-			TIME_NOW(&now);
-		}
+		TIME_NOW(&now);
 		diff = (int)isc_time_microdiff(&now, &query->time_sent);
 		printf("Received %u bytes from %s in %d ms\n", bytes, fromtext,
 		       diff / 1000);
@@ -379,7 +372,7 @@ chase_cnamechain(dns_message_t *msg, dns_name_t *qname) {
 		dns_rdataset_current(rdataset, &rdata);
 		result = dns_rdata_tostruct(&rdata, &cname, NULL);
 		check_result(result, "dns_rdata_tostruct");
-		dns_name_copy(&cname.cname, qname);
+		dns_name_copynf(&cname.cname, qname);
 		dns_rdata_freestruct(&cname);
 	}
 }
@@ -442,7 +435,7 @@ printmessage(dig_query_t *query, const isc_buffer_t *msgbuf, dns_message_t *msg,
 
 		/* Add AAAA and MX lookups. */
 		name = dns_fixedname_initname(&fixed);
-		dns_name_copy(query->lookup->name, name);
+		dns_name_copynf(query->lookup->name, name);
 		chase_cnamechain(msg, name);
 		dns_name_format(name, namestr, sizeof(namestr));
 		lookup = clone_lookup(query->lookup, false);
@@ -588,7 +581,7 @@ static const char *optstring = "46aAc:dilnm:p:rst:vVwCDN:R:TUW:";
 /*% version */
 static void
 version(void) {
-	fprintf(stderr, "host %s\n", PACKAGE_VERSION);
+	fputs("host " VERSION "\n", stderr);
 }
 
 static void

bin/dig/host.rst

@@ -3,7 +3,7 @@
    
    This Source Code Form is subject to the terms of the Mozilla Public
    License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, you can obtain one at https://mozilla.org/MPL/2.0/.
+   file, You can obtain one at http://mozilla.org/MPL/2.0/.
    
    See the COPYRIGHT file distributed with this work for additional
    information regarding copyright ownership.
@@ -36,12 +36,12 @@ Description
 
 ``host`` is a simple utility for performing DNS lookups. It is normally
 used to convert names to IP addresses and vice versa. When no arguments
-or options are given, ``host`` prints a short summary of its
-command-line arguments and options.
+or options are given, ``host`` prints a short summary of its command
+line arguments and options.
 
 ``name`` is the domain name that is to be looked up. It can also be a
 dotted-decimal IPv4 address or a colon-delimited IPv6 address, in which
-case ``host`` by default performs a reverse lookup for that address.
+case ``host`` will by default perform a reverse lookup for that address.
 ``server`` is an optional argument which is either the name or IP
 address of the name server that ``host`` should query instead of the
 server or servers listed in ``/etc/resolv.conf``.
@@ -49,111 +49,111 @@ server or servers listed in ``/etc/resolv.conf``.
 Options
 ~~~~~~~
 
-``-4``
-   This option specifies that only IPv4 should be used for query transport. See also the ``-6`` option.
+**-4**
+   Use IPv4 only for query transport. See also the ``-6`` option.
 
-``-6``
-   This option specifies that only IPv6 should be used for query transport. See also the ``-4`` option.
+**-6**
+   Use IPv6 only for query transport. See also the ``-4`` option.
 
-``-a``
-   The ``-a`` ("all") option is normally equivalent to ``-v -t ANY``. It
-   also affects the behavior of the ``-l`` list zone option.
+**-a**
+   "All". The ``-a`` option is normally equivalent to ``-v -t ANY``. It
+   also affects the behaviour of the ``-l`` list zone option.
 
-``-A``
-   The ``-A`` ("almost all") option is equivalent to ``-a``, except that RRSIG,
+**-A**
+   "Almost all". The ``-A`` option is equivalent to ``-a`` except RRSIG,
    NSEC, and NSEC3 records are omitted from the output.
 
-``-c class``
-   This option specifies the query class, which can be used to lookup HS (Hesiod) or CH (Chaosnet)
+**-c** class
+   Query class: This can be used to lookup HS (Hesiod) or CH (Chaosnet)
    class resource records. The default class is IN (Internet).
 
-``-C``
-   This option indicates that ``named`` should check consistency, meaning that ``host`` queries the SOA records for zone
+**-C**
+   Check consistency: ``host`` will query the SOA records for zone
    ``name`` from all the listed authoritative name servers for that
    zone. The list of name servers is defined by the NS records that are
    found for the zone.
 
-``-d``
-   This option prints debugging traces, and is equivalent to the ``-v`` verbose option.
+**-d**
+   Print debugging traces. Equivalent to the ``-v`` verbose option.
 
-``-l``
-   This option tells ``named` to list the zone, meaning the ``host`` command performs a zone transfer of zone
-   ``name`` and prints out the NS, PTR, and address records (A/AAAA).
+**-l**
+   List zone: The ``host`` command performs a zone transfer of zone
+   ``name`` and prints out the NS, PTR and address records (A/AAAA).
 
    Together, the ``-l -a`` options print all records in the zone.
 
-``-N ndots``
-   This option specifies the number of dots (``ndots``) that have to be in ``name`` for it to be
+**-N** ndots
+   The number of dots that have to be in ``name`` for it to be
    considered absolute. The default value is that defined using the
-   ``ndots`` statement in ``/etc/resolv.conf``, or 1 if no ``ndots`` statement
-   is present. Names with fewer dots are interpreted as relative names,
-   and are searched for in the domains listed in the ``search`` or
+   ndots statement in ``/etc/resolv.conf``, or 1 if no ndots statement
+   is present. Names with fewer dots are interpreted as relative names
+   and will be searched for in the domains listed in the ``search`` or
    ``domain`` directive in ``/etc/resolv.conf``.
 
-``-p port``
-   This option specifies the port to query on the server. The default is 53.
+**-p** port
+   Specify the port on the server to query. The default is 53.
 
-``-r``
-   This option specifies a non-recursive query; setting this option clears the RD (recursion
-   desired) bit in the query. This means that the name server
-   receiving the query does not attempt to resolve ``name``. The ``-r``
+**-r**
+   Non-recursive query: Setting this option clears the RD (recursion
+   desired) bit in the query. This should mean that the name server
+   receiving the query will not attempt to resolve ``name``. The ``-r``
    option enables ``host`` to mimic the behavior of a name server by
-   making non-recursive queries, and expecting to receive answers to
+   making non-recursive queries and expecting to receive answers to
    those queries that can be referrals to other name servers.
 
-``-R number``
-   This option specifies the number of retries for UDP queries. If ``number`` is negative or zero,
-   the number of retries is silently set to 1. The default value is 1, or
+**-R** number
+   Number of retries for UDP queries: If ``number`` is negative or zero,
+   the number of retries will default to 1. The default value is 1, or
    the value of the ``attempts`` option in ``/etc/resolv.conf``, if set.
 
-``-s``
-   This option tells ``named`` *not* to send the query to the next nameserver if any server responds
+**-s**
+   Do *not* send the query to the next nameserver if any server responds
    with a SERVFAIL response, which is the reverse of normal stub
    resolver behavior.
 
-``-t type``
-   This option specifies the query type. The ``type`` argument can be any recognized query type:
+**-t** type
+   Query type: The ``type`` argument can be any recognized query type:
    CNAME, NS, SOA, TXT, DNSKEY, AXFR, etc.
 
    When no query type is specified, ``host`` automatically selects an
    appropriate query type. By default, it looks for A, AAAA, and MX
-   records. If the ``-C`` option is given, queries are made for SOA
+   records. If the ``-C`` option is given, queries will be made for SOA
    records. If ``name`` is a dotted-decimal IPv4 address or
-   colon-delimited IPv6 address, ``host`` queries for PTR records.
+   colon-delimited IPv6 address, ``host`` will query for PTR records.
 
-   If a query type of IXFR is chosen, the starting serial number can be
-   specified by appending an equals sign (=), followed by the starting serial
-   number, e.g., ``-t IXFR=12345678``.
+   If a query type of IXFR is chosen the starting serial number can be
+   specified by appending an equal followed by the starting serial
+   number (like ``-t IXFR=12345678``).
 
-``-T``; ``-U``
-   This option specifies TCP or UDP. By default, ``host`` uses UDP when making queries; the
+**-T**; **-U**
+   TCP/UDP: By default, ``host`` uses UDP when making queries. The
    ``-T`` option makes it use a TCP connection when querying the name
-   server. TCP is automatically selected for queries that require
-   it, such as zone transfer (AXFR) requests. Type ``ANY`` queries default
-   to TCP, but can be forced to use UDP initially via ``-U``.
+   server. TCP will be automatically selected for queries that require
+   it, such as zone transfer (AXFR) requests. Type ANY queries default
+   to TCP but can be forced to UDP initially using ``-U``.
 
-``-m flag``
-   This option sets memory usage debugging: the flag can be ``record``, ``usage``, or
-   ``trace``. The ``-m`` option can be specified more than once to set
+**-m** flag
+   Memory usage debugging: the flag can be ``record``, ``usage``, or
+   ``trace``. You can specify the ``-m`` option more than once to set
    multiple flags.
 
-``-v``
-   This option sets verbose output, and is equivalent to the ``-d`` debug option. Verbose output
+**-v**
+   Verbose output. Equivalent to the ``-d`` debug option. Verbose output
    can also be enabled by setting the ``debug`` option in
    ``/etc/resolv.conf``.
 
-``-V``
-   This option prints the version number and exits.
+**-V**
+   Print the version number and exit.
 
-``-w``
-   This option sets "wait forever": the query timeout is set to the maximum possible. See
+**-w**
+   Wait forever: The query timeout is set to the maximum possible. See
    also the ``-W`` option.
 
-``-W wait``
-   This options sets the length of the wait timeout, indicating that ``named`` should wait for up to ``wait`` seconds for a reply. If ``wait`` is
-   less than 1, the wait interval is set to 1 second.
+**-W** wait
+   Timeout: Wait for up to ``wait`` seconds for a reply. If ``wait`` is
+   less than one, the wait interval is set to one second.
 
-   By default, ``host`` waits for 5 seconds for UDP responses and 10
+   By default, ``host`` will wait for 5 seconds for UDP responses and 10
    seconds for TCP connections. These defaults can be overridden by the
    ``timeout`` option in ``/etc/resolv.conf``.
 
@@ -164,10 +164,10 @@ IDN Support
 
 If ``host`` has been built with IDN (internationalized domain name)
 support, it can accept and display non-ASCII domain names. ``host``
-appropriately converts character encoding of a domain name before sending
-a request to a DNS server or displaying a reply from the server.
-To turn off IDN support, define the ``IDN_DISABLE``
-environment variable. IDN support is disabled if the variable is set
+appropriately converts character encoding of domain name before sending
+a request to DNS server or displaying a reply from the server. If you'd
+like to turn off the IDN support for some reason, define the IDN_DISABLE
+environment variable. The IDN support is disabled if the variable is set
 when ``host`` runs.
 
 Files

bin/dig/include/.clang-format

@@ -0,0 +1 @@
+../../../.clang-format.headers

bin/dig/include/dig/dig.h

@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -17,16 +17,14 @@
 #include <inttypes.h>
 #include <stdbool.h>
 
-#include <isc/attributes.h>
 #include <isc/buffer.h>
+#include <isc/bufferlist.h>
 #include <isc/formatcheck.h>
 #include <isc/lang.h>
 #include <isc/list.h>
 #include <isc/magic.h>
 #include <isc/mem.h>
-#include <isc/netmgr.h>
 #include <isc/print.h>
-#include <isc/refcount.h>
 #include <isc/sockaddr.h>
 #include <isc/socket.h>
 
@@ -61,8 +59,6 @@
 #define MAXPORT 0xffff
 /*% Max serial number */
 #define MAXSERIAL 0xffffffff
-/*% Max query ID */
-#define MAXQID 0xffff
 
 /*% Default TCP Timeout */
 #define TCP_TIMEOUT 10
@@ -72,13 +68,6 @@
 #define SERVER_TIMEOUT 1
 
 #define LOOKUP_LIMIT 64
-
-#define DEFAULT_EDNS_VERSION 0
-#define DEFAULT_EDNS_BUFSIZE 1232
-
-#define DEFAULT_HTTPS_PATH  "/dns-query"
-#define DEFAULT_HTTPS_QUERY "?dns="
-
 /*%
  * Lookup_limit is just a limiter, keeping too many lookups from being
  * created.  It's job is mainly to prevent the program from running away
@@ -88,127 +77,111 @@
 ISC_LANG_BEGINDECLS
 
 typedef struct dig_lookup dig_lookup_t;
-typedef struct dig_query dig_query_t;
+typedef struct dig_query  dig_query_t;
 typedef struct dig_server dig_server_t;
 typedef ISC_LIST(dig_server_t) dig_serverlist_t;
 typedef struct dig_searchlist dig_searchlist_t;
 
-#define DIG_LOOKUP_MAGIC ISC_MAGIC('D', 'i', 'g', 'l')
-
-#define DIG_VALID_LOOKUP(x) ISC_MAGIC_VALID((x), DIG_LOOKUP_MAGIC)
-
 #define DIG_QUERY_MAGIC ISC_MAGIC('D', 'i', 'g', 'q')
 
 #define DIG_VALID_QUERY(x) ISC_MAGIC_VALID((x), DIG_QUERY_MAGIC)
 
 /*% The dig_lookup structure */
 struct dig_lookup {
-	unsigned int magic;
-	isc_refcount_t references;
-	bool aaonly, adflag, badcookie, besteffort, cdflag, comments,
-		dns64prefix, dnssec, doing_xfr, done_as_is, ednsneg, expandaaaa,
-		expire, header_only, identify, /*%< Append an "on server <foo>"
-						  message */
-		identify_previous_line,	       /*% Prepend a "Nameserver <foo>:"
-						  message, with newline and tab */
-		idnin, idnout, ignore, mapped, multiline, need_search,
-		new_search, noclass, nocrypto, nottl,
-		ns_search_only,	 /*%< dig +nssearch, host -C */
-		nsid,		 /*% Name Server ID (RFC 5001) */
-		onesoa, pending, /*%< Pending a successful answer */
-		print_unknown_format, qr, raflag, recurse, section_additional,
-		section_answer, section_authority, section_question,
-		seenbadcookie, sendcookie, servfail_stops,
-		setqid, /*% use a speciied query ID */
-		stats, tcflag, tcp_keepalive, tcp_mode, tcp_mode_set,
-		tls_mode,   /*% connect using TLS */
+	bool pending, /*%< Pending a successful answer */
+		waiting_connect, doing_xfr, ns_search_only, /*%< dig
+							     * +nssearch,
+							     * host -C */
+		identify, /*%< Append an "on server <foo>" message */
+		identify_previous_line, /*% Prepend a "Nameserver <foo>:"
+					 * message, with newline and tab */
+		ignore, recurse, aaonly, adflag, cdflag, raflag, tcflag, zflag,
 		trace,	    /*% dig +trace */
-		trace_root, /*% initial query for either +trace or +nssearch */
-		ttlunits, use_usec, waiting_connect, zflag;
-	char textname[MXNAME]; /*% Name we're going to be looking up */
-	char cmdline[MXNAME];
-	dns_rdatatype_t rdtype;
-	dns_rdatatype_t qrdtype;
+		trace_root, /*% initial query for either +trace or +nssearch
+			     * */
+		tcp_mode, tcp_mode_set, comments, stats, section_question,
+		section_answer, section_authority, section_additional,
+		servfail_stops, new_search, need_search, done_as_is, besteffort,
+		dnssec, expire, sendcookie, seenbadcookie, badcookie,
+		nsid, /*% Name Server ID (RFC 5001) */
+		tcp_keepalive, header_only, ednsneg, mapped,
+		print_unknown_format, multiline, nottl, noclass, onesoa,
+		use_usec, nocrypto, ttlunits, idnin, idnout, expandaaaa, qr,
+		accept_reply_unexpected_src; /*%  print replies from
+					      * unexpected
+					      *   sources. */
+	char textname[MXNAME];		     /*% Name we're going to be
+					      * looking up */
+	char		 cmdline[MXNAME];
+	dns_rdatatype_t	 rdtype;
+	dns_rdatatype_t	 qrdtype;
 	dns_rdataclass_t rdclass;
-	bool rdtypeset;
-	bool rdclassset;
-	char name_space[BUFSIZE];
-	char oname_space[BUFSIZE];
-	isc_buffer_t namebuf;
-	isc_buffer_t onamebuf;
-	isc_buffer_t renderbuf;
-	char *sendspace;
-	dns_name_t *name;
-	isc_interval_t interval;
-	dns_message_t *sendmsg;
-	dns_name_t *oname;
+	bool		 rdtypeset;
+	bool		 rdclassset;
+	char		 name_space[BUFSIZE];
+	char		 oname_space[BUFSIZE];
+	isc_buffer_t	 namebuf;
+	isc_buffer_t	 onamebuf;
+	isc_buffer_t	 renderbuf;
+	char *		 sendspace;
+	dns_name_t *	 name;
+	isc_interval_t	 interval;
+	dns_message_t *	 sendmsg;
+	dns_name_t *	 oname;
 	ISC_LINK(dig_lookup_t) link;
 	ISC_LIST(dig_query_t) q;
 	ISC_LIST(dig_query_t) connecting;
-	dig_query_t *current_query;
-	dig_serverlist_t my_server_list;
+	dig_query_t *	  current_query;
+	dig_serverlist_t  my_server_list;
 	dig_searchlist_t *origin;
-	dig_query_t *xfr_q;
-	uint32_t retries;
-	int nsfound;
-	int16_t udpsize;
-	int16_t edns;
-	int16_t padding;
-	uint32_t ixfr_serial;
-	isc_buffer_t rdatabuf;
-	char rdatastore[MXNAME];
-	dst_context_t *tsigctx;
-	isc_buffer_t *querysig;
-	uint32_t msgcounter;
-	dns_fixedname_t fdomain;
-	isc_sockaddr_t *ecs_addr;
-	char *cookie;
-	dns_ednsopt_t *ednsopts;
-	unsigned int ednsoptscnt;
-	isc_dscp_t dscp;
-	unsigned int ednsflags;
-	dns_opcode_t opcode;
-	int rrcomments;
-	unsigned int eoferr;
-	uint16_t qid;
-	struct {
-		bool http_plain;
-		bool https_mode;
-		bool https_get;
-		char *https_path;
-	};
+	dig_query_t *	  xfr_q;
+	uint32_t	  retries;
+	int		  nsfound;
+	uint16_t	  udpsize;
+	int16_t		  edns;
+	int16_t		  padding;
+	uint32_t	  ixfr_serial;
+	isc_buffer_t	  rdatabuf;
+	char		  rdatastore[MXNAME];
+	dst_context_t *	  tsigctx;
+	isc_buffer_t *	  querysig;
+	uint32_t	  msgcounter;
+	dns_fixedname_t	  fdomain;
+	isc_sockaddr_t *  ecs_addr;
+	char *		  cookie;
+	dns_ednsopt_t *	  ednsopts;
+	unsigned int	  ednsoptscnt;
+	isc_dscp_t	  dscp;
+	unsigned int	  ednsflags;
+	dns_opcode_t	  opcode;
+	int		  rrcomments;
+	unsigned int	  eoferr;
 };
 
 /*% The dig_query structure */
 struct dig_query {
-	unsigned int magic;
+	unsigned int  magic;
 	dig_lookup_t *lookup;
-	bool first_pass;
-	bool first_soa_rcvd;
-	bool second_rr_rcvd;
-	bool first_repeat_rcvd;
-	bool warn_id;
-	uint32_t first_rr_serial;
-	uint32_t second_rr_serial;
-	uint32_t msg_count;
-	uint32_t rr_count;
-	bool ixfr_axfr;
-	char *servname;
-	char *userarg;
-	isc_buffer_t sendbuf;
-	char *recvspace, *tmpsendspace, lengthspace[4];
-	isc_refcount_t references;
-	isc_nmhandle_t *handle;
-	isc_nmhandle_t *readhandle;
-	isc_nmhandle_t *sendhandle;
+	bool waiting_connect, pending_free, waiting_senddone, first_pass,
+		first_soa_rcvd, second_rr_rcvd, first_repeat_rcvd, recv_made,
+		warn_id, timedout;
+	uint32_t      first_rr_serial;
+	uint32_t      second_rr_serial;
+	uint32_t      msg_count;
+	uint32_t      rr_count;
+	bool	      ixfr_axfr;
+	char *	      servname;
+	char *	      userarg;
+	isc_buffer_t  recvbuf, lengthbuf, tmpsendbuf, sendbuf;
+	char *	      recvspace, *tmpsendspace, lengthspace[4];
+	isc_socket_t *sock;
 	ISC_LINK(dig_query_t) link;
 	ISC_LINK(dig_query_t) clink;
 	isc_sockaddr_t sockaddr;
-	isc_time_t time_sent;
-	isc_time_t time_recv;
-	uint64_t byte_count;
-	isc_timer_t *timer;
-	isc_tlsctx_t *tlsctx;
+	isc_time_t     time_sent;
+	isc_time_t     time_recv;
+	uint64_t       byte_count;
+	isc_timer_t *  timer;
 };
 
 struct dig_server {
@@ -229,39 +202,38 @@ typedef ISC_LIST(dig_lookup_t) dig_lookuplist_t;
  * Externals from dighost.c
  */
 
-extern dig_lookuplist_t lookup_list;
-extern dig_serverlist_t server_list;
+extern dig_lookuplist_t	    lookup_list;
+extern dig_serverlist_t	    server_list;
 extern dig_searchlistlist_t search_list;
-extern unsigned int extrabytes;
+extern unsigned int	    extrabytes;
 
 extern bool check_ra, have_ipv4, have_ipv6, specified_source, usesearch,
 	showsearch, yaml;
-extern in_port_t port;
-extern bool port_set;
-extern unsigned int timeout;
-extern isc_mem_t *mctx;
-extern isc_refcount_t sendcount;
-extern int ndots;
-extern int lookup_counter;
-extern int exitcode;
-extern isc_sockaddr_t localaddr;
-extern char keynametext[MXNAME];
-extern char keyfile[MXNAME];
-extern char keysecret[MXNAME];
+extern in_port_t	 port;
+extern unsigned int	 timeout;
+extern isc_mem_t *	 mctx;
+extern int		 sendcount;
+extern int		 ndots;
+extern int		 lookup_counter;
+extern int		 exitcode;
+extern isc_sockaddr_t	 bind_address;
+extern char		 keynametext[MXNAME];
+extern char		 keyfile[MXNAME];
+extern char		 keysecret[MXNAME];
 extern const dns_name_t *hmacname;
-extern unsigned int digestbits;
-extern dns_tsigkey_t *tsigkey;
-extern bool validated;
-extern isc_taskmgr_t *taskmgr;
-extern isc_task_t *global_task;
-extern bool free_now;
-extern bool debugging, debugtiming, memdebugging;
-extern bool keep_open;
+extern unsigned int	 digestbits;
+extern dns_tsigkey_t *	 tsigkey;
+extern bool		 validated;
+extern isc_taskmgr_t *	 taskmgr;
+extern isc_task_t *	 global_task;
+extern bool		 free_now;
+extern bool		 debugging, debugtiming, memdebugging;
+extern bool		 keep_open;
 
 extern char *progname;
-extern int tries;
-extern int fatalexit;
-extern bool verbose;
+extern int   tries;
+extern int   fatalexit;
+extern bool  verbose;
 
 /*
  * Routines in dighost.c.
@@ -275,14 +247,15 @@ getaddresses(dig_lookup_t *lookup, const char *host, isc_result_t *resultp);
 isc_result_t
 get_reverse(char *reverse, size_t len, char *value, bool strict);
 
-ISC_NORETURN void
-fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
+ISC_PLATFORM_NORETURN_PRE void
+fatal(const char *format, ...)
+	ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST;
 
 void
 warn(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
 
-ISC_NORETURN void
-digexit(void);
+ISC_PLATFORM_NORETURN_PRE void
+digexit(void) ISC_PLATFORM_NORETURN_POST;
 
 void
 debug(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
@@ -360,7 +333,7 @@ set_search_domain(char *domain);
  * Routines to be defined in dig.c, host.c, and nslookup.c. and
  * then assigned to the appropriate function pointer
  */
-extern isc_result_t (*dighost_printmessage)(dig_query_t *query,
+extern isc_result_t (*dighost_printmessage)(dig_query_t *	query,
 					    const isc_buffer_t *msgbuf,
 					    dns_message_t *msg, bool headers);
 
@@ -409,38 +382,32 @@ setup_text_key(void);
  * Routines exported from dig.c for use by dig for iOS
  */
 
-/*%
+/*%<
  * Call once only to set up libraries, parse global
  * parameters and initial command line query parameters
  */
 void
 dig_setup(int argc, char **argv);
 
-/*%
+/*%<
  * Call to supply new parameters for the next lookup
  */
 void
 dig_query_setup(bool, bool, int argc, char **argv);
 
-/*%
+/*%<
  * set the main application event cycle running
  */
 void
 dig_startup(void);
 
-/*%
+/*%<
  * Initiates the next lookup cycle
  */
 void
 dig_query_start(void);
 
-/*%
- * Activate/deactivate IDN filtering of output.
- */
-void
-dig_idnsetup(dig_lookup_t *lookup, bool active);
-
-/*%
+/*%<
  * Cleans up the application
  */
 void

bin/dig/nslookup.c

@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -15,7 +15,6 @@
 #include <unistd.h>
 
 #include <isc/app.h>
-#include <isc/attributes.h>
 #include <isc/buffer.h>
 #include <isc/commandline.h>
 #include <isc/event.h>
@@ -36,8 +35,23 @@
 #include <dns/rdatastruct.h>
 #include <dns/rdatatype.h>
 
-#include "dighost.h"
-#include "readline.h"
+#include <dig/dig.h>
+
+#if defined(HAVE_READLINE)
+#if defined(HAVE_EDIT_READLINE_READLINE_H)
+#include <edit/readline/readline.h>
+#if defined(HAVE_EDIT_READLINE_HISTORY_H)
+#include <edit/readline/history.h>
+#endif /* if defined(HAVE_EDIT_READLINE_HISTORY_H) */
+#elif defined(HAVE_EDITLINE_READLINE_H)
+#include <editline/readline.h>
+#elif defined(HAVE_READLINE_READLINE_H)
+#include <readline/readline.h>
+#if defined(HAVE_READLINE_HISTORY_H)
+#include <readline/history.h>
+#endif /* if defined(HAVE_READLINE_HISTORY_H) */
+#endif /* if defined(HAVE_EDIT_READLINE_READLINE_H) */
+#endif /* if defined(HAVE_READLINE) */
 
 static bool short_form = true, tcpmode = false, tcpmode_set = false,
 	    identify = false, stats = true, comments = true,
@@ -110,6 +124,8 @@ static const char *rtypetext[] = {
 
 #define N_KNOWN_RRTYPES (sizeof(rtypetext) / sizeof(rtypetext[0]))
 
+static void
+flush_lookup_list(void);
 static void
 getinput(isc_task_t *task, isc_event_t *event);
 
@@ -134,6 +150,7 @@ static void
 query_finished(void) {
 	isc_event_t *event = global_event;
 
+	flush_lookup_list();
 	debug("dighost_shutdown()");
 
 	if (!in_use) {
@@ -391,7 +408,7 @@ chase_cnamechain(dns_message_t *msg, dns_name_t *qname) {
 		dns_rdataset_current(rdataset, &rdata);
 		result = dns_rdata_tostruct(&rdata, &cname, NULL);
 		check_result(result, "dns_rdata_tostruct");
-		dns_name_copy(&cname.cname, qname);
+		dns_name_copynf(&cname.cname, qname);
 		dns_rdata_freestruct(&cname);
 	}
 }
@@ -448,7 +465,7 @@ printmessage(dig_query_t *query, const isc_buffer_t *msgbuf, dns_message_t *msg,
 
 		/* Add AAAA lookup. */
 		name = dns_fixedname_initname(&fixed);
-		dns_name_copy(query->lookup->name, name);
+		dns_name_copynf(query->lookup->name, name);
 		chase_cnamechain(msg, name);
 		dns_name_format(name, namestr, sizeof(namestr));
 		lookup = clone_lookup(query->lookup, false);
@@ -612,15 +629,13 @@ set_ndots(const char *value) {
 
 static void
 version(void) {
-	fprintf(stderr, "nslookup %s\n", PACKAGE_VERSION);
+	fputs("nslookup " VERSION "\n", stderr);
 }
 
 static void
 setoption(char *opt) {
 	size_t l = strlen(opt);
 
-	debugging = true;
-
 #define CHECKOPT(A, N) \
 	((l >= N) && (l < sizeof(A)) && (strncasecmp(opt, A, l) == 0))
 
@@ -771,8 +786,7 @@ addlookup(char *opt) {
 	lookup->recurse = recurse;
 	lookup->aaonly = aaonly;
 	lookup->retries = tries;
-	lookup->setqid = false;
-	lookup->qid = 0;
+	lookup->udpsize = 0;
 	lookup->comments = comments;
 	if (lookup->rdtype == dns_rdatatype_any && !tcpmode_set) {
 		lookup->tcp_mode = true;
@@ -831,31 +845,42 @@ do_next_command(char *input) {
 
 static void
 get_next_command(void) {
-	char cmdlinebuf[COMMSIZE];
-	char *cmdline, *ptr = NULL;
+	char *buf;
+	char *ptr;
 
+	fflush(stdout);
+	buf = isc_mem_allocate(mctx, COMMSIZE);
 	isc_app_block();
 	if (interactive) {
-		cmdline = ptr = readline("> ");
-		if (ptr != NULL && *ptr != 0) {
+#ifdef HAVE_READLINE
+		ptr = readline("> ");
+		if (ptr != NULL) {
 			add_history(ptr);
 		}
+#else  /* ifdef HAVE_READLINE */
+		fputs("> ", stderr);
+		fflush(stderr);
+		ptr = fgets(buf, COMMSIZE, stdin);
+#endif /* ifdef HAVE_READLINE */
 	} else {
-		cmdline = fgets(cmdlinebuf, COMMSIZE, stdin);
+		ptr = fgets(buf, COMMSIZE, stdin);
 	}
 	isc_app_unblock();
-	if (cmdline == NULL) {
+	if (ptr == NULL) {
 		in_use = false;
 	} else {
-		do_next_command(cmdline);
+		do_next_command(ptr);
 	}
-	if (ptr != NULL) {
+#ifdef HAVE_READLINE
+	if (interactive) {
 		free(ptr);
 	}
+#endif /* ifdef HAVE_READLINE */
+	isc_mem_free(mctx, buf);
 }
 
-ISC_NORETURN static void
-usage(void);
+ISC_PLATFORM_NORETURN_PRE static void
+usage(void) ISC_PLATFORM_NORETURN_POST;
 
 static void
 usage(void) {
@@ -903,6 +928,46 @@ parse_args(int argc, char **argv) {
 	}
 }
 
+static void
+flush_lookup_list(void) {
+	dig_lookup_t *l, *lp;
+	dig_query_t *q, *qp;
+	dig_server_t *s, *sp;
+
+	lookup_counter = 0;
+	l = ISC_LIST_HEAD(lookup_list);
+	while (l != NULL) {
+		q = ISC_LIST_HEAD(l->q);
+		while (q != NULL) {
+			if (q->sock != NULL) {
+				isc_socket_cancel(q->sock, NULL,
+						  ISC_SOCKCANCEL_ALL);
+				isc_socket_detach(&q->sock);
+			}
+			isc_buffer_invalidate(&q->recvbuf);
+			isc_buffer_invalidate(&q->lengthbuf);
+			qp = q;
+			q = ISC_LIST_NEXT(q, link);
+			ISC_LIST_DEQUEUE(l->q, qp, link);
+			isc_mem_free(mctx, qp);
+		}
+		s = ISC_LIST_HEAD(l->my_server_list);
+		while (s != NULL) {
+			sp = s;
+			s = ISC_LIST_NEXT(s, link);
+			ISC_LIST_DEQUEUE(l->my_server_list, sp, link);
+			isc_mem_free(mctx, sp);
+		}
+		if (l->sendmsg != NULL) {
+			dns_message_destroy(&l->sendmsg);
+		}
+		lp = l;
+		l = ISC_LIST_NEXT(l, link);
+		ISC_LIST_DEQUEUE(lookup_list, lp, link);
+		isc_mem_free(mctx, lp);
+	}
+}
+
 static void
 getinput(isc_task_t *task, isc_event_t *event) {
 	UNUSED(task);

bin/dig/nslookup.rst

@@ -3,7 +3,7 @@
    
    This Source Code Form is subject to the terms of the Mozilla Public
    License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, you can obtain one at https://mozilla.org/MPL/2.0/.
+   file, You can obtain one at http://mozilla.org/MPL/2.0/.
    
    See the COPYRIGHT file distributed with this work for additional
    information regarding copyright ownership.
@@ -34,11 +34,11 @@ Synopsis
 Description
 ~~~~~~~~~~~
 
-``nslookup`` is a program to query Internet domain name servers.
-``nslookup`` has two modes: interactive and non-interactive. Interactive
+``Nslookup`` is a program to query Internet domain name servers.
+``Nslookup`` has two modes: interactive and non-interactive. Interactive
 mode allows the user to query name servers for information about various
 hosts and domains or to print a list of hosts in a domain.
-Non-interactive mode prints just the name and requested
+Non-interactive mode is used to print just the name and requested
 information for a host or domain.
 
 Arguments
@@ -46,7 +46,7 @@ Arguments
 
 Interactive mode is entered in the following cases:
 
-a. when no arguments are given (the default name server is used);
+a. when no arguments are given (the default name server will be used)
 
 b. when the first argument is a hyphen (-) and the second argument is
    the host name or Internet address of a name server.
@@ -57,7 +57,7 @@ argument specifies the host name or address of a name server.
 
 Options can also be specified on the command line if they precede the
 arguments and are prefixed with a hyphen. For example, to change the
-default query type to host information, with an initial timeout of 10
+default query type to host information, and the initial timeout to 10
 seconds, type:
 
 ::
@@ -65,59 +65,59 @@ seconds, type:
    nslookup -query=hinfo  -timeout=10
 
 The ``-version`` option causes ``nslookup`` to print the version number
-and immediately exit.
+and immediately exits.
 
 Interactive Commands
 ~~~~~~~~~~~~~~~~~~~~
 
-``host [server]``
-   This command looks up information for ``host`` using the current default server or
-   using ``server``, if specified. If ``host`` is an Internet address and the
-   query type is A or PTR, the name of the host is returned. If ``host`` is
-   a name and does not have a trailing period (``.``), the search list is used
+``host`` [server]
+   Look up information for host using the current default server or
+   using server, if specified. If host is an Internet address and the
+   query type is A or PTR, the name of the host is returned. If host is
+   a name and does not have a trailing period, the search list is used
    to qualify the name.
 
    To look up a host not in the current domain, append a period to the
    name.
 
-``server domain`` | ``lserver domain``
-   These commands change the default server to ``domain``; ``lserver`` uses the initial
-   server to look up information about ``domain``, while ``server`` uses the
-   current default server. If an authoritative answer cannot be found,
+``server`` domain | ``lserver`` domain
+   Change the default server to domain; ``lserver`` uses the initial
+   server to look up information about domain, while ``server`` uses the
+   current default server. If an authoritative answer can't be found,
    the names of servers that might have the answer are returned.
 
 ``root``
-   This command is not implemented.
+   not implemented
 
 ``finger``
-   This command is not implemented.
+   not implemented
 
 ``ls``
-   This command is not implemented.
+   not implemented
 
 ``view``
-   This command is not implemented.
+   not implemented
 
 ``help``
-   This command is not implemented.
+   not implemented
 
 ``?``
-   This command is not implemented.
+   not implemented
 
 ``exit``
-   This command exits the program.
+   Exits the program.
 
-``set keyword[=value]``
+``set`` keyword[=value]
    This command is used to change state information that affects the
    lookups. Valid keywords are:
 
    ``all``
-      This keyword prints the current values of the frequently used options to
+      Prints the current values of the frequently used options to
       ``set``. Information about the current default server and host is
       also printed.
 
-   ``class=value``
-      This keyword changes the query class to one of:
+   ``class=``\ value
+      Change the query class to one of:
 
       ``IN``
          the Internet class
@@ -131,62 +131,72 @@ Interactive Commands
       ``ANY``
          wildcard
 
-      The class specifies the protocol group of the information. The default
-      is ``IN``; the abbreviation for this keyword is ``cl``.
+      The class specifies the protocol group of the information.
+
+      (Default = IN; abbreviation = cl)
 
    ``nodebug``
-      This keyword turns on or off the display of the full response packet, and any
-      intermediate response packets, when searching. The default for this keyword is
-      ``nodebug``; the abbreviation for this keyword is ``[no]deb``.
+      Turn on or off the display of the full response packet and any
+      intermediate response packets when searching.
+
+      (Default = nodebug; abbreviation = [no]deb)
 
    ``nod2``
-      This keyword turns debugging mode on or off. This displays more about what
-      nslookup is doing. The default is ``nod2``.
+      Turn debugging mode on or off. This displays more about what
+      nslookup is doing.
 
-   ``domain=name``
-      This keyword sets the search list to ``name``.
+      (Default = nod2)
+
+   ``domain=``\ name
+      Sets the search list to name.
 
    ``nosearch``
-      If the lookup request contains at least one period, but does not end
-      with a trailing period, this keyword appends the domain names in the domain
-      search list to the request until an answer is received. The default is ``search``.
+      If the lookup request contains at least one period but doesn't end
+      with a trailing period, append the domain names in the domain
+      search list to the request until an answer is received.
 
-   ``port=value``
-      This keyword changes the default TCP/UDP name server port to ``value`` from
-      its default, port 53. The abbreviation for this keyword is ``po``.
+      (Default = search)
 
-   ``querytype=value`` | ``type=value``
-      This keyword changes the type of the information query to ``value``. The
-      defaults are A and then AAAA; the abbreviations for these keywords are
-      ``q`` and ``ty``.
+   ``port=``\ value
+      Change the default TCP/UDP name server port to value.
 
-      Please note that it is only possible to specify one query type. Only the default
-      behavior looks up both when an alternative is not specified.
+      (Default = 53; abbreviation = po)
+
+   ``querytype=``\ value | ``type=``\ value
+      Change the type of the information query.
+
+      (Default = A and then AAAA; abbreviations = q, ty)
+
+      **Note:** It is only possible to specify one query type, only the default
+        behavior looks up both when an alternative is not specified.
 
    ``norecurse``
-      This keyword tells the name server to query other servers if it does not have
-      the information. The default is ``recurse``; the abbreviation for this
-      keyword is ``[no]rec``.
+      Tell the name server to query other servers if it does not have
+      the information.
 
-   ``ndots=number``
-      This keyword sets the number of dots (label separators) in a domain that
-      disables searching. Absolute names always stop searching.
+      (Default = recurse; abbreviation = [no]rec)
 
-   ``retry=number``
-      This keyword sets the number of retries to ``number``.
+   ``ndots=``\ number
+      Set the number of dots (label separators) in a domain that will
+      disable searching. Absolute names always stop searching.
 
-   ``timeout=number``
-      This keyword changes the initial timeout interval to wait for a reply to
-      ``number``, in seconds.
+   ``retry=``\ number
+      Set the number of retries to number.
+
+   ``timeout=``\ number
+      Change the initial timeout interval for waiting for a reply to
+      number seconds.
 
    ``novc``
-      This keyword indicates that a virtual circuit should always be used when sending requests to the server.
-      ``novc`` is the default.
+      Always use a virtual circuit when sending requests to the server.
+
+      (Default = novc)
 
    ``nofail``
-      This keyword tries the next nameserver if a nameserver responds with SERVFAIL or
-      a referral (nofail), or terminates the query (fail) on such a response. The
-      default is ``nofail``.
+      Try the next nameserver if a nameserver responds with SERVFAIL or
+      a referral (nofail) or terminate query (fail) on such a response.
+
+      (Default = nofail)
 
 Return Values
 ~~~~~~~~~~~~~
@@ -199,11 +209,11 @@ IDN Support
 
 If ``nslookup`` has been built with IDN (internationalized domain name)
 support, it can accept and display non-ASCII domain names. ``nslookup``
-appropriately converts character encoding of a domain name before sending
-a request to a DNS server or displaying a reply from the server.
-To turn off IDN support, define the ``IDN_DISABLE``
-environment variable. IDN support is disabled if the variable is set
-when ``nslookup`` runs, or when the standard output is not a tty.
+appropriately converts character encoding of domain name before sending
+a request to DNS server or displaying a reply from the server. If you'd
+like to turn off the IDN support for some reason, define the IDN_DISABLE
+environment variable. The IDN support is disabled if the variable is set
+when ``nslookup`` runs or when the standard output is not a tty.
 
 Files
 ~~~~~

bin/dig/readline.h

@@ -1,56 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-#pragma once
-
-/*
- * A little wrapper around readline(), add_history() and free() to make using
- * the readline code simpler.
- */
-
-#if defined(HAVE_READLINE_LIBEDIT)
-#include <editline/readline.h>
-#elif defined(HAVE_READLINE_EDITLINE)
-#include <editline.h>
-#elif defined(HAVE_READLINE_READLINE)
-/* Prevent deprecated functions being declared. */
-#define _FUNCTION_DEF 1
-/* Ensure rl_message() gets prototype. */
-#define USE_VARARGS   1
-#define PREFER_STDARG 1
-#include <readline/history.h>
-#include <readline/readline.h>
-#endif
-
-#if !defined(HAVE_READLINE_LIBEDIT) && !defined(HAVE_READLINE_EDITLINE) && \
-	!defined(HAVE_READLINE_READLINE)
-
-#include <stdio.h>
-#include <stdlib.h>
-
-#define RL_MAXCMD (128 * 1024)
-
-static inline char *
-readline(const char *prompt) {
-	char *line, *buf = malloc(RL_MAXCMD);
-	fprintf(stdout, "%s", prompt);
-	fflush(stdout);
-	line = fgets(buf, RL_MAXCMD, stdin);
-	if (line == NULL) {
-		free(buf);
-		return (NULL);
-	}
-	return (buf);
-};
-
-#define add_history(line)
-
-#endif

bin/dig/win32/dig.vcxproj.in

@@ -75,7 +75,7 @@
       <GenerateDebugInformation>true</GenerateDebugInformation>
       <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
       <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\irs\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
-      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@dighost.lib;libisc.lib;libisccfg.lib;libirs.lib;libdns.lib;libbind9.lib;@IDN_LIB@ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>@OPENSSL_LIB@dighost.lib;libisc.lib;libisccfg.lib;libirs.lib;libdns.lib;libbind9.lib;@IDN_LIB@ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
     </Link>
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
@@ -107,7 +107,7 @@
       <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
       <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
       <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\irs\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
-      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@dighost.lib;libisc.lib;libisccfg.lib;libirs.lib;libdns.lib;libbind9.lib;@IDN_LIB@ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>@OPENSSL_LIB@dighost.lib;libisc.lib;libisccfg.lib;libirs.lib;libdns.lib;libbind9.lib;@IDN_LIB@ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
     </Link>
   </ItemDefinitionGroup>
   <ItemGroup>
@@ -116,26 +116,6 @@
   <ItemGroup>
     <ClCompile Include="..\dig.c" />
   </ItemGroup>
-  <ItemGroup>
-    <ProjectReference Include="..\..\..\lib\isc\win32\libisc.vcxproj">
-      <Project>{3840E563-D180-4761-AA9C-E6155F02EAFF}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\dns\win32\libdns.vcxproj">
-      <Project>{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\isccfg\win32\libisccfg.vcxproj">
-      <Project>{B2DFA58C-6347-478E-81E8-01E06999D4F1}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\irs\win32\libirs.vcxproj">
-      <Project>{A4F29CEB-7644-4A7F-BE9E-02B6A90E4919}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\bind9\win32\libbind9.vcxproj">
-      <Project>{E741C10B-B075-4206-9596-46765B665E03}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\bin\dig\win32\dighost.vcxproj">
-      <Project>{140DE800-E552-43CC-B0C7-A33A92E368CA}</Project>
-    </ProjectReference>
-  </ItemGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">
   </ImportGroup>

bin/dig/win32/dighost.vcxproj.in

@@ -109,23 +109,6 @@
   <ItemGroup>
     <ClCompile Include="..\dighost.c" />
   </ItemGroup>
-  <ItemGroup>
-    <ProjectReference Include="..\..\..\lib\isc\win32\libisc.vcxproj">
-      <Project>{3840E563-D180-4761-AA9C-E6155F02EAFF}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\dns\win32\libdns.vcxproj">
-      <Project>{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\isccfg\win32\libisccfg.vcxproj">
-      <Project>{B2DFA58C-6347-478E-81E8-01E06999D4F1}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\irs\win32\libirs.vcxproj">
-      <Project>{A4F29CEB-7644-4A7F-BE9E-02B6A90E4919}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\bind9\win32\libbind9.vcxproj">
-      <Project>{E741C10B-B075-4206-9596-46765B665E03}</Project>
-    </ProjectReference>
-  </ItemGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">
   </ImportGroup>

bin/dig/win32/host.vcxproj.in

@@ -75,7 +75,7 @@
       <GenerateDebugInformation>true</GenerateDebugInformation>
       <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
       <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\irs\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
-      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@dighost.lib;@IDN_LIB@libisc.lib;libisccfg.lib;libirs.lib;libdns.lib;libbind9.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>@OPENSSL_LIB@dighost.lib;@IDN_LIB@libisc.lib;libisccfg.lib;libirs.lib;libdns.lib;libbind9.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
     </Link>
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
@@ -107,32 +107,12 @@
       <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
       <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
       <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\irs\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
-      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@dighost.lib;@IDN_LIB@libisc.lib;libisccfg.lib;libirs.lib;libdns.lib;libbind9.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>@OPENSSL_LIB@dighost.lib;@IDN_LIB@libisc.lib;libisccfg.lib;libirs.lib;libdns.lib;libbind9.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
     </Link>
   </ItemDefinitionGroup>
   <ItemGroup>
     <ClCompile Include="..\host.c" />
   </ItemGroup>
-  <ItemGroup>
-    <ProjectReference Include="..\..\..\lib\isc\win32\libisc.vcxproj">
-      <Project>{3840E563-D180-4761-AA9C-E6155F02EAFF}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\dns\win32\libdns.vcxproj">
-      <Project>{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\isccfg\win32\libisccfg.vcxproj">
-      <Project>{B2DFA58C-6347-478E-81E8-01E06999D4F1}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\irs\win32\libirs.vcxproj">
-      <Project>{A4F29CEB-7644-4A7F-BE9E-02B6A90E4919}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\bind9\win32\libbind9.vcxproj">
-      <Project>{E741C10B-B075-4206-9596-46765B665E03}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\bin\dig\win32\dighost.vcxproj">
-      <Project>{140DE800-E552-43CC-B0C7-A33A92E368CA}</Project>
-    </ProjectReference>
-  </ItemGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">
   </ImportGroup>

bin/dig/win32/nslookup.vcxproj.in

@@ -75,7 +75,7 @@
       <GenerateDebugInformation>true</GenerateDebugInformation>
       <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
       <AdditionalLibraryDirectories>..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\irs\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
-      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@@READLINE_LIBD@@IDN_LIB@libisc.lib;libisccfg.lib;libirs.lib;libdns.lib;libbind9.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>@OPENSSL_LIB@@READLINE_LIBD@@IDN_LIB@libisc.lib;libisccfg.lib;libirs.lib;libdns.lib;libbind9.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
     </Link>
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
@@ -107,33 +107,13 @@
       <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
       <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
       <AdditionalLibraryDirectories>..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\irs\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
-      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@@READLINE_LIB@@IDN_LIB@libisc.lib;libisccfg.lib;libirs.lib;libdns.lib;libbind9.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>@OPENSSL_LIB@@READLINE_LIB@@IDN_LIB@libisc.lib;libisccfg.lib;libirs.lib;libdns.lib;libbind9.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
     </Link>
   </ItemDefinitionGroup>
   <ItemGroup>
     <ClCompile Include="..\dighost.c" />
     <ClCompile Include="..\nslookup.c" />
   </ItemGroup>
-  <ItemGroup>
-    <ProjectReference Include="..\..\..\lib\isc\win32\libisc.vcxproj">
-      <Project>{3840E563-D180-4761-AA9C-E6155F02EAFF}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\dns\win32\libdns.vcxproj">
-      <Project>{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\isccfg\win32\libisccfg.vcxproj">
-      <Project>{B2DFA58C-6347-478E-81E8-01E06999D4F1}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\irs\win32\libirs.vcxproj">
-      <Project>{A4F29CEB-7644-4A7F-BE9E-02B6A90E4919}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\bind9\win32\libbind9.vcxproj">
-      <Project>{E741C10B-B075-4206-9596-46765B665E03}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\bin\dig\win32\dighost.vcxproj">
-      <Project>{140DE800-E552-43CC-B0C7-A33A92E368CA}</Project>
-    </ProjectReference>
-  </ItemGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">
   </ImportGroup>

bin/dnssec/Makefile.am

@@ -1,38 +0,0 @@
-include $(top_srcdir)/Makefile.top
-
-AM_CPPFLAGS +=			\
-	$(LIBISC_CFLAGS)	\
-	$(LIBDNS_CFLAGS)
-
-AM_CPPFLAGS +=						\
-	-DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
-
-noinst_LTLIBRARIES = libdnssectool.la
-
-LDADD =				\
-	libdnssectool.la	\
-	$(LIBISC_LIBS)		\
-	$(LIBDNS_LIBS)
-
-bin_PROGRAMS = \
-	dnssec-cds		\
-	dnssec-dsfromkey	\
-	dnssec-importkey	\
-	dnssec-keyfromlabel	\
-	dnssec-keygen		\
-	dnssec-revoke		\
-	dnssec-settime		\
-	dnssec-signzone		\
-	dnssec-verify
-
-libdnssectool_la_SOURCES =	\
-	dnssectool.h		\
-	dnssectool.c
-
-dnssec_keygen_CPPFLAGS =	\
-	$(AM_CPPFLAGS)		\
-	$(LIBISCCFG_CFLAGS)
-
-dnssec_keygen_LDADD =		\
-	$(LDADD)		\
-	$(LIBISCCFG_LIBS)

bin/dnssec/Makefile.in

@@ -0,0 +1,110 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
+		${OPENSSL_CFLAGS}
+
+CDEFINES =	-DVERSION=\"${VERSION}\" -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
+CWARNINGS =
+
+DNSLIBS =	../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
+ISCLIBS =	../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@
+
+DNSDEPLIBS =	../../lib/dns/libdns.@A@
+ISCDEPLIBS =	../../lib/isc/libisc.@A@
+ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@
+
+DEPLIBS =	${DNSDEPLIBS} ${ISCCFGDEPLIBS} ${ISCDEPLIBS}
+
+LIBS =		${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
+
+NOSYMLIBS =	${DNSLIBS} ${ISCCFGLIBS} ${ISCNOSYMLIBS} @LIBS@
+
+# Alphabetically
+TARGETS =	dnssec-cds@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \
+		dnssec-importkey@EXEEXT@ dnssec-keyfromlabel@EXEEXT@ \
+		dnssec-keygen@EXEEXT@ dnssec-revoke@EXEEXT@ \
+		dnssec-settime@EXEEXT@ dnssec-signzone@EXEEXT@ \
+		dnssec-verify@EXEEXT@
+
+OBJS =		dnssectool.@O@
+
+SRCS =		dnssec-cds.c dnssec-dsfromkey.c dnssec-importkey.c \
+		dnssec-keyfromlabel.c dnssec-keygen.c dnssec-revoke.c \
+		dnssec-settime.c dnssec-signzone.c dnssec-verify.c \
+		dnssectool.c
+
+@BIND9_MAKE_RULES@
+
+dnssec-cds@EXEEXT@: dnssec-cds.@O@ ${OBJS} ${DEPLIBS}
+	export BASEOBJS="dnssec-cds.@O@ ${OBJS}"; \
+	${FINALBUILDCMD}
+
+dnssec-dsfromkey@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS}
+	export BASEOBJS="dnssec-dsfromkey.@O@ ${OBJS}"; \
+	${FINALBUILDCMD}
+
+dnssec-keyfromlabel@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS}
+	export BASEOBJS="dnssec-keyfromlabel.@O@ ${OBJS}"; \
+	${FINALBUILDCMD}
+
+dnssec-keygen@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS}
+	export BASEOBJS="dnssec-keygen.@O@ ${OBJS}"; \
+	${FINALBUILDCMD}
+
+dnssec-signzone.@O@: dnssec-signzone.c
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
+		-c ${srcdir}/dnssec-signzone.c
+
+dnssec-signzone@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS}
+	export BASEOBJS="dnssec-signzone.@O@ ${OBJS}"; \
+	${FINALBUILDCMD}
+
+dnssec-verify.@O@: dnssec-verify.c
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
+		-c ${srcdir}/dnssec-verify.c
+
+dnssec-verify@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS}
+	export BASEOBJS="dnssec-verify.@O@ ${OBJS}"; \
+	${FINALBUILDCMD}
+
+dnssec-revoke@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+	dnssec-revoke.@O@ ${OBJS} ${LIBS}
+
+dnssec-settime@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+	dnssec-settime.@O@ ${OBJS} ${LIBS}
+
+dnssec-importkey@EXEEXT@: dnssec-importkey.@O@ ${OBJS} ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+	dnssec-importkey.@O@ ${OBJS} ${LIBS}
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
+
+install:: ${TARGETS} installdirs
+	for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir} || exit 1; done
+
+uninstall::
+	for t in ${TARGETS}; do ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/$$t || exit 1; done
+
+clean distclean::
+	rm -f ${TARGETS}

bin/dnssec/dnssec-cds.c

@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -21,7 +21,6 @@
 #include <stdbool.h>
 #include <stdlib.h>
 
-#include <isc/attributes.h>
 #include <isc/buffer.h>
 #include <isc/commandline.h>
 #include <isc/file.h>
@@ -1021,8 +1020,8 @@ nsdiff(uint32_t ttl, dns_rdataset_t *oldset, dns_rdataset_t *newset) {
 	}
 }
 
-ISC_NORETURN static void
-usage(void);
+ISC_PLATFORM_NORETURN_PRE static void
+usage(void) ISC_PLATFORM_NORETURN_POST;
 
 static void
 usage(void) {
@@ -1030,7 +1029,7 @@ usage(void) {
 	fprintf(stderr,
 		"    %s options [options] -f <file> -d <path> <domain>\n",
 		program);
-	fprintf(stderr, "Version: %s\n", PACKAGE_VERSION);
+	fprintf(stderr, "Version: %s\n", VERSION);
 	fprintf(stderr, "Options:\n"
 			"    -a <algorithm>     digest algorithm (SHA-1 / "
 			"SHA-256 / SHA-384)\n"

bin/dnssec/dnssec-cds.rst

@@ -3,7 +3,7 @@
    
    This Source Code Form is subject to the terms of the Mozilla Public
    License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, you can obtain one at https://mozilla.org/MPL/2.0/.
+   file, You can obtain one at http://mozilla.org/MPL/2.0/.
    
    See the COPYRIGHT file distributed with this work for additional
    information regarding copyright ownership.
@@ -29,7 +29,7 @@ dnssec-cds - change DS records for a child zone based on CDS/CDNSKEY
 Synopsis
 ~~~~~~~~
 
-:program:`dnssec-cds` [**-a** alg...] [**-c** class] [**-D**] {**-d** dsset-file} {**-f** child-file} [**-i**[extension]] [**-s** start-time] [**-T** ttl] [**-u**] [**-v** level] [**-V**] {domain}
+:program:`dnssec-cds` [**-a** alg...] [**-c** class] [**-D**] {**-d** dsset-file} {**-f** child-file} [**-i** [extension]] [**-s** start-time] [**-T** ttl] [**-u**] [**-v** level] [**-V**] {domain}
 
 Description
 ~~~~~~~~~~~
@@ -38,8 +38,8 @@ The ``dnssec-cds`` command changes DS records at a delegation point
 based on CDS or CDNSKEY records published in the child zone. If both CDS
 and CDNSKEY records are present in the child zone, the CDS is preferred.
 This enables a child zone to inform its parent of upcoming changes to
-its key-signing keys (KSKs); by polling periodically with ``dnssec-cds``, the
-parent can keep the DS records up-to-date and enable automatic rolling
+its key-signing keys; by polling periodically with ``dnssec-cds``, the
+parent can keep the DS records up to date and enable automatic rolling
 of KSKs.
 
 Two input files are required. The ``-f child-file`` option specifies a
@@ -52,12 +52,12 @@ output of a previous run of ``dnssec-cds``.
 
 The ``dnssec-cds`` command uses special DNSSEC validation logic
 specified by :rfc:`7344`. It requires that the CDS and/or CDNSKEY records
-be validly signed by a key represented in the existing DS records. This
-is typically the pre-existing KSK.
+are validly signed by a key represented in the existing DS records. This
+will typically be the pre-existing key-signing key (KSK).
 
 For protection against replay attacks, the signatures on the child
 records must not be older than they were on a previous run of
-``dnssec-cds``. Their age is obtained from the modification time of the
+``dnssec-cds``. This time is obtained from the modification time of the
 ``dsset-`` file, or from the ``-s`` option.
 
 To protect against breaking the delegation, ``dnssec-cds`` ensures that
@@ -67,104 +67,103 @@ type.
 
 By default, replacement DS records are written to the standard output;
 with the ``-i`` option the input file is overwritten in place. The
-replacement DS records are the same as the existing records, when no
-change is required. The output can be empty if the CDS/CDNSKEY records
-specify that the child zone wants to be insecure.
+replacement DS records will be the same as the existing records when no
+change is required. The output can be empty if the CDS / CDNSKEY records
+specify that the child zone wants to go insecure.
 
-.. warning::
-
-   Be careful not to delete the DS records when ``dnssec-cds`` fails!
+Warning: Be careful not to delete the DS records when ``dnssec-cds``
+fails!
 
 Alternatively, ``dnssec-cds -u`` writes an ``nsupdate`` script to the
-standard output. The ``-u`` and ``-i`` options can be used together to
+standard output. You can use the ``-u`` and ``-i`` options together to
 maintain a ``dsset-`` file as well as emit an ``nsupdate`` script.
 
 Options
 ~~~~~~~
 
-``-a algorithm``
-   This option specifies a digest algorithm to use when converting CDNSKEY records to
+**-a** algorithm
+   Specify a digest algorithm to use when converting CDNSKEY records to
    DS records. This option can be repeated, so that multiple DS records
    are created for each CDNSKEY record. This option has no effect when
    using CDS records.
 
    The algorithm must be one of SHA-1, SHA-256, or SHA-384. These values
-   are case-insensitive, and the hyphen may be omitted. If no algorithm
+   are case insensitive, and the hyphen may be omitted. If no algorithm
    is specified, the default is SHA-256.
 
-``-c class``
-   This option specifies the DNS class of the zones.
+**-c** class
+   Specifies the DNS class of the zones.
 
-``-D``
-   This option generates DS records from CDNSKEY records if both CDS and CDNSKEY
+**-D**
+   Generate DS records from CDNSKEY records if both CDS and CDNSKEY
    records are present in the child zone. By default CDS records are
    preferred.
 
-``-d path``
-   This specifies the location of the parent DS records. The path can be the name of a file
-   containing the DS records; if it is a directory, ``dnssec-cds``
+**-d** path
+   Location of the parent DS records. The path can be the name of a file
+   containing the DS records, or if it is a directory, ``dnssec-cds``
    looks for a ``dsset-`` file for the domain inside the directory.
 
    To protect against replay attacks, child records are rejected if they
    were signed earlier than the modification time of the ``dsset-``
    file. This can be adjusted with the ``-s`` option.
 
-``-f child-file``
-   This option specifies the file containing the child's CDS and/or CDNSKEY records, plus its
-   DNSKEY records and the covering RRSIG records, so that they can be
+**-f** child-file
+   File containing the child's CDS and/or CDNSKEY records, plus its
+   DNSKEY records and the covering RRSIG records so that they can be
    authenticated.
 
-   The examples below describe how to generate this file.
+   The EXAMPLES below describe how to generate this file.
 
-``-iextension``
-   This option updates the ``dsset-`` file in place, instead of writing DS records to
+**-iextension**
+   Update the ``dsset-`` file in place, instead of writing DS records to
    the standard output.
 
-   There must be no space between the ``-i`` and the extension. If
-   no extension is provided, the old ``dsset-`` is discarded. If an
+   There must be no space between the ``-i`` and the extension. If you
+   provide no extension then the old ``dsset-`` is discarded. If an
    extension is present, a backup of the old ``dsset-`` file is kept
    with the extension appended to its filename.
 
    To protect against replay attacks, the modification time of the
    ``dsset-`` file is set to match the signature inception time of the
-   child records, provided that it is later than the file's current
+   child records, provided that is later than the file's current
    modification time.
 
-``-s start-time``
-   This option specifies the date and time after which RRSIG records become
-   acceptable. This can be either an absolute or a relative time. An
+**-s** start-time
+   Specify the date and time after which RRSIG records become
+   acceptable. This can be either an absolute or relative time. An
    absolute start time is indicated by a number in YYYYMMDDHHMMSS
    notation; 20170827133700 denotes 13:37:00 UTC on August 27th, 2017. A
-   time relative to the ``dsset-`` file is indicated with ``-N``, which is N
+   time relative to the ``dsset-`` file is indicated with -N, which is N
    seconds before the file modification time. A time relative to the
-   current time is indicated with ``now+N``.
+   current time is indicated with now+N.
 
    If no start-time is specified, the modification time of the
    ``dsset-`` file is used.
 
-``-T ttl``
-   This option specifies a TTL to be used for new DS records. If not specified, the
-   default is the TTL of the old DS records. If they had no explicit TTL,
-   the new DS records also have no explicit TTL.
+**-T** ttl
+   Specifies a TTL to be used for new DS records. If not specified, the
+   default is the TTL of the old DS records. If they had no explicit TTL
+   then the new DS records also have no explicit TTL.
 
-``-u``
-   This option writes an ``nsupdate`` script to the standard output, instead of
-   printing the new DS reords. The output is empty if no change is
+**-u**
+   Write an ``nsupdate`` script to the standard output, instead of
+   printing the new DS reords. The output will be empty if no change is
    needed.
 
-   Note: The TTL of new records needs to be specified: it can be done in the
-   original ``dsset-`` file, with the ``-T`` option, or using the
+   Note: The TTL of new records needs to be specified, either in the
+   original ``dsset-`` file, or with the ``-T`` option, or using the
    ``nsupdate`` ``ttl`` command.
 
-``-V``
-   This option prints version information.
+**-V**
+   Print version information.
 
-``-v level``
-   This option sets the debugging level. Level 1 is intended to be usefully verbose
+**-v** level
+   Sets the debugging level. Level 1 is intended to be usefully verbose
    for general users; higher levels are intended for developers.
 
-``domain``
-   This indicates the name of the delegation point/child zone apex.
+domain
+   The name of the delegation point / child zone apex.
 
 Exit Status
 ~~~~~~~~~~~
@@ -172,17 +171,17 @@ Exit Status
 The ``dnssec-cds`` command exits 0 on success, or non-zero if an error
 occurred.
 
-If successful, the DS records may or may not need to be
+In the success case, the DS records might or might not need to be
 changed.
 
 Examples
 ~~~~~~~~
 
-Before running ``dnssec-signzone``, ensure that the delegations
+Before running ``dnssec-signzone``, you can ensure that the delegations
 are up-to-date by running ``dnssec-cds`` on every ``dsset-`` file.
 
-To fetch the child records required by ``dnssec-cds``, invoke
-``dig`` as in the script below. It is acceptable if the ``dig`` fails, since
+To fetch the child records required by ``dnssec-cds`` you can invoke
+``dig`` as in the script below. It's okay if the ``dig`` fails since
 ``dnssec-cds`` performs all the necessary checking.
 
 ::
@@ -194,10 +193,10 @@ To fetch the child records required by ``dnssec-cds``, invoke
        dnssec-cds -i -f /dev/stdin -d $f $d
    done
 
-When the parent zone is automatically signed by ``named``,
-``dnssec-cds`` can be used with ``nsupdate`` to maintain a delegation as follows.
+When the parent zone is automatically signed by ``named``, you can use
+``dnssec-cds`` with ``nsupdate`` to maintain a delegation as follows.
 The ``dsset-`` file allows the script to avoid having to fetch and
-validate the parent DS records, and it maintains the replay attack
+validate the parent DS records, and it keeps the replay attack
 protection time.
 
 ::

bin/dnssec/dnssec-dsfromkey.c

@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -15,7 +15,6 @@
 #include <stdbool.h>
 #include <stdlib.h>
 
-#include <isc/attributes.h>
 #include <isc/buffer.h>
 #include <isc/commandline.h>
 #include <isc/hash.h>
@@ -215,7 +214,7 @@ loadkey(char *filename, unsigned char *key_buf, unsigned int key_buf_size,
 	rdclass = dst_key_class(key);
 
 	name = dns_fixedname_initname(&fixed);
-	dns_name_copy(dst_key_name(key), name);
+	dns_name_copynf(dst_key_name(key), name);
 
 	dst_key_free(&key);
 }
@@ -321,8 +320,8 @@ emits(bool showall, bool cds, dns_rdata_t *rdata) {
 	}
 }
 
-ISC_NORETURN static void
-usage(void);
+ISC_PLATFORM_NORETURN_PRE static void
+usage(void) ISC_PLATFORM_NORETURN_POST;
 
 static void
 usage(void) {
@@ -331,7 +330,7 @@ usage(void) {
 	fprintf(stderr, "    %s [options] -f zonefile [zonename]\n\n", program);
 	fprintf(stderr, "    %s [options] -s dnsname\n\n", program);
 	fprintf(stderr, "    %s [-h|-V]\n\n", program);
-	fprintf(stderr, "Version: %s\n", PACKAGE_VERSION);
+	fprintf(stderr, "Version: %s\n", VERSION);
 	fprintf(stderr, "Options:\n"
 			"    -1: digest algorithm SHA-1\n"
 			"    -2: digest algorithm SHA-256\n"

bin/dnssec/dnssec-dsfromkey.rst

@@ -3,7 +3,7 @@
    
    This Source Code Form is subject to the terms of the Mozilla Public
    License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, you can obtain one at https://mozilla.org/MPL/2.0/.
+   file, You can obtain one at http://mozilla.org/MPL/2.0/.
    
    See the COPYRIGHT file distributed with this work for additional
    information regarding copyright ownership.
@@ -45,7 +45,7 @@ The ``dnssec-dsfromkey`` command outputs DS (Delegation Signer) resource records
 
 The input keys can be specified in a number of ways:
 
-By default, ``dnssec-dsfromkey`` reads a key file named in the format
+By default, ``dnssec-dsfromkey`` reads a key file named like
 ``Knnnn.+aaa+iiiii.key``, as generated by ``dnssec-keygen``.
 
 With the ``-f file`` option, ``dnssec-dsfromkey`` reads keys from a zone
@@ -57,73 +57,73 @@ as generated by ``dnssec-keygen`` ``-C``.
 Options
 ~~~~~~~
 
-``-1``
-   This option is an abbreviation for ``-a SHA1``.
+**-1**
+   An abbreviation for ``-a SHA1``
 
-``-2``
-   This option is an abbreviation for ``-a SHA-256``.
+**-2**
+   An abbreviation for ``-a SHA-256``
 
-``-a algorithm``
-   This option specifies a digest algorithm to use when converting DNSKEY records to
+**-a** algorithm
+   Specify a digest algorithm to use when converting DNSKEY records to
    DS records. This option can be repeated, so that multiple DS records
    are created for each DNSKEY record.
 
    The algorithm must be one of SHA-1, SHA-256, or SHA-384. These values
-   are case-insensitive, and the hyphen may be omitted. If no algorithm
+   are case insensitive, and the hyphen may be omitted. If no algorithm
    is specified, the default is SHA-256.
 
-``-A``
-   This option indicates that ZSKs are to be included when generating DS records. Without this option, only
-   keys which have the KSK flag set are converted to DS records and
-   printed. This option is only useful in ``-f`` zone file mode.
+**-A**
+   Include ZSKs when generating DS records. Without this option, only
+   keys which have the KSK flag set will be converted to DS records and
+   printed. Useful only in ``-f`` zone file mode.
 
-``-c class``
-   This option specifies the DNS class; the default is IN. This option is only useful in ``-s`` keyset
+**-c** class
+   Specifies the DNS class (default is IN). Useful only in ``-s`` keyset
    or ``-f`` zone file mode.
 
-``-C``
-   This option generates CDS records rather than DS records.
+**-C**
+   Generate CDS records rather than DS records.
 
-``-f file``
-   This option sets zone file mode, in which the final dnsname argument of ``dnssec-dsfromkey`` is the
+**-f** file
+   Zone file mode: ``dnssec-dsfromkey``'s final dnsname argument is the
    DNS domain name of a zone whose master file can be read from
    ``file``. If the zone name is the same as ``file``, then it may be
    omitted.
 
-   If ``file`` is ``-``, then the zone data is read from the standard
+   If file is ``"-"``, then the zone data is read from the standard
    input. This makes it possible to use the output of the ``dig``
    command as input, as in:
 
    ``dig dnskey example.com | dnssec-dsfromkey -f - example.com``
 
-``-h``
-   This option prints usage information.
+**-h**
+   Prints usage information.
 
-``-K directory``
-   This option tells BIND 9 to look for key files or ``keyset-`` files in ``directory``.
+**-K** directory
+   Look for key files or ``keyset-`` files in ``directory``.
 
-``-s``
-   This option enables keyset mode, in which the final dnsname argument from ``dnssec-dsfromkey`` is the DNS
+**-s**
+   Keyset mode: ``dnssec-dsfromkey``'s final dnsname argument is the DNS
    domain name used to locate a ``keyset-`` file.
 
-``-T TTL``
-   This option specifies the TTL of the DS records. By default the TTL is omitted.
+**-T** TTL
+   Specifies the TTL of the DS records. By default the TTL is omitted.
 
-``-v level``
-   This option sets the debugging level.
+**-v** level
+   Sets the debugging level.
 
-``-V``
-   This option prints version information.
+**-V**
+   Prints version information.
 
 Example
 ~~~~~~~
 
-To build the SHA-256 DS RR from the ``Kexample.com.+003+26160`` keyfile,
-issue the following command:
+To build the SHA-256 DS RR from the ``Kexample.com.+003+26160`` keyfile
+name, you can issue the following command:
 
 ``dnssec-dsfromkey -2 Kexample.com.+003+26160``
 
-The command returns something similar to:
+The command would print something like:
 
 ``example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94``
 
@@ -131,16 +131,16 @@ Files
 ~~~~~
 
 The keyfile can be designated by the key identification
-``Knnnn.+aaa+iiiii`` or the full file name ``Knnnn.+aaa+iiiii.key``, as
-generated by ``dnssec-keygen``.
+``Knnnn.+aaa+iiiii`` or the full file name ``Knnnn.+aaa+iiiii.key`` as
+generated by dnssec-keygen8.
 
 The keyset file name is built from the ``directory``, the string
-``keyset-``, and the ``dnsname``.
+``keyset-`` and the ``dnsname``.
 
 Caveat
 ~~~~~~
 
-A keyfile error may return "file not found," even if the file exists.
+A keyfile error can give a "file not found" even if the file exists.
 
 See Also
 ~~~~~~~~

bin/dnssec/dnssec-importkey.c

@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -14,7 +14,6 @@
 #include <stdbool.h>
 #include <stdlib.h>
 
-#include <isc/attributes.h>
 #include <isc/buffer.h>
 #include <isc/commandline.h>
 #include <isc/hash.h>
@@ -185,7 +184,7 @@ loadkey(char *filename, unsigned char *key_buf, unsigned int key_buf_size,
 	rdclass = dst_key_class(key);
 
 	name = dns_fixedname_initname(&fixed);
-	dns_name_copy(dst_key_name(key), name);
+	dns_name_copynf(dst_key_name(key), name);
 
 	dst_key_free(&key);
 }
@@ -265,15 +264,15 @@ emit(const char *dir, dns_rdata_t *rdata) {
 	dst_key_free(&key);
 }
 
-ISC_NORETURN static void
-usage(void);
+ISC_PLATFORM_NORETURN_PRE static void
+usage(void) ISC_PLATFORM_NORETURN_POST;
 
 static void
 usage(void) {
 	fprintf(stderr, "Usage:\n");
 	fprintf(stderr, "    %s options [-K dir] keyfile\n\n", program);
 	fprintf(stderr, "    %s options -f file [keyname]\n\n", program);
-	fprintf(stderr, "Version: %s\n", PACKAGE_VERSION);
+	fprintf(stderr, "Version: %s\n", VERSION);
 	fprintf(stderr, "Options:\n");
 	fprintf(stderr, "    -f file: read key from zone file\n");
 	fprintf(stderr, "    -K <directory>: directory in which to store "

bin/dnssec/dnssec-importkey.rst

@@ -3,7 +3,7 @@
    
    This Source Code Form is subject to the terms of the Mozilla Public
    License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, you can obtain one at https://mozilla.org/MPL/2.0/.
+   file, You can obtain one at http://mozilla.org/MPL/2.0/.
    
    See the COPYRIGHT file distributed with this work for additional
    information regarding copyright ownership.
@@ -37,12 +37,12 @@ Description
 ~~~~~~~~~~~
 
 ``dnssec-importkey`` reads a public DNSKEY record and generates a pair
-of .key/.private files. The DNSKEY record may be read from an
-existing .key file, in which case a corresponding .private file is
+of .key/.private files. The DNSKEY record may be read from an existing
+.key file, in which case a corresponding .private file will be
 generated, or it may be read from any other file or from the standard
-input, in which case both .key and .private files are generated.
+input, in which case both .key and .private files will be generated.
 
-The newly created .private file does *not* contain private key data, and
+The newly-created .private file does *not* contain private key data, and
 cannot be used for signing. However, having a .private file makes it
 possible to set publication (``-P``) and deletion (``-D``) times for the
 key, which means the public key can be added to and removed from the
@@ -51,70 +51,70 @@ DNSKEY RRset on schedule even if the true private key is stored offline.
 Options
 ~~~~~~~
 
-``-f filename``
-   This option indicates the zone file mode. Instead of a public keyfile name, the argument is the
+**-f** filename
+   Zone file mode: instead of a public keyfile name, the argument is the
    DNS domain name of a zone master file, which can be read from
-   ``filename``. If the domain name is the same as ``filename``, then it may be
+   ``file``. If the domain name is the same as ``file``, then it may be
    omitted.
 
-   If ``filename`` is set to ``"-"``, then the zone data is read from the
+   If ``file`` is set to ``"-"``, then the zone data is read from the
    standard input.
 
-``-K directory``
-   This option sets the directory in which the key files are to reside.
+**-K** directory
+   Sets the directory in which the key files are to reside.
 
-``-L ttl``
-   This option sets the default TTL to use for this key when it is converted into a
-   DNSKEY RR. This is the TTL used when the key is imported into a zone,
-   unless there was already a DNSKEY RRset in
-   place, in which case the existing TTL takes precedence. Setting the default TTL to ``0`` or ``none``
-   removes it from the key.
+**-L** ttl
+   Sets the default TTL to use for this key when it is converted into a
+   DNSKEY RR. If the key is imported into a zone, this is the TTL that
+   will be used for it, unless there was already a DNSKEY RRset in
+   place, in which case the existing TTL would take precedence. Setting
+   the default TTL to ``0`` or ``none`` removes it.
 
-``-h``
-   This option emits a usage message and exits.
+**-h**
+   Emit usage message and exit.
 
-``-v level``
-   This option sets the debugging level.
+**-v** level
+   Sets the debugging level.
 
-``-V``
-   This option prints version information.
+**-V**
+   Prints version information.
 
 Timing Options
 ~~~~~~~~~~~~~~
 
 Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the
-argument begins with a ``+`` or ``-``, it is interpreted as an offset from
+argument begins with a '+' or '-', it is interpreted as an offset from
 the present time. For convenience, if such an offset is followed by one
-of the suffixes ``y``, ``mo``, ``w``, ``d``, ``h``, or ``mi``, then the offset is
+of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the offset is
 computed in years (defined as 365 24-hour days, ignoring leap years),
 months (defined as 30 24-hour days), weeks, days, hours, or minutes,
 respectively. Without a suffix, the offset is computed in seconds. To
-explicitly prevent a date from being set, use ``none`` or ``never``.
+explicitly prevent a date from being set, use 'none' or 'never'.
 
-``-P date/offset``
-   This option sets the date on which a key is to be published to the zone. After
-   that date, the key is included in the zone but is not used
+**-P** date/offset
+   Sets the date on which a key is to be published to the zone. After
+   that date, the key will be included in the zone but will not be used
    to sign it.
 
-``-P sync date/offset``
-   This option sets the date on which CDS and CDNSKEY records that match this key
+**-P** sync date/offset
+   Sets the date on which CDS and CDNSKEY records that match this key
    are to be published to the zone.
 
-``-D date/offset``
-   This option sets the date on which the key is to be deleted. After that date, the
-   key is no longer included in the zone. (However, it may remain in the key
-   repository.)
+**-D** date/offset
+   Sets the date on which the key is to be deleted. After that date, the
+   key will no longer be included in the zone. (It may remain in the key
+   repository, however.)
 
-``-D sync date/offset``
-   This option sets the date on which the CDS and CDNSKEY records that match this
+**-D** sync date/offset
+   Sets the date on which the CDS and CDNSKEY records that match this
    key are to be deleted.
 
 Files
 ~~~~~
 
 A keyfile can be designed by the key identification ``Knnnn.+aaa+iiiii``
-or the full file name ``Knnnn.+aaa+iiiii.key``, as generated by
-``dnssec-keygen``.
+or the full file name ``Knnnn.+aaa+iiiii.key`` as generated by
+dnssec-keygen8.
 
 See Also
 ~~~~~~~~

bin/dnssec/dnssec-keyfromlabel.c

@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -16,7 +16,6 @@
 #include <stdbool.h>
 #include <stdlib.h>
 
-#include <isc/attributes.h>
 #include <isc/buffer.h>
 #include <isc/commandline.h>
 #include <isc/mem.h>
@@ -48,14 +47,14 @@
 
 const char *program = "dnssec-keyfromlabel";
 
-ISC_NORETURN static void
-usage(void);
+ISC_PLATFORM_NORETURN_PRE static void
+usage(void) ISC_PLATFORM_NORETURN_POST;
 
 static void
 usage(void) {
 	fprintf(stderr, "Usage:\n");
 	fprintf(stderr, "    %s -l label [options] name\n\n", program);
-	fprintf(stderr, "Version: %s\n", PACKAGE_VERSION);
+	fprintf(stderr, "Version: %s\n", VERSION);
 	fprintf(stderr, "Required options:\n");
 	fprintf(stderr, "    -l label: label of the key pair\n");
 	fprintf(stderr, "    name: owner of the key\n");