Merge branch '1876-kasp-test-wait-for-reconfig' into 'main'

Resolve "kasp: algnum migration test does not wait long enough."

Closes #1876

See merge request isc-projects/bind9!3588

(cherry picked from commit 5cc856095b)

cf76d839 kasp tests: Replace while loops with retry_quiet
a47192ed kasp tests: fix wait for reconfig done

.clang-format

@@ -0,0 +1,73 @@
+BasedOnStyle: LLVM
+IndentWidth: 8
+UseTab: Always
+BreakBeforeBraces: Custom
+BraceWrapping:
+  AfterClass:      false
+  AfterEnum:       false
+  AfterStruct:     false
+  AfterUnion:      false
+  AfterControlStatement: MultiLine
+  AfterFunction:   false # should also be MultiLine, but not yet supported
+  AfterExternBlock: false
+  BeforeElse:      false
+  IndentBraces:    false
+  SplitEmptyFunction: true
+AllowShortIfStatementsOnASingleLine: false
+IndentCaseLabels: false
+AlwaysBreakAfterReturnType: All
+Cpp11BracedListStyle: false
+ColumnLimit: 80
+AlignAfterOpenBracket: Align
+AlignConsecutiveDeclarations: false
+AlignConsecutiveMacros: true
+AlignTrailingComments: true
+AllowAllArgumentsOnNextLine: true
+AlwaysBreakBeforeMultilineStrings: false
+BreakBeforeBinaryOperators: None
+BreakBeforeTernaryOperators: true
+AlignEscapedNewlines: Left
+DerivePointerAlignment: false
+PointerAlignment: Right
+PointerBindsToType: false
+IncludeBlocks: Regroup
+IncludeCategories:
+  - Regex:           '^<isc/'
+    Priority:        5
+  - Regex:           '^<(pk11|pkcs11)/'
+    Priority:        10
+  - Regex:           '^<dns/'
+    Priority:        15
+  - Regex:           '^<dst/'
+    Priority:        20
+  - Regex:           '^<isccc/'
+    Priority:        25
+  - Regex:           '^<isccfg/'
+    Priority:        30
+  - Regex:           '^<ns/'
+    Priority:        35
+  - Regex:           '^<irs/'
+    Priority:        40
+  - Regex:           '^<bind9/'
+    Priority:        45
+  - Regex:           '^<(dig|named|rndc|confgen|dlz)/'
+    Priority:        50
+  - Regex:           '^<dlz_'
+    Priority:        55
+  - Regex:           '^".*"'
+    Priority:        99
+  - Regex:           '<openssl/'
+    Priority:        1
+  - Regex:           '<(mysql|protobuf-c)/'
+    Priority:        1
+  - Regex:           '.*'
+    Priority:        0
+KeepEmptyLinesAtTheStartOfBlocks: false
+MaxEmptyLinesToKeep: 1
+PenaltyBreakAssignment: 30
+PenaltyBreakComment: 10
+PenaltyBreakFirstLessLess: 0
+PenaltyBreakString: 80
+PenaltyExcessCharacter: 100
+Standard: Cpp11
+ContinuationIndentWidth: 8

.clang-format.headers

@@ -0,0 +1,61 @@
+BasedOnStyle: LLVM
+IndentWidth: 8
+UseTab: Always
+BreakBeforeBraces: Custom
+BraceWrapping:
+  AfterClass:      false
+  AfterEnum:       false
+  AfterStruct:     false
+  AfterUnion:      false
+  AfterControlStatement: MultiLine
+  AfterFunction:   false # should also be MultiLine, but not yet supported
+  AfterExternBlock: false
+  BeforeElse:      false
+  IndentBraces:    false
+  SplitEmptyFunction: true
+AllowShortIfStatementsOnASingleLine: false
+IndentCaseLabels: false
+AlwaysBreakAfterReturnType: All
+Cpp11BracedListStyle: false
+ColumnLimit: 80
+AlignAfterOpenBracket: Align
+AlignConsecutiveDeclarations: true
+AlignConsecutiveMacros: true
+AlignTrailingComments: true
+AllowAllArgumentsOnNextLine: true
+AlwaysBreakBeforeMultilineStrings: false
+BreakBeforeBinaryOperators: None
+BreakBeforeTernaryOperators: true
+AlignEscapedNewlines: Left
+DerivePointerAlignment: false
+PointerAlignment: Right
+PointerBindsToType: false
+IncludeBlocks: Regroup
+IncludeCategories:
+  - Regex:           '^<isc/'
+    Priority:        2
+  - Regex:           '^<dns/'
+    Priority:        3
+  - Regex:           '^<iscccc/'
+    Priority:        4
+  - Regex:           '^<isccfg/'
+    Priority:        5
+  - Regex:           '^<ns/'
+    Priority:        6
+  - Regex:           '^<bind9/)'
+    Priority:        7
+  - Regex:           '^(<[^/]*)/)'
+    Priority:        8
+  - Regex:           '<[[:alnum:].]+>'
+    Priority:        1
+  - Regex:           '".*"'
+    Priority:        9
+KeepEmptyLinesAtTheStartOfBlocks: false
+MaxEmptyLinesToKeep: 1
+PenaltyBreakAssignment: 30
+PenaltyBreakComment: 10
+PenaltyBreakFirstLessLess: 0
+PenaltyBreakString: 80
+PenaltyExcessCharacter: 100
+Standard: Cpp11
+ContinuationIndentWidth: 8

.gitattributes

@@ -7,4 +7,5 @@
 /doc/dev			 export-ignore
 /util/**			 export-ignore
 /util/bindkeys.pl		-export-ignore
+/util/check-make-install.in	-export-ignore
 /util/mksymtbl.pl		-export-ignore

.gitignore

@@ -12,6 +12,7 @@
 *_test
 *.ipch # vscode/intellisense precompiled header
 *~
+__pycache__/
 .ccache/
 .cproject
 .deps/
@@ -61,3 +62,4 @@ timestamp
 /cppcheck_html/
 /cppcheck.results
 /tsan
+/util/check-make-install

.pylintrc

@@ -0,0 +1,7 @@
+[MASTER]
+disable=
+    C0114, # missing-module-docstring
+    C0115, # missing-class-docstring
+    C0116, # missing-function-docstring
+    R0801, # duplicate-code
+    C0103, # invalid-name

.uncrustify.cfg

@@ -24,7 +24,7 @@ string_escape_char2                      = 0        # number
 # Improvements to template detection may make this option obsolete.
 tok_split_gte                            = false    # false/true
 
-# Control what to do with the UTF-8 BOM (recommed 'remove')
+# Control what to do with the UTF-8 BOM (recommend 'remove')
 utf8_bom                                 = ignore   # ignore/add/remove/force
 
 # If the file only contains chars between 128 and 255 and is not UTF-8, then output as UTF-8
@@ -1352,7 +1352,7 @@ cmt_insert_func_header                   = ""         # string
 # Will substitute $(class) with the class name.
 cmt_insert_class_header                  = ""         # string
 
-# The filename that contains text to insert before a Obj-C message specification if the method isn't preceeded with a C/C++ comment.
+# The filename that contains text to insert before a Obj-C message specification if the method isn't preceded with a C/C++ comment.
 # Will substitute $(message) with the function name and $(javaparam) with the javadoc @param and @return stuff.
 cmt_insert_oc_msg_header                 = ""         # string
 

CHANGES

@@ -1,3 +1,293 @@
+5449.	[bug]		Fix a socket shutdown race in netmgr udp. [GL #1938]
+
+5448.	[bug]		Fix a race condition in isc__nm_tcpdns_send().
+			[GL #1937]
+
+5447.	[bug]		IPv6 addresses ending in "::" could break YAML
+			parsing. A "0" is now appended to such addresses
+			in YAML output from dig, mdig, delv, and dnstap-read.
+			[GL #1952]
+
+5446.	[bug]		The validator could fail to accept a properly signed
+			RRset if an unsupported algorithm appeared earlier in
+			the DNSKEY RRset than a supported algorithm.  It could
+			also stop if it detected a malformed public key.
+			[GL #1689]
+
+5443.	[bug]		The "primary" and "secondary" keywords, when used
+			as parameters for "check-names", were not
+			processed correctly and were being ignored. [GL #1949]
+
+5441.	[bug]		${LMDB_CFLAGS} missing from make/includes.in
+			[GL #1955]
+
+5440.	[test]		Properly handle missing kyua. [GL #1950]
+
+5439.	[bug]		The dsset returned by dns_keynode_dsset() was not
+			thread safe. [GL #1926]
+
+	--- 9.16.4 released ---
+
+5438.	[bug]		Fix a race in TCP accepting code. [GL #1930]
+
+5437.	[bug]		Fix a data race in lib/dns/resolver.c:log_formerr().
+			[GL #1808]
+
+5436.	[security]	It was possible to trigger an INSIST when determining
+			whether a record would fit into a TCP message buffer.
+			(CVE-2020-8618) [GL #1850]
+
+5435.	[tests]		Add RFC 4592 responses examples to the wildcard system
+			test. [GL #1718]
+
+5434.	[security]	It was possible to trigger an INSIST in
+			lib/dns/rbtdb.c:new_reference() with a particular zone
+			content and query patterns. (CVE-2020-8619) [GL #1111]
+			[GL #1718]
+
+5431.	[func]		Reject DS records at the zone apex when loading
+			master files. Log but otherwise ignore attempts to
+			add DS records at the zone apex via UPDATE. [GL #1798]
+
+5430.	[doc]		Update docs - with netmgr, a separate listening socket
+			is created for each IPv6 interface (just as with IPv4).
+			[GL #1782]
+
+5428.	[bug]		Clean up GSSAPI resources in nsupdate only after taskmgr
+			has been destroyed. Thanks to Petr Menšík. [GL !3316]
+
+5426.	[bug]		Don't abort() when setting SO_INCOMING_CPU on the socket
+			fails. [GL #1911]
+
+5425.	[func]		The default value of "max-stale-ttl" has been changed
+			from 1 week to 12 hours. [GL #1877]
+
+5424.	[bug]		With KASP, when creating a successor key, the "goal"
+			state of the current active key (predecessor) was not
+			changed and thus never removed from the zone. [GL #1846]
+
+5423.	[bug]		Fix a bug in keymgr_key_has_successor(): it incorrectly
+			returned true if any other key in the keyring had a
+			successor. [GL #1845]
+
+5422.	[bug]		When using dnssec-policy, print correct key timing
+			metadata. [GL #1843]
+
+5421.	[bug]		Fix a race that could cause named to crash when looking
+			up the nodename of an RBT node if the tree was modified.
+			[GL #1857]
+
+5420.	[bug]		Add missing isc_{mutex,conditional}_destroy() calls
+			that caused a memory leak on FreeBSD. [GL #1893]
+
+5418.	[bug]		delv failed to parse deprecated trusted-keys-style
+			trust anchors. [GL #1860]
+
+5416.	[bug]		Fix a lock order inversion in lib/isc/unix/socket.c.
+			[GL #1859]
+
+5415.	[test]		Address race in dnssec system test that led to
+			test failures. [GL #1852]
+
+5414.	[test]		Adjust time allowed for journal truncation to occur
+			in nsupdate system test to avoid test failure.
+			[GL #1855]
+
+5413.	[test]		Address race in autosign system test that led to
+			test failures. [GL #1852]
+
+5412.	[bug]		'provide-ixfr no;' failed to return up-to-date responses
+			when the serial was greater than or equal to the
+			current serial. [GL #1714]
+
+5411.	[cleanup]	TCP accept code has been refactored to use a single
+			accept() and pass the accepted socket to child threads
+			for processing. [GL !3320]
+
+5409.	[performance]	When looking up NSEC3 data in a zone database, skip the
+			check for empty non-terminal nodes; the NSEC3 tree does
+			not have any. [GL #1834]
+
+5408.	[protocol]	Print Extended DNS Errors if present in OPT record.
+			[GL #1835]
+
+5407.	[func]		Zone timers are now exported via statistics channel.
+			Thanks to Paul Frieden, Verizon Media. [GL #1232]
+
+5405.	[bug]		'named-checkconf -p' could include spurious text in
+			server-addresses statements due to an uninitialized DSCP
+			value. [GL #1812]
+
+	--- 9.16.3 released ---
+
+5404.	[bug]		'named-checkconf -z' could incorrectly indicate
+			success if errors were found in one view but not in a
+			subsequent one. [GL #1807]
+
+5403.	[func]		Do not set UDP receive/send buffer sizes - use system
+			defaults. [GL #1713]
+
+5402.	[bug]		On FreeBSD, use SO_REUSEPORT_LB instead of SO_REUSEPORT.
+			Enable use of SO_REUSEADDR on all platforms which
+			support it. [GL !3365]
+
+5401.	[bug]		The number of input queues allocated during dnstap
+			initialization was too low, which could prevent some
+			dnstap data from being logged. [GL #1795]
+
+5400.	[func]		Add engine support to OpenSSL EdDSA implementation.
+			[GL #1763]
+
+5399.	[func]		Add engine support to OpenSSL ECDSA implementation.
+			[GL #1534]
+
+5398.	[bug]		Named could fail to restart if a zone with a double
+			quote (") in its name was added with 'rndc addzone'.
+			[GL #1695]
+
+5397.	[func]		Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.
+			Thanks to Aaron Thompson. [GL !3326]
+
+5396.	[func]		When necessary (i.e. in libuv >= 1.37), use the
+			UV_UDP_RECVMMSG flag to enable recvmmsg() support in
+			libuv. [GL #1797]
+
+5395.	[security]	Further limit the number of queries that can be
+			triggered from a request.  Root and TLD servers
+			are no longer exempt from max-recursion-queries.
+			Fetches for missing name server address records
+			are limited to 4 for any domain. (CVE-2020-8616)
+			[GL #1388]
+
+5394.	[cleanup]	Named formerly attempted to change the effective UID and
+			GID in named_os_openfile(), which could trigger a
+			spurious log message if they were already set to the
+			desired values. This has been fixed. [GL #1042]
+			[GL #1090]
+
+5392.	[bug]		It was possible for named to crash during shutdown
+			or reconfiguration if an RPZ zone was still being
+			updated. [GL #1779]
+
+5390.	[security]	Replaying a TSIG BADTIME response as a request could
+			trigger an assertion failure. (CVE-2020-8617)
+			[GL #1703]
+
+5389.	[bug]		Finish PKCS#11 code cleanup, fix a couple of smaller
+			bugs and use PKCS#11 v3.0 EdDSA macros and constants.
+			Thanks to Aaron Thompson. [GL !3391]
+
+5387.	[func]		Warn about AXFR streams with inconsistent message IDs.
+			[GL #1674]
+
+5386.	[cleanup]	Address Coverity warnings in lib/dns/keymgr.c.
+			[GL #1737]
+
+5385.	[func]		Make ISC rwlock implementation the default again.
+			[GL #1753]
+
+5384.	[bug]		With "dnssec-policy" in effect, "inline-signing" was
+			implicitly set to "yes". Now "inline-signing" is only
+			set to "yes" if the zone is not dynamic. [GL #1709]
+
+	--- 9.16.2 released ---
+
+5383.	[func]		Add a quota attach function with a callback and clean up
+			the isc_quota API. [GL !3280]
+
+5382.	[bug]		Use clock_gettime() instead of gettimeofday() for
+			isc_stdtime() function. [GL #1679]
+
+5381.	[bug]		Fix logging API data race by adding rwlock and caching
+			logging levels in stdatomic variables to restore
+			performance to original levels. [GL #1675] [GL #1717]
+
+5380.	[contrib]	Fix building MySQL DLZ modules against MySQL 8
+			libraries. [GL #1678]
+
+5378.	[bug]		Receiving invalid DNS data was triggering an assertion
+			failure in nslookup. [GL #1652]
+
+5376.	[bug]		Fix ineffective DNS rebinding protection when BIND is
+			configured as a forwarding DNS server. Thanks to Tobias
+			Klein. [GL #1574]
+
+5375.	[test]		Fix timing issues in the "kasp" system test. [GL #1669]
+
+5374.	[bug]		Statistics counters tracking recursive clients and
+			active connections could underflow. [GL #1087]
+
+5373.	[bug]		Collecting statistics for DNSSEC signing operations
+			(change 5254) caused an array of significant size (over
+			100 kB) to be allocated for each configured zone. Each
+			of these arrays is tracking all possible key IDs; this
+			could trigger an out-of-memory condition on servers with
+			a high enough number of zones configured. Fixed by
+			tracking up to four keys per zone and rotating counters
+			when keys are replaced. This fixes the immediate problem
+			of high memory usage, but should be improved in a future
+			release by growing or shrinking the number of keys to
+			track upon key rollover events. [GL #1179]
+
+5372.	[bug]		Fix migration from existing DNSSEC key files
+			("auto-dnssec maintain") to "dnssec-policy". [GL #1706]
+
+5371.	[bug]		Improve incremental updates of the RPZ summary
+			database to reduce delays that could occur when
+			a policy zone update included a large number of
+			record deletions. [GL #1447]
+
+5370.	[bug]		Deactivation of a netmgr handle associated with a
+			socket could be skipped in some circumstances.
+			Fixed by deactivating the netmgr handle before
+			scheduling the asynchronous close routine. [GL #1700]
+
+5368.	[bug]		Named failed to restart if 'rndc addzone' names
+			contained special characters (e.g. '/'). [GL #1655]
+
+5367.	[bug]		Fixed a flaw in the calculation of the zone database
+			size so that "max-journal-size default" uses the correct
+			limit. [GL #1661]
+
+	--- 9.16.1 released ---
+
+5366.	[bug]		Fix a race condition with the keymgr when the same
+			zone plus dnssec-policy is configured in multiple
+			views. [GL #1653]
+
+5365.	[bug]		Algorithm rollover was stuck on submitting DS
+			because keymgr thought it would move to an invalid
+			state.  Fixed by checking the current key against
+			the desired state, not the existing state. [GL #1626]
+
+5364.	[bug]		Algorithm rollover waited too long before introducing
+			zone signatures.  It waited to make sure all signatures
+			were regenerated, but when introducing a new algorithm,
+			all signatures are regenerated immediately.  Only
+			add the sign delay if there is a predecessor key.
+			[GL #1625]
+
+5363.	[bug]		When changing a dnssec-policy, existing keys with
+			properties that no longer match were not being retired.
+			[GL #1624]
+
+5361.	[bug]		named might not accept new connections after
+			hitting tcp-clients quota. [GL #1643]
+
+5360.	[bug]		delv could fail to load trust anchors in DNSKEY
+			format. [GL #1647]
+
+5358.	[bug]		Inline master zones whose master files were touched
+			but otherwise unchanged and were subsequently reloaded
+			may have stopped re-signing. [GL !3135]
+
+5357.	[bug]		Newly added RRSIG records with expiry times before
+			the previous earliest expiry times might not be
+			re-signed in time.  This was a side effect of 5315.
+			[GL !3137]
+
+	--- 9.16.0 released ---
+
 5356.	[func]		Update dnssec-policy configuration statements:
 			- Rename "zone-max-ttl" dnssec-policy option to
 			  "max-zone-ttl" for consistency with the existing
@@ -40,7 +330,7 @@
 5349.	[bug]		Fix a race in task_pause/unpause. [GL #1571]
 
 5348.	[bug]		dnssec-settime -Psync was not being honoured.
-			[GL !2893]
+			[GL !2925]
 
 	--- 9.15.8 released ---
 
@@ -124,7 +414,7 @@
 			close all open sockets during shutdown. [GL #1312]
 
 5324.	[bug]		Change the category of some log messages from general
-			to the more appopriate catergory of xfer-in. [GL #1394]
+			to the more appropriate catergory of xfer-in. [GL #1394]
 
 5323.	[bug]		Fix a bug in DNSSEC trust anchor verification.
 			[GL !2609]
@@ -172,7 +462,7 @@
 
 			See the ARM for configuration details. [GL #1134]
 
-5315.	[bug]		Apply the inital RRSIG expiration spread fixed
+5315.	[bug]		Apply the initial RRSIG expiration spread fixed
 			to all dynamically created records in the zone
 			including NSEC3. Also fix the signature clusters
 			when the server has been offline for prolonged
@@ -1385,7 +1675,7 @@
 4965.	[func]		Add support for marking options as deprecated.
 			[GL #322]
 
-4964.	[bug]		Reduce the probabilty of double signature when deleting
+4964.	[bug]		Reduce the probability of double signature when deleting
 			a DNSKEY by checking if the node is otherwise signed
 			by the algorithm of the key to be deleted. [GL #240]
 
@@ -1469,7 +1759,7 @@
 			for unsigned zones since change 4596. [GL #209]
 
 4945.	[func]		BIND can no longer be built without DNSSEC support.
-			A cryptography provder (i.e., OpenSSL or a hardware
+			A cryptography provider (i.e., OpenSSL or a hardware
 			service module with PKCS#11 support) must be
 			available. [GL #244]
 
@@ -1528,7 +1818,7 @@
 			dig (+[no]raflag, +[no]tcflag). [GL #213]
 
 4928.	[func]		The "dnskey-sig-validity" option allows
-			"sig-validity-interval" to be overriden for signatures
+			"sig-validity-interval" to be overridden for signatures
 			covering DNSKEY RRsets. [GL #145]
 
 4927.	[placeholder]
@@ -1867,7 +2157,7 @@
 			[RT #46725]
 
 4831.	[bug]		Convert the RRSIG expirytime to 64 bits for
-			comparisions in diff.c:resign. [RT #46710]
+			comparisons in diff.c:resign. [RT #46710]
 
 4830.	[bug]		Failure to configure ATF when requested did not cause
 			an error in top-level configure script. [RT #46655]
@@ -2093,7 +2383,7 @@
 			used to append a formatted string to the used region of
 			a buffer. [RT #46201]
 
-4766.	[cleanup]	Addresss Coverity warnings. [RT #46150]
+4766.	[cleanup]	Address Coverity warnings. [RT #46150]
 
 4765.	[bug]		Address potential INSIST in dnssec-cds. [RT #46150]
 
@@ -2287,7 +2577,7 @@
 
 4719.	[bug]		Address PVS static analyzer warnings. [RT #45946]
 
-4718.	[func]		Avoid seaching for a owner name compression pointer
+4718.	[func]		Avoid searching for a owner name compression pointer
 			more than once when writing out a RRset. [RT #45802]
 
 4717.	[bug]		Treat replies with QCOUNT=0 as truncated if TC=1,
@@ -6432,7 +6722,7 @@
 
 3518.	[bug]		Increase the size of dns_rrl_key.s.rtype by one bit
 			so that all dns_rrl_rtype_t enum values fit regardless
-			of whether it is teated as signed or unsigned by
+			of whether it is treated as signed or unsigned by
 			the compiler. [RT #32792]
 
 3517.	[bug]		Reorder destruction to avoid shutdown race. [RT #32777]
@@ -7507,7 +7797,7 @@
 
 	--- 9.9.0b1 released ---
 
-3186.	[bug]		Version/db mis-match in rpz code. [RT #26180]
+3186.	[bug]		Version/db mismatch in rpz code. [RT #26180]
 
 3185.	[func]		New 'rndc signing' option for auto-dnssec zones:
 			 - 'rndc signing -list' displays the current
@@ -8172,7 +8462,7 @@
 2998.	[func]		Add isc_task_beginexclusive and isc_task_endexclusive
 			to the task api. [RT #22776]
 
-2997.	[func]		named -V now reports the OpenSSL and libxml2 verions
+2997.	[func]		named -V now reports the OpenSSL and libxml2 versions
 			it was compiled against. [RT #22687]
 
 2996.	[security]	Temporarily disable SO_ACCEPTFILTER support.
@@ -11155,7 +11445,7 @@
 2096.	[bug]		libbind: handle applications that fail to detect
 			res_init() failures better.
 
-2095.	[port]		libbind: alway prototype inet_cidr_ntop_ipv6() and
+2095.	[port]		libbind: always prototype inet_cidr_ntop_ipv6() and
 			net_cidr_ntop_ipv6(). [RT #16388]
 
 2094.	[contrib]	Update named-bootconf.  [RT #16404]
@@ -11211,7 +11501,7 @@
 2076.	[bug]		Several files were missing #include <config.h>
 			causing build failures on OSF. [RT #16341]
 
-2075.	[bug]		The spillat timer event hander could leak memory.
+2075.	[bug]		The spillat timer event handler could leak memory.
 			[RT #16357]
 
 2074.	[bug]		dns_request_createvia2(), dns_request_createvia3(),
@@ -11973,7 +12263,7 @@
 
 1831.	[doc]		Update named-checkzone documentation. [RT #13604]
 
-1830.	[bug]		adb lame cache has sence of test reversed. [RT #13600]
+1830.	[bug]		adb lame cache has sense of test reversed. [RT #13600]
 
 1829.	[bug]		win32: "pid-file none;" broken. [RT #13563]
 
@@ -12084,7 +12374,7 @@
 1796.	[func]		"rndc freeze/thaw" now freezes/thaws all zones.
 
 1795.	[bug]		"rndc dumpdb" was not fully documented.  Minor
-			formating issues with "rndc dumpdb -all".  [RT #13396]
+			formatting issues with "rndc dumpdb -all".  [RT #13396]
 
 1794.	[func]		Named and named-checkzone can now both check for
 			non-terminal wildcard records.
@@ -13261,7 +13551,7 @@
 			acl.
 
 1393.	[port]		Bind to individual IPv6 interfaces if IPV6_IPV6ONLY
-			is not available in the kernel to prevent accidently
+			is not available in the kernel to prevent accidentally
 			listening on IPv4 interfaces.
 
 1392.	[bug]		named-checkzone: update usage.
@@ -14989,7 +15279,7 @@
  839.	[func]		Dump packets for which there was no view or that the
 			class could not be determined to category "unmatched".
 
- 838.	[port]		UnixWare 7.x.x is now suported by
+ 838.	[port]		UnixWare 7.x.x is now supported by
 			bin/tests/system/ifconfig.sh.
 
  837.	[cleanup]	Multi-threading is now enabled by default only on

CONTRIBUTING

@@ -99,7 +99,7 @@ e-mail is not a secure choice for communications concerning undisclosed
 security issues so please encrypt your communications to us if possible,
 using the ISC Security Officer public key.
 
-Do not discuss undisclosed security vulnerabilites on any public mailing
+Do not discuss undisclosed security vulnerabilities on any public mailing
 list. ISC has a long history of handling reported vulnerabilities promptly
 and effectively and we respect and acknowledge responsible reporters.
 

CONTRIBUTING.md

@@ -8,8 +8,8 @@
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
-## BIND Source Access and Contributor Guidelines
-*Feb 22, 2018*
+## BIND 9 Source Access and Contributor Guidelines
+*May 28, 2020*
 
 ### Contents
 
@@ -19,12 +19,12 @@
 
 ### Introduction
 
-Thank you for using BIND!
+Thank you for using BIND 9!
 
 BIND is open source software that implements the Domain Name System (DNS)
 protocols for the Internet. It is a reference implementation of those
 protocols, but it is also production-grade software, suitable for use in
-high-volume and high-reliability applications.  It is by far the most
+high-volume and high-reliability applications.  It is very
 widely used DNS software, providing a robust and stable platform on top of
 which organizations can build distributed computing systems with the
 knowledge that those systems are fully compliant with published DNS
@@ -33,20 +33,20 @@ standards.
 BIND is and will always remain free and openly available.  It can be
 used and modified in any way by anyone.
 
-BIND is maintained by the [Internet Systems Consortium](https://www.isc.org),
+BIND is maintained by [Internet Systems Consortium](https://www.isc.org),
 a public-benefit 501(c)(3) nonprofit, using a "managed open source" approach:
 anyone can see the source, but only ISC employees have commit access.
-Until recently, the source could only be seen once ISC had published
-a release: read access to the source repository was restricted just
-as commit access was.  That's now changing, with the opening of a
+In the past, the source could only be seen once ISC had published
+a release; read access to the source repository was restricted just
+as commit access was.  That has changed, as ISC now provides a
 public git mirror to the BIND source tree (see below).
 
-At [Internet Systems Consortium](https://www.isc.org), we're committed to
-building communities that are welcoming and inclusive; environments where people
+At ISC, we're committed to
+building communities that are welcoming and inclusive: environments where people
 are encouraged to share ideas, treat each other with respect, and collaborate
-towards the best solutions. To reinforce our commitment, the [Internet Systems
-Consortium](https://www.isc.org) has adopted the Contributor Covenant version
-1.4 as our Code of Conduct for BIND 9 project, as well as for the conduct of our
+towards the best solutions. To reinforce our commitment, ISC
+has adopted a slightly modified version of the Django
+[Code of Conduct](https://gitlab.isc.org/isc-projects/bind9/-/blob/master/CODE_OF_CONDUCT.md) for the BIND 9 project, as well as for the conduct of our
 developers throughout the industry.
 
 ### <a name="access"></a>Access to source code
@@ -76,7 +76,7 @@ branch, use:
 
 >       $ git checkout v9_12
 
-Whenever a branch is ready for publication, a tag will be placed of the
+Whenever a branch is ready for publication, a tag is placed of the
 form `v9_X_Y`.  The 9.12.0 release, for instance, is tagged as `v9_12_0`.
 
 The branch in which the next major release is being developed is called
@@ -86,16 +86,16 @@ The branch in which the next major release is being developed is called
 
 Reports of flaws in the BIND package, including software bugs, errors
 in the documentation, missing files in the tarball, suggested changes
-or requests for new features, etc, can be filed using
+or requests for new features, etc., can be filed using
 [https://gitlab.isc.org/isc-projects/bind9/issues](https://gitlab.isc.org/isc-projects/bind9/issues).
 
 Due to a large ticket backlog, we are sometimes slow to respond,
 especially if a bug is cosmetic or if a feature request is vague or
-low in priority, but we will try at least to acknowledge legitimate
+low in priority, but we try at least to acknowledge legitimate
 bug reports within a week.
 
-ISC's ticketing system is publicly readable; however, you must have
-an account to file a new issue. You can either register locally or
+ISC's GitLab system is publicly readable; however, you must have
+an account to create a new issue. You can either register locally or
 use credentials from an existing account at GitHub, GitLab, Google,
 Twitter, or Facebook.
 
@@ -105,26 +105,26 @@ If you think you may be seeing a potential security vulnerability in BIND
 report it immediately by emailing to security-officer@isc.org. Plain-text
 e-mail is not a secure choice for communications concerning undisclosed
 security issues so please encrypt your communications to us if possible,
-using the [ISC Security Officer public key](https://www.isc.org/downloads/software-support-policy/openpgp-key/).
+using the [ISC Security Officer public key](https://www.isc.org/pgpkey/).
 
-Do not discuss undisclosed security vulnerabilites on any public mailing list.
+Do not discuss undisclosed security vulnerabilities on any public mailing list.
 ISC has a long history of handling reported vulnerabilities promptly and
 effectively and we respect and acknowledge responsible reporters.
 
-ISC's Security Vulnerability Disclosure Policy is documented at [https://kb.isc.org/article/AA-00861/0](https://kb.isc.org/article/AA-00861/0).
+ISC's Security Vulnerability Disclosure Policy is documented at [https://kb.isc.org/docs/aa-00861](https://kb.isc.org/docs/aa-00861).
 
 If you have a crash, you may want to consult
-[‘What to do if your BIND or DHCP server has crashed.’](https://kb.isc.org/article/AA-00340/89/What-to-do-if-your-BIND-or-DHCP-server-has-crashed.html)
+["What to do if your BIND or DHCP server has crashed."](https://kb.isc.org/docs/aa-00340)
 
 ### <a name="contrib"></a>Contributing code
 
 BIND is licensed under the
-[Mozilla Public License 2.0](http://www.isc.org/downloads/software-support-policy/isc-license/).
-Earier versions (BIND 9.10 and earlier) were licensed under the [ISC License](http://www.isc.org/downloads/software-support-policy/isc-license/)
+[Mozilla Public License 2.0](https://www.mozilla.org/en-US/MPL/2.0/).
+Earlier versions (BIND 9.10 and earlier) were licensed under the [ISC License](https://www.isc.org/licenses/)
 
 ISC does not require an explicit copyright assignment for patch
 contributions.  However, by submitting a patch to ISC, you implicitly
-certify that you are the author of the code, that you intend to reliquish
+certify that you are the author of the code, that you intend to relinquish
 exclusive copyright, and that you grant permission to publish your work
 under the open source license used for the BIND version(s) to which your
 patch will be applied.
@@ -132,7 +132,7 @@ patch will be applied.
 #### <a name="bind"></a>BIND code
 
 Patches for BIND may be submitted directly via merge requests in
-[ISC's Gitlab](https://gitlab.isc.org/isc-projects/bind9/) source
+[ISC's GitLab](https://gitlab.isc.org/isc-projects/bind9/) source
 repository for BIND.
 
 Patches can also be submitted as diffs against a specific version of
@@ -142,10 +142,9 @@ be generated using either `git format-patch` or `git diff`.
 Those wanting to write code for BIND may be interested in the
 [developer information](doc/dev/dev.md) page, which includes information
 about BIND design and coding practices, including discussion of internal
-APIs and overall system architecture.  (This is a work in progress, and
-still quite preliminary.)
+APIs and overall system architecture.
 
-Every patch submitted will be reviewed by ISC engineers following our
+Every patch submitted is reviewed by ISC engineers following our
 [code review process](doc/dev/dev.md#reviews) before it is merged.
 
 It may take considerable time to review patch submissions, especially if
@@ -156,7 +155,7 @@ we're busy with other work, it may take us a long time to get to it.
 To ensure your patch is acted on as promptly as possible, please:
 
 * Try to adhere to the [BIND 9 coding style](doc/dev/style.md).
-* Run `make` `check` to ensure your change hasn't caused any
+* Run `make check` to ensure your change hasn't caused any
   functional regressions.
 * Document your work, both in the patch itself and in the
   accompanying email.
@@ -182,28 +181,23 @@ All functional changes should be documented. There are three types
 of documentation in the BIND source tree:
 
 * Man pages are kept alongside the source code for the commands
-  they document, in files ending in `.docbook`; for example, the
-  `named` man page is `bin/named/named.docbook`.
-* The *BIND 9 Administrator Reference Manual* is mostly in
-  `doc/arm/Bv9ARM-book.xml`, plus a few other XML files that are included
-  in it.
+  they document, in files ending in `.rst`: for example, the
+  `named` man page is `bin/named/named.rst`.
+* The *BIND 9 Administrator Reference Manual* is in the .rst files in
+  `doc/arm/`; the PDF and HTML versions are automatically generated from the `.rst` files.
 * API documentation is in the header file describing the API, in
   Doxygen-formatted comments.
 
-It is not necessary to edit any documentation files other than these;
-all PDF, HTML, and `nroff`-format man page files will be updated
-automatically from the `docbook` and `XML` files after merging.
-
 Patches to improve existing documentation are also very welcome!
 
 ##### Tests
 
 BIND is a large and complex project. We rely heavily on continuous
 automated testing and cannot merge new code without adequate test coverage.
-Please see [the 'Testing' section of doc/dev/dev.md](doc/dev/dev.md#testing)
+Please see [the "Testing" section of doc/dev/dev.md](doc/dev/dev.md#testing)
 for more information.
 
 #### Thanks
 
 Thank you for your interest in contributing to the ongoing development
-of BIND.
+of BIND 9.

HISTORY

@@ -143,7 +143,7 @@ releases. New features include:
   * "rndc modzone" reconfigures a single zone, without requiring the
     entire server to be reconfigured.
   * "rndc showzone" displays the current configuration of a zone.
-  * "rndc managed-keys" can be used to check the status of RFC 5001
+  * "rndc managed-keys" can be used to check the status of RFC 5011
     managed trust anchors, or to force trust anchors to be refreshed.
   * "max-cache-size" can now be set to a percentage of available memory.
     The default is 90%.
@@ -515,8 +515,8 @@ BIND 9.4.0
   * dig: report the number of extra bytes still left in the packet after
     processing all the records.
   * Support for IPSECKEY rdata type.
-  * Raise the UDP recieve buffer size to 32k if it is less than 32k.
-  * x86 and x86_64 now have seperate atomic locking implementations.
+  * Raise the UDP receive buffer size to 32k if it is less than 32k.
+  * x86 and x86_64 now have separate atomic locking implementations.
   * named-checkconf now validates update-policy entries.
   * Attempt to make the amount of work performed in a iteration self
     tuning. The covers nodes clean from the cache per iteration, nodes
@@ -533,8 +533,8 @@ BIND 9.4.0
   * dig now warns if 'RA' is not set in the answer when 'RD' was set in
     the query. host/nslookup skip servers that fail to set 'RA' when 'RD'
     is set unless a server is explicitly set.
-  * Integrate contibuted DLZ code into named.
-  * Integrate contibuted IDN code from JPNIC.
+  * Integrate contributed DLZ code into named.
+  * Integrate contributed IDN code from JPNIC.
   * libbind: corresponds to that from BIND 8.4.7.
 
 BIND 9.3.0

HISTORY.md

@@ -533,8 +533,8 @@ BIND 9.4.0
 - dig: report the number of extra bytes still left in the packet after
   processing all the records.
 - Support for IPSECKEY rdata type.
-- Raise the UDP recieve buffer size to 32k if it is less than 32k.
-- x86 and x86_64 now have seperate atomic locking implementations.
+- Raise the UDP receive buffer size to 32k if it is less than 32k.
+- x86 and x86_64 now have separate atomic locking implementations.
 - named-checkconf now validates update-policy entries.
 - Attempt to make the amount of work performed in a iteration self tuning.
   The covers nodes clean from the cache per iteration, nodes written to
@@ -551,8 +551,8 @@ BIND 9.4.0
 - dig now warns if 'RA' is not set in the answer when 'RD' was set in the
   query.  host/nslookup skip servers that fail to set 'RA' when 'RD' is set
   unless a server is explicitly set.
-- Integrate contibuted DLZ code into named.
-- Integrate contibuted IDN code from JPNIC.
+- Integrate contributed DLZ code into named.
+- Integrate contributed IDN code from JPNIC.
 - libbind: corresponds to that from BIND 8.4.7.
 
 #### BIND 9.3.0

Makefile.in

@@ -18,8 +18,7 @@ SUBDIRS =	make lib fuzz bin doc
 TARGETS =
 PREREQS =	bind.keys.h
 
-MANOBJS =	README HISTORY OPTIONS CONTRIBUTING PLATFORMS CODE_OF_CONDUCT \
-		${MANPAGES} ${HTMLPAGES}
+MANOBJS =	README HISTORY OPTIONS CONTRIBUTING PLATFORMS CODE_OF_CONDUCT
 
 @BIND9_MAKE_RULES@
 

PLATFORMS

@@ -17,7 +17,7 @@ The following C11 features are used in BIND 9:
     the form of C11 _Thread_local/thread_local, the __thread GCC
     extension, or the __declspec(thread) MSVC extension on Windows.
 
-BIND 9.15 requires a fairly recent version of libuv (at least 1.x). For
+BIND 9.16 requires a fairly recent version of libuv (at least 1.x). For
 some of the older systems listed below, you will have to install an
 updated libuv package from sources such as EPEL, PPA, or other native
 sources for updated packages. The other option is to build and install
@@ -34,14 +34,14 @@ offer support on a "best effort" basis for some.
 
 Regularly tested platforms
 
-As of Feb 2020, BIND 9.15 is fully supported and regularly tested on the
+As of Mar 2020, BIND 9.16 is fully supported and regularly tested on the
 following systems:
 
   * Debian 9, 10
   * Ubuntu LTS 16.04, 18.04
   * Fedora 31
   * Red Hat Enterprise Linux / CentOS 7, 8
-  * FreeBSD 11.3, 12.0
+  * FreeBSD 11.3, 12.1
   * OpenBSD 6.6
   * Alpine Linux
 
@@ -86,7 +86,7 @@ platforms.
 
 Unsupported platforms
 
-These are platforms on which BIND 9.15 is known not to build or run:
+These are platforms on which BIND 9.16 is known not to build or run:
 
   * Platforms without at least OpenSSL 1.0.2
   * Windows 10 / x86

PLATFORMS.md

@@ -25,7 +25,7 @@ The following C11 features are used in BIND 9:
   of C11 `_Thread_local`/`thread_local`, the `__thread` GCC extension, or
   the `__declspec(thread)` MSVC extension on Windows.
 
-BIND 9.15 requires a fairly recent version of `libuv` (at least 1.x).  For
+BIND 9.16 requires a fairly recent version of `libuv` (at least 1.x).  For
 some of the older systems listed below, you will have to install an updated
 `libuv` package from sources such as EPEL, PPA, or other native sources for
 updated packages. The other option is to build and install `libuv` from
@@ -42,14 +42,14 @@ offer support on a "best effort" basis for some.
 
 ### Regularly tested platforms
 
-As of Feb 2020, BIND 9.15 is fully supported and regularly tested on the
+As of Mar 2020, BIND 9.16 is fully supported and regularly tested on the
 following systems:
 
 * Debian 9, 10
 * Ubuntu LTS 16.04, 18.04
 * Fedora 31
 * Red Hat Enterprise Linux / CentOS 7, 8
-* FreeBSD 11.3, 12.0
+* FreeBSD 11.3, 12.1
 * OpenBSD 6.6
 * Alpine Linux
 
@@ -93,7 +93,7 @@ platforms.
 
 ## Unsupported platforms
 
-These are platforms on which BIND 9.15 is known *not* to build or run:
+These are platforms on which BIND 9.16 is known *not* to build or run:
 
 * Platforms without at least OpenSSL 1.0.2
 * Windows 10 / x86

README

@@ -7,7 +7,7 @@ Contents
  1. Introduction
  2. Reporting bugs and getting help
  3. Contributing to BIND
- 4. BIND 9.15 features
+ 4. BIND 9.16 features
  5. Building BIND
  6. macOS
  7. Dependencies
@@ -109,10 +109,11 @@ If you prefer, you may also submit code by opening a GitLab Issue and
 including your patch as an attachment, preferably generated by git
 format-patch.
 
-BIND 9.15 features
+BIND 9.16 features
 
-BIND 9.15 is the newest development branch of BIND 9. It includes a number
-of changes from BIND 9.14 and earlier releases. New features include:
+BIND 9.16 is the current stable branch of BIND 9. It includes all changes
+from the 9.15 development branch, updating the previous stable branch,
+9.14. New features include:
 
   * New dnssec-policy statement to configure a key and signing policy for
     zones, enabling automatic key regeneration and rollover.
@@ -236,12 +237,10 @@ github.com/farsightsec/fstrm and libprotobuf-c https://
 developers.google.com/protocol-buffers, and BIND must be configured with
 --enable-dnstap.
 
-Certain compiled-in constants and default settings can be increased to
-values better suited to large servers with abundant memory resources (e.g,
-64-bit servers with 12G or more of memory) by specifying --with-tuning=
-large on the configure command line. This can improve performance on big
-servers, but will consume more memory and may degrade performance on
-smaller systems.
+Certain compiled-in constants and default settings can be decreased to
+values better suited to small machines, e.g. OpenWRT boxes, by specifying
+--with-tuning=small on the configure command line. This will decrease
+memory usage by using smaller structures, but will degrade performance.
 
 On Linux, process capabilities are managed in user space using the libcap
 library, which can be installed on most Linux systems via the libcap-dev

README.md

@@ -15,7 +15,7 @@
 1. [Introduction](#intro)
 1. [Reporting bugs and getting help](#help)
 1. [Contributing to BIND](#contrib)
-1. [BIND 9.15 features](#features)
+1. [BIND 9.16 features](#features)
 1. [Building BIND](#build)
 1. [macOS](#macos)
 1. [Dependencies](#dependencies)
@@ -125,15 +125,15 @@ If you prefer, you may also submit code by opening a
 including your patch as an attachment, preferably generated by
 `git format-patch`.
 
-### <a name="features"/> BIND 9.15 features
+### <a name="features"/> BIND 9.16 features
 
-BIND 9.15 is the newest development branch of BIND 9. It includes a
-number of changes from BIND 9.14 and earlier releases. New features
-include:
+BIND 9.16 is the current stable branch of BIND 9. It includes all
+changes from the 9.15 development branch, updating the previous stable
+branch, 9.14. New features include:
 
 * New `dnssec-policy` statement to configure a key and signing policy
   for zones, enabling automatic key regeneration and rollover.
-* New network manager based on libuv.
+* New network manager based on `libuv`.
 * Added support for the new GeoIP2 geolocation API, `libmaxminddb`.
 * Improved DNSSEC trust anchor configuration using the `trust-anchors`
   statement, permitting configuration of trust anchors in DS as well as
@@ -254,7 +254,7 @@ and `libprotobuf-c`
 [https://developers.google.com/protocol-buffers](https://developers.google.com/protocol-buffers),
 and BIND must be configured with `--enable-dnstap`.
 
-Certain compiled-in constants and default settings can be increased to
+Certain compiled-in constants and default settings can be decreased to
 values better suited to small machines, e.g. OpenWRT boxes, by specifying
 `--with-tuning=small` on the `configure` command line. This will decrease
 memory usage by using smaller structures, but will degrade performance.

aclocal.m4

@@ -1,6 +1,6 @@
-# generated automatically by aclocal 1.16.1 -*- Autoconf -*-
+# generated automatically by aclocal 1.16.2 -*- Autoconf -*-
 
-# Copyright (C) 1996-2018 Free Software Foundation, Inc.
+# Copyright (C) 1996-2020 Free Software Foundation, Inc.
 
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -290,7 +290,7 @@ AS_VAR_IF([$1], [""], [$5], [$4])dnl
 
 # AM_CONDITIONAL                                            -*- Autoconf -*-
 
-# Copyright (C) 1997-2018 Free Software Foundation, Inc.
+# Copyright (C) 1997-2020 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -324,7 +324,7 @@ fi])])
 # Add --enable-maintainer-mode option to configure.         -*- Autoconf -*-
 # From Jim Meyering
 
-# Copyright (C) 1996-2018 Free Software Foundation, Inc.
+# Copyright (C) 1996-2020 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -357,7 +357,7 @@ AC_MSG_CHECKING([whether to enable maintainer-specific portions of Makefiles])
 ]
 )
 
-# Copyright (C) 2006-2018 Free Software Foundation, Inc.
+# Copyright (C) 2006-2020 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,

bin/check/Makefile.in

@@ -22,10 +22,10 @@ CINCLUDES =	${NS_INCLUDES} ${BIND9_INCLUDES} ${DNS_INCLUDES} ${ISCCFG_INCLUDES}
 CDEFINES = 	-DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
 CWARNINGS =
 
-DNSLIBS =	../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
+DNSLIBS =	../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
 ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
-ISCLIBS =	../../lib/isc/libisc.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS}
-ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS}
+ISCLIBS =	../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@
 BIND9LIBS =	../../lib/bind9/libbind9.@A@
 NSLIBS =	../../lib/ns/libns.@A@
 
@@ -46,12 +46,6 @@ TARGETS =	named-checkconf@EXEEXT@ named-checkzone@EXEEXT@
 # Alphabetically
 SRCS =		named-checkconf.c named-checkzone.c check-tool.c
 
-MANPAGES =	named-checkconf.8 named-checkzone.8
-
-HTMLPAGES =	named-checkconf.html named-checkzone.html
-
-MANOBJS =	${MANPAGES} ${HTMLPAGES}
-
 @BIND9_MAKE_RULES@
 
 named-checkconf.@O@: named-checkconf.c
@@ -76,25 +70,15 @@ named-checkzone@EXEEXT@: named-checkzone.@O@ check-tool.@O@ ${ISCDEPLIBS} \
 	export LIBS0="${NSLIBS} ${ISCCFGLIBS} ${DNSLIBS}"; \
 	${FINALBUILDCMD}
 
-doc man:: ${MANOBJS}
-
-docclean manclean maintainer-clean::
-	rm -f ${MANOBJS}
-
 installdirs:
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
 
 install:: named-checkconf@EXEEXT@ named-checkzone@EXEEXT@ installdirs
 	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkconf@EXEEXT@ ${DESTDIR}${sbindir}
 	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkzone@EXEEXT@ ${DESTDIR}${sbindir}
 	(cd ${DESTDIR}${sbindir}; rm -f named-compilezone@EXEEXT@; ${LINK_PROGRAM} named-checkzone@EXEEXT@ named-compilezone@EXEEXT@)
-	for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8 || exit 1; done
-	(cd ${DESTDIR}${mandir}/man8; rm -f named-compilezone.8; ${LINK_PROGRAM} named-checkzone.8 named-compilezone.8)
 
 uninstall::
-	rm -f ${DESTDIR}${mandir}/man8/named-compilezone.8
-	for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m || exit 1; done
 	rm -f ${DESTDIR}${sbindir}/named-compilezone@EXEEXT@
 	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-checkconf@EXEEXT@
 	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-checkzone@EXEEXT@

bin/check/check-tool.c

@@ -9,23 +9,21 @@
  * information regarding copyright ownership.
  */
 
-
 /*! \file */
 
+#include <inttypes.h>
 #include <stdbool.h>
 #include <stdio.h>
-#include <inttypes.h>
 
 #ifdef _WIN32
 #include <Winsock2.h>
-#endif
+#endif /* ifdef _WIN32 */
 
-#include "check-tool.h"
 #include <isc/buffer.h>
 #include <isc/log.h>
 #include <isc/mem.h>
-#include <isc/netdb.h>
 #include <isc/net.h>
+#include <isc/netdb.h>
 #include <isc/print.h>
 #include <isc/region.h>
 #include <isc/stdio.h>
@@ -52,29 +50,31 @@
 
 #include <ns/log.h>
 
+#include "check-tool.h"
+
 #ifndef CHECK_SIBLING
 #define CHECK_SIBLING 1
-#endif
+#endif /* ifndef CHECK_SIBLING */
 
 #ifndef CHECK_LOCAL
 #define CHECK_LOCAL 1
-#endif
+#endif /* ifndef CHECK_LOCAL */
 
-#define CHECK(r) \
-	do { \
-		result = (r); \
+#define CHECK(r)                             \
+	do {                                 \
+		result = (r);                \
 		if (result != ISC_R_SUCCESS) \
-			goto cleanup; \
+			goto cleanup;        \
 	} while (0)
 
-#define ERR_IS_CNAME 1
-#define ERR_NO_ADDRESSES 2
+#define ERR_IS_CNAME	   1
+#define ERR_NO_ADDRESSES   2
 #define ERR_LOOKUP_FAILURE 3
-#define ERR_EXTRA_A 4
-#define ERR_EXTRA_AAAA 5
-#define ERR_MISSING_GLUE 5
-#define ERR_IS_MXCNAME 6
-#define ERR_IS_SRVCNAME 7
+#define ERR_EXTRA_A	   4
+#define ERR_EXTRA_AAAA	   5
+#define ERR_MISSING_GLUE   5
+#define ERR_IS_MXCNAME	   6
+#define ERR_IS_SRVCNAME	   7
 
 static const char *dbtype[] = { "rbt" };
 
@@ -85,31 +85,26 @@ bool nomerge = true;
 bool docheckmx = true;
 bool dochecksrv = true;
 bool docheckns = true;
-#else
+#else  /* if CHECK_LOCAL */
 bool docheckmx = false;
 bool dochecksrv = false;
 bool docheckns = false;
-#endif
-dns_zoneopt_t zone_options = DNS_ZONEOPT_CHECKNS |
-			     DNS_ZONEOPT_CHECKMX |
-			     DNS_ZONEOPT_MANYERRORS |
-			     DNS_ZONEOPT_CHECKNAMES |
+#endif /* if CHECK_LOCAL */
+dns_zoneopt_t zone_options = DNS_ZONEOPT_CHECKNS | DNS_ZONEOPT_CHECKMX |
+			     DNS_ZONEOPT_MANYERRORS | DNS_ZONEOPT_CHECKNAMES |
 			     DNS_ZONEOPT_CHECKINTEGRITY |
 #if CHECK_SIBLING
 			     DNS_ZONEOPT_CHECKSIBLING |
-#endif
+#endif /* if CHECK_SIBLING */
 			     DNS_ZONEOPT_CHECKWILDCARD |
-			     DNS_ZONEOPT_WARNMXCNAME |
-			     DNS_ZONEOPT_WARNSRVCNAME;
+			     DNS_ZONEOPT_WARNMXCNAME | DNS_ZONEOPT_WARNSRVCNAME;
 
 /*
  * This needs to match the list in bin/named/log.c.
  */
-static isc_logcategory_t categories[] = {
-	{ "",		     0 },
-	{ "unmatched", 	     0 },
-	{ NULL,		     0 }
-};
+static isc_logcategory_t categories[] = { { "", 0 },
+					  { "unmatched", 0 },
+					  { NULL, 0 } };
 
 static isc_symtab_t *symtab = NULL;
 static isc_mem_t *sym_mctx;
@@ -133,8 +128,9 @@ add(char *key, int value) {
 	if (symtab == NULL) {
 		result = isc_symtab_create(sym_mctx, 100, freekey, sym_mctx,
 					   false, &symtab);
-		if (result != ISC_R_SUCCESS)
+		if (result != ISC_R_SUCCESS) {
 			return;
+		}
 	}
 
 	key = isc_mem_strdup(sym_mctx, key);
@@ -142,27 +138,29 @@ add(char *key, int value) {
 	symvalue.as_pointer = NULL;
 	result = isc_symtab_define(symtab, key, value, symvalue,
 				   isc_symexists_reject);
-	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS) {
 		isc_mem_free(sym_mctx, key);
+	}
 }
 
 static bool
 logged(char *key, int value) {
 	isc_result_t result;
 
-	if (symtab == NULL)
+	if (symtab == NULL) {
 		return (false);
+	}
 
 	result = isc_symtab_lookup(symtab, key, value, NULL);
-	if (result == ISC_R_SUCCESS)
+	if (result == ISC_R_SUCCESS) {
 		return (true);
+	}
 	return (false);
 }
 
 static bool
 checkns(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner,
-	dns_rdataset_t *a, dns_rdataset_t *aaaa)
-{
+	dns_rdataset_t *a, dns_rdataset_t *aaaa) {
 	dns_rdataset_t *rdataset;
 	dns_rdata_t rdata = DNS_RDATA_INIT;
 	struct addrinfo hints, *ai, *cur;
@@ -180,8 +178,9 @@ checkns(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner,
 	REQUIRE(aaaa == NULL || !dns_rdataset_isassociated(aaaa) ||
 		aaaa->type == dns_rdatatype_aaaa);
 
-	if (a == NULL || aaaa == NULL)
+	if (a == NULL || aaaa == NULL) {
 		return (answer);
+	}
 
 	memset(&hints, 0, sizeof(hints));
 	hints.ai_flags = AI_CANONNAME;
@@ -208,16 +207,17 @@ checkns(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner,
 		 */
 		cur = ai;
 		while (cur != NULL && cur->ai_canonname == NULL &&
-		       cur->ai_next != NULL)
+		       cur->ai_next != NULL) {
 			cur = cur->ai_next;
+		}
 		if (cur != NULL && cur->ai_canonname != NULL &&
 		    strcasecmp(cur->ai_canonname, namebuf) != 0 &&
-		    !logged(namebuf, ERR_IS_CNAME)) {
+		    !logged(namebuf, ERR_IS_CNAME))
+		{
 			dns_zone_log(zone, ISC_LOG_ERROR,
 				     "%s/NS '%s' (out of zone) "
 				     "is a CNAME '%s' (illegal)",
-				     ownerbuf, namebuf,
-				     cur->ai_canonname);
+				     ownerbuf, namebuf, cur->ai_canonname);
 			/* XXX950 make fatal for 9.5.0 */
 			/* answer = false; */
 			add(namebuf, ERR_IS_CNAME);
@@ -226,7 +226,7 @@ checkns(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner,
 	case EAI_NONAME:
 #if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME)
 	case EAI_NODATA:
-#endif
+#endif /* if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME) */
 		if (!logged(namebuf, ERR_NO_ADDRESSES)) {
 			dns_zone_log(zone, ISC_LOG_ERROR,
 				     "%s/NS '%s' (out of zone) "
@@ -240,8 +240,8 @@ checkns(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner,
 	default:
 		if (!logged(namebuf, ERR_LOOKUP_FAILURE)) {
 			dns_zone_log(zone, ISC_LOG_WARNING,
-				     "getaddrinfo(%s) failed: %s",
-				     namebuf, gai_strerror(result));
+				     "getaddrinfo(%s) failed: %s", namebuf,
+				     gai_strerror(result));
 			add(namebuf, ERR_LOOKUP_FAILURE);
 		}
 		return (true);
@@ -250,15 +250,17 @@ checkns(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner,
 	/*
 	 * Check that all glue records really exist.
 	 */
-	if (!dns_rdataset_isassociated(a))
+	if (!dns_rdataset_isassociated(a)) {
 		goto checkaaaa;
+	}
 	result = dns_rdataset_first(a);
 	while (result == ISC_R_SUCCESS) {
 		dns_rdataset_current(a, &rdata);
 		match = false;
 		for (cur = ai; cur != NULL; cur = cur->ai_next) {
-			if (cur->ai_family != AF_INET)
+			if (cur->ai_family != AF_INET) {
 				continue;
+			}
 			ptr = &((struct sockaddr_in *)(cur->ai_addr))->sin_addr;
 			if (memcmp(ptr, rdata.data, rdata.length) == 0) {
 				match = true;
@@ -266,11 +268,12 @@ checkns(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner,
 			}
 		}
 		if (!match && !logged(namebuf, ERR_EXTRA_A)) {
-			dns_zone_log(zone, ISC_LOG_ERROR, "%s/NS '%s' "
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "%s/NS '%s' "
 				     "extra GLUE A record (%s)",
 				     ownerbuf, namebuf,
-				     inet_ntop(AF_INET, rdata.data,
-					       addrbuf, sizeof(addrbuf)));
+				     inet_ntop(AF_INET, rdata.data, addrbuf,
+					       sizeof(addrbuf)));
 			add(namebuf, ERR_EXTRA_A);
 			/* XXX950 make fatal for 9.5.0 */
 			/* answer = false; */
@@ -279,28 +282,32 @@ checkns(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner,
 		result = dns_rdataset_next(a);
 	}
 
- checkaaaa:
-	if (!dns_rdataset_isassociated(aaaa))
+checkaaaa:
+	if (!dns_rdataset_isassociated(aaaa)) {
 		goto checkmissing;
+	}
 	result = dns_rdataset_first(aaaa);
 	while (result == ISC_R_SUCCESS) {
 		dns_rdataset_current(aaaa, &rdata);
 		match = false;
 		for (cur = ai; cur != NULL; cur = cur->ai_next) {
-			if (cur->ai_family != AF_INET6)
+			if (cur->ai_family != AF_INET6) {
 				continue;
-			ptr = &((struct sockaddr_in6 *)(cur->ai_addr))->sin6_addr;
+			}
+			ptr = &((struct sockaddr_in6 *)(cur->ai_addr))
+				       ->sin6_addr;
 			if (memcmp(ptr, rdata.data, rdata.length) == 0) {
 				match = true;
 				break;
 			}
 		}
 		if (!match && !logged(namebuf, ERR_EXTRA_AAAA)) {
-			dns_zone_log(zone, ISC_LOG_ERROR, "%s/NS '%s' "
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "%s/NS '%s' "
 				     "extra GLUE AAAA record (%s)",
 				     ownerbuf, namebuf,
-				     inet_ntop(AF_INET6, rdata.data,
-					       addrbuf, sizeof(addrbuf)));
+				     inet_ntop(AF_INET6, rdata.data, addrbuf,
+					       sizeof(addrbuf)));
 			add(namebuf, ERR_EXTRA_AAAA);
 			/* XXX950 make fatal for 9.5.0. */
 			/* answer = false; */
@@ -309,7 +316,7 @@ checkns(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner,
 		result = dns_rdataset_next(aaaa);
 	}
 
- checkmissing:
+checkmissing:
 	/*
 	 * Check that all addresses appear in the glue.
 	 */
@@ -319,42 +326,50 @@ checkns(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner,
 			switch (cur->ai_family) {
 			case AF_INET:
 				rdataset = a;
-				ptr = &((struct sockaddr_in *)(cur->ai_addr))->sin_addr;
+				ptr = &((struct sockaddr_in *)(cur->ai_addr))
+					       ->sin_addr;
 				type = "A";
 				break;
 			case AF_INET6:
 				rdataset = aaaa;
-				ptr = &((struct sockaddr_in6 *)(cur->ai_addr))->sin6_addr;
+				ptr = &((struct sockaddr_in6 *)(cur->ai_addr))
+					       ->sin6_addr;
 				type = "AAAA";
 				break;
 			default:
-				 continue;
+				continue;
 			}
 			match = false;
-			if (dns_rdataset_isassociated(rdataset))
+			if (dns_rdataset_isassociated(rdataset)) {
 				result = dns_rdataset_first(rdataset);
-			else
+			} else {
 				result = ISC_R_FAILURE;
+			}
 			while (result == ISC_R_SUCCESS && !match) {
 				dns_rdataset_current(rdataset, &rdata);
 				if (memcmp(ptr, rdata.data, rdata.length) == 0)
+				{
 					match = true;
+				}
 				dns_rdata_reset(&rdata);
 				result = dns_rdataset_next(rdataset);
 			}
 			if (!match) {
-				dns_zone_log(zone, ISC_LOG_ERROR, "%s/NS '%s' "
+				dns_zone_log(zone, ISC_LOG_ERROR,
+					     "%s/NS '%s' "
 					     "missing GLUE %s record (%s)",
 					     ownerbuf, namebuf, type,
 					     inet_ntop(cur->ai_family, ptr,
-						       addrbuf, sizeof(addrbuf)));
+						       addrbuf,
+						       sizeof(addrbuf)));
 				/* XXX950 make fatal for 9.5.0. */
 				/* answer = false; */
 				missing_glue = true;
 			}
 		}
-		if (missing_glue)
+		if (missing_glue) {
 			add(namebuf, ERR_MISSING_GLUE);
+		}
 	}
 	freeaddrinfo(ai);
 	return (answer);
@@ -394,12 +409,15 @@ checkmx(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner) {
 		 */
 		cur = ai;
 		while (cur != NULL && cur->ai_canonname == NULL &&
-		       cur->ai_next != NULL)
+		       cur->ai_next != NULL) {
 			cur = cur->ai_next;
+		}
 		if (cur != NULL && cur->ai_canonname != NULL &&
-		    strcasecmp(cur->ai_canonname, namebuf) != 0) {
-			if ((zone_options & DNS_ZONEOPT_WARNMXCNAME) != 0)
+		    strcasecmp(cur->ai_canonname, namebuf) != 0)
+		{
+			if ((zone_options & DNS_ZONEOPT_WARNMXCNAME) != 0) {
 				level = ISC_LOG_WARNING;
+			}
 			if ((zone_options & DNS_ZONEOPT_IGNOREMXCNAME) == 0) {
 				if (!logged(namebuf, ERR_IS_MXCNAME)) {
 					dns_zone_log(zone, level,
@@ -410,8 +428,9 @@ checkmx(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner) {
 						     cur->ai_canonname);
 					add(namebuf, ERR_IS_MXCNAME);
 				}
-				if (level == ISC_LOG_ERROR)
+				if (level == ISC_LOG_ERROR) {
 					answer = false;
+				}
 			}
 		}
 		freeaddrinfo(ai);
@@ -420,7 +439,7 @@ checkmx(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner) {
 	case EAI_NONAME:
 #if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME)
 	case EAI_NODATA:
-#endif
+#endif /* if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME) */
 		if (!logged(namebuf, ERR_NO_ADDRESSES)) {
 			dns_zone_log(zone, ISC_LOG_ERROR,
 				     "%s/MX '%s' (out of zone) "
@@ -434,8 +453,8 @@ checkmx(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner) {
 	default:
 		if (!logged(namebuf, ERR_LOOKUP_FAILURE)) {
 			dns_zone_log(zone, ISC_LOG_WARNING,
-			     "getaddrinfo(%s) failed: %s",
-			     namebuf, gai_strerror(result));
+				     "getaddrinfo(%s) failed: %s", namebuf,
+				     gai_strerror(result));
 			add(namebuf, ERR_LOOKUP_FAILURE);
 		}
 		return (true);
@@ -476,23 +495,28 @@ checksrv(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner) {
 		 */
 		cur = ai;
 		while (cur != NULL && cur->ai_canonname == NULL &&
-		       cur->ai_next != NULL)
+		       cur->ai_next != NULL) {
 			cur = cur->ai_next;
+		}
 		if (cur != NULL && cur->ai_canonname != NULL &&
-		    strcasecmp(cur->ai_canonname, namebuf) != 0) {
-			if ((zone_options & DNS_ZONEOPT_WARNSRVCNAME) != 0)
+		    strcasecmp(cur->ai_canonname, namebuf) != 0)
+		{
+			if ((zone_options & DNS_ZONEOPT_WARNSRVCNAME) != 0) {
 				level = ISC_LOG_WARNING;
+			}
 			if ((zone_options & DNS_ZONEOPT_IGNORESRVCNAME) == 0) {
 				if (!logged(namebuf, ERR_IS_SRVCNAME)) {
-					dns_zone_log(zone, level, "%s/SRV '%s'"
+					dns_zone_log(zone, level,
+						     "%s/SRV '%s'"
 						     " (out of zone) is a "
 						     "CNAME '%s' (illegal)",
 						     ownerbuf, namebuf,
 						     cur->ai_canonname);
 					add(namebuf, ERR_IS_SRVCNAME);
 				}
-				if (level == ISC_LOG_ERROR)
+				if (level == ISC_LOG_ERROR) {
 					answer = false;
+				}
 			}
 		}
 		freeaddrinfo(ai);
@@ -501,7 +525,7 @@ checksrv(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner) {
 	case EAI_NONAME:
 #if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME)
 	case EAI_NODATA:
-#endif
+#endif /* if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME) */
 		if (!logged(namebuf, ERR_NO_ADDRESSES)) {
 			dns_zone_log(zone, ISC_LOG_ERROR,
 				     "%s/SRV '%s' (out of zone) "
@@ -515,8 +539,8 @@ checksrv(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner) {
 	default:
 		if (!logged(namebuf, ERR_LOOKUP_FAILURE)) {
 			dns_zone_log(zone, ISC_LOG_WARNING,
-				     "getaddrinfo(%s) failed: %s",
-				     namebuf, gai_strerror(result));
+				     "getaddrinfo(%s) failed: %s", namebuf,
+				     gai_strerror(result));
 			add(namebuf, ERR_LOOKUP_FAILURE);
 		}
 		return (true);
@@ -529,7 +553,7 @@ setup_logging(isc_mem_t *mctx, FILE *errout, isc_log_t **logp) {
 	isc_logconfig_t *logconfig = NULL;
 	isc_log_t *log = NULL;
 
-	RUNTIME_CHECK(isc_log_create(mctx, &log, &logconfig) == ISC_R_SUCCESS);
+	isc_log_create(mctx, &log, &logconfig);
 	isc_log_registercategories(log, categories);
 	isc_log_setcontext(log);
 	dns_log_init(log);
@@ -541,12 +565,11 @@ setup_logging(isc_mem_t *mctx, FILE *errout, isc_log_t **logp) {
 	destination.file.name = NULL;
 	destination.file.versions = ISC_LOG_ROLLNEVER;
 	destination.file.maximum_size = 0;
-	RUNTIME_CHECK(isc_log_createchannel(logconfig, "stderr",
-				       ISC_LOG_TOFILEDESC,
-				       ISC_LOG_DYNAMIC,
-				       &destination, 0) == ISC_R_SUCCESS);
-	RUNTIME_CHECK(isc_log_usechannel(logconfig, "stderr",
-					 NULL, NULL) == ISC_R_SUCCESS);
+	isc_log_createchannel(logconfig, "stderr", ISC_LOG_TOFILEDESC,
+			      ISC_LOG_DYNAMIC, &destination, 0);
+
+	RUNTIME_CHECK(isc_log_usechannel(logconfig, "stderr", NULL, NULL) ==
+		      ISC_R_SUCCESS);
 
 	*logp = log;
 	return (ISC_R_SUCCESS);
@@ -573,18 +596,20 @@ check_ttls(dns_zone_t *zone, dns_ttl_t maxttl) {
 	CHECK(dns_db_newversion(db, &version));
 	CHECK(dns_db_createiterator(db, 0, &dbiter));
 
-	for (result = dns_dbiterator_first(dbiter);
-	     result == ISC_R_SUCCESS;
-	     result = dns_dbiterator_next(dbiter)) {
+	for (result = dns_dbiterator_first(dbiter); result == ISC_R_SUCCESS;
+	     result = dns_dbiterator_next(dbiter))
+	{
 		result = dns_dbiterator_current(dbiter, &node, name);
-		if (result == DNS_R_NEWORIGIN)
+		if (result == DNS_R_NEWORIGIN) {
 			result = ISC_R_SUCCESS;
+		}
 		CHECK(result);
 
 		CHECK(dns_db_allrdatasets(db, node, version, 0, &rdsiter));
 		for (result = dns_rdatasetiter_first(rdsiter);
 		     result == ISC_R_SUCCESS;
-		     result = dns_rdatasetiter_next(rdsiter)) {
+		     result = dns_rdatasetiter_next(rdsiter))
+		{
 			dns_rdatasetiter_current(rdsiter, &rdataset);
 			if (rdataset.ttl > maxttl) {
 				char nbuf[DNS_NAME_FORMATSIZE];
@@ -607,28 +632,35 @@ check_ttls(dns_zone_t *zone, dns_ttl_t maxttl) {
 			}
 			dns_rdataset_disassociate(&rdataset);
 		}
-		if (result == ISC_R_NOMORE)
+		if (result == ISC_R_NOMORE) {
 			result = ISC_R_SUCCESS;
+		}
 		CHECK(result);
 
 		dns_rdatasetiter_destroy(&rdsiter);
 		dns_db_detachnode(db, &node);
 	}
 
-	if (result == ISC_R_NOMORE)
+	if (result == ISC_R_NOMORE) {
 		result = ISC_R_SUCCESS;
+	}
 
- cleanup:
-	if (node != NULL)
+cleanup:
+	if (node != NULL) {
 		dns_db_detachnode(db, &node);
-	if (rdsiter != NULL)
+	}
+	if (rdsiter != NULL) {
 		dns_rdatasetiter_destroy(&rdsiter);
-	if (dbiter != NULL)
+	}
+	if (dbiter != NULL) {
 		dns_dbiterator_destroy(&dbiter);
-	if (version != NULL)
+	}
+	if (version != NULL) {
 		dns_db_closeversion(db, &version, false);
-	if (db != NULL)
+	}
+	if (db != NULL) {
 		dns_db_detach(&db);
+	}
 
 	return (result);
 }
@@ -637,8 +669,7 @@ check_ttls(dns_zone_t *zone, dns_ttl_t maxttl) {
 isc_result_t
 load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
 	  dns_masterformat_t fileformat, const char *classname,
-	  dns_ttl_t maxttl, dns_zone_t **zonep)
-{
+	  dns_ttl_t maxttl, dns_zone_t **zonep) {
 	isc_result_t result;
 	dns_rdataclass_t rdclass;
 	isc_textregion_t region;
@@ -649,9 +680,10 @@ load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
 
 	REQUIRE(zonep == NULL || *zonep == NULL);
 
-	if (debug)
+	if (debug) {
 		fprintf(stderr, "loading \"%s\" from \"%s\" class \"%s\"\n",
 			zonename, filename, classname);
+	}
 
 	CHECK(dns_zone_create(&zone, mctx));
 
@@ -662,11 +694,12 @@ load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
 	origin = dns_fixedname_initname(&fixorigin);
 	CHECK(dns_name_fromtext(origin, &buffer, dns_rootname, 0, NULL));
 	CHECK(dns_zone_setorigin(zone, origin));
-	dns_zone_setdbtype(zone, 1, (const char * const *) dbtype);
+	dns_zone_setdbtype(zone, 1, (const char *const *)dbtype);
 	CHECK(dns_zone_setfile(zone, filename, fileformat,
 			       &dns_master_style_default));
-	if (journal != NULL)
+	if (journal != NULL) {
 		CHECK(dns_zone_setjournal(zone, journal));
+	}
 
 	DE_CONST(classname, region.base);
 	region.length = strlen(classname);
@@ -678,12 +711,15 @@ load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
 
 	dns_zone_setmaxttl(zone, maxttl);
 
-	if (docheckmx)
+	if (docheckmx) {
 		dns_zone_setcheckmx(zone, checkmx);
-	if (docheckns)
+	}
+	if (docheckns) {
 		dns_zone_setcheckns(zone, checkns);
-	if (dochecksrv)
+	}
+	if (dochecksrv) {
 		dns_zone_setchecksrv(zone, checksrv);
+	}
 
 	CHECK(dns_zone_load(zone, false));
 
@@ -700,9 +736,10 @@ load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
 		zone = NULL;
 	}
 
- cleanup:
-	if (zone != NULL)
+cleanup:
+	if (zone != NULL) {
 		dns_zone_detach(&zone);
+	}
 	return (result);
 }
 
@@ -710,8 +747,7 @@ load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
 isc_result_t
 dump_zone(const char *zonename, dns_zone_t *zone, const char *filename,
 	  dns_masterformat_t fileformat, const dns_master_style_t *style,
-	  const uint32_t rawversion)
-{
+	  const uint32_t rawversion) {
 	isc_result_t result;
 	FILE *output = stdout;
 	const char *flags;
@@ -719,27 +755,31 @@ dump_zone(const char *zonename, dns_zone_t *zone, const char *filename,
 	flags = (fileformat == dns_masterformat_text) ? "w" : "wb";
 
 	if (debug) {
-		if (filename != NULL && strcmp(filename, "-") != 0)
-			fprintf(stderr, "dumping \"%s\" to \"%s\"\n",
-				zonename, filename);
-		else
+		if (filename != NULL && strcmp(filename, "-") != 0) {
+			fprintf(stderr, "dumping \"%s\" to \"%s\"\n", zonename,
+				filename);
+		} else {
 			fprintf(stderr, "dumping \"%s\"\n", zonename);
+		}
 	}
 
 	if (filename != NULL && strcmp(filename, "-") != 0) {
 		result = isc_stdio_open(filename, flags, &output);
 
 		if (result != ISC_R_SUCCESS) {
-			fprintf(stderr, "could not open output "
-				"file \"%s\" for writing\n", filename);
+			fprintf(stderr,
+				"could not open output "
+				"file \"%s\" for writing\n",
+				filename);
 			return (ISC_R_FAILURE);
 		}
 	}
 
 	result = dns_zone_dumptostream(zone, output, fileformat, style,
 				       rawversion);
-	if (output != stdout)
+	if (output != stdout) {
 		(void)isc_stdio_close(output);
+	}
 
 	return (result);
 }
@@ -753,7 +793,7 @@ InitSockets(void) {
 
 	wVersionRequested = MAKEWORD(2, 0);
 
-	err = WSAStartup( wVersionRequested, &wsaData );
+	err = WSAStartup(wVersionRequested, &wsaData);
 	if (err != 0) {
 		fprintf(stderr, "WSAStartup() failed: %d\n", err);
 		exit(1);
@@ -764,4 +804,4 @@ void
 DestroySockets(void) {
 	WSACleanup();
 }
-#endif
+#endif /* ifdef _WIN32 */

bin/check/check-tool.h

@@ -9,7 +9,6 @@
  * information regarding copyright ownership.
  */
 
-
 #ifndef CHECK_TOOL_H
 #define CHECK_TOOL_H
 
@@ -42,9 +41,11 @@ dump_zone(const char *zonename, dns_zone_t *zone, const char *filename,
 	  const uint32_t rawversion);
 
 #ifdef _WIN32
-void InitSockets(void);
-void DestroySockets(void);
-#endif
+void
+InitSockets(void);
+void
+DestroySockets(void);
+#endif /* ifdef _WIN32 */
 
 extern int debug;
 extern const char *journal;
@@ -56,4 +57,4 @@ extern dns_zoneopt_t zone_options;
 
 ISC_LANG_ENDDECLS
 
-#endif
+#endif /* ifndef CHECK_TOOL_H */

bin/check/named-checkconf.8

@@ -1,152 +0,0 @@
-.\" Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
-.\" 
-.\" This Source Code Form is subject to the terms of the Mozilla Public
-.\" License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
-.\"
-.hy 0
-.ad l
-'\" t
-.\"     Title: named-checkconf
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\"      Date: 2014-01-10
-.\"    Manual: BIND9
-.\"    Source: ISC
-.\"  Language: English
-.\"
-.TH "NAMED\-CHECKCONF" "8" "2014\-01\-10" "ISC" "BIND9"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el       .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-named-checkconf \- named configuration file syntax checking tool
-.SH "SYNOPSIS"
-.HP \w'\fBnamed\-checkconf\fR\ 'u
-\fBnamed\-checkconf\fR [\fB\-chjlvz\fR] [\fB\-p\fR\ [\fB\-x\fR\ ]] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] {filename}
-.SH "DESCRIPTION"
-.PP
-\fBnamed\-checkconf\fR
-checks the syntax, but not the semantics, of a
-\fBnamed\fR
-configuration file\&. The file is parsed and checked for syntax errors, along with all files included by it\&. If no file is specified,
-/etc/named\&.conf
-is read by default\&.
-.PP
-Note: files that
-\fBnamed\fR
-reads in separate parser contexts, such as
-rndc\&.key
-and
-bind\&.keys, are not automatically read by
-\fBnamed\-checkconf\fR\&. Configuration errors in these files may cause
-\fBnamed\fR
-to fail to run, even if
-\fBnamed\-checkconf\fR
-was successful\&.
-\fBnamed\-checkconf\fR
-can be run on these files explicitly, however\&.
-.SH "OPTIONS"
-.PP
-\-h
-.RS 4
-Print the usage summary and exit\&.
-.RE
-.PP
-\-j
-.RS 4
-When loading a zonefile read the journal if it exists\&.
-.RE
-.PP
-\-l
-.RS 4
-List all the configured zones\&. Each line of output contains the zone name, class (e\&.g\&. IN), view, and type (e\&.g\&. master or slave)\&.
-.RE
-.PP
-\-c
-.RS 4
-Check "core" configuration only\&. This suppresses the loading of plugin modules, and causes all parameters to
-\fBplugin\fR
-statements to be ignored\&.
-.RE
-.PP
-\-i
-.RS 4
-Ignore warnings on deprecated options\&.
-.RE
-.PP
-\-p
-.RS 4
-Print out the
-named\&.conf
-and included files in canonical form if no errors were detected\&. See also the
-\fB\-x\fR
-option\&.
-.RE
-.PP
-\-t \fIdirectory\fR
-.RS 4
-Chroot to
-directory
-so that include directives in the configuration file are processed as if run by a similarly chrooted
-\fBnamed\fR\&.
-.RE
-.PP
-\-v
-.RS 4
-Print the version of the
-\fBnamed\-checkconf\fR
-program and exit\&.
-.RE
-.PP
-\-x
-.RS 4
-When printing the configuration files in canonical form, obscure shared secrets by replacing them with strings of question marks (\*(Aq?\*(Aq)\&. This allows the contents of
-named\&.conf
-and related files to be shared \(em for example, when submitting bug reports \(em without compromising private data\&. This option cannot be used without
-\fB\-p\fR\&.
-.RE
-.PP
-\-z
-.RS 4
-Perform a test load of all master zones found in
-named\&.conf\&.
-.RE
-.PP
-filename
-.RS 4
-The name of the configuration file to be checked\&. If not specified, it defaults to
-/etc/named\&.conf\&.
-.RE
-.SH "RETURN VALUES"
-.PP
-\fBnamed\-checkconf\fR
-returns an exit status of 1 if errors were detected and 0 otherwise\&.
-.SH "SEE ALSO"
-.PP
-\fBnamed\fR(8),
-\fBnamed-checkzone\fR(8),
-BIND 9 Administrator Reference Manual\&.
-.SH "AUTHOR"
-.PP
-\fBInternet Systems Consortium, Inc\&.\fR
-.SH "COPYRIGHT"
-.br
-Copyright \(co 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
-.br

bin/check/named-checkconf.c

@@ -9,13 +9,12 @@
  * information regarding copyright ownership.
  */
 
-
 /*! \file */
 
 #include <errno.h>
 #include <stdbool.h>
-#include <stdlib.h>
 #include <stdio.h>
+#include <stdlib.h>
 
 #include <isc/commandline.h>
 #include <isc/dir.h>
@@ -27,11 +26,6 @@
 #include <isc/string.h>
 #include <isc/util.h>
 
-#include <isccfg/namedconf.h>
-#include <isccfg/grammar.h>
-
-#include <bind9/check.h>
-
 #include <dns/db.h>
 #include <dns/fixedname.h>
 #include <dns/log.h>
@@ -41,6 +35,11 @@
 #include <dns/rootns.h>
 #include <dns/zone.h>
 
+#include <isccfg/grammar.h>
+#include <isccfg/namedconf.h>
+
+#include <bind9/check.h>
+
 #include "check-tool.h"
 
 static const char *program = "named-checkconf";
@@ -49,11 +48,11 @@ static bool loadplugins = true;
 
 isc_log_t *logc = NULL;
 
-#define CHECK(r)\
-	do { \
-		result = (r); \
+#define CHECK(r)                             \
+	do {                                 \
+		result = (r);                \
 		if (result != ISC_R_SUCCESS) \
-			goto cleanup; \
+			goto cleanup;        \
 	} while (0)
 
 /*% usage */
@@ -62,8 +61,10 @@ usage(void) ISC_PLATFORM_NORETURN_POST;
 
 static void
 usage(void) {
-	fprintf(stderr, "usage: %s [-chijlvz] [-p [-x]] [-t directory] "
-		"[named.conf]\n", program);
+	fprintf(stderr,
+		"usage: %s [-chijlvz] [-p [-x]] [-t directory] "
+		"[named.conf]\n",
+		program);
 	exit(1);
 }
 
@@ -85,8 +86,8 @@ directory_callback(const char *clausename, const cfg_obj_t *obj, void *arg) {
 	result = isc_dir_chdir(directory);
 	if (result != ISC_R_SUCCESS) {
 		cfg_obj_log(obj, logc, ISC_LOG_ERROR,
-			    "change directory to '%s' failed: %s\n",
-			    directory, isc_result_totext(result));
+			    "change directory to '%s' failed: %s\n", directory,
+			    isc_result_totext(result));
 		return (result);
 	}
 
@@ -97,10 +98,12 @@ static bool
 get_maps(const cfg_obj_t **maps, const char *name, const cfg_obj_t **obj) {
 	int i;
 	for (i = 0;; i++) {
-		if (maps[i] == NULL)
+		if (maps[i] == NULL) {
 			return (false);
-		if (cfg_map_get(maps[i], name, obj) == ISC_R_SUCCESS)
+		}
+		if (cfg_map_get(maps[i], name, obj) == ISC_R_SUCCESS) {
 			return (true);
+		}
 	}
 }
 
@@ -114,25 +117,26 @@ get_checknames(const cfg_obj_t **maps, const cfg_obj_t **obj) {
 	int i;
 
 	for (i = 0;; i++) {
-		if (maps[i] == NULL)
+		if (maps[i] == NULL) {
 			return (false);
+		}
 		checknames = NULL;
 		result = cfg_map_get(maps[i], "check-names", &checknames);
-		if (result != ISC_R_SUCCESS)
+		if (result != ISC_R_SUCCESS) {
 			continue;
+		}
 		if (checknames != NULL && !cfg_obj_islist(checknames)) {
 			*obj = checknames;
 			return (true);
 		}
-		for (element = cfg_list_first(checknames);
-		     element != NULL;
-		     element = cfg_list_next(element)) {
+		for (element = cfg_list_first(checknames); element != NULL;
+		     element = cfg_list_next(element))
+		{
 			value = cfg_listelt_value(element);
 			type = cfg_tuple_get(value, "type");
-			if ((strcasecmp(cfg_obj_asstring(type),
-					"primary") != 0) &&
-			    (strcasecmp(cfg_obj_asstring(type),
-					"master") != 0))
+			if ((strcasecmp(cfg_obj_asstring(type), "primary") !=
+			     0) &&
+			    (strcasecmp(cfg_obj_asstring(type), "master") != 0))
 			{
 				continue;
 			}
@@ -149,18 +153,21 @@ configure_hint(const char *zfile, const char *zclass, isc_mem_t *mctx) {
 	dns_rdataclass_t rdclass;
 	isc_textregion_t r;
 
-	if (zfile == NULL)
+	if (zfile == NULL) {
 		return (ISC_R_FAILURE);
+	}
 
 	DE_CONST(zclass, r.base);
 	r.length = strlen(zclass);
 	result = dns_rdataclass_fromtext(&rdclass, &r);
-	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS) {
 		return (result);
+	}
 
 	result = dns_rootns_create(mctx, rdclass, zfile, &db);
-	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS) {
 		return (result);
+	}
 
 	dns_db_detach(&db);
 	return (ISC_R_SUCCESS);
@@ -168,10 +175,9 @@ configure_hint(const char *zfile, const char *zclass, isc_mem_t *mctx) {
 
 /*% configure the zone */
 static isc_result_t
-configure_zone(const char *vclass, const char *view,
-	       const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
-	       const cfg_obj_t *config, isc_mem_t *mctx, bool list)
-{
+configure_zone(const char *vclass, const char *view, const cfg_obj_t *zconfig,
+	       const cfg_obj_t *vconfig, const cfg_obj_t *config,
+	       isc_mem_t *mctx, bool list) {
 	int i = 0;
 	isc_result_t result;
 	const char *zclass;
@@ -195,19 +201,22 @@ configure_zone(const char *vclass, const char *view,
 
 	zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
 	classobj = cfg_tuple_get(zconfig, "class");
-	if (!cfg_obj_isstring(classobj))
+	if (!cfg_obj_isstring(classobj)) {
 		zclass = vclass;
-	else
+	} else {
 		zclass = cfg_obj_asstring(classobj);
+	}
 
 	zoptions = cfg_tuple_get(zconfig, "options");
 	maps[i++] = zoptions;
-	if (vconfig != NULL)
+	if (vconfig != NULL) {
 		maps[i++] = cfg_tuple_get(vconfig, "options");
+	}
 	if (config != NULL) {
 		cfg_map_get(config, "options", &obj);
-		if (obj != NULL)
+		if (obj != NULL) {
 			maps[i++] = obj;
+		}
 	}
 	maps[i] = NULL;
 
@@ -216,12 +225,14 @@ configure_zone(const char *vclass, const char *view,
 		const char *inview = cfg_obj_asstring(inviewobj);
 		printf("%s %s %s in-view %s\n", zname, zclass, view, inview);
 	}
-	if (inviewobj != NULL)
+	if (inviewobj != NULL) {
 		return (ISC_R_SUCCESS);
+	}
 
 	cfg_map_get(zoptions, "type", &typeobj);
-	if (typeobj == NULL)
+	if (typeobj == NULL) {
 		return (ISC_R_FAILURE);
+	}
 
 	if (list) {
 		const char *ztype = cfg_obj_asstring(typeobj);
@@ -233,18 +244,21 @@ configure_zone(const char *vclass, const char *view,
 	 * Skip checks when using an alternate data source.
 	 */
 	cfg_map_get(zoptions, "database", &dbobj);
-	if (dbobj != NULL &&
-	    strcmp("rbt", cfg_obj_asstring(dbobj)) != 0 &&
+	if (dbobj != NULL && strcmp("rbt", cfg_obj_asstring(dbobj)) != 0 &&
 	    strcmp("rbt64", cfg_obj_asstring(dbobj)) != 0)
+	{
 		return (ISC_R_SUCCESS);
+	}
 
 	cfg_map_get(zoptions, "dlz", &dlzobj);
-	if (dlzobj != NULL)
+	if (dlzobj != NULL) {
 		return (ISC_R_SUCCESS);
+	}
 
 	cfg_map_get(zoptions, "file", &fileobj);
-	if (fileobj != NULL)
+	if (fileobj != NULL) {
 		zfile = cfg_obj_asstring(fileobj);
+	}
 
 	/*
 	 * Check hints files for hint zones.
@@ -265,12 +279,14 @@ configure_zone(const char *vclass, const char *view,
 	 */
 	if (strcasecmp(cfg_obj_asstring(typeobj), "redirect") == 0) {
 		cfg_map_get(zoptions, "masters", &mastersobj);
-		if (mastersobj != NULL)
+		if (mastersobj != NULL) {
 			return (ISC_R_SUCCESS);
+		}
 	}
 
-	if (zfile == NULL)
+	if (zfile == NULL) {
 		return (ISC_R_FAILURE);
+	}
 
 	obj = NULL;
 	if (get_maps(maps, "check-dup-records", &obj)) {
@@ -314,12 +330,14 @@ configure_zone(const char *vclass, const char *view,
 
 	obj = NULL;
 	if (get_maps(maps, "check-integrity", &obj)) {
-		if (cfg_obj_asboolean(obj))
+		if (cfg_obj_asboolean(obj)) {
 			zone_options |= DNS_ZONEOPT_CHECKINTEGRITY;
-		else
+		} else {
 			zone_options &= ~DNS_ZONEOPT_CHECKINTEGRITY;
-	} else
+		}
+	} else {
 		zone_options |= DNS_ZONEOPT_CHECKINTEGRITY;
+	}
 
 	obj = NULL;
 	if (get_maps(maps, "check-mx-cname", &obj)) {
@@ -363,10 +381,11 @@ configure_zone(const char *vclass, const char *view,
 
 	obj = NULL;
 	if (get_maps(maps, "check-sibling", &obj)) {
-		if (cfg_obj_asboolean(obj))
+		if (cfg_obj_asboolean(obj)) {
 			zone_options |= DNS_ZONEOPT_CHECKSIBLING;
-		else
+		} else {
 			zone_options &= ~DNS_ZONEOPT_CHECKSIBLING;
+		}
 	}
 
 	obj = NULL;
@@ -399,8 +418,8 @@ configure_zone(const char *vclass, const char *view,
 			ISC_UNREACHABLE();
 		}
 	} else {
-	       zone_options |= DNS_ZONEOPT_CHECKNAMES;
-	       zone_options |= DNS_ZONEOPT_CHECKNAMESFAIL;
+		zone_options |= DNS_ZONEOPT_CHECKNAMES;
+		zone_options |= DNS_ZONEOPT_CHECKNAMESFAIL;
 	}
 
 	masterformat = dns_masterformat_text;
@@ -425,19 +444,19 @@ configure_zone(const char *vclass, const char *view,
 		zone_options |= DNS_ZONEOPT_CHECKTTL;
 	}
 
-	result = load_zone(mctx, zname, zfile, masterformat,
-			   zclass, maxttl, NULL);
-	if (result != ISC_R_SUCCESS)
+	result = load_zone(mctx, zname, zfile, masterformat, zclass, maxttl,
+			   NULL);
+	if (result != ISC_R_SUCCESS) {
 		fprintf(stderr, "%s/%s/%s: %s\n", view, zname, zclass,
 			dns_result_totext(result));
+	}
 	return (result);
 }
 
 /*% configure a view */
 static isc_result_t
 configure_view(const char *vclass, const char *view, const cfg_obj_t *config,
-	       const cfg_obj_t *vconfig, isc_mem_t *mctx, bool list)
-{
+	       const cfg_obj_t *vconfig, isc_mem_t *mctx, bool list) {
 	const cfg_listelt_t *element;
 	const cfg_obj_t *voptions;
 	const cfg_obj_t *zonelist;
@@ -445,32 +464,33 @@ configure_view(const char *vclass, const char *view, const cfg_obj_t *config,
 	isc_result_t tresult;
 
 	voptions = NULL;
-	if (vconfig != NULL)
+	if (vconfig != NULL) {
 		voptions = cfg_tuple_get(vconfig, "options");
+	}
 
 	zonelist = NULL;
-	if (voptions != NULL)
+	if (voptions != NULL) {
 		(void)cfg_map_get(voptions, "zone", &zonelist);
-	else
+	} else {
 		(void)cfg_map_get(config, "zone", &zonelist);
+	}
 
-	for (element = cfg_list_first(zonelist);
-	     element != NULL;
+	for (element = cfg_list_first(zonelist); element != NULL;
 	     element = cfg_list_next(element))
 	{
 		const cfg_obj_t *zconfig = cfg_listelt_value(element);
-		tresult = configure_zone(vclass, view, zconfig, vconfig,
-					 config, mctx, list);
-		if (tresult != ISC_R_SUCCESS)
+		tresult = configure_zone(vclass, view, zconfig, vconfig, config,
+					 mctx, list);
+		if (tresult != ISC_R_SUCCESS) {
 			result = tresult;
+		}
 	}
 	return (result);
 }
 
 static isc_result_t
 config_getclass(const cfg_obj_t *classobj, dns_rdataclass_t defclass,
-		dns_rdataclass_t *classp)
-{
+		dns_rdataclass_t *classp) {
 	isc_textregion_t r;
 
 	if (!cfg_obj_isstring(classobj)) {
@@ -485,8 +505,7 @@ config_getclass(const cfg_obj_t *classobj, dns_rdataclass_t defclass,
 /*% load zones from the configuration */
 static isc_result_t
 load_zones_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx,
-		      bool list_zones)
-{
+		      bool list_zones) {
 	const cfg_listelt_t *element;
 	const cfg_obj_t *views;
 	const cfg_obj_t *vconfig;
@@ -496,8 +515,7 @@ load_zones_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx,
 	views = NULL;
 
 	(void)cfg_map_get(config, "view", &views);
-	for (element = cfg_list_first(views);
-	     element != NULL;
+	for (element = cfg_list_first(views); element != NULL;
 	     element = cfg_list_next(element))
 	{
 		const cfg_obj_t *classobj;
@@ -506,28 +524,36 @@ load_zones_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx,
 		char buf[sizeof("CLASS65535")];
 
 		vconfig = cfg_listelt_value(element);
-		if (vconfig == NULL)
+		if (vconfig == NULL) {
 			continue;
+		}
 
 		classobj = cfg_tuple_get(vconfig, "class");
-		CHECK(config_getclass(classobj, dns_rdataclass_in,
-					 &viewclass));
-		if (dns_rdataclass_ismeta(viewclass))
+		tresult = config_getclass(classobj, dns_rdataclass_in,
+					  &viewclass);
+		if (tresult != ISC_R_SUCCESS) {
+			CHECK(tresult);
+		}
+
+		if (dns_rdataclass_ismeta(viewclass)) {
 			CHECK(ISC_R_FAILURE);
+		}
 
 		dns_rdataclass_format(viewclass, buf, sizeof(buf));
 		vname = cfg_obj_asstring(cfg_tuple_get(vconfig, "name"));
 		tresult = configure_view(buf, vname, config, vconfig, mctx,
 					 list_zones);
-		if (tresult != ISC_R_SUCCESS)
+		if (tresult != ISC_R_SUCCESS) {
 			result = tresult;
+		}
 	}
 
 	if (views == NULL) {
 		tresult = configure_view("IN", "_default", config, NULL, mctx,
 					 list_zones);
-		if (tresult != ISC_R_SUCCESS)
+		if (tresult != ISC_R_SUCCESS) {
 			result = tresult;
+		}
 	}
 
 cleanup:
@@ -569,15 +595,23 @@ main(int argc, char **argv) {
 		switch (c) {
 		case 'm':
 			if (strcasecmp(isc_commandline_argument, "record") == 0)
+			{
 				isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
+			}
 			if (strcasecmp(isc_commandline_argument, "trace") == 0)
+			{
 				isc_mem_debugging |= ISC_MEM_DEBUGTRACE;
+			}
 			if (strcasecmp(isc_commandline_argument, "usage") == 0)
+			{
 				isc_mem_debugging |= ISC_MEM_DEBUGUSAGE;
-			if (strcasecmp(isc_commandline_argument, "size") == 0)
+			}
+			if (strcasecmp(isc_commandline_argument, "size") == 0) {
 				isc_mem_debugging |= ISC_MEM_DEBUGSIZE;
-			if (strcasecmp(isc_commandline_argument, "mctx") == 0)
+			}
+			if (strcasecmp(isc_commandline_argument, "mctx") == 0) {
 				isc_mem_debugging |= ISC_MEM_DEBUGCTX;
+			}
 			break;
 		default:
 			break;
@@ -641,16 +675,17 @@ main(int argc, char **argv) {
 			break;
 
 		case '?':
-			if (isc_commandline_option != '?')
+			if (isc_commandline_option != '?') {
 				fprintf(stderr, "%s: invalid argument -%c\n",
 					program, isc_commandline_option);
-			/* FALLTHROUGH */
+			}
+		/* FALLTHROUGH */
 		case 'h':
 			usage();
 
 		default:
-			fprintf(stderr, "%s: unhandled option -%c\n",
-				program, isc_commandline_option);
+			fprintf(stderr, "%s: unhandled option -%c\n", program,
+				isc_commandline_option);
 			exit(1);
 		}
 	}
@@ -664,16 +699,19 @@ main(int argc, char **argv) {
 		exit(1);
 	}
 
-	if (isc_commandline_index + 1 < argc)
+	if (isc_commandline_index + 1 < argc) {
 		usage();
-	if (argv[isc_commandline_index] != NULL)
+	}
+	if (argv[isc_commandline_index] != NULL) {
 		conffile = argv[isc_commandline_index];
-	if (conffile == NULL || conffile[0] == '\0')
+	}
+	if (conffile == NULL || conffile[0] == '\0') {
 		conffile = NAMED_CONFFILE;
+	}
 
 #ifdef _WIN32
 	InitSockets();
-#endif
+#endif /* ifdef _WIN32 */
 
 	RUNTIME_CHECK(setup_logging(mctx, stdout, &logc) == ISC_R_SUCCESS);
 
@@ -699,12 +737,14 @@ main(int argc, char **argv) {
 
 	if (result == ISC_R_SUCCESS && (load_zones || list_zones)) {
 		result = load_zones_fromconfig(config, mctx, list_zones);
-		if (result != ISC_R_SUCCESS)
+		if (result != ISC_R_SUCCESS) {
 			exit_status = 1;
+		}
 	}
 
-	if (print && exit_status == 0)
+	if (print && exit_status == 0) {
 		cfg_printx(config, flags, output, NULL);
+	}
 	cfg_obj_destroy(parser, &config);
 
 	cfg_parser_destroy(&parser);
@@ -715,7 +755,7 @@ main(int argc, char **argv) {
 
 #ifdef _WIN32
 	DestroySockets();
-#endif
+#endif /* ifdef _WIN32 */
 
 	return (exit_status);
 }

bin/check/named-checkconf.docbook

@@ -1,229 +0,0 @@
-<!DOCTYPE book [
-<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
- -
- - See the COPYRIGHT file distributed with this work for additional
- - information regarding copyright ownership.
--->
-
-<!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named-checkconf">
-  <info>
-    <date>2014-01-10</date>
-  </info>
-  <refentryinfo>
-    <corpname>ISC</corpname>
-    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle><application>named-checkconf</application></refentrytitle>
-    <manvolnum>8</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <docinfo>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <year>2002</year>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <year>2009</year>
-      <year>2014</year>
-      <year>2015</year>
-      <year>2016</year>
-      <year>2018</year>
-      <year>2019</year>
-      <year>2020</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-  </docinfo>
-
-  <refnamediv>
-    <refname><application>named-checkconf</application></refname>
-    <refpurpose>named configuration file syntax checking tool</refpurpose>
-  </refnamediv>
-
-  <refsynopsisdiv>
-    <cmdsynopsis sepchar=" ">
-      <command>named-checkconf</command>
-      <arg choice="opt" rep="norepeat"><option>-chjlvz</option></arg>
-      <arg choice="opt" rep="norepeat"><option>-p</option>
-	<arg choice="opt" rep="norepeat"><option>-x</option>
-      </arg></arg>
-      <arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
-      <arg choice="req" rep="norepeat">filename</arg>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsection><info><title>DESCRIPTION</title></info>
-
-    <para><command>named-checkconf</command>
-      checks the syntax, but not the semantics, of a
-      <command>named</command> configuration file.  The file is parsed
-      and checked for syntax errors, along with all files included by it.
-      If no file is specified, <filename>/etc/named.conf</filename> is read
-      by default.
-    </para>
-    <para>
-      Note: files that <command>named</command> reads in separate
-      parser contexts, such as <filename>rndc.key</filename> and
-      <filename>bind.keys</filename>, are not automatically read
-      by <command>named-checkconf</command>.  Configuration
-      errors in these files may cause <command>named</command> to
-      fail to run, even if <command>named-checkconf</command> was
-      successful.  <command>named-checkconf</command> can be run
-      on these files explicitly, however.
-    </para>
-  </refsection>
-
-  <refsection><info><title>OPTIONS</title></info>
-
-    <variablelist>
-      <varlistentry>
-        <term>-h</term>
-        <listitem>
-          <para>
-            Print the usage summary and exit.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-j</term>
-        <listitem>
-          <para>
-            When loading a zonefile read the journal if it exists.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-l</term>
-        <listitem>
-          <para>
-            List all the configured zones. Each line of output
-            contains the zone name, class (e.g. IN), view, and type
-            (e.g. master or slave).
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-c</term>
-        <listitem>
-          <para>
-	    Check "core" configuration only. This suppresses the loading
-	    of plugin modules, and causes all parameters to
-	    <command>plugin</command> statements to be ignored.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-i</term>
-        <listitem>
-          <para>
-	    Ignore warnings on deprecated options.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-p</term>
-        <listitem>
-          <para>
-	    Print out the <filename>named.conf</filename> and included files
-	    in canonical form if no errors were detected.
-            See also the <option>-x</option> option.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-t <replaceable class="parameter">directory</replaceable></term>
-        <listitem>
-          <para>
-            Chroot to <filename>directory</filename> so that include
-            directives in the configuration file are processed as if
-            run by a similarly chrooted <command>named</command>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-v</term>
-        <listitem>
-          <para>
-            Print the version of the <command>named-checkconf</command>
-            program and exit.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-x</term>
-        <listitem>
-          <para>
-	    When printing the configuration files in canonical
-            form, obscure shared secrets by replacing them with
-            strings of question marks ('?'). This allows the
-            contents of <filename>named.conf</filename> and related
-            files to be shared &mdash; for example, when submitting
-            bug reports &mdash; without compromising private data.
-            This option cannot be used without <option>-p</option>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-z</term>
-        <listitem>
-          <para>
-	    Perform a test load of all master zones found in
-	    <filename>named.conf</filename>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>filename</term>
-        <listitem>
-          <para>
-            The name of the configuration file to be checked.  If not
-            specified, it defaults to <filename>/etc/named.conf</filename>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-    </variablelist>
-
-  </refsection>
-
-  <refsection><info><title>RETURN VALUES</title></info>
-
-    <para><command>named-checkconf</command>
-      returns an exit status of 1 if
-      errors were detected and 0 otherwise.
-    </para>
-  </refsection>
-
-  <refsection><info><title>SEE ALSO</title></info>
-
-    <para><citerefentry>
-        <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>named-checkzone</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
-    </para>
-  </refsection>
-</refentry>

bin/check/named-checkconf.html

@@ -1,180 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
- - 
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>named-checkconf</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
-<a name="man.named-checkconf"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  
-
-  <div class="refnamediv">
-<h2>Name</h2>
-<p>
-    <span class="application">named-checkconf</span>
-     &#8212; named configuration file syntax checking tool
-  </p>
-</div>
-
-  <div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">named-checkconf</code> 
-       [<code class="option">-chjlvz</code>]
-       [<code class="option">-p</code>
-	 [<code class="option">-x</code>
-      ]]
-       [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>]
-       {filename}
-    </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-    <p><span class="command"><strong>named-checkconf</strong></span>
-      checks the syntax, but not the semantics, of a
-      <span class="command"><strong>named</strong></span> configuration file.  The file is parsed
-      and checked for syntax errors, along with all files included by it.
-      If no file is specified, <code class="filename">/etc/named.conf</code> is read
-      by default.
-    </p>
-    <p>
-      Note: files that <span class="command"><strong>named</strong></span> reads in separate
-      parser contexts, such as <code class="filename">rndc.key</code> and
-      <code class="filename">bind.keys</code>, are not automatically read
-      by <span class="command"><strong>named-checkconf</strong></span>.  Configuration
-      errors in these files may cause <span class="command"><strong>named</strong></span> to
-      fail to run, even if <span class="command"><strong>named-checkconf</strong></span> was
-      successful.  <span class="command"><strong>named-checkconf</strong></span> can be run
-      on these files explicitly, however.
-    </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.8"></a><h2>OPTIONS</h2>
-
-    <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">-h</span></dt>
-<dd>
-          <p>
-            Print the usage summary and exit.
-          </p>
-        </dd>
-<dt><span class="term">-j</span></dt>
-<dd>
-          <p>
-            When loading a zonefile read the journal if it exists.
-          </p>
-        </dd>
-<dt><span class="term">-l</span></dt>
-<dd>
-          <p>
-            List all the configured zones. Each line of output
-            contains the zone name, class (e.g. IN), view, and type
-            (e.g. master or slave).
-          </p>
-        </dd>
-<dt><span class="term">-c</span></dt>
-<dd>
-          <p>
-	    Check "core" configuration only. This suppresses the loading
-	    of plugin modules, and causes all parameters to
-	    <span class="command"><strong>plugin</strong></span> statements to be ignored.
-          </p>
-        </dd>
-<dt><span class="term">-i</span></dt>
-<dd>
-          <p>
-	    Ignore warnings on deprecated options.
-          </p>
-        </dd>
-<dt><span class="term">-p</span></dt>
-<dd>
-          <p>
-	    Print out the <code class="filename">named.conf</code> and included files
-	    in canonical form if no errors were detected.
-            See also the <code class="option">-x</code> option.
-          </p>
-        </dd>
-<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
-          <p>
-            Chroot to <code class="filename">directory</code> so that include
-            directives in the configuration file are processed as if
-            run by a similarly chrooted <span class="command"><strong>named</strong></span>.
-          </p>
-        </dd>
-<dt><span class="term">-v</span></dt>
-<dd>
-          <p>
-            Print the version of the <span class="command"><strong>named-checkconf</strong></span>
-            program and exit.
-          </p>
-        </dd>
-<dt><span class="term">-x</span></dt>
-<dd>
-          <p>
-	    When printing the configuration files in canonical
-            form, obscure shared secrets by replacing them with
-            strings of question marks ('?'). This allows the
-            contents of <code class="filename">named.conf</code> and related
-            files to be shared &#8212; for example, when submitting
-            bug reports &#8212; without compromising private data.
-            This option cannot be used without <code class="option">-p</code>.
-          </p>
-        </dd>
-<dt><span class="term">-z</span></dt>
-<dd>
-          <p>
-	    Perform a test load of all master zones found in
-	    <code class="filename">named.conf</code>.
-          </p>
-        </dd>
-<dt><span class="term">filename</span></dt>
-<dd>
-          <p>
-            The name of the configuration file to be checked.  If not
-            specified, it defaults to <code class="filename">/etc/named.conf</code>.
-          </p>
-        </dd>
-</dl></div>
-
-  </div>
-
-  <div class="refsection">
-<a name="id-1.9"></a><h2>RETURN VALUES</h2>
-
-    <p><span class="command"><strong>named-checkconf</strong></span>
-      returns an exit status of 1 if
-      errors were detected and 0 otherwise.
-    </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.10"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-        <span class="refentrytitle">named</span>(8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">named-checkzone</span>(8)
-      </span>,
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
-    </p>
-  </div>
-</div></body>
-</html>

bin/check/named-checkconf.rst

@@ -0,0 +1,105 @@
+.. 
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+   
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, You can obtain one at http://mozilla.org/MPL/2.0/.
+   
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
+..
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
+
+.. highlight: console
+
+.. _man_named-checkconf:
+
+named-checkconf - named configuration file syntax checking tool
+---------------------------------------------------------------
+
+Synopsis
+~~~~~~~~
+
+:program:`named-checkconf` [**-chjlvz**] [**-p** [**-x** ]] [**-t** directory] {filename}
+
+Description
+~~~~~~~~~~~
+
+``named-checkconf`` checks the syntax, but not the semantics, of a
+``named`` configuration file. The file is parsed and checked for syntax
+errors, along with all files included by it. If no file is specified,
+``/etc/named.conf`` is read by default.
+
+Note: files that ``named`` reads in separate parser contexts, such as
+``rndc.key`` and ``bind.keys``, are not automatically read by
+``named-checkconf``. Configuration errors in these files may cause
+``named`` to fail to run, even if ``named-checkconf`` was successful.
+``named-checkconf`` can be run on these files explicitly, however.
+
+Options
+~~~~~~~
+
+**-h**
+   Print the usage summary and exit.
+
+**-j**
+   When loading a zonefile read the journal if it exists.
+
+**-l**
+   List all the configured zones. Each line of output contains the zone
+   name, class (e.g. IN), view, and type (e.g. master or slave).
+
+**-c**
+   Check "core" configuration only. This suppresses the loading of
+   plugin modules, and causes all parameters to ``plugin`` statements to
+   be ignored.
+
+**-i**
+   Ignore warnings on deprecated options.
+
+**-p**
+   Print out the ``named.conf`` and included files in canonical form if
+   no errors were detected. See also the ``-x`` option.
+
+**-t** directory
+   Chroot to ``directory`` so that include directives in the
+   configuration file are processed as if run by a similarly chrooted
+   ``named``.
+
+**-v**
+   Print the version of the ``named-checkconf`` program and exit.
+
+**-x**
+   When printing the configuration files in canonical form, obscure
+   shared secrets by replacing them with strings of question marks
+   ('?'). This allows the contents of ``named.conf`` and related files
+   to be shared MDASH for example, when submitting bug reports MDASH
+   without compromising private data. This option cannot be used without
+   ``-p``.
+
+**-z**
+   Perform a test load of all master zones found in ``named.conf``.
+
+filename
+   The name of the configuration file to be checked. If not specified,
+   it defaults to ``/etc/named.conf``.
+
+Return Values
+~~~~~~~~~~~~~
+
+``named-checkconf`` returns an exit status of 1 if errors were detected
+and 0 otherwise.
+
+See Also
+~~~~~~~~
+
+:manpage:`named(8)`, :manpage:`named-checkzone(8)`, BIND 9 Administrator Reference Manual.

bin/check/named-checkzone.8

@@ -1,329 +0,0 @@
-.\" Copyright (C) 2000-2002, 2004-2007, 2009-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
-.\" 
-.\" This Source Code Form is subject to the terms of the Mozilla Public
-.\" License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
-.\"
-.hy 0
-.ad l
-'\" t
-.\"     Title: named-checkzone
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\"      Date: 2014-02-19
-.\"    Manual: BIND9
-.\"    Source: ISC
-.\"  Language: English
-.\"
-.TH "NAMED\-CHECKZONE" "8" "2014\-02\-19" "ISC" "BIND9"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el       .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-named-checkzone, named-compilezone \- zone file validity checking or converting tool
-.SH "SYNOPSIS"
-.HP \w'\fBnamed\-checkzone\fR\ 'u
-\fBnamed\-checkzone\fR [\fB\-d\fR] [\fB\-h\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-J\ \fR\fB\fIfilename\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-M\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-l\ \fR\fB\fIttl\fR\fR] [\fB\-L\ \fR\fB\fIserial\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-r\ \fR\fB\fImode\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-S\ \fR\fB\fImode\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-T\ \fR\fB\fImode\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} {filename}
-.HP \w'\fBnamed\-compilezone\fR\ 'u
-\fBnamed\-compilezone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-C\ \fR\fB\fImode\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-J\ \fR\fB\fIfilename\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-l\ \fR\fB\fIttl\fR\fR] [\fB\-L\ \fR\fB\fIserial\fR\fR] [\fB\-r\ \fR\fB\fImode\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-T\ \fR\fB\fImode\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {\fB\-o\ \fR\fB\fIfilename\fR\fR} {zonename} {filename}
-.SH "DESCRIPTION"
-.PP
-\fBnamed\-checkzone\fR
-checks the syntax and integrity of a zone file\&. It performs the same checks as
-\fBnamed\fR
-does when loading a zone\&. This makes
-\fBnamed\-checkzone\fR
-useful for checking zone files before configuring them into a name server\&.
-.PP
-\fBnamed\-compilezone\fR
-is similar to
-\fBnamed\-checkzone\fR, but it always dumps the zone contents to a specified file in a specified format\&. Additionally, it applies stricter check levels by default, since the dump output will be used as an actual zone file loaded by
-\fBnamed\fR\&. When manually specified otherwise, the check levels must at least be as strict as those specified in the
-\fBnamed\fR
-configuration file\&.
-.SH "OPTIONS"
-.PP
-\-d
-.RS 4
-Enable debugging\&.
-.RE
-.PP
-\-h
-.RS 4
-Print the usage summary and exit\&.
-.RE
-.PP
-\-q
-.RS 4
-Quiet mode \- exit code only\&.
-.RE
-.PP
-\-v
-.RS 4
-Print the version of the
-\fBnamed\-checkzone\fR
-program and exit\&.
-.RE
-.PP
-\-j
-.RS 4
-When loading a zone file, read the journal if it exists\&. The journal file name is assumed to be the zone file name appended with the string
-\&.jnl\&.
-.RE
-.PP
-\-J \fIfilename\fR
-.RS 4
-When loading the zone file read the journal from the given file, if it exists\&. (Implies \-j\&.)
-.RE
-.PP
-\-c \fIclass\fR
-.RS 4
-Specify the class of the zone\&. If not specified, "IN" is assumed\&.
-.RE
-.PP
-\-i \fImode\fR
-.RS 4
-Perform post\-load zone integrity checks\&. Possible modes are
-\fB"full"\fR
-(default),
-\fB"full\-sibling"\fR,
-\fB"local"\fR,
-\fB"local\-sibling"\fR
-and
-\fB"none"\fR\&.
-.sp
-Mode
-\fB"full"\fR
-checks that MX records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames)\&. Mode
-\fB"local"\fR
-only checks MX records which refer to in\-zone hostnames\&.
-.sp
-Mode
-\fB"full"\fR
-checks that SRV records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames)\&. Mode
-\fB"local"\fR
-only checks SRV records which refer to in\-zone hostnames\&.
-.sp
-Mode
-\fB"full"\fR
-checks that delegation NS records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames)\&. It also checks that glue address records in the zone match those advertised by the child\&. Mode
-\fB"local"\fR
-only checks NS records which refer to in\-zone hostnames or that some required glue exists, that is when the nameserver is in a child zone\&.
-.sp
-Mode
-\fB"full\-sibling"\fR
-and
-\fB"local\-sibling"\fR
-disable sibling glue checks but are otherwise the same as
-\fB"full"\fR
-and
-\fB"local"\fR
-respectively\&.
-.sp
-Mode
-\fB"none"\fR
-disables the checks\&.
-.RE
-.PP
-\-f \fIformat\fR
-.RS 4
-Specify the format of the zone file\&. Possible formats are
-\fB"text"\fR
-(default),
-\fB"raw"\fR, and
-\fB"map"\fR\&.
-.RE
-.PP
-\-F \fIformat\fR
-.RS 4
-Specify the format of the output file specified\&. For
-\fBnamed\-checkzone\fR, this does not cause any effects unless it dumps the zone contents\&.
-.sp
-Possible formats are
-\fB"text"\fR
-(default), which is the standard textual representation of the zone, and
-\fB"map"\fR,
-\fB"raw"\fR, and
-\fB"raw=N"\fR, which store the zone in a binary format for rapid loading by
-\fBnamed\fR\&.
-\fB"raw=N"\fR
-specifies the format version of the raw zone file: if N is 0, the raw file can be read by any version of
-\fBnamed\fR; if N is 1, the file can be read by release 9\&.9\&.0 or higher; the default is 1\&.
-.RE
-.PP
-\-k \fImode\fR
-.RS 4
-Perform
-\fB"check\-names"\fR
-checks with the specified failure mode\&. Possible modes are
-\fB"fail"\fR
-(default for
-\fBnamed\-compilezone\fR),
-\fB"warn"\fR
-(default for
-\fBnamed\-checkzone\fR) and
-\fB"ignore"\fR\&.
-.RE
-.PP
-\-l \fIttl\fR
-.RS 4
-Sets a maximum permissible TTL for the input file\&. Any record with a TTL higher than this value will cause the zone to be rejected\&. This is similar to using the
-\fBmax\-zone\-ttl\fR
-option in
-named\&.conf\&.
-.RE
-.PP
-\-L \fIserial\fR
-.RS 4
-When compiling a zone to "raw" or "map" format, set the "source serial" value in the header to the specified serial number\&. (This is expected to be used primarily for testing purposes\&.)
-.RE
-.PP
-\-m \fImode\fR
-.RS 4
-Specify whether MX records should be checked to see if they are addresses\&. Possible modes are
-\fB"fail"\fR,
-\fB"warn"\fR
-(default) and
-\fB"ignore"\fR\&.
-.RE
-.PP
-\-M \fImode\fR
-.RS 4
-Check if a MX record refers to a CNAME\&. Possible modes are
-\fB"fail"\fR,
-\fB"warn"\fR
-(default) and
-\fB"ignore"\fR\&.
-.RE
-.PP
-\-n \fImode\fR
-.RS 4
-Specify whether NS records should be checked to see if they are addresses\&. Possible modes are
-\fB"fail"\fR
-(default for
-\fBnamed\-compilezone\fR),
-\fB"warn"\fR
-(default for
-\fBnamed\-checkzone\fR) and
-\fB"ignore"\fR\&.
-.RE
-.PP
-\-o \fIfilename\fR
-.RS 4
-Write zone output to
-filename\&. If
-filename
-is
-\-
-then write to standard out\&. This is mandatory for
-\fBnamed\-compilezone\fR\&.
-.RE
-.PP
-\-r \fImode\fR
-.RS 4
-Check for records that are treated as different by DNSSEC but are semantically equal in plain DNS\&. Possible modes are
-\fB"fail"\fR,
-\fB"warn"\fR
-(default) and
-\fB"ignore"\fR\&.
-.RE
-.PP
-\-s \fIstyle\fR
-.RS 4
-Specify the style of the dumped zone file\&. Possible styles are
-\fB"full"\fR
-(default) and
-\fB"relative"\fR\&. The full format is most suitable for processing automatically by a separate script\&. On the other hand, the relative format is more human\-readable and is thus suitable for editing by hand\&. For
-\fBnamed\-checkzone\fR
-this does not cause any effects unless it dumps the zone contents\&. It also does not have any meaning if the output format is not text\&.
-.RE
-.PP
-\-S \fImode\fR
-.RS 4
-Check if a SRV record refers to a CNAME\&. Possible modes are
-\fB"fail"\fR,
-\fB"warn"\fR
-(default) and
-\fB"ignore"\fR\&.
-.RE
-.PP
-\-t \fIdirectory\fR
-.RS 4
-Chroot to
-directory
-so that include directives in the configuration file are processed as if run by a similarly chrooted
-\fBnamed\fR\&.
-.RE
-.PP
-\-T \fImode\fR
-.RS 4
-Check if Sender Policy Framework (SPF) records exist and issues a warning if an SPF\-formatted TXT record is not also present\&. Possible modes are
-\fB"warn"\fR
-(default),
-\fB"ignore"\fR\&.
-.RE
-.PP
-\-w \fIdirectory\fR
-.RS 4
-chdir to
-directory
-so that relative filenames in master file $INCLUDE directives work\&. This is similar to the directory clause in
-named\&.conf\&.
-.RE
-.PP
-\-D
-.RS 4
-Dump zone file in canonical format\&. This is always enabled for
-\fBnamed\-compilezone\fR\&.
-.RE
-.PP
-\-W \fImode\fR
-.RS 4
-Specify whether to check for non\-terminal wildcards\&. Non\-terminal wildcards are almost always the result of a failure to understand the wildcard matching algorithm (RFC 1034)\&. Possible modes are
-\fB"warn"\fR
-(default) and
-\fB"ignore"\fR\&.
-.RE
-.PP
-zonename
-.RS 4
-The domain name of the zone being checked\&.
-.RE
-.PP
-filename
-.RS 4
-The name of the zone file\&.
-.RE
-.SH "RETURN VALUES"
-.PP
-\fBnamed\-checkzone\fR
-returns an exit status of 1 if errors were detected and 0 otherwise\&.
-.SH "SEE ALSO"
-.PP
-\fBnamed\fR(8),
-\fBnamed-checkconf\fR(8),
-RFC 1035,
-BIND 9 Administrator Reference Manual\&.
-.SH "AUTHOR"
-.PP
-\fBInternet Systems Consortium, Inc\&.\fR
-.SH "COPYRIGHT"
-.br
-Copyright \(co 2000-2002, 2004-2007, 2009-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
-.br

bin/check/named-checkzone.c

@@ -9,12 +9,11 @@
  * information regarding copyright ownership.
  */
 
-
 /*! \file */
 
+#include <inttypes.h>
 #include <stdbool.h>
 #include <stdlib.h>
-#include <inttypes.h>
 
 #include <isc/app.h>
 #include <isc/commandline.h>
@@ -53,14 +52,14 @@ static const char *prog_name = NULL;
 static const dns_master_style_t *outputstyle = NULL;
 static enum { progmode_check, progmode_compile } progmode;
 
-#define ERRRET(result, function) \
-	do { \
-		if (result != ISC_R_SUCCESS) { \
-			if (!quiet) \
-				fprintf(stderr, "%s() returned %s\n", \
+#define ERRRET(result, function)                                              \
+	do {                                                                  \
+		if (result != ISC_R_SUCCESS) {                                \
+			if (!quiet)                                           \
+				fprintf(stderr, "%s() returned %s\n",         \
 					function, dns_result_totext(result)); \
-			return (result); \
-		} \
+			return (result);                                      \
+		}                                                             \
 	} while (0)
 
 ISC_PLATFORM_NORETURN_PRE static void
@@ -71,9 +70,9 @@ usage(void) {
 	fprintf(stderr,
 		"usage: %s [-djqvD] [-c class] "
 		"[-f inputformat] [-F outputformat] [-J filename] "
-		"[-t directory] [-w directory] [-k (ignore|warn|fail)] "
-		"[-n (ignore|warn|fail)] [-m (ignore|warn|fail)] "
-		"[-r (ignore|warn|fail)] "
+		"[-s (full|relative)] [-t directory] [-w directory] "
+		"[-k (ignore|warn|fail)] [-m (ignore|warn|fail)] "
+		"[-n (ignore|warn|fail)] [-r (ignore|warn|fail)] "
 		"[-i (full|full-sibling|local|local-sibling|none)] "
 		"[-M (ignore|warn|fail)] [-S (ignore|warn|fail)] "
 		"[-W (ignore|warn)] "
@@ -121,18 +120,21 @@ main(int argc, char **argv) {
 	outputstyle = &dns_master_style_full;
 
 	prog_name = strrchr(argv[0], '/');
-	if (prog_name == NULL)
+	if (prog_name == NULL) {
 		prog_name = strrchr(argv[0], '\\');
-	if (prog_name != NULL)
+	}
+	if (prog_name != NULL) {
 		prog_name++;
-	else
+	} else {
 		prog_name = argv[0];
+	}
 	/*
 	 * Libtool doesn't preserve the program name prior to final
 	 * installation.  Remove the libtool prefix ("lt-").
 	 */
-	if (strncmp(prog_name, "lt-", 3) == 0)
+	if (strncmp(prog_name, "lt-", 3) == 0) {
 		prog_name += 3;
+	}
 
 #define PROGCMP(X) \
 	(strcasecmp(prog_name, X) == 0 || strcasecmp(prog_name, X ".exe") == 0)
@@ -148,24 +150,23 @@ main(int argc, char **argv) {
 
 	/* Compilation specific defaults */
 	if (progmode == progmode_compile) {
-		zone_options |= (DNS_ZONEOPT_CHECKNS |
-				 DNS_ZONEOPT_FATALNS |
-				 DNS_ZONEOPT_CHECKSPF |
-				 DNS_ZONEOPT_CHECKDUPRR |
+		zone_options |= (DNS_ZONEOPT_CHECKNS | DNS_ZONEOPT_FATALNS |
+				 DNS_ZONEOPT_CHECKSPF | DNS_ZONEOPT_CHECKDUPRR |
 				 DNS_ZONEOPT_CHECKNAMES |
 				 DNS_ZONEOPT_CHECKNAMESFAIL |
 				 DNS_ZONEOPT_CHECKWILDCARD);
-	} else
-		zone_options |= (DNS_ZONEOPT_CHECKDUPRR |
-				 DNS_ZONEOPT_CHECKSPF);
+	} else {
+		zone_options |= (DNS_ZONEOPT_CHECKDUPRR | DNS_ZONEOPT_CHECKSPF);
+	}
 
 #define ARGCMP(X) (strcmp(isc_commandline_argument, X) == 0)
 
 	isc_commandline_errprint = false;
 
 	while ((c = isc_commandline_parse(argc, argv,
-			       "c:df:hi:jJ:k:L:l:m:n:qr:s:t:o:vw:DF:M:S:T:W:"))
-	       != EOF) {
+					  "c:df:hi:jJ:k:L:l:m:n:qr:s:t:o:vw:DF:"
+					  "M:S:T:W:")) != EOF)
+	{
 		switch (c) {
 		case 'c':
 			classname = isc_commandline_argument;
@@ -269,16 +270,15 @@ main(int argc, char **argv) {
 			}
 			break;
 
-
 		case 'n':
 			if (ARGCMP("ignore")) {
-				zone_options &= ~(DNS_ZONEOPT_CHECKNS|
+				zone_options &= ~(DNS_ZONEOPT_CHECKNS |
 						  DNS_ZONEOPT_FATALNS);
 			} else if (ARGCMP("warn")) {
 				zone_options |= DNS_ZONEOPT_CHECKNS;
 				zone_options &= ~DNS_ZONEOPT_FATALNS;
 			} else if (ARGCMP("fail")) {
-				zone_options |= DNS_ZONEOPT_CHECKNS|
+				zone_options |= DNS_ZONEOPT_CHECKNS |
 						DNS_ZONEOPT_FATALNS;
 			} else {
 				fprintf(stderr, "invalid argument to -n: %s\n",
@@ -330,9 +330,9 @@ main(int argc, char **argv) {
 			break;
 
 		case 's':
-			if (ARGCMP("full"))
+			if (ARGCMP("full")) {
 				outputstyle = &dns_master_style_full;
-			else if (ARGCMP("relative")) {
+			} else if (ARGCMP("relative")) {
 				outputstyle = &dns_master_style_default;
 			} else {
 				fprintf(stderr,
@@ -411,23 +411,25 @@ main(int argc, char **argv) {
 			break;
 
 		case 'W':
-			if (ARGCMP("warn"))
+			if (ARGCMP("warn")) {
 				zone_options |= DNS_ZONEOPT_CHECKWILDCARD;
-			else if (ARGCMP("ignore"))
+			} else if (ARGCMP("ignore")) {
 				zone_options &= ~DNS_ZONEOPT_CHECKWILDCARD;
+			}
 			break;
 
 		case '?':
-			if (isc_commandline_option != '?')
+			if (isc_commandline_option != '?') {
 				fprintf(stderr, "%s: invalid argument -%c\n",
 					prog_name, isc_commandline_option);
-			/* FALLTHROUGH */
+			}
+		/* FALLTHROUGH */
 		case 'h':
 			usage();
 
 		default:
-			fprintf(stderr, "%s: unhandled option -%c\n",
-				prog_name, isc_commandline_option);
+			fprintf(stderr, "%s: unhandled option -%c\n", prog_name,
+				isc_commandline_option);
 			exit(1);
 		}
 	}
@@ -435,26 +437,26 @@ main(int argc, char **argv) {
 	if (workdir != NULL) {
 		result = isc_dir_chdir(workdir);
 		if (result != ISC_R_SUCCESS) {
-			fprintf(stderr, "isc_dir_chdir: %s: %s\n",
-				workdir, isc_result_totext(result));
+			fprintf(stderr, "isc_dir_chdir: %s: %s\n", workdir,
+				isc_result_totext(result));
 			exit(1);
 		}
 	}
 
 	if (inputformatstr != NULL) {
-		if (strcasecmp(inputformatstr, "text") == 0)
+		if (strcasecmp(inputformatstr, "text") == 0) {
 			inputformat = dns_masterformat_text;
-		else if (strcasecmp(inputformatstr, "raw") == 0)
+		} else if (strcasecmp(inputformatstr, "raw") == 0) {
 			inputformat = dns_masterformat_raw;
-		else if (strncasecmp(inputformatstr, "raw=", 4) == 0) {
+		} else if (strncasecmp(inputformatstr, "raw=", 4) == 0) {
 			inputformat = dns_masterformat_raw;
-			fprintf(stderr,
-				"WARNING: input format raw, version ignored\n");
+			fprintf(stderr, "WARNING: input format raw, version "
+					"ignored\n");
 		} else if (strcasecmp(inputformatstr, "map") == 0) {
 			inputformat = dns_masterformat_map;
 		} else {
 			fprintf(stderr, "unknown file format: %s\n",
-			    inputformatstr);
+				inputformatstr);
 			exit(1);
 		}
 	}
@@ -471,8 +473,7 @@ main(int argc, char **argv) {
 			rawversion = strtol(outputformatstr + 4, &end, 10);
 			if (end == outputformatstr + 4 || *end != '\0' ||
 			    rawversion > 1U) {
-				fprintf(stderr,
-					"unknown raw format version\n");
+				fprintf(stderr, "unknown raw format version\n");
 				exit(1);
 			}
 		} else if (strcasecmp(outputformatstr, "map") == 0) {
@@ -485,42 +486,45 @@ main(int argc, char **argv) {
 	}
 
 	if (progmode == progmode_compile) {
-		dumpzone = 1;	/* always dump */
+		dumpzone = 1; /* always dump */
 		logdump = !quiet;
 		if (output_filename == NULL) {
-			fprintf(stderr,
-				"output file required, but not specified\n");
+			fprintf(stderr, "output file required, but not "
+					"specified\n");
 			usage();
 		}
 	}
 
-	if (output_filename != NULL)
+	if (output_filename != NULL) {
 		dumpzone = 1;
+	}
 
 	/*
-	 * If we are outputing to stdout then send the informational
+	 * If we are printing to stdout then send the informational
 	 * output to stderr.
 	 */
 	if (dumpzone &&
-	    (output_filename == NULL ||
-	     strcmp(output_filename, "-") == 0 ||
+	    (output_filename == NULL || strcmp(output_filename, "-") == 0 ||
 	     strcmp(output_filename, "/dev/fd/1") == 0 ||
-	     strcmp(output_filename, "/dev/stdout") == 0)) {
+	     strcmp(output_filename, "/dev/stdout") == 0))
+	{
 		errout = stderr;
 		logdump = false;
 	}
 
-	if (isc_commandline_index + 2 != argc)
+	if (isc_commandline_index + 2 != argc) {
 		usage();
+	}
 
 #ifdef _WIN32
 	InitSockets();
-#endif
+#endif /* ifdef _WIN32 */
 
 	isc_mem_create(&mctx);
-	if (!quiet)
-		RUNTIME_CHECK(setup_logging(mctx, errout, &lctx)
-			      == ISC_R_SUCCESS);
+	if (!quiet) {
+		RUNTIME_CHECK(setup_logging(mctx, errout, &lctx) ==
+			      ISC_R_SUCCESS);
+	}
 
 	dns_result_register();
 
@@ -541,20 +545,23 @@ main(int argc, char **argv) {
 			fprintf(errout, "dump zone to %s...", output_filename);
 			fflush(errout);
 		}
-		result = dump_zone(origin, zone, output_filename,
-				   outputformat, outputstyle, rawversion);
-		if (logdump)
+		result = dump_zone(origin, zone, output_filename, outputformat,
+				   outputstyle, rawversion);
+		if (logdump) {
 			fprintf(errout, "done\n");
+		}
 	}
 
-	if (!quiet && result == ISC_R_SUCCESS)
+	if (!quiet && result == ISC_R_SUCCESS) {
 		fprintf(errout, "OK\n");
+	}
 	destroy();
-	if (lctx != NULL)
+	if (lctx != NULL) {
 		isc_log_destroy(&lctx);
+	}
 	isc_mem_destroy(&mctx);
 #ifdef _WIN32
 	DestroySockets();
-#endif
+#endif /* ifdef _WIN32 */
 	return ((result == ISC_R_SUCCESS) ? 0 : 1);
 }

bin/check/named-checkzone.docbook

@@ -1,529 +0,0 @@
-<!--
- - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
- -
- - See the COPYRIGHT file distributed with this work for additional
- - information regarding copyright ownership.
--->
-
-<!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named-checkzone">
-  <info>
-    <date>2014-02-19</date>
-  </info>
-  <refentryinfo>
-    <corpname>ISC</corpname>
-    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle><application>named-checkzone</application></refentrytitle>
-    <manvolnum>8</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <docinfo>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <year>2002</year>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2006</year>
-      <year>2007</year>
-      <year>2009</year>
-      <year>2010</year>
-      <year>2011</year>
-      <year>2012</year>
-      <year>2013</year>
-      <year>2014</year>
-      <year>2015</year>
-      <year>2016</year>
-      <year>2018</year>
-      <year>2019</year>
-      <year>2020</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-  </docinfo>
-
-  <refnamediv>
-    <refname><application>named-checkzone</application></refname>
-    <refname><application>named-compilezone</application></refname>
-    <refpurpose>zone file validity checking or converting tool</refpurpose>
-  </refnamediv>
-
-  <refsynopsisdiv>
-    <cmdsynopsis sepchar=" ">
-      <command>named-checkzone</command>
-      <arg choice="opt" rep="norepeat"><option>-d</option></arg>
-      <arg choice="opt" rep="norepeat"><option>-h</option></arg>
-      <arg choice="opt" rep="norepeat"><option>-j</option></arg>
-      <arg choice="opt" rep="norepeat"><option>-q</option></arg>
-      <arg choice="opt" rep="norepeat"><option>-v</option></arg>
-      <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">format</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-F <replaceable class="parameter">format</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-J <replaceable class="parameter">filename</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-i <replaceable class="parameter">mode</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">mode</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-m <replaceable class="parameter">mode</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-M <replaceable class="parameter">mode</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-n <replaceable class="parameter">mode</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">ttl</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">serial</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-o <replaceable class="parameter">filename</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-r <replaceable class="parameter">mode</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">style</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-S <replaceable class="parameter">mode</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">mode</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-w <replaceable class="parameter">directory</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-D</option></arg>
-      <arg choice="opt" rep="norepeat"><option>-W <replaceable class="parameter">mode</replaceable></option></arg>
-      <arg choice="req" rep="norepeat">zonename</arg>
-      <arg choice="req" rep="norepeat">filename</arg>
-    </cmdsynopsis>
-    <cmdsynopsis sepchar=" ">
-      <command>named-compilezone</command>
-      <arg choice="opt" rep="norepeat"><option>-d</option></arg>
-      <arg choice="opt" rep="norepeat"><option>-j</option></arg>
-      <arg choice="opt" rep="norepeat"><option>-q</option></arg>
-      <arg choice="opt" rep="norepeat"><option>-v</option></arg>
-      <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-C <replaceable class="parameter">mode</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">format</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-F <replaceable class="parameter">format</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-J <replaceable class="parameter">filename</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-i <replaceable class="parameter">mode</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">mode</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-m <replaceable class="parameter">mode</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-n <replaceable class="parameter">mode</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">ttl</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">serial</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-r <replaceable class="parameter">mode</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">style</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">mode</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-w <replaceable class="parameter">directory</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-D</option></arg>
-      <arg choice="opt" rep="norepeat"><option>-W <replaceable class="parameter">mode</replaceable></option></arg>
-      <arg choice="req" rep="norepeat"><option>-o <replaceable class="parameter">filename</replaceable></option></arg>
-      <arg choice="req" rep="norepeat">zonename</arg>
-      <arg choice="req" rep="norepeat">filename</arg>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsection><info><title>DESCRIPTION</title></info>
-
-    <para><command>named-checkzone</command>
-      checks the syntax and integrity of a zone file.  It performs the
-      same checks as <command>named</command> does when loading a
-      zone.  This makes <command>named-checkzone</command> useful for
-      checking zone files before configuring them into a name server.
-    </para>
-    <para>
-        <command>named-compilezone</command> is similar to
-	<command>named-checkzone</command>, but it always dumps the
-        zone contents to a specified file in a specified format.
-	Additionally, it applies stricter check levels by default,
-        since the dump output will be used as an actual zone file
-	loaded by <command>named</command>.
-	When manually specified otherwise, the check levels must at
-        least be as strict as those specified in the
-	<command>named</command> configuration file.
-     </para>
-  </refsection>
-
-  <refsection><info><title>OPTIONS</title></info>
-
-
-    <variablelist>
-      <varlistentry>
-        <term>-d</term>
-        <listitem>
-          <para>
-            Enable debugging.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-h</term>
-        <listitem>
-          <para>
-            Print the usage summary and exit.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-q</term>
-        <listitem>
-          <para>
-            Quiet mode - exit code only.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-v</term>
-        <listitem>
-          <para>
-            Print the version of the <command>named-checkzone</command>
-            program and exit.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-j</term>
-        <listitem>
-          <para>
-            When loading a zone file, read the journal if it exists.
-            The journal file name is assumed to be the zone file name
-	    appended with the string <filename>.jnl</filename>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-J <replaceable class="parameter">filename</replaceable></term>
-        <listitem>
-          <para>
-            When loading the zone file read the journal from the given
-            file, if it exists. (Implies -j.)
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-c <replaceable class="parameter">class</replaceable></term>
-        <listitem>
-          <para>
-            Specify the class of the zone.  If not specified, "IN" is assumed.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-i <replaceable class="parameter">mode</replaceable></term>
-	<listitem>
-	  <para>
-	      Perform post-load zone integrity checks.  Possible modes are
-	      <command>"full"</command> (default),
-	      <command>"full-sibling"</command>,
-	      <command>"local"</command>,
-	      <command>"local-sibling"</command> and
-	      <command>"none"</command>.
-	  </para>
-	  <para>
-	      Mode <command>"full"</command> checks that MX records
-	      refer to A or AAAA record (both in-zone and out-of-zone
-	      hostnames).  Mode <command>"local"</command> only
-	      checks MX records which refer to in-zone hostnames.
-	  </para>
-	  <para>
-	      Mode <command>"full"</command> checks that SRV records
-	      refer to A or AAAA record (both in-zone and out-of-zone
-	      hostnames).  Mode <command>"local"</command> only
-	      checks SRV records which refer to in-zone hostnames.
-	  </para>
-	  <para>
-	      Mode <command>"full"</command> checks that delegation NS
-	      records refer to A or AAAA record (both in-zone and out-of-zone
-	      hostnames).  It also checks that glue address records
-	      in the zone match those advertised by the child.
-	      Mode <command>"local"</command> only checks NS records which
-	      refer to in-zone hostnames or that some required glue exists,
-	      that is when the nameserver is in a child zone.
-	  </para>
-	  <para>
-	      Mode <command>"full-sibling"</command> and
-	      <command>"local-sibling"</command> disable sibling glue
-	      checks but are otherwise the same as <command>"full"</command>
-	      and <command>"local"</command> respectively.
-	  </para>
-	  <para>
-	      Mode <command>"none"</command> disables the checks.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-f <replaceable class="parameter">format</replaceable></term>
-	<listitem>
-	  <para>
-	    Specify the format of the zone file.
-	    Possible formats are <command>"text"</command> (default),
-	    <command>"raw"</command>, and <command>"map"</command>.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-F <replaceable class="parameter">format</replaceable></term>
-	<listitem>
-	  <para>
-	    Specify the format of the output file specified.
-	    For <command>named-checkzone</command>,
-	    this does not cause any effects unless it dumps the zone
-	    contents.
-	  </para>
-	  <para>
-	    Possible formats are <command>"text"</command> (default),
-	    which is the standard textual representation of the zone,
-	    and <command>"map"</command>, <command>"raw"</command>,
-            and <command>"raw=N"</command>, which store the zone in a
-            binary format for rapid loading by <command>named</command>.
-            <command>"raw=N"</command> specifies the format version of
-            the raw zone file: if N is 0, the raw file can be read by
-            any version of <command>named</command>; if N is 1, the file
-            can be read by release 9.9.0 or higher; the default is 1.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-k <replaceable class="parameter">mode</replaceable></term>
-        <listitem>
-          <para>
-            Perform <command>"check-names"</command> checks with the
-	    specified failure mode.
-            Possible modes are <command>"fail"</command>
-	    (default for <command>named-compilezone</command>),
-            <command>"warn"</command>
-	    (default for <command>named-checkzone</command>) and
-            <command>"ignore"</command>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-l <replaceable class="parameter">ttl</replaceable></term>
-        <listitem>
-          <para>
-            Sets a maximum permissible TTL for the input file.
-            Any record with a TTL higher than this value will cause
-            the zone to be rejected.  This is similar to using the
-            <command>max-zone-ttl</command> option in
-            <filename>named.conf</filename>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-L <replaceable class="parameter">serial</replaceable></term>
-        <listitem>
-          <para>
-            When compiling a zone to "raw" or "map" format, set the
-            "source serial" value in the header to the specified serial
-            number.  (This is expected to be used primarily for testing
-            purposes.)
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-m <replaceable class="parameter">mode</replaceable></term>
-        <listitem>
-          <para>
-            Specify whether MX records should be checked to see if they
-            are addresses.  Possible modes are <command>"fail"</command>,
-            <command>"warn"</command> (default) and
-            <command>"ignore"</command>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-M <replaceable class="parameter">mode</replaceable></term>
-        <listitem>
-	  <para>
-	    Check if a MX record refers to a CNAME.
-            Possible modes are <command>"fail"</command>,
-            <command>"warn"</command> (default) and
-            <command>"ignore"</command>.
-	  </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-n <replaceable class="parameter">mode</replaceable></term>
-        <listitem>
-          <para>
-            Specify whether NS records should be checked to see if they
-            are addresses.
-	    Possible modes are <command>"fail"</command>
-	    (default for <command>named-compilezone</command>),
-            <command>"warn"</command>
-	    (default for <command>named-checkzone</command>) and
-            <command>"ignore"</command>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-o <replaceable class="parameter">filename</replaceable></term>
-        <listitem>
-          <para>
-            Write zone output to <filename>filename</filename>.
-	    If <filename>filename</filename> is <filename>-</filename> then
-	    write to standard out.
-	    This is mandatory for <command>named-compilezone</command>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-r <replaceable class="parameter">mode</replaceable></term>
-        <listitem>
-	  <para>
-            Check for records that are treated as different by DNSSEC but
-	    are semantically equal in plain DNS.
-            Possible modes are <command>"fail"</command>,
-            <command>"warn"</command> (default) and
-            <command>"ignore"</command>.
-	  </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-s <replaceable class="parameter">style</replaceable></term>
-	<listitem>
-	  <para>
-	    Specify the style of the dumped zone file.
-	    Possible styles are <command>"full"</command> (default)
-	    and <command>"relative"</command>.
-	    The full format is most suitable for processing
-	    automatically by a separate script.
-	    On the other hand, the relative format is more
-	    human-readable and is thus suitable for editing by hand.
-	    For <command>named-checkzone</command>
-	    this does not cause any effects unless it dumps the zone
-	    contents.
-	    It also does not have any meaning if the output format
-	    is not text.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-S <replaceable class="parameter">mode</replaceable></term>
-        <listitem>
-	  <para>
-	    Check if a SRV record refers to a CNAME.
-            Possible modes are <command>"fail"</command>,
-            <command>"warn"</command> (default) and
-            <command>"ignore"</command>.
-	  </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-t <replaceable class="parameter">directory</replaceable></term>
-        <listitem>
-          <para>
-            Chroot to <filename>directory</filename> so that
-            include
-            directives in the configuration file are processed as if
-            run by a similarly chrooted <command>named</command>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-T <replaceable class="parameter">mode</replaceable></term>
-	<listitem>
-	  <para>
-	    Check if Sender Policy Framework (SPF) records exist
-	    and issues a warning if an SPF-formatted TXT record is
-	    not also present.  Possible modes are <command>"warn"</command>
-	    (default), <command>"ignore"</command>.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-w <replaceable class="parameter">directory</replaceable></term>
-        <listitem>
-          <para>
-            chdir to <filename>directory</filename> so that
-            relative
-            filenames in master file $INCLUDE directives work.  This
-            is similar to the directory clause in
-            <filename>named.conf</filename>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-D</term>
-        <listitem>
-          <para>
-            Dump zone file in canonical format.
-	    This is always enabled for <command>named-compilezone</command>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-W <replaceable class="parameter">mode</replaceable></term>
-        <listitem>
-          <para>
-            Specify whether to check for non-terminal wildcards.
-            Non-terminal wildcards are almost always the result of a
-            failure to understand the wildcard matching algorithm (RFC 1034).
-            Possible modes are <command>"warn"</command> (default)
-            and
-            <command>"ignore"</command>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>zonename</term>
-        <listitem>
-          <para>
-            The domain name of the zone being checked.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>filename</term>
-        <listitem>
-          <para>
-            The name of the zone file.
-          </para>
-        </listitem>
-      </varlistentry>
-
-    </variablelist>
-
-  </refsection>
-
-  <refsection><info><title>RETURN VALUES</title></info>
-
-    <para><command>named-checkzone</command>
-      returns an exit status of 1 if
-      errors were detected and 0 otherwise.
-    </para>
-  </refsection>
-
-  <refsection><info><title>SEE ALSO</title></info>
-
-    <para><citerefentry>
-        <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>named-checkconf</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citetitle>RFC 1035</citetitle>,
-      <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
-    </para>
-  </refsection>
-
-</refentry>

bin/check/named-checkzone.html

@@ -1,429 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2002, 2004-2007, 2009-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
- - 
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>named-checkzone</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
-<a name="man.named-checkzone"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  
-
-  <div class="refnamediv">
-<h2>Name</h2>
-<p>
-    <span class="application">named-checkzone</span>, 
-    <span class="application">named-compilezone</span>
-     &#8212; zone file validity checking or converting tool
-  </p>
-</div>
-
-  <div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">named-checkzone</code> 
-       [<code class="option">-d</code>]
-       [<code class="option">-h</code>]
-       [<code class="option">-j</code>]
-       [<code class="option">-q</code>]
-       [<code class="option">-v</code>]
-       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
-       [<code class="option">-f <em class="replaceable"><code>format</code></em></code>]
-       [<code class="option">-F <em class="replaceable"><code>format</code></em></code>]
-       [<code class="option">-J <em class="replaceable"><code>filename</code></em></code>]
-       [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>]
-       [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>]
-       [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>]
-       [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>]
-       [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>]
-       [<code class="option">-l <em class="replaceable"><code>ttl</code></em></code>]
-       [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>]
-       [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>]
-       [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>]
-       [<code class="option">-s <em class="replaceable"><code>style</code></em></code>]
-       [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>]
-       [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>]
-       [<code class="option">-T <em class="replaceable"><code>mode</code></em></code>]
-       [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>]
-       [<code class="option">-D</code>]
-       [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>]
-       {zonename}
-       {filename}
-    </p></div>
-    <div class="cmdsynopsis"><p>
-      <code class="command">named-compilezone</code> 
-       [<code class="option">-d</code>]
-       [<code class="option">-j</code>]
-       [<code class="option">-q</code>]
-       [<code class="option">-v</code>]
-       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
-       [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>]
-       [<code class="option">-f <em class="replaceable"><code>format</code></em></code>]
-       [<code class="option">-F <em class="replaceable"><code>format</code></em></code>]
-       [<code class="option">-J <em class="replaceable"><code>filename</code></em></code>]
-       [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>]
-       [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>]
-       [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>]
-       [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>]
-       [<code class="option">-l <em class="replaceable"><code>ttl</code></em></code>]
-       [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>]
-       [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>]
-       [<code class="option">-s <em class="replaceable"><code>style</code></em></code>]
-       [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>]
-       [<code class="option">-T <em class="replaceable"><code>mode</code></em></code>]
-       [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>]
-       [<code class="option">-D</code>]
-       [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>]
-       {<code class="option">-o <em class="replaceable"><code>filename</code></em></code>}
-       {zonename}
-       {filename}
-    </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-    <p><span class="command"><strong>named-checkzone</strong></span>
-      checks the syntax and integrity of a zone file.  It performs the
-      same checks as <span class="command"><strong>named</strong></span> does when loading a
-      zone.  This makes <span class="command"><strong>named-checkzone</strong></span> useful for
-      checking zone files before configuring them into a name server.
-    </p>
-    <p>
-        <span class="command"><strong>named-compilezone</strong></span> is similar to
-	<span class="command"><strong>named-checkzone</strong></span>, but it always dumps the
-        zone contents to a specified file in a specified format.
-	Additionally, it applies stricter check levels by default,
-        since the dump output will be used as an actual zone file
-	loaded by <span class="command"><strong>named</strong></span>.
-	When manually specified otherwise, the check levels must at
-        least be as strict as those specified in the
-	<span class="command"><strong>named</strong></span> configuration file.
-     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.8"></a><h2>OPTIONS</h2>
-
-
-    <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">-d</span></dt>
-<dd>
-          <p>
-            Enable debugging.
-          </p>
-        </dd>
-<dt><span class="term">-h</span></dt>
-<dd>
-          <p>
-            Print the usage summary and exit.
-          </p>
-        </dd>
-<dt><span class="term">-q</span></dt>
-<dd>
-          <p>
-            Quiet mode - exit code only.
-          </p>
-        </dd>
-<dt><span class="term">-v</span></dt>
-<dd>
-          <p>
-            Print the version of the <span class="command"><strong>named-checkzone</strong></span>
-            program and exit.
-          </p>
-        </dd>
-<dt><span class="term">-j</span></dt>
-<dd>
-          <p>
-            When loading a zone file, read the journal if it exists.
-            The journal file name is assumed to be the zone file name
-	    appended with the string <code class="filename">.jnl</code>.
-          </p>
-        </dd>
-<dt><span class="term">-J <em class="replaceable"><code>filename</code></em></span></dt>
-<dd>
-          <p>
-            When loading the zone file read the journal from the given
-            file, if it exists. (Implies -j.)
-          </p>
-        </dd>
-<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd>
-          <p>
-            Specify the class of the zone.  If not specified, "IN" is assumed.
-          </p>
-        </dd>
-<dt><span class="term">-i <em class="replaceable"><code>mode</code></em></span></dt>
-<dd>
-	  <p>
-	      Perform post-load zone integrity checks.  Possible modes are
-	      <span class="command"><strong>"full"</strong></span> (default),
-	      <span class="command"><strong>"full-sibling"</strong></span>,
-	      <span class="command"><strong>"local"</strong></span>,
-	      <span class="command"><strong>"local-sibling"</strong></span> and
-	      <span class="command"><strong>"none"</strong></span>.
-	  </p>
-	  <p>
-	      Mode <span class="command"><strong>"full"</strong></span> checks that MX records
-	      refer to A or AAAA record (both in-zone and out-of-zone
-	      hostnames).  Mode <span class="command"><strong>"local"</strong></span> only
-	      checks MX records which refer to in-zone hostnames.
-	  </p>
-	  <p>
-	      Mode <span class="command"><strong>"full"</strong></span> checks that SRV records
-	      refer to A or AAAA record (both in-zone and out-of-zone
-	      hostnames).  Mode <span class="command"><strong>"local"</strong></span> only
-	      checks SRV records which refer to in-zone hostnames.
-	  </p>
-	  <p>
-	      Mode <span class="command"><strong>"full"</strong></span> checks that delegation NS
-	      records refer to A or AAAA record (both in-zone and out-of-zone
-	      hostnames).  It also checks that glue address records
-	      in the zone match those advertised by the child.
-	      Mode <span class="command"><strong>"local"</strong></span> only checks NS records which
-	      refer to in-zone hostnames or that some required glue exists,
-	      that is when the nameserver is in a child zone.
-	  </p>
-	  <p>
-	      Mode <span class="command"><strong>"full-sibling"</strong></span> and
-	      <span class="command"><strong>"local-sibling"</strong></span> disable sibling glue
-	      checks but are otherwise the same as <span class="command"><strong>"full"</strong></span>
-	      and <span class="command"><strong>"local"</strong></span> respectively.
-	  </p>
-	  <p>
-	      Mode <span class="command"><strong>"none"</strong></span> disables the checks.
-	  </p>
-	</dd>
-<dt><span class="term">-f <em class="replaceable"><code>format</code></em></span></dt>
-<dd>
-	  <p>
-	    Specify the format of the zone file.
-	    Possible formats are <span class="command"><strong>"text"</strong></span> (default),
-	    <span class="command"><strong>"raw"</strong></span>, and <span class="command"><strong>"map"</strong></span>.
-	  </p>
-	</dd>
-<dt><span class="term">-F <em class="replaceable"><code>format</code></em></span></dt>
-<dd>
-	  <p>
-	    Specify the format of the output file specified.
-	    For <span class="command"><strong>named-checkzone</strong></span>,
-	    this does not cause any effects unless it dumps the zone
-	    contents.
-	  </p>
-	  <p>
-	    Possible formats are <span class="command"><strong>"text"</strong></span> (default),
-	    which is the standard textual representation of the zone,
-	    and <span class="command"><strong>"map"</strong></span>, <span class="command"><strong>"raw"</strong></span>,
-            and <span class="command"><strong>"raw=N"</strong></span>, which store the zone in a
-            binary format for rapid loading by <span class="command"><strong>named</strong></span>.
-            <span class="command"><strong>"raw=N"</strong></span> specifies the format version of
-            the raw zone file: if N is 0, the raw file can be read by
-            any version of <span class="command"><strong>named</strong></span>; if N is 1, the file
-            can be read by release 9.9.0 or higher; the default is 1.
-	  </p>
-	</dd>
-<dt><span class="term">-k <em class="replaceable"><code>mode</code></em></span></dt>
-<dd>
-          <p>
-            Perform <span class="command"><strong>"check-names"</strong></span> checks with the
-	    specified failure mode.
-            Possible modes are <span class="command"><strong>"fail"</strong></span>
-	    (default for <span class="command"><strong>named-compilezone</strong></span>),
-            <span class="command"><strong>"warn"</strong></span>
-	    (default for <span class="command"><strong>named-checkzone</strong></span>) and
-            <span class="command"><strong>"ignore"</strong></span>.
-          </p>
-        </dd>
-<dt><span class="term">-l <em class="replaceable"><code>ttl</code></em></span></dt>
-<dd>
-          <p>
-            Sets a maximum permissible TTL for the input file.
-            Any record with a TTL higher than this value will cause
-            the zone to be rejected.  This is similar to using the
-            <span class="command"><strong>max-zone-ttl</strong></span> option in
-            <code class="filename">named.conf</code>.
-          </p>
-        </dd>
-<dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
-<dd>
-          <p>
-            When compiling a zone to "raw" or "map" format, set the
-            "source serial" value in the header to the specified serial
-            number.  (This is expected to be used primarily for testing
-            purposes.)
-          </p>
-        </dd>
-<dt><span class="term">-m <em class="replaceable"><code>mode</code></em></span></dt>
-<dd>
-          <p>
-            Specify whether MX records should be checked to see if they
-            are addresses.  Possible modes are <span class="command"><strong>"fail"</strong></span>,
-            <span class="command"><strong>"warn"</strong></span> (default) and
-            <span class="command"><strong>"ignore"</strong></span>.
-          </p>
-        </dd>
-<dt><span class="term">-M <em class="replaceable"><code>mode</code></em></span></dt>
-<dd>
-	  <p>
-	    Check if a MX record refers to a CNAME.
-            Possible modes are <span class="command"><strong>"fail"</strong></span>,
-            <span class="command"><strong>"warn"</strong></span> (default) and
-            <span class="command"><strong>"ignore"</strong></span>.
-	  </p>
-        </dd>
-<dt><span class="term">-n <em class="replaceable"><code>mode</code></em></span></dt>
-<dd>
-          <p>
-            Specify whether NS records should be checked to see if they
-            are addresses.
-	    Possible modes are <span class="command"><strong>"fail"</strong></span>
-	    (default for <span class="command"><strong>named-compilezone</strong></span>),
-            <span class="command"><strong>"warn"</strong></span>
-	    (default for <span class="command"><strong>named-checkzone</strong></span>) and
-            <span class="command"><strong>"ignore"</strong></span>.
-          </p>
-        </dd>
-<dt><span class="term">-o <em class="replaceable"><code>filename</code></em></span></dt>
-<dd>
-          <p>
-            Write zone output to <code class="filename">filename</code>.
-	    If <code class="filename">filename</code> is <code class="filename">-</code> then
-	    write to standard out.
-	    This is mandatory for <span class="command"><strong>named-compilezone</strong></span>.
-          </p>
-        </dd>
-<dt><span class="term">-r <em class="replaceable"><code>mode</code></em></span></dt>
-<dd>
-	  <p>
-            Check for records that are treated as different by DNSSEC but
-	    are semantically equal in plain DNS.
-            Possible modes are <span class="command"><strong>"fail"</strong></span>,
-            <span class="command"><strong>"warn"</strong></span> (default) and
-            <span class="command"><strong>"ignore"</strong></span>.
-	  </p>
-        </dd>
-<dt><span class="term">-s <em class="replaceable"><code>style</code></em></span></dt>
-<dd>
-	  <p>
-	    Specify the style of the dumped zone file.
-	    Possible styles are <span class="command"><strong>"full"</strong></span> (default)
-	    and <span class="command"><strong>"relative"</strong></span>.
-	    The full format is most suitable for processing
-	    automatically by a separate script.
-	    On the other hand, the relative format is more
-	    human-readable and is thus suitable for editing by hand.
-	    For <span class="command"><strong>named-checkzone</strong></span>
-	    this does not cause any effects unless it dumps the zone
-	    contents.
-	    It also does not have any meaning if the output format
-	    is not text.
-	  </p>
-	</dd>
-<dt><span class="term">-S <em class="replaceable"><code>mode</code></em></span></dt>
-<dd>
-	  <p>
-	    Check if a SRV record refers to a CNAME.
-            Possible modes are <span class="command"><strong>"fail"</strong></span>,
-            <span class="command"><strong>"warn"</strong></span> (default) and
-            <span class="command"><strong>"ignore"</strong></span>.
-	  </p>
-        </dd>
-<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
-          <p>
-            Chroot to <code class="filename">directory</code> so that
-            include
-            directives in the configuration file are processed as if
-            run by a similarly chrooted <span class="command"><strong>named</strong></span>.
-          </p>
-        </dd>
-<dt><span class="term">-T <em class="replaceable"><code>mode</code></em></span></dt>
-<dd>
-	  <p>
-	    Check if Sender Policy Framework (SPF) records exist
-	    and issues a warning if an SPF-formatted TXT record is
-	    not also present.  Possible modes are <span class="command"><strong>"warn"</strong></span>
-	    (default), <span class="command"><strong>"ignore"</strong></span>.
-	  </p>
-	</dd>
-<dt><span class="term">-w <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
-          <p>
-            chdir to <code class="filename">directory</code> so that
-            relative
-            filenames in master file $INCLUDE directives work.  This
-            is similar to the directory clause in
-            <code class="filename">named.conf</code>.
-          </p>
-        </dd>
-<dt><span class="term">-D</span></dt>
-<dd>
-          <p>
-            Dump zone file in canonical format.
-	    This is always enabled for <span class="command"><strong>named-compilezone</strong></span>.
-          </p>
-        </dd>
-<dt><span class="term">-W <em class="replaceable"><code>mode</code></em></span></dt>
-<dd>
-          <p>
-            Specify whether to check for non-terminal wildcards.
-            Non-terminal wildcards are almost always the result of a
-            failure to understand the wildcard matching algorithm (RFC 1034).
-            Possible modes are <span class="command"><strong>"warn"</strong></span> (default)
-            and
-            <span class="command"><strong>"ignore"</strong></span>.
-          </p>
-        </dd>
-<dt><span class="term">zonename</span></dt>
-<dd>
-          <p>
-            The domain name of the zone being checked.
-          </p>
-        </dd>
-<dt><span class="term">filename</span></dt>
-<dd>
-          <p>
-            The name of the zone file.
-          </p>
-        </dd>
-</dl></div>
-
-  </div>
-
-  <div class="refsection">
-<a name="id-1.9"></a><h2>RETURN VALUES</h2>
-
-    <p><span class="command"><strong>named-checkzone</strong></span>
-      returns an exit status of 1 if
-      errors were detected and 0 otherwise.
-    </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.10"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-        <span class="refentrytitle">named</span>(8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">named-checkconf</span>(8)
-      </span>,
-      <em class="citetitle">RFC 1035</em>,
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
-    </p>
-  </div>
-
-</div></body>
-</html>

bin/check/named-checkzone.rst

@@ -0,0 +1,214 @@
+.. 
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+   
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, You can obtain one at http://mozilla.org/MPL/2.0/.
+   
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
+..
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
+
+.. highlight: console
+
+.. _man_named-checkzone:
+
+named-checkzone, named-compilezone - zone file validity checking or converting tool
+-----------------------------------------------------------------------------------
+
+Synopsis
+~~~~~~~~
+
+:program:`named-checkzone` [**-d**] [**-h**] [**-j**] [**-q**] [**-v**] [**-c** class] [**-f** format] [**-F** format] [**-J** filename] [**-i** mode] [**-k** mode] [**-m** mode] [**-M** mode] [**-n** mode] [**-l** ttl] [**-L** serial] [**-o** filename] [**-r** mode] [**-s** style] [**-S** mode] [**-t** directory] [**-T** mode] [**-w** directory] [**-D**] [**-W** mode] {zonename} {filename}
+
+:program:`named-compilezone` [**-d**] [**-j**] [**-q**] [**-v**] [**-c** class] [**-C** mode] [**-f** format] [**-F** format] [**-J** filename] [**-i** mode] [**-k** mode] [**-m** mode] [**-n** mode] [**-l** ttl] [**-L** serial] [**-r** mode] [**-s** style] [**-t** directory] [**-T** mode] [**-w** directory] [**-D**] [**-W** mode] {**-o** filename} {zonename} {filename}
+
+Description
+~~~~~~~~~~~
+
+``named-checkzone`` checks the syntax and integrity of a zone file. It
+performs the same checks as ``named`` does when loading a zone. This
+makes ``named-checkzone`` useful for checking zone files before
+configuring them into a name server.
+
+``named-compilezone`` is similar to ``named-checkzone``, but it always
+dumps the zone contents to a specified file in a specified format.
+Additionally, it applies stricter check levels by default, since the
+dump output will be used as an actual zone file loaded by ``named``.
+When manually specified otherwise, the check levels must at least be as
+strict as those specified in the ``named`` configuration file.
+
+Options
+~~~~~~~
+
+**-d**
+   Enable debugging.
+
+**-h**
+   Print the usage summary and exit.
+
+**-q**
+   Quiet mode - exit code only.
+
+**-v**
+   Print the version of the ``named-checkzone`` program and exit.
+
+**-j**
+   When loading a zone file, read the journal if it exists. The journal
+   file name is assumed to be the zone file name appended with the
+   string ``.jnl``.
+
+**-J** filename
+   When loading the zone file read the journal from the given file, if
+   it exists. (Implies -j.)
+
+**-c** class
+   Specify the class of the zone. If not specified, "IN" is assumed.
+
+**-i** mode
+   Perform post-load zone integrity checks. Possible modes are
+   ``"full"`` (default), ``"full-sibling"``, ``"local"``,
+   ``"local-sibling"`` and ``"none"``.
+
+   Mode ``"full"`` checks that MX records refer to A or AAAA record
+   (both in-zone and out-of-zone hostnames). Mode ``"local"`` only
+   checks MX records which refer to in-zone hostnames.
+
+   Mode ``"full"`` checks that SRV records refer to A or AAAA record
+   (both in-zone and out-of-zone hostnames). Mode ``"local"`` only
+   checks SRV records which refer to in-zone hostnames.
+
+   Mode ``"full"`` checks that delegation NS records refer to A or AAAA
+   record (both in-zone and out-of-zone hostnames). It also checks that
+   glue address records in the zone match those advertised by the child.
+   Mode ``"local"`` only checks NS records which refer to in-zone
+   hostnames or that some required glue exists, that is when the
+   nameserver is in a child zone.
+
+   Mode ``"full-sibling"`` and ``"local-sibling"`` disable sibling glue
+   checks but are otherwise the same as ``"full"`` and ``"local"``
+   respectively.
+
+   Mode ``"none"`` disables the checks.
+
+**-f** format
+   Specify the format of the zone file. Possible formats are ``"text"``
+   (default), ``"raw"``, and ``"map"``.
+
+**-F** format
+   Specify the format of the output file specified. For
+   ``named-checkzone``, this does not cause any effects unless it dumps
+   the zone contents.
+
+   Possible formats are ``"text"`` (default), which is the standard
+   textual representation of the zone, and ``"map"``, ``"raw"``, and
+   ``"raw=N"``, which store the zone in a binary format for rapid
+   loading by ``named``. ``"raw=N"`` specifies the format version of the
+   raw zone file: if N is 0, the raw file can be read by any version of
+   ``named``; if N is 1, the file can be read by release 9.9.0 or
+   higher; the default is 1.
+
+**-k** mode
+   Perform ``"check-names"`` checks with the specified failure mode.
+   Possible modes are ``"fail"`` (default for ``named-compilezone``),
+   ``"warn"`` (default for ``named-checkzone``) and ``"ignore"``.
+
+**-l** ttl
+   Sets a maximum permissible TTL for the input file. Any record with a
+   TTL higher than this value will cause the zone to be rejected. This
+   is similar to using the ``max-zone-ttl`` option in ``named.conf``.
+
+**-L** serial
+   When compiling a zone to "raw" or "map" format, set the "source
+   serial" value in the header to the specified serial number. (This is
+   expected to be used primarily for testing purposes.)
+
+**-m** mode
+   Specify whether MX records should be checked to see if they are
+   addresses. Possible modes are ``"fail"``, ``"warn"`` (default) and
+   ``"ignore"``.
+
+**-M** mode
+   Check if a MX record refers to a CNAME. Possible modes are
+   ``"fail"``, ``"warn"`` (default) and ``"ignore"``.
+
+**-n** mode
+   Specify whether NS records should be checked to see if they are
+   addresses. Possible modes are ``"fail"`` (default for
+   ``named-compilezone``), ``"warn"`` (default for ``named-checkzone``)
+   and ``"ignore"``.
+
+**-o** filename
+   Write zone output to ``filename``. If ``filename`` is ``-`` then
+   write to standard out. This is mandatory for ``named-compilezone``.
+
+**-r** mode
+   Check for records that are treated as different by DNSSEC but are
+   semantically equal in plain DNS. Possible modes are ``"fail"``,
+   ``"warn"`` (default) and ``"ignore"``.
+
+**-s** style
+   Specify the style of the dumped zone file. Possible styles are
+   ``"full"`` (default) and ``"relative"``. The full format is most
+   suitable for processing automatically by a separate script. On the
+   other hand, the relative format is more human-readable and is thus
+   suitable for editing by hand. For ``named-checkzone`` this does not
+   cause any effects unless it dumps the zone contents. It also does not
+   have any meaning if the output format is not text.
+
+**-S** mode
+   Check if a SRV record refers to a CNAME. Possible modes are
+   ``"fail"``, ``"warn"`` (default) and ``"ignore"``.
+
+**-t** directory
+   Chroot to ``directory`` so that include directives in the
+   configuration file are processed as if run by a similarly chrooted
+   ``named``.
+
+**-T** mode
+   Check if Sender Policy Framework (SPF) records exist and issues a
+   warning if an SPF-formatted TXT record is not also present. Possible
+   modes are ``"warn"`` (default), ``"ignore"``.
+
+**-w** directory
+   chdir to ``directory`` so that relative filenames in master file
+   $INCLUDE directives work. This is similar to the directory clause in
+   ``named.conf``.
+
+**-D**
+   Dump zone file in canonical format. This is always enabled for
+   ``named-compilezone``.
+
+**-W** mode
+   Specify whether to check for non-terminal wildcards. Non-terminal
+   wildcards are almost always the result of a failure to understand the
+   wildcard matching algorithm (:rfc:`1034`). Possible modes are ``"warn"``
+   (default) and ``"ignore"``.
+
+zonename
+   The domain name of the zone being checked.
+
+filename
+   The name of the zone file.
+
+Return Values
+~~~~~~~~~~~~~
+
+``named-checkzone`` returns an exit status of 1 if errors were detected
+and 0 otherwise.
+
+See Also
+~~~~~~~~
+
+:manpage:`named(8)`, :manpage:`named-checkconf(8)`, :rfc:`1035`, BIND 9 Administrator Reference
+Manual.

bin/check/win32/checkconf.vcxproj.in

@@ -44,19 +44,22 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
     <TargetName>named-$(ProjectName)</TargetName>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
     <TargetName>named-$(ProjectName)</TargetName>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -79,7 +82,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>

bin/check/win32/checktool.vcxproj.in

@@ -48,18 +48,21 @@
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <OutDir>.\$(Configuration)\</OutDir>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -78,7 +81,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>

bin/check/win32/checkzone.vcxproj.in

@@ -44,19 +44,22 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
     <TargetName>named-$(ProjectName)</TargetName>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
     <TargetName>named-$(ProjectName)</TargetName>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -85,7 +88,8 @@ copy /Y named-checkzone.ilk named-compilezone.ilk
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>

bin/confgen/Makefile.in

@@ -27,9 +27,9 @@ CWARNINGS =
 
 ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
 ISCCCLIBS =	../../lib/isccc/libisccc.@A@
-ISCLIBS =	../../lib/isc/libisc.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS}
-ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS}
-DNSLIBS =	../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
+ISCLIBS =	../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@
+DNSLIBS =	../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
 BIND9LIBS =	../../lib/bind9/libbind9.@A@
 
 ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@
@@ -53,12 +53,6 @@ SUBDIRS =	unix
 
 TARGETS =	rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@ tsig-keygen@EXEEXT@
 
-MANPAGES =	rndc-confgen.8 ddns-confgen.8
-
-HTMLPAGES =	rndc-confgen.html ddns-confgen.html
-
-MANOBJS =	${MANPAGES} ${HTMLPAGES}
-
 UOBJS =		unix/os.@O@
 
 @BIND9_MAKE_RULES@
@@ -84,28 +78,16 @@ tsig-keygen@EXEEXT@: ddns-confgen@EXEEXT@
 	rm -f tsig-keygen@EXEEXT@
 	${LINK_PROGRAM} ddns-confgen@EXEEXT@ tsig-keygen@EXEEXT@
 
-doc man:: ${MANOBJS}
-
-docclean manclean maintainer-clean::
-	rm -f ${MANOBJS}
-
 installdirs:
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
 
 install:: rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@ installdirs
 	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} rndc-confgen@EXEEXT@ ${DESTDIR}${sbindir}
 	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ddns-confgen@EXEEXT@ ${DESTDIR}${sbindir}
-	${INSTALL_DATA} ${srcdir}/rndc-confgen.8 ${DESTDIR}${mandir}/man8
-	${INSTALL_DATA} ${srcdir}/ddns-confgen.8 ${DESTDIR}${mandir}/man8
 	(cd ${DESTDIR}${sbindir}; rm -f tsig-keygen@EXEEXT@; ${LINK_PROGRAM} ddns-confgen@EXEEXT@ tsig-keygen@EXEEXT@)
-	(cd ${DESTDIR}${mandir}/man8; rm -f tsig-keygen.8; ${LINK_PROGRAM} ddns-confgen.8 tsig-keygen.8)
 
 uninstall::
-	rm -f ${DESTDIR}${mandir}/man8/tsig-keygen.8
 	rm -f ${DESTDIR}${sbindir}/tsig-keygen@EXEEXT@
-	rm -f ${DESTDIR}${mandir}/man8/ddns-confgen.8
-	rm -f ${DESTDIR}${mandir}/man8/rndc-confgen.8
 	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/ddns-confgen@EXEEXT@
 	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/rndc-confgen@EXEEXT@
 

bin/confgen/ddns-confgen.8

@@ -1,148 +0,0 @@
-.\" Copyright (C) 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
-.\" 
-.\" This Source Code Form is subject to the terms of the Mozilla Public
-.\" License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
-.\"
-.hy 0
-.ad l
-'\" t
-.\"     Title: ddns-confgen
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\"      Date: 2014-03-06
-.\"    Manual: BIND9
-.\"    Source: ISC
-.\"  Language: English
-.\"
-.TH "DDNS\-CONFGEN" "8" "2014\-03\-06" "ISC" "BIND9"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el       .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-ddns-confgen \- ddns key generation tool
-.SH "SYNOPSIS"
-.HP \w'\fBtsig\-keygen\fR\ 'u
-\fBtsig\-keygen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-h\fR] [name]
-.HP \w'\fBddns\-confgen\fR\ 'u
-\fBddns\-confgen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkeyname\fR\fR] [\fB\-q\fR] [\fB\-r\ \fR\fB\fIrandomfile\fR\fR] [\-s\ \fIname\fR | \-z\ \fIzone\fR]
-.SH "DESCRIPTION"
-.PP
-\fBtsig\-keygen\fR
-and
-\fBddns\-confgen\fR
-are invocation methods for a utility that generates keys for use in TSIG signing\&. The resulting keys can be used, for example, to secure dynamic DNS updates to a zone or for the
-\fBrndc\fR
-command channel\&.
-.PP
-When run as
-\fBtsig\-keygen\fR, a domain name can be specified on the command line which will be used as the name of the generated key\&. If no name is specified, the default is
-\fBtsig\-key\fR\&.
-.PP
-When run as
-\fBddns\-confgen\fR, the generated key is accompanied by configuration text and instructions that can be used with
-\fBnsupdate\fR
-and
-\fBnamed\fR
-when setting up dynamic DNS, including an example
-\fBupdate\-policy\fR
-statement\&. (This usage similar to the
-\fBrndc\-confgen\fR
-command for setting up command channel security\&.)
-.PP
-Note that
-\fBnamed\fR
-itself can configure a local DDNS key for use with
-\fBnsupdate \-l\fR: it does this when a zone is configured with
-\fBupdate\-policy local;\fR\&.
-\fBddns\-confgen\fR
-is only needed when a more elaborate configuration is required: for instance, if
-\fBnsupdate\fR
-is to be used from a remote system\&.
-.SH "OPTIONS"
-.PP
-\-a \fIalgorithm\fR
-.RS 4
-Specifies the algorithm to use for the TSIG key\&. Available choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384 and hmac\-sha512\&. The default is hmac\-sha256\&. Options are case\-insensitive, and the "hmac\-" prefix may be omitted\&.
-.RE
-.PP
-\-h
-.RS 4
-Prints a short summary of options and arguments\&.
-.RE
-.PP
-\-k \fIkeyname\fR
-.RS 4
-Specifies the key name of the DDNS authentication key\&. The default is
-\fBddns\-key\fR
-when neither the
-\fB\-s\fR
-nor
-\fB\-z\fR
-option is specified; otherwise, the default is
-\fBddns\-key\fR
-as a separate label followed by the argument of the option, e\&.g\&.,
-\fBddns\-key\&.example\&.com\&.\fR
-The key name must have the format of a valid domain name, consisting of letters, digits, hyphens and periods\&.
-.RE
-.PP
-\-q
-.RS 4
-(\fBddns\-confgen\fR
-only\&.) Quiet mode: Print only the key, with no explanatory text or usage examples; This is essentially identical to
-\fBtsig\-keygen\fR\&.
-.RE
-.PP
-\-s \fIname\fR
-.RS 4
-(\fBddns\-confgen\fR
-only\&.) Generate configuration example to allow dynamic updates of a single hostname\&. The example
-\fBnamed\&.conf\fR
-text shows how to set an update policy for the specified
-\fIname\fR
-using the "name" nametype\&. The default key name is ddns\-key\&.\fIname\fR\&. Note that the "self" nametype cannot be used, since the name to be updated may differ from the key name\&. This option cannot be used with the
-\fB\-z\fR
-option\&.
-.RE
-.PP
-\-z \fIzone\fR
-.RS 4
-(\fBddns\-confgen\fR
-only\&.) Generate configuration example to allow dynamic updates of a zone: The example
-\fBnamed\&.conf\fR
-text shows how to set an update policy for the specified
-\fIzone\fR
-using the "zonesub" nametype, allowing updates to all subdomain names within that
-\fIzone\fR\&. This option cannot be used with the
-\fB\-s\fR
-option\&.
-.RE
-.SH "SEE ALSO"
-.PP
-\fBnsupdate\fR(1),
-\fBnamed.conf\fR(5),
-\fBnamed\fR(8),
-BIND 9 Administrator Reference Manual\&.
-.SH "AUTHOR"
-.PP
-\fBInternet Systems Consortium, Inc\&.\fR
-.SH "COPYRIGHT"
-.br
-Copyright \(co 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
-.br

bin/confgen/ddns-confgen.c

@@ -36,24 +36,25 @@
 
 #if USE_PKCS11
 #include <pk11/result.h>
-#endif
+#endif /* if USE_PKCS11 */
 
 #include <dns/keyvalues.h>
 #include <dns/name.h>
 #include <dns/result.h>
 
 #include <dst/dst.h>
+
 #include <confgen/os.h>
 
-#include "util.h"
 #include "keygen.h"
+#include "util.h"
 
-#define KEYGEN_DEFAULT		"tsig-key"
-#define CONFGEN_DEFAULT		"ddns-key"
+#define KEYGEN_DEFAULT	"tsig-key"
+#define CONFGEN_DEFAULT "ddns-key"
 
 static char program[256];
 const char *progname;
-static enum { progmode_keygen, progmode_confgen} progmode;
+static enum { progmode_keygen, progmode_confgen } progmode;
 bool verbose = false; /* needed by util.c but not used here */
 
 ISC_PLATFORM_NORETURN_PRE static void
@@ -70,16 +71,16 @@ Usage:\n\
   -s name:       domain name to be updated using the created key\n\
   -z zone:       name of the zone as it will be used in named.conf\n\
   -q:            quiet mode: print the key, with no explanatory text\n",
-			 progname);
+			progname);
 	} else {
 		fprintf(stderr, "\
 Usage:\n\
  %s [-a alg] [keyname]\n\
   -a alg:        algorithm (default hmac-sha256)\n\n",
-			 progname);
+			progname);
 	}
 
-	exit (status);
+	exit(status);
 }
 
 int
@@ -102,20 +103,22 @@ main(int argc, char **argv) {
 
 #if USE_PKCS11
 	pk11_result_register();
-#endif
+#endif /* if USE_PKCS11 */
 	dns_result_register();
 
 	result = isc_file_progname(*argv, program, sizeof(program));
-	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS) {
 		memmove(program, "tsig-keygen", 11);
+	}
 	progname = program;
 
 	/*
 	 * Libtool doesn't preserve the program name prior to final
 	 * installation.  Remove the libtool prefix ("lt-").
 	 */
-	if (strncmp(progname, "lt-", 3) == 0)
+	if (strncmp(progname, "lt-", 3) == 0) {
 		progname += 3;
+	}
 
 #define PROGCMP(X) \
 	(strcasecmp(progname, X) == 0 || strcasecmp(progname, X ".exe") == 0)
@@ -132,24 +135,26 @@ main(int argc, char **argv) {
 
 	isc_commandline_errprint = false;
 
-	while ((ch = isc_commandline_parse(argc, argv,
-					   "a:hk:Mmr:qs:y:z:")) != -1) {
+	while ((ch = isc_commandline_parse(argc, argv, "a:hk:Mmr:qs:y:z:")) !=
+	       -1) {
 		switch (ch) {
 		case 'a':
 			algname = isc_commandline_argument;
 			alg = alg_fromtext(algname);
-			if (alg == DST_ALG_UNKNOWN)
+			if (alg == DST_ALG_UNKNOWN) {
 				fatal("Unsupported algorithm '%s'", algname);
+			}
 			keysize = alg_bits(alg);
 			break;
 		case 'h':
 			usage(0);
 		case 'k':
 		case 'y':
-			if (progmode == progmode_confgen)
+			if (progmode == progmode_confgen) {
 				keyname = isc_commandline_argument;
-			else
+			} else {
 				usage(1);
+			}
 			break;
 		case 'M':
 			isc_mem_debugging = ISC_MEM_DEBUGTRACE;
@@ -158,51 +163,58 @@ main(int argc, char **argv) {
 			show_final_mem = true;
 			break;
 		case 'q':
-			if (progmode == progmode_confgen)
+			if (progmode == progmode_confgen) {
 				quiet = true;
-			else
+			} else {
 				usage(1);
+			}
 			break;
 		case 'r':
 			fatal("The -r option has been deprecated.");
 			break;
 		case 's':
-			if (progmode == progmode_confgen)
+			if (progmode == progmode_confgen) {
 				self_domain = isc_commandline_argument;
-			else
+			} else {
 				usage(1);
+			}
 			break;
 		case 'z':
-			if (progmode == progmode_confgen)
+			if (progmode == progmode_confgen) {
 				zone = isc_commandline_argument;
-			else
+			} else {
 				usage(1);
+			}
 			break;
 		case '?':
 			if (isc_commandline_option != '?') {
 				fprintf(stderr, "%s: invalid argument -%c\n",
 					program, isc_commandline_option);
 				usage(1);
-			} else
+			} else {
 				usage(0);
+			}
 			break;
 		default:
-			fprintf(stderr, "%s: unhandled option -%c\n",
-				program, isc_commandline_option);
+			fprintf(stderr, "%s: unhandled option -%c\n", program,
+				isc_commandline_option);
 			exit(1);
 		}
 	}
 
-	if (progmode == progmode_keygen)
+	if (progmode == progmode_keygen) {
 		keyname = argv[isc_commandline_index++];
+	}
 
 	POST(argv);
 
-	if (self_domain != NULL && zone != NULL)
-		usage(1);	/* -s and -z cannot coexist */
+	if (self_domain != NULL && zone != NULL) {
+		usage(1); /* -s and -z cannot coexist */
+	}
 
-	if (argc > isc_commandline_index)
+	if (argc > isc_commandline_index) {
 		usage(1);
+	}
 
 	/* Use canonical algorithm name */
 	algname = alg_totext(alg);
@@ -212,18 +224,18 @@ main(int argc, char **argv) {
 	if (keyname == NULL) {
 		const char *suffix = NULL;
 
-		keyname = ((progmode == progmode_keygen)
-			?  KEYGEN_DEFAULT
-			: CONFGEN_DEFAULT);
-		if (self_domain != NULL)
+		keyname = ((progmode == progmode_keygen) ? KEYGEN_DEFAULT
+							 : CONFGEN_DEFAULT);
+		if (self_domain != NULL) {
 			suffix = self_domain;
-		else if (zone != NULL)
+		} else if (zone != NULL) {
 			suffix = zone;
+		}
 		if (suffix != NULL) {
 			len = strlen(keyname) + strlen(suffix) + 2;
 			keybuf = isc_mem_get(mctx, len);
 			snprintf(keybuf, len, "%s.%s", keyname, suffix);
-			keyname = (const char *) keybuf;
+			keyname = (const char *)keybuf;
 		}
 	}
 
@@ -231,20 +243,19 @@ main(int argc, char **argv) {
 
 	generate_key(mctx, alg, keysize, &key_txtbuffer);
 
-
-	if (!quiet)
+	if (!quiet) {
 		printf("\
 # To activate this key, place the following in named.conf, and\n\
 # in a separate keyfile on the system or systems from which nsupdate\n\
 # will be run:\n");
+	}
 
 	printf("\
 key \"%s\" {\n\
 	algorithm %s;\n\
 	secret \"%.*s\";\n\
 };\n",
-	       keyname, algname,
-	       (int)isc_buffer_usedlength(&key_txtbuffer),
+	       keyname, algname, (int)isc_buffer_usedlength(&key_txtbuffer),
 	       (char *)isc_buffer_base(&key_txtbuffer));
 
 	if (!quiet) {
@@ -282,14 +293,15 @@ update-policy {\n\
 # After the keyfile has been placed, the following command will\n\
 # execute nsupdate using this key:\n\
 nsupdate -k <keyfile>\n");
-
 	}
 
-	if (keybuf != NULL)
+	if (keybuf != NULL) {
 		isc_mem_put(mctx, keybuf, len);
+	}
 
-	if (show_final_mem)
+	if (show_final_mem) {
 		isc_mem_stats(mctx, stderr);
+	}
 
 	isc_mem_destroy(&mctx);
 

bin/confgen/ddns-confgen.docbook

@@ -1,213 +0,0 @@
-<!--
- - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
- -
- - See the COPYRIGHT file distributed with this work for additional
- - information regarding copyright ownership.
--->
-
-<!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.ddns-confgen">
-  <info>
-    <date>2014-03-06</date>
-  </info>
-  <refentryinfo>
-    <corpname>ISC</corpname>
-    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle><application>ddns-confgen</application></refentrytitle>
-    <manvolnum>8</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <refnamediv>
-    <refname><application>ddns-confgen</application></refname>
-    <refpurpose>ddns key generation tool</refpurpose>
-  </refnamediv>
-
-  <docinfo>
-    <copyright>
-      <year>2009</year>
-      <year>2014</year>
-      <year>2015</year>
-      <year>2016</year>
-      <year>2018</year>
-      <year>2019</year>
-      <year>2020</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-  </docinfo>
-
-  <refsynopsisdiv>
-    <cmdsynopsis sepchar=" ">
-      <command>tsig-keygen</command>
-      <arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-h</option></arg>
-      <arg choice="opt" rep="norepeat">name</arg>
-    </cmdsynopsis>
-    <cmdsynopsis sepchar=" ">
-      <command>ddns-confgen</command>
-      <arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-h</option></arg>
-      <arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">keyname</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-q</option></arg>
-      <arg choice="opt" rep="norepeat"><option>-r <replaceable class="parameter">randomfile</replaceable></option></arg>
-      <group choice="opt" rep="norepeat">
-        <arg choice="plain" rep="norepeat">-s <replaceable class="parameter">name</replaceable></arg>
-        <arg choice="plain" rep="norepeat">-z <replaceable class="parameter">zone</replaceable></arg>
-      </group>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsection><info><title>DESCRIPTION</title></info>
-
-    <para>
-      <command>tsig-keygen</command> and <command>ddns-confgen</command>
-      are invocation methods for a utility that generates keys for use
-      in TSIG signing.  The resulting keys can be used, for example,
-      to secure dynamic DNS updates to a zone or for the
-      <command>rndc</command> command channel.
-    </para>
-
-    <para>
-      When run as <command>tsig-keygen</command>, a domain name
-      can be specified on the command line which will be used as
-      the name of the generated key.  If no name is specified,
-      the default is <constant>tsig-key</constant>.
-    </para>
-
-    <para>
-      When run as <command>ddns-confgen</command>, the generated
-      key is accompanied by configuration text and instructions
-      that can be used with <command>nsupdate</command> and
-      <command>named</command> when setting up dynamic DNS,
-      including an example <command>update-policy</command>
-      statement.  (This usage similar to the
-      <command>rndc-confgen</command> command for setting
-      up command channel security.)
-    </para>
-
-    <para>
-      Note that <command>named</command> itself can configure a
-      local DDNS key for use with <command>nsupdate -l</command>:
-      it does this when a zone is configured with
-      <command>update-policy local;</command>.
-      <command>ddns-confgen</command> is only needed when a
-      more elaborate configuration is required: for instance,
-      if <command>nsupdate</command> is to be used from a remote
-      system.
-    </para>
-  </refsection>
-
-  <refsection><info><title>OPTIONS</title></info>
-
-
-    <variablelist>
-      <varlistentry>
-	<term>-a <replaceable class="parameter">algorithm</replaceable></term>
-	<listitem>
-	  <para>
-            Specifies the algorithm to use for the TSIG key.  Available
-            choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
-            hmac-sha384 and hmac-sha512.  The default is hmac-sha256.
-            Options are case-insensitive, and the "hmac-" prefix
-            may be omitted.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-h</term>
-	<listitem>
-	  <para>
-	    Prints a short summary of options and arguments.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-k <replaceable class="parameter">keyname</replaceable></term>
-	<listitem>
-	  <para>
-	    Specifies the key name of the DDNS authentication key.
-	    The default is <constant>ddns-key</constant> when neither
-	    the <option>-s</option> nor <option>-z</option> option is
-	    specified; otherwise, the default
-	    is <constant>ddns-key</constant> as a separate label
-	    followed by the argument of the option, e.g.,
-	    <constant>ddns-key.example.com.</constant>
-	    The key name must have the format of a valid domain name,
-	    consisting of letters, digits, hyphens and periods.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-q</term>
-	<listitem>
-	  <para>
-	    (<command>ddns-confgen</command> only.) Quiet mode:  Print
-            only the key, with no explanatory text or usage examples;
-            This is essentially identical to <command>tsig-keygen</command>.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-s <replaceable class="parameter">name</replaceable></term>
-	<listitem>
-	  <para>
-            (<command>ddns-confgen</command> only.)
-	    Generate configuration example to allow dynamic updates
-            of a single hostname.  The example <command>named.conf</command>
-            text shows how to set an update policy for the specified
-            <replaceable class="parameter">name</replaceable>
-	    using the "name" nametype.  The default key name is
-	    ddns-key.<replaceable class="parameter">name</replaceable>.
-	    Note that the "self" nametype cannot be used, since
-	    the name to be updated may differ from the key name.
-	    This option cannot be used with the <option>-z</option> option.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-z <replaceable class="parameter">zone</replaceable></term>
-	<listitem>
-	  <para>
-            (<command>ddns-confgen</command> only.)
-	    Generate configuration example to allow dynamic updates
-            of a zone:  The example <command>named.conf</command> text
-            shows how to set an update policy for the specified
-	    <replaceable class="parameter">zone</replaceable>
-	    using the "zonesub" nametype, allowing updates to
-            all subdomain names within that
-            <replaceable class="parameter">zone</replaceable>.
-	    This option cannot be used with the <option>-s</option> option.
-	  </para>
-	</listitem>
-      </varlistentry>
-    </variablelist>
-  </refsection>
-
-  <refsection><info><title>SEE ALSO</title></info>
-
-    <para><citerefentry>
-	<refentrytitle>nsupdate</refentrytitle><manvolnum>1</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-	<refentrytitle>named.conf</refentrytitle><manvolnum>5</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-	<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
-    </para>
-  </refsection>
-
-</refentry>

bin/confgen/ddns-confgen.html

@@ -1,187 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
- - 
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>ddns-confgen</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
-<a name="man.ddns-confgen"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
-<h2>Name</h2>
-<p>
-    <span class="application">ddns-confgen</span>
-     &#8212; ddns key generation tool
-  </p>
-</div>
-
-  
-
-  <div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">tsig-keygen</code> 
-       [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
-       [<code class="option">-h</code>]
-       [name]
-    </p></div>
-    <div class="cmdsynopsis"><p>
-      <code class="command">ddns-confgen</code> 
-       [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
-       [<code class="option">-h</code>]
-       [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>]
-       [<code class="option">-q</code>]
-       [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>]
-       [
-         -s <em class="replaceable"><code>name</code></em> 
-         |   -z <em class="replaceable"><code>zone</code></em> 
-      ]
-    </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-    <p>
-      <span class="command"><strong>tsig-keygen</strong></span> and <span class="command"><strong>ddns-confgen</strong></span>
-      are invocation methods for a utility that generates keys for use
-      in TSIG signing.  The resulting keys can be used, for example,
-      to secure dynamic DNS updates to a zone or for the
-      <span class="command"><strong>rndc</strong></span> command channel.
-    </p>
-
-    <p>
-      When run as <span class="command"><strong>tsig-keygen</strong></span>, a domain name
-      can be specified on the command line which will be used as
-      the name of the generated key.  If no name is specified,
-      the default is <code class="constant">tsig-key</code>.
-    </p>
-
-    <p>
-      When run as <span class="command"><strong>ddns-confgen</strong></span>, the generated
-      key is accompanied by configuration text and instructions
-      that can be used with <span class="command"><strong>nsupdate</strong></span> and
-      <span class="command"><strong>named</strong></span> when setting up dynamic DNS,
-      including an example <span class="command"><strong>update-policy</strong></span>
-      statement.  (This usage similar to the
-      <span class="command"><strong>rndc-confgen</strong></span> command for setting
-      up command channel security.)
-    </p>
-
-    <p>
-      Note that <span class="command"><strong>named</strong></span> itself can configure a
-      local DDNS key for use with <span class="command"><strong>nsupdate -l</strong></span>:
-      it does this when a zone is configured with
-      <span class="command"><strong>update-policy local;</strong></span>.
-      <span class="command"><strong>ddns-confgen</strong></span> is only needed when a
-      more elaborate configuration is required: for instance,
-      if <span class="command"><strong>nsupdate</strong></span> is to be used from a remote
-      system.
-    </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.8"></a><h2>OPTIONS</h2>
-
-
-    <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
-<dd>
-	  <p>
-            Specifies the algorithm to use for the TSIG key.  Available
-            choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
-            hmac-sha384 and hmac-sha512.  The default is hmac-sha256.
-            Options are case-insensitive, and the "hmac-" prefix
-            may be omitted.
-	  </p>
-	</dd>
-<dt><span class="term">-h</span></dt>
-<dd>
-	  <p>
-	    Prints a short summary of options and arguments.
-	  </p>
-	</dd>
-<dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt>
-<dd>
-	  <p>
-	    Specifies the key name of the DDNS authentication key.
-	    The default is <code class="constant">ddns-key</code> when neither
-	    the <code class="option">-s</code> nor <code class="option">-z</code> option is
-	    specified; otherwise, the default
-	    is <code class="constant">ddns-key</code> as a separate label
-	    followed by the argument of the option, e.g.,
-	    <code class="constant">ddns-key.example.com.</code>
-	    The key name must have the format of a valid domain name,
-	    consisting of letters, digits, hyphens and periods.
-	  </p>
-	</dd>
-<dt><span class="term">-q</span></dt>
-<dd>
-	  <p>
-	    (<span class="command"><strong>ddns-confgen</strong></span> only.) Quiet mode:  Print
-            only the key, with no explanatory text or usage examples;
-            This is essentially identical to <span class="command"><strong>tsig-keygen</strong></span>.
-	  </p>
-	</dd>
-<dt><span class="term">-s <em class="replaceable"><code>name</code></em></span></dt>
-<dd>
-	  <p>
-            (<span class="command"><strong>ddns-confgen</strong></span> only.)
-	    Generate configuration example to allow dynamic updates
-            of a single hostname.  The example <span class="command"><strong>named.conf</strong></span>
-            text shows how to set an update policy for the specified
-            <em class="replaceable"><code>name</code></em>
-	    using the "name" nametype.  The default key name is
-	    ddns-key.<em class="replaceable"><code>name</code></em>.
-	    Note that the "self" nametype cannot be used, since
-	    the name to be updated may differ from the key name.
-	    This option cannot be used with the <code class="option">-z</code> option.
-	  </p>
-	</dd>
-<dt><span class="term">-z <em class="replaceable"><code>zone</code></em></span></dt>
-<dd>
-	  <p>
-            (<span class="command"><strong>ddns-confgen</strong></span> only.)
-	    Generate configuration example to allow dynamic updates
-            of a zone:  The example <span class="command"><strong>named.conf</strong></span> text
-            shows how to set an update policy for the specified
-	    <em class="replaceable"><code>zone</code></em>
-	    using the "zonesub" nametype, allowing updates to
-            all subdomain names within that
-            <em class="replaceable"><code>zone</code></em>.
-	    This option cannot be used with the <code class="option">-s</code> option.
-	  </p>
-	</dd>
-</dl></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.9"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-	<span class="refentrytitle">nsupdate</span>(1)
-      </span>,
-      <span class="citerefentry">
-	<span class="refentrytitle">named.conf</span>(5)
-      </span>,
-      <span class="citerefentry">
-	<span class="refentrytitle">named</span>(8)
-      </span>,
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
-    </p>
-  </div>
-
-</div></body>
-</html>

bin/confgen/ddns-confgen.rst

@@ -0,0 +1,103 @@
+.. 
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+   
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, You can obtain one at http://mozilla.org/MPL/2.0/.
+   
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
+..
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
+
+.. highlight: console
+
+.. _man_ddns-confgen:
+
+ddns-confgen - ddns key generation tool
+---------------------------------------
+
+Synopsis
+~~~~~~~~
+:program:`tsig-keygen` [**-a** algorithm] [**-h**] [**-r** randomfile] [**-s** name]
+
+:program:`ddns-confgen` [**-a** algorithm] [**-h**] [**-k** keyname] [**-q**] [**-r** randomfile] [**-s** name] [**-z** zone]
+
+Description
+~~~~~~~~~~~
+
+``tsig-keygen`` and ``ddns-confgen`` are invocation methods for a
+utility that generates keys for use in TSIG signing. The resulting keys
+can be used, for example, to secure dynamic DNS updates to a zone or for
+the ``rndc`` command channel.
+
+When run as ``tsig-keygen``, a domain name can be specified on the
+command line which will be used as the name of the generated key. If no
+name is specified, the default is ``tsig-key``.
+
+When run as ``ddns-confgen``, the generated key is accompanied by
+configuration text and instructions that can be used with ``nsupdate``
+and ``named`` when setting up dynamic DNS, including an example
+``update-policy`` statement. (This usage similar to the ``rndc-confgen``
+command for setting up command channel security.)
+
+Note that ``named`` itself can configure a local DDNS key for use with
+``nsupdate -l``: it does this when a zone is configured with
+``update-policy local;``. ``ddns-confgen`` is only needed when a more
+elaborate configuration is required: for instance, if ``nsupdate`` is to
+be used from a remote system.
+
+Options
+~~~~~~~
+
+**-a** algorithm
+   Specifies the algorithm to use for the TSIG key. Available choices
+   are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384 and
+   hmac-sha512. The default is hmac-sha256. Options are
+   case-insensitive, and the "hmac-" prefix may be omitted.
+
+**-h**
+   Prints a short summary of options and arguments.
+
+**-k** keyname
+   Specifies the key name of the DDNS authentication key. The default is
+   ``ddns-key`` when neither the ``-s`` nor ``-z`` option is specified;
+   otherwise, the default is ``ddns-key`` as a separate label followed
+   by the argument of the option, e.g., ``ddns-key.example.com.`` The
+   key name must have the format of a valid domain name, consisting of
+   letters, digits, hyphens and periods.
+
+**-q**
+   (``ddns-confgen`` only.) Quiet mode: Print only the key, with no
+   explanatory text or usage examples; This is essentially identical to
+   ``tsig-keygen``.
+
+**-s** name
+   (``ddns-confgen`` only.) Generate configuration example to allow
+   dynamic updates of a single hostname. The example ``named.conf`` text
+   shows how to set an update policy for the specified name using the
+   "name" nametype. The default key name is ddns-key.name. Note that the
+   "self" nametype cannot be used, since the name to be updated may
+   differ from the key name. This option cannot be used with the ``-z``
+   option.
+
+**-z** zone
+   (``ddns-confgen`` only.) Generate configuration example to allow
+   dynamic updates of a zone: The example ``named.conf`` text shows how
+   to set an update policy for the specified zone using the "zonesub"
+   nametype, allowing updates to all subdomain names within that zone.
+   This option cannot be used with the ``-s`` option.
+
+See Also
+~~~~~~~~
+
+:manpage:`nsupdate(1)`, :manpage:`named.conf(5)`, :manpage:`named(8)`, BIND 9 Administrator Reference Manual.

bin/confgen/include/.clang-format

@@ -0,0 +1 @@
+../../../.clang-format.headers

bin/confgen/include/confgen/os.h

@@ -9,18 +9,19 @@
  * information regarding copyright ownership.
  */
 
-
 /*! \file */
 
 #ifndef RNDC_OS_H
 #define RNDC_OS_H 1
 
-#include <isc/lang.h>
 #include <stdio.h>
 
+#include <isc/lang.h>
+
 ISC_LANG_BEGINDECLS
 
-int set_user(FILE *fd, const char *user);
+int
+set_user(FILE *fd, const char *user);
 /*%<
  * Set the owner of the file referenced by 'fd' to 'user'.
  * Returns:
@@ -30,4 +31,4 @@ int set_user(FILE *fd, const char *user);
 
 ISC_LANG_ENDDECLS
 
-#endif
+#endif /* ifndef RNDC_OS_H */

bin/confgen/keygen.c

@@ -9,11 +9,11 @@
  * information regarding copyright ownership.
  */
 
-
 /*! \file */
 
-#include <stdlib.h>
+#include "keygen.h"
 #include <stdarg.h>
+#include <stdlib.h>
 
 #include <isc/base64.h>
 #include <isc/buffer.h>
@@ -29,10 +29,10 @@
 #include <dns/name.h>
 
 #include <dst/dst.h>
+
 #include <confgen/os.h>
 
 #include "util.h"
-#include "keygen.h"
 
 /*%
  * Convert algorithm type to string.
@@ -40,20 +40,20 @@
 const char *
 alg_totext(dns_secalg_t alg) {
 	switch (alg) {
-	    case DST_ALG_HMACMD5:
-		return "hmac-md5";
-	    case DST_ALG_HMACSHA1:
-		return "hmac-sha1";
-	    case DST_ALG_HMACSHA224:
-		return "hmac-sha224";
-	    case DST_ALG_HMACSHA256:
-		return "hmac-sha256";
-	    case DST_ALG_HMACSHA384:
-		return "hmac-sha384";
-	    case DST_ALG_HMACSHA512:
-		return "hmac-sha512";
-	    default:
-		return "(unknown)";
+	case DST_ALG_HMACMD5:
+		return ("hmac-md5");
+	case DST_ALG_HMACSHA1:
+		return ("hmac-sha1");
+	case DST_ALG_HMACSHA224:
+		return ("hmac-sha224");
+	case DST_ALG_HMACSHA256:
+		return ("hmac-sha256");
+	case DST_ALG_HMACSHA384:
+		return ("hmac-sha384");
+	case DST_ALG_HMACSHA512:
+		return ("hmac-sha512");
+	default:
+		return ("(unknown)");
 	}
 }
 
@@ -63,22 +63,29 @@ alg_totext(dns_secalg_t alg) {
 dns_secalg_t
 alg_fromtext(const char *name) {
 	const char *p = name;
-	if (strncasecmp(p, "hmac-", 5) == 0)
+	if (strncasecmp(p, "hmac-", 5) == 0) {
 		p = &name[5];
+	}
 
-	if (strcasecmp(p, "md5") == 0)
-		return DST_ALG_HMACMD5;
-	if (strcasecmp(p, "sha1") == 0)
-		return DST_ALG_HMACSHA1;
-	if (strcasecmp(p, "sha224") == 0)
-		return DST_ALG_HMACSHA224;
-	if (strcasecmp(p, "sha256") == 0)
-		return DST_ALG_HMACSHA256;
-	if (strcasecmp(p, "sha384") == 0)
-		return DST_ALG_HMACSHA384;
-	if (strcasecmp(p, "sha512") == 0)
-		return DST_ALG_HMACSHA512;
-	return DST_ALG_UNKNOWN;
+	if (strcasecmp(p, "md5") == 0) {
+		return (DST_ALG_HMACMD5);
+	}
+	if (strcasecmp(p, "sha1") == 0) {
+		return (DST_ALG_HMACSHA1);
+	}
+	if (strcasecmp(p, "sha224") == 0) {
+		return (DST_ALG_HMACSHA224);
+	}
+	if (strcasecmp(p, "sha256") == 0) {
+		return (DST_ALG_HMACSHA256);
+	}
+	if (strcasecmp(p, "sha384") == 0) {
+		return (DST_ALG_HMACSHA384);
+	}
+	if (strcasecmp(p, "sha512") == 0) {
+		return (DST_ALG_HMACSHA512);
+	}
+	return (DST_ALG_UNKNOWN);
 }
 
 /*%
@@ -87,20 +94,20 @@ alg_fromtext(const char *name) {
 int
 alg_bits(dns_secalg_t alg) {
 	switch (alg) {
-	    case DST_ALG_HMACMD5:
-		return 128;
-	    case DST_ALG_HMACSHA1:
-		return 160;
-	    case DST_ALG_HMACSHA224:
-		return 224;
-	    case DST_ALG_HMACSHA256:
-		return 256;
-	    case DST_ALG_HMACSHA384:
-		return 384;
-	    case DST_ALG_HMACSHA512:
-		return 512;
-	    default:
-		return 0;
+	case DST_ALG_HMACMD5:
+		return (128);
+	case DST_ALG_HMACSHA1:
+		return (160);
+	case DST_ALG_HMACSHA224:
+		return (224);
+	case DST_ALG_HMACSHA256:
+		return (256);
+	case DST_ALG_HMACSHA384:
+		return (384);
+	case DST_ALG_HMACSHA512:
+		return (512);
+	default:
+		return (0);
 	}
 }
 
@@ -117,30 +124,31 @@ generate_key(isc_mem_t *mctx, dns_secalg_t alg, int keysize,
 	dst_key_t *key = NULL;
 
 	switch (alg) {
-	    case DST_ALG_HMACMD5:
-	    case DST_ALG_HMACSHA1:
-	    case DST_ALG_HMACSHA224:
-	    case DST_ALG_HMACSHA256:
-		if (keysize < 1 || keysize > 512)
+	case DST_ALG_HMACMD5:
+	case DST_ALG_HMACSHA1:
+	case DST_ALG_HMACSHA224:
+	case DST_ALG_HMACSHA256:
+		if (keysize < 1 || keysize > 512) {
 			fatal("keysize %d out of range (must be 1-512)\n",
 			      keysize);
+		}
 		break;
-	    case DST_ALG_HMACSHA384:
-	    case DST_ALG_HMACSHA512:
-		if (keysize < 1 || keysize > 1024)
+	case DST_ALG_HMACSHA384:
+	case DST_ALG_HMACSHA512:
+		if (keysize < 1 || keysize > 1024) {
 			fatal("keysize %d out of range (must be 1-1024)\n",
 			      keysize);
+		}
 		break;
-	    default:
+	default:
 		fatal("unsupported algorithm %d\n", alg);
 	}
 
 	DO("initialize dst library", dst_lib_init(mctx, NULL));
 
-	DO("generate key", dst_key_generate(dns_rootname, alg,
-					    keysize, 0, 0, DNS_KEYPROTO_ANY,
-					    dns_rdataclass_in, mctx, &key,
-					    NULL));
+	DO("generate key",
+	   dst_key_generate(dns_rootname, alg, keysize, 0, 0, DNS_KEYPROTO_ANY,
+			    dns_rdataclass_in, mctx, &key, NULL));
 
 	isc_buffer_init(&key_rawbuffer, &key_rawsecret, sizeof(key_rawsecret));
 
@@ -148,11 +156,12 @@ generate_key(isc_mem_t *mctx, dns_secalg_t alg, int keysize,
 
 	isc_buffer_usedregion(&key_rawbuffer, &key_rawregion);
 
-	DO("bsse64 encode secret", isc_base64_totext(&key_rawregion, -1, "",
-						     key_txtbuffer));
+	DO("bsse64 encode secret",
+	   isc_base64_totext(&key_rawregion, -1, "", key_txtbuffer));
 
-	if (key != NULL)
+	if (key != NULL) {
 		dst_key_free(&key);
+	}
 
 	dst_lib_destroy();
 }
@@ -163,9 +172,8 @@ generate_key(isc_mem_t *mctx, dns_secalg_t alg, int keysize,
  * the name 'keyname' and the secret in the buffer 'secret'.
  */
 void
-write_key_file(const char *keyfile, const char *user,
-	       const char *keyname, isc_buffer_t *secret,
-	       dns_secalg_t alg) {
+write_key_file(const char *keyfile, const char *user, const char *keyname,
+	       isc_buffer_t *secret, dns_secalg_t alg) {
 	isc_result_t result;
 	const char *algname = alg_totext(alg);
 	FILE *fd = NULL;
@@ -173,19 +181,22 @@ write_key_file(const char *keyfile, const char *user,
 	DO("create keyfile", isc_file_safecreate(keyfile, &fd));
 
 	if (user != NULL) {
-		if (set_user(fd, user) == -1)
+		if (set_user(fd, user) == -1) {
 			fatal("unable to set file owner\n");
+		}
 	}
 
-	fprintf(fd, "key \"%s\" {\n\talgorithm %s;\n"
+	fprintf(fd,
+		"key \"%s\" {\n\talgorithm %s;\n"
 		"\tsecret \"%.*s\";\n};\n",
-		keyname, algname,
-		(int)isc_buffer_usedlength(secret),
+		keyname, algname, (int)isc_buffer_usedlength(secret),
 		(char *)isc_buffer_base(secret));
 	fflush(fd);
-	if (ferror(fd))
+	if (ferror(fd)) {
 		fatal("write to %s failed\n", keyfile);
-	if (fclose(fd))
+	}
+	if (fclose(fd)) {
 		fatal("fclose(%s) failed\n", keyfile);
+	}
 	fprintf(stderr, "wrote key file \"%s\"\n", keyfile);
 }

bin/confgen/keygen.h

@@ -9,26 +9,33 @@
  * information regarding copyright ownership.
  */
 
-
 #ifndef RNDC_KEYGEN_H
 #define RNDC_KEYGEN_H 1
 
 /*! \file */
 
+#include <isc/buffer.h>
 #include <isc/lang.h>
+#include <isc/mem.h>
+
+#include <dns/secalg.h>
 
 ISC_LANG_BEGINDECLS
 
-void generate_key(isc_mem_t *mctx, dns_secalg_t alg, int keysize,
-		  isc_buffer_t *key_txtbuffer);
+void
+generate_key(isc_mem_t *mctx, dns_secalg_t alg, int keysize,
+	     isc_buffer_t *key_txtbuffer);
 
-void write_key_file(const char *keyfile, const char *user,
-		    const char *keyname, isc_buffer_t *secret,
-		    dns_secalg_t alg);
+void
+write_key_file(const char *keyfile, const char *user, const char *keyname,
+	       isc_buffer_t *secret, dns_secalg_t alg);
 
-const char *alg_totext(dns_secalg_t alg);
-dns_secalg_t alg_fromtext(const char *name);
-int alg_bits(dns_secalg_t alg);
+const char *
+alg_totext(dns_secalg_t alg);
+dns_secalg_t
+alg_fromtext(const char *name);
+int
+alg_bits(dns_secalg_t alg);
 
 ISC_LANG_ENDDECLS
 

bin/confgen/rndc-confgen.8

@@ -1,210 +0,0 @@
-.\" Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
-.\" 
-.\" This Source Code Form is subject to the terms of the Mozilla Public
-.\" License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
-.\"
-.hy 0
-.ad l
-'\" t
-.\"     Title: rndc-confgen
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\"      Date: 2013-03-14
-.\"    Manual: BIND9
-.\"    Source: ISC
-.\"  Language: English
-.\"
-.TH "RNDC\-CONFGEN" "8" "2013\-03\-14" "ISC" "BIND9"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el       .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-rndc-confgen \- rndc key generation tool
-.SH "SYNOPSIS"
-.HP \w'\fBrndc\-confgen\fR\ 'u
-\fBrndc\-confgen\fR [\fB\-a\fR] [\fB\-A\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-c\ \fR\fB\fIkeyfile\fR\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkeyname\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-s\ \fR\fB\fIaddress\fR\fR] [\fB\-t\ \fR\fB\fIchrootdir\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR]
-.SH "DESCRIPTION"
-.PP
-\fBrndc\-confgen\fR
-generates configuration files for
-\fBrndc\fR\&. It can be used as a convenient alternative to writing the
-rndc\&.conf
-file and the corresponding
-\fBcontrols\fR
-and
-\fBkey\fR
-statements in
-named\&.conf
-by hand\&. Alternatively, it can be run with the
-\fB\-a\fR
-option to set up a
-rndc\&.key
-file and avoid the need for a
-rndc\&.conf
-file and a
-\fBcontrols\fR
-statement altogether\&.
-.SH "OPTIONS"
-.PP
-\-a
-.RS 4
-Do automatic
-\fBrndc\fR
-configuration\&. This creates a file
-rndc\&.key
-in
-/etc
-(or whatever
-\fIsysconfdir\fR
-was specified as when
-BIND
-was built) that is read by both
-\fBrndc\fR
-and
-\fBnamed\fR
-on startup\&. The
-rndc\&.key
-file defines a default command channel and authentication key allowing
-\fBrndc\fR
-to communicate with
-\fBnamed\fR
-on the local host with no further configuration\&.
-.sp
-Running
-\fBrndc\-confgen \-a\fR
-allows BIND 9 and
-\fBrndc\fR
-to be used as drop\-in replacements for BIND 8 and
-\fBndc\fR, with no changes to the existing BIND 8
-named\&.conf
-file\&.
-.sp
-If a more elaborate configuration than that generated by
-\fBrndc\-confgen \-a\fR
-is required, for example if rndc is to be used remotely, you should run
-\fBrndc\-confgen\fR
-without the
-\fB\-a\fR
-option and set up a
-rndc\&.conf
-and
-named\&.conf
-as directed\&.
-.RE
-.PP
-\-A \fIalgorithm\fR
-.RS 4
-Specifies the algorithm to use for the TSIG key\&. Available choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384 and hmac\-sha512\&. The default is hmac\-sha256\&.
-.RE
-.PP
-\-b \fIkeysize\fR
-.RS 4
-Specifies the size of the authentication key in bits\&. Must be between 1 and 512 bits; the default is the hash size\&.
-.RE
-.PP
-\-c \fIkeyfile\fR
-.RS 4
-Used with the
-\fB\-a\fR
-option to specify an alternate location for
-rndc\&.key\&.
-.RE
-.PP
-\-h
-.RS 4
-Prints a short summary of the options and arguments to
-\fBrndc\-confgen\fR\&.
-.RE
-.PP
-\-k \fIkeyname\fR
-.RS 4
-Specifies the key name of the rndc authentication key\&. This must be a valid domain name\&. The default is
-\fBrndc\-key\fR\&.
-.RE
-.PP
-\-p \fIport\fR
-.RS 4
-Specifies the command channel port where
-\fBnamed\fR
-listens for connections from
-\fBrndc\fR\&. The default is 953\&.
-.RE
-.PP
-\-s \fIaddress\fR
-.RS 4
-Specifies the IP address where
-\fBnamed\fR
-listens for command channel connections from
-\fBrndc\fR\&. The default is the loopback address 127\&.0\&.0\&.1\&.
-.RE
-.PP
-\-t \fIchrootdir\fR
-.RS 4
-Used with the
-\fB\-a\fR
-option to specify a directory where
-\fBnamed\fR
-will run chrooted\&. An additional copy of the
-rndc\&.key
-will be written relative to this directory so that it will be found by the chrooted
-\fBnamed\fR\&.
-.RE
-.PP
-\-u \fIuser\fR
-.RS 4
-Used with the
-\fB\-a\fR
-option to set the owner of the
-rndc\&.key
-file generated\&. If
-\fB\-t\fR
-is also specified only the file in the chroot area has its owner changed\&.
-.RE
-.SH "EXAMPLES"
-.PP
-To allow
-\fBrndc\fR
-to be used with no manual configuration, run
-.PP
-\fBrndc\-confgen \-a\fR
-.PP
-To print a sample
-rndc\&.conf
-file and corresponding
-\fBcontrols\fR
-and
-\fBkey\fR
-statements to be manually inserted into
-named\&.conf, run
-.PP
-\fBrndc\-confgen\fR
-.SH "SEE ALSO"
-.PP
-\fBrndc\fR(8),
-\fBrndc.conf\fR(5),
-\fBnamed\fR(8),
-BIND 9 Administrator Reference Manual\&.
-.SH "AUTHOR"
-.PP
-\fBInternet Systems Consortium, Inc\&.\fR
-.SH "COPYRIGHT"
-.br
-Copyright \(co 2001, 2003-2005, 2007, 2009, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
-.br

bin/confgen/rndc-confgen.c

@@ -43,14 +43,15 @@
 #include <dns/name.h>
 
 #include <dst/dst.h>
+
 #include <confgen/os.h>
 
-#include "util.h"
 #include "keygen.h"
+#include "util.h"
 
-#define DEFAULT_KEYNAME		"rndc-key"
-#define DEFAULT_SERVER		"127.0.0.1"
-#define DEFAULT_PORT		953
+#define DEFAULT_KEYNAME "rndc-key"
+#define DEFAULT_SERVER	"127.0.0.1"
+#define DEFAULT_PORT	953
 
 static char program[256];
 const char *progname;
@@ -64,7 +65,6 @@ usage(int status) ISC_PLATFORM_NORETURN_POST;
 
 static void
 usage(int status) {
-
 	fprintf(stderr, "\
 Usage:\n\
  %s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] \
@@ -78,9 +78,9 @@ Usage:\n\
   -s addr:	 the address to which rndc should connect\n\
   -t chrootdir:	 write a keyfile in chrootdir as well (requires -a)\n\
   -u user:	 set the keyfile owner to \"user\" (requires -a)\n",
-		 progname, keydef);
+		progname, keydef);
 
-	exit (status);
+	exit(status);
 }
 
 int
@@ -108,8 +108,9 @@ main(int argc, char **argv) {
 	keydef = keyfile = RNDC_KEYFILE;
 
 	result = isc_file_progname(*argv, program, sizeof(program));
-	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS) {
 		memmove(program, "rndc-confgen", 13);
+	}
 	progname = program;
 
 	keyname = DEFAULT_KEYNAME;
@@ -129,13 +130,15 @@ main(int argc, char **argv) {
 		case 'A':
 			algname = isc_commandline_argument;
 			alg = alg_fromtext(algname);
-			if (alg == DST_ALG_UNKNOWN)
+			if (alg == DST_ALG_UNKNOWN) {
 				fatal("Unsupported algorithm '%s'", algname);
+			}
 			break;
 		case 'b':
 			keysize = strtol(isc_commandline_argument, &p, 10);
-			if (*p != '\0' || keysize < 0)
+			if (*p != '\0' || keysize < 0) {
 				fatal("-b requires a non-negative number");
+			}
 			break;
 		case 'c':
 			keyfile = isc_commandline_argument;
@@ -143,7 +146,7 @@ main(int argc, char **argv) {
 		case 'h':
 			usage(0);
 		case 'k':
-		case 'y':	/* Compatible with rndc -y. */
+		case 'y': /* Compatible with rndc -y. */
 			keyname = isc_commandline_argument;
 			break;
 		case 'M':
@@ -155,9 +158,10 @@ main(int argc, char **argv) {
 			break;
 		case 'p':
 			port = strtol(isc_commandline_argument, &p, 10);
-			if (*p != '\0' || port < 0 || port > 65535)
+			if (*p != '\0' || port < 0 || port > 65535) {
 				fatal("port '%s' out of range",
 				      isc_commandline_argument);
+			}
 			break;
 		case 'r':
 			fatal("The -r option has been deprecated.");
@@ -166,7 +170,9 @@ main(int argc, char **argv) {
 			serveraddr = isc_commandline_argument;
 			if (inet_pton(AF_INET, serveraddr, &addr4_dummy) != 1 &&
 			    inet_pton(AF_INET6, serveraddr, &addr6_dummy) != 1)
+			{
 				fatal("-s should be an IPv4 or IPv6 address");
+			}
 			break;
 		case 't':
 			chrootdir = isc_commandline_argument;
@@ -182,12 +188,13 @@ main(int argc, char **argv) {
 				fprintf(stderr, "%s: invalid argument -%c\n",
 					program, isc_commandline_option);
 				usage(1);
-			} else
+			} else {
 				usage(0);
+			}
 			break;
 		default:
-			fprintf(stderr, "%s: unhandled option -%c\n",
-				program, isc_commandline_option);
+			fprintf(stderr, "%s: unhandled option -%c\n", program,
+				isc_commandline_option);
 			exit(1);
 		}
 	}
@@ -196,17 +203,19 @@ main(int argc, char **argv) {
 	argv += isc_commandline_index;
 	POST(argv);
 
-	if (argc > 0)
+	if (argc > 0) {
 		usage(1);
-
-	if (alg == DST_ALG_HMACMD5) {
-		fprintf(stderr,
-			"warning: use of hmac-md5 for RNDC keys "
-			"is deprecated; hmac-sha256 is now recommended.\n");
 	}
 
-	if (keysize < 0)
+	if (alg == DST_ALG_HMACMD5) {
+		fprintf(stderr, "warning: use of hmac-md5 for RNDC keys "
+				"is deprecated; hmac-sha256 is now "
+				"recommended.\n");
+	}
+
+	if (keysize < 0) {
 		keysize = alg_bits(alg);
+	}
 	algname = alg_totext(alg);
 
 	isc_mem_create(&mctx);
@@ -256,16 +265,16 @@ options {\n\
 # End of named.conf\n",
 		       keyname, algname,
 		       (int)isc_buffer_usedlength(&key_txtbuffer),
-		       (char *)isc_buffer_base(&key_txtbuffer),
-		       keyname, serveraddr, port,
-		       keyname, algname,
+		       (char *)isc_buffer_base(&key_txtbuffer), keyname,
+		       serveraddr, port, keyname, algname,
 		       (int)isc_buffer_usedlength(&key_txtbuffer),
-		       (char *)isc_buffer_base(&key_txtbuffer),
-		       serveraddr, port, serveraddr, keyname);
+		       (char *)isc_buffer_base(&key_txtbuffer), serveraddr,
+		       port, serveraddr, keyname);
 	}
 
-	if (show_final_mem)
+	if (show_final_mem) {
 		isc_mem_stats(mctx, stderr);
+	}
 
 	isc_mem_destroy(&mctx);
 

bin/confgen/rndc-confgen.docbook

@@ -1,271 +0,0 @@
-<!--
- - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
- -
- - See the COPYRIGHT file distributed with this work for additional
- - information regarding copyright ownership.
--->
-
-<!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.rndc-confgen">
-  <info>
-    <date>2013-03-14</date>
-  </info>
-  <refentryinfo>
-    <corpname>ISC</corpname>
-    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle><application>rndc-confgen</application></refentrytitle>
-    <manvolnum>8</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <refnamediv>
-    <refname><application>rndc-confgen</application></refname>
-    <refpurpose>rndc key generation tool</refpurpose>
-  </refnamediv>
-
-  <docinfo>
-    <copyright>
-      <year>2001</year>
-      <year>2003</year>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <year>2009</year>
-      <year>2013</year>
-      <year>2014</year>
-      <year>2015</year>
-      <year>2016</year>
-      <year>2017</year>
-      <year>2018</year>
-      <year>2019</year>
-      <year>2020</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-  </docinfo>
-
-  <refsynopsisdiv>
-    <cmdsynopsis sepchar=" ">
-      <command>rndc-confgen</command>
-      <arg choice="opt" rep="norepeat"><option>-a</option></arg>
-      <arg choice="opt" rep="norepeat"><option>-A <replaceable class="parameter">algorithm</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">keyfile</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-h</option></arg>
-      <arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">keyname</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">port</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">address</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">chrootdir</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-u <replaceable class="parameter">user</replaceable></option></arg>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsection><info><title>DESCRIPTION</title></info>
-
-    <para><command>rndc-confgen</command>
-      generates configuration files
-      for <command>rndc</command>.  It can be used as a
-      convenient alternative to writing the
-      <filename>rndc.conf</filename> file
-      and the corresponding <command>controls</command>
-      and <command>key</command>
-      statements in <filename>named.conf</filename> by hand.
-      Alternatively, it can be run with the <command>-a</command>
-      option to set up a <filename>rndc.key</filename> file and
-      avoid the need for a <filename>rndc.conf</filename> file
-      and a <command>controls</command> statement altogether.
-    </para>
-
-  </refsection>
-
-  <refsection><info><title>OPTIONS</title></info>
-
-
-    <variablelist>
-      <varlistentry>
-        <term>-a</term>
-        <listitem>
-          <para>
-            Do automatic <command>rndc</command> configuration.
-            This creates a file <filename>rndc.key</filename>
-            in <filename>/etc</filename> (or whatever
-            <varname>sysconfdir</varname>
-            was specified as when <acronym>BIND</acronym> was
-            built)
-            that is read by both <command>rndc</command>
-            and <command>named</command> on startup.  The
-            <filename>rndc.key</filename> file defines a default
-            command channel and authentication key allowing
-            <command>rndc</command> to communicate with
-            <command>named</command> on the local host
-            with no further configuration.
-          </para>
-          <para>
-            Running <command>rndc-confgen -a</command> allows
-            BIND 9 and <command>rndc</command> to be used as
-            drop-in
-            replacements for BIND 8 and <command>ndc</command>,
-            with no changes to the existing BIND 8
-            <filename>named.conf</filename> file.
-          </para>
-          <para>
-            If a more elaborate configuration than that
-            generated by <command>rndc-confgen -a</command>
-            is required, for example if rndc is to be used remotely,
-            you should run <command>rndc-confgen</command> without
-            the
-            <command>-a</command> option and set up a
-            <filename>rndc.conf</filename> and
-            <filename>named.conf</filename>
-            as directed.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-A <replaceable class="parameter">algorithm</replaceable></term>
-        <listitem>
-          <para>
-            Specifies the algorithm to use for the TSIG key.  Available
-            choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
-            hmac-sha384 and hmac-sha512.  The default is hmac-sha256.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-b <replaceable class="parameter">keysize</replaceable></term>
-        <listitem>
-          <para>
-            Specifies the size of the authentication key in bits.
-            Must be between 1 and 512 bits; the default is the
-            hash size.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-c <replaceable class="parameter">keyfile</replaceable></term>
-        <listitem>
-          <para>
-            Used with the <command>-a</command> option to specify
-            an alternate location for <filename>rndc.key</filename>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-h</term>
-        <listitem>
-          <para>
-            Prints a short summary of the options and arguments to
-            <command>rndc-confgen</command>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-k <replaceable class="parameter">keyname</replaceable></term>
-        <listitem>
-          <para>
-            Specifies the key name of the rndc authentication key.
-            This must be a valid domain name.
-            The default is <constant>rndc-key</constant>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-p <replaceable class="parameter">port</replaceable></term>
-        <listitem>
-          <para>
-            Specifies the command channel port where <command>named</command>
-            listens for connections from <command>rndc</command>.
-            The default is 953.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-s <replaceable class="parameter">address</replaceable></term>
-        <listitem>
-          <para>
-            Specifies the IP address where <command>named</command>
-            listens for command channel connections from
-            <command>rndc</command>.  The default is the loopback
-            address 127.0.0.1.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-t <replaceable class="parameter">chrootdir</replaceable></term>
-        <listitem>
-          <para>
-            Used with the <command>-a</command> option to specify
-            a directory where <command>named</command> will run
-            chrooted.  An additional copy of the <filename>rndc.key</filename>
-            will be written relative to this directory so that
-            it will be found by the chrooted <command>named</command>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-u <replaceable class="parameter">user</replaceable></term>
-        <listitem>
-          <para>
-            Used with the <command>-a</command> option to set the
-            owner
-            of the <filename>rndc.key</filename> file generated.
-            If
-            <command>-t</command> is also specified only the file
-            in
-            the chroot area has its owner changed.
-          </para>
-        </listitem>
-      </varlistentry>
-
-    </variablelist>
-  </refsection>
-
-  <refsection><info><title>EXAMPLES</title></info>
-
-    <para>
-      To allow <command>rndc</command> to be used with
-      no manual configuration, run
-    </para>
-    <para><userinput>rndc-confgen -a</userinput>
-    </para>
-    <para>
-      To print a sample <filename>rndc.conf</filename> file and
-      corresponding <command>controls</command> and <command>key</command>
-      statements to be manually inserted into <filename>named.conf</filename>,
-      run
-    </para>
-    <para><userinput>rndc-confgen</userinput>
-    </para>
-  </refsection>
-
-  <refsection><info><title>SEE ALSO</title></info>
-
-    <para><citerefentry>
-        <refentrytitle>rndc</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>rndc.conf</refentrytitle><manvolnum>5</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
-    </para>
-  </refsection>
-
-</refentry>

bin/confgen/rndc-confgen.html

@@ -1,226 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
- - 
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>rndc-confgen</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
-<a name="man.rndc-confgen"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
-<h2>Name</h2>
-<p>
-    <span class="application">rndc-confgen</span>
-     &#8212; rndc key generation tool
-  </p>
-</div>
-
-  
-
-  <div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">rndc-confgen</code> 
-       [<code class="option">-a</code>]
-       [<code class="option">-A <em class="replaceable"><code>algorithm</code></em></code>]
-       [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
-       [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>]
-       [<code class="option">-h</code>]
-       [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>]
-       [<code class="option">-p <em class="replaceable"><code>port</code></em></code>]
-       [<code class="option">-s <em class="replaceable"><code>address</code></em></code>]
-       [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>]
-       [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]
-    </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-    <p><span class="command"><strong>rndc-confgen</strong></span>
-      generates configuration files
-      for <span class="command"><strong>rndc</strong></span>.  It can be used as a
-      convenient alternative to writing the
-      <code class="filename">rndc.conf</code> file
-      and the corresponding <span class="command"><strong>controls</strong></span>
-      and <span class="command"><strong>key</strong></span>
-      statements in <code class="filename">named.conf</code> by hand.
-      Alternatively, it can be run with the <span class="command"><strong>-a</strong></span>
-      option to set up a <code class="filename">rndc.key</code> file and
-      avoid the need for a <code class="filename">rndc.conf</code> file
-      and a <span class="command"><strong>controls</strong></span> statement altogether.
-    </p>
-
-  </div>
-
-  <div class="refsection">
-<a name="id-1.8"></a><h2>OPTIONS</h2>
-
-
-    <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">-a</span></dt>
-<dd>
-          <p>
-            Do automatic <span class="command"><strong>rndc</strong></span> configuration.
-            This creates a file <code class="filename">rndc.key</code>
-            in <code class="filename">/etc</code> (or whatever
-            <code class="varname">sysconfdir</code>
-            was specified as when <acronym class="acronym">BIND</acronym> was
-            built)
-            that is read by both <span class="command"><strong>rndc</strong></span>
-            and <span class="command"><strong>named</strong></span> on startup.  The
-            <code class="filename">rndc.key</code> file defines a default
-            command channel and authentication key allowing
-            <span class="command"><strong>rndc</strong></span> to communicate with
-            <span class="command"><strong>named</strong></span> on the local host
-            with no further configuration.
-          </p>
-          <p>
-            Running <span class="command"><strong>rndc-confgen -a</strong></span> allows
-            BIND 9 and <span class="command"><strong>rndc</strong></span> to be used as
-            drop-in
-            replacements for BIND 8 and <span class="command"><strong>ndc</strong></span>,
-            with no changes to the existing BIND 8
-            <code class="filename">named.conf</code> file.
-          </p>
-          <p>
-            If a more elaborate configuration than that
-            generated by <span class="command"><strong>rndc-confgen -a</strong></span>
-            is required, for example if rndc is to be used remotely,
-            you should run <span class="command"><strong>rndc-confgen</strong></span> without
-            the
-            <span class="command"><strong>-a</strong></span> option and set up a
-            <code class="filename">rndc.conf</code> and
-            <code class="filename">named.conf</code>
-            as directed.
-          </p>
-        </dd>
-<dt><span class="term">-A <em class="replaceable"><code>algorithm</code></em></span></dt>
-<dd>
-          <p>
-            Specifies the algorithm to use for the TSIG key.  Available
-            choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
-            hmac-sha384 and hmac-sha512.  The default is hmac-sha256.
-          </p>
-        </dd>
-<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
-<dd>
-          <p>
-            Specifies the size of the authentication key in bits.
-            Must be between 1 and 512 bits; the default is the
-            hash size.
-          </p>
-        </dd>
-<dt><span class="term">-c <em class="replaceable"><code>keyfile</code></em></span></dt>
-<dd>
-          <p>
-            Used with the <span class="command"><strong>-a</strong></span> option to specify
-            an alternate location for <code class="filename">rndc.key</code>.
-          </p>
-        </dd>
-<dt><span class="term">-h</span></dt>
-<dd>
-          <p>
-            Prints a short summary of the options and arguments to
-            <span class="command"><strong>rndc-confgen</strong></span>.
-          </p>
-        </dd>
-<dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt>
-<dd>
-          <p>
-            Specifies the key name of the rndc authentication key.
-            This must be a valid domain name.
-            The default is <code class="constant">rndc-key</code>.
-          </p>
-        </dd>
-<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
-<dd>
-          <p>
-            Specifies the command channel port where <span class="command"><strong>named</strong></span>
-            listens for connections from <span class="command"><strong>rndc</strong></span>.
-            The default is 953.
-          </p>
-        </dd>
-<dt><span class="term">-s <em class="replaceable"><code>address</code></em></span></dt>
-<dd>
-          <p>
-            Specifies the IP address where <span class="command"><strong>named</strong></span>
-            listens for command channel connections from
-            <span class="command"><strong>rndc</strong></span>.  The default is the loopback
-            address 127.0.0.1.
-          </p>
-        </dd>
-<dt><span class="term">-t <em class="replaceable"><code>chrootdir</code></em></span></dt>
-<dd>
-          <p>
-            Used with the <span class="command"><strong>-a</strong></span> option to specify
-            a directory where <span class="command"><strong>named</strong></span> will run
-            chrooted.  An additional copy of the <code class="filename">rndc.key</code>
-            will be written relative to this directory so that
-            it will be found by the chrooted <span class="command"><strong>named</strong></span>.
-          </p>
-        </dd>
-<dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt>
-<dd>
-          <p>
-            Used with the <span class="command"><strong>-a</strong></span> option to set the
-            owner
-            of the <code class="filename">rndc.key</code> file generated.
-            If
-            <span class="command"><strong>-t</strong></span> is also specified only the file
-            in
-            the chroot area has its owner changed.
-          </p>
-        </dd>
-</dl></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.9"></a><h2>EXAMPLES</h2>
-
-    <p>
-      To allow <span class="command"><strong>rndc</strong></span> to be used with
-      no manual configuration, run
-    </p>
-    <p><strong class="userinput"><code>rndc-confgen -a</code></strong>
-    </p>
-    <p>
-      To print a sample <code class="filename">rndc.conf</code> file and
-      corresponding <span class="command"><strong>controls</strong></span> and <span class="command"><strong>key</strong></span>
-      statements to be manually inserted into <code class="filename">named.conf</code>,
-      run
-    </p>
-    <p><strong class="userinput"><code>rndc-confgen</code></strong>
-    </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.10"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-        <span class="refentrytitle">rndc</span>(8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">rndc.conf</span>(5)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">named</span>(8)
-      </span>,
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
-    </p>
-  </div>
-
-</div></body>
-</html>

bin/confgen/rndc-confgen.rst

@@ -0,0 +1,120 @@
+.. 
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+   
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, You can obtain one at http://mozilla.org/MPL/2.0/.
+   
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
+..
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
+
+.. highlight: console
+
+.. _man_rndc-confgen:
+
+rndc-confgen - rndc key generation tool
+---------------------------------------
+
+Synopsis
+~~~~~~~~
+
+:program:`rndc-confgen` [**-a**] [**-A** algorithm] [**-b** keysize] [**-c** keyfile] [**-h**] [**-k** keyname] [**-p** port] [**-s** address] [**-t** chrootdir] [**-u** user]
+
+Description
+~~~~~~~~~~~
+
+``rndc-confgen`` generates configuration files for ``rndc``. It can be
+used as a convenient alternative to writing the ``rndc.conf`` file and
+the corresponding ``controls`` and ``key`` statements in ``named.conf``
+by hand. Alternatively, it can be run with the ``-a`` option to set up a
+``rndc.key`` file and avoid the need for a ``rndc.conf`` file and a
+``controls`` statement altogether.
+
+Arguments
+~~~~~~~~~
+
+**-a**
+   Do automatic ``rndc`` configuration. This creates a file ``rndc.key``
+   in ``/etc`` (or whatever ``sysconfdir`` was specified as when BIND
+   was built) that is read by both ``rndc`` and ``named`` on startup.
+   The ``rndc.key`` file defines a default command channel and
+   authentication key allowing ``rndc`` to communicate with ``named`` on
+   the local host with no further configuration.
+
+   Running ``rndc-confgen -a`` allows BIND 9 and ``rndc`` to be used as
+   drop-in replacements for BIND 8 and ``ndc``, with no changes to the
+   existing BIND 8 ``named.conf`` file.
+
+   If a more elaborate configuration than that generated by
+   ``rndc-confgen -a`` is required, for example if rndc is to be used
+   remotely, you should run ``rndc-confgen`` without the ``-a`` option
+   and set up a ``rndc.conf`` and ``named.conf`` as directed.
+
+**-A** algorithm
+   Specifies the algorithm to use for the TSIG key. Available choices
+   are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384 and
+   hmac-sha512. The default is hmac-sha256.
+
+**-b** keysize
+   Specifies the size of the authentication key in bits. Must be between
+   1 and 512 bits; the default is the hash size.
+
+**-c** keyfile
+   Used with the ``-a`` option to specify an alternate location for
+   ``rndc.key``.
+
+**-h**
+   Prints a short summary of the options and arguments to
+   ``rndc-confgen``.
+
+**-k** keyname
+   Specifies the key name of the rndc authentication key. This must be a
+   valid domain name. The default is ``rndc-key``.
+
+**-p** port
+   Specifies the command channel port where ``named`` listens for
+   connections from ``rndc``. The default is 953.
+
+**-s** address
+   Specifies the IP address where ``named`` listens for command channel
+   connections from ``rndc``. The default is the loopback address
+   127.0.0.1.
+
+**-t** chrootdir
+   Used with the ``-a`` option to specify a directory where ``named``
+   will run chrooted. An additional copy of the ``rndc.key`` will be
+   written relative to this directory so that it will be found by the
+   chrooted ``named``.
+
+**-u** user
+   Used with the ``-a`` option to set the owner of the ``rndc.key`` file
+   generated. If ``-t`` is also specified only the file in the chroot
+   area has its owner changed.
+
+Examples
+~~~~~~~~
+
+To allow ``rndc`` to be used with no manual configuration, run
+
+``rndc-confgen -a``
+
+To print a sample ``rndc.conf`` file and corresponding ``controls`` and
+``key`` statements to be manually inserted into ``named.conf``, run
+
+``rndc-confgen``
+
+See Also
+~~~~~~~~
+
+:manpage:`rndc(8)`, :manpage:`rndc.conf(5)`, :manpage:`named(8)`, BIND 9 Administrator Reference Manual.

bin/confgen/unix/os.c

@@ -9,18 +9,17 @@
  * information regarding copyright ownership.
  */
 
-
 /*! \file */
 
-#include <confgen/os.h>
-
-#include <fcntl.h>
-#include <unistd.h>
-#include <sys/types.h>
-#include <pwd.h>
 #include <errno.h>
+#include <fcntl.h>
+#include <pwd.h>
 #include <stdio.h>
 #include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#include <confgen/os.h>
 
 int
 set_user(FILE *fd, const char *user) {

bin/confgen/util.c

@@ -9,18 +9,16 @@
  * information regarding copyright ownership.
  */
 
-
 /*! \file */
 
+#include "util.h"
 #include <stdarg.h>
 #include <stdbool.h>
-#include <stdlib.h>
 #include <stdio.h>
+#include <stdlib.h>
 
 #include <isc/print.h>
 
-#include "util.h"
-
 extern bool verbose;
 extern const char *progname;
 

bin/confgen/util.h

@@ -9,27 +9,25 @@
  * information regarding copyright ownership.
  */
 
-
 #ifndef RNDC_UTIL_H
 #define RNDC_UTIL_H 1
 
 /*! \file */
 
+#include <isc/formatcheck.h>
 #include <isc/lang.h>
 #include <isc/platform.h>
 
-#include <isc/formatcheck.h>
-
-#define NS_CONTROL_PORT		953
+#define NS_CONTROL_PORT 953
 
 #undef DO
-#define DO(name, function) \
-	do { \
-		result = function; \
-		if (result != ISC_R_SUCCESS) \
+#define DO(name, function)                                                \
+	do {                                                              \
+		result = function;                                        \
+		if (result != ISC_R_SUCCESS)                              \
 			fatal("%s: %s", name, isc_result_totext(result)); \
-		else \
-			notify("%s", name); \
+		else                                                      \
+			notify("%s", name);                               \
 	} while (0)
 
 ISC_LANG_BEGINDECLS
@@ -39,7 +37,7 @@ notify(const char *fmt, ...) ISC_FORMAT_PRINTF(1, 2);
 
 ISC_PLATFORM_NORETURN_PRE void
 fatal(const char *format, ...)
-ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST;
+	ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST;
 
 ISC_LANG_ENDDECLS
 

bin/confgen/win32/confgentool.vcxproj.in

@@ -44,17 +44,20 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>.\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>.\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -74,7 +77,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>

bin/confgen/win32/ddnsconfgen.vcxproj.in

@@ -44,19 +44,22 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
     <TargetName>ddns-confgen</TargetName>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
     <TargetName>ddns-confgen</TargetName>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -85,7 +88,8 @@ copy /Y ddns-confgen.ilk tsig-keygen.ilk
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>

bin/confgen/win32/os.c

@@ -9,15 +9,15 @@
  * information regarding copyright ownership.
  */
 
-#include <confgen/os.h>
-
-#include <fcntl.h>
-#include <unistd.h>
-#include <sys/types.h>
 #include <errno.h>
-#include <stdio.h>
+#include <fcntl.h>
 #include <io.h>
+#include <stdio.h>
 #include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#include <confgen/os.h>
 
 int
 set_user(FILE *fd, const char *user) {

bin/confgen/win32/rndcconfgen.vcxproj.in

@@ -44,19 +44,22 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
     <TargetName>rndc-confgen</TargetName>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
     <TargetName>rndc-confgen</TargetName>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -79,7 +82,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>

bin/delv/Makefile.in

@@ -24,9 +24,9 @@ CDEFINES =	-DVERSION=\"${VERSION}\" \
 CWARNINGS =
 
 ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
-DNSLIBS =	../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
-ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS}
-ISCLIBS =	../../lib/isc/libisc.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS}
+DNSLIBS =	../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@
+ISCLIBS =	../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
 IRSLIBS =	../../lib/irs/libirs.@A@
 
 ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@
@@ -47,12 +47,6 @@ OBJS =		delv.@O@
 
 SRCS =		delv.c
 
-MANPAGES =	delv.1
-
-HTMLPAGES =	delv.html
-
-MANOBJS =	${MANPAGES} ${HTMLPAGES}
-
 @BIND9_MAKE_RULES@
 
 delv@EXEEXT@: delv.@O@ ${DEPLIBS}
@@ -62,21 +56,13 @@ delv@EXEEXT@: delv.@O@ ${DEPLIBS}
 
 installdirs:
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir}
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
 
 install:: delv@EXEEXT@ installdirs
 	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
 		delv@EXEEXT@ ${DESTDIR}${bindir}
-	${INSTALL_DATA} ${srcdir}/delv.1 ${DESTDIR}${mandir}/man1
 
 uninstall::
-	rm -f ${DESTDIR}${mandir}/man1/delv.1
 	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${bindir}/delv@EXEEXT@
 
-doc man:: ${MANOBJS}
-
-docclean manclean maintainer-clean::
-	rm -f ${MANOBJS}
-
 clean distclean maintainer-clean::
 	rm -f ${TARGETS}

bin/delv/delv.1

@@ -1,437 +0,0 @@
-.\" Copyright (C) 2014-2020 Internet Systems Consortium, Inc. ("ISC")
-.\" 
-.\" This Source Code Form is subject to the terms of the Mozilla Public
-.\" License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
-.\"
-.hy 0
-.ad l
-'\" t
-.\"     Title: delv
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\"      Date: 2014-04-23
-.\"    Manual: BIND9
-.\"    Source: ISC
-.\"  Language: English
-.\"
-.TH "DELV" "1" "2014\-04\-23" "ISC" "BIND9"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el       .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-delv \- DNS lookup and validation utility
-.SH "SYNOPSIS"
-.HP \w'\fBdelv\fR\ 'u
-\fBdelv\fR [@server] [[\fB\-4\fR] | [\fB\-6\fR]] [\fB\-a\ \fR\fB\fIanchor\-file\fR\fR] [\fB\-b\ \fR\fB\fIaddress\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIlevel\fR\fR] [\fB\-i\fR] [\fB\-m\fR] [\fB\-p\ \fR\fB\fIport#\fR\fR] [\fB\-q\ \fR\fB\fIname\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-x\ \fR\fB\fIaddr\fR\fR] [name] [type] [class] [queryopt...]
-.HP \w'\fBdelv\fR\ 'u
-\fBdelv\fR [\fB\-h\fR]
-.HP \w'\fBdelv\fR\ 'u
-\fBdelv\fR [\fB\-v\fR]
-.HP \w'\fBdelv\fR\ 'u
-\fBdelv\fR [queryopt...] [query...]
-.SH "DESCRIPTION"
-.PP
-\fBdelv\fR
-is a tool for sending DNS queries and validating the results, using the same internal resolver and validator logic as
-\fBnamed\fR\&.
-.PP
-\fBdelv\fR
-will send to a specified name server all queries needed to fetch and validate the requested data; this includes the original requested query, subsequent queries to follow CNAME or DNAME chains, and queries for DNSKEY and DS records to establish a chain of trust for DNSSEC validation\&. It does not perform iterative resolution, but simulates the behavior of a name server configured for DNSSEC validating and forwarding\&.
-.PP
-By default, responses are validated using built\-in DNSSEC trust anchor for the root zone ("\&.")\&. Records returned by
-\fBdelv\fR
-are either fully validated or were not signed\&. If validation fails, an explanation of the failure is included in the output; the validation process can be traced in detail\&. Because
-\fBdelv\fR
-does not rely on an external server to carry out validation, it can be used to check the validity of DNS responses in environments where local name servers may not be trustworthy\&.
-.PP
-Unless it is told to query a specific name server,
-\fBdelv\fR
-will try each of the servers listed in
-/etc/resolv\&.conf\&. If no usable server addresses are found,
-\fBdelv\fR
-will send queries to the localhost addresses (127\&.0\&.0\&.1 for IPv4, ::1 for IPv6)\&.
-.PP
-When no command line arguments or options are given,
-\fBdelv\fR
-will perform an NS query for "\&." (the root zone)\&.
-.SH "SIMPLE USAGE"
-.PP
-A typical invocation of
-\fBdelv\fR
-looks like:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
- delv @server name type 
-.fi
-.if n \{\
-.RE
-.\}
-.sp
-where:
-.PP
-\fBserver\fR
-.RS 4
-is the name or IP address of the name server to query\&. This can be an IPv4 address in dotted\-decimal notation or an IPv6 address in colon\-delimited notation\&. When the supplied
-\fIserver\fR
-argument is a hostname,
-\fBdelv\fR
-resolves that name before querying that name server (note, however, that this initial lookup is
-\fInot\fR
-validated by DNSSEC)\&.
-.sp
-If no
-\fIserver\fR
-argument is provided,
-\fBdelv\fR
-consults
-/etc/resolv\&.conf; if an address is found there, it queries the name server at that address\&. If either of the
-\fB\-4\fR
-or
-\fB\-6\fR
-options are in use, then only addresses for the corresponding transport will be tried\&. If no usable addresses are found,
-\fBdelv\fR
-will send queries to the localhost addresses (127\&.0\&.0\&.1 for IPv4, ::1 for IPv6)\&.
-.RE
-.PP
-\fBname\fR
-.RS 4
-is the domain name to be looked up\&.
-.RE
-.PP
-\fBtype\fR
-.RS 4
-indicates what type of query is required \(em ANY, A, MX, etc\&.
-\fItype\fR
-can be any valid query type\&. If no
-\fItype\fR
-argument is supplied,
-\fBdelv\fR
-will perform a lookup for an A record\&.
-.RE
-.SH "OPTIONS"
-.PP
-\-a \fIanchor\-file\fR
-.RS 4
-Specifies a file from which to read DNSSEC trust anchors\&. The default is
-/etc/bind\&.keys, which is included with
-BIND
-9 and contains one or more trust anchors for the root zone ("\&.")\&.
-.sp
-Keys that do not match the root zone name are ignored\&. An alternate key name can be specified using the
-\fB+root=NAME\fR
-options\&.
-.sp
-Note: When reading the trust anchor file,
-\fBdelv\fR
-treats
-\fBtrust\-anchors\fR\fBinitial\-key\fR
-and
-\fBstatic\-key\fR
-entries identically\&. That is, even if a key is configured with
-\fBinitial\-key\fR, indicating that it is meant to be used only as an initializing key for RFC 5011 key maintenance, it is still treated by
-\fBdelv\fR
-as if it had been configured as a
-\fBstatic\-key\fR\&.
-\fBdelv\fR
-does not consult the managed keys database maintained by
-\fBnamed\fR\&. This means that if either of the keys in
-/etc/bind\&.keys
-is revoked and rolled over, it will be necessary to update
-/etc/bind\&.keys
-to use DNSSEC validation in
-\fBdelv\fR\&.
-.RE
-.PP
-\-b \fIaddress\fR
-.RS 4
-Sets the source IP address of the query to
-\fIaddress\fR\&. This must be a valid address on one of the host\*(Aqs network interfaces or "0\&.0\&.0\&.0" or "::"\&. An optional source port may be specified by appending "#<port>"
-.RE
-.PP
-\-c \fIclass\fR
-.RS 4
-Sets the query class for the requested data\&. Currently, only class "IN" is supported in
-\fBdelv\fR
-and any other value is ignored\&.
-.RE
-.PP
-\-d \fIlevel\fR
-.RS 4
-Set the systemwide debug level to
-\fBlevel\fR\&. The allowed range is from 0 to 99\&. The default is 0 (no debugging)\&. Debugging traces from
-\fBdelv\fR
-become more verbose as the debug level increases\&. See the
-\fB+mtrace\fR,
-\fB+rtrace\fR, and
-\fB+vtrace\fR
-options below for additional debugging details\&.
-.RE
-.PP
-\-h
-.RS 4
-Display the
-\fBdelv\fR
-help usage output and exit\&.
-.RE
-.PP
-\-i
-.RS 4
-Insecure mode\&. This disables internal DNSSEC validation\&. (Note, however, this does not set the CD bit on upstream queries\&. If the server being queried is performing DNSSEC validation, then it will not return invalid data; this can cause
-\fBdelv\fR
-to time out\&. When it is necessary to examine invalid data to debug a DNSSEC problem, use
-\fBdig +cd\fR\&.)
-.RE
-.PP
-\-m
-.RS 4
-Enables memory usage debugging\&.
-.RE
-.PP
-\-p \fIport#\fR
-.RS 4
-Specifies a destination port to use for queries instead of the standard DNS port number 53\&. This option would be used with a name server that has been configured to listen for queries on a non\-standard port number\&.
-.RE
-.PP
-\-q \fIname\fR
-.RS 4
-Sets the query name to
-\fIname\fR\&. While the query name can be specified without using the
-\fB\-q\fR, it is sometimes necessary to disambiguate names from types or classes (for example, when looking up the name "ns", which could be misinterpreted as the type NS, or "ch", which could be misinterpreted as class CH)\&.
-.RE
-.PP
-\-t \fItype\fR
-.RS 4
-Sets the query type to
-\fItype\fR, which can be any valid query type supported in BIND 9 except for zone transfer types AXFR and IXFR\&. As with
-\fB\-q\fR, this is useful to distinguish query name type or class when they are ambiguous\&. it is sometimes necessary to disambiguate names from types\&.
-.sp
-The default query type is "A", unless the
-\fB\-x\fR
-option is supplied to indicate a reverse lookup, in which case it is "PTR"\&.
-.RE
-.PP
-\-v
-.RS 4
-Print the
-\fBdelv\fR
-version and exit\&.
-.RE
-.PP
-\-x \fIaddr\fR
-.RS 4
-Performs a reverse lookup, mapping an addresses to a name\&.
-\fIaddr\fR
-is an IPv4 address in dotted\-decimal notation, or a colon\-delimited IPv6 address\&. When
-\fB\-x\fR
-is used, there is no need to provide the
-\fIname\fR
-or
-\fItype\fR
-arguments\&.
-\fBdelv\fR
-automatically performs a lookup for a name like
-11\&.12\&.13\&.10\&.in\-addr\&.arpa
-and sets the query type to PTR\&. IPv6 addresses are looked up using nibble format under the IP6\&.ARPA domain\&.
-.RE
-.PP
-\-4
-.RS 4
-Forces
-\fBdelv\fR
-to only use IPv4\&.
-.RE
-.PP
-\-6
-.RS 4
-Forces
-\fBdelv\fR
-to only use IPv6\&.
-.RE
-.SH "QUERY OPTIONS"
-.PP
-\fBdelv\fR
-provides a number of query options which affect the way results are displayed, and in some cases the way lookups are performed\&.
-.PP
-Each query option is identified by a keyword preceded by a plus sign (+)\&. Some keywords set or reset an option\&. These may be preceded by the string
-no
-to negate the meaning of that keyword\&. Other keywords assign values to options like the timeout interval\&. They have the form
-\fB+keyword=value\fR\&. The query options are:
-.PP
-\fB+[no]cdflag\fR
-.RS 4
-Controls whether to set the CD (checking disabled) bit in queries sent by
-\fBdelv\fR\&. This may be useful when troubleshooting DNSSEC problems from behind a validating resolver\&. A validating resolver will block invalid responses, making it difficult to retrieve them for analysis\&. Setting the CD flag on queries will cause the resolver to return invalid responses, which
-\fBdelv\fR
-can then validate internally and report the errors in detail\&.
-.RE
-.PP
-\fB+[no]class\fR
-.RS 4
-Controls whether to display the CLASS when printing a record\&. The default is to display the CLASS\&.
-.RE
-.PP
-\fB+[no]ttl\fR
-.RS 4
-Controls whether to display the TTL when printing a record\&. The default is to display the TTL\&.
-.RE
-.PP
-\fB+[no]rtrace\fR
-.RS 4
-Toggle resolver fetch logging\&. This reports the name and type of each query sent by
-\fBdelv\fR
-in the process of carrying out the resolution and validation process: this includes including the original query and all subsequent queries to follow CNAMEs and to establish a chain of trust for DNSSEC validation\&.
-.sp
-This is equivalent to setting the debug level to 1 in the "resolver" logging category\&. Setting the systemwide debug level to 1 using the
-\fB\-d\fR
-option will product the same output (but will affect other logging categories as well)\&.
-.RE
-.PP
-\fB+[no]mtrace\fR
-.RS 4
-Toggle message logging\&. This produces a detailed dump of the responses received by
-\fBdelv\fR
-in the process of carrying out the resolution and validation process\&.
-.sp
-This is equivalent to setting the debug level to 10 for the "packets" module of the "resolver" logging category\&. Setting the systemwide debug level to 10 using the
-\fB\-d\fR
-option will produce the same output (but will affect other logging categories as well)\&.
-.RE
-.PP
-\fB+[no]vtrace\fR
-.RS 4
-Toggle validation logging\&. This shows the internal process of the validator as it determines whether an answer is validly signed, unsigned, or invalid\&.
-.sp
-This is equivalent to setting the debug level to 3 for the "validator" module of the "dnssec" logging category\&. Setting the systemwide debug level to 3 using the
-\fB\-d\fR
-option will produce the same output (but will affect other logging categories as well)\&.
-.RE
-.PP
-\fB+[no]short\fR
-.RS 4
-Provide a terse answer\&. The default is to print the answer in a verbose form\&.
-.RE
-.PP
-\fB+[no]comments\fR
-.RS 4
-Toggle the display of comment lines in the output\&. The default is to print comments\&.
-.RE
-.PP
-\fB+[no]rrcomments\fR
-.RS 4
-Toggle the display of per\-record comments in the output (for example, human\-readable key information about DNSKEY records)\&. The default is to print per\-record comments\&.
-.RE
-.PP
-\fB+[no]crypto\fR
-.RS 4
-Toggle the display of cryptographic fields in DNSSEC records\&. The contents of these field are unnecessary to debug most DNSSEC validation failures and removing them makes it easier to see the common failures\&. The default is to display the fields\&. When omitted they are replaced by the string "[omitted]" or in the DNSKEY case the key id is displayed as the replacement, e\&.g\&. "[ key id = value ]"\&.
-.RE
-.PP
-\fB+[no]trust\fR
-.RS 4
-Controls whether to display the trust level when printing a record\&. The default is to display the trust level\&.
-.RE
-.PP
-\fB+[no]split[=W]\fR
-.RS 4
-Split long hex\- or base64\-formatted fields in resource records into chunks of
-\fIW\fR
-characters (where
-\fIW\fR
-is rounded up to the nearest multiple of 4)\&.
-\fI+nosplit\fR
-or
-\fI+split=0\fR
-causes fields not to be split at all\&. The default is 56 characters, or 44 characters when multiline mode is active\&.
-.RE
-.PP
-\fB+[no]all\fR
-.RS 4
-Set or clear the display options
-\fB+[no]comments\fR,
-\fB+[no]rrcomments\fR, and
-\fB+[no]trust\fR
-as a group\&.
-.RE
-.PP
-\fB+[no]multiline\fR
-.RS 4
-Print long records (such as RRSIG, DNSKEY, and SOA records) in a verbose multi\-line format with human\-readable comments\&. The default is to print each record on a single line, to facilitate machine parsing of the
-\fBdelv\fR
-output\&.
-.RE
-.PP
-\fB+[no]dnssec\fR
-.RS 4
-Indicates whether to display RRSIG records in the
-\fBdelv\fR
-output\&. The default is to do so\&. Note that (unlike in
-\fBdig\fR) this does
-\fInot\fR
-control whether to request DNSSEC records or whether to validate them\&. DNSSEC records are always requested, and validation will always occur unless suppressed by the use of
-\fB\-i\fR
-or
-\fB+noroot\fR\&.
-.RE
-.PP
-\fB+[no]root[=ROOT]\fR
-.RS 4
-Indicates whether to perform conventional DNSSEC validation, and if so, specifies the name of a trust anchor\&. The default is to validate using a trust anchor of "\&." (the root zone), for which there is a built\-in key\&. If specifying a different trust anchor, then
-\fB\-a\fR
-must be used to specify a file containing the key\&.
-.RE
-.PP
-\fB+[no]tcp\fR
-.RS 4
-Controls whether to use TCP when sending queries\&. The default is to use UDP unless a truncated response has been received\&.
-.RE
-.PP
-\fB+[no]unknownformat\fR
-.RS 4
-Print all RDATA in unknown RR type presentation format (RFC 3597)\&. The default is to print RDATA for known types in the type\*(Aqs presentation format\&.
-.RE
-.PP
-\fB+[no]yaml\fR
-.RS 4
-Print response data in YAML format\&.
-.RE
-.SH "FILES"
-.PP
-/etc/bind\&.keys
-.PP
-/etc/resolv\&.conf
-.SH "SEE ALSO"
-.PP
-\fBdig\fR(1),
-\fBnamed\fR(8),
-RFC4034,
-RFC4035,
-RFC4431,
-RFC5074,
-RFC5155\&.
-.SH "AUTHOR"
-.PP
-\fBInternet Systems Consortium, Inc\&.\fR
-.SH "COPYRIGHT"
-.br
-Copyright \(co 2014-2020 Internet Systems Consortium, Inc. ("ISC")
-.br

bin/delv/delv.docbook

@@ -1,699 +0,0 @@
-<!DOCTYPE book [
-<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
- -
- - See the COPYRIGHT file distributed with this work for additional
- - information regarding copyright ownership.
--->
-
-<!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.delv">
-  <info>
-    <date>2014-04-23</date>
-  </info>
-  <refentryinfo>
-    <corpname>ISC</corpname>
-    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle>delv</refentrytitle>
-    <manvolnum>1</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <refnamediv>
-    <refname>delv</refname>
-    <refpurpose>DNS lookup and validation utility</refpurpose>
-  </refnamediv>
-
-  <docinfo>
-    <copyright>
-      <year>2014</year>
-      <year>2015</year>
-      <year>2016</year>
-      <year>2017</year>
-      <year>2018</year>
-      <year>2019</year>
-      <year>2020</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-  </docinfo>
-
-  <refsynopsisdiv>
-    <cmdsynopsis sepchar=" ">
-      <command>delv</command>
-      <arg choice="opt" rep="norepeat">@server</arg>
-      <group choice="opt" rep="norepeat">
-	<arg choice="opt" rep="norepeat"><option>-4</option></arg>
-	<arg choice="opt" rep="norepeat"><option>-6</option></arg>
-      </group>
-      <arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">anchor-file</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-b <replaceable class="parameter">address</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-d <replaceable class="parameter">level</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-i</option></arg>
-      <arg choice="opt" rep="norepeat"><option>-m</option></arg>
-      <arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">port#</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-q <replaceable class="parameter">name</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">type</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-x <replaceable class="parameter">addr</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat">name</arg>
-      <arg choice="opt" rep="norepeat">type</arg>
-      <arg choice="opt" rep="norepeat">class</arg>
-      <arg choice="opt" rep="repeat">queryopt</arg>
-    </cmdsynopsis>
-
-    <cmdsynopsis sepchar=" ">
-      <command>delv</command>
-      <arg choice="opt" rep="norepeat"><option>-h</option></arg>
-    </cmdsynopsis>
-
-    <cmdsynopsis sepchar=" ">
-      <command>delv</command>
-      <arg choice="opt" rep="norepeat"><option>-v</option></arg>
-    </cmdsynopsis>
-
-    <cmdsynopsis sepchar=" ">
-      <command>delv</command>
-      <arg choice="opt" rep="repeat">queryopt</arg>
-      <arg choice="opt" rep="repeat">query</arg>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsection><info><title>DESCRIPTION</title></info>
-
-    <para><command>delv</command>
-      is a tool for sending
-      DNS queries and validating the results, using the same internal
-      resolver and validator logic as <command>named</command>.
-    </para>
-    <para>
-      <command>delv</command> will send to a specified name server all
-      queries needed to fetch and validate the requested data; this
-      includes the original requested query, subsequent queries to follow
-      CNAME or DNAME chains, and queries for DNSKEY and DS records
-      to establish a chain of trust for DNSSEC validation.
-      It does not perform iterative resolution, but simulates the
-      behavior of a name server configured for DNSSEC validating and
-      forwarding.
-    </para>
-    <para>
-      By default, responses are validated using built-in DNSSEC trust
-      anchor for the root zone (".").  Records returned by
-      <command>delv</command> are either fully validated or
-      were not signed.  If validation fails, an explanation of
-      the failure is included in the output; the validation process
-      can be traced in detail.  Because <command>delv</command> does
-      not rely on an external server to carry out validation, it can
-      be used to check the validity of DNS responses in environments
-      where local name servers may not be trustworthy.
-    </para>
-    <para>
-      Unless it is told to query a specific name server,
-      <command>delv</command> will try each of the servers listed in
-      <filename>/etc/resolv.conf</filename>. If no usable server
-      addresses are found, <command>delv</command> will send
-      queries to the localhost addresses (127.0.0.1 for IPv4, ::1
-      for IPv6).
-    </para>
-    <para>
-      When no command line arguments or options are given,
-      <command>delv</command> will perform an NS query for "."
-      (the root zone).
-    </para>
-  </refsection>
-
-  <refsection><info><title>SIMPLE USAGE</title></info>
-
-
-    <para>
-      A typical invocation of <command>delv</command> looks like:
-      <programlisting> delv @server name type </programlisting>
-      where:
-
-      <variablelist>
-	<varlistentry>
-	  <term><constant>server</constant></term>
-	  <listitem>
-	    <para>
-	      is the name or IP address of the name server to query.  This
-	      can be an IPv4 address in dotted-decimal notation or an IPv6
-	      address in colon-delimited notation.  When the supplied
-	      <parameter>server</parameter> argument is a hostname,
-	      <command>delv</command> resolves that name before
-	      querying that name server (note, however, that this
-	      initial lookup is <emphasis>not</emphasis> validated
-	      by DNSSEC).
-	    </para>
-	    <para>
-	      If no <parameter>server</parameter> argument is
-	      provided, <command>delv</command> consults
-	      <filename>/etc/resolv.conf</filename>; if an
-	      address is found there, it queries the name server at
-	      that address. If either of the <option>-4</option> or
-	      <option>-6</option> options are in use, then
-	      only addresses for the corresponding transport
-	      will be tried.  If no usable addresses are found,
-	      <command>delv</command> will send queries to
-	      the localhost addresses (127.0.0.1 for IPv4,
-	      ::1 for IPv6).
-	    </para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term><constant>name</constant></term>
-	  <listitem>
-	    <para>
-	      is the domain name to be looked up.
-	    </para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term><constant>type</constant></term>
-	  <listitem>
-	    <para>
-	      indicates what type of query is required &mdash;
-	      ANY, A, MX, etc.
-	      <parameter>type</parameter> can be any valid query
-	      type.  If no
-	      <parameter>type</parameter> argument is supplied,
-	      <command>delv</command> will perform a lookup for an
-	      A record.
-	    </para>
-	  </listitem>
-	</varlistentry>
-
-      </variablelist>
-    </para>
-
-  </refsection>
-
-  <refsection><info><title>OPTIONS</title></info>
-
-    <variablelist>
-
-      <varlistentry>
-	<term>-a <replaceable class="parameter">anchor-file</replaceable></term>
-	<listitem>
-	  <para>
-	    Specifies a file from which to read DNSSEC trust anchors.
-	    The default is <filename>/etc/bind.keys</filename>, which
-	    is included with <acronym>BIND</acronym> 9 and contains
-	    one or more trust anchors for the root zone (".").
-	  </para>
-	  <para>
-	    Keys that do not match the root zone name are ignored.
-            An alternate key name can be specified using the
-	    <option>+root=NAME</option> options.
-	  </para>
-	  <para>
-	    Note: When reading the trust anchor file,
-	    <command>delv</command> treats <option>trust-anchors</option>
-	    <option>initial-key</option> and <option>static-key</option>
-	    entries identically.  That is, even if a key is configured
-	    with <command>initial-key</command>, indicating that it is
-	    meant to be used only as an initializing key for RFC 5011
-	    key maintenance, it is still treated by <command>delv</command>
-	    as if it had been configured as a <command>static-key</command>.
-	    <command>delv</command> does not consult the managed keys
-	    database maintained by <command>named</command>. This means
-	    that if either of the keys in
-	    <filename>/etc/bind.keys</filename> is revoked
-	    and rolled over, it will be necessary to update
-	    <filename>/etc/bind.keys</filename> to use DNSSEC
-	    validation in <command>delv</command>.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-b  <replaceable class="parameter">address</replaceable></term>
-	<listitem>
-	  <para>
-	    Sets the source IP address of the query to
-	    <parameter>address</parameter>.  This must be a valid address
-	    on one of the host's network interfaces or "0.0.0.0" or "::".
-	    An optional source port may be specified by appending
-	    "#&lt;port&gt;"
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-c <replaceable class="parameter">class</replaceable></term>
-	<listitem>
-	  <para>
-	    Sets the query class for the requested data. Currently,
-	    only class "IN" is supported in <command>delv</command>
-	    and any other value is ignored.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-d <replaceable class="parameter">level</replaceable></term>
-	<listitem>
-	  <para>
-	    Set the systemwide debug level to <option>level</option>.
-	    The allowed range is from 0 to 99.
-	    The default is 0 (no debugging).
-	    Debugging traces from <command>delv</command> become
-	    more verbose as the debug level increases.
-	    See the <option>+mtrace</option>, <option>+rtrace</option>,
-	    and <option>+vtrace</option> options below for additional
-	    debugging details.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-h</term>
-	<listitem>
-	  <para>
-	    Display the <command>delv</command> help usage output and exit.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-i</term>
-	<listitem>
-	  <para>
-	    Insecure mode. This disables internal DNSSEC validation.
-	    (Note, however, this does not set the CD bit on upstream
-	    queries. If the server being queried is performing DNSSEC
-	    validation, then it will not return invalid data; this
-	    can cause <command>delv</command> to time out. When it
-	    is necessary to examine invalid data to debug a DNSSEC
-	    problem, use <command>dig +cd</command>.)
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-m</term>
-	<listitem>
-	  <para>
-	    Enables memory usage debugging.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-p <replaceable class="parameter">port#</replaceable></term>
-	<listitem>
-	  <para>
-	    Specifies a destination port to use for queries instead of
-	    the standard DNS port number 53.  This option would be used
-	    with a name server that has been configured to listen
-	    for queries on a non-standard port number.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-q <replaceable class="parameter">name</replaceable></term>
-	<listitem>
-	  <para>
-	    Sets the query name to <parameter>name</parameter>.
-	    While the query name can be specified without using the
-	    <option>-q</option>, it is sometimes necessary to disambiguate
-	    names from types or classes (for example, when looking up the
-	    name "ns", which could be misinterpreted as the type NS,
-	    or "ch", which could be misinterpreted as class CH).
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-t <replaceable class="parameter">type</replaceable></term>
-	<listitem>
-	  <para>
-	    Sets the query type to <parameter>type</parameter>, which
-	    can be any valid query type supported in BIND 9 except
-	    for zone transfer types AXFR and IXFR. As with
-	    <option>-q</option>, this is useful to distinguish
-	    query name type or class when they are ambiguous.
-	    it is sometimes necessary to disambiguate names from types.
-	  </para>
-	  <para>
-	    The default query type is "A", unless the <option>-x</option>
-	    option is supplied to indicate a reverse lookup, in which case
-	    it is "PTR".
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-v</term>
-	<listitem>
-	  <para>
-	    Print the <command>delv</command> version and exit.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-x <replaceable class="parameter">addr</replaceable></term>
-	<listitem>
-	  <para>
-	    Performs a reverse lookup, mapping an addresses to
-	    a name.  <parameter>addr</parameter> is an IPv4 address in
-	    dotted-decimal notation, or a colon-delimited IPv6 address.
-	    When <option>-x</option> is used, there is no need to provide
-	    the <parameter>name</parameter> or <parameter>type</parameter>
-	    arguments.  <command>delv</command> automatically performs a
-	    lookup for a name like <literal>11.12.13.10.in-addr.arpa</literal>
-	    and sets the query type to PTR.  IPv6 addresses are looked up
-	    using nibble format under the IP6.ARPA domain.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-4</term>
-	<listitem>
-	  <para>
-	    Forces <command>delv</command> to only use IPv4.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-6</term>
-	<listitem>
-	  <para>
-	    Forces <command>delv</command> to only use IPv6.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-    </variablelist>
-  </refsection>
-
-  <refsection><info><title>QUERY OPTIONS</title></info>
-
-
-    <para><command>delv</command>
-      provides a number of query options which affect the way results are
-      displayed, and in some cases the way lookups are performed.
-    </para>
-
-    <para>
-      Each query option is identified by a keyword preceded by a plus sign
-      (<literal>+</literal>).  Some keywords set or reset an
-      option.  These may be preceded by the string
-      <literal>no</literal> to negate the meaning of that keyword.
-      Other keywords assign values to options like the timeout interval.
-      They have the form <option>+keyword=value</option>.
-      The query options are:
-
-      <variablelist>
-	<varlistentry>
-	  <term><option>+[no]cdflag</option></term>
-	  <listitem>
-	    <para>
-	      Controls whether to set the CD (checking disabled) bit in
-	      queries sent by <command>delv</command>. This may be useful
-	      when troubleshooting DNSSEC problems from behind a validating
-	      resolver. A validating resolver will block invalid responses,
-	      making it difficult to retrieve them for analysis. Setting
-	      the CD flag on queries will cause the resolver to return
-	      invalid responses, which <command>delv</command> can then
-	      validate internally and report the errors in detail.
-	    </para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term><option>+[no]class</option></term>
-	  <listitem>
-	    <para>
-	      Controls whether to display the CLASS when printing
-	      a record. The default is to display the CLASS.
-	    </para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term><option>+[no]ttl</option></term>
-	  <listitem>
-	    <para>
-	      Controls whether to display the TTL when printing
-	      a record. The default is to display the TTL.
-	    </para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term><option>+[no]rtrace</option></term>
-	  <listitem>
-	    <para>
-	      Toggle resolver fetch logging. This reports the
-	      name and type of each query sent by <command>delv</command>
-	      in the process of carrying out the resolution and validation
-	      process: this includes including the original query and
-	      all subsequent queries to follow CNAMEs and to establish a
-	      chain of trust for DNSSEC validation.
-	    </para>
-	    <para>
-	      This is equivalent to setting the debug level to 1 in
-	      the "resolver" logging category. Setting the systemwide
-	      debug level to 1 using the <option>-d</option> option will
-	      product the same output (but will affect other logging
-	      categories as well).
-	    </para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term><option>+[no]mtrace</option></term>
-	  <listitem>
-	    <para>
-	      Toggle message logging. This produces a detailed dump of
-	      the responses received by <command>delv</command> in the
-	      process of carrying out the resolution and validation process.
-	    </para>
-	    <para>
-	      This is equivalent to setting the debug level to 10
-	      for the "packets" module of the "resolver" logging
-	      category. Setting the systemwide debug level to 10 using
-	      the <option>-d</option> option will produce the same output
-	      (but will affect other logging categories as well).
-	    </para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term><option>+[no]vtrace</option></term>
-	  <listitem>
-	    <para>
-	      Toggle validation logging. This shows the internal
-	      process of the validator as it determines whether an
-	      answer is validly signed, unsigned, or invalid.
-	    </para>
-	    <para>
-	      This is equivalent to setting the debug level to 3
-	      for the "validator" module of the "dnssec" logging
-	      category. Setting the systemwide debug level to 3 using
-	      the <option>-d</option> option will produce the same output
-	      (but will affect other logging categories as well).
-	    </para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term><option>+[no]short</option></term>
-	  <listitem>
-	    <para>
-	      Provide a terse answer.  The default is to print the answer in a
-	      verbose form.
-	    </para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term><option>+[no]comments</option></term>
-	  <listitem>
-	    <para>
-	      Toggle the display of comment lines in the output.  The default
-	      is to print comments.
-	    </para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term><option>+[no]rrcomments</option></term>
-	  <listitem>
-	    <para>
-	      Toggle the display of per-record comments in the output (for
-	      example, human-readable key information about DNSKEY records).
-	      The default is to print per-record comments.
-	    </para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term><option>+[no]crypto</option></term>
-	  <listitem>
-	    <para>
-	      Toggle the display of cryptographic fields in DNSSEC records.
-	      The contents of these field are unnecessary to debug most DNSSEC
-	      validation failures and removing them makes it easier to see
-	      the common failures.  The default is to display the fields.
-	      When omitted they are replaced by the string "[omitted]" or
-	      in the DNSKEY case the key id is displayed as the replacement,
-	      e.g. "[ key id = value ]".
-	    </para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term><option>+[no]trust</option></term>
-	  <listitem>
-	    <para>
-	      Controls whether to display the trust level when printing
-	      a record. The default is to display the trust level.
-	    </para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term><option>+[no]split[=W]</option></term>
-	  <listitem>
-	    <para>
-	      Split long hex- or base64-formatted fields in resource
-	      records into chunks of <parameter>W</parameter> characters
-	      (where <parameter>W</parameter> is rounded up to the nearest
-	      multiple of 4).
-	      <parameter>+nosplit</parameter> or
-	      <parameter>+split=0</parameter> causes fields not to be
-	      split at all.  The default is 56 characters, or 44 characters
-	      when multiline mode is active.
-	    </para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term><option>+[no]all</option></term>
-	  <listitem>
-	    <para>
-	      Set or clear the display options
-	      <option>+[no]comments</option>,
-	      <option>+[no]rrcomments</option>, and
-	      <option>+[no]trust</option> as a group.
-	    </para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term><option>+[no]multiline</option></term>
-	  <listitem>
-	    <para>
-	      Print long records (such as RRSIG, DNSKEY, and SOA records)
-	      in a verbose multi-line format with human-readable comments.
-	      The default is to print each record on a single line, to
-	      facilitate machine parsing of the <command>delv</command>
-	      output.
-	    </para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term><option>+[no]dnssec</option></term>
-	  <listitem>
-	    <para>
-	      Indicates whether to display RRSIG records in the
-	      <command>delv</command> output.  The default is to
-	      do so.  Note that (unlike in <command>dig</command>)
-	      this does <emphasis>not</emphasis> control whether to
-	      request DNSSEC records or whether to validate them.
-	      DNSSEC records are always requested, and validation
-	      will always occur unless suppressed by the use of
-	      <option>-i</option> or <option>+noroot</option>.
-	    </para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term><option>+[no]root[=ROOT]</option></term>
-	  <listitem>
-	    <para>
-	      Indicates whether to perform conventional
-	      DNSSEC validation, and if so, specifies the
-	      name of a trust anchor.  The default is to validate using
-	      a trust anchor of "." (the root zone), for which there is
-	      a built-in key.  If specifying a different trust anchor,
-	      then <option>-a</option> must be used to specify a file
-	      containing the key.
-	    </para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term><option>+[no]tcp</option></term>
-	  <listitem>
-	    <para>
-	      Controls whether to use TCP when sending queries.
-	      The default is to use UDP unless a truncated
-	      response has been received.
-	    </para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term><option>+[no]unknownformat</option></term>
-	  <listitem>
-	    <para>
-	      Print all RDATA in unknown RR type presentation format
-	      (RFC 3597). The default is to print RDATA for known types
-	      in the type's presentation format.
-	    </para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term><option>+[no]yaml</option></term>
-	  <listitem>
-	    <para>
-	      Print response data in YAML format.
-	    </para>
-	  </listitem>
-	</varlistentry>
-
-      </variablelist>
-
-    </para>
-  </refsection>
-
-  <refsection><info><title>FILES</title></info>
-
-    <para><filename>/etc/bind.keys</filename></para>
-    <para><filename>/etc/resolv.conf</filename></para>
-  </refsection>
-
-  <refsection><info><title>SEE ALSO</title></info>
-
-    <para><citerefentry>
-	<refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-	<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citetitle>RFC4034</citetitle>,
-      <citetitle>RFC4035</citetitle>,
-      <citetitle>RFC4431</citetitle>,
-      <citetitle>RFC5074</citetitle>,
-      <citetitle>RFC5155</citetitle>.
-    </para>
-  </refsection>
-
-</refentry>

bin/delv/delv.html

@@ -1,588 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2014-2020 Internet Systems Consortium, Inc. ("ISC")
- - 
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>delv</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
-<a name="man.delv"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
-<h2>Name</h2>
-<p>
-    delv
-     &#8212; DNS lookup and validation utility
-  </p>
-</div>
-
-  
-
-  <div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">delv</code> 
-       [@server]
-       [
-	[<code class="option">-4</code>]
-	 |  [<code class="option">-6</code>]
-      ]
-       [<code class="option">-a <em class="replaceable"><code>anchor-file</code></em></code>]
-       [<code class="option">-b <em class="replaceable"><code>address</code></em></code>]
-       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
-       [<code class="option">-d <em class="replaceable"><code>level</code></em></code>]
-       [<code class="option">-i</code>]
-       [<code class="option">-m</code>]
-       [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>]
-       [<code class="option">-q <em class="replaceable"><code>name</code></em></code>]
-       [<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
-       [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>]
-       [name]
-       [type]
-       [class]
-       [queryopt...]
-    </p></div>
-
-    <div class="cmdsynopsis"><p>
-      <code class="command">delv</code> 
-       [<code class="option">-h</code>]
-    </p></div>
-
-    <div class="cmdsynopsis"><p>
-      <code class="command">delv</code> 
-       [<code class="option">-v</code>]
-    </p></div>
-
-    <div class="cmdsynopsis"><p>
-      <code class="command">delv</code> 
-       [queryopt...]
-       [query...]
-    </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-    <p><span class="command"><strong>delv</strong></span>
-      is a tool for sending
-      DNS queries and validating the results, using the same internal
-      resolver and validator logic as <span class="command"><strong>named</strong></span>.
-    </p>
-    <p>
-      <span class="command"><strong>delv</strong></span> will send to a specified name server all
-      queries needed to fetch and validate the requested data; this
-      includes the original requested query, subsequent queries to follow
-      CNAME or DNAME chains, and queries for DNSKEY and DS records
-      to establish a chain of trust for DNSSEC validation.
-      It does not perform iterative resolution, but simulates the
-      behavior of a name server configured for DNSSEC validating and
-      forwarding.
-    </p>
-    <p>
-      By default, responses are validated using built-in DNSSEC trust
-      anchor for the root zone (".").  Records returned by
-      <span class="command"><strong>delv</strong></span> are either fully validated or
-      were not signed.  If validation fails, an explanation of
-      the failure is included in the output; the validation process
-      can be traced in detail.  Because <span class="command"><strong>delv</strong></span> does
-      not rely on an external server to carry out validation, it can
-      be used to check the validity of DNS responses in environments
-      where local name servers may not be trustworthy.
-    </p>
-    <p>
-      Unless it is told to query a specific name server,
-      <span class="command"><strong>delv</strong></span> will try each of the servers listed in
-      <code class="filename">/etc/resolv.conf</code>. If no usable server
-      addresses are found, <span class="command"><strong>delv</strong></span> will send
-      queries to the localhost addresses (127.0.0.1 for IPv4, ::1
-      for IPv6).
-    </p>
-    <p>
-      When no command line arguments or options are given,
-      <span class="command"><strong>delv</strong></span> will perform an NS query for "."
-      (the root zone).
-    </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.8"></a><h2>SIMPLE USAGE</h2>
-
-
-    <p>
-      A typical invocation of <span class="command"><strong>delv</strong></span> looks like:
-      </p>
-<pre class="programlisting"> delv @server name type </pre>
-<p>
-      where:
-
-      </p>
-<div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><code class="constant">server</code></span></dt>
-<dd>
-	    <p>
-	      is the name or IP address of the name server to query.  This
-	      can be an IPv4 address in dotted-decimal notation or an IPv6
-	      address in colon-delimited notation.  When the supplied
-	      <em class="parameter"><code>server</code></em> argument is a hostname,
-	      <span class="command"><strong>delv</strong></span> resolves that name before
-	      querying that name server (note, however, that this
-	      initial lookup is <span class="emphasis"><em>not</em></span> validated
-	      by DNSSEC).
-	    </p>
-	    <p>
-	      If no <em class="parameter"><code>server</code></em> argument is
-	      provided, <span class="command"><strong>delv</strong></span> consults
-	      <code class="filename">/etc/resolv.conf</code>; if an
-	      address is found there, it queries the name server at
-	      that address. If either of the <code class="option">-4</code> or
-	      <code class="option">-6</code> options are in use, then
-	      only addresses for the corresponding transport
-	      will be tried.  If no usable addresses are found,
-	      <span class="command"><strong>delv</strong></span> will send queries to
-	      the localhost addresses (127.0.0.1 for IPv4,
-	      ::1 for IPv6).
-	    </p>
-	  </dd>
-<dt><span class="term"><code class="constant">name</code></span></dt>
-<dd>
-	    <p>
-	      is the domain name to be looked up.
-	    </p>
-	  </dd>
-<dt><span class="term"><code class="constant">type</code></span></dt>
-<dd>
-	    <p>
-	      indicates what type of query is required &#8212;
-	      ANY, A, MX, etc.
-	      <em class="parameter"><code>type</code></em> can be any valid query
-	      type.  If no
-	      <em class="parameter"><code>type</code></em> argument is supplied,
-	      <span class="command"><strong>delv</strong></span> will perform a lookup for an
-	      A record.
-	    </p>
-	  </dd>
-</dl></div>
-<p>
-    </p>
-
-  </div>
-
-  <div class="refsection">
-<a name="id-1.9"></a><h2>OPTIONS</h2>
-
-    <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">-a <em class="replaceable"><code>anchor-file</code></em></span></dt>
-<dd>
-	  <p>
-	    Specifies a file from which to read DNSSEC trust anchors.
-	    The default is <code class="filename">/etc/bind.keys</code>, which
-	    is included with <acronym class="acronym">BIND</acronym> 9 and contains
-	    one or more trust anchors for the root zone (".").
-	  </p>
-	  <p>
-	    Keys that do not match the root zone name are ignored.
-            An alternate key name can be specified using the
-	    <code class="option">+root=NAME</code> options.
-	  </p>
-	  <p>
-	    Note: When reading the trust anchor file,
-	    <span class="command"><strong>delv</strong></span> treats <code class="option">trust-anchors</code>
-	    <code class="option">initial-key</code> and <code class="option">static-key</code>
-	    entries identically.  That is, even if a key is configured
-	    with <span class="command"><strong>initial-key</strong></span>, indicating that it is
-	    meant to be used only as an initializing key for RFC 5011
-	    key maintenance, it is still treated by <span class="command"><strong>delv</strong></span>
-	    as if it had been configured as a <span class="command"><strong>static-key</strong></span>.
-	    <span class="command"><strong>delv</strong></span> does not consult the managed keys
-	    database maintained by <span class="command"><strong>named</strong></span>. This means
-	    that if either of the keys in
-	    <code class="filename">/etc/bind.keys</code> is revoked
-	    and rolled over, it will be necessary to update
-	    <code class="filename">/etc/bind.keys</code> to use DNSSEC
-	    validation in <span class="command"><strong>delv</strong></span>.
-	  </p>
-	</dd>
-<dt><span class="term">-b  <em class="replaceable"><code>address</code></em></span></dt>
-<dd>
-	  <p>
-	    Sets the source IP address of the query to
-	    <em class="parameter"><code>address</code></em>.  This must be a valid address
-	    on one of the host's network interfaces or "0.0.0.0" or "::".
-	    An optional source port may be specified by appending
-	    "#&lt;port&gt;"
-	  </p>
-	</dd>
-<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd>
-	  <p>
-	    Sets the query class for the requested data. Currently,
-	    only class "IN" is supported in <span class="command"><strong>delv</strong></span>
-	    and any other value is ignored.
-	  </p>
-	</dd>
-<dt><span class="term">-d <em class="replaceable"><code>level</code></em></span></dt>
-<dd>
-	  <p>
-	    Set the systemwide debug level to <code class="option">level</code>.
-	    The allowed range is from 0 to 99.
-	    The default is 0 (no debugging).
-	    Debugging traces from <span class="command"><strong>delv</strong></span> become
-	    more verbose as the debug level increases.
-	    See the <code class="option">+mtrace</code>, <code class="option">+rtrace</code>,
-	    and <code class="option">+vtrace</code> options below for additional
-	    debugging details.
-	  </p>
-	</dd>
-<dt><span class="term">-h</span></dt>
-<dd>
-	  <p>
-	    Display the <span class="command"><strong>delv</strong></span> help usage output and exit.
-	  </p>
-	</dd>
-<dt><span class="term">-i</span></dt>
-<dd>
-	  <p>
-	    Insecure mode. This disables internal DNSSEC validation.
-	    (Note, however, this does not set the CD bit on upstream
-	    queries. If the server being queried is performing DNSSEC
-	    validation, then it will not return invalid data; this
-	    can cause <span class="command"><strong>delv</strong></span> to time out. When it
-	    is necessary to examine invalid data to debug a DNSSEC
-	    problem, use <span class="command"><strong>dig +cd</strong></span>.)
-	  </p>
-	</dd>
-<dt><span class="term">-m</span></dt>
-<dd>
-	  <p>
-	    Enables memory usage debugging.
-	  </p>
-	</dd>
-<dt><span class="term">-p <em class="replaceable"><code>port#</code></em></span></dt>
-<dd>
-	  <p>
-	    Specifies a destination port to use for queries instead of
-	    the standard DNS port number 53.  This option would be used
-	    with a name server that has been configured to listen
-	    for queries on a non-standard port number.
-	  </p>
-	</dd>
-<dt><span class="term">-q <em class="replaceable"><code>name</code></em></span></dt>
-<dd>
-	  <p>
-	    Sets the query name to <em class="parameter"><code>name</code></em>.
-	    While the query name can be specified without using the
-	    <code class="option">-q</code>, it is sometimes necessary to disambiguate
-	    names from types or classes (for example, when looking up the
-	    name "ns", which could be misinterpreted as the type NS,
-	    or "ch", which could be misinterpreted as class CH).
-	  </p>
-	</dd>
-<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
-<dd>
-	  <p>
-	    Sets the query type to <em class="parameter"><code>type</code></em>, which
-	    can be any valid query type supported in BIND 9 except
-	    for zone transfer types AXFR and IXFR. As with
-	    <code class="option">-q</code>, this is useful to distinguish
-	    query name type or class when they are ambiguous.
-	    it is sometimes necessary to disambiguate names from types.
-	  </p>
-	  <p>
-	    The default query type is "A", unless the <code class="option">-x</code>
-	    option is supplied to indicate a reverse lookup, in which case
-	    it is "PTR".
-	  </p>
-	</dd>
-<dt><span class="term">-v</span></dt>
-<dd>
-	  <p>
-	    Print the <span class="command"><strong>delv</strong></span> version and exit.
-	  </p>
-	</dd>
-<dt><span class="term">-x <em class="replaceable"><code>addr</code></em></span></dt>
-<dd>
-	  <p>
-	    Performs a reverse lookup, mapping an addresses to
-	    a name.  <em class="parameter"><code>addr</code></em> is an IPv4 address in
-	    dotted-decimal notation, or a colon-delimited IPv6 address.
-	    When <code class="option">-x</code> is used, there is no need to provide
-	    the <em class="parameter"><code>name</code></em> or <em class="parameter"><code>type</code></em>
-	    arguments.  <span class="command"><strong>delv</strong></span> automatically performs a
-	    lookup for a name like <code class="literal">11.12.13.10.in-addr.arpa</code>
-	    and sets the query type to PTR.  IPv6 addresses are looked up
-	    using nibble format under the IP6.ARPA domain.
-	  </p>
-	</dd>
-<dt><span class="term">-4</span></dt>
-<dd>
-	  <p>
-	    Forces <span class="command"><strong>delv</strong></span> to only use IPv4.
-	  </p>
-	</dd>
-<dt><span class="term">-6</span></dt>
-<dd>
-	  <p>
-	    Forces <span class="command"><strong>delv</strong></span> to only use IPv6.
-	  </p>
-	</dd>
-</dl></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.10"></a><h2>QUERY OPTIONS</h2>
-
-
-    <p><span class="command"><strong>delv</strong></span>
-      provides a number of query options which affect the way results are
-      displayed, and in some cases the way lookups are performed.
-    </p>
-
-    <p>
-      Each query option is identified by a keyword preceded by a plus sign
-      (<code class="literal">+</code>).  Some keywords set or reset an
-      option.  These may be preceded by the string
-      <code class="literal">no</code> to negate the meaning of that keyword.
-      Other keywords assign values to options like the timeout interval.
-      They have the form <code class="option">+keyword=value</code>.
-      The query options are:
-
-      </p>
-<div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><code class="option">+[no]cdflag</code></span></dt>
-<dd>
-	    <p>
-	      Controls whether to set the CD (checking disabled) bit in
-	      queries sent by <span class="command"><strong>delv</strong></span>. This may be useful
-	      when troubleshooting DNSSEC problems from behind a validating
-	      resolver. A validating resolver will block invalid responses,
-	      making it difficult to retrieve them for analysis. Setting
-	      the CD flag on queries will cause the resolver to return
-	      invalid responses, which <span class="command"><strong>delv</strong></span> can then
-	      validate internally and report the errors in detail.
-	    </p>
-	  </dd>
-<dt><span class="term"><code class="option">+[no]class</code></span></dt>
-<dd>
-	    <p>
-	      Controls whether to display the CLASS when printing
-	      a record. The default is to display the CLASS.
-	    </p>
-	  </dd>
-<dt><span class="term"><code class="option">+[no]ttl</code></span></dt>
-<dd>
-	    <p>
-	      Controls whether to display the TTL when printing
-	      a record. The default is to display the TTL.
-	    </p>
-	  </dd>
-<dt><span class="term"><code class="option">+[no]rtrace</code></span></dt>
-<dd>
-	    <p>
-	      Toggle resolver fetch logging. This reports the
-	      name and type of each query sent by <span class="command"><strong>delv</strong></span>
-	      in the process of carrying out the resolution and validation
-	      process: this includes including the original query and
-	      all subsequent queries to follow CNAMEs and to establish a
-	      chain of trust for DNSSEC validation.
-	    </p>
-	    <p>
-	      This is equivalent to setting the debug level to 1 in
-	      the "resolver" logging category. Setting the systemwide
-	      debug level to 1 using the <code class="option">-d</code> option will
-	      product the same output (but will affect other logging
-	      categories as well).
-	    </p>
-	  </dd>
-<dt><span class="term"><code class="option">+[no]mtrace</code></span></dt>
-<dd>
-	    <p>
-	      Toggle message logging. This produces a detailed dump of
-	      the responses received by <span class="command"><strong>delv</strong></span> in the
-	      process of carrying out the resolution and validation process.
-	    </p>
-	    <p>
-	      This is equivalent to setting the debug level to 10
-	      for the "packets" module of the "resolver" logging
-	      category. Setting the systemwide debug level to 10 using
-	      the <code class="option">-d</code> option will produce the same output
-	      (but will affect other logging categories as well).
-	    </p>
-	  </dd>
-<dt><span class="term"><code class="option">+[no]vtrace</code></span></dt>
-<dd>
-	    <p>
-	      Toggle validation logging. This shows the internal
-	      process of the validator as it determines whether an
-	      answer is validly signed, unsigned, or invalid.
-	    </p>
-	    <p>
-	      This is equivalent to setting the debug level to 3
-	      for the "validator" module of the "dnssec" logging
-	      category. Setting the systemwide debug level to 3 using
-	      the <code class="option">-d</code> option will produce the same output
-	      (but will affect other logging categories as well).
-	    </p>
-	  </dd>
-<dt><span class="term"><code class="option">+[no]short</code></span></dt>
-<dd>
-	    <p>
-	      Provide a terse answer.  The default is to print the answer in a
-	      verbose form.
-	    </p>
-	  </dd>
-<dt><span class="term"><code class="option">+[no]comments</code></span></dt>
-<dd>
-	    <p>
-	      Toggle the display of comment lines in the output.  The default
-	      is to print comments.
-	    </p>
-	  </dd>
-<dt><span class="term"><code class="option">+[no]rrcomments</code></span></dt>
-<dd>
-	    <p>
-	      Toggle the display of per-record comments in the output (for
-	      example, human-readable key information about DNSKEY records).
-	      The default is to print per-record comments.
-	    </p>
-	  </dd>
-<dt><span class="term"><code class="option">+[no]crypto</code></span></dt>
-<dd>
-	    <p>
-	      Toggle the display of cryptographic fields in DNSSEC records.
-	      The contents of these field are unnecessary to debug most DNSSEC
-	      validation failures and removing them makes it easier to see
-	      the common failures.  The default is to display the fields.
-	      When omitted they are replaced by the string "[omitted]" or
-	      in the DNSKEY case the key id is displayed as the replacement,
-	      e.g. "[ key id = value ]".
-	    </p>
-	  </dd>
-<dt><span class="term"><code class="option">+[no]trust</code></span></dt>
-<dd>
-	    <p>
-	      Controls whether to display the trust level when printing
-	      a record. The default is to display the trust level.
-	    </p>
-	  </dd>
-<dt><span class="term"><code class="option">+[no]split[=W]</code></span></dt>
-<dd>
-	    <p>
-	      Split long hex- or base64-formatted fields in resource
-	      records into chunks of <em class="parameter"><code>W</code></em> characters
-	      (where <em class="parameter"><code>W</code></em> is rounded up to the nearest
-	      multiple of 4).
-	      <em class="parameter"><code>+nosplit</code></em> or
-	      <em class="parameter"><code>+split=0</code></em> causes fields not to be
-	      split at all.  The default is 56 characters, or 44 characters
-	      when multiline mode is active.
-	    </p>
-	  </dd>
-<dt><span class="term"><code class="option">+[no]all</code></span></dt>
-<dd>
-	    <p>
-	      Set or clear the display options
-	      <code class="option">+[no]comments</code>,
-	      <code class="option">+[no]rrcomments</code>, and
-	      <code class="option">+[no]trust</code> as a group.
-	    </p>
-	  </dd>
-<dt><span class="term"><code class="option">+[no]multiline</code></span></dt>
-<dd>
-	    <p>
-	      Print long records (such as RRSIG, DNSKEY, and SOA records)
-	      in a verbose multi-line format with human-readable comments.
-	      The default is to print each record on a single line, to
-	      facilitate machine parsing of the <span class="command"><strong>delv</strong></span>
-	      output.
-	    </p>
-	  </dd>
-<dt><span class="term"><code class="option">+[no]dnssec</code></span></dt>
-<dd>
-	    <p>
-	      Indicates whether to display RRSIG records in the
-	      <span class="command"><strong>delv</strong></span> output.  The default is to
-	      do so.  Note that (unlike in <span class="command"><strong>dig</strong></span>)
-	      this does <span class="emphasis"><em>not</em></span> control whether to
-	      request DNSSEC records or whether to validate them.
-	      DNSSEC records are always requested, and validation
-	      will always occur unless suppressed by the use of
-	      <code class="option">-i</code> or <code class="option">+noroot</code>.
-	    </p>
-	  </dd>
-<dt><span class="term"><code class="option">+[no]root[=ROOT]</code></span></dt>
-<dd>
-	    <p>
-	      Indicates whether to perform conventional
-	      DNSSEC validation, and if so, specifies the
-	      name of a trust anchor.  The default is to validate using
-	      a trust anchor of "." (the root zone), for which there is
-	      a built-in key.  If specifying a different trust anchor,
-	      then <code class="option">-a</code> must be used to specify a file
-	      containing the key.
-	    </p>
-	  </dd>
-<dt><span class="term"><code class="option">+[no]tcp</code></span></dt>
-<dd>
-	    <p>
-	      Controls whether to use TCP when sending queries.
-	      The default is to use UDP unless a truncated
-	      response has been received.
-	    </p>
-	  </dd>
-<dt><span class="term"><code class="option">+[no]unknownformat</code></span></dt>
-<dd>
-	    <p>
-	      Print all RDATA in unknown RR type presentation format
-	      (RFC 3597). The default is to print RDATA for known types
-	      in the type's presentation format.
-	    </p>
-	  </dd>
-<dt><span class="term"><code class="option">+[no]yaml</code></span></dt>
-<dd>
-	    <p>
-	      Print response data in YAML format.
-	    </p>
-	  </dd>
-</dl></div>
-<p>
-
-    </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.11"></a><h2>FILES</h2>
-
-    <p><code class="filename">/etc/bind.keys</code></p>
-    <p><code class="filename">/etc/resolv.conf</code></p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.12"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-	<span class="refentrytitle">dig</span>(1)
-      </span>,
-      <span class="citerefentry">
-	<span class="refentrytitle">named</span>(8)
-      </span>,
-      <em class="citetitle">RFC4034</em>,
-      <em class="citetitle">RFC4035</em>,
-      <em class="citetitle">RFC4431</em>,
-      <em class="citetitle">RFC5074</em>,
-      <em class="citetitle">RFC5155</em>.
-    </p>
-  </div>
-
-</div></body>
-</html>

bin/delv/delv.rst

@@ -0,0 +1,336 @@
+.. 
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+   
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, You can obtain one at http://mozilla.org/MPL/2.0/.
+   
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
+..
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
+
+.. highlight: console
+
+.. _man_delv:
+
+delv - DNS lookup and validation utility
+----------------------------------------
+
+Synopsis
+~~~~~~~~
+
+:program:`delv` [@server] [ [**-4**] | [**-6**] ] [**-a** anchor-file] [**-b** address] [**-c** class] [**-d** level] [**-i**] [**-m**] [**-p** port#] [**-q** name] [**-t** type] [**-x** addr] [name] [type] [class] [queryopt...]
+
+:program:`delv` [**-h**]
+
+:program:`delv` [**-v**]
+
+:program:`delv` [queryopt...] [query...]
+
+Description
+~~~~~~~~~~~
+
+``delv`` is a tool for sending DNS queries and validating the results,
+using the same internal resolver and validator logic as ``named``.
+
+``delv`` will send to a specified name server all queries needed to
+fetch and validate the requested data; this includes the original
+requested query, subsequent queries to follow CNAME or DNAME chains, and
+queries for DNSKEY, and DS records to establish a chain of trust for
+DNSSEC validation. It does not perform iterative resolution, but
+simulates the behavior of a name server configured for DNSSEC validating
+and forwarding.
+
+By default, responses are validated using built-in DNSSEC trust anchor
+for the root zone ("."). Records returned by ``delv`` are either fully
+validated or were not signed. If validation fails, an explanation of the
+failure is included in the output; the validation process can be traced
+in detail. Because ``delv`` does not rely on an external server to carry
+out validation, it can be used to check the validity of DNS responses in
+environments where local name servers may not be trustworthy.
+
+Unless it is told to query a specific name server, ``delv`` will try
+each of the servers listed in ``/etc/resolv.conf``. If no usable server
+addresses are found, ``delv`` will send queries to the localhost
+addresses (127.0.0.1 for IPv4, ::1 for IPv6).
+
+When no command line arguments or options are given, ``delv`` will
+perform an NS query for "." (the root zone).
+
+Simple Usage
+~~~~~~~~~~~~
+
+A typical invocation of ``delv`` looks like:
+
+::
+
+    delv @server name type
+
+where:
+
+``server``
+   is the name or IP address of the name server to query. This can be an
+   IPv4 address in dotted-decimal notation or an IPv6 address in
+   colon-delimited notation. When the supplied ``server`` argument is a
+   hostname, ``delv`` resolves that name before querying that name
+   server (note, however, that this initial lookup is *not* validated by
+   DNSSEC).
+
+   If no ``server`` argument is provided, ``delv`` consults
+   ``/etc/resolv.conf``; if an address is found there, it queries the
+   name server at that address. If either of the ``-4`` or ``-6``
+   options are in use, then only addresses for the corresponding
+   transport will be tried. If no usable addresses are found, ``delv``
+   will send queries to the localhost addresses (127.0.0.1 for IPv4, ::1
+   for IPv6).
+
+``name``
+   is the domain name to be looked up.
+
+``type``
+   indicates what type of query is required MDASH ANY, A, MX, etc.
+   ``type`` can be any valid query type. If no ``type`` argument is
+   supplied, ``delv`` will perform a lookup for an A record.
+
+Options
+~~~~~~~
+
+**-a** anchor-file
+   Specifies a file from which to read DNSSEC trust anchors. The default
+   is ``/etc/bind.keys``, which is included with BIND 9 and contains one
+   or more trust anchors for the root zone (".").
+
+   Keys that do not match the root zone name are ignored. An alternate
+   key name can be specified using the ``+root=NAME`` options.
+
+   Note: When reading the trust anchor file, ``delv`` treat ``trust-anchors``
+   ``initial-key`` and ``static-key`` identically. That is, for a managed key,
+   it is the *initial* key that is trusted; :rfc:`5011` key management is not
+   supported. ``delv`` will not consult the managed-keys database maintained by
+   ``named``. This means that if either of the keys in ``/etc/bind.keys`` is
+   revoked and rolled over, it will be necessary to update ``/etc/bind.keys`` to
+   use DNSSEC validation in ``delv``.
+
+**-b** address
+   Sets the source IP address of the query to ``address``. This must be
+   a valid address on one of the host's network interfaces or "0.0.0.0"
+   or "::". An optional source port may be specified by appending
+   "#<port>"
+
+**-c** class
+   Sets the query class for the requested data. Currently, only class
+   "IN" is supported in ``delv`` and any other value is ignored.
+
+**-d** level
+   Set the systemwide debug level to ``level``. The allowed range is
+   from 0 to 99. The default is 0 (no debugging). Debugging traces from
+   ``delv`` become more verbose as the debug level increases. See the
+   ``+mtrace``, ``+rtrace``, and ``+vtrace`` options below for
+   additional debugging details.
+
+**-h**
+   Display the ``delv`` help usage output and exit.
+
+**-i**
+   Insecure mode. This disables internal DNSSEC validation. (Note,
+   however, this does not set the CD bit on upstream queries. If the
+   server being queried is performing DNSSEC validation, then it will
+   not return invalid data; this can cause ``delv`` to time out. When it
+   is necessary to examine invalid data to debug a DNSSEC problem, use
+   ``dig +cd``.)
+
+**-m**
+   Enables memory usage debugging.
+
+**-p** port#
+   Specifies a destination port to use for queries instead of the
+   standard DNS port number 53. This option would be used with a name
+   server that has been configured to listen for queries on a
+   non-standard port number.
+
+**-q** name
+   Sets the query name to ``name``. While the query name can be
+   specified without using the ``-q``, it is sometimes necessary to
+   disambiguate names from types or classes (for example, when looking
+   up the name "ns", which could be misinterpreted as the type NS, or
+   "ch", which could be misinterpreted as class CH).
+
+**-t** type
+   Sets the query type to ``type``, which can be any valid query type
+   supported in BIND 9 except for zone transfer types AXFR and IXFR. As
+   with ``-q``, this is useful to distinguish query name type or class
+   when they are ambiguous. it is sometimes necessary to disambiguate
+   names from types.
+
+   The default query type is "A", unless the ``-x`` option is supplied
+   to indicate a reverse lookup, in which case it is "PTR".
+
+**-v**
+   Print the ``delv`` version and exit.
+
+**-x** addr
+   Performs a reverse lookup, mapping an addresses to a name. ``addr``
+   is an IPv4 address in dotted-decimal notation, or a colon-delimited
+   IPv6 address. When ``-x`` is used, there is no need to provide the
+   ``name`` or ``type`` arguments. ``delv`` automatically performs a
+   lookup for a name like ``11.12.13.10.in-addr.arpa`` and sets the
+   query type to PTR. IPv6 addresses are looked up using nibble format
+   under the IP6.ARPA domain.
+
+**-4**
+   Forces ``delv`` to only use IPv4.
+
+**-6**
+   Forces ``delv`` to only use IPv6.
+
+Query Options
+~~~~~~~~~~~~~
+
+``delv`` provides a number of query options which affect the way results
+are displayed, and in some cases the way lookups are performed.
+
+Each query option is identified by a keyword preceded by a plus sign
+(``+``). Some keywords set or reset an option. These may be preceded by
+the string ``no`` to negate the meaning of that keyword. Other keywords
+assign values to options like the timeout interval. They have the form
+``+keyword=value``. The query options are:
+
+``+[no]cdflag``
+   Controls whether to set the CD (checking disabled) bit in queries
+   sent by ``delv``. This may be useful when troubleshooting DNSSEC
+   problems from behind a validating resolver. A validating resolver
+   will block invalid responses, making it difficult to retrieve them
+   for analysis. Setting the CD flag on queries will cause the resolver
+   to return invalid responses, which ``delv`` can then validate
+   internally and report the errors in detail.
+
+``+[no]class``
+   Controls whether to display the CLASS when printing a record. The
+   default is to display the CLASS.
+
+``+[no]ttl``
+   Controls whether to display the TTL when printing a record. The
+   default is to display the TTL.
+
+``+[no]rtrace``
+   Toggle resolver fetch logging. This reports the name and type of each
+   query sent by ``delv`` in the process of carrying out the resolution
+   and validation process: this includes including the original query
+   and all subsequent queries to follow CNAMEs and to establish a chain
+   of trust for DNSSEC validation.
+
+   This is equivalent to setting the debug level to 1 in the "resolver"
+   logging category. Setting the systemwide debug level to 1 using the
+   ``-d`` option will product the same output (but will affect other
+   logging categories as well).
+
+``+[no]mtrace``
+   Toggle message logging. This produces a detailed dump of the
+   responses received by ``delv`` in the process of carrying out the
+   resolution and validation process.
+
+   This is equivalent to setting the debug level to 10 for the "packets"
+   module of the "resolver" logging category. Setting the systemwide
+   debug level to 10 using the ``-d`` option will produce the same
+   output (but will affect other logging categories as well).
+
+``+[no]vtrace``
+   Toggle validation logging. This shows the internal process of the
+   validator as it determines whether an answer is validly signed,
+   unsigned, or invalid.
+
+   This is equivalent to setting the debug level to 3 for the
+   "validator" module of the "dnssec" logging category. Setting the
+   systemwide debug level to 3 using the ``-d`` option will produce the
+   same output (but will affect other logging categories as well).
+
+``+[no]short``
+   Provide a terse answer. The default is to print the answer in a
+   verbose form.
+
+``+[no]comments``
+   Toggle the display of comment lines in the output. The default is to
+   print comments.
+
+``+[no]rrcomments``
+   Toggle the display of per-record comments in the output (for example,
+   human-readable key information about DNSKEY records). The default is
+   to print per-record comments.
+
+``+[no]crypto``
+   Toggle the display of cryptographic fields in DNSSEC records. The
+   contents of these field are unnecessary to debug most DNSSEC
+   validation failures and removing them makes it easier to see the
+   common failures. The default is to display the fields. When omitted
+   they are replaced by the string "[omitted]" or in the DNSKEY case the
+   key id is displayed as the replacement, e.g. "[ key id = value ]".
+
+``+[no]trust``
+   Controls whether to display the trust level when printing a record.
+   The default is to display the trust level.
+
+``+[no]split[=W]``
+   Split long hex- or base64-formatted fields in resource records into
+   chunks of ``W`` characters (where ``W`` is rounded up to the nearest
+   multiple of 4). ``+nosplit`` or ``+split=0`` causes fields not to be
+   split at all. The default is 56 characters, or 44 characters when
+   multiline mode is active.
+
+``+[no]all``
+   Set or clear the display options ``+[no]comments``,
+   ``+[no]rrcomments``, and ``+[no]trust`` as a group.
+
+``+[no]multiline``
+   Print long records (such as RRSIG, DNSKEY, and SOA records) in a
+   verbose multi-line format with human-readable comments. The default
+   is to print each record on a single line, to facilitate machine
+   parsing of the ``delv`` output.
+
+``+[no]dnssec``
+   Indicates whether to display RRSIG records in the ``delv`` output.
+   The default is to do so. Note that (unlike in ``dig``) this does
+   *not* control whether to request DNSSEC records or whether to
+   validate them. DNSSEC records are always requested, and validation
+   will always occur unless suppressed by the use of ``-i`` or
+   ``+noroot``.
+
+``+[no]root[=ROOT]``
+   Indicates whether to perform conventional DNSSEC validation, and if so,
+   specifies the name of a trust anchor. The default is to validate using a
+   trust anchor of "." (the root zone), for which there is a built-in key. If
+   specifying a different trust anchor, then ``-a`` must be used to specify a
+   file containing the key.
+
+``+[no]tcp``
+   Controls whether to use TCP when sending queries. The default is to
+   use UDP unless a truncated response has been received.
+
+``+[no]unknownformat``
+   Print all RDATA in unknown RR type presentation format (:rfc:`3597`).
+   The default is to print RDATA for known types in the type's
+   presentation format.
+
+``+[no]yaml``
+   Print response data in YAML format.
+
+Files
+~~~~~
+
+``/etc/bind.keys``
+
+``/etc/resolv.conf``
+
+See Also
+~~~~~~~~
+
+:manpage:`dig(1)`, :manpage:`named(8)`, :rfc:`4034`, :rfc:`4035`, :rfc:`4431`, :rfc:`5074`, :rfc:`5155`.

bin/delv/win32/delv.vcxproj.in

@@ -44,17 +44,20 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -77,7 +80,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>

bin/dig/Makefile.in

@@ -26,10 +26,10 @@ CDEFINES =	-DVERSION=\"${VERSION}\"
 CWARNINGS =
 
 ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
-DNSLIBS =	../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
+DNSLIBS =	../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
 BIND9LIBS =	../../lib/bind9/libbind9.@A@
-ISCLIBS =	../../lib/isc/libisc.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS}
-ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS}
+ISCLIBS =	../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@
 IRSLIBS =	../../lib/irs/libirs.@A@
 
 ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@
@@ -57,12 +57,6 @@ UOBJS =
 
 SRCS =		dig.c dighost.c host.c nslookup.c
 
-MANPAGES =	dig.1 host.1 nslookup.1
-
-HTMLPAGES =	dig.html host.html nslookup.html
-
-MANOBJS =	${MANPAGES} ${HTMLPAGES}
-
 @BIND9_MAKE_RULES@
 
 LDFLAGS =	@LDFLAGS@ @LIBIDN2_LDFLAGS@
@@ -82,17 +76,11 @@ nslookup@EXEEXT@: nslookup.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
 	export LIBS0="${DNSLIBS} ${IRSLIBS}"; \
 	${FINALBUILDCMD}
 
-doc man:: ${MANOBJS}
-
-docclean manclean maintainer-clean::
-	rm -f ${MANOBJS}
-
 clean distclean maintainer-clean::
 	rm -f ${TARGETS}
 
 installdirs:
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir}
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
 
 install:: dig@EXEEXT@ host@EXEEXT@ nslookup@EXEEXT@ installdirs
 	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
@@ -101,14 +89,8 @@ install:: dig@EXEEXT@ host@EXEEXT@ nslookup@EXEEXT@ installdirs
 		host@EXEEXT@ ${DESTDIR}${bindir}
 	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
 		nslookup@EXEEXT@ ${DESTDIR}${bindir}
-	for m in ${MANPAGES}; do \
-		${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man1 || exit 1; \
-	done
 
 uninstall::
-	for m in ${MANPAGES}; do \
-		rm -f ${DESTDIR}${mandir}/man1/$$m || exit 1; \
-	done
 	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${bindir}/nslookup@EXEEXT@
 	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${bindir}/host@EXEEXT@
 	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${bindir}/dig@EXEEXT@

bin/dig/dig.1

@@ -1,853 +0,0 @@
-.\" Copyright (C) 2000-2011, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
-.\" 
-.\" This Source Code Form is subject to the terms of the Mozilla Public
-.\" License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
-.\"
-.hy 0
-.ad l
-'\" t
-.\"     Title: dig
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\"      Date: 2014-02-19
-.\"    Manual: BIND9
-.\"    Source: ISC
-.\"  Language: English
-.\"
-.TH "DIG" "1" "2014\-02\-19" "ISC" "BIND9"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el       .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-dig \- DNS lookup utility
-.SH "SYNOPSIS"
-.HP \w'\fBdig\fR\ 'u
-\fBdig\fR [@server] [\fB\-b\ \fR\fB\fIaddress\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIfilename\fR\fR] [\fB\-k\ \fR\fB\fIfilename\fR\fR] [\fB\-m\fR] [\fB\-p\ \fR\fB\fIport#\fR\fR] [\fB\-q\ \fR\fB\fIname\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\fR] [\fB\-x\ \fR\fB\fIaddr\fR\fR] [\fB\-y\ \fR\fB\fI[hmac:]\fR\fIname:key\fR\fR] [[\fB\-4\fR] | [\fB\-6\fR]] [name] [type] [class] [queryopt...]
-.HP \w'\fBdig\fR\ 'u
-\fBdig\fR [\fB\-h\fR]
-.HP \w'\fBdig\fR\ 'u
-\fBdig\fR [global\-queryopt...] [query...]
-.SH "DESCRIPTION"
-.PP
-\fBdig\fR
-is a flexible tool for interrogating DNS name servers\&. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried\&. Most DNS administrators use
-\fBdig\fR
-to troubleshoot DNS problems because of its flexibility, ease of use and clarity of output\&. Other lookup tools tend to have less functionality than
-\fBdig\fR\&.
-.PP
-Although
-\fBdig\fR
-is normally used with command\-line arguments, it also has a batch mode of operation for reading lookup requests from a file\&. A brief summary of its command\-line arguments and options is printed when the
-\fB\-h\fR
-option is given\&. Unlike earlier versions, the BIND 9 implementation of
-\fBdig\fR
-allows multiple lookups to be issued from the command line\&.
-.PP
-Unless it is told to query a specific name server,
-\fBdig\fR
-will try each of the servers listed in
-/etc/resolv\&.conf\&. If no usable server addresses are found,
-\fBdig\fR
-will send the query to the local host\&.
-.PP
-When no command line arguments or options are given,
-\fBdig\fR
-will perform an NS query for "\&." (the root)\&.
-.PP
-It is possible to set per\-user defaults for
-\fBdig\fR
-via
-${HOME}/\&.digrc\&. This file is read and any options in it are applied before the command line arguments\&. The
-\fB\-r\fR
-option disables this feature, for scripts that need predictable behaviour\&.
-.PP
-The IN and CH class names overlap with the IN and CH top level domain names\&. Either use the
-\fB\-t\fR
-and
-\fB\-c\fR
-options to specify the type and class, use the
-\fB\-q\fR
-the specify the domain name, or use "IN\&." and "CH\&." when looking up these top level domains\&.
-.SH "SIMPLE USAGE"
-.PP
-A typical invocation of
-\fBdig\fR
-looks like:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
- dig @server name type 
-.fi
-.if n \{\
-.RE
-.\}
-.sp
-where:
-.PP
-\fBserver\fR
-.RS 4
-is the name or IP address of the name server to query\&. This can be an IPv4 address in dotted\-decimal notation or an IPv6 address in colon\-delimited notation\&. When the supplied
-\fIserver\fR
-argument is a hostname,
-\fBdig\fR
-resolves that name before querying that name server\&.
-.sp
-If no
-\fIserver\fR
-argument is provided,
-\fBdig\fR
-consults
-/etc/resolv\&.conf; if an address is found there, it queries the name server at that address\&. If either of the
-\fB\-4\fR
-or
-\fB\-6\fR
-options are in use, then only addresses for the corresponding transport will be tried\&. If no usable addresses are found,
-\fBdig\fR
-will send the query to the local host\&. The reply from the name server that responds is displayed\&.
-.RE
-.PP
-\fBname\fR
-.RS 4
-is the name of the resource record that is to be looked up\&.
-.RE
-.PP
-\fBtype\fR
-.RS 4
-indicates what type of query is required \(em ANY, A, MX, SIG, etc\&.
-\fItype\fR
-can be any valid query type\&. If no
-\fItype\fR
-argument is supplied,
-\fBdig\fR
-will perform a lookup for an A record\&.
-.RE
-.SH "OPTIONS"
-.PP
-\-4
-.RS 4
-Use IPv4 only\&.
-.RE
-.PP
-\-6
-.RS 4
-Use IPv6 only\&.
-.RE
-.PP
-\-b \fIaddress\fR\fI[#port]\fR
-.RS 4
-Set the source IP address of the query\&. The
-\fIaddress\fR
-must be a valid address on one of the host\*(Aqs network interfaces, or "0\&.0\&.0\&.0" or "::"\&. An optional port may be specified by appending "#<port>"
-.RE
-.PP
-\-c \fIclass\fR
-.RS 4
-Set the query class\&. The default
-\fIclass\fR
-is IN; other classes are HS for Hesiod records or CH for Chaosnet records\&.
-.RE
-.PP
-\-f \fIfile\fR
-.RS 4
-Batch mode:
-\fBdig\fR
-reads a list of lookup requests to process from the given
-\fIfile\fR\&. Each line in the file should be organized in the same way they would be presented as queries to
-\fBdig\fR
-using the command\-line interface\&.
-.RE
-.PP
-\-k \fIkeyfile\fR
-.RS 4
-Sign queries using TSIG using a key read from the given file\&. Key files can be generated using
-\fBtsig-keygen\fR(8)\&. When using TSIG authentication with
-\fBdig\fR, the name server that is queried needs to know the key and algorithm that is being used\&. In BIND, this is done by providing appropriate
-\fBkey\fR
-and
-\fBserver\fR
-statements in
-named\&.conf\&.
-.RE
-.PP
-\-m
-.RS 4
-Enable memory usage debugging\&.
-.RE
-.PP
-\-p \fIport\fR
-.RS 4
-Send the query to a non\-standard port on the server, instead of the default port 53\&. This option would be used to test a name server that has been configured to listen for queries on a non\-standard port number\&.
-.RE
-.PP
-\-q \fIname\fR
-.RS 4
-The domain name to query\&. This is useful to distinguish the
-\fIname\fR
-from other arguments\&.
-.RE
-.PP
-\-r
-.RS 4
-Do not read options from
-${HOME}/\&.digrc\&. This is useful for scripts that need predictable behaviour\&.
-.RE
-.PP
-\-t \fItype\fR
-.RS 4
-The resource record type to query\&. It can be any valid query type\&. If it is a resource record type supported in BIND 9, it can be given by the type mnemonic (such as "NS" or "AAAA")\&. The default query type is "A", unless the
-\fB\-x\fR
-option is supplied to indicate a reverse lookup\&. A zone transfer can be requested by specifying a type of AXFR\&. When an incremental zone transfer (IXFR) is required, set the
-\fItype\fR
-to
-ixfr=N\&. The incremental zone transfer will contain the changes made to the zone since the serial number in the zone\*(Aqs SOA record was
-\fIN\fR\&.
-.sp
-All resource record types can be expressed as "TYPEnn", where "nn" is the number of the type\&. If the resource record type is not supported in BIND 9, the result will be displayed as described in RFC 3597\&.
-.RE
-.PP
-\-u
-.RS 4
-Print query times in microseconds instead of milliseconds\&.
-.RE
-.PP
-\-v
-.RS 4
-Print the version number and exit\&.
-.RE
-.PP
-\-x \fIaddr\fR
-.RS 4
-Simplified reverse lookups, for mapping addresses to names\&. The
-\fIaddr\fR
-is an IPv4 address in dotted\-decimal notation, or a colon\-delimited IPv6 address\&. When the
-\fB\-x\fR
-is used, there is no need to provide the
-\fIname\fR,
-\fIclass\fR
-and
-\fItype\fR
-arguments\&.
-\fBdig\fR
-automatically performs a lookup for a name like
-94\&.2\&.0\&.192\&.in\-addr\&.arpa
-and sets the query type and class to PTR and IN respectively\&. IPv6 addresses are looked up using nibble format under the IP6\&.ARPA domain\&.
-.RE
-.PP
-\-y \fI[hmac:]\fR\fIkeyname:secret\fR
-.RS 4
-Sign queries using TSIG with the given authentication key\&.
-\fIkeyname\fR
-is the name of the key, and
-\fIsecret\fR
-is the base64 encoded shared secret\&.
-\fIhmac\fR
-is the name of the key algorithm; valid choices are
-hmac\-md5,
-hmac\-sha1,
-hmac\-sha224,
-hmac\-sha256,
-hmac\-sha384, or
-hmac\-sha512\&. If
-\fIhmac\fR
-is not specified, the default is
-hmac\-md5
-or if MD5 was disabled
-hmac\-sha256\&.
-.sp
-NOTE: You should use the
-\fB\-k\fR
-option and avoid the
-\fB\-y\fR
-option, because with
-\fB\-y\fR
-the shared secret is supplied as a command line argument in clear text\&. This may be visible in the output from
-\fBps\fR(1)
-or in a history file maintained by the user\*(Aqs shell\&.
-.RE
-.SH "QUERY OPTIONS"
-.PP
-\fBdig\fR
-provides a number of query options which affect the way in which lookups are made and the results displayed\&. Some of these set or reset flag bits in the query header, some determine which sections of the answer get printed, and others determine the timeout and retry strategies\&.
-.PP
-Each query option is identified by a keyword preceded by a plus sign (+)\&. Some keywords set or reset an option\&. These may be preceded by the string
-no
-to negate the meaning of that keyword\&. Other keywords assign values to options like the timeout interval\&. They have the form
-\fB+keyword=value\fR\&. Keywords may be abbreviated, provided the abbreviation is unambiguous; for example,
-+cd
-is equivalent to
-+cdflag\&. The query options are:
-.PP
-\fB+[no]aaflag\fR
-.RS 4
-A synonym for
-\fI+[no]aaonly\fR\&.
-.RE
-.PP
-\fB+[no]aaonly\fR
-.RS 4
-Sets the "aa" flag in the query\&.
-.RE
-.PP
-\fB+[no]additional\fR
-.RS 4
-Display [do not display] the additional section of a reply\&. The default is to display it\&.
-.RE
-.PP
-\fB+[no]adflag\fR
-.RS 4
-Set [do not set] the AD (authentic data) bit in the query\&. This requests the server to return whether all of the answer and authority sections have all been validated as secure according to the security policy of the server\&. AD=1 indicates that all records have been validated as secure and the answer is not from a OPT\-OUT range\&. AD=0 indicate that some part of the answer was insecure or not validated\&. This bit is set by default\&.
-.RE
-.PP
-\fB+[no]all\fR
-.RS 4
-Set or clear all display flags\&.
-.RE
-.PP
-\fB+[no]answer\fR
-.RS 4
-Display [do not display] the answer section of a reply\&. The default is to display it\&.
-.RE
-.PP
-\fB+[no]authority\fR
-.RS 4
-Display [do not display] the authority section of a reply\&. The default is to display it\&.
-.RE
-.PP
-\fB+[no]badcookie\fR
-.RS 4
-Retry lookup with the new server cookie if a BADCOOKIE response is received\&.
-.RE
-.PP
-\fB+[no]besteffort\fR
-.RS 4
-Attempt to display the contents of messages which are malformed\&. The default is to not display malformed answers\&.
-.RE
-.PP
-\fB+bufsize=B\fR
-.RS 4
-Set the UDP message buffer size advertised using EDNS0 to
-\fIB\fR
-bytes\&. The maximum and minimum sizes of this buffer are 65535 and 0 respectively\&. Values outside this range are rounded up or down appropriately\&. Values other than zero will cause a EDNS query to be sent\&.
-.RE
-.PP
-\fB+[no]cdflag\fR
-.RS 4
-Set [do not set] the CD (checking disabled) bit in the query\&. This requests the server to not perform DNSSEC validation of responses\&.
-.RE
-.PP
-\fB+[no]class\fR
-.RS 4
-Display [do not display] the CLASS when printing the record\&.
-.RE
-.PP
-\fB+[no]cmd\fR
-.RS 4
-Toggles the printing of the initial comment in the output, identifying the version of
-\fBdig\fR
-and the query options that have been applied\&. This option always has global effect; it cannot be set globally and then overridden on a per\-lookup basis\&. The default is to print this comment\&.
-.RE
-.PP
-\fB+[no]comments\fR
-.RS 4
-Toggles the display of some comment lines in the output, containing information about the packet header and OPT pseudosection, and the names of the response section\&. The default is to print these comments\&.
-.sp
-Other types of comments in the output are not affected by this option, but can be controlled using other command line switches\&. These include
-\fB+[no]cmd\fR,
-\fB+[no]question\fR,
-\fB+[no]stats\fR, and
-\fB+[no]rrcomments\fR\&.
-.RE
-.PP
-\fB+[no]cookie\fR\fB[=####]\fR
-.RS 4
-Send a COOKIE EDNS option, with optional value\&. Replaying a COOKIE from a previous response will allow the server to identify a previous client\&. The default is
-\fB+cookie\fR\&.
-.sp
-\fB+cookie\fR
-is also set when +trace is set to better emulate the default queries from a nameserver\&.
-.RE
-.PP
-\fB+[no]crypto\fR
-.RS 4
-Toggle the display of cryptographic fields in DNSSEC records\&. The contents of these field are unnecessary to debug most DNSSEC validation failures and removing them makes it easier to see the common failures\&. The default is to display the fields\&. When omitted they are replaced by the string "[omitted]" or in the DNSKEY case the key id is displayed as the replacement, e\&.g\&. "[ key id = value ]"\&.
-.RE
-.PP
-\fB+[no]defname\fR
-.RS 4
-Deprecated, treated as a synonym for
-\fI+[no]search\fR
-.RE
-.PP
-\fB+[no]dnssec\fR
-.RS 4
-Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO) in the OPT record in the additional section of the query\&.
-.RE
-.PP
-\fB+domain=somename\fR
-.RS 4
-Set the search list to contain the single domain
-\fIsomename\fR, as if specified in a
-\fBdomain\fR
-directive in
-/etc/resolv\&.conf, and enable search list processing as if the
-\fI+search\fR
-option were given\&.
-.RE
-.PP
-\fB+dscp=value\fR
-.RS 4
-Set the DSCP code point to be used when sending the query\&. Valid DSCP code points are in the range [0\&.\&.63]\&. By default no code point is explicitly set\&.
-.RE
-.PP
-\fB+[no]edns[=#]\fR
-.RS 4
-Specify the EDNS version to query with\&. Valid values are 0 to 255\&. Setting the EDNS version will cause a EDNS query to be sent\&.
-\fB+noedns\fR
-clears the remembered EDNS version\&. EDNS is set to 0 by default\&.
-.RE
-.PP
-\fB+[no]ednsflags[=#]\fR
-.RS 4
-Set the must\-be\-zero EDNS flags bits (Z bits) to the specified value\&. Decimal, hex and octal encodings are accepted\&. Setting a named flag (e\&.g\&. DO) will silently be ignored\&. By default, no Z bits are set\&.
-.RE
-.PP
-\fB+[no]ednsnegotiation\fR
-.RS 4
-Enable / disable EDNS version negotiation\&. By default EDNS version negotiation is enabled\&.
-.RE
-.PP
-\fB+[no]ednsopt[=code[:value]]\fR
-.RS 4
-Specify EDNS option with code point
-\fBcode\fR
-and optionally payload of
-\fBvalue\fR
-as a hexadecimal string\&.
-\fBcode\fR
-can be either an EDNS option name (for example,
-NSID
-or
-ECS), or an arbitrary numeric value\&.
-\fB+noednsopt\fR
-clears the EDNS options to be sent\&.
-.RE
-.PP
-\fB+[no]expire\fR
-.RS 4
-Send an EDNS Expire option\&.
-.RE
-.PP
-\fB+[no]expandaaaa\fR
-.RS 4
-When printing AAAA record print all zero nibbles rather than the default RFC 5952 preferred presentation format\&.
-.RE
-.PP
-\fB+[no]fail\fR
-.RS 4
-Do not try the next server if you receive a SERVFAIL\&. The default is to not try the next server which is the reverse of normal stub resolver behavior\&.
-.RE
-.PP
-\fB+[no]header\-only\fR
-.RS 4
-Send a query with a DNS header without a question section\&. The default is to add a question section\&. The query type and query name are ignored when this is set\&.
-.RE
-.PP
-\fB+[no]identify\fR
-.RS 4
-Show [or do not show] the IP address and port number that supplied the answer when the
-\fI+short\fR
-option is enabled\&. If short form answers are requested, the default is not to show the source address and port number of the server that provided the answer\&.
-.RE
-.PP
-\fB+[no]idnin\fR
-.RS 4
-Process [do not process] IDN domain names on input\&. This requires IDN SUPPORT to have been enabled at compile time\&.
-.sp
-The default is to process IDN input when standard output is a tty\&. The IDN processing on input is disabled when dig output is redirected to files, pipes, and other non\-tty file descriptors\&.
-.RE
-.PP
-\fB+[no]idnout\fR
-.RS 4
-Convert [do not convert] puny code on output\&. This requires IDN SUPPORT to have been enabled at compile time\&.
-.sp
-The default is to process puny code on output when standard output is a tty\&. The puny code processing on output is disabled when dig output is redirected to files, pipes, and other non\-tty file descriptors\&.
-.RE
-.PP
-\fB+[no]ignore\fR
-.RS 4
-Ignore truncation in UDP responses instead of retrying with TCP\&. By default, TCP retries are performed\&.
-.RE
-.PP
-\fB+[no]keepalive\fR
-.RS 4
-Send [or do not send] an EDNS Keepalive option\&.
-.RE
-.PP
-\fB+[no]keepopen\fR
-.RS 4
-Keep the TCP socket open between queries and reuse it rather than creating a new TCP socket for each lookup\&. The default is
-\fB+nokeepopen\fR\&.
-.RE
-.PP
-\fB+[no]mapped\fR
-.RS 4
-Allow mapped IPv4 over IPv6 addresses to be used\&. The default is
-\fB+mapped\fR\&.
-.RE
-.PP
-\fB+[no]multiline\fR
-.RS 4
-Print records like the SOA records in a verbose multi\-line format with human\-readable comments\&. The default is to print each record on a single line, to facilitate machine parsing of the
-\fBdig\fR
-output\&.
-.RE
-.PP
-\fB+ndots=D\fR
-.RS 4
-Set the number of dots that have to appear in
-\fIname\fR
-to
-\fID\fR
-for it to be considered absolute\&. The default value is that defined using the ndots statement in
-/etc/resolv\&.conf, or 1 if no ndots statement is present\&. Names with fewer dots are interpreted as relative names and will be searched for in the domains listed in the
-\fBsearch\fR
-or
-\fBdomain\fR
-directive in
-/etc/resolv\&.conf
-if
-\fB+search\fR
-is set\&.
-.RE
-.PP
-\fB+[no]nsid\fR
-.RS 4
-Include an EDNS name server ID request when sending a query\&.
-.RE
-.PP
-\fB+[no]nssearch\fR
-.RS 4
-When this option is set,
-\fBdig\fR
-attempts to find the authoritative name servers for the zone containing the name being looked up and display the SOA record that each name server has for the zone\&. Addresses of servers that that did not respond are also printed\&.
-.RE
-.PP
-\fB+[no]onesoa\fR
-.RS 4
-Print only one (starting) SOA record when performing an AXFR\&. The default is to print both the starting and ending SOA records\&.
-.RE
-.PP
-\fB+[no]opcode=value\fR
-.RS 4
-Set [restore] the DNS message opcode to the specified value\&. The default value is QUERY (0)\&.
-.RE
-.PP
-\fB+padding=value\fR
-.RS 4
-Pad the size of the query packet using the EDNS Padding option to blocks of
-\fIvalue\fR
-bytes\&. For example,
-\fB+padding=32\fR
-would cause a 48\-byte query to be padded to 64 bytes\&. The default block size is 0, which disables padding\&. The maximum is 512\&. Values are ordinarily expected to be powers of two, such as 128; however, this is not mandatory\&. Responses to padded queries may also be padded, but only if the query uses TCP or DNS COOKIE\&.
-.RE
-.PP
-\fB+[no]qr\fR
-.RS 4
-Toggles the display of the query message as it is sent\&. By default, the query is not printed\&.
-.RE
-.PP
-\fB+[no]question\fR
-.RS 4
-Toggles the display of the question section of a query when an answer is returned\&. The default is to print the question section as a comment\&.
-.RE
-.PP
-\fB+[no]raflag\fR
-.RS 4
-Set [do not set] the RA (Recursion Available) bit in the query\&. The default is +noraflag\&. This bit should be ignored by the server for QUERY\&.
-.RE
-.PP
-\fB+[no]rdflag\fR
-.RS 4
-A synonym for
-\fI+[no]recurse\fR\&.
-.RE
-.PP
-\fB+[no]recurse\fR
-.RS 4
-Toggle the setting of the RD (recursion desired) bit in the query\&. This bit is set by default, which means
-\fBdig\fR
-normally sends recursive queries\&. Recursion is automatically disabled when using the
-\fI+nssearch\fR
-option, and when using
-\fI+trace\fR
-except for an initial recursive query to get the list of root servers\&.
-.RE
-.PP
-\fB+retry=T\fR
-.RS 4
-Sets the number of times to retry UDP queries to server to
-\fIT\fR
-instead of the default, 2\&. Unlike
-\fI+tries\fR, this does not include the initial query\&.
-.RE
-.PP
-\fB+[no]rrcomments\fR
-.RS 4
-Toggle the display of per\-record comments in the output (for example, human\-readable key information about DNSKEY records)\&. The default is not to print record comments unless multiline mode is active\&.
-.RE
-.PP
-\fB+[no]search\fR
-.RS 4
-Use [do not use] the search list defined by the searchlist or domain directive in
-resolv\&.conf
-(if any)\&. The search list is not used by default\&.
-.sp
-\*(Aqndots\*(Aq from
-resolv\&.conf
-(default 1) which may be overridden by
-\fI+ndots\fR
-determines if the name will be treated as relative or not and hence whether a search is eventually performed or not\&.
-.RE
-.PP
-\fB+[no]short\fR
-.RS 4
-Provide a terse answer\&. The default is to print the answer in a verbose form\&. This option always has global effect; it cannot be set globally and then overridden on a per\-lookup basis\&.
-.RE
-.PP
-\fB+[no]showsearch\fR
-.RS 4
-Perform [do not perform] a search showing intermediate results\&.
-.RE
-.PP
-\fB+[no]sigchase\fR
-.RS 4
-This feature is now obsolete and has been removed; use
-\fBdelv\fR
-instead\&.
-.RE
-.PP
-\fB+split=W\fR
-.RS 4
-Split long hex\- or base64\-formatted fields in resource records into chunks of
-\fIW\fR
-characters (where
-\fIW\fR
-is rounded up to the nearest multiple of 4)\&.
-\fI+nosplit\fR
-or
-\fI+split=0\fR
-causes fields not to be split at all\&. The default is 56 characters, or 44 characters when multiline mode is active\&.
-.RE
-.PP
-\fB+[no]stats\fR
-.RS 4
-Toggles the printing of statistics: when the query was made, the size of the reply and so on\&. The default behavior is to print the query statistics as a comment after each lookup\&.
-.RE
-.PP
-\fB+[no]subnet=addr[/prefix\-length]\fR
-.RS 4
-Send (don\*(Aqt send) an EDNS Client Subnet option with the specified IP address or network prefix\&.
-.sp
-\fBdig +subnet=0\&.0\&.0\&.0/0\fR, or simply
-\fBdig +subnet=0\fR
-for short, sends an EDNS CLIENT\-SUBNET option with an empty address and a source prefix\-length of zero, which signals a resolver that the client\*(Aqs address information must
-\fInot\fR
-be used when resolving this query\&.
-.RE
-.PP
-\fB+[no]tcflag\fR
-.RS 4
-Set [do not set] the TC (TrunCation) bit in the query\&. The default is +notcflag\&. This bit should be ignored by the server for QUERY\&.
-.RE
-.PP
-\fB+[no]tcp\fR
-.RS 4
-Use [do not use] TCP when querying name servers\&. The default behavior is to use UDP unless a type
-any
-or
-ixfr=N
-query is requested, in which case the default is TCP\&. AXFR queries always use TCP\&.
-.RE
-.PP
-\fB+timeout=T\fR
-.RS 4
-Sets the timeout for a query to
-\fIT\fR
-seconds\&. The default timeout is 5 seconds\&. An attempt to set
-\fIT\fR
-to less than 1 will result in a query timeout of 1 second being applied\&.
-.RE
-.PP
-\fB+[no]topdown\fR
-.RS 4
-This feature is related to
-\fBdig +sigchase\fR, which is obsolete and has been removed\&. Use
-\fBdelv\fR
-instead\&.
-.RE
-.PP
-\fB+[no]trace\fR
-.RS 4
-Toggle tracing of the delegation path from the root name servers for the name being looked up\&. Tracing is disabled by default\&. When tracing is enabled,
-\fBdig\fR
-makes iterative queries to resolve the name being looked up\&. It will follow referrals from the root servers, showing the answer from each server that was used to resolve the lookup\&.
-.sp
-If @server is also specified, it affects only the initial query for the root zone name servers\&.
-.sp
-\fB+dnssec\fR
-is also set when +trace is set to better emulate the default queries from a nameserver\&.
-.RE
-.PP
-\fB+tries=T\fR
-.RS 4
-Sets the number of times to try UDP queries to server to
-\fIT\fR
-instead of the default, 3\&. If
-\fIT\fR
-is less than or equal to zero, the number of tries is silently rounded up to 1\&.
-.RE
-.PP
-\fB+trusted\-key=####\fR
-.RS 4
-Formerly specified trusted keys for use with
-\fBdig +sigchase\fR\&. This feature is now obsolete and has been removed; use
-\fBdelv\fR
-instead\&.
-.RE
-.PP
-\fB+[no]ttlid\fR
-.RS 4
-Display [do not display] the TTL when printing the record\&.
-.RE
-.PP
-\fB+[no]ttlunits\fR
-.RS 4
-Display [do not display] the TTL in friendly human\-readable time units of "s", "m", "h", "d", and "w", representing seconds, minutes, hours, days and weeks\&. Implies +ttlid\&.
-.RE
-.PP
-\fB+[no]unexpected\fR
-.RS 4
-Accept [do not accept] answers from unexpected sources\&. By default,
-\fBdig\fR
-won\*(Aqt accept a reply from a source other than the one to which it sent the query\&.
-.RE
-.PP
-\fB+[no]unknownformat\fR
-.RS 4
-Print all RDATA in unknown RR type presentation format (RFC 3597)\&. The default is to print RDATA for known types in the type\*(Aqs presentation format\&.
-.RE
-.PP
-\fB+[no]vc\fR
-.RS 4
-Use [do not use] TCP when querying name servers\&. This alternate syntax to
-\fI+[no]tcp\fR
-is provided for backwards compatibility\&. The "vc" stands for "virtual circuit"\&.
-.RE
-.PP
-\fB+[no]yaml\fR
-.RS 4
-Print the responses (and, if
-\fB+qr\fR
-is in use, also the outgoing queries) in a detailed YAML format\&.
-.RE
-.PP
-\fB+[no]zflag\fR
-.RS 4
-Set [do not set] the last unassigned DNS header flag in a DNS query\&. This flag is off by default\&.
-.RE
-.SH "MULTIPLE QUERIES"
-.PP
-The BIND 9 implementation of
-\fBdig \fR
-supports specifying multiple queries on the command line (in addition to supporting the
-\fB\-f\fR
-batch file option)\&. Each of those queries can be supplied with its own set of flags, options and query options\&.
-.PP
-In this case, each
-\fIquery\fR
-argument represent an individual query in the command\-line syntax described above\&. Each consists of any of the standard options and flags, the name to be looked up, an optional query type and class and any query options that should be applied to that query\&.
-.PP
-A global set of query options, which should be applied to all queries, can also be supplied\&. These global query options must precede the first tuple of name, class, type, options, flags, and query options supplied on the command line\&. Any global query options (except
-\fB+[no]cmd\fR
-and
-\fB+[no]short\fR
-options) can be overridden by a query\-specific set of query options\&. For example:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-dig +qr www\&.isc\&.org any \-x 127\&.0\&.0\&.1 isc\&.org ns +noqr
-.fi
-.if n \{\
-.RE
-.\}
-.sp
-shows how
-\fBdig\fR
-could be used from the command line to make three lookups: an ANY query for
-www\&.isc\&.org, a reverse lookup of 127\&.0\&.0\&.1 and a query for the NS records of
-isc\&.org\&. A global query option of
-\fI+qr\fR
-is applied, so that
-\fBdig\fR
-shows the initial query it made for each lookup\&. The final query has a local query option of
-\fI+noqr\fR
-which means that
-\fBdig\fR
-will not print the initial query when it looks up the NS records for
-isc\&.org\&.
-.SH "IDN SUPPORT"
-.PP
-If
-\fBdig\fR
-has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names\&.
-\fBdig\fR
-appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server\&. If you\*(Aqd like to turn off the IDN support for some reason, use parameters
-\fI+noidnin\fR
-and
-\fI+noidnout\fR
-or define the
-\fBIDN_DISABLE\fR
-environment variable\&.
-.SH "FILES"
-.PP
-/etc/resolv\&.conf
-.PP
-${HOME}/\&.digrc
-.SH "SEE ALSO"
-.PP
-\fBdelv\fR(1),
-\fBhost\fR(1),
-\fBnamed\fR(8),
-\fBdnssec-keygen\fR(8),
-RFC 1035\&.
-.SH "BUGS"
-.PP
-There are probably too many query options\&.
-.SH "AUTHOR"
-.PP
-\fBInternet Systems Consortium, Inc\&.\fR
-.SH "COPYRIGHT"
-.br
-Copyright \(co 2000-2011, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
-.br

bin/dig/dig.rst

@@ -0,0 +1,634 @@
+.. 
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+   
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, You can obtain one at http://mozilla.org/MPL/2.0/.
+   
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
+..
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
+
+.. highlight: console
+
+.. _man_dig:
+
+dig - DNS lookup utility
+----------------------------------
+
+Synopsis
+~~~~~~~~
+:program:`dig` [@server] [**-b** address] [**-c** class] [**-f** filename] [**-k** filename] [**-m**] [**-p** port#] [**-q** name] [**-t** type] [**-v**] [**-x** addr] [**-y** [hmac:]name:key] [ [**-4**] | [**-6**] ] [name] [type] [class] [queryopt...]
+
+:program:`dig` [**-h**]
+
+:program:`dig` [global-queryopt...] [query...]
+
+Description
+~~~~~~~~~~~
+
+``dig`` is a flexible tool for interrogating DNS name servers. It
+performs DNS lookups and displays the answers that are returned from the
+name server(s) that were queried. Most DNS administrators use ``dig`` to
+troubleshoot DNS problems because of its flexibility, ease of use and
+clarity of output. Other lookup tools tend to have less functionality
+than ``dig``.
+
+Although ``dig`` is normally used with command-line arguments, it also
+has a batch mode of operation for reading lookup requests from a file. A
+brief summary of its command-line arguments and options is printed when
+the ``-h`` option is given. Unlike earlier versions, the BIND 9
+implementation of ``dig`` allows multiple lookups to be issued from the
+command line.
+
+Unless it is told to query a specific name server, ``dig`` will try each
+of the servers listed in ``/etc/resolv.conf``. If no usable server
+addresses are found, ``dig`` will send the query to the local host.
+
+When no command line arguments or options are given, ``dig`` will
+perform an NS query for "." (the root).
+
+It is possible to set per-user defaults for ``dig`` via
+``${HOME}/.digrc``. This file is read and any options in it are applied
+before the command line arguments. The ``-r`` option disables this
+feature, for scripts that need predictable behaviour.
+
+The IN and CH class names overlap with the IN and CH top level domain
+names. Either use the ``-t`` and ``-c`` options to specify the type and
+class, use the ``-q`` the specify the domain name, or use "IN." and
+"CH." when looking up these top level domains.
+
+Simple Usage
+~~~~~~~~~~~~
+
+A typical invocation of ``dig`` looks like:
+
+::
+
+    dig @server name type
+
+where:
+
+``server``
+   is the name or IP address of the name server to query. This can be an
+   IPv4 address in dotted-decimal notation or an IPv6 address in
+   colon-delimited notation. When the supplied ``server`` argument is a
+   hostname, ``dig`` resolves that name before querying that name
+   server.
+
+   If no ``server`` argument is provided, ``dig`` consults
+   ``/etc/resolv.conf``; if an address is found there, it queries the
+   name server at that address. If either of the ``-4`` or ``-6``
+   options are in use, then only addresses for the corresponding
+   transport will be tried. If no usable addresses are found, ``dig``
+   will send the query to the local host. The reply from the name server
+   that responds is displayed.
+
+``name``
+   is the name of the resource record that is to be looked up.
+
+``type``
+   indicates what type of query is required MDASH ANY, A, MX, SIG, etc.
+   ``type`` can be any valid query type. If no ``type`` argument is
+   supplied, ``dig`` will perform a lookup for an A record.
+
+Options
+~~~~~~~
+
+**-4**
+   Use IPv4 only.
+
+**-6**
+   Use IPv6 only.
+
+**-b** address[#port]
+   Set the source IP address of the query. The ``address`` must be a
+   valid address on one of the host's network interfaces, or "0.0.0.0"
+   or "::". An optional port may be specified by appending "#<port>"
+
+**-c** class
+   Set the query class. The default ``class`` is IN; other classes are
+   HS for Hesiod records or CH for Chaosnet records.
+
+**-f** file
+   Batch mode: ``dig`` reads a list of lookup requests to process from
+   the given ``file``. Each line in the file should be organized in the
+   same way they would be presented as queries to ``dig`` using the
+   command-line interface.
+
+**-k** keyfile
+   Sign queries using TSIG using a key read from the given file. Key
+   files can be generated using tsig-keygen8. When using TSIG
+   authentication with ``dig``, the name server that is queried needs to
+   know the key and algorithm that is being used. In BIND, this is done
+   by providing appropriate ``key`` and ``server`` statements in
+   ``named.conf``.
+
+**-m**
+   Enable memory usage debugging.
+
+**-p** port
+   Send the query to a non-standard port on the server, instead of the
+   default port 53. This option would be used to test a name server that
+   has been configured to listen for queries on a non-standard port
+   number.
+
+**-q** name
+   The domain name to query. This is useful to distinguish the ``name``
+   from other arguments.
+
+**-r**
+   Do not read options from ``${HOME}/.digrc``. This is useful for
+   scripts that need predictable behaviour.
+
+**-t** type
+   The resource record type to query. It can be any valid query type. If
+   it is a resource record type supported in BIND 9, it can be given by
+   the type mnemonic (such as "NS" or "AAAA"). The default query type is
+   "A", unless the ``-x`` option is supplied to indicate a reverse
+   lookup. A zone transfer can be requested by specifying a type of
+   AXFR. When an incremental zone transfer (IXFR) is required, set the
+   ``type`` to ``ixfr=N``. The incremental zone transfer will contain
+   the changes made to the zone since the serial number in the zone's
+   SOA record was ``N``.
+
+   All resource record types can be expressed as "TYPEnn", where "nn" is
+   the number of the type. If the resource record type is not supported
+   in BIND 9, the result will be displayed as described in :rfc:`3597`.
+
+**-u**
+   Print query times in microseconds instead of milliseconds.
+
+**-v**
+   Print the version number and exit.
+
+**-x** addr
+   Simplified reverse lookups, for mapping addresses to names. The
+   ``addr`` is an IPv4 address in dotted-decimal notation, or a
+   colon-delimited IPv6 address. When the ``-x`` is used, there is no
+   need to provide the ``name``, ``class`` and ``type`` arguments.
+   ``dig`` automatically performs a lookup for a name like
+   ``94.2.0.192.in-addr.arpa`` and sets the query type and class to PTR
+   and IN respectively. IPv6 addresses are looked up using nibble format
+   under the IP6.ARPA domain.
+
+**-y** [hmac:]keyname:secret
+   Sign queries using TSIG with the given authentication key.
+   ``keyname`` is the name of the key, and ``secret`` is the base64
+   encoded shared secret. ``hmac`` is the name of the key algorithm;
+   valid choices are ``hmac-md5``, ``hmac-sha1``, ``hmac-sha224``,
+   ``hmac-sha256``, ``hmac-sha384``, or ``hmac-sha512``. If ``hmac`` is
+   not specified, the default is ``hmac-md5`` or if MD5 was disabled
+   ``hmac-sha256``.
+
+.. note:: You should use the ``-k`` option and avoid the ``-y`` option,
+   because with ``-y`` the shared secret is supplied as a command line
+   argument in clear text. This may be visible in the output from ps1 or
+   in a history file maintained by the user's shell.
+
+Query Options
+~~~~~~~~~~~~~
+
+``dig`` provides a number of query options which affect the way in which
+lookups are made and the results displayed. Some of these set or reset
+flag bits in the query header, some determine which sections of the
+answer get printed, and others determine the timeout and retry
+strategies.
+
+Each query option is identified by a keyword preceded by a plus sign
+(``+``). Some keywords set or reset an option. These may be preceded by
+the string ``no`` to negate the meaning of that keyword. Other keywords
+assign values to options like the timeout interval. They have the form
+``+keyword=value``. Keywords may be abbreviated, provided the
+abbreviation is unambiguous; for example, ``+cd`` is equivalent to
+``+cdflag``. The query options are:
+
+``+[no]aaflag``
+   A synonym for ``+[no]aaonly``.
+
+``+[no]aaonly``
+   Sets the "aa" flag in the query.
+
+``+[no]additional``
+   Display [do not display] the additional section of a reply. The
+   default is to display it.
+
+``+[no]adflag``
+   Set [do not set] the AD (authentic data) bit in the query. This
+   requests the server to return whether all of the answer and authority
+   sections have all been validated as secure according to the security
+   policy of the server. AD=1 indicates that all records have been
+   validated as secure and the answer is not from a OPT-OUT range. AD=0
+   indicate that some part of the answer was insecure or not validated.
+   This bit is set by default.
+
+``+[no]all``
+   Set or clear all display flags.
+
+``+[no]answer``
+   Display [do not display] the answer section of a reply. The default
+   is to display it.
+
+``+[no]authority``
+   Display [do not display] the authority section of a reply. The
+   default is to display it.
+
+``+[no]badcookie``
+   Retry lookup with the new server cookie if a BADCOOKIE response is
+   received.
+
+``+[no]besteffort``
+   Attempt to display the contents of messages which are malformed. The
+   default is to not display malformed answers.
+
+``+bufsize=B``
+   Set the UDP message buffer size advertised using EDNS0 to ``B``
+   bytes. The maximum and minimum sizes of this buffer are 65535 and 0
+   respectively. Values outside this range are rounded up or down
+   appropriately. Values other than zero will cause a EDNS query to be
+   sent.
+
+``+[no]cdflag``
+   Set [do not set] the CD (checking disabled) bit in the query. This
+   requests the server to not perform DNSSEC validation of responses.
+
+``+[no]class``
+   Display [do not display] the CLASS when printing the record.
+
+``+[no]cmd``
+   Toggles the printing of the initial comment in the output, identifying the
+   version of ``dig`` and the query options that have been applied.  This option
+   always has global effect; it cannot be set globally and then overridden on a
+   per-lookup basis.  The default is to print this comment.
+
+``+[no]comments``
+   Toggles the display of some comment lines in the output, containing
+   information about the packet header and OPT pseudosection, and the names of
+   the response section.  The default is to print these comments.
+
+   Other types of comments in the output are not affected by this option, but
+   can be controlled using other command line switches. These include
+   ``+[no]cmd``, ``+[no]question``, ``+[no]stats``, and ``+[no]rrcomments``.
+
+``+[no]cookie=####``
+   Send a COOKIE EDNS option, with optional value. Replaying a COOKIE
+   from a previous response will allow the server to identify a previous
+   client. The default is ``+cookie``.
+
+   ``+cookie`` is also set when +trace is set to better emulate the
+   default queries from a nameserver.
+
+``+[no]crypto``
+   Toggle the display of cryptographic fields in DNSSEC records. The
+   contents of these field are unnecessary to debug most DNSSEC
+   validation failures and removing them makes it easier to see the
+   common failures. The default is to display the fields. When omitted
+   they are replaced by the string "[omitted]" or in the DNSKEY case the
+   key id is displayed as the replacement, e.g. "[ key id = value ]".
+
+``+[no]defname``
+   Deprecated, treated as a synonym for ``+[no]search``
+
+``+[no]dnssec``
+   Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO) in
+   the OPT record in the additional section of the query.
+
+``+domain=somename``
+   Set the search list to contain the single domain ``somename``, as if
+   specified in a ``domain`` directive in ``/etc/resolv.conf``, and
+   enable search list processing as if the ``+search`` option were
+   given.
+
+``+dscp=value``
+   Set the DSCP code point to be used when sending the query. Valid DSCP
+   code points are in the range [0..63]. By default no code point is
+   explicitly set.
+
+``+[no]edns[=#]``
+   Specify the EDNS version to query with. Valid values are 0 to 255.
+   Setting the EDNS version will cause a EDNS query to be sent.
+   ``+noedns`` clears the remembered EDNS version. EDNS is set to 0 by
+   default.
+
+``+[no]ednsflags[=#]``
+   Set the must-be-zero EDNS flags bits (Z bits) to the specified value.
+   Decimal, hex and octal encodings are accepted. Setting a named flag
+   (e.g. DO) will silently be ignored. By default, no Z bits are set.
+
+``+[no]ednsnegotiation``
+   Enable / disable EDNS version negotiation. By default EDNS version
+   negotiation is enabled.
+
+``+[no]ednsopt[=code[:value]]``
+   Specify EDNS option with code point ``code`` and optionally payload
+   of ``value`` as a hexadecimal string. ``code`` can be either an EDNS
+   option name (for example, ``NSID`` or ``ECS``), or an arbitrary
+   numeric value. ``+noednsopt`` clears the EDNS options to be sent.
+
+``+[no]expire``
+   Send an EDNS Expire option.
+
+``+[no]fail``
+   Do not try the next server if you receive a SERVFAIL. The default is
+   to not try the next server which is the reverse of normal stub
+   resolver behavior.
+
+``+[no]header-only``
+   Send a query with a DNS header without a question section. The
+   default is to add a question section. The query type and query name
+   are ignored when this is set.
+
+``+[no]identify``
+   Show [or do not show] the IP address and port number that supplied
+   the answer when the ``+short`` option is enabled. If short form
+   answers are requested, the default is not to show the source address
+   and port number of the server that provided the answer.
+
+``+[no]idnin``
+   Process [do not process] IDN domain names on input. This requires IDN
+   SUPPORT to have been enabled at compile time.
+
+   The default is to process IDN input when standard output is a tty.
+   The IDN processing on input is disabled when dig output is redirected
+   to files, pipes, and other non-tty file descriptors.
+
+``+[no]idnout``
+   Convert [do not convert] puny code on output. This requires IDN
+   SUPPORT to have been enabled at compile time.
+
+   The default is to process puny code on output when standard output is
+   a tty. The puny code processing on output is disabled when dig output
+   is redirected to files, pipes, and other non-tty file descriptors.
+
+``+[no]ignore``
+   Ignore truncation in UDP responses instead of retrying with TCP. By
+   default, TCP retries are performed.
+
+``+[no]keepalive``
+   Send [or do not send] an EDNS Keepalive option.
+
+``+[no]keepopen``
+   Keep the TCP socket open between queries and reuse it rather than
+   creating a new TCP socket for each lookup. The default is
+   ``+nokeepopen``.
+
+``+[no]mapped``
+   Allow mapped IPv4 over IPv6 addresses to be used. The default is
+   ``+mapped``.
+
+``+[no]multiline``
+   Print records like the SOA records in a verbose multi-line format
+   with human-readable comments. The default is to print each record on
+   a single line, to facilitate machine parsing of the ``dig`` output.
+
+``+ndots=D``
+   Set the number of dots that have to appear in ``name`` to ``D`` for
+   it to be considered absolute. The default value is that defined using
+   the ndots statement in ``/etc/resolv.conf``, or 1 if no ndots
+   statement is present. Names with fewer dots are interpreted as
+   relative names and will be searched for in the domains listed in the
+   ``search`` or ``domain`` directive in ``/etc/resolv.conf`` if
+   ``+search`` is set.
+
+``+[no]nsid``
+   Include an EDNS name server ID request when sending a query.
+
+``+[no]nssearch``
+   When this option is set, ``dig`` attempts to find the authoritative
+   name servers for the zone containing the name being looked up and
+   display the SOA record that each name server has for the zone.
+   Addresses of servers that that did not respond are also printed.
+
+``+[no]onesoa``
+   Print only one (starting) SOA record when performing an AXFR. The
+   default is to print both the starting and ending SOA records.
+
+``+[no]opcode=value``
+   Set [restore] the DNS message opcode to the specified value. The
+   default value is QUERY (0).
+
+``+padding=value``
+   Pad the size of the query packet using the EDNS Padding option to
+   blocks of ``value`` bytes. For example, ``+padding=32`` would cause a
+   48-byte query to be padded to 64 bytes. The default block size is 0,
+   which disables padding. The maximum is 512. Values are ordinarily
+   expected to be powers of two, such as 128; however, this is not
+   mandatory. Responses to padded queries may also be padded, but only
+   if the query uses TCP or DNS COOKIE.
+
+``+[no]qr``
+   Toggles the display of the query message as it is sent. By default, the query
+   is not printed.
+
+``+[no]question``
+   Toggles the display of the question section of a query when an answer is
+   returned.  The default is to print the question section as a comment.
+
+``+[no]raflag``
+   Set [do not set] the RA (Recursion Available) bit in the query. The
+   default is +noraflag. This bit should be ignored by the server for
+   QUERY.
+
+``+[no]rdflag``
+   A synonym for ``+[no]recurse``.
+
+``+[no]recurse``
+   Toggle the setting of the RD (recursion desired) bit in the query.
+   This bit is set by default, which means ``dig`` normally sends
+   recursive queries. Recursion is automatically disabled when the
+   ``+nssearch`` or ``+trace`` query options are used.
+
+``+retry=T``
+   Sets the number of times to retry UDP queries to server to ``T``
+   instead of the default, 2. Unlike ``+tries``, this does not include
+   the initial query.
+
+``+[no]rrcomments``
+   Toggle the display of per-record comments in the output (for example,
+   human-readable key information about DNSKEY records). The default is
+   not to print record comments unless multiline mode is active.
+
+``+[no]search``
+   Use [do not use] the search list defined by the searchlist or domain
+   directive in ``resolv.conf`` (if any). The search list is not used by
+   default.
+
+   'ndots' from ``resolv.conf`` (default 1) which may be overridden by
+   ``+ndots`` determines if the name will be treated as relative or not
+   and hence whether a search is eventually performed or not.
+
+``+[no]short``
+   Provide a terse answer.  The default is to print the answer in a verbose
+   form.  This option always has global effect; it cannot be set globally and
+   then overridden on a per-lookup basis.
+
+``+[no]showsearch``
+   Perform [do not perform] a search showing intermediate results.
+
+``+[no]sigchase``
+   This feature is now obsolete and has been removed; use ``delv``
+   instead.
+
+``+split=W``
+   Split long hex- or base64-formatted fields in resource records into
+   chunks of ``W`` characters (where ``W`` is rounded up to the nearest
+   multiple of 4). ``+nosplit`` or ``+split=0`` causes fields not to be
+   split at all. The default is 56 characters, or 44 characters when
+   multiline mode is active.
+
+``+[no]stats``
+   Toggles the printing of statistics: when the query was made, the size of the
+   reply and so on.  The default behavior is to print the query statistics as a
+   comment after each lookup.
+
+``+[no]subnet=addr[/prefix-length]``
+   Send (don't send) an EDNS Client Subnet option with the specified IP
+   address or network prefix.
+
+   ``dig +subnet=0.0.0.0/0``, or simply ``dig +subnet=0`` for short,
+   sends an EDNS CLIENT-SUBNET option with an empty address and a source
+   prefix-length of zero, which signals a resolver that the client's
+   address information must *not* be used when resolving this query.
+
+``+[no]tcflag``
+   Set [do not set] the TC (TrunCation) bit in the query. The default is
+   +notcflag. This bit should be ignored by the server for QUERY.
+
+``+[no]tcp``
+   Use [do not use] TCP when querying name servers. The default behavior
+   is to use UDP unless a type ``any`` or ``ixfr=N`` query is requested,
+   in which case the default is TCP. AXFR queries always use TCP.
+
+``+timeout=T``
+   Sets the timeout for a query to ``T`` seconds. The default timeout is
+   5 seconds. An attempt to set ``T`` to less than 1 will result in a
+   query timeout of 1 second being applied.
+
+``+[no]topdown``
+   This feature is related to ``dig +sigchase``, which is obsolete and
+   has been removed. Use ``delv`` instead.
+
+``+[no]trace``
+   Toggle tracing of the delegation path from the root name servers for
+   the name being looked up. Tracing is disabled by default. When
+   tracing is enabled, ``dig`` makes iterative queries to resolve the
+   name being looked up. It will follow referrals from the root servers,
+   showing the answer from each server that was used to resolve the
+   lookup.
+
+   If @server is also specified, it affects only the initial query for
+   the root zone name servers.
+
+   ``+dnssec`` is also set when +trace is set to better emulate the
+   default queries from a nameserver.
+
+``+tries=T``
+   Sets the number of times to try UDP queries to server to ``T``
+   instead of the default, 3. If ``T`` is less than or equal to zero,
+   the number of tries is silently rounded up to 1.
+
+``+trusted-key=####``
+   Formerly specified trusted keys for use with ``dig +sigchase``. This
+   feature is now obsolete and has been removed; use ``delv`` instead.
+
+``+[no]ttlid``
+   Display [do not display] the TTL when printing the record.
+
+``+[no]ttlunits``
+   Display [do not display] the TTL in friendly human-readable time
+   units of "s", "m", "h", "d", and "w", representing seconds, minutes,
+   hours, days and weeks. Implies +ttlid.
+
+``+[no]unexpected``
+   Accept [do not accept] answers from unexpected sources.  By default, ``dig``
+   won't accept a reply from a source other than the one to which it sent the
+   query.
+
+``+[no]unknownformat``
+   Print all RDATA in unknown RR type presentation format (:rfc:`3597`).
+   The default is to print RDATA for known types in the type's
+   presentation format.
+
+``+[no]vc``
+   Use [do not use] TCP when querying name servers. This alternate
+   syntax to ``+[no]tcp`` is provided for backwards compatibility. The
+   "vc" stands for "virtual circuit".
+
+``+[no]yaml``
+   Print the responses (and, if <option>+qr</option> is in use, also the
+   outgoing queries) in a detailed YAML format.
+
+``+[no]zflag``
+   Set [do not set] the last unassigned DNS header flag in a DNS query.
+   This flag is off by default.
+
+Multiple Queries
+~~~~~~~~~~~~~~~~
+
+The BIND 9 implementation of ``dig`` supports specifying multiple
+queries on the command line (in addition to supporting the ``-f`` batch
+file option). Each of those queries can be supplied with its own set of
+flags, options and query options.
+
+In this case, each ``query`` argument represent an individual query in
+the command-line syntax described above. Each consists of any of the
+standard options and flags, the name to be looked up, an optional query
+type and class and any query options that should be applied to that
+query.
+
+A global set of query options, which should be applied to all queries,
+can also be supplied. These global query options must precede the first
+tuple of name, class, type, options, flags, and query options supplied
+on the command line. Any global query options (except ``+[no]cmd`` and
+``+[no]short`` options) can be overridden by a query-specific set of
+query options. For example:
+
+::
+
+   dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
+
+shows how ``dig`` could be used from the command line to make three
+lookups: an ANY query for ``www.isc.org``, a reverse lookup of 127.0.0.1
+and a query for the NS records of ``isc.org``. A global query option of
+``+qr`` is applied, so that ``dig`` shows the initial query it made for
+each lookup. The final query has a local query option of ``+noqr`` which
+means that ``dig`` will not print the initial query when it looks up the
+NS records for ``isc.org``.
+
+IDN Support
+~~~~~~~~~~~
+
+If ``dig`` has been built with IDN (internationalized domain name)
+support, it can accept and display non-ASCII domain names. ``dig``
+appropriately converts character encoding of domain name before sending
+a request to DNS server or displaying a reply from the server. If you'd
+like to turn off the IDN support for some reason, use parameters
+``+noidnin`` and ``+noidnout`` or define the IDN_DISABLE environment
+variable.
+
+Files
+~~~~~
+
+``/etc/resolv.conf``
+
+``${HOME}/.digrc``
+
+See Also
+~~~~~~~~
+
+:manpage:`delv(1)`, :manpage:`host(1)`, :manpage:`named(8)`, :manpage:`dnssec-keygen(8)`, :rfc:`1035`.
+
+Bugs
+~~~~
+
+There are probably too many query options.

bin/dig/host.1

@@ -1,273 +0,0 @@
-.\" Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
-.\" 
-.\" This Source Code Form is subject to the terms of the Mozilla Public
-.\" License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
-.\"
-.hy 0
-.ad l
-'\" t
-.\"     Title: host
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\"      Date: 2009-01-20
-.\"    Manual: BIND9
-.\"    Source: ISC
-.\"  Language: English
-.\"
-.TH "HOST" "1" "2009\-01\-20" "ISC" "BIND9"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el       .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-host \- DNS lookup utility
-.SH "SYNOPSIS"
-.HP \w'\fBhost\fR\ 'u
-\fBhost\fR [\fB\-aACdlnrsTUwv\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-N\ \fR\fB\fIndots\fR\fR] [\fB\-R\ \fR\fB\fInumber\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-W\ \fR\fB\fIwait\fR\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [[\fB\-4\fR] | [\fB\-6\fR]] [\fB\-v\fR] [\fB\-V\fR] {name} [server]
-.SH "DESCRIPTION"
-.PP
-\fBhost\fR
-is a simple utility for performing DNS lookups\&. It is normally used to convert names to IP addresses and vice versa\&. When no arguments or options are given,
-\fBhost\fR
-prints a short summary of its command line arguments and options\&.
-.PP
-\fIname\fR
-is the domain name that is to be looked up\&. It can also be a dotted\-decimal IPv4 address or a colon\-delimited IPv6 address, in which case
-\fBhost\fR
-will by default perform a reverse lookup for that address\&.
-\fIserver\fR
-is an optional argument which is either the name or IP address of the name server that
-\fBhost\fR
-should query instead of the server or servers listed in
-/etc/resolv\&.conf\&.
-.SH "OPTIONS"
-.PP
-\-4
-.RS 4
-Use IPv4 only for query transport\&. See also the
-\fB\-6\fR
-option\&.
-.RE
-.PP
-\-6
-.RS 4
-Use IPv6 only for query transport\&. See also the
-\fB\-4\fR
-option\&.
-.RE
-.PP
-\-a
-.RS 4
-"All"\&. The
-\fB\-a\fR
-option is normally equivalent to
-\fB\-v \-t \fR\fBANY\fR\&. It also affects the behaviour of the
-\fB\-l\fR
-list zone option\&.
-.RE
-.PP
-\-A
-.RS 4
-"Almost all"\&. The
-\fB\-A\fR
-option is equivalent to
-\fB\-a\fR
-except RRSIG, NSEC, and NSEC3 records are omitted from the output\&.
-.RE
-.PP
-\-c \fIclass\fR
-.RS 4
-Query class: This can be used to lookup HS (Hesiod) or CH (Chaosnet) class resource records\&. The default class is IN (Internet)\&.
-.RE
-.PP
-\-C
-.RS 4
-Check consistency:
-\fBhost\fR
-will query the SOA records for zone
-\fIname\fR
-from all the listed authoritative name servers for that zone\&. The list of name servers is defined by the NS records that are found for the zone\&.
-.RE
-.PP
-\-d
-.RS 4
-Print debugging traces\&. Equivalent to the
-\fB\-v\fR
-verbose option\&.
-.RE
-.PP
-\-l
-.RS 4
-List zone: The
-\fBhost\fR
-command performs a zone transfer of zone
-\fIname\fR
-and prints out the NS, PTR and address records (A/AAAA)\&.
-.sp
-Together, the
-\fB\-l \-a\fR
-options print all records in the zone\&.
-.RE
-.PP
-\-N \fIndots\fR
-.RS 4
-The number of dots that have to be in
-\fIname\fR
-for it to be considered absolute\&. The default value is that defined using the ndots statement in
-/etc/resolv\&.conf, or 1 if no ndots statement is present\&. Names with fewer dots are interpreted as relative names and will be searched for in the domains listed in the
-\fBsearch\fR
-or
-\fBdomain\fR
-directive in
-/etc/resolv\&.conf\&.
-.RE
-.PP
-\-r
-.RS 4
-Non\-recursive query: Setting this option clears the RD (recursion desired) bit in the query\&. This should mean that the name server receiving the query will not attempt to resolve
-\fIname\fR\&. The
-\fB\-r\fR
-option enables
-\fBhost\fR
-to mimic the behavior of a name server by making non\-recursive queries and expecting to receive answers to those queries that can be referrals to other name servers\&.
-.RE
-.PP
-\-R \fInumber\fR
-.RS 4
-Number of retries for UDP queries: If
-\fInumber\fR
-is negative or zero, the number of retries will default to 1\&. The default value is 1, or the value of the
-\fIattempts\fR
-option in
-/etc/resolv\&.conf, if set\&.
-.RE
-.PP
-\-s
-.RS 4
-Do
-\fInot\fR
-send the query to the next nameserver if any server responds with a SERVFAIL response, which is the reverse of normal stub resolver behavior\&.
-.RE
-.PP
-\-t \fItype\fR
-.RS 4
-Query type: The
-\fItype\fR
-argument can be any recognized query type: CNAME, NS, SOA, TXT, DNSKEY, AXFR, etc\&.
-.sp
-When no query type is specified,
-\fBhost\fR
-automatically selects an appropriate query type\&. By default, it looks for A, AAAA, and MX records\&. If the
-\fB\-C\fR
-option is given, queries will be made for SOA records\&. If
-\fIname\fR
-is a dotted\-decimal IPv4 address or colon\-delimited IPv6 address,
-\fBhost\fR
-will query for PTR records\&.
-.sp
-If a query type of IXFR is chosen the starting serial number can be specified by appending an equal followed by the starting serial number (like
-\fB\-t \fR\fBIXFR=12345678\fR)\&.
-.RE
-.PP
-\-T, \-U
-.RS 4
-TCP/UDP: By default,
-\fBhost\fR
-uses UDP when making queries\&. The
-\fB\-T\fR
-option makes it use a TCP connection when querying the name server\&. TCP will be automatically selected for queries that require it, such as zone transfer (AXFR) requests\&. Type ANY queries default to TCP but can be forced to UDP initially using
-\fB\-U\fR\&.
-.RE
-.PP
-\-m \fIflag\fR
-.RS 4
-Memory usage debugging: the flag can be
-\fIrecord\fR,
-\fIusage\fR, or
-\fItrace\fR\&. You can specify the
-\fB\-m\fR
-option more than once to set multiple flags\&.
-.RE
-.PP
-\-v
-.RS 4
-Verbose output\&. Equivalent to the
-\fB\-d\fR
-debug option\&. Verbose output can also be enabled by setting the
-\fIdebug\fR
-option in
-/etc/resolv\&.conf\&.
-.RE
-.PP
-\-V
-.RS 4
-Print the version number and exit\&.
-.RE
-.PP
-\-w
-.RS 4
-Wait forever: The query timeout is set to the maximum possible\&. See also the
-\fB\-W\fR
-option\&.
-.RE
-.PP
-\-W \fIwait\fR
-.RS 4
-Timeout: Wait for up to
-\fIwait\fR
-seconds for a reply\&. If
-\fIwait\fR
-is less than one, the wait interval is set to one second\&.
-.sp
-By default,
-\fBhost\fR
-will wait for 5 seconds for UDP responses and 10 seconds for TCP connections\&. These defaults can be overridden by the
-\fItimeout\fR
-option in
-/etc/resolv\&.conf\&.
-.sp
-See also the
-\fB\-w\fR
-option\&.
-.RE
-.SH "IDN SUPPORT"
-.PP
-If
-\fBhost\fR
-has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names\&.
-\fBhost\fR
-appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server\&. If you\*(Aqd like to turn off the IDN support for some reason, define the
-\fBIDN_DISABLE\fR
-environment variable\&. The IDN support is disabled if the variable is set when
-\fBhost\fR
-runs\&.
-.SH "FILES"
-.PP
-/etc/resolv\&.conf
-.SH "SEE ALSO"
-.PP
-\fBdig\fR(1),
-\fBnamed\fR(8)\&.
-.SH "AUTHOR"
-.PP
-\fBInternet Systems Consortium, Inc\&.\fR
-.SH "COPYRIGHT"
-.br
-Copyright \(co 2000-2002, 2004, 2005, 2007-2009, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
-.br

bin/dig/host.c

@@ -12,21 +12,21 @@
 /*! \file */
 
 #include <inttypes.h>
+#include <limits.h>
 #include <stdbool.h>
 #include <stdlib.h>
-#include <limits.h>
 
 #ifdef HAVE_LOCALE_H
 #include <locale.h>
-#endif
+#endif /* ifdef HAVE_LOCALE_H */
 
 #include <isc/app.h>
 #include <isc/commandline.h>
 #include <isc/netaddr.h>
 #include <isc/print.h>
 #include <isc/string.h>
-#include <isc/util.h>
 #include <isc/task.h>
+#include <isc/util.h>
 
 #include <dns/byaddr.h>
 #include <dns/fixedname.h>
@@ -35,8 +35,8 @@
 #include <dns/rdata.h>
 #include <dns/rdataclass.h>
 #include <dns/rdataset.h>
-#include <dns/rdatatype.h>
 #include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
 
 #include <dig/dig.h>
 
@@ -49,83 +49,56 @@ static dns_rdatatype_t list_type = dns_rdatatype_a;
 static bool printed_server = false;
 static bool ipv4only = false, ipv6only = false;
 
-static const char *opcodetext[] = {
-	"QUERY",
-	"IQUERY",
-	"STATUS",
-	"RESERVED3",
-	"NOTIFY",
-	"UPDATE",
-	"RESERVED6",
-	"RESERVED7",
-	"RESERVED8",
-	"RESERVED9",
-	"RESERVED10",
-	"RESERVED11",
-	"RESERVED12",
-	"RESERVED13",
-	"RESERVED14",
-	"RESERVED15"
-};
+static const char *opcodetext[] = { "QUERY",	  "IQUERY",	"STATUS",
+				    "RESERVED3",  "NOTIFY",	"UPDATE",
+				    "RESERVED6",  "RESERVED7",	"RESERVED8",
+				    "RESERVED9",  "RESERVED10", "RESERVED11",
+				    "RESERVED12", "RESERVED13", "RESERVED14",
+				    "RESERVED15" };
 
-static const char *rcodetext[] = {
-	"NOERROR",
-	"FORMERR",
-	"SERVFAIL",
-	"NXDOMAIN",
-	"NOTIMP",
-	"REFUSED",
-	"YXDOMAIN",
-	"YXRRSET",
-	"NXRRSET",
-	"NOTAUTH",
-	"NOTZONE",
-	"RESERVED11",
-	"RESERVED12",
-	"RESERVED13",
-	"RESERVED14",
-	"RESERVED15",
-	"BADVERS"
-};
+static const char *rcodetext[] = { "NOERROR",	 "FORMERR",    "SERVFAIL",
+				   "NXDOMAIN",	 "NOTIMP",     "REFUSED",
+				   "YXDOMAIN",	 "YXRRSET",    "NXRRSET",
+				   "NOTAUTH",	 "NOTZONE",    "RESERVED11",
+				   "RESERVED12", "RESERVED13", "RESERVED14",
+				   "RESERVED15", "BADVERS" };
 
 struct rtype {
 	unsigned int type;
 	const char *text;
 };
 
-struct rtype rtypes[] = {
-	{ 1, 	"has address" },
-	{ 2, 	"name server" },
-	{ 5, 	"is an alias for" },
-	{ 11,	"has well known services" },
-	{ 12,	"domain name pointer" },
-	{ 13,	"host information" },
-	{ 15,	"mail is handled by" },
-	{ 16,	"descriptive text" },
-	{ 19,	"x25 address" },
-	{ 20,	"ISDN address" },
-	{ 24,	"has signature" },
-	{ 25,	"has key" },
-	{ 28,	"has IPv6 address" },
-	{ 29,	"location" },
-	{ 0, NULL }
-};
+struct rtype rtypes[] = { { 1, "has address" },
+			  { 2, "name server" },
+			  { 5, "is an alias for" },
+			  { 11, "has well known services" },
+			  { 12, "domain name pointer" },
+			  { 13, "host information" },
+			  { 15, "mail is handled by" },
+			  { 16, "descriptive text" },
+			  { 19, "x25 address" },
+			  { 20, "ISDN address" },
+			  { 24, "has signature" },
+			  { 25, "has key" },
+			  { 28, "has IPv6 address" },
+			  { 29, "location" },
+			  { 0, NULL } };
 
 static char *
-rcode_totext(dns_rcode_t rcode)
-{
+rcode_totext(dns_rcode_t rcode) {
 	static char buf[sizeof("?65535")];
 	union {
 		const char *consttext;
 		char *deconsttext;
 	} totext;
 
-	if (rcode >= (sizeof(rcodetext)/sizeof(rcodetext[0]))) {
+	if (rcode >= (sizeof(rcodetext) / sizeof(rcodetext[0]))) {
 		snprintf(buf, sizeof(buf), "?%u", rcode);
 		totext.deconsttext = buf;
-	} else
+	} else {
 		totext.consttext = rcodetext[rcode];
-	return totext.deconsttext;
+	}
+	return (totext.deconsttext);
 }
 
 ISC_PLATFORM_NORETURN_PRE static void
@@ -133,35 +106,38 @@ show_usage(void) ISC_PLATFORM_NORETURN_POST;
 
 static void
 show_usage(void) {
-	fputs(
-"Usage: host [-aCdilrTvVw] [-c class] [-N ndots] [-t type] [-W time]\n"
-"            [-R number] [-m flag] hostname [server]\n"
-"       -a is equivalent to -v -t ANY\n"
-"       -A is like -a but omits RRSIG, NSEC, NSEC3\n"
-"       -c specifies query class for non-IN data\n"
-"       -C compares SOA records on authoritative nameservers\n"
-"       -d is equivalent to -v\n"
-"       -l lists all hosts in a domain, using AXFR\n"
-"       -m set memory debugging flag (trace|record|usage)\n"
-"       -N changes the number of dots allowed before root lookup is done\n"
-"       -r disables recursive processing\n"
-"       -R specifies number of retries for UDP packets\n"
-"       -s a SERVFAIL response should stop query\n"
-"       -t specifies the query type\n"
-"       -T enables TCP/IP mode\n"
-"       -U enables UDP mode\n"
-"       -v enables verbose output\n"
-"       -V print version number and exit\n"
-"       -w specifies to wait forever for a reply\n"
-"       -W specifies how long to wait for a reply\n"
-"       -4 use IPv4 query transport only\n"
-"       -6 use IPv6 query transport only\n", stderr);
+	fputs("Usage: host [-aCdilrTvVw] [-c class] [-N ndots] [-t type] [-W "
+	      "time]\n"
+	      "            [-R number] [-m flag] [-p port] hostname [server]\n"
+	      "       -a is equivalent to -v -t ANY\n"
+	      "       -A is like -a but omits RRSIG, NSEC, NSEC3\n"
+	      "       -c specifies query class for non-IN data\n"
+	      "       -C compares SOA records on authoritative nameservers\n"
+	      "       -d is equivalent to -v\n"
+	      "       -l lists all hosts in a domain, using AXFR\n"
+	      "       -m set memory debugging flag (trace|record|usage)\n"
+	      "       -N changes the number of dots allowed before root lookup "
+	      "is done\n"
+	      "       -p specifies the port on the server to query\n"
+	      "       -r disables recursive processing\n"
+	      "       -R specifies number of retries for UDP packets\n"
+	      "       -s a SERVFAIL response should stop query\n"
+	      "       -t specifies the query type\n"
+	      "       -T enables TCP/IP mode\n"
+	      "       -U enables UDP mode\n"
+	      "       -v enables verbose output\n"
+	      "       -V print version number and exit\n"
+	      "       -w specifies to wait forever for a reply\n"
+	      "       -W specifies how long to wait for a reply\n"
+	      "       -4 use IPv4 query transport only\n"
+	      "       -6 use IPv6 query transport only\n",
+	      stderr);
 	exit(1);
 }
 
 static void
 host_shutdown(void) {
-	(void) isc_app_shutdown();
+	(void)isc_app_shutdown();
 }
 
 static void
@@ -173,9 +149,9 @@ received(unsigned int bytes, isc_sockaddr_t *from, dig_query_t *query) {
 		char fromtext[ISC_SOCKADDR_FORMATSIZE];
 		isc_sockaddr_format(from, fromtext, sizeof(fromtext));
 		TIME_NOW(&now);
-		diff = (int) isc_time_microdiff(&now, &query->time_sent);
-		printf("Received %u bytes from %s in %d ms\n",
-		       bytes, fromtext, diff/1000);
+		diff = (int)isc_time_microdiff(&now, &query->time_sent);
+		printf("Received %u bytes from %s in %d ms\n", bytes, fromtext,
+		       diff / 1000);
 	}
 }
 
@@ -183,14 +159,14 @@ static void
 trying(char *frm, dig_lookup_t *lookup) {
 	UNUSED(lookup);
 
-	if (!short_form)
+	if (!short_form) {
 		printf("Trying \"%s\"\n", frm);
+	}
 }
 
 static void
 say_message(dns_name_t *name, const char *msg, dns_rdata_t *rdata,
-	    dig_query_t *query)
-{
+	    dig_query_t *query) {
 	isc_buffer_t *b = NULL;
 	char namestr[DNS_NAME_FORMATSIZE];
 	isc_region_t r;
@@ -198,7 +174,7 @@ say_message(dns_name_t *name, const char *msg, dns_rdata_t *rdata,
 	unsigned int bufsize = BUFSIZ;
 
 	dns_name_format(name, namestr, sizeof(namestr));
- retry:
+retry:
 	isc_buffer_allocate(mctx, &b, bufsize);
 	result = dns_rdata_totext(rdata, NULL, b);
 	if (result == ISC_R_NOSPACE) {
@@ -209,11 +185,9 @@ say_message(dns_name_t *name, const char *msg, dns_rdata_t *rdata,
 	check_result(result, "dns_rdata_totext");
 	isc_buffer_usedregion(b, &r);
 	if (query->lookup->identify_previous_line) {
-		printf("Nameserver %s:\n\t",
-			query->servname);
+		printf("Nameserver %s:\n\t", query->servname);
 	}
-	printf("%s %s %.*s", namestr,
-	       msg, (int)r.length, (char *)r.base);
+	printf("%s %s %.*s", namestr, msg, (int)r.length, (char *)r.base);
 	if (query->lookup->identify) {
 		printf(" on server %s", query->servname);
 	}
@@ -223,9 +197,7 @@ say_message(dns_name_t *name, const char *msg, dns_rdata_t *rdata,
 
 static isc_result_t
 printsection(dns_message_t *msg, dns_section_t sectionid,
-	     const char *section_name, bool headers,
-	     dig_query_t *query)
-{
+	     const char *section_name, bool headers, dig_query_t *query) {
 	dns_name_t *name, *print_name;
 	dns_rdataset_t *rdataset;
 	dns_rdata_t rdata = DNS_RDATA_INIT;
@@ -237,21 +209,24 @@ printsection(dns_message_t *msg, dns_section_t sectionid,
 	bool first;
 	bool no_rdata;
 
-	if (sectionid == DNS_SECTION_QUESTION)
+	if (sectionid == DNS_SECTION_QUESTION) {
 		no_rdata = true;
-	else
+	} else {
 		no_rdata = false;
+	}
 
-	if (headers)
+	if (headers) {
 		printf(";; %s SECTION:\n", section_name);
+	}
 
 	dns_name_init(&empty_name, NULL);
 
 	result = dns_message_firstname(msg, sectionid);
-	if (result == ISC_R_NOMORE)
+	if (result == ISC_R_NOMORE) {
 		return (ISC_R_SUCCESS);
-	else if (result != ISC_R_SUCCESS)
+	} else if (result != ISC_R_SUCCESS) {
 		return (result);
+	}
 
 	for (;;) {
 		name = NULL;
@@ -261,9 +236,9 @@ printsection(dns_message_t *msg, dns_section_t sectionid,
 		first = true;
 		print_name = name;
 
-		for (rdataset = ISC_LIST_HEAD(name->list);
-		     rdataset != NULL;
-		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
+		for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link))
+		{
 			if (query->lookup->rdtype == dns_rdatatype_axfr &&
 			    !((!list_addresses &&
 			       (list_type == dns_rdatatype_any ||
@@ -273,36 +248,39 @@ printsection(dns_message_t *msg, dns_section_t sectionid,
 				rdataset->type == dns_rdatatype_aaaa ||
 				rdataset->type == dns_rdatatype_ns ||
 				rdataset->type == dns_rdatatype_ptr))))
+			{
 				continue;
+			}
 			if (list_almost_all &&
-			       (rdataset->type == dns_rdatatype_rrsig ||
-				rdataset->type == dns_rdatatype_nsec ||
-				rdataset->type == dns_rdatatype_nsec3))
+			    (rdataset->type == dns_rdatatype_rrsig ||
+			     rdataset->type == dns_rdatatype_nsec ||
+			     rdataset->type == dns_rdatatype_nsec3))
+			{
 				continue;
+			}
 			if (!short_form) {
 				result = dns_rdataset_totext(rdataset,
-							     print_name,
-							     false,
-							     no_rdata,
-							     &target);
-				if (result != ISC_R_SUCCESS)
+							     print_name, false,
+							     no_rdata, &target);
+				if (result != ISC_R_SUCCESS) {
 					return (result);
+				}
 #ifdef USEINITALWS
 				if (first) {
 					print_name = &empty_name;
 					first = false;
 				}
-#else
+#else  /* ifdef USEINITALWS */
 				UNUSED(first); /* Shut up compiler. */
-#endif
+#endif /* ifdef USEINITALWS */
 			} else {
 				loopresult = dns_rdataset_first(rdataset);
 				while (loopresult == ISC_R_SUCCESS) {
 					struct rtype *t;
 					const char *rtt;
 					char typebuf[DNS_RDATATYPE_FORMATSIZE];
-					char typebuf2[DNS_RDATATYPE_FORMATSIZE
-						     + 20];
+					char typebuf2[DNS_RDATATYPE_FORMATSIZE +
+						      20];
 					dns_rdataset_current(rdataset, &rdata);
 
 					for (t = rtypes; t->text != NULL; t++) {
@@ -319,8 +297,8 @@ printsection(dns_message_t *msg, dns_section_t sectionid,
 						 "has %s record", typebuf);
 					rtt = typebuf2;
 				found:
-					say_message(print_name, rtt,
-						    &rdata, query);
+					say_message(print_name, rtt, &rdata,
+						    query);
 					dns_rdata_reset(&rdata);
 					loopresult =
 						dns_rdataset_next(rdataset);
@@ -329,18 +307,19 @@ printsection(dns_message_t *msg, dns_section_t sectionid,
 		}
 		if (!short_form) {
 			isc_buffer_usedregion(&target, &r);
-			if (no_rdata)
-				printf(";%.*s", (int)r.length,
-				       (char *)r.base);
-			else
+			if (no_rdata) {
+				printf(";%.*s", (int)r.length, (char *)r.base);
+			} else {
 				printf("%.*s", (int)r.length, (char *)r.base);
+			}
 		}
 
 		result = dns_message_nextname(msg, sectionid);
-		if (result == ISC_R_NOMORE)
+		if (result == ISC_R_NOMORE) {
 			break;
-		else if (result != ISC_R_SUCCESS)
+		} else if (result != ISC_R_SUCCESS) {
 			return (result);
+		}
 	}
 
 	return (ISC_R_SUCCESS);
@@ -348,24 +327,23 @@ printsection(dns_message_t *msg, dns_section_t sectionid,
 
 static isc_result_t
 printrdata(dns_message_t *msg, dns_rdataset_t *rdataset,
-	   const dns_name_t *owner, const char *set_name,
-	   bool headers)
-{
+	   const dns_name_t *owner, const char *set_name, bool headers) {
 	isc_buffer_t target;
 	isc_result_t result;
 	isc_region_t r;
 	char tbuf[4096];
 
 	UNUSED(msg);
-	if (headers)
+	if (headers) {
 		printf(";; %s SECTION:\n", set_name);
+	}
 
 	isc_buffer_init(&target, tbuf, sizeof(tbuf));
 
-	result = dns_rdataset_totext(rdataset, owner, false, false,
-				     &target);
-	if (result != ISC_R_SUCCESS)
+	result = dns_rdataset_totext(rdataset, owner, false, false, &target);
+	if (result != ISC_R_SUCCESS) {
 		return (result);
+	}
 	isc_buffer_usedregion(&target, &r);
 	printf("%.*s", (int)r.length, (char *)r.base);
 
@@ -385,8 +363,9 @@ chase_cnamechain(dns_message_t *msg, dns_name_t *qname) {
 		result = dns_message_findname(msg, DNS_SECTION_ANSWER, qname,
 					      dns_rdatatype_cname, 0, NULL,
 					      &rdataset);
-		if (result != ISC_R_SUCCESS)
+		if (result != ISC_R_SUCCESS) {
 			return;
+		}
 		result = dns_rdataset_first(rdataset);
 		check_result(result, "dns_rdataset_first");
 		dns_rdata_reset(&rdata);
@@ -399,9 +378,8 @@ chase_cnamechain(dns_message_t *msg, dns_name_t *qname) {
 }
 
 static isc_result_t
-printmessage(dig_query_t *query, const isc_buffer_t *msgbuf,
-	     dns_message_t *msg, bool headers)
-{
+printmessage(dig_query_t *query, const isc_buffer_t *msgbuf, dns_message_t *msg,
+	     bool headers) {
 	bool did_flag = false;
 	dns_rdataset_t *opt, *tsig = NULL;
 	const dns_name_t *tsigname;
@@ -422,8 +400,7 @@ printmessage(dig_query_t *query, const isc_buffer_t *msgbuf,
 
 		printf("Using domain server:\n");
 		printf("Name: %s\n", query->userarg);
-		isc_sockaddr_format(&query->sockaddr, sockstr,
-				    sizeof(sockstr));
+		isc_sockaddr_format(&query->sockaddr, sockstr, sizeof(sockstr));
 		printf("Address: %s\n", sockstr);
 		printf("Aliases: \n\n");
 		printed_server = true;
@@ -433,17 +410,20 @@ printmessage(dig_query_t *query, const isc_buffer_t *msgbuf,
 		char namestr[DNS_NAME_FORMATSIZE];
 		dns_name_format(query->lookup->name, namestr, sizeof(namestr));
 
-		if (query->lookup->identify_previous_line)
+		if (query->lookup->identify_previous_line) {
 			printf("Nameserver %s:\n\t%s not found: %d(%s)\n",
 			       query->servname,
-			       (msg->rcode != dns_rcode_nxdomain) ? namestr :
-			       query->lookup->textname, msg->rcode,
-			       rcode_totext(msg->rcode));
-		else
+			       (msg->rcode != dns_rcode_nxdomain)
+				       ? namestr
+				       : query->lookup->textname,
+			       msg->rcode, rcode_totext(msg->rcode));
+		} else {
 			printf("Host %s not found: %d(%s)\n",
-			       (msg->rcode != dns_rcode_nxdomain) ? namestr :
-			       query->lookup->textname, msg->rcode,
-			       rcode_totext(msg->rcode));
+			       (msg->rcode != dns_rcode_nxdomain)
+				       ? namestr
+				       : query->lookup->textname,
+			       msg->rcode, rcode_totext(msg->rcode));
+		}
 		return (ISC_R_SUCCESS);
 	}
 
@@ -521,60 +501,70 @@ printmessage(dig_query_t *query, const isc_buffer_t *msgbuf,
 		       msg->counts[DNS_SECTION_AUTHORITY],
 		       msg->counts[DNS_SECTION_ADDITIONAL]);
 		opt = dns_message_getopt(msg);
-		if (opt != NULL)
+		if (opt != NULL) {
 			printf(";; EDNS: version: %u, udp=%u\n",
 			       (unsigned int)((opt->ttl & 0x00ff0000) >> 16),
 			       (unsigned int)opt->rdclass);
+		}
 		tsigname = NULL;
 		tsig = dns_message_gettsig(msg, &tsigname);
-		if (tsig != NULL)
+		if (tsig != NULL) {
 			printf(";; PSEUDOSECTIONS: TSIG\n");
+		}
 	}
-	if (! ISC_LIST_EMPTY(msg->sections[DNS_SECTION_QUESTION]) &&
-	    !short_form) {
+	if (!ISC_LIST_EMPTY(msg->sections[DNS_SECTION_QUESTION]) && !short_form)
+	{
 		printf("\n");
 		result = printsection(msg, DNS_SECTION_QUESTION, "QUESTION",
 				      true, query);
-		if (result != ISC_R_SUCCESS)
+		if (result != ISC_R_SUCCESS) {
 			return (result);
+		}
 	}
-	if (! ISC_LIST_EMPTY(msg->sections[DNS_SECTION_ANSWER])) {
-		if (!short_form)
+	if (!ISC_LIST_EMPTY(msg->sections[DNS_SECTION_ANSWER])) {
+		if (!short_form) {
 			printf("\n");
+		}
 		result = printsection(msg, DNS_SECTION_ANSWER, "ANSWER",
 				      !short_form, query);
-		if (result != ISC_R_SUCCESS)
+		if (result != ISC_R_SUCCESS) {
 			return (result);
+		}
 	}
 
-	if (! ISC_LIST_EMPTY(msg->sections[DNS_SECTION_AUTHORITY]) &&
+	if (!ISC_LIST_EMPTY(msg->sections[DNS_SECTION_AUTHORITY]) &&
 	    !short_form) {
 		printf("\n");
 		result = printsection(msg, DNS_SECTION_AUTHORITY, "AUTHORITY",
 				      true, query);
-		if (result != ISC_R_SUCCESS)
+		if (result != ISC_R_SUCCESS) {
 			return (result);
+		}
 	}
-	if (! ISC_LIST_EMPTY(msg->sections[DNS_SECTION_ADDITIONAL]) &&
+	if (!ISC_LIST_EMPTY(msg->sections[DNS_SECTION_ADDITIONAL]) &&
 	    !short_form) {
 		printf("\n");
-		result = printsection(msg, DNS_SECTION_ADDITIONAL,
-				      "ADDITIONAL", true, query);
-		if (result != ISC_R_SUCCESS)
+		result = printsection(msg, DNS_SECTION_ADDITIONAL, "ADDITIONAL",
+				      true, query);
+		if (result != ISC_R_SUCCESS) {
 			return (result);
+		}
 	}
 	if ((tsig != NULL) && !short_form) {
 		printf("\n");
-		result = printrdata(msg, tsig, tsigname,
-				    "PSEUDOSECTION TSIG", true);
-		if (result != ISC_R_SUCCESS)
+		result = printrdata(msg, tsig, tsigname, "PSEUDOSECTION TSIG",
+				    true);
+		if (result != ISC_R_SUCCESS) {
 			return (result);
+		}
 	}
-	if (!short_form)
+	if (!short_form) {
 		printf("\n");
+	}
 
 	if (short_form && !default_lookups &&
-	    ISC_LIST_EMPTY(msg->sections[DNS_SECTION_ANSWER])) {
+	    ISC_LIST_EMPTY(msg->sections[DNS_SECTION_ANSWER]))
+	{
 		char namestr[DNS_NAME_FORMATSIZE];
 		char typestr[DNS_RDATATYPE_FORMATSIZE];
 		dns_name_format(query->lookup->name, namestr, sizeof(namestr));
@@ -586,7 +576,7 @@ printmessage(dig_query_t *query, const isc_buffer_t *msgbuf,
 	return (result);
 }
 
-static const char * optstring = "46aAc:dilnm:rst:vVwCDN:R:TUW:";
+static const char *optstring = "46aAc:dilnm:p:rst:vVwCDN:R:TUW:";
 
 /*% version */
 static void
@@ -603,52 +593,77 @@ pre_parse_args(int argc, char **argv) {
 		case 'm':
 			memdebugging = true;
 			if (strcasecmp("trace", isc_commandline_argument) == 0)
+			{
 				isc_mem_debugging |= ISC_MEM_DEBUGTRACE;
-			else if (strcasecmp("record",
-					    isc_commandline_argument) == 0)
+			} else if (strcasecmp("record",
+					      isc_commandline_argument) == 0) {
 				isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
-			else if (strcasecmp("usage",
-					    isc_commandline_argument) == 0)
+			} else if (strcasecmp("usage",
+					      isc_commandline_argument) == 0) {
 				isc_mem_debugging |= ISC_MEM_DEBUGUSAGE;
+			}
 			break;
 
 		case '4':
-			if (ipv6only)
+			if (ipv6only) {
 				fatal("only one of -4 and -6 allowed");
+			}
 			ipv4only = true;
 			break;
 		case '6':
-			if (ipv4only)
+			if (ipv4only) {
 				fatal("only one of -4 and -6 allowed");
+			}
 			ipv6only = true;
 			break;
-		case 'a': break;
-		case 'A': break;
-		case 'c': break;
-		case 'C': break;
-		case 'd': break;
+		case 'a':
+			break;
+		case 'A':
+			break;
+		case 'c':
+			break;
+		case 'C':
+			break;
+		case 'd':
+			break;
 		case 'D':
-			if (debugging)
+			if (debugging) {
 				debugtiming = true;
+			}
 			debugging = true;
 			break;
-		case 'i': break;
-		case 'l': break;
-		case 'n': break;
-		case 'N': break;
-		case 'r': break;
-		case 'R': break;
-		case 's': break;
-		case 't': break;
-		case 'T': break;
-		case 'U': break;
-		case 'v': break;
+		case 'i':
+			break;
+		case 'l':
+			break;
+		case 'n':
+			break;
+		case 'N':
+			break;
+		case 'p':
+			break;
+		case 'r':
+			break;
+		case 'R':
+			break;
+		case 's':
+			break;
+		case 't':
+			break;
+		case 'T':
+			break;
+		case 'U':
+			break;
+		case 'v':
+			break;
 		case 'V':
-			  version();
-			  exit(0);
-			  break;
-		case 'w': break;
-		case 'W': break;
+			version();
+			exit(0);
+			break;
+		case 'w':
+			break;
+		case 'W':
+			break;
 		default:
 			show_usage();
 		}
@@ -674,6 +689,7 @@ parse_args(bool is_batchfile, int argc, char **argv) {
 	lookup = make_empty_lookup();
 
 	lookup->servfail_stops = false;
+	lookup->besteffort = false;
 	lookup->comments = false;
 	short_form = !verbose;
 
@@ -693,8 +709,8 @@ parse_args(bool is_batchfile, int argc, char **argv) {
 			lookup->recurse = false;
 			break;
 		case 't':
-			if (strncasecmp(isc_commandline_argument,
-					"ixfr=", 5) == 0) {
+			if (strncasecmp(isc_commandline_argument, "ixfr=", 5) ==
+			    0) {
 				rdtype = dns_rdatatype_ixfr;
 				/* XXXMPA add error checking */
 				serial = strtoul(isc_commandline_argument + 5,
@@ -703,8 +719,8 @@ parse_args(bool is_batchfile, int argc, char **argv) {
 			} else {
 				tr.base = isc_commandline_argument;
 				tr.length = strlen(isc_commandline_argument);
-				result = dns_rdatatype_fromtext(&rdtype,
-						   (isc_textregion_t *)&tr);
+				result = dns_rdatatype_fromtext(
+					&rdtype, (isc_textregion_t *)&tr);
 			}
 
 			if (result != ISC_R_SUCCESS) {
@@ -713,8 +729,9 @@ parse_args(bool is_batchfile, int argc, char **argv) {
 				      isc_commandline_argument);
 			}
 			if (!lookup->rdtypeset ||
-			    lookup->rdtype != dns_rdatatype_axfr)
+			    lookup->rdtype != dns_rdatatype_axfr) {
 				lookup->rdtype = rdtype;
+			}
 			lookup->rdtypeset = true;
 			if (rdtype == dns_rdatatype_axfr) {
 				/* -l -t any -v */
@@ -726,18 +743,20 @@ parse_args(bool is_batchfile, int argc, char **argv) {
 				lookup->tcp_mode = true;
 				list_type = rdtype;
 			} else if (rdtype == dns_rdatatype_any) {
-				if (!lookup->tcp_mode_set)
+				if (!lookup->tcp_mode_set) {
 					lookup->tcp_mode = true;
-			} else
+				}
+			} else {
 				list_type = rdtype;
+			}
 			list_addresses = false;
 			default_lookups = false;
 			break;
 		case 'c':
 			tr.base = isc_commandline_argument;
 			tr.length = strlen(isc_commandline_argument);
-			result = dns_rdataclass_fromtext(&rdclass,
-						   (isc_textregion_t *)&tr);
+			result = dns_rdataclass_fromtext(
+				&rdclass, (isc_textregion_t *)&tr);
 
 			if (result != ISC_R_SUCCESS) {
 				fatalexit = 2;
@@ -751,11 +770,12 @@ parse_args(bool is_batchfile, int argc, char **argv) {
 			break;
 		case 'A':
 			list_almost_all = true;
-			/* FALL THROUGH */
+		/* FALL THROUGH */
 		case 'a':
 			if (!lookup->rdtypeset ||
-			    lookup->rdtype != dns_rdatatype_axfr)
+			    lookup->rdtype != dns_rdatatype_axfr) {
 				lookup->rdtype = dns_rdatatype_any;
+			}
 			list_type = dns_rdatatype_any;
 			list_addresses = false;
 			lookup->rdtypeset = true;
@@ -780,13 +800,15 @@ parse_args(bool is_batchfile, int argc, char **argv) {
 			break;
 		case 'W':
 			timeout = atoi(isc_commandline_argument);
-			if (timeout < 1)
+			if (timeout < 1) {
 				timeout = 1;
+			}
 			break;
 		case 'R':
 			tries = atoi(isc_commandline_argument) + 1;
-			if (tries < 2)
+			if (tries < 2) {
 				tries = 2;
+			}
 			break;
 		case 'T':
 			lookup->tcp_mode = true;
@@ -808,8 +830,7 @@ parse_args(bool is_batchfile, int argc, char **argv) {
 			default_lookups = false;
 			break;
 		case 'N':
-			debug("setting NDOTS to %s",
-			      isc_commandline_argument);
+			debug("setting NDOTS to %s", isc_commandline_argument);
 			ndots = atoi(isc_commandline_argument);
 			break;
 		case 'D':
@@ -824,26 +845,31 @@ parse_args(bool is_batchfile, int argc, char **argv) {
 		case 's':
 			lookup->servfail_stops = true;
 			break;
+		case 'p':
+			port = atoi(isc_commandline_argument);
+			break;
 		}
 	}
 
 	lookup->retries = tries;
 
-	if (isc_commandline_index >= argc)
+	if (isc_commandline_index >= argc) {
 		show_usage();
+	}
 
 	strlcpy(hostname, argv[isc_commandline_index], sizeof(hostname));
 
 	if (argc > isc_commandline_index + 1) {
-		set_nameserver(argv[isc_commandline_index+1]);
-		debug("server is %s", argv[isc_commandline_index+1]);
+		set_nameserver(argv[isc_commandline_index + 1]);
+		debug("server is %s", argv[isc_commandline_index + 1]);
 		listed_server = true;
-	} else
+	} else {
 		check_ra = true;
+	}
 
 	lookup->pending = false;
-	if (get_reverse(store, sizeof(store), hostname, true)
-	    == ISC_R_SUCCESS) {
+	if (get_reverse(store, sizeof(store), hostname, true) == ISC_R_SUCCESS)
+	{
 		strlcpy(lookup->textname, store, sizeof(lookup->textname));
 		lookup->rdtype = dns_rdatatype_ptr;
 		lookup->rdtypeset = true;
@@ -882,10 +908,11 @@ main(int argc, char **argv) {
 	setup_libs();
 	setup_system(ipv4only, ipv6only);
 	parse_args(false, argc, argv);
-	if (keyfile[0] != 0)
+	if (keyfile[0] != 0) {
 		setup_file_key();
-	else if (keysecret[0] != 0)
+	} else if (keysecret[0] != 0) {
 		setup_text_key();
+	}
 	result = isc_app_onrun(mctx, global_task, onrun_callback, NULL);
 	check_result(result, "isc_app_onrun");
 	isc_app_run();

bin/dig/host.docbook

@@ -1,406 +0,0 @@
-<!DOCTYPE book [
-<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
- -
- - See the COPYRIGHT file distributed with this work for additional
- - information regarding copyright ownership.
--->
-
-<!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.host">
-  <info>
-    <date>2009-01-20</date>
-  </info>
-  <refentryinfo>
-    <corpname>ISC</corpname>
-    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle>host</refentrytitle>
-    <manvolnum>1</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <refnamediv>
-    <refname>host</refname>
-    <refpurpose>DNS lookup utility</refpurpose>
-  </refnamediv>
-
-  <docinfo>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <year>2002</year>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <year>2008</year>
-      <year>2009</year>
-      <year>2014</year>
-      <year>2015</year>
-      <year>2016</year>
-      <year>2017</year>
-      <year>2018</year>
-      <year>2019</year>
-      <year>2020</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-  </docinfo>
-
-  <refsynopsisdiv>
-    <cmdsynopsis sepchar=" ">
-      <command>host</command>
-      <arg choice="opt" rep="norepeat"><option>-aACdlnrsTUwv</option></arg>
-      <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-N <replaceable class="parameter">ndots</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-R <replaceable class="parameter">number</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">type</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-W <replaceable class="parameter">wait</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-m <replaceable class="parameter">flag</replaceable></option></arg>
-      <group choice="opt" rep="norepeat">
-	<arg choice="opt" rep="norepeat"><option>-4</option></arg>
-	<arg choice="opt" rep="norepeat"><option>-6</option></arg>
-      </group>
-      <arg choice="opt" rep="norepeat"><option>-v</option></arg>
-      <arg choice="opt" rep="norepeat"><option>-V</option></arg>
-      <arg choice="req" rep="norepeat">name</arg>
-      <arg choice="opt" rep="norepeat">server</arg>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsection><info><title>DESCRIPTION</title></info>
-
-
-    <para><command>host</command>
-      is a simple utility for performing DNS lookups.
-      It is normally used to convert names to IP addresses and vice versa.
-      When no arguments or options are given,
-      <command>host</command>
-      prints a short summary of its command line arguments and options.
-    </para>
-
-    <para><parameter>name</parameter> is the domain name that is to be
-      looked
-      up.  It can also be a dotted-decimal IPv4 address or a colon-delimited
-      IPv6 address, in which case <command>host</command> will by
-      default
-      perform a reverse lookup for that address.
-      <parameter>server</parameter> is an optional argument which
-      is either
-      the name or IP address of the name server that <command>host</command>
-      should query instead of the server or servers listed in
-      <filename>/etc/resolv.conf</filename>.
-    </para>
-
-  </refsection>
-
-  <refsection><info><title>OPTIONS</title></info>
-
-    <variablelist>
-
-      <varlistentry>
-	<term>-4</term>
-	<listitem>
-	  <para>
-	    Use IPv4 only for query transport.
-	    See also the <option>-6</option> option.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-6</term>
-	<listitem>
-	  <para>
-	    Use IPv6 only for query transport.
-	    See also the <option>-4</option> option.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-a</term>
-	<listitem>
-	  <para>
-	    "All". The <option>-a</option> option is normally equivalent
-	    to <option>-v -t <literal>ANY</literal></option>.
-	    It also affects the behaviour of the <option>-l</option>
-	    list zone option.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-A</term>
-	<listitem>
-	  <para>
-	    "Almost all". The <option>-A</option> option is equivalent
-	    to <option>-a</option> except RRSIG, NSEC, and NSEC3
-	    records are omitted from the output.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-c <replaceable class="parameter">class</replaceable></term>
-	<listitem>
-	  <para>
-	    Query class: This can be used to lookup HS (Hesiod) or CH
-	    (Chaosnet) class resource records. The default class is IN
-	    (Internet).
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-C</term>
-	<listitem>
-	  <para>
-	    Check consistency: <command>host</command> will query the
-	    SOA records for zone <parameter>name</parameter> from all
-	    the listed authoritative name servers for that zone. The
-	    list of name servers is defined by the NS records that are
-	    found for the zone.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-d</term>
-	<listitem>
-	  <para>
-	    Print debugging traces.
-	    Equivalent to the <option>-v</option> verbose option.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-l</term>
-	<listitem>
-	  <para>
-	    List zone:
-	    The <command>host</command> command performs a zone transfer of
-	    zone <parameter>name</parameter> and prints out the NS,
-	    PTR and address records (A/AAAA).
-	  </para>
-	  <para>
-	    Together, the <option>-l -a</option>
-	    options print all records in the zone.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-N <replaceable class="parameter">ndots</replaceable></term>
-	<listitem>
-	  <para>
-	    The number of dots that have to be
-	    in <parameter>name</parameter> for it to be considered
-	    absolute. The default value is that defined using the
-	    ndots statement in <filename>/etc/resolv.conf</filename>,
-	    or 1 if no ndots statement is present. Names with fewer
-	    dots are interpreted as relative names and will be
-	    searched for in the domains listed in
-	    the <type>search</type> or <type>domain</type> directive
-	    in <filename>/etc/resolv.conf</filename>.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-r</term>
-	<listitem>
-	  <para>
-	    Non-recursive query:
-	    Setting this option clears the RD (recursion desired) bit
-	    in the query. This should mean that the name server
-	    receiving the query will not attempt to
-	    resolve <parameter>name</parameter>.
-	    The <option>-r</option> option
-	    enables <command>host</command> to mimic the behavior of a
-	    name server by making non-recursive queries and expecting
-	    to receive answers to those queries that can be
-	    referrals to other name servers.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-R <replaceable class="parameter">number</replaceable></term>
-	<listitem>
-	  <para>
-	    Number of retries for UDP queries:
-	    If <parameter>number</parameter> is negative or zero, the
-	    number of retries will default to 1. The default value is
-	    1, or the value of the <parameter>attempts</parameter>
-	    option in <filename>/etc/resolv.conf</filename>, if set.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-s</term>
-	<listitem>
-	  <para>
-	    Do <emphasis>not</emphasis> send the query to the next
-	    nameserver if any server responds with a SERVFAIL
-	    response, which is the reverse of normal stub resolver
-	    behavior.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-t <replaceable class="parameter">type</replaceable></term>
-	<listitem>
-	  <para>
-	    Query type:
-	    The <parameter>type</parameter> argument can be any
-	    recognized query type: CNAME, NS, SOA, TXT, DNSKEY, AXFR, etc.
-	  </para>
-	  <para>
-	    When no query type is specified, <command>host</command>
-	    automatically selects an appropriate query type. By default, it
-	    looks for A, AAAA, and MX records.
-	    If the <option>-C</option> option is given, queries will
-	    be made for SOA records.
-	    If <parameter>name</parameter> is a dotted-decimal IPv4
-	    address or colon-delimited IPv6
-	    address, <command>host</command> will query for PTR
-	    records.
-	  </para>
-	  <para>
-	    If a query type of IXFR is chosen the starting serial
-	    number can be specified by appending an equal followed by
-	    the starting serial number
-	    (like <option>-t <literal>IXFR=12345678</literal></option>).
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-T</term>
-	<term>-U</term>
-	<listitem>
-	  <para>
-	    TCP/UDP:
-	    By default, <command>host</command> uses UDP when making
-	    queries. The <option>-T</option> option makes it use a TCP
-	    connection when querying the name server. TCP will be
-	    automatically selected for queries that require it, such
-	    as zone transfer (AXFR) requests.  Type ANY queries default
-	    to TCP but can be forced to UDP initially using <option>-U</option>.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-m <replaceable class="parameter">flag</replaceable></term>
-	<listitem>
-	  <para>
-	    Memory usage debugging: the flag can
-	    be <parameter>record</parameter>, <parameter>usage</parameter>,
-	    or <parameter>trace</parameter>. You can specify
-	    the <option>-m</option> option more than once to set
-	    multiple flags.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-v</term>
-	<listitem>
-	  <para>
-	    Verbose output.
-	    Equivalent to the <option>-d</option> debug option.
-	    Verbose output can also be enabled by setting
-	    the <parameter>debug</parameter> option
-	    in <filename>/etc/resolv.conf</filename>.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-V</term>
-	<listitem>
-	  <para>
-	    Print the version number and exit.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-w</term>
-	<listitem>
-	  <para>
-	    Wait forever: The query timeout is set to the maximum possible.
-	    See also the <option>-W</option> option.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-W <replaceable class="parameter">wait</replaceable></term>
-	<listitem>
-	  <para>
-	    Timeout: Wait for up to <parameter>wait</parameter>
-	    seconds for a reply. If <parameter>wait</parameter> is
-	    less than one, the wait interval is set to one second.
-	  </para>
-	  <para>
-	    By default, <command>host</command> will wait for 5
-	    seconds for UDP responses and 10 seconds for TCP
-	    connections. These defaults can be overridden by
-	    the <parameter>timeout</parameter> option
-	    in <filename>/etc/resolv.conf</filename>.
-	  </para>
-	  <para>
-	    See also the <option>-w</option> option.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-    </variablelist>
-
-  </refsection>
-
-  <refsection><info><title>IDN SUPPORT</title></info>
-
-    <para>
-      If <command>host</command> has been built with IDN (internationalized
-      domain name) support, it can accept and display non-ASCII domain names.
-      <command>host</command> appropriately converts character encoding of
-      domain name before sending a request to DNS server or displaying a
-      reply from the server.
-      If you'd like to turn off the IDN support for some reason, define
-      the <envar>IDN_DISABLE</envar> environment variable.
-      The IDN support is disabled if the variable is set when
-      <command>host</command> runs.
-    </para>
-  </refsection>
-
-  <refsection><info><title>FILES</title></info>
-
-    <para><filename>/etc/resolv.conf</filename>
-    </para>
-  </refsection>
-
-  <refsection><info><title>SEE ALSO</title></info>
-
-    <para><citerefentry>
-        <refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>.
-    </para>
-  </refsection>
-
-</refentry>

bin/dig/host.html

@@ -1,332 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
- - 
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>host</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
-<a name="man.host"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
-<h2>Name</h2>
-<p>
-    host
-     &#8212; DNS lookup utility
-  </p>
-</div>
-
-  
-
-  <div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">host</code> 
-       [<code class="option">-aACdlnrsTUwv</code>]
-       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
-       [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>]
-       [<code class="option">-R <em class="replaceable"><code>number</code></em></code>]
-       [<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
-       [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>]
-       [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>]
-       [
-	[<code class="option">-4</code>]
-	 |  [<code class="option">-6</code>]
-      ]
-       [<code class="option">-v</code>]
-       [<code class="option">-V</code>]
-       {name}
-       [server]
-    </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-
-    <p><span class="command"><strong>host</strong></span>
-      is a simple utility for performing DNS lookups.
-      It is normally used to convert names to IP addresses and vice versa.
-      When no arguments or options are given,
-      <span class="command"><strong>host</strong></span>
-      prints a short summary of its command line arguments and options.
-    </p>
-
-    <p><em class="parameter"><code>name</code></em> is the domain name that is to be
-      looked
-      up.  It can also be a dotted-decimal IPv4 address or a colon-delimited
-      IPv6 address, in which case <span class="command"><strong>host</strong></span> will by
-      default
-      perform a reverse lookup for that address.
-      <em class="parameter"><code>server</code></em> is an optional argument which
-      is either
-      the name or IP address of the name server that <span class="command"><strong>host</strong></span>
-      should query instead of the server or servers listed in
-      <code class="filename">/etc/resolv.conf</code>.
-    </p>
-
-  </div>
-
-  <div class="refsection">
-<a name="id-1.8"></a><h2>OPTIONS</h2>
-
-    <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">-4</span></dt>
-<dd>
-	  <p>
-	    Use IPv4 only for query transport.
-	    See also the <code class="option">-6</code> option.
-	  </p>
-	</dd>
-<dt><span class="term">-6</span></dt>
-<dd>
-	  <p>
-	    Use IPv6 only for query transport.
-	    See also the <code class="option">-4</code> option.
-	  </p>
-	</dd>
-<dt><span class="term">-a</span></dt>
-<dd>
-	  <p>
-	    "All". The <code class="option">-a</code> option is normally equivalent
-	    to <code class="option">-v -t <code class="literal">ANY</code></code>.
-	    It also affects the behaviour of the <code class="option">-l</code>
-	    list zone option.
-	  </p>
-	</dd>
-<dt><span class="term">-A</span></dt>
-<dd>
-	  <p>
-	    "Almost all". The <code class="option">-A</code> option is equivalent
-	    to <code class="option">-a</code> except RRSIG, NSEC, and NSEC3
-	    records are omitted from the output.
-	  </p>
-	</dd>
-<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd>
-	  <p>
-	    Query class: This can be used to lookup HS (Hesiod) or CH
-	    (Chaosnet) class resource records. The default class is IN
-	    (Internet).
-	  </p>
-	</dd>
-<dt><span class="term">-C</span></dt>
-<dd>
-	  <p>
-	    Check consistency: <span class="command"><strong>host</strong></span> will query the
-	    SOA records for zone <em class="parameter"><code>name</code></em> from all
-	    the listed authoritative name servers for that zone. The
-	    list of name servers is defined by the NS records that are
-	    found for the zone.
-	  </p>
-	</dd>
-<dt><span class="term">-d</span></dt>
-<dd>
-	  <p>
-	    Print debugging traces.
-	    Equivalent to the <code class="option">-v</code> verbose option.
-	  </p>
-	</dd>
-<dt><span class="term">-l</span></dt>
-<dd>
-	  <p>
-	    List zone:
-	    The <span class="command"><strong>host</strong></span> command performs a zone transfer of
-	    zone <em class="parameter"><code>name</code></em> and prints out the NS,
-	    PTR and address records (A/AAAA).
-	  </p>
-	  <p>
-	    Together, the <code class="option">-l -a</code>
-	    options print all records in the zone.
-	  </p>
-	</dd>
-<dt><span class="term">-N <em class="replaceable"><code>ndots</code></em></span></dt>
-<dd>
-	  <p>
-	    The number of dots that have to be
-	    in <em class="parameter"><code>name</code></em> for it to be considered
-	    absolute. The default value is that defined using the
-	    ndots statement in <code class="filename">/etc/resolv.conf</code>,
-	    or 1 if no ndots statement is present. Names with fewer
-	    dots are interpreted as relative names and will be
-	    searched for in the domains listed in
-	    the <span class="type">search</span> or <span class="type">domain</span> directive
-	    in <code class="filename">/etc/resolv.conf</code>.
-	  </p>
-	</dd>
-<dt><span class="term">-r</span></dt>
-<dd>
-	  <p>
-	    Non-recursive query:
-	    Setting this option clears the RD (recursion desired) bit
-	    in the query. This should mean that the name server
-	    receiving the query will not attempt to
-	    resolve <em class="parameter"><code>name</code></em>.
-	    The <code class="option">-r</code> option
-	    enables <span class="command"><strong>host</strong></span> to mimic the behavior of a
-	    name server by making non-recursive queries and expecting
-	    to receive answers to those queries that can be
-	    referrals to other name servers.
-	  </p>
-	</dd>
-<dt><span class="term">-R <em class="replaceable"><code>number</code></em></span></dt>
-<dd>
-	  <p>
-	    Number of retries for UDP queries:
-	    If <em class="parameter"><code>number</code></em> is negative or zero, the
-	    number of retries will default to 1. The default value is
-	    1, or the value of the <em class="parameter"><code>attempts</code></em>
-	    option in <code class="filename">/etc/resolv.conf</code>, if set.
-	  </p>
-	</dd>
-<dt><span class="term">-s</span></dt>
-<dd>
-	  <p>
-	    Do <span class="emphasis"><em>not</em></span> send the query to the next
-	    nameserver if any server responds with a SERVFAIL
-	    response, which is the reverse of normal stub resolver
-	    behavior.
-	  </p>
-	</dd>
-<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
-<dd>
-	  <p>
-	    Query type:
-	    The <em class="parameter"><code>type</code></em> argument can be any
-	    recognized query type: CNAME, NS, SOA, TXT, DNSKEY, AXFR, etc.
-	  </p>
-	  <p>
-	    When no query type is specified, <span class="command"><strong>host</strong></span>
-	    automatically selects an appropriate query type. By default, it
-	    looks for A, AAAA, and MX records.
-	    If the <code class="option">-C</code> option is given, queries will
-	    be made for SOA records.
-	    If <em class="parameter"><code>name</code></em> is a dotted-decimal IPv4
-	    address or colon-delimited IPv6
-	    address, <span class="command"><strong>host</strong></span> will query for PTR
-	    records.
-	  </p>
-	  <p>
-	    If a query type of IXFR is chosen the starting serial
-	    number can be specified by appending an equal followed by
-	    the starting serial number
-	    (like <code class="option">-t <code class="literal">IXFR=12345678</code></code>).
-	  </p>
-	</dd>
-<dt>
-<span class="term">-T, </span><span class="term">-U</span>
-</dt>
-<dd>
-	  <p>
-	    TCP/UDP:
-	    By default, <span class="command"><strong>host</strong></span> uses UDP when making
-	    queries. The <code class="option">-T</code> option makes it use a TCP
-	    connection when querying the name server. TCP will be
-	    automatically selected for queries that require it, such
-	    as zone transfer (AXFR) requests.  Type ANY queries default
-	    to TCP but can be forced to UDP initially using <code class="option">-U</code>.
-	  </p>
-	</dd>
-<dt><span class="term">-m <em class="replaceable"><code>flag</code></em></span></dt>
-<dd>
-	  <p>
-	    Memory usage debugging: the flag can
-	    be <em class="parameter"><code>record</code></em>, <em class="parameter"><code>usage</code></em>,
-	    or <em class="parameter"><code>trace</code></em>. You can specify
-	    the <code class="option">-m</code> option more than once to set
-	    multiple flags.
-	  </p>
-	</dd>
-<dt><span class="term">-v</span></dt>
-<dd>
-	  <p>
-	    Verbose output.
-	    Equivalent to the <code class="option">-d</code> debug option.
-	    Verbose output can also be enabled by setting
-	    the <em class="parameter"><code>debug</code></em> option
-	    in <code class="filename">/etc/resolv.conf</code>.
-	  </p>
-	</dd>
-<dt><span class="term">-V</span></dt>
-<dd>
-	  <p>
-	    Print the version number and exit.
-	  </p>
-	</dd>
-<dt><span class="term">-w</span></dt>
-<dd>
-	  <p>
-	    Wait forever: The query timeout is set to the maximum possible.
-	    See also the <code class="option">-W</code> option.
-	  </p>
-	</dd>
-<dt><span class="term">-W <em class="replaceable"><code>wait</code></em></span></dt>
-<dd>
-	  <p>
-	    Timeout: Wait for up to <em class="parameter"><code>wait</code></em>
-	    seconds for a reply. If <em class="parameter"><code>wait</code></em> is
-	    less than one, the wait interval is set to one second.
-	  </p>
-	  <p>
-	    By default, <span class="command"><strong>host</strong></span> will wait for 5
-	    seconds for UDP responses and 10 seconds for TCP
-	    connections. These defaults can be overridden by
-	    the <em class="parameter"><code>timeout</code></em> option
-	    in <code class="filename">/etc/resolv.conf</code>.
-	  </p>
-	  <p>
-	    See also the <code class="option">-w</code> option.
-	  </p>
-	</dd>
-</dl></div>
-
-  </div>
-
-  <div class="refsection">
-<a name="id-1.9"></a><h2>IDN SUPPORT</h2>
-
-    <p>
-      If <span class="command"><strong>host</strong></span> has been built with IDN (internationalized
-      domain name) support, it can accept and display non-ASCII domain names.
-      <span class="command"><strong>host</strong></span> appropriately converts character encoding of
-      domain name before sending a request to DNS server or displaying a
-      reply from the server.
-      If you'd like to turn off the IDN support for some reason, define
-      the <code class="envar">IDN_DISABLE</code> environment variable.
-      The IDN support is disabled if the variable is set when
-      <span class="command"><strong>host</strong></span> runs.
-    </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.10"></a><h2>FILES</h2>
-
-    <p><code class="filename">/etc/resolv.conf</code>
-    </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.11"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-        <span class="refentrytitle">dig</span>(1)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">named</span>(8)
-      </span>.
-    </p>
-  </div>
-
-</div></body>
-</html>

bin/dig/host.rst

@@ -0,0 +1,181 @@
+.. 
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+   
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, You can obtain one at http://mozilla.org/MPL/2.0/.
+   
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
+..
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
+
+.. highlight: console
+
+.. _man_host:
+
+host - DNS lookup utility
+-------------------------
+
+Synopsis
+~~~~~~~~
+
+:program:`host` [**-aACdlnrsTUwv**] [**-c** class] [**-N** ndots] [**-p** port] [**-R** number] [**-t** type] [**-W** wait] [**-m** flag] [ [**-4**] | [**-6**] ] [**-v**] [**-V**] {name} [server]
+
+Description
+~~~~~~~~~~~
+
+``host`` is a simple utility for performing DNS lookups. It is normally
+used to convert names to IP addresses and vice versa. When no arguments
+or options are given, ``host`` prints a short summary of its command
+line arguments and options.
+
+``name`` is the domain name that is to be looked up. It can also be a
+dotted-decimal IPv4 address or a colon-delimited IPv6 address, in which
+case ``host`` will by default perform a reverse lookup for that address.
+``server`` is an optional argument which is either the name or IP
+address of the name server that ``host`` should query instead of the
+server or servers listed in ``/etc/resolv.conf``.
+
+Options
+~~~~~~~
+
+**-4**
+   Use IPv4 only for query transport. See also the ``-6`` option.
+
+**-6**
+   Use IPv6 only for query transport. See also the ``-4`` option.
+
+**-a**
+   "All". The ``-a`` option is normally equivalent to ``-v -t ANY``. It
+   also affects the behaviour of the ``-l`` list zone option.
+
+**-A**
+   "Almost all". The ``-A`` option is equivalent to ``-a`` except RRSIG,
+   NSEC, and NSEC3 records are omitted from the output.
+
+**-c** class
+   Query class: This can be used to lookup HS (Hesiod) or CH (Chaosnet)
+   class resource records. The default class is IN (Internet).
+
+**-C**
+   Check consistency: ``host`` will query the SOA records for zone
+   ``name`` from all the listed authoritative name servers for that
+   zone. The list of name servers is defined by the NS records that are
+   found for the zone.
+
+**-d**
+   Print debugging traces. Equivalent to the ``-v`` verbose option.
+
+**-l**
+   List zone: The ``host`` command performs a zone transfer of zone
+   ``name`` and prints out the NS, PTR and address records (A/AAAA).
+
+   Together, the ``-l -a`` options print all records in the zone.
+
+**-N** ndots
+   The number of dots that have to be in ``name`` for it to be
+   considered absolute. The default value is that defined using the
+   ndots statement in ``/etc/resolv.conf``, or 1 if no ndots statement
+   is present. Names with fewer dots are interpreted as relative names
+   and will be searched for in the domains listed in the ``search`` or
+   ``domain`` directive in ``/etc/resolv.conf``.
+
+**-p** port
+   Specify the port on the server to query. The default is 53.
+
+**-r**
+   Non-recursive query: Setting this option clears the RD (recursion
+   desired) bit in the query. This should mean that the name server
+   receiving the query will not attempt to resolve ``name``. The ``-r``
+   option enables ``host`` to mimic the behavior of a name server by
+   making non-recursive queries and expecting to receive answers to
+   those queries that can be referrals to other name servers.
+
+**-R** number
+   Number of retries for UDP queries: If ``number`` is negative or zero,
+   the number of retries will default to 1. The default value is 1, or
+   the value of the ``attempts`` option in ``/etc/resolv.conf``, if set.
+
+**-s**
+   Do *not* send the query to the next nameserver if any server responds
+   with a SERVFAIL response, which is the reverse of normal stub
+   resolver behavior.
+
+**-t** type
+   Query type: The ``type`` argument can be any recognized query type:
+   CNAME, NS, SOA, TXT, DNSKEY, AXFR, etc.
+
+   When no query type is specified, ``host`` automatically selects an
+   appropriate query type. By default, it looks for A, AAAA, and MX
+   records. If the ``-C`` option is given, queries will be made for SOA
+   records. If ``name`` is a dotted-decimal IPv4 address or
+   colon-delimited IPv6 address, ``host`` will query for PTR records.
+
+   If a query type of IXFR is chosen the starting serial number can be
+   specified by appending an equal followed by the starting serial
+   number (like ``-t IXFR=12345678``).
+
+**-T**; **-U**
+   TCP/UDP: By default, ``host`` uses UDP when making queries. The
+   ``-T`` option makes it use a TCP connection when querying the name
+   server. TCP will be automatically selected for queries that require
+   it, such as zone transfer (AXFR) requests. Type ANY queries default
+   to TCP but can be forced to UDP initially using ``-U``.
+
+**-m** flag
+   Memory usage debugging: the flag can be ``record``, ``usage``, or
+   ``trace``. You can specify the ``-m`` option more than once to set
+   multiple flags.
+
+**-v**
+   Verbose output. Equivalent to the ``-d`` debug option. Verbose output
+   can also be enabled by setting the ``debug`` option in
+   ``/etc/resolv.conf``.
+
+**-V**
+   Print the version number and exit.
+
+**-w**
+   Wait forever: The query timeout is set to the maximum possible. See
+   also the ``-W`` option.
+
+**-W** wait
+   Timeout: Wait for up to ``wait`` seconds for a reply. If ``wait`` is
+   less than one, the wait interval is set to one second.
+
+   By default, ``host`` will wait for 5 seconds for UDP responses and 10
+   seconds for TCP connections. These defaults can be overridden by the
+   ``timeout`` option in ``/etc/resolv.conf``.
+
+   See also the ``-w`` option.
+
+IDN Support
+~~~~~~~~~~~
+
+If ``host`` has been built with IDN (internationalized domain name)
+support, it can accept and display non-ASCII domain names. ``host``
+appropriately converts character encoding of domain name before sending
+a request to DNS server or displaying a reply from the server. If you'd
+like to turn off the IDN support for some reason, define the IDN_DISABLE
+environment variable. The IDN support is disabled if the variable is set
+when ``host`` runs.
+
+Files
+~~~~~
+
+``/etc/resolv.conf``
+
+See Also
+~~~~~~~~
+
+:manpage:`dig(1)`, :manpage:`named(8)`.

bin/dig/include/.clang-format

@@ -0,0 +1 @@
+../../../.clang-format.headers

bin/dig/include/dig/dig.h

@@ -17,10 +17,6 @@
 #include <inttypes.h>
 #include <stdbool.h>
 
-#include <dns/rdatalist.h>
-
-#include <dst/dst.h>
-
 #include <isc/buffer.h>
 #include <isc/bufferlist.h>
 #include <isc/formatcheck.h>
@@ -32,20 +28,24 @@
 #include <isc/sockaddr.h>
 #include <isc/socket.h>
 
+#include <dns/rdatalist.h>
+
+#include <dst/dst.h>
+
 #ifdef __APPLE__
 #include <TargetConditionals.h>
-#endif
+#endif /* ifdef __APPLE__ */
 
 #define MXSERV 20
-#define MXNAME (DNS_NAME_MAXTEXT+1)
-#define MXRD 32
+#define MXNAME (DNS_NAME_MAXTEXT + 1)
+#define MXRD   32
 /*% Buffer Size */
-#define BUFSIZE 512
+#define BUFSIZE	 512
 #define COMMSIZE 0xffff
 #ifndef RESOLV_CONF
 /*% location of resolve.conf */
 #define RESOLV_CONF "/etc/resolv.conf"
-#endif
+#endif /* ifndef RESOLV_CONF */
 /*% output buffer */
 #define OUTPUTBUF 32767
 /*% Max RR Limit */
@@ -77,155 +77,111 @@
 ISC_LANG_BEGINDECLS
 
 typedef struct dig_lookup dig_lookup_t;
-typedef struct dig_query dig_query_t;
+typedef struct dig_query  dig_query_t;
 typedef struct dig_server dig_server_t;
 typedef ISC_LIST(dig_server_t) dig_serverlist_t;
 typedef struct dig_searchlist dig_searchlist_t;
 
-#define DIG_QUERY_MAGIC		ISC_MAGIC('D','i','g','q')
-
-#define DIG_VALID_QUERY(x)	ISC_MAGIC_VALID((x), DIG_QUERY_MAGIC)
+#define DIG_QUERY_MAGIC ISC_MAGIC('D', 'i', 'g', 'q')
 
+#define DIG_VALID_QUERY(x) ISC_MAGIC_VALID((x), DIG_QUERY_MAGIC)
 
 /*% The dig_lookup structure */
 struct dig_lookup {
-	bool
-		pending, /*%< Pending a successful answer */
-		waiting_connect,
-		doing_xfr,
-		ns_search_only, /*%< dig +nssearch, host -C */
+	bool pending, /*%< Pending a successful answer */
+		waiting_connect, doing_xfr, ns_search_only, /*%< dig
+							     * +nssearch,
+							     * host -C */
 		identify, /*%< Append an "on server <foo>" message */
 		identify_previous_line, /*% Prepend a "Nameserver <foo>:"
-					   message, with newline and tab */
-		ignore,
-		recurse,
-		aaonly,
-		adflag,
-		cdflag,
-		raflag,
-		tcflag,
-		zflag,
-		trace, /*% dig +trace */
-		trace_root, /*% initial query for either +trace or +nssearch */
-		tcp_mode,
-		tcp_mode_set,
-		comments,
-		stats,
-		section_question,
-		section_answer,
-		section_authority,
-		section_additional,
-		servfail_stops,
-		new_search,
-		need_search,
-		done_as_is,
-		besteffort,
-		dnssec,
-		expire,
-		sendcookie,
-		seenbadcookie,
-		badcookie,
-		nsid,   /*% Name Server ID (RFC 5001) */
-		tcp_keepalive,
-		header_only,
-		ednsneg,
-		mapped,
-		print_unknown_format,
-		multiline,
-		nottl,
-		noclass,
-		onesoa,
-		use_usec,
-		nocrypto,
-		ttlunits,
-		idnin,
-		idnout,
-		expandaaaa,
-		qr,
-		accept_reply_unexpected_src;  /*%  print replies from unexpected
-						   sources. */
-	char textname[MXNAME]; /*% Name we're going to be looking up */
-	char cmdline[MXNAME];
-	dns_rdatatype_t rdtype;
-	dns_rdatatype_t qrdtype;
+					 * message, with newline and tab */
+		ignore, recurse, aaonly, adflag, cdflag, raflag, tcflag, zflag,
+		trace,	    /*% dig +trace */
+		trace_root, /*% initial query for either +trace or +nssearch
+			     * */
+		tcp_mode, tcp_mode_set, comments, stats, section_question,
+		section_answer, section_authority, section_additional,
+		servfail_stops, new_search, need_search, done_as_is, besteffort,
+		dnssec, expire, sendcookie, seenbadcookie, badcookie,
+		nsid, /*% Name Server ID (RFC 5001) */
+		tcp_keepalive, header_only, ednsneg, mapped,
+		print_unknown_format, multiline, nottl, noclass, onesoa,
+		use_usec, nocrypto, ttlunits, idnin, idnout, expandaaaa, qr,
+		accept_reply_unexpected_src; /*%  print replies from
+					      * unexpected
+					      *   sources. */
+	char textname[MXNAME];		     /*% Name we're going to be
+					      * looking up */
+	char		 cmdline[MXNAME];
+	dns_rdatatype_t	 rdtype;
+	dns_rdatatype_t	 qrdtype;
 	dns_rdataclass_t rdclass;
-	bool rdtypeset;
-	bool rdclassset;
-	char name_space[BUFSIZE];
-	char oname_space[BUFSIZE];
-	isc_buffer_t namebuf;
-	isc_buffer_t onamebuf;
-	isc_buffer_t renderbuf;
-	char *sendspace;
-	dns_name_t *name;
-	isc_interval_t interval;
-	dns_message_t *sendmsg;
-	dns_name_t *oname;
+	bool		 rdtypeset;
+	bool		 rdclassset;
+	char		 name_space[BUFSIZE];
+	char		 oname_space[BUFSIZE];
+	isc_buffer_t	 namebuf;
+	isc_buffer_t	 onamebuf;
+	isc_buffer_t	 renderbuf;
+	char *		 sendspace;
+	dns_name_t *	 name;
+	isc_interval_t	 interval;
+	dns_message_t *	 sendmsg;
+	dns_name_t *	 oname;
 	ISC_LINK(dig_lookup_t) link;
 	ISC_LIST(dig_query_t) q;
 	ISC_LIST(dig_query_t) connecting;
-	dig_query_t *current_query;
-	dig_serverlist_t my_server_list;
+	dig_query_t *	  current_query;
+	dig_serverlist_t  my_server_list;
 	dig_searchlist_t *origin;
-	dig_query_t *xfr_q;
-	uint32_t retries;
-	int nsfound;
-	uint16_t udpsize;
-	int16_t edns;
-	int16_t padding;
-	uint32_t ixfr_serial;
-	isc_buffer_t rdatabuf;
-	char rdatastore[MXNAME];
-	dst_context_t *tsigctx;
-	isc_buffer_t *querysig;
-	uint32_t msgcounter;
-	dns_fixedname_t fdomain;
-	isc_sockaddr_t *ecs_addr;
-	char *cookie;
-	dns_ednsopt_t *ednsopts;
-	unsigned int ednsoptscnt;
-	isc_dscp_t dscp;
-	unsigned int ednsflags;
-	dns_opcode_t opcode;
-	int rrcomments;
-	unsigned int eoferr;
+	dig_query_t *	  xfr_q;
+	uint32_t	  retries;
+	int		  nsfound;
+	uint16_t	  udpsize;
+	int16_t		  edns;
+	int16_t		  padding;
+	uint32_t	  ixfr_serial;
+	isc_buffer_t	  rdatabuf;
+	char		  rdatastore[MXNAME];
+	dst_context_t *	  tsigctx;
+	isc_buffer_t *	  querysig;
+	uint32_t	  msgcounter;
+	dns_fixedname_t	  fdomain;
+	isc_sockaddr_t *  ecs_addr;
+	char *		  cookie;
+	dns_ednsopt_t *	  ednsopts;
+	unsigned int	  ednsoptscnt;
+	isc_dscp_t	  dscp;
+	unsigned int	  ednsflags;
+	dns_opcode_t	  opcode;
+	int		  rrcomments;
+	unsigned int	  eoferr;
 };
 
 /*% The dig_query structure */
 struct dig_query {
-	unsigned int magic;
+	unsigned int  magic;
 	dig_lookup_t *lookup;
-	bool waiting_connect,
-		pending_free,
-		waiting_senddone,
-		first_pass,
-		first_soa_rcvd,
-		second_rr_rcvd,
-		first_repeat_rcvd,
-		recv_made,
-		warn_id,
-		timedout;
-	uint32_t first_rr_serial;
-	uint32_t second_rr_serial;
-	uint32_t msg_count;
-	uint32_t rr_count;
-	bool ixfr_axfr;
-	char *servname;
-	char *userarg;
-	isc_buffer_t recvbuf,
-		lengthbuf,
-		tmpsendbuf,
-		sendbuf;
-	char *recvspace, *tmpsendspace,
-		lengthspace[4];
+	bool waiting_connect, pending_free, waiting_senddone, first_pass,
+		first_soa_rcvd, second_rr_rcvd, first_repeat_rcvd, recv_made,
+		warn_id, timedout;
+	uint32_t      first_rr_serial;
+	uint32_t      second_rr_serial;
+	uint32_t      msg_count;
+	uint32_t      rr_count;
+	bool	      ixfr_axfr;
+	char *	      servname;
+	char *	      userarg;
+	isc_buffer_t  recvbuf, lengthbuf, tmpsendbuf, sendbuf;
+	char *	      recvspace, *tmpsendspace, lengthspace[4];
 	isc_socket_t *sock;
 	ISC_LINK(dig_query_t) link;
 	ISC_LINK(dig_query_t) clink;
 	isc_sockaddr_t sockaddr;
-	isc_time_t time_sent;
-	isc_time_t time_recv;
-	uint64_t byte_count;
-	isc_timer_t *timer;
+	isc_time_t     time_sent;
+	isc_time_t     time_recv;
+	uint64_t       byte_count;
+	isc_timer_t *  timer;
 };
 
 struct dig_server {
@@ -246,38 +202,38 @@ typedef ISC_LIST(dig_lookup_t) dig_lookuplist_t;
  * Externals from dighost.c
  */
 
-extern dig_lookuplist_t lookup_list;
-extern dig_serverlist_t server_list;
+extern dig_lookuplist_t	    lookup_list;
+extern dig_serverlist_t	    server_list;
 extern dig_searchlistlist_t search_list;
-extern unsigned int extrabytes;
+extern unsigned int	    extrabytes;
 
-extern bool check_ra, have_ipv4, have_ipv6, specified_source,
-	usesearch, showsearch, yaml;
-extern in_port_t port;
-extern unsigned int timeout;
-extern isc_mem_t *mctx;
-extern int sendcount;
-extern int ndots;
-extern int lookup_counter;
-extern int exitcode;
-extern isc_sockaddr_t bind_address;
-extern char keynametext[MXNAME];
-extern char keyfile[MXNAME];
-extern char keysecret[MXNAME];
+extern bool check_ra, have_ipv4, have_ipv6, specified_source, usesearch,
+	showsearch, yaml;
+extern in_port_t	 port;
+extern unsigned int	 timeout;
+extern isc_mem_t *	 mctx;
+extern int		 sendcount;
+extern int		 ndots;
+extern int		 lookup_counter;
+extern int		 exitcode;
+extern isc_sockaddr_t	 bind_address;
+extern char		 keynametext[MXNAME];
+extern char		 keyfile[MXNAME];
+extern char		 keysecret[MXNAME];
 extern const dns_name_t *hmacname;
-extern unsigned int digestbits;
-extern dns_tsigkey_t *tsigkey;
-extern bool validated;
-extern isc_taskmgr_t *taskmgr;
-extern isc_task_t *global_task;
-extern bool free_now;
-extern bool debugging, debugtiming, memdebugging;
-extern bool keep_open;
+extern unsigned int	 digestbits;
+extern dns_tsigkey_t *	 tsigkey;
+extern bool		 validated;
+extern isc_taskmgr_t *	 taskmgr;
+extern isc_task_t *	 global_task;
+extern bool		 free_now;
+extern bool		 debugging, debugtiming, memdebugging;
+extern bool		 keep_open;
 
 extern char *progname;
-extern int tries;
-extern int fatalexit;
-extern bool verbose;
+extern int   tries;
+extern int   fatalexit;
+extern bool  verbose;
 
 /*
  * Routines in dighost.c.
@@ -293,14 +249,13 @@ get_reverse(char *reverse, size_t len, char *value, bool strict);
 
 ISC_PLATFORM_NORETURN_PRE void
 fatal(const char *format, ...)
-ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST;
+	ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST;
 
 void
 warn(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
 
 ISC_PLATFORM_NORETURN_PRE void
-digexit(void)
-ISC_PLATFORM_NORETURN_POST;
+digexit(void) ISC_PLATFORM_NORETURN_POST;
 
 void
 debug(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
@@ -333,12 +288,10 @@ void
 setup_system(bool ipv4only, bool ipv6only);
 
 isc_result_t
-parse_uint(uint32_t *uip, const char *value, uint32_t max,
-	   const char *desc);
+parse_uint(uint32_t *uip, const char *value, uint32_t max, const char *desc);
 
 isc_result_t
-parse_xint(uint32_t *uip, const char *value, uint32_t max,
-	   const char *desc);
+parse_xint(uint32_t *uip, const char *value, uint32_t max, const char *desc);
 
 isc_result_t
 parse_netprefix(isc_sockaddr_t **sap, const char *value);
@@ -365,8 +318,7 @@ void
 set_nameserver(char *opt);
 
 void
-clone_server_list(dig_serverlist_t src,
-		  dig_serverlist_t *dest);
+clone_server_list(dig_serverlist_t src, dig_serverlist_t *dest);
 
 void
 cancel_all(void);
@@ -381,54 +333,50 @@ set_search_domain(char *domain);
  * Routines to be defined in dig.c, host.c, and nslookup.c. and
  * then assigned to the appropriate function pointer
  */
-extern isc_result_t
-(*dighost_printmessage)(dig_query_t *query, const isc_buffer_t *msgbuf,
-			dns_message_t *msg, bool headers);
+extern isc_result_t (*dighost_printmessage)(dig_query_t *	query,
+					    const isc_buffer_t *msgbuf,
+					    dns_message_t *msg, bool headers);
 
 /*
  * Print an error message in the appropriate format.
  */
-extern void
-(*dighost_error)(const char *format, ...);
+extern void (*dighost_error)(const char *format, ...);
 
 /*
  * Print a warning message in the appropriate format.
  */
-extern void
-(*dighost_warning)(const char *format, ...);
+extern void (*dighost_warning)(const char *format, ...);
 
 /*
  * Print a comment in the appropriate format.
  */
-extern void
-(*dighost_comments)(dig_lookup_t *lookup, const char *format, ...);
+extern void (*dighost_comments)(dig_lookup_t *lookup, const char *format, ...);
 
 /*%<
  * Print the final result of the lookup.
  */
 
-extern void
-(*dighost_received)(unsigned int bytes, isc_sockaddr_t *from,
-		    dig_query_t *query);
+extern void (*dighost_received)(unsigned int bytes, isc_sockaddr_t *from,
+				dig_query_t *query);
 /*%<
  * Print a message about where and when the response
  * was received from, like the final comment in the
  * output of "dig".
  */
 
-extern void
-(*dighost_trying)(char *frm, dig_lookup_t *lookup);
+extern void (*dighost_trying)(char *frm, dig_lookup_t *lookup);
 
-extern void
-(*dighost_shutdown)(void);
+extern void (*dighost_shutdown)(void);
 
-extern void
-(*dighost_pre_exit_hook)(void);
+extern void (*dighost_pre_exit_hook)(void);
 
-void save_opt(dig_lookup_t *lookup, char *code, char *value);
+void
+save_opt(dig_lookup_t *lookup, char *code, char *value);
 
-void setup_file_key(void);
-void setup_text_key(void);
+void
+setup_file_key(void);
+void
+setup_text_key(void);
 
 /*
  * Routines exported from dig.c for use by dig for iOS
@@ -467,4 +415,4 @@ dig_shutdown(void);
 
 ISC_LANG_ENDDECLS
 
-#endif
+#endif /* ifndef DIG_H */

bin/dig/nslookup.1

@@ -1,305 +0,0 @@
-.\" Copyright (C) 2004-2007, 2010, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
-.\" 
-.\" This Source Code Form is subject to the terms of the Mozilla Public
-.\" License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
-.\"
-.hy 0
-.ad l
-'\" t
-.\"     Title: nslookup
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\"      Date: 2014-01-24
-.\"    Manual: BIND9
-.\"    Source: ISC
-.\"  Language: English
-.\"
-.TH "NSLOOKUP" "1" "2014\-01\-24" "ISC" "BIND9"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el       .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-nslookup \- query Internet name servers interactively
-.SH "SYNOPSIS"
-.HP \w'\fBnslookup\fR\ 'u
-\fBnslookup\fR [\fB\-option\fR] [name\ |\ \-] [server]
-.SH "DESCRIPTION"
-.PP
-\fBNslookup\fR
-is a program to query Internet domain name servers\&.
-\fBNslookup\fR
-has two modes: interactive and non\-interactive\&. Interactive mode allows the user to query name servers for information about various hosts and domains or to print a list of hosts in a domain\&. Non\-interactive mode is used to print just the name and requested information for a host or domain\&.
-.SH "ARGUMENTS"
-.PP
-Interactive mode is entered in the following cases:
-.sp
-.RS 4
-.ie n \{\
-\h'-04' 1.\h'+01'\c
-.\}
-.el \{\
-.sp -1
-.IP "  1." 4.2
-.\}
-when no arguments are given (the default name server will be used)
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04' 2.\h'+01'\c
-.\}
-.el \{\
-.sp -1
-.IP "  2." 4.2
-.\}
-when the first argument is a hyphen (\-) and the second argument is the host name or Internet address of a name server\&.
-.RE
-.PP
-Non\-interactive mode is used when the name or Internet address of the host to be looked up is given as the first argument\&. The optional second argument specifies the host name or address of a name server\&.
-.PP
-Options can also be specified on the command line if they precede the arguments and are prefixed with a hyphen\&. For example, to change the default query type to host information, and the initial timeout to 10 seconds, type:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-nslookup \-query=hinfo  \-timeout=10
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-The
-\fB\-version\fR
-option causes
-\fBnslookup\fR
-to print the version number and immediately exits\&.
-.SH "INTERACTIVE COMMANDS"
-.PP
-\fBhost\fR [server]
-.RS 4
-Look up information for host using the current default server or using server, if specified\&. If host is an Internet address and the query type is A or PTR, the name of the host is returned\&. If host is a name and does not have a trailing period, the search list is used to qualify the name\&.
-.sp
-To look up a host not in the current domain, append a period to the name\&.
-.RE
-.PP
-\fBserver\fR \fIdomain\fR
-.RS 4
-.RE
-.PP
-\fBlserver\fR \fIdomain\fR
-.RS 4
-Change the default server to
-\fIdomain\fR;
-\fBlserver\fR
-uses the initial server to look up information about
-\fIdomain\fR, while
-\fBserver\fR
-uses the current default server\&. If an authoritative answer can\*(Aqt be found, the names of servers that might have the answer are returned\&.
-.RE
-.PP
-\fBroot\fR
-.RS 4
-not implemented
-.RE
-.PP
-\fBfinger\fR
-.RS 4
-not implemented
-.RE
-.PP
-\fBls\fR
-.RS 4
-not implemented
-.RE
-.PP
-\fBview\fR
-.RS 4
-not implemented
-.RE
-.PP
-\fBhelp\fR
-.RS 4
-not implemented
-.RE
-.PP
-\fB?\fR
-.RS 4
-not implemented
-.RE
-.PP
-\fBexit\fR
-.RS 4
-Exits the program\&.
-.RE
-.PP
-\fBset\fR \fIkeyword\fR\fI[=value]\fR
-.RS 4
-This command is used to change state information that affects the lookups\&. Valid keywords are:
-.PP
-\fBall\fR
-.RS 4
-Prints the current values of the frequently used options to
-\fBset\fR\&. Information about the current default server and host is also printed\&.
-.RE
-.PP
-\fBclass=\fR\fIvalue\fR
-.RS 4
-Change the query class to one of:
-.PP
-\fBIN\fR
-.RS 4
-the Internet class
-.RE
-.PP
-\fBCH\fR
-.RS 4
-the Chaos class
-.RE
-.PP
-\fBHS\fR
-.RS 4
-the Hesiod class
-.RE
-.PP
-\fBANY\fR
-.RS 4
-wildcard
-.RE
-.sp
-The class specifies the protocol group of the information\&.
-.sp
-(Default = IN; abbreviation = cl)
-.RE
-.PP
-\fB\fI[no]\fR\fR\fBdebug\fR
-.RS 4
-Turn on or off the display of the full response packet and any intermediate response packets when searching\&.
-.sp
-(Default = nodebug; abbreviation =
-[no]deb)
-.RE
-.PP
-\fB\fI[no]\fR\fR\fBd2\fR
-.RS 4
-Turn debugging mode on or off\&. This displays more about what nslookup is doing\&.
-.sp
-(Default = nod2)
-.RE
-.PP
-\fBdomain=\fR\fIname\fR
-.RS 4
-Sets the search list to
-\fIname\fR\&.
-.RE
-.PP
-\fB\fI[no]\fR\fR\fBsearch\fR
-.RS 4
-If the lookup request contains at least one period but doesn\*(Aqt end with a trailing period, append the domain names in the domain search list to the request until an answer is received\&.
-.sp
-(Default = search)
-.RE
-.PP
-\fBport=\fR\fIvalue\fR
-.RS 4
-Change the default TCP/UDP name server port to
-\fIvalue\fR\&.
-.sp
-(Default = 53; abbreviation = po)
-.RE
-.PP
-\fBquerytype=\fR\fIvalue\fR
-.RS 4
-.RE
-.PP
-\fBtype=\fR\fIvalue\fR
-.RS 4
-Change the type of the information query\&.
-.sp
-(Default = A; abbreviations = q, ty)
-.RE
-.PP
-\fB\fI[no]\fR\fR\fBrecurse\fR
-.RS 4
-Tell the name server to query other servers if it does not have the information\&.
-.sp
-(Default = recurse; abbreviation = [no]rec)
-.RE
-.PP
-\fBndots=\fR\fInumber\fR
-.RS 4
-Set the number of dots (label separators) in a domain that will disable searching\&. Absolute names always stop searching\&.
-.RE
-.PP
-\fBretry=\fR\fInumber\fR
-.RS 4
-Set the number of retries to number\&.
-.RE
-.PP
-\fBtimeout=\fR\fInumber\fR
-.RS 4
-Change the initial timeout interval for waiting for a reply to number seconds\&.
-.RE
-.PP
-\fB\fI[no]\fR\fR\fBvc\fR
-.RS 4
-Always use a virtual circuit when sending requests to the server\&.
-.sp
-(Default = novc)
-.RE
-.PP
-\fB\fI[no]\fR\fR\fBfail\fR
-.RS 4
-Try the next nameserver if a nameserver responds with SERVFAIL or a referral (nofail) or terminate query (fail) on such a response\&.
-.sp
-(Default = nofail)
-.RE
-.sp
-.RE
-.SH "RETURN VALUES"
-.PP
-\fBnslookup\fR
-returns with an exit status of 1 if any query failed, and 0 otherwise\&.
-.SH "IDN SUPPORT"
-.PP
-If
-\fBnslookup\fR
-has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names\&.
-\fBnslookup\fR
-appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server\&. If you\*(Aqd like to turn off the IDN support for some reason, define the
-\fBIDN_DISABLE\fR
-environment variable\&. The IDN support is disabled if the variable is set when
-\fBnslookup\fR
-runs or when the standard output is not a tty\&.
-.SH "FILES"
-.PP
-/etc/resolv\&.conf
-.SH "SEE ALSO"
-.PP
-\fBdig\fR(1),
-\fBhost\fR(1),
-\fBnamed\fR(8)\&.
-.SH "AUTHOR"
-.PP
-\fBInternet Systems Consortium, Inc\&.\fR
-.SH "COPYRIGHT"
-.br
-Copyright \(co 2004-2007, 2010, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
-.br

bin/dig/nslookup.c

@@ -18,22 +18,22 @@
 #include <isc/buffer.h>
 #include <isc/commandline.h>
 #include <isc/event.h>
+#include <isc/netaddr.h>
 #include <isc/parseint.h>
 #include <isc/print.h>
 #include <isc/string.h>
-#include <isc/util.h>
 #include <isc/task.h>
-#include <isc/netaddr.h>
+#include <isc/util.h>
 
+#include <dns/byaddr.h>
+#include <dns/fixedname.h>
 #include <dns/message.h>
 #include <dns/name.h>
-#include <dns/fixedname.h>
 #include <dns/rdata.h>
 #include <dns/rdataclass.h>
 #include <dns/rdataset.h>
 #include <dns/rdatastruct.h>
 #include <dns/rdatatype.h>
-#include <dns/byaddr.h>
 
 #include <dig/dig.h>
 
@@ -42,25 +42,23 @@
 #include <edit/readline/readline.h>
 #if defined(HAVE_EDIT_READLINE_HISTORY_H)
 #include <edit/readline/history.h>
-#endif
+#endif /* if defined(HAVE_EDIT_READLINE_HISTORY_H) */
 #elif defined(HAVE_EDITLINE_READLINE_H)
 #include <editline/readline.h>
 #elif defined(HAVE_READLINE_READLINE_H)
 #include <readline/readline.h>
-#if defined (HAVE_READLINE_HISTORY_H)
+#if defined(HAVE_READLINE_HISTORY_H)
 #include <readline/history.h>
-#endif
-#endif
-#endif
+#endif /* if defined(HAVE_READLINE_HISTORY_H) */
+#endif /* if defined(HAVE_EDIT_READLINE_READLINE_H) */
+#endif /* if defined(HAVE_READLINE) */
 
-static bool short_form = true,
-	tcpmode = false, tcpmode_set = false,
-	identify = false, stats = true,
-	comments = true, section_question = true,
-	section_answer = true, section_authority = true,
-	section_additional = true, recurse = true,
-	aaonly = false, nofail = true,
-	default_lookups = true, a_noanswer = false;
+static bool short_form = true, tcpmode = false, tcpmode_set = false,
+	    identify = false, stats = true, comments = true,
+	    section_question = true, section_answer = true,
+	    section_authority = true, section_additional = true, recurse = true,
+	    aaonly = false, nofail = true, default_lookups = true,
+	    a_noanswer = false;
 
 static bool interactive;
 
@@ -72,91 +70,80 @@ static int query_error = 1, print_error = 0;
 
 static char domainopt[DNS_NAME_MAXTEXT];
 
-static const char *rcodetext[] = {
-	"NOERROR",
-	"FORMERR",
-	"SERVFAIL",
-	"NXDOMAIN",
-	"NOTIMP",
-	"REFUSED",
-	"YXDOMAIN",
-	"YXRRSET",
-	"NXRRSET",
-	"NOTAUTH",
-	"NOTZONE",
-	"RESERVED11",
-	"RESERVED12",
-	"RESERVED13",
-	"RESERVED14",
-	"RESERVED15",
-	"BADVERS"
-};
+static const char *rcodetext[] = { "NOERROR",	 "FORMERR",    "SERVFAIL",
+				   "NXDOMAIN",	 "NOTIMP",     "REFUSED",
+				   "YXDOMAIN",	 "YXRRSET",    "NXRRSET",
+				   "NOTAUTH",	 "NOTZONE",    "RESERVED11",
+				   "RESERVED12", "RESERVED13", "RESERVED14",
+				   "RESERVED15", "BADVERS" };
 
 static const char *rtypetext[] = {
-	"rtype_0 = ",			/* 0 */
-	"internet address = ",		/* 1 */
-	"nameserver = ",		/* 2 */
-	"md = ",			/* 3 */
-	"mf = ",			/* 4 */
-	"canonical name = ",		/* 5 */
-	"soa = ",			/* 6 */
-	"mb = ",			/* 7 */
-	"mg = ",			/* 8 */
-	"mr = ",			/* 9 */
-	"rtype_10 = ",			/* 10 */
-	"protocol = ",			/* 11 */
-	"name = ",			/* 12 */
-	"hinfo = ",			/* 13 */
-	"minfo = ",			/* 14 */
-	"mail exchanger = ",		/* 15 */
-	"text = ",			/* 16 */
-	"rp = ",       			/* 17 */
-	"afsdb = ",			/* 18 */
-	"x25 address = ",		/* 19 */
-	"isdn address = ",		/* 20 */
-	"rt = ",			/* 21 */
-	"nsap = ",			/* 22 */
-	"nsap_ptr = ",			/* 23 */
-	"signature = ",			/* 24 */
-	"key = ",			/* 25 */
-	"px = ",			/* 26 */
-	"gpos = ",			/* 27 */
-	"has AAAA address ",		/* 28 */
-	"loc = ",			/* 29 */
-	"next = ",			/* 30 */
-	"rtype_31 = ",			/* 31 */
-	"rtype_32 = ",			/* 32 */
-	"service = ",			/* 33 */
-	"rtype_34 = ",			/* 34 */
-	"naptr = ",			/* 35 */
-	"kx = ",			/* 36 */
-	"cert = ",			/* 37 */
-	"v6 address = ",		/* 38 */
-	"dname = ",			/* 39 */
-	"rtype_40 = ",			/* 40 */
-	"optional = "			/* 41 */
+	"rtype_0 = ",	       /* 0 */
+	"internet address = ", /* 1 */
+	"nameserver = ",       /* 2 */
+	"md = ",	       /* 3 */
+	"mf = ",	       /* 4 */
+	"canonical name = ",   /* 5 */
+	"soa = ",	       /* 6 */
+	"mb = ",	       /* 7 */
+	"mg = ",	       /* 8 */
+	"mr = ",	       /* 9 */
+	"rtype_10 = ",	       /* 10 */
+	"protocol = ",	       /* 11 */
+	"name = ",	       /* 12 */
+	"hinfo = ",	       /* 13 */
+	"minfo = ",	       /* 14 */
+	"mail exchanger = ",   /* 15 */
+	"text = ",	       /* 16 */
+	"rp = ",	       /* 17 */
+	"afsdb = ",	       /* 18 */
+	"x25 address = ",      /* 19 */
+	"isdn address = ",     /* 20 */
+	"rt = ",	       /* 21 */
+	"nsap = ",	       /* 22 */
+	"nsap_ptr = ",	       /* 23 */
+	"signature = ",	       /* 24 */
+	"key = ",	       /* 25 */
+	"px = ",	       /* 26 */
+	"gpos = ",	       /* 27 */
+	"has AAAA address ",   /* 28 */
+	"loc = ",	       /* 29 */
+	"next = ",	       /* 30 */
+	"rtype_31 = ",	       /* 31 */
+	"rtype_32 = ",	       /* 32 */
+	"service = ",	       /* 33 */
+	"rtype_34 = ",	       /* 34 */
+	"naptr = ",	       /* 35 */
+	"kx = ",	       /* 36 */
+	"cert = ",	       /* 37 */
+	"v6 address = ",       /* 38 */
+	"dname = ",	       /* 39 */
+	"rtype_40 = ",	       /* 40 */
+	"optional = "	       /* 41 */
 };
 
 #define N_KNOWN_RRTYPES (sizeof(rtypetext) / sizeof(rtypetext[0]))
 
-static void flush_lookup_list(void);
-static void getinput(isc_task_t *task, isc_event_t *event);
+static void
+flush_lookup_list(void);
+static void
+getinput(isc_task_t *task, isc_event_t *event);
 
 static char *
-rcode_totext(dns_rcode_t rcode)
-{
+rcode_totext(dns_rcode_t rcode) {
 	static char buf[sizeof("?65535")];
 	union {
 		const char *consttext;
 		char *deconsttext;
 	} totext;
 
-	if (rcode >= (sizeof(rcodetext)/sizeof(rcodetext[0]))) {
+	if (rcode >= (sizeof(rcodetext) / sizeof(rcodetext[0]))) {
 		snprintf(buf, sizeof(buf), "?%u", rcode);
 		totext.deconsttext = buf;
-	} else
+	} else {
 		totext.consttext = rcodetext[rcode];
-	return totext.deconsttext;
+	}
+	return (totext.deconsttext);
 }
 
 static void
@@ -215,10 +202,11 @@ printrdata(dns_rdata_t *rdata) {
 	unsigned int size = 1024;
 	bool done = false;
 
-	if (rdata->type < N_KNOWN_RRTYPES)
+	if (rdata->type < N_KNOWN_RRTYPES) {
 		printf("%s", rtypetext[rdata->type]);
-	else
+	} else {
 		printf("rdata_%d = ", rdata->type);
+	}
 
 	while (!done) {
 		isc_buffer_allocate(mctx, &b, size);
@@ -227,8 +215,9 @@ printrdata(dns_rdata_t *rdata) {
 			printf("%.*s\n", (int)isc_buffer_usedlength(b),
 			       (char *)isc_buffer_base(b));
 			done = true;
-		} else if (result != ISC_R_NOSPACE)
+		} else if (result != ISC_R_NOSPACE) {
 			check_result(result, "dns_rdata_totext");
+		}
 		isc_buffer_free(&b);
 		size *= 2;
 	}
@@ -249,25 +238,26 @@ printsection(dig_query_t *query, dns_message_t *msg, bool headers,
 	debug("printsection()");
 
 	result = dns_message_firstname(msg, section);
-	if (result == ISC_R_NOMORE)
+	if (result == ISC_R_NOMORE) {
 		return (ISC_R_SUCCESS);
-	else if (result != ISC_R_SUCCESS)
+	} else if (result != ISC_R_SUCCESS) {
 		return (result);
+	}
 	for (;;) {
 		name = NULL;
-		dns_message_currentname(msg, section,
-					&name);
-		for (rdataset = ISC_LIST_HEAD(name->list);
-		     rdataset != NULL;
-		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
+		dns_message_currentname(msg, section, &name);
+		for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link))
+		{
 			loopresult = dns_rdataset_first(rdataset);
 			while (loopresult == ISC_R_SUCCESS) {
 				dns_rdataset_current(rdataset, &rdata);
 				switch (rdata.type) {
 				case dns_rdatatype_a:
 				case dns_rdatatype_aaaa:
-					if (section != DNS_SECTION_ANSWER)
+					if (section != DNS_SECTION_ANSWER) {
 						goto def_short_section;
+					}
 					dns_name_format(name, namebuf,
 							sizeof(namebuf));
 					printf("Name:\t%s\n", namebuf);
@@ -292,9 +282,9 @@ printsection(dig_query_t *query, dns_message_t *msg, bool headers,
 			}
 		}
 		result = dns_message_nextname(msg, section);
-		if (result == ISC_R_NOMORE)
+		if (result == ISC_R_NOMORE) {
 			break;
-		else if (result != ISC_R_SUCCESS) {
+		} else if (result != ISC_R_SUCCESS) {
 			return (result);
 		}
 	}
@@ -303,7 +293,7 @@ printsection(dig_query_t *query, dns_message_t *msg, bool headers,
 
 static isc_result_t
 detailsection(dig_query_t *query, dns_message_t *msg, bool headers,
-	     dns_section_t section) {
+	      dns_section_t section) {
 	isc_result_t result, loopresult;
 	dns_name_t *name;
 	dns_rdataset_t *rdataset = NULL;
@@ -332,36 +322,32 @@ detailsection(dig_query_t *query, dns_message_t *msg, bool headers,
 	}
 
 	result = dns_message_firstname(msg, section);
-	if (result == ISC_R_NOMORE)
+	if (result == ISC_R_NOMORE) {
 		return (ISC_R_SUCCESS);
-	else if (result != ISC_R_SUCCESS)
+	} else if (result != ISC_R_SUCCESS) {
 		return (result);
+	}
 	for (;;) {
 		name = NULL;
-		dns_message_currentname(msg, section,
-					&name);
-		for (rdataset = ISC_LIST_HEAD(name->list);
-		     rdataset != NULL;
-		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
+		dns_message_currentname(msg, section, &name);
+		for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link))
+		{
 			if (section == DNS_SECTION_QUESTION) {
-				dns_name_format(name, namebuf,
-						sizeof(namebuf));
+				dns_name_format(name, namebuf, sizeof(namebuf));
 				printf("\t%s, ", namebuf);
-				dns_rdatatype_format(rdataset->type,
-						     namebuf,
+				dns_rdatatype_format(rdataset->type, namebuf,
 						     sizeof(namebuf));
 				printf("type = %s, ", namebuf);
 				dns_rdataclass_format(rdataset->rdclass,
-						      namebuf,
-						      sizeof(namebuf));
+						      namebuf, sizeof(namebuf));
 				printf("class = %s\n", namebuf);
 			}
 			loopresult = dns_rdataset_first(rdataset);
 			while (loopresult == ISC_R_SUCCESS) {
 				dns_rdataset_current(rdataset, &rdata);
 
-				dns_name_format(name, namebuf,
-						sizeof(namebuf));
+				dns_name_format(name, namebuf, sizeof(namebuf));
 				printf("    ->  %s\n", namebuf);
 
 				switch (rdata.type) {
@@ -378,9 +364,9 @@ detailsection(dig_query_t *query, dns_message_t *msg, bool headers,
 			}
 		}
 		result = dns_message_nextname(msg, section);
-		if (result == ISC_R_NOMORE)
+		if (result == ISC_R_NOMORE) {
 			break;
-		else if (result != ISC_R_SUCCESS) {
+		} else if (result != ISC_R_SUCCESS) {
 			return (result);
 		}
 	}
@@ -388,8 +374,7 @@ detailsection(dig_query_t *query, dns_message_t *msg, bool headers,
 }
 
 static void
-received(unsigned int bytes, isc_sockaddr_t *from, dig_query_t *query)
-{
+received(unsigned int bytes, isc_sockaddr_t *from, dig_query_t *query) {
 	UNUSED(bytes);
 	UNUSED(from);
 	UNUSED(query);
@@ -412,9 +397,11 @@ chase_cnamechain(dns_message_t *msg, dns_name_t *qname) {
 	while (i-- > 0) {
 		rdataset = NULL;
 		result = dns_message_findname(msg, DNS_SECTION_ANSWER, qname,
-				dns_rdatatype_cname, 0, NULL, &rdataset);
-		if (result != ISC_R_SUCCESS)
+					      dns_rdatatype_cname, 0, NULL,
+					      &rdataset);
+		if (result != ISC_R_SUCCESS) {
 			return;
+		}
 		result = dns_rdataset_first(rdataset);
 		check_result(result, "dns_rdataset_first");
 		dns_rdata_reset(&rdata);
@@ -427,9 +414,8 @@ chase_cnamechain(dns_message_t *msg, dns_name_t *qname) {
 }
 
 static isc_result_t
-printmessage(dig_query_t *query, const isc_buffer_t *msgbuf,
-	     dns_message_t *msg, bool headers)
-{
+printmessage(dig_query_t *query, const isc_buffer_t *msgbuf, dns_message_t *msg,
+	     bool headers) {
 	char servtext[ISC_SOCKADDR_FORMATSIZE];
 
 	UNUSED(msgbuf);
@@ -439,7 +425,7 @@ printmessage(dig_query_t *query, const isc_buffer_t *msgbuf,
 
 	debug("printmessage()");
 
-	if(!default_lookups || query->lookup->rdtype == dns_rdatatype_a) {
+	if (!default_lookups || query->lookup->rdtype == dns_rdatatype_a) {
 		isc_sockaddr_format(&query->sockaddr, servtext,
 				    sizeof(servtext));
 		printf("Server:\t\t%s\n", query->userarg);
@@ -460,10 +446,10 @@ printmessage(dig_query_t *query, const isc_buffer_t *msgbuf,
 
 	if (msg->rcode != 0) {
 		char nametext[DNS_NAME_FORMATSIZE];
-		dns_name_format(query->lookup->name,
-				nametext, sizeof(nametext));
-		printf("** server can't find %s: %s\n",
-		       nametext, rcode_totext(msg->rcode));
+		dns_name_format(query->lookup->name, nametext,
+				sizeof(nametext));
+		printf("** server can't find %s: %s\n", nametext,
+		       rcode_totext(msg->rcode));
 		debug("returning with rcode == 0");
 
 		/* the lookup failed */
@@ -471,7 +457,7 @@ printmessage(dig_query_t *query, const isc_buffer_t *msgbuf,
 		return (ISC_R_SUCCESS);
 	}
 
-	if ( default_lookups && query->lookup->rdtype == dns_rdatatype_a) {
+	if (default_lookups && query->lookup->rdtype == dns_rdatatype_a) {
 		char namestr[DNS_NAME_FORMATSIZE];
 		dig_lookup_t *lookup;
 		dns_fixedname_t fixed;
@@ -495,29 +481,32 @@ printmessage(dig_query_t *query, const isc_buffer_t *msgbuf,
 	}
 
 	if ((msg->flags & DNS_MESSAGEFLAG_AA) == 0 &&
-	    ( !default_lookups || query->lookup->rdtype == dns_rdatatype_a) )
+	    (!default_lookups || query->lookup->rdtype == dns_rdatatype_a))
+	{
 		puts("Non-authoritative answer:");
-	if (!ISC_LIST_EMPTY(msg->sections[DNS_SECTION_ANSWER]))
+	}
+	if (!ISC_LIST_EMPTY(msg->sections[DNS_SECTION_ANSWER])) {
 		printsection(query, msg, headers, DNS_SECTION_ANSWER);
-	else {
+	} else {
 		if (default_lookups && query->lookup->rdtype == dns_rdatatype_a)
+		{
 			a_noanswer = true;
-
-		else if (!default_lookups ||
-			 (query->lookup->rdtype == dns_rdatatype_aaaa &&
-			 a_noanswer ) )
+		} else if (!default_lookups ||
+			   (query->lookup->rdtype == dns_rdatatype_aaaa &&
+			    a_noanswer))
+		{
 			printf("*** Can't find %s: No answer\n",
-				query->lookup->textname);
+			       query->lookup->textname);
+		}
 	}
 
 	if (((msg->flags & DNS_MESSAGEFLAG_AA) == 0) &&
 	    (query->lookup->rdtype != dns_rdatatype_a) &&
-	    (query->lookup->rdtype != dns_rdatatype_aaaa) ) {
+	    (query->lookup->rdtype != dns_rdatatype_aaaa))
+	{
 		puts("\nAuthoritative answers can be found from:");
-		printsection(query, msg, headers,
-			     DNS_SECTION_AUTHORITY);
-		printsection(query, msg, headers,
-			     DNS_SECTION_ADDITIONAL);
+		printsection(query, msg, headers, DNS_SECTION_AUTHORITY);
+		printsection(query, msg, headers, DNS_SECTION_ADDITIONAL);
 	}
 	return (ISC_R_SUCCESS);
 }
@@ -538,32 +527,32 @@ show_settings(bool full, bool serv_only) {
 		check_result(result, "get_address");
 
 		isc_sockaddr_format(&sockaddr, sockstr, sizeof(sockstr));
-		printf("Default server: %s\nAddress: %s\n",
-			srv->userarg, sockstr);
-		if (!full)
+		printf("Default server: %s\nAddress: %s\n", srv->userarg,
+		       sockstr);
+		if (!full) {
 			return;
+		}
 		srv = ISC_LIST_NEXT(srv, link);
 	}
-	if (serv_only)
+	if (serv_only) {
 		return;
+	}
 	printf("\nSet options:\n");
-	printf("  %s\t\t\t%s\t\t%s\n",
-	       tcpmode ? "vc" : "novc",
-	       short_form ? "nodebug" : "debug",
-	       debugging ? "d2" : "nod2");
-	printf("  %s\t\t%s\n",
-	       usesearch ? "search" : "nosearch",
+	printf("  %s\t\t\t%s\t\t%s\n", tcpmode ? "vc" : "novc",
+	       short_form ? "nodebug" : "debug", debugging ? "d2" : "nod2");
+	printf("  %s\t\t%s\n", usesearch ? "search" : "nosearch",
 	       recurse ? "recurse" : "norecurse");
-	printf("  timeout = %u\t\tretry = %d\tport = %u\tndots = %d\n",
-	       timeout, tries, port, ndots);
+	printf("  timeout = %u\t\tretry = %d\tport = %u\tndots = %d\n", timeout,
+	       tries, port, ndots);
 	printf("  querytype = %-8s\tclass = %s\n", deftype, defclass);
 	printf("  srchlist = ");
-	for (listent = ISC_LIST_HEAD(search_list);
-	     listent != NULL;
-	     listent = ISC_LIST_NEXT(listent, link)) {
-		     printf("%s", listent->origin);
-		     if (ISC_LIST_NEXT(listent, link) != NULL)
-			     printf("/");
+	for (listent = ISC_LIST_HEAD(search_list); listent != NULL;
+	     listent = ISC_LIST_NEXT(listent, link))
+	{
+		printf("%s", listent->origin);
+		if (ISC_LIST_NEXT(listent, link) != NULL) {
+			printf("/");
+		}
 	}
 	printf("\n");
 }
@@ -577,9 +566,9 @@ testtype(char *typetext) {
 	tr.base = typetext;
 	tr.length = strlen(typetext);
 	result = dns_rdatatype_fromtext(&rdtype, &tr);
-	if (result == ISC_R_SUCCESS)
+	if (result == ISC_R_SUCCESS) {
 		return (true);
-	else {
+	} else {
 		printf("unknown query type: %s\n", typetext);
 		return (false);
 	}
@@ -594,9 +583,9 @@ testclass(char *typetext) {
 	tr.base = typetext;
 	tr.length = strlen(typetext);
 	result = dns_rdataclass_fromtext(&rdclass, &tr);
-	if (result == ISC_R_SUCCESS)
+	if (result == ISC_R_SUCCESS) {
 		return (true);
-	else {
+	} else {
 		printf("unknown query class: %s\n", typetext);
 		return (false);
 	}
@@ -606,32 +595,36 @@ static void
 set_port(const char *value) {
 	uint32_t n;
 	isc_result_t result = parse_uint(&n, value, 65535, "port");
-	if (result == ISC_R_SUCCESS)
-		port = (uint16_t) n;
+	if (result == ISC_R_SUCCESS) {
+		port = (uint16_t)n;
+	}
 }
 
 static void
 set_timeout(const char *value) {
 	uint32_t n;
 	isc_result_t result = parse_uint(&n, value, UINT_MAX, "timeout");
-	if (result == ISC_R_SUCCESS)
+	if (result == ISC_R_SUCCESS) {
 		timeout = n;
+	}
 }
 
 static void
 set_tries(const char *value) {
 	uint32_t n;
 	isc_result_t result = parse_uint(&n, value, INT_MAX, "tries");
-	if (result == ISC_R_SUCCESS)
+	if (result == ISC_R_SUCCESS) {
 		tries = n;
+	}
 }
 
 static void
 set_ndots(const char *value) {
 	uint32_t n;
 	isc_result_t result = parse_uint(&n, value, 128, "ndots");
-	if (result == ISC_R_SUCCESS)
+	if (result == ISC_R_SUCCESS) {
 		ndots = n;
+	}
 }
 
 static void
@@ -649,11 +642,13 @@ setoption(char *opt) {
 	if (CHECKOPT("all", 3)) {
 		show_settings(true, false);
 	} else if (strncasecmp(opt, "class=", 6) == 0) {
-		if (testclass(&opt[6]))
+		if (testclass(&opt[6])) {
 			strlcpy(defclass, &opt[6], sizeof(defclass));
+		}
 	} else if (strncasecmp(opt, "cl=", 3) == 0) {
-		if (testclass(&opt[3]))
+		if (testclass(&opt[3])) {
 			strlcpy(defclass, &opt[3], sizeof(defclass));
+		}
 	} else if (strncasecmp(opt, "type=", 5) == 0) {
 		if (testtype(&opt[5])) {
 			strlcpy(deftype, &opt[5], sizeof(deftype));
@@ -735,9 +730,9 @@ setoption(char *opt) {
 	} else if (CHECKOPT("sil", 3)) {
 		/* deprecation_msg = false; */
 	} else if (CHECKOPT("fail", 3)) {
-		nofail=false;
+		nofail = false;
 	} else if (CHECKOPT("nofail", 5)) {
-		nofail=true;
+		nofail = true;
 	} else if (strncasecmp(opt, "ndots=", 6) == 0) {
 		set_ndots(&opt[6]);
 	} else {
@@ -773,8 +768,7 @@ addlookup(char *opt) {
 		rdclass = dns_rdataclass_in;
 	}
 	lookup = make_empty_lookup();
-	if (get_reverse(store, sizeof(store), opt, true)
-	    == ISC_R_SUCCESS) {
+	if (get_reverse(store, sizeof(store), opt, true) == ISC_R_SUCCESS) {
 		strlcpy(lookup->textname, store, sizeof(lookup->textname));
 		lookup->rdtype = dns_rdatatype_ptr;
 		lookup->rdtypeset = true;
@@ -794,18 +788,21 @@ addlookup(char *opt) {
 	lookup->retries = tries;
 	lookup->udpsize = 0;
 	lookup->comments = comments;
-	if (lookup->rdtype == dns_rdatatype_any && !tcpmode_set)
+	if (lookup->rdtype == dns_rdatatype_any && !tcpmode_set) {
 		lookup->tcp_mode = true;
-	else
+	} else {
 		lookup->tcp_mode = tcpmode;
+	}
 	lookup->stats = stats;
 	lookup->section_question = section_question;
 	lookup->section_answer = section_answer;
 	lookup->section_authority = section_authority;
 	lookup->section_additional = section_additional;
 	lookup->new_search = true;
-	if (nofail)
+	lookup->besteffort = false;
+	if (nofail) {
 		lookup->servfail_stops = false;
+	}
 	ISC_LIST_INIT(lookup->q);
 	ISC_LINK_INIT(lookup, link);
 	ISC_LIST_APPEND(lookup_list, lookup, link);
@@ -822,11 +819,11 @@ do_next_command(char *input) {
 		return;
 	}
 	arg = strtok_r(NULL, " \t\r\n", &last);
-	if ((strcasecmp(ptr, "set") == 0) &&
-	    (arg != NULL))
+	if ((strcasecmp(ptr, "set") == 0) && (arg != NULL)) {
 		setoption(arg);
-	else if ((strcasecmp(ptr, "server") == 0) ||
-		 (strcasecmp(ptr, "lserver") == 0)) {
+	} else if ((strcasecmp(ptr, "server") == 0) ||
+		   (strcasecmp(ptr, "lserver") == 0))
+	{
 		isc_app_block();
 		set_nameserver(arg);
 		check_ra = false;
@@ -834,16 +831,16 @@ do_next_command(char *input) {
 		show_settings(true, true);
 	} else if (strcasecmp(ptr, "exit") == 0) {
 		in_use = false;
-	} else if (strcasecmp(ptr, "help") == 0 ||
-		   strcasecmp(ptr, "?") == 0) {
+	} else if (strcasecmp(ptr, "help") == 0 || strcasecmp(ptr, "?") == 0) {
 		printf("The '%s' command is not yet implemented.\n", ptr);
 	} else if (strcasecmp(ptr, "finger") == 0 ||
-		   strcasecmp(ptr, "root") == 0 ||
-		   strcasecmp(ptr, "ls") == 0 ||
-		   strcasecmp(ptr, "view") == 0) {
+		   strcasecmp(ptr, "root") == 0 || strcasecmp(ptr, "ls") == 0 ||
+		   strcasecmp(ptr, "view") == 0)
+	{
 		printf("The '%s' command is not implemented.\n", ptr);
-	} else
+	} else {
 		addlookup(ptr);
+	}
 }
 
 static void
@@ -857,24 +854,28 @@ get_next_command(void) {
 	if (interactive) {
 #ifdef HAVE_READLINE
 		ptr = readline("> ");
-		if (ptr != NULL)
+		if (ptr != NULL) {
 			add_history(ptr);
-#else
+		}
+#else  /* ifdef HAVE_READLINE */
 		fputs("> ", stderr);
 		fflush(stderr);
 		ptr = fgets(buf, COMMSIZE, stdin);
-#endif
-	} else
+#endif /* ifdef HAVE_READLINE */
+	} else {
 		ptr = fgets(buf, COMMSIZE, stdin);
+	}
 	isc_app_unblock();
 	if (ptr == NULL) {
 		in_use = false;
-	} else
+	} else {
 		do_next_command(ptr);
+	}
 #ifdef HAVE_READLINE
-	if (interactive)
+	if (interactive) {
 		free(ptr);
-#endif
+	}
+#endif /* ifdef HAVE_READLINE */
 	isc_mem_free(mctx, buf);
 }
 
@@ -883,16 +884,16 @@ usage(void) ISC_PLATFORM_NORETURN_POST;
 
 static void
 usage(void) {
-    fprintf(stderr, "Usage:\n");
-    fprintf(stderr,
-"   nslookup [-opt ...]             # interactive mode using default server\n");
-    fprintf(stderr,
-"   nslookup [-opt ...] - server    # interactive mode using 'server'\n");
-    fprintf(stderr,
-"   nslookup [-opt ...] host        # just look up 'host' using default server\n");
-    fprintf(stderr,
-"   nslookup [-opt ...] host server # just look up 'host' using 'server'\n");
-    exit(1);
+	fprintf(stderr, "Usage:\n");
+	fprintf(stderr, "   nslookup [-opt ...]             # interactive mode "
+			"using default server\n");
+	fprintf(stderr, "   nslookup [-opt ...] - server    # interactive mode "
+			"using 'server'\n");
+	fprintf(stderr, "   nslookup [-opt ...] host        # just look up "
+			"'host' using default server\n");
+	fprintf(stderr, "   nslookup [-opt ...] host server # just look up "
+			"'host' using 'server'\n");
+	exit(1);
 }
 
 static void
@@ -908,8 +909,9 @@ parse_args(int argc, char **argv) {
 				exit(0);
 			} else if (argv[0][1] != 0) {
 				setoption(&argv[0][1]);
-			} else
+			} else {
 				have_lookup = true;
+			}
 		} else {
 			if (!have_lookup) {
 				have_lookup = true;
@@ -955,10 +957,10 @@ flush_lookup_list(void) {
 			s = ISC_LIST_NEXT(s, link);
 			ISC_LIST_DEQUEUE(l->my_server_list, sp, link);
 			isc_mem_free(mctx, sp);
-
 		}
-		if (l->sendmsg != NULL)
+		if (l->sendmsg != NULL) {
 			dns_message_destroy(&l->sendmsg);
+		}
 		lp = l;
 		l = ISC_LIST_NEXT(l, link);
 		ISC_LIST_DEQUEUE(lookup_list, lp, link);
@@ -969,8 +971,9 @@ flush_lookup_list(void) {
 static void
 getinput(isc_task_t *task, isc_event_t *event) {
 	UNUSED(task);
-	if (global_event == NULL)
+	if (global_event == NULL) {
 		global_event = event;
+	}
 	while (in_use) {
 		get_next_command();
 		if (ISC_LIST_HEAD(lookup_list) != NULL) {
@@ -1007,17 +1010,19 @@ main(int argc, char **argv) {
 
 	setup_system(false, false);
 	parse_args(argc, argv);
-	if (keyfile[0] != 0)
+	if (keyfile[0] != 0) {
 		setup_file_key();
-	else if (keysecret[0] != 0)
+	} else if (keysecret[0] != 0) {
 		setup_text_key();
-	if (domainopt[0] != '\0')
+	}
+	if (domainopt[0] != '\0') {
 		set_search_domain(domainopt);
-	if (in_use)
-		result = isc_app_onrun(mctx, global_task, onrun_callback,
-				       NULL);
-	else
+	}
+	if (in_use) {
+		result = isc_app_onrun(mctx, global_task, onrun_callback, NULL);
+	} else {
 		result = isc_app_onrun(mctx, global_task, getinput, NULL);
+	}
 	check_result(result, "isc_app_onrun");
 	in_use = !in_use;
 
@@ -1025,8 +1030,9 @@ main(int argc, char **argv) {
 
 	puts("");
 	debug("done, and starting to shut down");
-	if (global_event != NULL)
+	if (global_event != NULL) {
 		isc_event_free(&global_event);
+	}
 	cancel_all();
 	destroy_libs();
 	isc_app_finish();

bin/dig/nslookup.docbook

@@ -1,524 +0,0 @@
-<!--
- - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
- -
- - See the COPYRIGHT file distributed with this work for additional
- - information regarding copyright ownership.
--->
-
-<!--
- - Copyright (c) 1985, 1989
- -    The Regents of the University of California.  All rights reserved.
- -
- - Redistribution and use in source and binary forms, with or without
- - modification, are permitted provided that the following conditions
- - are met:
- - 1. Redistributions of source code must retain the above copyright
- -    notice, this list of conditions and the following disclaimer.
- - 2. Redistributions in binary form must reproduce the above copyright
- -    notice, this list of conditions and the following disclaimer in the
- -    documentation and/or other materials provided with the distribution.
- - 3. Neither the name of the University nor the names of its contributors
- -    may be used to endorse or promote products derived from this software
- -    without specific prior written permission.
- -
- - THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- - ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- - ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- - FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- - DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- - OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- - HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- - LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- - OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- - SUCH DAMAGE.
--->
-<!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.nslookup">
-  <info>
-    <date>2014-01-24</date>
-  </info>
-  <refentryinfo>
-    <corpname>ISC</corpname>
-    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle>nslookup</refentrytitle>
-    <manvolnum>1</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <refnamediv>
-    <refname>nslookup</refname>
-    <refpurpose>query Internet name servers interactively</refpurpose>
-  </refnamediv>
-
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2006</year>
-      <year>2007</year>
-      <year>2010</year>
-      <year>2013</year>
-      <year>2014</year>
-      <year>2015</year>
-      <year>2016</year>
-      <year>2017</year>
-      <year>2018</year>
-      <year>2019</year>
-      <year>2020</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-  </docinfo>
-
-  <refsynopsisdiv>
-    <cmdsynopsis sepchar=" ">
-      <command>nslookup</command>
-      <arg choice="opt" rep="norepeat"><option>-option</option></arg>
-      <arg choice="opt" rep="norepeat">name | -</arg>
-      <arg choice="opt" rep="norepeat">server</arg>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsection><info><title>DESCRIPTION</title></info>
-
-    <para><command>Nslookup</command>
-      is a program to query Internet domain name servers.  <command>Nslookup</command>
-      has two modes: interactive and non-interactive.  Interactive mode allows
-      the user to query name servers for information about various hosts and
-      domains or to print a list of hosts in a domain.  Non-interactive mode
-      is
-      used to print just the name and requested information for a host or
-      domain.
-    </para>
-  </refsection>
-
-  <refsection><info><title>ARGUMENTS</title></info>
-
-    <para>
-      Interactive mode is entered in the following cases:
-      <orderedlist numeration="loweralpha" inheritnum="ignore" continuation="restarts">
-        <listitem>
-          <para>
-            when no arguments are given (the default name server will be used)
-          </para>
-        </listitem>
-        <listitem>
-          <para>
-            when the first argument is a hyphen (-) and the second argument is
-            the host name or Internet address of a name server.
-          </para>
-        </listitem>
-      </orderedlist>
-    </para>
-
-    <para>
-      Non-interactive mode is used when the name or Internet address of the
-      host to be looked up is given as the first argument. The optional second
-      argument specifies the host name or address of a name server.
-    </para>
-
-    <para>
-      Options can also be specified on the command line if they precede the
-      arguments and are prefixed with a hyphen.  For example, to
-      change the default query type to host information, and the initial
-      timeout to 10 seconds, type:
-      <!-- <informalexample> produces bad nroff. -->
-        <programlisting>
-nslookup -query=hinfo  -timeout=10
-</programlisting>
-      <!-- </informalexample> -->
-    </para>
-    <para>
-      The <option>-version</option> option causes
-      <command>nslookup</command> to print the version
-      number and immediately exits.
-    </para>
-
-  </refsection>
-
-  <refsection><info><title>INTERACTIVE COMMANDS</title></info>
-
-    <variablelist>
-      <varlistentry>
-        <term><constant>host</constant> <optional>server</optional></term>
-        <listitem>
-          <para>
-            Look up information for host using the current default server or
-            using server, if specified.  If host is an Internet address and
-            the query type is A or PTR, the name of the host is returned.
-            If host is a name and does not have a trailing period, the
-            search list is used to qualify the name.
-          </para>
-
-          <para>
-            To look up a host not in the current domain, append a period to
-            the name.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><constant>server</constant> <replaceable class="parameter">domain</replaceable></term>
-        <listitem>
-          <para/>
-        </listitem>
-      </varlistentry>
-      <varlistentry>
-        <term><constant>lserver</constant> <replaceable class="parameter">domain</replaceable></term>
-        <listitem>
-          <para>
-            Change the default server to <replaceable>domain</replaceable>; <constant>lserver</constant> uses the initial
-            server to look up information about <replaceable>domain</replaceable>, while <constant>server</constant> uses
-            the current default server.  If an authoritative answer can't be
-            found, the names of servers that might have the answer are
-            returned.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><constant>root</constant></term>
-        <listitem>
-          <para>
-            not implemented
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><constant>finger</constant></term>
-        <listitem>
-          <para>
-            not implemented
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><constant>ls</constant></term>
-        <listitem>
-          <para>
-            not implemented
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><constant>view</constant></term>
-        <listitem>
-          <para>
-            not implemented
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><constant>help</constant></term>
-        <listitem>
-          <para>
-            not implemented
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><constant>?</constant></term>
-        <listitem>
-          <para>
-            not implemented
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><constant>exit</constant></term>
-        <listitem>
-          <para>
-            Exits the program.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><constant>set</constant>
-          <replaceable>keyword<optional>=value</optional></replaceable></term>
-        <listitem>
-          <para>
-            This command is used to change state information that affects
-            the lookups.  Valid keywords are:
-            <variablelist>
-              <varlistentry>
-                <term><constant>all</constant></term>
-                <listitem>
-                  <para>
-                    Prints the current values of the frequently used
-                    options to <command>set</command>.
-                    Information about the  current default
-                    server and host is also printed.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><constant>class=</constant><replaceable>value</replaceable></term>
-                <listitem>
-                  <para>
-                    Change the query class to one of:
-                    <variablelist>
-                      <varlistentry>
-                        <term><constant>IN</constant></term>
-                        <listitem>
-                          <para>
-                            the Internet class
-                          </para>
-                        </listitem>
-                      </varlistentry>
-                      <varlistentry>
-                        <term><constant>CH</constant></term>
-                        <listitem>
-                          <para>
-                            the Chaos class
-                          </para>
-                        </listitem>
-                      </varlistentry>
-                      <varlistentry>
-                        <term><constant>HS</constant></term>
-                        <listitem>
-                          <para>
-                            the Hesiod class
-                          </para>
-                        </listitem>
-                      </varlistentry>
-                      <varlistentry>
-                        <term><constant>ANY</constant></term>
-                        <listitem>
-                          <para>
-                            wildcard
-                          </para>
-                        </listitem>
-                      </varlistentry>
-                    </variablelist>
-                    The class specifies the protocol group of the information.
-
-                  </para>
-                  <para>
-                    (Default = IN; abbreviation = cl)
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><constant><replaceable><optional>no</optional></replaceable>debug</constant></term>
-                <listitem>
-                  <para>
-                    Turn on or off the display of the full response packet and
-                    any intermediate response packets when searching.
-                  </para>
-                  <para>
-                    (Default = nodebug; abbreviation = <optional>no</optional>deb)
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><constant><replaceable><optional>no</optional></replaceable>d2</constant></term>
-                <listitem>
-                  <para>
-                    Turn debugging mode on or off.  This displays more about
-                    what nslookup is doing.
-                  </para>
-                  <para>
-                    (Default = nod2)
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><constant>domain=</constant><replaceable>name</replaceable></term>
-                <listitem>
-                  <para>
-                    Sets the search list to <replaceable>name</replaceable>.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><constant><replaceable><optional>no</optional></replaceable>search</constant></term>
-                <listitem>
-                  <para>
-                    If the lookup request contains at least one period but
-                    doesn't end with a trailing period, append the domain
-                    names in the domain search list to the request until an
-                    answer is received.
-                  </para>
-                  <para>
-                    (Default = search)
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><constant>port=</constant><replaceable>value</replaceable></term>
-                <listitem>
-                  <para>
-                    Change the default TCP/UDP name server port to <replaceable>value</replaceable>.
-                  </para>
-                  <para>
-                    (Default = 53; abbreviation = po)
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><constant>querytype=</constant><replaceable>value</replaceable></term>
-                <listitem>
-                  <para/>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><constant>type=</constant><replaceable>value</replaceable></term>
-                <listitem>
-                  <para>
-                    Change the type of the information query.
-                  </para>
-                  <para>
-                    (Default = A and then AAAA; abbreviations = q, ty)
-                  </para>
-                    <para>
-                      <emphasis role="bold">Note:</emphasis> It is
-                      only possible to specify one query type, only
-                      the default behavior looks up both when an
-                      alternative is not specified.
-                    </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><constant><replaceable><optional>no</optional></replaceable>recurse</constant></term>
-                <listitem>
-                  <para>
-                    Tell the name server to query other servers if it does not
-                    have the
-                    information.
-                  </para>
-                  <para>
-                    (Default = recurse; abbreviation = [no]rec)
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><constant>ndots=</constant><replaceable>number</replaceable></term>
-                <listitem>
-                  <para>
-                    Set the number of dots (label separators) in a domain
-                    that will disable searching.  Absolute names always
-                    stop searching.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><constant>retry=</constant><replaceable>number</replaceable></term>
-                <listitem>
-                  <para>
-                    Set the number of retries to number.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><constant>timeout=</constant><replaceable>number</replaceable></term>
-                <listitem>
-                  <para>
-                    Change the initial timeout interval for waiting for a
-                    reply to number seconds.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><constant><replaceable><optional>no</optional></replaceable>vc</constant></term>
-                <listitem>
-                  <para>
-                    Always use a virtual circuit when sending requests to the
-                    server.
-                  </para>
-                  <para>
-                    (Default = novc)
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><constant><replaceable><optional>no</optional></replaceable>fail</constant></term>
-                <listitem>
-                  <para>
-                    Try the next nameserver if a nameserver responds with
-                    SERVFAIL or a referral (nofail) or terminate query
-                    (fail) on such a response.
-                  </para>
-                  <para>
-                    (Default = nofail)
-                  </para>
-                </listitem>
-              </varlistentry>
-
-            </variablelist>
-          </para>
-        </listitem>
-      </varlistentry>
-    </variablelist>
-  </refsection>
-
-  <refsection><info><title>RETURN VALUES</title></info>
-    <para>
-      <command>nslookup</command> returns with an exit status of 1
-      if any query failed, and 0 otherwise.
-    </para>
-  </refsection>
-
-  <refsection><info><title>IDN SUPPORT</title></info>
-
-    <para>
-      If <command>nslookup</command> has been built with IDN (internationalized
-      domain name) support, it can accept and display non-ASCII domain names.
-      <command>nslookup</command> appropriately converts character encoding of
-      domain name before sending a request to DNS server or displaying a
-      reply from the server.
-      If you'd like to turn off the IDN support for some reason, define
-      the <envar>IDN_DISABLE</envar> environment variable.
-      The IDN support is disabled if the variable is set when
-      <command>nslookup</command> runs or when the standard output is not
-      a tty.
-    </para>
-  </refsection>
-
-  <refsection><info><title>FILES</title></info>
-
-    <para><filename>/etc/resolv.conf</filename>
-    </para>
-  </refsection>
-
-  <refsection><info><title>SEE ALSO</title></info>
-
-    <para><citerefentry>
-        <refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>host</refentrytitle><manvolnum>1</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>.
-    </para>
-  </refsection>
-</refentry>

bin/dig/nslookup.html

@@ -1,403 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2004-2007, 2010, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
- - 
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>nslookup</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
-<a name="man.nslookup"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
-<h2>Name</h2>
-<p>
-    nslookup
-     &#8212; query Internet name servers interactively
-  </p>
-</div>
-
-  
-
-  <div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">nslookup</code> 
-       [<code class="option">-option</code>]
-       [name | -]
-       [server]
-    </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-    <p><span class="command"><strong>Nslookup</strong></span>
-      is a program to query Internet domain name servers.  <span class="command"><strong>Nslookup</strong></span>
-      has two modes: interactive and non-interactive.  Interactive mode allows
-      the user to query name servers for information about various hosts and
-      domains or to print a list of hosts in a domain.  Non-interactive mode
-      is
-      used to print just the name and requested information for a host or
-      domain.
-    </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.8"></a><h2>ARGUMENTS</h2>
-
-    <p>
-      Interactive mode is entered in the following cases:
-      </p>
-<div class="orderedlist"><ol class="orderedlist" type="a">
-<li class="listitem">
-          <p>
-            when no arguments are given (the default name server will be used)
-          </p>
-        </li>
-<li class="listitem">
-          <p>
-            when the first argument is a hyphen (-) and the second argument is
-            the host name or Internet address of a name server.
-          </p>
-        </li>
-</ol></div>
-<p>
-    </p>
-
-    <p>
-      Non-interactive mode is used when the name or Internet address of the
-      host to be looked up is given as the first argument. The optional second
-      argument specifies the host name or address of a name server.
-    </p>
-
-    <p>
-      Options can also be specified on the command line if they precede the
-      arguments and are prefixed with a hyphen.  For example, to
-      change the default query type to host information, and the initial
-      timeout to 10 seconds, type:
-      
-        </p>
-<pre class="programlisting">
-nslookup -query=hinfo  -timeout=10
-</pre>
-<p>
-      
-    </p>
-    <p>
-      The <code class="option">-version</code> option causes
-      <span class="command"><strong>nslookup</strong></span> to print the version
-      number and immediately exits.
-    </p>
-
-  </div>
-
-  <div class="refsection">
-<a name="id-1.9"></a><h2>INTERACTIVE COMMANDS</h2>
-
-    <div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><code class="constant">host</code> [<span class="optional">server</span>]</span></dt>
-<dd>
-          <p>
-            Look up information for host using the current default server or
-            using server, if specified.  If host is an Internet address and
-            the query type is A or PTR, the name of the host is returned.
-            If host is a name and does not have a trailing period, the
-            search list is used to qualify the name.
-          </p>
-
-          <p>
-            To look up a host not in the current domain, append a period to
-            the name.
-          </p>
-        </dd>
-<dt><span class="term"><code class="constant">server</code> <em class="replaceable"><code>domain</code></em></span></dt>
-<dd>
-          <p></p>
-        </dd>
-<dt><span class="term"><code class="constant">lserver</code> <em class="replaceable"><code>domain</code></em></span></dt>
-<dd>
-          <p>
-            Change the default server to <em class="replaceable"><code>domain</code></em>; <code class="constant">lserver</code> uses the initial
-            server to look up information about <em class="replaceable"><code>domain</code></em>, while <code class="constant">server</code> uses
-            the current default server.  If an authoritative answer can't be
-            found, the names of servers that might have the answer are
-            returned.
-          </p>
-        </dd>
-<dt><span class="term"><code class="constant">root</code></span></dt>
-<dd>
-          <p>
-            not implemented
-          </p>
-        </dd>
-<dt><span class="term"><code class="constant">finger</code></span></dt>
-<dd>
-          <p>
-            not implemented
-          </p>
-        </dd>
-<dt><span class="term"><code class="constant">ls</code></span></dt>
-<dd>
-          <p>
-            not implemented
-          </p>
-        </dd>
-<dt><span class="term"><code class="constant">view</code></span></dt>
-<dd>
-          <p>
-            not implemented
-          </p>
-        </dd>
-<dt><span class="term"><code class="constant">help</code></span></dt>
-<dd>
-          <p>
-            not implemented
-          </p>
-        </dd>
-<dt><span class="term"><code class="constant">?</code></span></dt>
-<dd>
-          <p>
-            not implemented
-          </p>
-        </dd>
-<dt><span class="term"><code class="constant">exit</code></span></dt>
-<dd>
-          <p>
-            Exits the program.
-          </p>
-        </dd>
-<dt><span class="term"><code class="constant">set</code>
-          <em class="replaceable"><code>keyword[<span class="optional">=value</span>]</code></em></span></dt>
-<dd>
-          <p>
-            This command is used to change state information that affects
-            the lookups.  Valid keywords are:
-            </p>
-<div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><code class="constant">all</code></span></dt>
-<dd>
-                  <p>
-                    Prints the current values of the frequently used
-                    options to <span class="command"><strong>set</strong></span>.
-                    Information about the  current default
-                    server and host is also printed.
-                  </p>
-                </dd>
-<dt><span class="term"><code class="constant">class=</code><em class="replaceable"><code>value</code></em></span></dt>
-<dd>
-                  <p>
-                    Change the query class to one of:
-                    </p>
-<div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><code class="constant">IN</code></span></dt>
-<dd>
-                          <p>
-                            the Internet class
-                          </p>
-                        </dd>
-<dt><span class="term"><code class="constant">CH</code></span></dt>
-<dd>
-                          <p>
-                            the Chaos class
-                          </p>
-                        </dd>
-<dt><span class="term"><code class="constant">HS</code></span></dt>
-<dd>
-                          <p>
-                            the Hesiod class
-                          </p>
-                        </dd>
-<dt><span class="term"><code class="constant">ANY</code></span></dt>
-<dd>
-                          <p>
-                            wildcard
-                          </p>
-                        </dd>
-</dl></div>
-<p>
-                    The class specifies the protocol group of the information.
-
-                  </p>
-		  <p>
-                    (Default = IN; abbreviation = cl)
-                  </p>
-                </dd>
-<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>debug</code></span></dt>
-<dd>
-                  <p>
-		    Turn on or off the display of the full response packet and
-		    any intermediate response packets when searching.
-                  </p>
-		  <p>
-                    (Default = nodebug; abbreviation = [<span class="optional">no</span>]deb)
-                  </p>
-                </dd>
-<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>d2</code></span></dt>
-<dd>
-                  <p>
-                    Turn debugging mode on or off.  This displays more about
-	            what nslookup is doing.
-                  </p>
-		  <p>
-                    (Default = nod2)
-                  </p>
-                </dd>
-<dt><span class="term"><code class="constant">domain=</code><em class="replaceable"><code>name</code></em></span></dt>
-<dd>
-                  <p>
-                    Sets the search list to <em class="replaceable"><code>name</code></em>.
-                  </p>
-                </dd>
-<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>search</code></span></dt>
-<dd>
-                  <p>
-                    If the lookup request contains at least one period but
-                    doesn't end with a trailing period, append the domain
-                    names in the domain search list to the request until an
-                    answer is received.
-                  </p>
-		  <p>
-                    (Default = search)
-                  </p>
-                </dd>
-<dt><span class="term"><code class="constant">port=</code><em class="replaceable"><code>value</code></em></span></dt>
-<dd>
-                  <p>
-                    Change the default TCP/UDP name server port to <em class="replaceable"><code>value</code></em>.
-                  </p>
-		  <p>
-                    (Default = 53; abbreviation = po)
-                  </p>
-                </dd>
-<dt><span class="term"><code class="constant">querytype=</code><em class="replaceable"><code>value</code></em></span></dt>
-<dd>
-                  <p></p>
-                </dd>
-<dt><span class="term"><code class="constant">type=</code><em class="replaceable"><code>value</code></em></span></dt>
-<dd>
-                  <p>
-                    Change the type of the information query.
-                  </p>
-		  <p>
-                    (Default = A; abbreviations = q, ty)
-                  </p>
-                </dd>
-<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>recurse</code></span></dt>
-<dd>
-                  <p>
-                    Tell the name server to query other servers if it does not
-                    have the
-                    information.
-                  </p>
-		  <p>
-                    (Default = recurse; abbreviation = [no]rec)
-                  </p>
-                </dd>
-<dt><span class="term"><code class="constant">ndots=</code><em class="replaceable"><code>number</code></em></span></dt>
-<dd>
-                  <p>
-		    Set the number of dots (label separators) in a domain
-		    that will disable searching.  Absolute names always
-		    stop searching.
-                  </p>
-                </dd>
-<dt><span class="term"><code class="constant">retry=</code><em class="replaceable"><code>number</code></em></span></dt>
-<dd>
-                  <p>
-                    Set the number of retries to number.
-                  </p>
-                </dd>
-<dt><span class="term"><code class="constant">timeout=</code><em class="replaceable"><code>number</code></em></span></dt>
-<dd>
-                  <p>
-                    Change the initial timeout interval for waiting for a
-                    reply to number seconds.
-                  </p>
-                </dd>
-<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>vc</code></span></dt>
-<dd>
-                  <p>
-                    Always use a virtual circuit when sending requests to the
-                    server.
-                  </p>
-		  <p>
-                    (Default = novc)
-                  </p>
-                </dd>
-<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>fail</code></span></dt>
-<dd>
-                  <p>
-		    Try the next nameserver if a nameserver responds with
-		    SERVFAIL or a referral (nofail) or terminate query
-		    (fail) on such a response.
-		  </p>
-		  <p>
-                    (Default = nofail)
-                  </p>
-	        </dd>
-</dl></div>
-<p>
-          </p>
-        </dd>
-</dl></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.10"></a><h2>RETURN VALUES</h2>
-    <p>
-      <span class="command"><strong>nslookup</strong></span> returns with an exit status of 1
-      if any query failed, and 0 otherwise.
-    </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.11"></a><h2>IDN SUPPORT</h2>
-
-    <p>
-      If <span class="command"><strong>nslookup</strong></span> has been built with IDN (internationalized
-      domain name) support, it can accept and display non-ASCII domain names.
-      <span class="command"><strong>nslookup</strong></span> appropriately converts character encoding of
-      domain name before sending a request to DNS server or displaying a
-      reply from the server.
-      If you'd like to turn off the IDN support for some reason, define
-      the <code class="envar">IDN_DISABLE</code> environment variable.
-      The IDN support is disabled if the variable is set when
-      <span class="command"><strong>nslookup</strong></span> runs or when the standard output is not
-      a tty.
-    </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.12"></a><h2>FILES</h2>
-
-    <p><code class="filename">/etc/resolv.conf</code>
-    </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.13"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-        <span class="refentrytitle">dig</span>(1)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">host</span>(1)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">named</span>(8)
-      </span>.
-    </p>
-  </div>
-</div></body>
-</html>

bin/dig/nslookup.rst

@@ -0,0 +1,226 @@
+.. 
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+   
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, You can obtain one at http://mozilla.org/MPL/2.0/.
+   
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
+..
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
+
+.. highlight: console
+
+.. _man_nslookup:
+
+nslookup - query Internet name servers interactively
+----------------------------------------------------
+
+Synopsis
+~~~~~~~~
+
+:program:`nslookup` [-option] [name | -] [server]
+
+Description
+~~~~~~~~~~~
+
+``Nslookup`` is a program to query Internet domain name servers.
+``Nslookup`` has two modes: interactive and non-interactive. Interactive
+mode allows the user to query name servers for information about various
+hosts and domains or to print a list of hosts in a domain.
+Non-interactive mode is used to print just the name and requested
+information for a host or domain.
+
+Arguments
+~~~~~~~~~
+
+Interactive mode is entered in the following cases:
+
+a. when no arguments are given (the default name server will be used)
+
+b. when the first argument is a hyphen (-) and the second argument is
+   the host name or Internet address of a name server.
+
+Non-interactive mode is used when the name or Internet address of the
+host to be looked up is given as the first argument. The optional second
+argument specifies the host name or address of a name server.
+
+Options can also be specified on the command line if they precede the
+arguments and are prefixed with a hyphen. For example, to change the
+default query type to host information, and the initial timeout to 10
+seconds, type:
+
+::
+
+   nslookup -query=hinfo  -timeout=10
+
+The ``-version`` option causes ``nslookup`` to print the version number
+and immediately exits.
+
+Interactive Commands
+~~~~~~~~~~~~~~~~~~~~
+
+``host`` [server]
+   Look up information for host using the current default server or
+   using server, if specified. If host is an Internet address and the
+   query type is A or PTR, the name of the host is returned. If host is
+   a name and does not have a trailing period, the search list is used
+   to qualify the name.
+
+   To look up a host not in the current domain, append a period to the
+   name.
+
+``server`` domain | ``lserver`` domain
+   Change the default server to domain; ``lserver`` uses the initial
+   server to look up information about domain, while ``server`` uses the
+   current default server. If an authoritative answer can't be found,
+   the names of servers that might have the answer are returned.
+
+``root``
+   not implemented
+
+``finger``
+   not implemented
+
+``ls``
+   not implemented
+
+``view``
+   not implemented
+
+``help``
+   not implemented
+
+``?``
+   not implemented
+
+``exit``
+   Exits the program.
+
+``set`` keyword[=value]
+   This command is used to change state information that affects the
+   lookups. Valid keywords are:
+
+   ``all``
+      Prints the current values of the frequently used options to
+      ``set``. Information about the current default server and host is
+      also printed.
+
+   ``class=``\ value
+      Change the query class to one of:
+
+      ``IN``
+         the Internet class
+
+      ``CH``
+         the Chaos class
+
+      ``HS``
+         the Hesiod class
+
+      ``ANY``
+         wildcard
+
+      The class specifies the protocol group of the information.
+
+      (Default = IN; abbreviation = cl)
+
+   ``nodebug``
+      Turn on or off the display of the full response packet and any
+      intermediate response packets when searching.
+
+      (Default = nodebug; abbreviation = [no]deb)
+
+   ``nod2``
+      Turn debugging mode on or off. This displays more about what
+      nslookup is doing.
+
+      (Default = nod2)
+
+   ``domain=``\ name
+      Sets the search list to name.
+
+   ``nosearch``
+      If the lookup request contains at least one period but doesn't end
+      with a trailing period, append the domain names in the domain
+      search list to the request until an answer is received.
+
+      (Default = search)
+
+   ``port=``\ value
+      Change the default TCP/UDP name server port to value.
+
+      (Default = 53; abbreviation = po)
+
+   ``querytype=``\ value | ``type=``\ value
+      Change the type of the information query.
+
+      (Default = A and then AAAA; abbreviations = q, ty)
+
+      **Note:** It is only possible to specify one query type, only the default
+        behavior looks up both when an alternative is not specified.
+
+   ``norecurse``
+      Tell the name server to query other servers if it does not have
+      the information.
+
+      (Default = recurse; abbreviation = [no]rec)
+
+   ``ndots=``\ number
+      Set the number of dots (label separators) in a domain that will
+      disable searching. Absolute names always stop searching.
+
+   ``retry=``\ number
+      Set the number of retries to number.
+
+   ``timeout=``\ number
+      Change the initial timeout interval for waiting for a reply to
+      number seconds.
+
+   ``novc``
+      Always use a virtual circuit when sending requests to the server.
+
+      (Default = novc)
+
+   ``nofail``
+      Try the next nameserver if a nameserver responds with SERVFAIL or
+      a referral (nofail) or terminate query (fail) on such a response.
+
+      (Default = nofail)
+
+Return Values
+~~~~~~~~~~~~~
+
+``nslookup`` returns with an exit status of 1 if any query failed, and 0
+otherwise.
+
+IDN Support
+~~~~~~~~~~~
+
+If ``nslookup`` has been built with IDN (internationalized domain name)
+support, it can accept and display non-ASCII domain names. ``nslookup``
+appropriately converts character encoding of domain name before sending
+a request to DNS server or displaying a reply from the server. If you'd
+like to turn off the IDN support for some reason, define the IDN_DISABLE
+environment variable. The IDN support is disabled if the variable is set
+when ``nslookup`` runs or when the standard output is not a tty.
+
+Files
+~~~~~
+
+``/etc/resolv.conf``
+
+See Also
+~~~~~~~~
+
+:manpage:`dig(1)`, :manpage:`host(1)`, :manpage:`named(8)`.

bin/dig/win32/dig.vcxproj.in

@@ -44,17 +44,20 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -77,7 +80,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>

bin/dig/win32/dighost.vcxproj.in

@@ -44,17 +44,20 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>.\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>.\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -75,7 +78,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>

bin/dig/win32/host.vcxproj.in

@@ -44,17 +44,20 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -77,7 +80,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>

bin/dig/win32/nslookup.vcxproj.in

@@ -44,17 +44,20 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;USE_READLINE_STATIC;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -77,7 +80,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>

bin/dnssec/Makefile.in

@@ -21,10 +21,10 @@ CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
 CDEFINES =	-DVERSION=\"${VERSION}\" -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
 CWARNINGS =
 
-DNSLIBS =	../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
+DNSLIBS =	../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
 ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
-ISCLIBS =	../../lib/isc/libisc.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS}
-ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS}
+ISCLIBS =	../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@
 
 DNSDEPLIBS =	../../lib/dns/libdns.@A@
 ISCDEPLIBS =	../../lib/isc/libisc.@A@
@@ -50,18 +50,6 @@ SRCS =		dnssec-cds.c dnssec-dsfromkey.c dnssec-importkey.c \
 		dnssec-settime.c dnssec-signzone.c dnssec-verify.c \
 		dnssectool.c
 
-MANPAGES =	dnssec-cds.8 dnssec-dsfromkey.8 dnssec-importkey.8 \
-		dnssec-keyfromlabel.8 dnssec-keygen.8 dnssec-revoke.8 \
-		dnssec-settime.8 dnssec-signzone.8 dnssec-verify.8
-
-HTMLPAGES =	dnssec-cds.html dnssec-dsfromkey.html \
-		dnssec-importkey.html dnssec-keyfromlabel.html \
-		dnssec-keygen.html dnssec-revoke.html \
-		dnssec-settime.html dnssec-signzone.html \
-		dnssec-verify.html
-
-MANOBJS =	${MANPAGES} ${HTMLPAGES}
-
 @BIND9_MAKE_RULES@
 
 dnssec-cds@EXEEXT@: dnssec-cds.@O@ ${OBJS} ${DEPLIBS}
@@ -108,21 +96,14 @@ dnssec-importkey@EXEEXT@: dnssec-importkey.@O@ ${OBJS} ${DEPLIBS}
 	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
 	dnssec-importkey.@O@ ${OBJS} ${LIBS}
 
-doc man:: ${MANOBJS}
-
-docclean manclean maintainer-clean::
-	rm -f ${MANOBJS}
-
 installdirs:
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
 
 install:: ${TARGETS} installdirs
 	for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir} || exit 1; done
-	for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8 || exit 1; done
 
 uninstall::
-	for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m || exit 1; done
 	for t in ${TARGETS}; do ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/$$t || exit 1; done
 
 clean distclean::

bin/dnssec/dnssec-cds.8

@@ -1,297 +0,0 @@
-.\" Copyright (C) 2017-2020 Internet Systems Consortium, Inc. ("ISC")
-.\" 
-.\" This Source Code Form is subject to the terms of the Mozilla Public
-.\" License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
-.\"
-.hy 0
-.ad l
-'\" t
-.\"     Title: dnssec-cds
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\"      Date: 2017-10-02
-.\"    Manual: BIND9
-.\"    Source: ISC
-.\"  Language: English
-.\"
-.TH "DNSSEC\-CDS" "8" "2017\-10\-02" "ISC" "BIND9"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el       .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-dnssec-cds \- change DS records for a child zone based on CDS/CDNSKEY
-.SH "SYNOPSIS"
-.HP \w'\fBdnssec\-cds\fR\ 'u
-\fBdnssec\-cds\fR [\fB\-a\ \fR\fB\fIalg\fR\fR...] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\fR] {\fB\-d\ \fR\fB\fIdsset\-file\fR\fR} {\fB\-f\ \fR\fB\fIchild\-file\fR\fR} [\fB\-i\fR\ [\fIextension\fR]] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-T\ \fR\fB\fIttl\fR\fR] [\fB\-u\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] {domain}
-.SH "DESCRIPTION"
-.PP
-The
-\fBdnssec\-cds\fR
-command changes DS records at a delegation point based on CDS or CDNSKEY records published in the child zone\&. If both CDS and CDNSKEY records are present in the child zone, the CDS is preferred\&. This enables a child zone to inform its parent of upcoming changes to its key\-signing keys; by polling periodically with
-\fBdnssec\-cds\fR, the parent can keep the DS records up to date and enable automatic rolling of KSKs\&.
-.PP
-Two input files are required\&. The
-\fB\-f \fR\fB\fIchild\-file\fR\fR
-option specifies a file containing the child\*(Aqs CDS and/or CDNSKEY records, plus RRSIG and DNSKEY records so that they can be authenticated\&. The
-\fB\-d \fR\fB\fIpath\fR\fR
-option specifies the location of a file containing the current DS records\&. For example, this could be a
-dsset\-
-file generated by
-\fBdnssec\-signzone\fR, or the output of
-\fBdnssec\-dsfromkey\fR, or the output of a previous run of
-\fBdnssec\-cds\fR\&.
-.PP
-The
-\fBdnssec\-cds\fR
-command uses special DNSSEC validation logic specified by RFC 7344\&. It requires that the CDS and/or CDNSKEY records are validly signed by a key represented in the existing DS records\&. This will typicially be the pre\-existing key\-signing key (KSK)\&.
-.PP
-For protection against replay attacks, the signatures on the child records must not be older than they were on a previous run of
-\fBdnssec\-cds\fR\&. This time is obtained from the modification time of the
-dsset\-
-file, or from the
-\fB\-s\fR
-option\&.
-.PP
-To protect against breaking the delegation,
-\fBdnssec\-cds\fR
-ensures that the DNSKEY RRset can be verified by every key algorithm in the new DS RRset, and that the same set of keys are covered by every DS digest type\&.
-.PP
-By default, replacement DS records are written to the standard output; with the
-\fB\-i\fR
-option the input file is overwritten in place\&. The replacement DS records will be the same as the existing records when no change is required\&. The output can be empty if the CDS / CDNSKEY records specify that the child zone wants to go insecure\&.
-.PP
-Warning: Be careful not to delete the DS records when
-\fBdnssec\-cds\fR
-fails!
-.PP
-Alternatively,
-\fBdnssec\-cds \-u\fR
-writes an
-\fBnsupdate\fR
-script to the standard output\&. You can use the
-\fB\-u\fR
-and
-\fB\-i\fR
-options together to maintain a
-dsset\-
-file as well as emit an
-\fBnsupdate\fR
-script\&.
-.SH "OPTIONS"
-.PP
-\-a \fIalgorithm\fR
-.RS 4
-Specify a digest algorithm to use when converting CDNSKEY records to DS records\&. This option can be repeated, so that multiple DS records are created for each CDNSKEY record\&. This option has no effect when using CDS records\&.
-.sp
-The
-\fIalgorithm\fR
-must be one of SHA\-1, SHA\-256, or SHA\-384\&. These values are case insensitive, and the hyphen may be omitted\&. If no algorithm is specified, the default is SHA\-256\&.
-.RE
-.PP
-\-c \fIclass\fR
-.RS 4
-Specifies the DNS class of the zones\&.
-.RE
-.PP
-\-D
-.RS 4
-Generate DS records from CDNSKEY records if both CDS and CDNSKEY records are present in the child zone\&. By default CDS records are preferred\&.
-.RE
-.PP
-\-d \fIpath\fR
-.RS 4
-Location of the parent DS records\&. The
-\fIpath\fR
-can be the name of a file containing the DS records, or if it is a directory,
-\fBdnssec\-cds\fR
-looks for a
-dsset\-
-file for the
-\fIdomain\fR
-inside the directory\&.
-.sp
-To protect against replay attacks, child records are rejected if they were signed earlier than the modification time of the
-dsset\-
-file\&. This can be adjusted with the
-\fB\-s\fR
-option\&.
-.RE
-.PP
-\-f \fIchild\-file\fR
-.RS 4
-File containing the child\*(Aqs CDS and/or CDNSKEY records, plus its DNSKEY records and the covering RRSIG records so that they can be authenticated\&.
-.sp
-The EXAMPLES below describe how to generate this file\&.
-.RE
-.PP
-\-i [\fIextension\fR]
-.RS 4
-Update the
-dsset\-
-file in place, instead of writing DS records to the standard output\&.
-.sp
-There must be no space between the
-\fB\-i\fR
-and the
-\fIextension\fR\&. If you provide no
-\fIextension\fR
-then the old
-dsset\-
-is discarded\&. If an
-\fIextension\fR
-is present, a backup of the old
-dsset\-
-file is kept with the
-\fIextension\fR
-appended to its filename\&.
-.sp
-To protect against replay attacks, the modification time of the
-dsset\-
-file is set to match the signature inception time of the child records, provided that is later than the file\*(Aqs current modification time\&.
-.RE
-.PP
-\-s \fIstart\-time\fR
-.RS 4
-Specify the date and time after which RRSIG records become acceptable\&. This can be either an absolute or relative time\&. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20170827133700 denotes 13:37:00 UTC on August 27th, 2017\&. A time relative to the
-dsset\-
-file is indicated with \-N, which is N seconds before the file modification time\&. A time relative to the current time is indicated with now+N\&.
-.sp
-If no
-\fIstart\-time\fR
-is specified, the modification time of the
-dsset\-
-file is used\&.
-.RE
-.PP
-\-T \fIttl\fR
-.RS 4
-Specifies a TTL to be used for new DS records\&. If not specified, the default is the TTL of the old DS records\&. If they had no explicit TTL then the new DS records also have no explicit TTL\&.
-.RE
-.PP
-\-u
-.RS 4
-Write an
-\fBnsupdate\fR
-script to the standard output, instead of printing the new DS reords\&. The output will be empty if no change is needed\&.
-.sp
-Note: The TTL of new records needs to be specified, either in the original
-dsset\-
-file, or with the
-\fB\-T\fR
-option, or using the
-\fBnsupdate\fR\fBttl\fR
-command\&.
-.RE
-.PP
-\-V
-.RS 4
-Print version information\&.
-.RE
-.PP
-\-v \fIlevel\fR
-.RS 4
-Sets the debugging level\&. Level 1 is intended to be usefully verbose for general users; higher levels are intended for developers\&.
-.RE
-.PP
-\fIdomain\fR
-.RS 4
-The name of the delegation point / child zone apex\&.
-.RE
-.SH "EXIT STATUS"
-.PP
-The
-\fBdnssec\-cds\fR
-command exits 0 on success, or non\-zero if an error occurred\&.
-.PP
-In the success case, the DS records might or might not need to be changed\&.
-.SH "EXAMPLES"
-.PP
-Before running
-\fBdnssec\-signzone\fR, you can ensure that the delegations are up\-to\-date by running
-\fBdnssec\-cds\fR
-on every
-dsset\-
-file\&.
-.PP
-To fetch the child records required by
-\fBdnssec\-cds\fR
-you can invoke
-\fBdig\fR
-as in the script below\&. It\*(Aqs okay if the
-\fBdig\fR
-fails since
-\fBdnssec\-cds\fR
-performs all the necessary checking\&.
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-for f in dsset\-*
-do
-	d=${f#dsset\-}
-	dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
-	dnssec\-cds \-i \-f /dev/stdin \-d $f $d
-done
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-When the parent zone is automatically signed by
-\fBnamed\fR, you can use
-\fBdnssec\-cds\fR
-with
-\fBnsupdate\fR
-to maintain a delegation as follows\&. The
-dsset\-
-file allows the script to avoid having to fetch and validate the parent DS records, and it keeps the replay attack protection time\&.
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
-dnssec\-cds \-u \-i \-f /dev/stdin \-d $f $d |
-nsupdate \-l
-.fi
-.if n \{\
-.RE
-.\}
-.SH "SEE ALSO"
-.PP
-\fBdig\fR(1),
-\fBdnssec-settime\fR(8),
-\fBdnssec-signzone\fR(8),
-\fBnsupdate\fR(1),
-BIND 9 Administrator Reference Manual,
-RFC 7344\&.
-.SH "AUTHORS"
-.PP
-\fBInternet Systems Consortium, Inc\&.\fR
-.PP
-\fBTony Finch\fR <\&dot@dotat\&.at\&>, <\&fanf2@cam\&.ac\&.uk\&>
-.br
-.RS 4
-.RE
-.SH "COPYRIGHT"
-.br
-Copyright \(co 2017-2020 Internet Systems Consortium, Inc. ("ISC")
-.br

bin/dnssec/dnssec-cds.c

@@ -55,7 +55,7 @@
 
 #if USE_PKCS11
 #include <pk11/result.h>
-#endif
+#endif /* if USE_PKCS11 */
 
 #include "dnssectool.h"
 
@@ -75,9 +75,9 @@ static dns_fixedname_t fixed;
 static dns_name_t *name = NULL;
 static dns_rdataclass_t rdclass = dns_rdataclass_in;
 
-static const char *startstr  = NULL;	/* from which we derive notbefore */
-static isc_stdtime_t notbefore = 0;	/* restrict sig inception times */
-static dns_rdata_rrsig_t oldestsig;	/* for recording inception time */
+static const char *startstr = NULL; /* from which we derive notbefore */
+static isc_stdtime_t notbefore = 0; /* restrict sig inception times */
+static dns_rdata_rrsig_t oldestsig; /* for recording inception time */
 
 static int nkey; /* number of child zone DNSKEY records */
 
@@ -131,7 +131,7 @@ static dns_rdataset_t old_ds_set, new_ds_set;
 
 static keyinfo_t *old_key_tbl, *new_key_tbl;
 
-isc_buffer_t *new_ds_buf = NULL;	/* backing store for new_ds_set */
+isc_buffer_t *new_ds_buf = NULL; /* backing store for new_ds_set */
 
 static void
 verbose_time(int level, const char *msg, isc_stdtime_t time) {
@@ -150,8 +150,7 @@ verbose_time(int level, const char *msg, isc_stdtime_t time) {
 	if (verbose < 3) {
 		vbprintf(level, "%s %s\n", msg, timestr);
 	} else {
-		vbprintf(level, "%s %s (%" PRIu32 ")\n",
-			 msg, timestr, time);
+		vbprintf(level, "%s %s (%" PRIu32 ")\n", msg, timestr, time);
 	}
 }
 
@@ -173,16 +172,15 @@ initname(char *setname) {
 
 static void
 findset(dns_db_t *db, dns_dbnode_t *node, dns_rdatatype_t type,
-	dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
-{
+	dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) {
 	isc_result_t result;
 
 	dns_rdataset_init(rdataset);
 	if (sigrdataset != NULL) {
 		dns_rdataset_init(sigrdataset);
 	}
-	result = dns_db_findrdataset(db, node, NULL, type, 0, 0,
-				     rdataset, sigrdataset);
+	result = dns_db_findrdataset(db, node, NULL, type, 0, 0, rdataset,
+				     sigrdataset);
 	if (result != ISC_R_NOTFOUND) {
 		check_result(result, "dns_db_findrdataset()");
 	}
@@ -206,8 +204,7 @@ freelist(dns_rdataset_t *rdataset) {
 
 	dns_rdatalist_fromrdataset(rdataset, &rdlist);
 
-	for (rdata = ISC_LIST_HEAD(rdlist->rdata);
-	     rdata != NULL;
+	for (rdata = ISC_LIST_HEAD(rdlist->rdata); rdata != NULL;
 	     rdata = ISC_LIST_HEAD(rdlist->rdata))
 	{
 		ISC_LIST_UNLINK(rdlist->rdata, rdata, link);
@@ -236,15 +233,14 @@ static void
 load_db(const char *filename, dns_db_t **dbp, dns_dbnode_t **nodep) {
 	isc_result_t result;
 
-	result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone,
-			       rdclass, 0, NULL, dbp);
+	result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone, rdclass, 0,
+			       NULL, dbp);
 	check_result(result, "dns_db_create()");
 
-	result = dns_db_load(*dbp, filename,
-			     dns_masterformat_text, DNS_MASTER_HINT);
+	result = dns_db_load(*dbp, filename, dns_masterformat_text,
+			     DNS_MASTER_HINT);
 	if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE) {
-		fatal("can't load %s: %s", filename,
-		      isc_result_totext(result));
+		fatal("can't load %s: %s", filename, isc_result_totext(result));
 	}
 
 	result = dns_db_findnode(*dbp, name, false, nodep);
@@ -272,9 +268,8 @@ load_child_sets(const char *file) {
 }
 
 static void
-get_dsset_name(char *filename, size_t size,
-	       const char *path, const char *suffix)
-{
+get_dsset_name(char *filename, size_t size, const char *path,
+	       const char *suffix) {
 	isc_result_t result;
 	isc_buffer_t buf;
 	size_t len;
@@ -318,7 +313,7 @@ get_dsset_name(char *filename, size_t size,
 static void
 load_parent_set(const char *path) {
 	isc_result_t result;
-	dns_db_t *db   = NULL;
+	dns_db_t *db = NULL;
 	dns_dbnode_t *node = NULL;
 	isc_time_t modtime;
 	char filename[PATH_MAX + 1];
@@ -327,8 +322,8 @@ load_parent_set(const char *path) {
 
 	result = isc_file_getmodtime(filename, &modtime);
 	if (result != ISC_R_SUCCESS) {
-		fatal("could not get modification time of %s: %s",
-		      filename, isc_result_totext(result));
+		fatal("could not get modification time of %s: %s", filename,
+		      isc_result_totext(result));
 	}
 	notbefore = isc_time_seconds(&modtime);
 	if (startstr != NULL) {
@@ -342,8 +337,8 @@ load_parent_set(const char *path) {
 	findset(db, node, dns_rdatatype_ds, &old_ds_set, NULL);
 
 	if (!dns_rdataset_isassociated(&old_ds_set)) {
-		fatal("could not find DS records for %s in %s",
-		      namestr, filename);
+		fatal("could not find DS records for %s in %s", namestr,
+		      filename);
 	}
 
 	free_db(&db, &node);
@@ -365,9 +360,8 @@ formatset(dns_rdataset_t *rdataset) {
 	 * which just separates fields with spaces. The huge tab stop width
 	 * eliminates any tab characters.
 	 */
-	result = dns_master_stylecreate(&style, styleflags,
-					0, 0, 0, 0, 0, 1000000, 0,
-					mctx);
+	result = dns_master_stylecreate(&style, styleflags, 0, 0, 0, 0, 0,
+					1000000, 0, mctx);
 	check_result(result, "dns_master_stylecreate2 failed");
 
 	isc_buffer_allocate(mctx, &buf, MAX_CDS_RDATA_TEXT_SIZE);
@@ -387,9 +381,8 @@ formatset(dns_rdataset_t *rdataset) {
 }
 
 static void
-write_parent_set(const char *path, const char *inplace,
-		 bool nsupdate, dns_rdataset_t *rdataset)
-{
+write_parent_set(const char *path, const char *inplace, bool nsupdate,
+		 dns_rdataset_t *rdataset) {
 	isc_result_t result;
 	isc_buffer_t *buf = NULL;
 	isc_region_t r;
@@ -440,8 +433,8 @@ write_parent_set(const char *path, const char *inplace,
 	result = isc_file_settime(tmpname, &filetime);
 	if (result != ISC_R_SUCCESS) {
 		isc_file_remove(tmpname);
-		fatal("can't set modification time of %s: %s",
-		      tmpname, isc_result_totext(result));
+		fatal("can't set modification time of %s: %s", tmpname,
+		      isc_result_totext(result));
 	}
 
 	if (inplace[0] != '\0') {
@@ -456,13 +449,11 @@ typedef enum { LOOSE, TIGHT } strictness_t;
  * Find out if any (C)DS record matches a particular (C)DNSKEY.
  */
 static bool
-match_key_dsset(keyinfo_t *ki, dns_rdataset_t *dsset, strictness_t strictness)
-{
+match_key_dsset(keyinfo_t *ki, dns_rdataset_t *dsset, strictness_t strictness) {
 	isc_result_t result;
 	unsigned char dsbuf[DNS_DS_BUFFERSIZE];
 
-	for (result = dns_rdataset_first(dsset);
-	     result == ISC_R_SUCCESS;
+	for (result = dns_rdataset_first(dsset); result == ISC_R_SUCCESS;
 	     result = dns_rdataset_next(dsset))
 	{
 		dns_rdata_ds_t ds;
@@ -481,7 +472,8 @@ match_key_dsset(keyinfo_t *ki, dns_rdataset_t *dsset, strictness_t strictness)
 		result = dns_ds_buildrdata(name, &ki->rdata, ds.digest_type,
 					   dsbuf, &newdsrdata);
 		if (result != ISC_R_SUCCESS) {
-			vbprintf(3, "dns_ds_buildrdata("
+			vbprintf(3,
+				 "dns_ds_buildrdata("
 				 "keytag=%d, algo=%d, digest=%d): %s\n",
 				 ds.key_tag, ds.algorithm, ds.digest_type,
 				 dns_result_totext(result));
@@ -492,23 +484,22 @@ match_key_dsset(keyinfo_t *ki, dns_rdataset_t *dsset, strictness_t strictness)
 		dsrdata.type = dns_rdatatype_ds;
 		if (dns_rdata_compare(&dsrdata, &newdsrdata) == 0) {
 			vbprintf(1, "found matching %s %d %d %d\n",
-				 c ? "CDS" : "DS",
-				 ds.key_tag, ds.algorithm, ds.digest_type);
+				 c ? "CDS" : "DS", ds.key_tag, ds.algorithm,
+				 ds.digest_type);
 			return (true);
 		} else if (strictness == TIGHT) {
-			vbprintf(0, "key does not match %s %d %d %d "
-				"when it looks like it should\n",
-				 c ? "CDS" : "DS",
-				 ds.key_tag, ds.algorithm, ds.digest_type);
+			vbprintf(0,
+				 "key does not match %s %d %d %d "
+				 "when it looks like it should\n",
+				 c ? "CDS" : "DS", ds.key_tag, ds.algorithm,
+				 ds.digest_type);
 			return (false);
 		}
 	}
 
 	vbprintf(1, "no matching %s for %s %d %d\n",
-		 dsset->type == dns_rdatatype_cds
-		 ? "CDS" : "DS",
-		 ki->rdata.type == dns_rdatatype_cdnskey
-		 ? "CDNSKEY" : "DNSKEY",
+		 dsset->type == dns_rdatatype_cds ? "CDS" : "DS",
+		 ki->rdata.type == dns_rdatatype_cdnskey ? "CDNSKEY" : "DNSKEY",
 		 ki->tag, ki->algo);
 
 	return (false);
@@ -520,8 +511,7 @@ match_key_dsset(keyinfo_t *ki, dns_rdataset_t *dsset, strictness_t strictness)
  */
 static keyinfo_t *
 match_keyset_dsset(dns_rdataset_t *keyset, dns_rdataset_t *dsset,
-		   strictness_t strictness)
-{
+		   strictness_t strictness) {
 	isc_result_t result;
 	keyinfo_t *keytable;
 	int i;
@@ -531,8 +521,7 @@ match_keyset_dsset(dns_rdataset_t *keyset, dns_rdataset_t *dsset,
 	keytable = isc_mem_get(mctx, sizeof(keyinfo_t) * nkey);
 
 	for (result = dns_rdataset_first(keyset), i = 0;
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(keyset), i++)
+	     result == ISC_R_SUCCESS; result = dns_rdataset_next(keyset), i++)
 	{
 		keyinfo_t *ki;
 		dns_rdata_dnskey_t dnskey;
@@ -558,13 +547,13 @@ match_keyset_dsset(dns_rdataset_t *keyset, dns_rdataset_t *dsset,
 			continue;
 		}
 
-		result = dns_dnssec_keyfromrdata(name, keyrdata,
-						 mctx, &ki->dst);
+		result = dns_dnssec_keyfromrdata(name, keyrdata, mctx,
+						 &ki->dst);
 		if (result != ISC_R_SUCCESS) {
-			vbprintf(3, "dns_dnssec_keyfromrdata("
+			vbprintf(3,
+				 "dns_dnssec_keyfromrdata("
 				 "keytag=%d, algo=%d): %s\n",
-				 ki->tag, ki->algo,
-				 dns_result_totext(result));
+				 ki->tag, ki->algo, dns_result_totext(result));
 		}
 	}
 
@@ -599,8 +588,7 @@ free_keytable(keyinfo_t **keytable_p) {
  */
 static dns_secalg_t *
 matching_sigs(keyinfo_t *keytbl, dns_rdataset_t *rdataset,
-	      dns_rdataset_t *sigset)
-{
+	      dns_rdataset_t *sigset) {
 	isc_result_t result;
 	dns_secalg_t *algo;
 	int i;
@@ -608,8 +596,7 @@ matching_sigs(keyinfo_t *keytbl, dns_rdataset_t *rdataset,
 	algo = isc_mem_get(mctx, nkey);
 	memset(algo, 0, nkey);
 
-	for (result = dns_rdataset_first(sigset);
-	     result == ISC_R_SUCCESS;
+	for (result = dns_rdataset_first(sigset); result == ISC_R_SUCCESS;
 	     result = dns_rdataset_next(sigset))
 	{
 		dns_rdata_t sigrdata = DNS_RDATA_INIT;
@@ -630,26 +617,27 @@ matching_sigs(keyinfo_t *keytbl, dns_rdataset_t *rdataset,
 
 		for (i = 0; i < nkey; i++) {
 			keyinfo_t *ki = &keytbl[i];
-			if (sig.keyid != ki->tag ||
-			    sig.algorithm != ki->algo ||
+			if (sig.keyid != ki->tag || sig.algorithm != ki->algo ||
 			    !dns_name_equal(&sig.signer, name))
 			{
 				continue;
 			}
 			if (ki->dst == NULL) {
-				vbprintf(1, "skip RRSIG by key %d:"
+				vbprintf(1,
+					 "skip RRSIG by key %d:"
 					 " no matching (C)DS\n",
 					 sig.keyid);
 				continue;
 			}
 
 			result = dns_dnssec_verify(name, rdataset, ki->dst,
-						   false, 0, mctx,
-						   &sigrdata, NULL);
+						   false, 0, mctx, &sigrdata,
+						   NULL);
 
 			if (result != ISC_R_SUCCESS &&
 			    result != DNS_R_FROMWILDCARD) {
-				vbprintf(1, "skip RRSIG by key %d:"
+				vbprintf(1,
+					 "skip RRSIG by key %d:"
 					 " verification failed: %s\n",
 					 sig.keyid, isc_result_totext(result));
 				continue;
@@ -663,8 +651,7 @@ matching_sigs(keyinfo_t *keytbl, dns_rdataset_t *rdataset,
 			 * only after the signature has been verified
 			 */
 			if (oldestsig.timesigned == 0 ||
-			    isc_serial_lt(sig.timesigned,
-					  oldestsig.timesigned))
+			    isc_serial_lt(sig.timesigned, oldestsig.timesigned))
 			{
 				verbose_time(2, "this is the oldest so far",
 					     sig.timesigned);
@@ -704,8 +691,7 @@ signed_strict(dns_rdataset_t *dsset, dns_secalg_t *algo) {
 	isc_result_t result;
 	bool all_ok = true;
 
-	for (result = dns_rdataset_first(dsset);
-	     result == ISC_R_SUCCESS;
+	for (result = dns_rdataset_first(dsset); result == ISC_R_SUCCESS;
 	     result = dns_rdataset_next(dsset))
 	{
 		dns_rdata_t dsrdata = DNS_RDATA_INIT;
@@ -724,8 +710,10 @@ signed_strict(dns_rdataset_t *dsset, dns_secalg_t *algo) {
 			}
 		}
 		if (!ds_ok) {
-			vbprintf(0, "missing signature for algorithm %d "
-				 "(key %d)\n", ds.algorithm, ds.key_tag);
+			vbprintf(0,
+				 "missing signature for algorithm %d "
+				 "(key %d)\n",
+				 ds.algorithm, ds.key_tag);
 			all_ok = false;
 		}
 	}
@@ -766,26 +754,29 @@ ds_from_cds(dns_rdatalist_t *dslist, isc_buffer_t *buf, dns_rdata_t *cds) {
 	dns_rdata_ds_t ds;
 	dns_rdata_t *rdata;
 
+	REQUIRE(buf != NULL);
+
 	rdata = rdata_get();
 
 	result = dns_rdata_tostruct(cds, &ds, NULL);
 	check_result(result, "dns_rdata_tostruct(CDS)");
 	ds.common.rdtype = dns_rdatatype_ds;
 
-	result = dns_rdata_fromstruct(rdata, rdclass, dns_rdatatype_ds,
-				      &ds, buf);
+	result = dns_rdata_fromstruct(rdata, rdclass, dns_rdatatype_ds, &ds,
+				      buf);
 
 	return (rdata_put(result, dslist, rdata));
 }
 
 static isc_result_t
 ds_from_cdnskey(dns_rdatalist_t *dslist, isc_buffer_t *buf,
-		 dns_rdata_t *cdnskey)
-{
+		dns_rdata_t *cdnskey) {
 	isc_result_t result;
 	unsigned i, n;
 
-	n = sizeof(dtype)/sizeof(dtype[0]);
+	REQUIRE(buf != NULL);
+
+	n = sizeof(dtype) / sizeof(dtype[0]);
 	for (i = 0; i < n; i++) {
 		if (dtype[i] != 0) {
 			dns_rdata_t *rdata;
@@ -814,9 +805,8 @@ ds_from_cdnskey(dns_rdatalist_t *dslist, isc_buffer_t *buf,
 }
 
 static void
-make_new_ds_set(ds_maker_func_t *ds_from_rdata,
-		uint32_t ttl, dns_rdataset_t *rdset)
-{
+make_new_ds_set(ds_maker_func_t *ds_from_rdata, uint32_t ttl,
+		dns_rdataset_t *rdset) {
 	unsigned int size = 16;
 	for (;;) {
 		isc_result_t result;
@@ -836,8 +826,7 @@ make_new_ds_set(ds_maker_func_t *ds_from_rdata,
 		isc_buffer_allocate(mctx, &new_ds_buf, size);
 
 		for (result = dns_rdataset_first(rdset);
-		     result == ISC_R_SUCCESS;
-		     result = dns_rdataset_next(rdset))
+		     result == ISC_R_SUCCESS; result = dns_rdataset_next(rdset))
 		{
 			isc_result_t tresult;
 			dns_rdata_t rdata = DNS_RDATA_INIT;
@@ -891,8 +880,7 @@ consistent_digests(dns_rdataset_t *dsset) {
 
 	arrdata = isc_mem_get(mctx, n * sizeof(dns_rdata_t));
 
-	for (result = dns_rdataset_first(dsset), i = 0;
-	     result == ISC_R_SUCCESS;
+	for (result = dns_rdataset_first(dsset), i = 0; result == ISC_R_SUCCESS;
 	     result = dns_rdataset_next(dsset), i++)
 	{
 		dns_rdata_init(&arrdata[i]);
@@ -929,10 +917,10 @@ consistent_digests(dns_rdataset_t *dsset) {
 	while (i < n) {
 		key_tag = ds[i].key_tag;
 		algorithm = ds[i].algorithm;
-		for (j = 0; j < d && i+j < n; j++) {
-			if (ds[i+j].key_tag != key_tag ||
-			    ds[i+j].algorithm != algorithm ||
-			    ds[i+j].digest_type != ds[j].digest_type)
+		for (j = 0; j < d && i + j < n; j++) {
+			if (ds[i + j].key_tag != key_tag ||
+			    ds[i + j].algorithm != algorithm ||
+			    ds[i + j].digest_type != ds[j].digest_type)
 			{
 				match = false;
 			}
@@ -969,9 +957,8 @@ print_diff(const char *cmd, dns_rdataset_t *rdataset) {
 }
 
 static void
-update_diff(const char *cmd, uint32_t ttl,
-	    dns_rdataset_t *addset, dns_rdataset_t *delset)
-{
+update_diff(const char *cmd, uint32_t ttl, dns_rdataset_t *addset,
+	    dns_rdataset_t *delset) {
 	isc_result_t result;
 	dns_db_t *db;
 	dns_dbnode_t *node;
@@ -980,8 +967,8 @@ update_diff(const char *cmd, uint32_t ttl,
 	uint32_t save;
 
 	db = NULL;
-	result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone,
-			       rdclass, 0, NULL, &db);
+	result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone, rdclass, 0,
+			       NULL, &db);
 	check_result(result, "dns_db_create()");
 
 	ver = NULL;
@@ -994,12 +981,11 @@ update_diff(const char *cmd, uint32_t ttl,
 
 	dns_rdataset_init(&diffset);
 
-	result = dns_db_addrdataset(db, node, ver, 0, addset,
-				    DNS_DBADD_MERGE, NULL);
+	result = dns_db_addrdataset(db, node, ver, 0, addset, DNS_DBADD_MERGE,
+				    NULL);
 	check_result(result, "dns_db_addrdataset()");
 
-	result = dns_db_subtractrdataset(db, node, ver, delset,
-					 0, &diffset);
+	result = dns_db_subtractrdataset(db, node, ver, delset, 0, &diffset);
 	if (result == DNS_R_UNCHANGED) {
 		save = addset->ttl;
 		addset->ttl = ttl;
@@ -1045,18 +1031,22 @@ usage(void) {
 		program);
 	fprintf(stderr, "Version: %s\n", VERSION);
 	fprintf(stderr, "Options:\n"
-"    -a <algorithm>     digest algorithm (SHA-1 / SHA-256 / SHA-384)\n"
-"    -c <class>         of domain (default IN)\n"
-"    -D                 prefer CDNSKEY records instead of CDS\n"
-"    -d <file|dir>      where to find parent dsset- file\n"
-"    -f <file>          child DNSKEY+CDNSKEY+CDS+RRSIG records\n"
-"    -i[extension]      update dsset- file in place\n"
-"    -s <start-time>    oldest permitted child signatures\n"
-"    -u                 emit nsupdate script\n"
-"    -T <ttl>           TTL of DS records\n"
-"    -V                 print version\n"
-"    -v <verbosity>\n"
-	);
+			"    -a <algorithm>     digest algorithm (SHA-1 / "
+			"SHA-256 / SHA-384)\n"
+			"    -c <class>         of domain (default IN)\n"
+			"    -D                 prefer CDNSKEY records instead "
+			"of CDS\n"
+			"    -d <file|dir>      where to find parent dsset- "
+			"file\n"
+			"    -f <file>          child DNSKEY+CDNSKEY+CDS+RRSIG "
+			"records\n"
+			"    -i[extension]      update dsset- file in place\n"
+			"    -s <start-time>    oldest permitted child "
+			"signatures\n"
+			"    -u                 emit nsupdate script\n"
+			"    -T <ttl>           TTL of DS records\n"
+			"    -V                 print version\n"
+			"    -v <verbosity>\n");
 	exit(1);
 }
 
@@ -1076,7 +1066,7 @@ main(int argc, char *argv[]) {
 
 #if USE_PKCS11
 	pk11_result_register();
-#endif
+#endif /* if USE_PKCS11 */
 	dns_result_register();
 
 	isc_commandline_errprint = false;
@@ -1105,8 +1095,7 @@ main(int argc, char *argv[]) {
 			 * so that it works just like sed(1).
 			 */
 			if (isc_commandline_argument ==
-			    argv[isc_commandline_index - 1])
-			{
+			    argv[isc_commandline_index - 1]) {
 				isc_commandline_index--;
 				inplace = "";
 			} else {
@@ -1115,7 +1104,7 @@ main(int argc, char *argv[]) {
 			break;
 		case 'm':
 			isc_mem_debugging = ISC_MEM_DEBUGTRACE |
-				ISC_MEM_DEBUGRECORD;
+					    ISC_MEM_DEBUGRECORD;
 			break;
 		case 's':
 			startstr = isc_commandline_argument;
@@ -1198,8 +1187,7 @@ main(int argc, char *argv[]) {
 		fatal("missing RRSIG CDNSKEY records for %s", namestr);
 	}
 	if (dns_rdataset_isassociated(&cds_set) &&
-	    !dns_rdataset_isassociated(&cds_sig))
-	{
+	    !dns_rdataset_isassociated(&cds_sig)) {
 		fatal("missing RRSIG CDS records for %s", namestr);
 	}
 
@@ -1220,18 +1208,16 @@ main(int argc, char *argv[]) {
 
 	if (dns_rdataset_isassociated(&cdnskey_set)) {
 		vbprintf(1, "verify CDNSKEY signature(s)\n");
-		if (!signed_loose(matching_sigs(old_key_tbl,
-						&cdnskey_set, &cdnskey_sig)))
-		{
+		if (!signed_loose(matching_sigs(old_key_tbl, &cdnskey_set,
+						&cdnskey_sig))) {
 			fatal("could not validate child CDNSKEY RRset for %s",
 			      namestr);
 		}
 	}
 	if (dns_rdataset_isassociated(&cds_set)) {
 		vbprintf(1, "verify CDS signature(s)\n");
-		if (!signed_loose(matching_sigs(old_key_tbl,
-						&cds_set, &cds_sig)))
-		{
+		if (!signed_loose(
+			    matching_sigs(old_key_tbl, &cds_set, &cds_sig))) {
 			fatal("could not validate child CDS RRset for %s",
 			      namestr);
 		}
@@ -1248,12 +1234,11 @@ main(int argc, char *argv[]) {
 		dns_rdatatype_format(oldestsig.covered, type, sizeof(type));
 		verbose_time(1, "child signature inception time",
 			     oldestsig.timesigned);
-		vbprintf(2, "from RRSIG %s by key %d\n",
-			 type, oldestsig.keyid);
+		vbprintf(2, "from RRSIG %s by key %d\n", type, oldestsig.keyid);
 	}
 
 	/*
-	 * Sucessfully do nothing if there's neither CDNSKEY nor CDS
+	 * Successfully do nothing if there's neither CDNSKEY nor CDS
 	 * RFC 7344 section 4.1 first paragraph
 	 */
 	if (!dns_rdataset_isassociated(&cdnskey_set) &&
@@ -1286,16 +1271,17 @@ main(int argc, char *argv[]) {
 
 	if (!consistent_digests(&new_ds_set)) {
 		fatal("CDS records at %s do not cover each key "
-		      "with the same set of digest types", namestr);
+		      "with the same set of digest types",
+		      namestr);
 	}
 
 	vbprintf(1, "verify DNSKEY signature(s)\n");
-	if (!signed_strict(&new_ds_set,
-			   matching_sigs(new_key_tbl,
-					 &dnskey_set, &dnskey_sig)))
+	if (!signed_strict(&new_ds_set, matching_sigs(new_key_tbl, &dnskey_set,
+						      &dnskey_sig)))
 	{
 		fatal("could not validate child DNSKEY RRset "
-		      "with new DS records for %s", namestr);
+		      "with new DS records for %s",
+		      namestr);
 	}
 
 	free_keytable(&new_key_tbl);

bin/dnssec/dnssec-cds.docbook

@@ -1,390 +0,0 @@
-<!--
- - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
- -
- - See the COPYRIGHT file distributed with this work for additional
- - information regarding copyright ownership.
--->
-
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-cds">
-  <info>
-    <date>2017-10-02</date>
-  </info>
-  <refentryinfo>
-    <corpname>ISC</corpname>
-    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
-    <author>
-      <personname>Tony Finch</personname>
-      <email>dot@dotat.at</email>
-      <email>fanf2@cam.ac.uk</email>
-      <affiliation>Cambridge University Information Services</affiliation>
-      <personblurb></personblurb>
-    </author>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle><application>dnssec-cds</application></refentrytitle>
-   <manvolnum>8</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <refnamediv>
-    <refname><application>dnssec-cds</application></refname>
-    <refpurpose>change DS records for a child zone based on CDS/CDNSKEY</refpurpose>
-  </refnamediv>
-
-  <docinfo>
-    <copyright>
-      <year>2017</year>
-      <year>2018</year>
-      <year>2019</year>
-      <year>2020</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-  </docinfo>
-
-  <refsynopsisdiv>
-    <cmdsynopsis sepchar=" ">
-      <command>dnssec-cds</command>
-      <arg choice="opt" rep="repeat"><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-D</option></arg>
-      <arg choice="req" rep="norepeat"><option>-d <replaceable class="parameter">dsset-file</replaceable></option></arg>
-      <arg choice="req" rep="norepeat"><option>-f <replaceable class="parameter">child-file</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-i</option><arg choice="opt" rep="norepeat"><replaceable class="parameter">extension</replaceable></arg></arg>
-      <arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">ttl</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-u</option></arg>
-      <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-V</option></arg>
-      <arg choice="req" rep="norepeat">domain</arg>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsection><info><title>DESCRIPTION</title></info>
-
-    <para>
-      The <command>dnssec-cds</command> command changes DS records at
-      a delegation point based on CDS or CDNSKEY records published in
-      the child zone. If both CDS and CDNSKEY records are present in
-      the child zone, the CDS is preferred. This enables a child zone
-      to inform its parent of upcoming changes to its key-signing keys;
-      by polling periodically with <command>dnssec-cds</command>, the
-      parent can keep the DS records up to date and enable automatic
-      rolling of KSKs.
-    </para>
-    <para>
-      Two input files are required.  The
-      <option>-f <replaceable class="parameter">child-file</replaceable></option>
-      option specifies a file containing the child's CDS and/or CDNSKEY
-      records, plus RRSIG and DNSKEY records so that they can be
-      authenticated.  The
-      <option>-d <replaceable class="parameter">path</replaceable></option>
-      option specifies the location of a file containing the current DS
-      records. For example, this could be a <filename>dsset-</filename>
-      file generated by <command>dnssec-signzone</command>, or the output of
-      <command>dnssec-dsfromkey</command>, or the output of a previous
-      run of <command>dnssec-cds</command>.
-    </para>
-    <para>
-      The <command>dnssec-cds</command> command uses special DNSSEC
-      validation logic specified by RFC 7344. It requires that the CDS
-      and/or CDNSKEY records are validly signed by a key represented in the
-      existing DS records. This will typicially be the pre-existing
-      key-signing key (KSK).
-    </para>
-    <para>
-      For protection against replay attacks, the signatures on the
-      child records must not be older than they were on a previous run
-      of <command>dnssec-cds</command>. This time is obtained from the
-      modification time of the <filename>dsset-</filename> file, or
-      from the <option>-s</option> option.
-    </para>
-    <para>
-      To protect against breaking the delegation,
-      <command>dnssec-cds</command> ensures that the DNSKEY RRset can be
-      verified by every key algorithm in the new DS RRset, and that the
-      same set of keys are covered by every DS digest type.
-    </para>
-    <para>
-      By default, replacement DS records are written to the standard
-      output; with the <option>-i</option> option the input file is
-      overwritten in place. The replacement DS records will be the
-      same as the existing records when no change is required. The
-      output can be empty if the CDS / CDNSKEY records specify that
-      the child zone wants to go insecure.
-    </para>
-    <para>
-      Warning: Be careful not to delete the DS records
-      when <command>dnssec-cds</command> fails!
-    </para>
-    <para>
-      Alternatively, <command>dnssec-cds -u</command> writes
-      an <command>nsupdate</command> script to the standard output.
-      You can use the <option>-u</option> and <option>-i</option>
-      options together to maintain a <filename>dsset-</filename> file
-      as well as emit an <command>nsupdate</command> script.
-    </para>
-
-  </refsection>
-
-  <refsection><info><title>OPTIONS</title></info>
-
-    <variablelist>
-
-      <varlistentry>
-	<term>-a <replaceable class="parameter">algorithm</replaceable></term>
-        <listitem>
-          <para>
-	    Specify a digest algorithm to use when converting CDNSKEY
-	    records to DS records. This option can be repeated, so
-	    that multiple DS records are created for each CDNSKEY
-	    record. This option has no effect when using CDS records.
-          </para>
-          <para>
-	    The <replaceable>algorithm</replaceable> must be one of
-	    SHA-1, SHA-256, or SHA-384.  These values are case insensitive,
-	    and the hyphen may be omitted.  If no algorithm is specified,
-	    the default is SHA-256.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-c <replaceable class="parameter">class</replaceable></term>
-        <listitem>
-          <para>
-            Specifies the DNS class of the zones.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-D</term>
-        <listitem>
-          <para>
-	    Generate DS records from CDNSKEY records if both CDS and
-	    CDNSKEY records are present in the child zone. By default
-	    CDS records are preferred.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-d <replaceable class="parameter">path</replaceable></term>
-        <listitem>
-          <para>
-            Location of the parent DS records.
-	    The <replaceable>path</replaceable> can be the name of a file
-	    containing the DS records, or if it is a
-	    directory, <command>dnssec-cds</command> looks for
-	    a <filename>dsset-</filename> file for
-	    the <replaceable>domain</replaceable> inside the directory.
-          </para>
-          <para>
-            To protect against replay attacks, child records are
-            rejected if they were signed earlier than the modification
-            time of the <filename>dsset-</filename> file. This can be
-            adjusted with the <option>-s</option> option.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-f <replaceable class="parameter">child-file</replaceable></term>
-        <listitem>
-          <para>
-	    File containing the child's CDS and/or CDNSKEY records,
-	    plus its DNSKEY records and the covering RRSIG records so
-	    that they can be authenticated.
-          </para>
-	  <para>
-	    The EXAMPLES below describe how to generate this file.
-	  </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-i<arg choice="opt" rep="norepeat"><replaceable class="parameter">extension</replaceable></arg></term>
-        <listitem>
-          <para>
-            Update the <filename>dsset-</filename> file in place,
-            instead of writing DS records to the standard output.
-          </para>
-	  <para>
-	    There must be no space between the <option>-i</option> and
-	    the <replaceable>extension</replaceable>. If you provide
-	    no <replaceable>extension</replaceable> then the
-	    old <filename>dsset-</filename> is discarded. If
-	    an <replaceable>extension</replaceable> is present, a
-	    backup of the old <filename>dsset-</filename> file is kept
-	    with the <replaceable>extension</replaceable> appended to
-	    its filename.
-	  </para>
-          <para>
-            To protect against replay attacks, the modification time
-            of the <filename>dsset-</filename> file is set to match
-            the signature inception time of the child records,
-            provided that is later than the file's current
-            modification time.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-s <replaceable class="parameter">start-time</replaceable></term>
-        <listitem>
-          <para>
-            Specify the date and time after which RRSIG records become
-            acceptable. This can be either an absolute or relative
-            time. An absolute start time is indicated by a number in
-            YYYYMMDDHHMMSS notation; 20170827133700 denotes 13:37:00
-            UTC on August 27th, 2017. A time relative to
-            the <filename>dsset-</filename> file is indicated with -N,
-            which is N seconds before the file modification time. A
-            time relative to the current time is indicated with now+N.
-	  </para>
-	  <para>
-            If no <replaceable>start-time</replaceable> is specified, the
-            modification time of the <filename>dsset-</filename> file
-            is used.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-T <replaceable class="parameter">ttl</replaceable></term>
-        <listitem>
-          <para>
-            Specifies a TTL to be used for new DS records. If not
-            specified, the default is the TTL of the old DS records.
-            If they had no explicit TTL then the new DS records also
-            have no explicit TTL.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-u</term>
-        <listitem>
-          <para>
-	    Write an <command>nsupdate</command> script to the
-	    standard output, instead of printing the new DS reords.
-	    The output will be empty if no change is needed.
-          </para>
-	  <para>
-	    Note: The TTL of new records needs to be specified, either
-	    in the original <filename>dsset-</filename> file, or with
-	    the <option>-T</option> option, or using
-	    the <command>nsupdate</command> <command>ttl</command>
-	    command.
-	  </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-V</term>
-        <listitem>
-	  <para>
-	    Print version information.
-	  </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-v <replaceable class="parameter">level</replaceable></term>
-        <listitem>
-          <para>
-            Sets the debugging level. Level 1 is intended to be
-            usefully verbose for general users; higher levels are
-            intended for developers.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><replaceable>domain</replaceable></term>
-        <listitem>
-          <para>
-            The name of the delegation point / child zone apex.
-          </para>
-        </listitem>
-      </varlistentry>
-
-    </variablelist>
-  </refsection>
-
-  <refsection><info><title>EXIT STATUS</title></info>
-
-    <para>
-      The <command>dnssec-cds</command> command exits 0 on success, or
-      non-zero if an error occurred.
-    </para>
-    <para>
-      In the success case, the DS records might or might not need
-      to be changed.
-    </para>
-
-  </refsection>
-
-  <refsection><info><title>EXAMPLES</title></info>
-
-    <para>
-      Before running <command>dnssec-signzone</command>, you can ensure
-      that the delegations are up-to-date by running
-      <command>dnssec-cds</command> on every <filename>dsset-</filename> file.
-    </para>
-    <para>
-      To fetch the child records required by <command>dnssec-cds</command>
-      you can invoke <command>dig</command> as in the script below.  It's
-      okay if the <command>dig</command> fails since
-      <command>dnssec-cds</command> performs all the necessary checking.
-    </para>
-<programlisting>for f in dsset-*
-do
-	d=${f#dsset-}
-	dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
-	dnssec-cds -i -f /dev/stdin -d $f $d
-done
-</programlisting>
-
-    <para>
-      When the parent zone is automatically signed by
-      <command>named</command>, you can use <command>dnssec-cds</command>
-      with <command>nsupdate</command> to maintain a delegation as follows.
-      The <filename>dsset-</filename> file allows the script to avoid
-      having to fetch and validate the parent DS records, and it keeps the
-      replay attack protection time.
-    </para>
-<programlisting>
-dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
-dnssec-cds -u -i -f /dev/stdin -d $f $d |
-nsupdate -l
-</programlisting>
-  </refsection>
-
-  <refsection><info><title>SEE ALSO</title></info>
-
-    <para>
-      <citerefentry>
-        <refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>dnssec-settime</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>nsupdate</refentrytitle><manvolnum>1</manvolnum>
-      </citerefentry>,
-      <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
-      <citetitle>RFC 7344</citetitle>.
-    </para>
-
-  </refsection>
-
-</refentry>

bin/dnssec/dnssec-cds.html

@@ -1,343 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2017-2020 Internet Systems Consortium, Inc. ("ISC")
- - 
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>dnssec-cds</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
-<a name="man.dnssec-cds"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
-<h2>Name</h2>
-<p>
-    <span class="application">dnssec-cds</span>
-     &#8212; change DS records for a child zone based on CDS/CDNSKEY
-  </p>
-</div>
-
-  
-
-  <div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">dnssec-cds</code> 
-       [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>...]
-       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
-       [<code class="option">-D</code>]
-       {<code class="option">-d <em class="replaceable"><code>dsset-file</code></em></code>}
-       {<code class="option">-f <em class="replaceable"><code>child-file</code></em></code>}
-       [<code class="option">-i</code> [<em class="replaceable"><code>extension</code></em>]]
-       [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>]
-       [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>]
-       [<code class="option">-u</code>]
-       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
-       [<code class="option">-V</code>]
-       {domain}
-    </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-    <p>
-      The <span class="command"><strong>dnssec-cds</strong></span> command changes DS records at
-      a delegation point based on CDS or CDNSKEY records published in
-      the child zone. If both CDS and CDNSKEY records are present in
-      the child zone, the CDS is preferred. This enables a child zone
-      to inform its parent of upcoming changes to its key-signing keys;
-      by polling periodically with <span class="command"><strong>dnssec-cds</strong></span>, the
-      parent can keep the DS records up to date and enable automatic
-      rolling of KSKs.
-    </p>
-    <p>
-      Two input files are required.  The
-      <code class="option">-f <em class="replaceable"><code>child-file</code></em></code>
-      option specifies a file containing the child's CDS and/or CDNSKEY
-      records, plus RRSIG and DNSKEY records so that they can be
-      authenticated.  The
-      <code class="option">-d <em class="replaceable"><code>path</code></em></code>
-      option specifies the location of a file containing the current DS
-      records. For example, this could be a <code class="filename">dsset-</code>
-      file generated by <span class="command"><strong>dnssec-signzone</strong></span>, or the output of
-      <span class="command"><strong>dnssec-dsfromkey</strong></span>, or the output of a previous
-      run of <span class="command"><strong>dnssec-cds</strong></span>.
-    </p>
-    <p>
-      The <span class="command"><strong>dnssec-cds</strong></span> command uses special DNSSEC
-      validation logic specified by RFC 7344. It requires that the CDS
-      and/or CDNSKEY records are validly signed by a key represented in the
-      existing DS records. This will typicially be the pre-existing
-      key-signing key (KSK).
-    </p>
-    <p>
-      For protection against replay attacks, the signatures on the
-      child records must not be older than they were on a previous run
-      of <span class="command"><strong>dnssec-cds</strong></span>. This time is obtained from the
-      modification time of the <code class="filename">dsset-</code> file, or
-      from the <code class="option">-s</code> option.
-    </p>
-    <p>
-      To protect against breaking the delegation,
-      <span class="command"><strong>dnssec-cds</strong></span> ensures that the DNSKEY RRset can be
-      verified by every key algorithm in the new DS RRset, and that the
-      same set of keys are covered by every DS digest type.
-    </p>
-    <p>
-      By default, replacement DS records are written to the standard
-      output; with the <code class="option">-i</code> option the input file is
-      overwritten in place. The replacement DS records will be the
-      same as the existing records when no change is required. The
-      output can be empty if the CDS / CDNSKEY records specify that
-      the child zone wants to go insecure.
-    </p>
-    <p>
-      Warning: Be careful not to delete the DS records
-      when <span class="command"><strong>dnssec-cds</strong></span> fails!
-    </p>
-    <p>
-      Alternatively, <span class="command"><strong>dnssec-cds -u</strong></span> writes
-      an <span class="command"><strong>nsupdate</strong></span> script to the standard output.
-      You can use the <code class="option">-u</code> and <code class="option">-i</code>
-      options together to maintain a <code class="filename">dsset-</code> file
-      as well as emit an <span class="command"><strong>nsupdate</strong></span> script.
-    </p>
-
-  </div>
-
-  <div class="refsection">
-<a name="id-1.8"></a><h2>OPTIONS</h2>
-
-    <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
-<dd>
-          <p>
-	    Specify a digest algorithm to use when converting CDNSKEY
-	    records to DS records. This option can be repeated, so
-	    that multiple DS records are created for each CDNSKEY
-	    record. This option has no effect when using CDS records.
-          </p>
-          <p>
-	    The <em class="replaceable"><code>algorithm</code></em> must be one of
-	    SHA-1, SHA-256, or SHA-384.  These values are case insensitive,
-	    and the hyphen may be omitted.  If no algorithm is specified,
-	    the default is SHA-256.
-          </p>
-        </dd>
-<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd>
-          <p>
-            Specifies the DNS class of the zones.
-          </p>
-        </dd>
-<dt><span class="term">-D</span></dt>
-<dd>
-          <p>
-	    Generate DS records from CDNSKEY records if both CDS and
-	    CDNSKEY records are present in the child zone. By default
-	    CDS records are preferred.
-          </p>
-        </dd>
-<dt><span class="term">-d <em class="replaceable"><code>path</code></em></span></dt>
-<dd>
-          <p>
-            Location of the parent DS records.
-	    The <em class="replaceable"><code>path</code></em> can be the name of a file
-	    containing the DS records, or if it is a
-	    directory, <span class="command"><strong>dnssec-cds</strong></span> looks for
-	    a <code class="filename">dsset-</code> file for
-	    the <em class="replaceable"><code>domain</code></em> inside the directory.
-          </p>
-          <p>
-            To protect against replay attacks, child records are
-            rejected if they were signed earlier than the modification
-            time of the <code class="filename">dsset-</code> file. This can be
-            adjusted with the <code class="option">-s</code> option.
-          </p>
-        </dd>
-<dt><span class="term">-f <em class="replaceable"><code>child-file</code></em></span></dt>
-<dd>
-          <p>
-	    File containing the child's CDS and/or CDNSKEY records,
-	    plus its DNSKEY records and the covering RRSIG records so
-	    that they can be authenticated.
-          </p>
-	  <p>
-	    The EXAMPLES below describe how to generate this file.
-	  </p>
-        </dd>
-<dt><span class="term">-i[<em class="replaceable"><code>extension</code></em>]</span></dt>
-<dd>
-          <p>
-            Update the <code class="filename">dsset-</code> file in place,
-            instead of writing DS records to the standard output.
-          </p>
-	  <p>
-	    There must be no space between the <code class="option">-i</code> and
-	    the <em class="replaceable"><code>extension</code></em>. If you provide
-	    no <em class="replaceable"><code>extension</code></em> then the
-	    old <code class="filename">dsset-</code> is discarded. If
-	    an <em class="replaceable"><code>extension</code></em> is present, a
-	    backup of the old <code class="filename">dsset-</code> file is kept
-	    with the <em class="replaceable"><code>extension</code></em> appended to
-	    its filename.
-	  </p>
-          <p>
-            To protect against replay attacks, the modification time
-            of the <code class="filename">dsset-</code> file is set to match
-            the signature inception time of the child records,
-            provided that is later than the file's current
-            modification time.
-          </p>
-        </dd>
-<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
-<dd>
-          <p>
-            Specify the date and time after which RRSIG records become
-            acceptable. This can be either an absolute or relative
-            time. An absolute start time is indicated by a number in
-            YYYYMMDDHHMMSS notation; 20170827133700 denotes 13:37:00
-            UTC on August 27th, 2017. A time relative to
-            the <code class="filename">dsset-</code> file is indicated with -N,
-            which is N seconds before the file modification time. A
-            time relative to the current time is indicated with now+N.
-	  </p>
-	  <p>
-            If no <em class="replaceable"><code>start-time</code></em> is specified, the
-            modification time of the <code class="filename">dsset-</code> file
-            is used.
-          </p>
-        </dd>
-<dt><span class="term">-T <em class="replaceable"><code>ttl</code></em></span></dt>
-<dd>
-          <p>
-            Specifies a TTL to be used for new DS records. If not
-            specified, the default is the TTL of the old DS records.
-            If they had no explicit TTL then the new DS records also
-            have no explicit TTL.
-          </p>
-        </dd>
-<dt><span class="term">-u</span></dt>
-<dd>
-          <p>
-	    Write an <span class="command"><strong>nsupdate</strong></span> script to the
-	    standard output, instead of printing the new DS reords.
-	    The output will be empty if no change is needed.
-          </p>
-	  <p>
-	    Note: The TTL of new records needs to be specified, either
-	    in the original <code class="filename">dsset-</code> file, or with
-	    the <code class="option">-T</code> option, or using
-	    the <span class="command"><strong>nsupdate</strong></span> <span class="command"><strong>ttl</strong></span>
-	    command.
-	  </p>
-        </dd>
-<dt><span class="term">-V</span></dt>
-<dd>
-	  <p>
-	    Print version information.
-	  </p>
-        </dd>
-<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd>
-          <p>
-            Sets the debugging level. Level 1 is intended to be
-            usefully verbose for general users; higher levels are
-            intended for developers.
-          </p>
-        </dd>
-<dt><span class="term"><em class="replaceable"><code>domain</code></em></span></dt>
-<dd>
-          <p>
-            The name of the delegation point / child zone apex.
-          </p>
-        </dd>
-</dl></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.9"></a><h2>EXIT STATUS</h2>
-
-    <p>
-      The <span class="command"><strong>dnssec-cds</strong></span> command exits 0 on success, or
-      non-zero if an error occurred.
-    </p>
-    <p>
-      In the success case, the DS records might or might not need
-      to be changed.
-    </p>
-
-  </div>
-
-  <div class="refsection">
-<a name="id-1.10"></a><h2>EXAMPLES</h2>
-
-    <p>
-      Before running <span class="command"><strong>dnssec-signzone</strong></span>, you can ensure
-      that the delegations are up-to-date by running
-      <span class="command"><strong>dnssec-cds</strong></span> on every <code class="filename">dsset-</code> file.
-    </p>
-    <p>
-      To fetch the child records required by <span class="command"><strong>dnssec-cds</strong></span>
-      you can invoke <span class="command"><strong>dig</strong></span> as in the script below.  It's
-      okay if the <span class="command"><strong>dig</strong></span> fails since
-      <span class="command"><strong>dnssec-cds</strong></span> performs all the necessary checking.
-    </p>
-<pre class="programlisting">for f in dsset-*
-do
-	d=${f#dsset-}
-	dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
-	dnssec-cds -i -f /dev/stdin -d $f $d
-done
-</pre>
-
-    <p>
-      When the parent zone is automatically signed by
-      <span class="command"><strong>named</strong></span>, you can use <span class="command"><strong>dnssec-cds</strong></span>
-      with <span class="command"><strong>nsupdate</strong></span> to maintain a delegation as follows.
-      The <code class="filename">dsset-</code> file allows the script to avoid
-      having to fetch and validate the parent DS records, and it keeps the
-      replay attack protection time.
-    </p>
-<pre class="programlisting">
-dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
-dnssec-cds -u -i -f /dev/stdin -d $f $d |
-nsupdate -l
-</pre>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.11"></a><h2>SEE ALSO</h2>
-
-    <p>
-      <span class="citerefentry">
-        <span class="refentrytitle">dig</span>(1)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">dnssec-settime</span>(8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">dnssec-signzone</span>(8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">nsupdate</span>(1)
-      </span>,
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
-      <em class="citetitle">RFC 7344</em>.
-    </p>
-
-  </div>
-
-</div></body>
-</html>

bin/dnssec/dnssec-cds.rst

@@ -0,0 +1,212 @@
+.. 
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+   
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, You can obtain one at http://mozilla.org/MPL/2.0/.
+   
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
+..
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
+
+.. highlight: console
+
+.. _man_dnssec-cds:
+
+dnssec-cds - change DS records for a child zone based on CDS/CDNSKEY
+--------------------------------------------------------------------
+
+Synopsis
+~~~~~~~~
+
+:program:`dnssec-cds` [**-a** alg...] [**-c** class] [**-D**] {**-d** dsset-file} {**-f** child-file} [**-i** [extension]] [**-s** start-time] [**-T** ttl] [**-u**] [**-v** level] [**-V**] {domain}
+
+Description
+~~~~~~~~~~~
+
+The ``dnssec-cds`` command changes DS records at a delegation point
+based on CDS or CDNSKEY records published in the child zone. If both CDS
+and CDNSKEY records are present in the child zone, the CDS is preferred.
+This enables a child zone to inform its parent of upcoming changes to
+its key-signing keys; by polling periodically with ``dnssec-cds``, the
+parent can keep the DS records up to date and enable automatic rolling
+of KSKs.
+
+Two input files are required. The ``-f child-file`` option specifies a
+file containing the child's CDS and/or CDNSKEY records, plus RRSIG and
+DNSKEY records so that they can be authenticated. The ``-d path`` option
+specifies the location of a file containing the current DS records. For
+example, this could be a ``dsset-`` file generated by
+``dnssec-signzone``, or the output of ``dnssec-dsfromkey``, or the
+output of a previous run of ``dnssec-cds``.
+
+The ``dnssec-cds`` command uses special DNSSEC validation logic
+specified by :rfc:`7344`. It requires that the CDS and/or CDNSKEY records
+are validly signed by a key represented in the existing DS records. This
+will typically be the pre-existing key-signing key (KSK).
+
+For protection against replay attacks, the signatures on the child
+records must not be older than they were on a previous run of
+``dnssec-cds``. This time is obtained from the modification time of the
+``dsset-`` file, or from the ``-s`` option.
+
+To protect against breaking the delegation, ``dnssec-cds`` ensures that
+the DNSKEY RRset can be verified by every key algorithm in the new DS
+RRset, and that the same set of keys are covered by every DS digest
+type.
+
+By default, replacement DS records are written to the standard output;
+with the ``-i`` option the input file is overwritten in place. The
+replacement DS records will be the same as the existing records when no
+change is required. The output can be empty if the CDS / CDNSKEY records
+specify that the child zone wants to go insecure.
+
+Warning: Be careful not to delete the DS records when ``dnssec-cds``
+fails!
+
+Alternatively, ``dnssec-cds -u`` writes an ``nsupdate`` script to the
+standard output. You can use the ``-u`` and ``-i`` options together to
+maintain a ``dsset-`` file as well as emit an ``nsupdate`` script.
+
+Options
+~~~~~~~
+
+**-a** algorithm
+   Specify a digest algorithm to use when converting CDNSKEY records to
+   DS records. This option can be repeated, so that multiple DS records
+   are created for each CDNSKEY record. This option has no effect when
+   using CDS records.
+
+   The algorithm must be one of SHA-1, SHA-256, or SHA-384. These values
+   are case insensitive, and the hyphen may be omitted. If no algorithm
+   is specified, the default is SHA-256.
+
+**-c** class
+   Specifies the DNS class of the zones.
+
+**-D**
+   Generate DS records from CDNSKEY records if both CDS and CDNSKEY
+   records are present in the child zone. By default CDS records are
+   preferred.
+
+**-d** path
+   Location of the parent DS records. The path can be the name of a file
+   containing the DS records, or if it is a directory, ``dnssec-cds``
+   looks for a ``dsset-`` file for the domain inside the directory.
+
+   To protect against replay attacks, child records are rejected if they
+   were signed earlier than the modification time of the ``dsset-``
+   file. This can be adjusted with the ``-s`` option.
+
+**-f** child-file
+   File containing the child's CDS and/or CDNSKEY records, plus its
+   DNSKEY records and the covering RRSIG records so that they can be
+   authenticated.
+
+   The EXAMPLES below describe how to generate this file.
+
+**-iextension**
+   Update the ``dsset-`` file in place, instead of writing DS records to
+   the standard output.
+
+   There must be no space between the ``-i`` and the extension. If you
+   provide no extension then the old ``dsset-`` is discarded. If an
+   extension is present, a backup of the old ``dsset-`` file is kept
+   with the extension appended to its filename.
+
+   To protect against replay attacks, the modification time of the
+   ``dsset-`` file is set to match the signature inception time of the
+   child records, provided that is later than the file's current
+   modification time.
+
+**-s** start-time
+   Specify the date and time after which RRSIG records become
+   acceptable. This can be either an absolute or relative time. An
+   absolute start time is indicated by a number in YYYYMMDDHHMMSS
+   notation; 20170827133700 denotes 13:37:00 UTC on August 27th, 2017. A
+   time relative to the ``dsset-`` file is indicated with -N, which is N
+   seconds before the file modification time. A time relative to the
+   current time is indicated with now+N.
+
+   If no start-time is specified, the modification time of the
+   ``dsset-`` file is used.
+
+**-T** ttl
+   Specifies a TTL to be used for new DS records. If not specified, the
+   default is the TTL of the old DS records. If they had no explicit TTL
+   then the new DS records also have no explicit TTL.
+
+**-u**
+   Write an ``nsupdate`` script to the standard output, instead of
+   printing the new DS reords. The output will be empty if no change is
+   needed.
+
+   Note: The TTL of new records needs to be specified, either in the
+   original ``dsset-`` file, or with the ``-T`` option, or using the
+   ``nsupdate`` ``ttl`` command.
+
+**-V**
+   Print version information.
+
+**-v** level
+   Sets the debugging level. Level 1 is intended to be usefully verbose
+   for general users; higher levels are intended for developers.
+
+domain
+   The name of the delegation point / child zone apex.
+
+Exit Status
+~~~~~~~~~~~
+
+The ``dnssec-cds`` command exits 0 on success, or non-zero if an error
+occurred.
+
+In the success case, the DS records might or might not need to be
+changed.
+
+Examples
+~~~~~~~~
+
+Before running ``dnssec-signzone``, you can ensure that the delegations
+are up-to-date by running ``dnssec-cds`` on every ``dsset-`` file.
+
+To fetch the child records required by ``dnssec-cds`` you can invoke
+``dig`` as in the script below. It's okay if the ``dig`` fails since
+``dnssec-cds`` performs all the necessary checking.
+
+::
+
+   for f in dsset-*
+   do
+       d=${f#dsset-}
+       dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
+       dnssec-cds -i -f /dev/stdin -d $f $d
+   done
+
+When the parent zone is automatically signed by ``named``, you can use
+``dnssec-cds`` with ``nsupdate`` to maintain a delegation as follows.
+The ``dsset-`` file allows the script to avoid having to fetch and
+validate the parent DS records, and it keeps the replay attack
+protection time.
+
+::
+
+   dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
+   dnssec-cds -u -i -f /dev/stdin -d $f $d |
+   nsupdate -l
+
+See Also
+~~~~~~~~
+
+:manpage:`dig(1)`, :manpage:`dnssec-settime(8)`, :manpage:`dnssec-signzone(8)`, :manpage:`nsupdate(1)`, BIND 9 Administrator
+Reference Manual, :rfc:`7344`.

bin/dnssec/dnssec-dsfromkey.8

@@ -1,226 +0,0 @@
-.\" Copyright (C) 2008-2012, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
-.\" 
-.\" This Source Code Form is subject to the terms of the Mozilla Public
-.\" License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
-.\"
-.hy 0
-.ad l
-'\" t
-.\"     Title: dnssec-dsfromkey
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\"      Date: 2019-05-08
-.\"    Manual: BIND9
-.\"    Source: ISC
-.\"  Language: English
-.\"
-.TH "DNSSEC\-DSFROMKEY" "8" "2019\-05\-08" "ISC" "BIND9"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el       .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-dnssec-dsfromkey \- DNSSEC DS RR generation tool
-.SH "SYNOPSIS"
-.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
-\fBdnssec\-dsfromkey\fR [\fB\-1\fR | \fB\-2\fR | \fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR | \fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] {keyfile}
-.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
-\fBdnssec\-dsfromkey\fR [\fB\-1\fR | \fB\-2\fR | \fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR | \fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-A\fR] {\fB\-f\ \fR\fB\fIfile\fR\fR} [dnsname]
-.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
-\fBdnssec\-dsfromkey\fR [\fB\-1\fR | \fB\-2\fR | \fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR | \fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] {\-s} {dnsname}
-.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
-\fBdnssec\-dsfromkey\fR [\fB\-h\fR | \fB\-V\fR]
-.SH "DESCRIPTION"
-.PP
-The
-\fBdnssec\-dsfromkey\fR
-command outputs DS (Delegation Signer) resource records (RRs), or CDS (Child DS) RRs with the
-\fB\-C\fR
-option\&.
-.PP
-The input keys can be specified in a number of ways:
-.PP
-By default,
-\fBdnssec\-dsfromkey\fR
-reads a key file named like
-Knnnn\&.+aaa+iiiii\&.key, as generated by
-\fBdnssec\-keygen\fR\&.
-.PP
-With the
-\fB\-f \fR\fB\fIfile\fR\fR
-option,
-\fBdnssec\-dsfromkey\fR
-reads keys from a zone file or partial zone file (which can contain just the DNSKEY records)\&.
-.PP
-With the
-\fB\-s\fR
-option,
-\fBdnssec\-dsfromkey\fR
-reads a
-keyset\-
-file, as generated by
-\fBdnssec\-keygen\fR\fB\-C\fR\&.
-.SH "OPTIONS"
-.PP
-\-1
-.RS 4
-An abbreviation for
-\fB\-a SHA\-1\fR\&. (Note: The SHA\-1 algorithm is no longer recommended for use when generating new DS and CDS records\&.)
-.RE
-.PP
-\-2
-.RS 4
-An abbreviation for
-\fB\-a SHA\-256\fR\&.
-.RE
-.PP
-\-a \fIalgorithm\fR
-.RS 4
-Specify a digest algorithm to use when converting DNSKEY records to DS records\&. This option can be repeated, so that multiple DS records are created for each DNSKEY record\&.
-.sp
-The
-\fIalgorithm\fR
-must be one of SHA\-1, SHA\-256, or SHA\-384\&. These values are case insensitive, and the hyphen may be omitted\&. If no algorithm is specified, the default is SHA\-256\&. (Note: The SHA\-1 algorithm is no longer recommended for use when generating new DS and CDS records\&.)
-.RE
-.PP
-\-A
-.RS 4
-Include ZSKs when generating DS records\&. Without this option, only keys which have the KSK flag set will be converted to DS records and printed\&. Useful only in
-\fB\-f\fR
-zone file mode\&.
-.RE
-.PP
-\-c \fIclass\fR
-.RS 4
-Specifies the DNS class (default is IN)\&. Useful only in
-\fB\-s\fR
-keyset or
-\fB\-f\fR
-zone file mode\&.
-.RE
-.PP
-\-C
-.RS 4
-Generate CDS records rather than DS records\&.
-.RE
-.PP
-\-f \fIfile\fR
-.RS 4
-Zone file mode:
-\fBdnssec\-dsfromkey\fR\*(Aqs final
-\fIdnsname\fR
-argument is the DNS domain name of a zone whose master file can be read from
-\fBfile\fR\&. If the zone name is the same as
-\fBfile\fR, then it may be omitted\&.
-.sp
-If
-\fIfile\fR
-is
-"\-", then the zone data is read from the standard input\&. This makes it possible to use the output of the
-\fBdig\fR
-command as input, as in:
-.sp
-\fBdig dnskey example\&.com | dnssec\-dsfromkey \-f \- example\&.com\fR
-.RE
-.PP
-\-h
-.RS 4
-Prints usage information\&.
-.RE
-.PP
-\-K \fIdirectory\fR
-.RS 4
-Look for key files or
-keyset\-
-files in
-\fBdirectory\fR\&.
-.RE
-.PP
-\-s
-.RS 4
-Keyset mode:
-\fBdnssec\-dsfromkey\fR\*(Aqs final
-\fIdnsname\fR
-argument is the DNS domain name used to locate a
-keyset\-
-file\&.
-.RE
-.PP
-\-T \fITTL\fR
-.RS 4
-Specifies the TTL of the DS records\&. By default the TTL is omitted\&.
-.RE
-.PP
-\-v \fIlevel\fR
-.RS 4
-Sets the debugging level\&.
-.RE
-.PP
-\-V
-.RS 4
-Prints version information\&.
-.RE
-.SH "EXAMPLE"
-.PP
-To build the SHA\-256 DS RR from the
-\fBKexample\&.com\&.+003+26160\fR
-keyfile name, you can issue the following command:
-.PP
-\fBdnssec\-dsfromkey \-2 Kexample\&.com\&.+003+26160\fR
-.PP
-The command would print something like:
-.PP
-\fBexample\&.com\&. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94\fR
-.SH "FILES"
-.PP
-The keyfile can be designated by the key identification
-Knnnn\&.+aaa+iiiii
-or the full file name
-Knnnn\&.+aaa+iiiii\&.key
-as generated by
-dnssec\-keygen(8)\&.
-.PP
-The keyset file name is built from the
-\fBdirectory\fR, the string
-keyset\-
-and the
-\fBdnsname\fR\&.
-.SH "CAVEAT"
-.PP
-A keyfile error can give a "file not found" even if the file exists\&.
-.SH "SEE ALSO"
-.PP
-\fBdnssec-keygen\fR(8),
-\fBdnssec-signzone\fR(8),
-BIND 9 Administrator Reference Manual,
-RFC 3658
-(DS RRs),
-RFC 4509
-(SHA\-256 for DS RRs),
-RFC 6605
-(SHA\-384 for DS RRs),
-RFC 7344
-(CDS and CDNSKEY RRs)\&.
-.SH "AUTHOR"
-.PP
-\fBInternet Systems Consortium, Inc\&.\fR
-.SH "COPYRIGHT"
-.br
-Copyright \(co 2008-2012, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
-.br

bin/dnssec/dnssec-dsfromkey.c

@@ -43,18 +43,18 @@
 
 #if USE_PKCS11
 #include <pk11/result.h>
-#endif
+#endif /* if USE_PKCS11 */
 
 #include "dnssectool.h"
 
 const char *program = "dnssec-dsfromkey";
 
 static dns_rdataclass_t rdclass;
-static dns_fixedname_t	fixed;
-static dns_name_t	*name = NULL;
-static isc_mem_t	*mctx = NULL;
-static uint32_t	ttl;
-static bool	emitttl = false;
+static dns_fixedname_t fixed;
+static dns_name_t *name = NULL;
+static isc_mem_t *mctx = NULL;
+static uint32_t ttl;
+static bool emitttl = false;
 
 static isc_result_t
 initname(char *setname) {
@@ -76,88 +76,101 @@ db_load_from_stream(dns_db_t *db, FILE *fp) {
 
 	dns_rdatacallbacks_init(&callbacks);
 	result = dns_db_beginload(db, &callbacks);
-	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS) {
 		fatal("dns_db_beginload failed: %s", isc_result_totext(result));
+	}
 
-	result = dns_master_loadstream(fp, name, name, rdclass, 0,
-				       &callbacks, mctx);
-	if (result != ISC_R_SUCCESS)
+	result = dns_master_loadstream(fp, name, name, rdclass, 0, &callbacks,
+				       mctx);
+	if (result != ISC_R_SUCCESS) {
 		fatal("can't load from input: %s", isc_result_totext(result));
+	}
 
 	result = dns_db_endload(db, &callbacks);
-	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS) {
 		fatal("dns_db_endload failed: %s", isc_result_totext(result));
+	}
 }
 
 static isc_result_t
 loadset(const char *filename, dns_rdataset_t *rdataset) {
-	isc_result_t	 result;
-	dns_db_t	 *db = NULL;
-	dns_dbnode_t	 *node = NULL;
+	isc_result_t result;
+	dns_db_t *db = NULL;
+	dns_dbnode_t *node = NULL;
 	char setname[DNS_NAME_FORMATSIZE];
 
 	dns_name_format(name, setname, sizeof(setname));
 
-	result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone,
-			       rdclass, 0, NULL, &db);
-	if (result != ISC_R_SUCCESS)
+	result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone, rdclass, 0,
+			       NULL, &db);
+	if (result != ISC_R_SUCCESS) {
 		fatal("can't create database");
+	}
 
 	if (strcmp(filename, "-") == 0) {
 		db_load_from_stream(db, stdin);
 		filename = "input";
 	} else {
 		result = dns_db_load(db, filename, dns_masterformat_text, 0);
-		if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE)
+		if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE) {
 			fatal("can't load %s: %s", filename,
 			      isc_result_totext(result));
+		}
 	}
 
 	result = dns_db_findnode(db, name, false, &node);
-	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS) {
 		fatal("can't find %s node in %s", setname, filename);
+	}
 
-	result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_dnskey,
-				     0, 0, rdataset, NULL);
+	result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_dnskey, 0, 0,
+				     rdataset, NULL);
 
-	if (result == ISC_R_NOTFOUND)
+	if (result == ISC_R_NOTFOUND) {
 		fatal("no DNSKEY RR for %s in %s", setname, filename);
-	else if (result != ISC_R_SUCCESS)
+	} else if (result != ISC_R_SUCCESS) {
 		fatal("dns_db_findrdataset");
+	}
 
-	if (node != NULL)
+	if (node != NULL) {
 		dns_db_detachnode(db, &node);
-	if (db != NULL)
+	}
+	if (db != NULL) {
 		dns_db_detach(&db);
+	}
 	return (result);
 }
 
 static isc_result_t
 loadkeyset(char *dirname, dns_rdataset_t *rdataset) {
-	isc_result_t	 result;
-	char		 filename[PATH_MAX + 1];
-	isc_buffer_t	 buf;
+	isc_result_t result;
+	char filename[PATH_MAX + 1];
+	isc_buffer_t buf;
 
 	dns_rdataset_init(rdataset);
 
 	isc_buffer_init(&buf, filename, sizeof(filename));
 	if (dirname != NULL) {
 		/* allow room for a trailing slash */
-		if (strlen(dirname) >= isc_buffer_availablelength(&buf))
+		if (strlen(dirname) >= isc_buffer_availablelength(&buf)) {
 			return (ISC_R_NOSPACE);
+		}
 		isc_buffer_putstr(&buf, dirname);
-		if (dirname[strlen(dirname) - 1] != '/')
+		if (dirname[strlen(dirname) - 1] != '/') {
 			isc_buffer_putstr(&buf, "/");
+		}
 	}
 
-	if (isc_buffer_availablelength(&buf) < 7)
+	if (isc_buffer_availablelength(&buf) < 7) {
 		return (ISC_R_NOSPACE);
+	}
 	isc_buffer_putstr(&buf, "keyset-");
 
 	result = dns_name_tofilenametext(name, false, &buf);
 	check_result(result, "dns_name_tofilenametext()");
-	if (isc_buffer_availablelength(&buf) == 0)
+	if (isc_buffer_availablelength(&buf) == 0) {
 		return (ISC_R_NOSPACE);
+	}
 	isc_buffer_putuint8(&buf, 0);
 
 	return (loadset(filename, rdataset));
@@ -165,22 +178,22 @@ loadkeyset(char *dirname, dns_rdataset_t *rdataset) {
 
 static void
 loadkey(char *filename, unsigned char *key_buf, unsigned int key_buf_size,
-	dns_rdata_t *rdata)
-{
-	isc_result_t  result;
-	dst_key_t     *key = NULL;
-	isc_buffer_t  keyb;
-	isc_region_t  r;
+	dns_rdata_t *rdata) {
+	isc_result_t result;
+	dst_key_t *key = NULL;
+	isc_buffer_t keyb;
+	isc_region_t r;
 
 	dns_rdata_init(rdata);
 
 	isc_buffer_init(&keyb, key_buf, key_buf_size);
 
-	result = dst_key_fromnamedfile(filename, NULL, DST_TYPE_PUBLIC,
-				       mctx, &key);
-	if (result != ISC_R_SUCCESS)
-		fatal("can't load %s.key: %s",
-		      filename, isc_result_totext(result));
+	result = dst_key_fromnamedfile(filename, NULL, DST_TYPE_PUBLIC, mctx,
+				       &key);
+	if (result != ISC_R_SUCCESS) {
+		fatal("can't load %s.key: %s", filename,
+		      isc_result_totext(result));
+	}
 
 	if (verbose > 2) {
 		char keystr[DST_KEY_FORMATSIZE];
@@ -190,12 +203,13 @@ loadkey(char *filename, unsigned char *key_buf, unsigned int key_buf_size,
 	}
 
 	result = dst_key_todns(key, &keyb);
-	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS) {
 		fatal("can't decode key");
+	}
 
 	isc_buffer_usedregion(&keyb, &r);
-	dns_rdata_fromregion(rdata, dst_key_class(key),
-			     dns_rdatatype_dnskey, &r);
+	dns_rdata_fromregion(rdata, dst_key_class(key), dns_rdatatype_dnskey,
+			     &r);
 
 	rdclass = dst_key_class(key);
 
@@ -208,15 +222,16 @@ loadkey(char *filename, unsigned char *key_buf, unsigned int key_buf_size,
 static void
 logkey(dns_rdata_t *rdata) {
 	isc_result_t result;
-	dst_key_t    *key = NULL;
+	dst_key_t *key = NULL;
 	isc_buffer_t buf;
-	char	     keystr[DST_KEY_FORMATSIZE];
+	char keystr[DST_KEY_FORMATSIZE];
 
 	isc_buffer_init(&buf, rdata->data, rdata->length);
 	isc_buffer_add(&buf, rdata->length);
 	result = dst_key_fromdns(name, rdclass, &buf, mctx, &key);
-	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS) {
 		return;
+	}
 
 	dst_key_format(key, keystr, sizeof(keystr));
 	fprintf(stderr, "%s: %s\n", program, keystr);
@@ -243,35 +258,42 @@ emit(dns_dsdigest_t dt, bool showall, bool cds, dns_rdata_t *rdata) {
 	dns_rdata_init(&ds);
 
 	result = dns_rdata_tostruct(rdata, &dnskey, NULL);
-	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS) {
 		fatal("can't convert DNSKEY");
+	}
 
-	if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0 && !showall)
+	if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0 && !showall) {
 		return;
+	}
 
 	result = dns_ds_buildrdata(name, rdata, dt, buf, &ds);
-	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS) {
 		fatal("can't build record");
+	}
 
 	result = dns_name_totext(name, false, &nameb);
-	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS) {
 		fatal("can't print name");
+	}
 
-	result = dns_rdata_tofmttext(&ds, (dns_name_t *) NULL, 0, 0, 0, "",
+	result = dns_rdata_tofmttext(&ds, (dns_name_t *)NULL, 0, 0, 0, "",
 				     &textb);
 
-	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS) {
 		fatal("can't print rdata");
+	}
 
 	result = dns_rdataclass_totext(rdclass, &classb);
-	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS) {
 		fatal("can't print class");
+	}
 
 	isc_buffer_usedregion(&nameb, &r);
 	printf("%.*s ", (int)r.length, r.base);
 
-	if (emitttl)
+	if (emitttl) {
 		printf("%u ", ttl);
+	}
 
 	isc_buffer_usedregion(&classb, &r);
 	printf("%.*s", (int)r.length, r.base);
@@ -290,7 +312,7 @@ static void
 emits(bool showall, bool cds, dns_rdata_t *rdata) {
 	unsigned i, n;
 
-	n = sizeof(dtype)/sizeof(dtype[0]);
+	n = sizeof(dtype) / sizeof(dtype[0]);
 	for (i = 0; i < n; i++) {
 		if (dtype[i] != 0) {
 			emit(dtype[i], showall, cds, rdata);
@@ -304,43 +326,46 @@ usage(void) ISC_PLATFORM_NORETURN_POST;
 static void
 usage(void) {
 	fprintf(stderr, "Usage:\n");
-	fprintf(stderr,	"    %s [options] keyfile\n\n", program);
+	fprintf(stderr, "    %s [options] keyfile\n\n", program);
 	fprintf(stderr, "    %s [options] -f zonefile [zonename]\n\n", program);
 	fprintf(stderr, "    %s [options] -s dnsname\n\n", program);
 	fprintf(stderr, "    %s [-h|-V]\n\n", program);
 	fprintf(stderr, "Version: %s\n", VERSION);
 	fprintf(stderr, "Options:\n"
-"    -1: digest algorithm SHA-1\n"
-"    -2: digest algorithm SHA-256\n"
-"    -a algorithm: digest algorithm (SHA-1, SHA-256 or SHA-384)\n"
-"    -A: include all keys in DS set, not just KSKs (-f only)\n"
-"    -c class: rdata class for DS set (default IN) (-f or -s only)\n"
-"    -C: print CDS records\n"
-"    -f zonefile: read keys from a zone file\n"
-"    -h: print help information\n"
-"    -K directory: where to find key or keyset files\n"
-"    -s: read keys from keyset-<dnsname> file\n"
-"    -T: TTL of output records (omitted by default)\n"
-"    -v level: verbosity\n"
-"    -V: print version information\n");
+			"    -1: digest algorithm SHA-1\n"
+			"    -2: digest algorithm SHA-256\n"
+			"    -a algorithm: digest algorithm (SHA-1, SHA-256 or "
+			"SHA-384)\n"
+			"    -A: include all keys in DS set, not just KSKs (-f "
+			"only)\n"
+			"    -c class: rdata class for DS set (default IN) (-f "
+			"or -s only)\n"
+			"    -C: print CDS records\n"
+			"    -f zonefile: read keys from a zone file\n"
+			"    -h: print help information\n"
+			"    -K directory: where to find key or keyset files\n"
+			"    -s: read keys from keyset-<dnsname> file\n"
+			"    -T: TTL of output records (omitted by default)\n"
+			"    -v level: verbosity\n"
+			"    -V: print version information\n");
 	fprintf(stderr, "Output: DS or CDS RRs\n");
 
-	exit (-1);
+	exit(-1);
 }
 
 int
 main(int argc, char **argv) {
-	char		*classname = NULL;
-	char		*filename = NULL, *dir = NULL, *namestr;
-	char		*endp, *arg1;
-	int		ch;
-	bool		cds = false;
-	bool		usekeyset = false;
-	bool		showall = false;
-	isc_result_t	result;
-	isc_log_t	*log = NULL;
-	dns_rdataset_t	rdataset;
-	dns_rdata_t	rdata;
+	char *classname = NULL;
+	char *filename = NULL, *dir = NULL, *namestr;
+	char *endp, *arg1;
+	int ch;
+	bool cds = false;
+	bool usekeyset = false;
+	bool showall = false;
+	isc_result_t result;
+	isc_log_t *log = NULL;
+	dns_rdataset_t rdataset;
+	dns_rdata_t rdata;
 
 	dns_rdata_init(&rdata);
 
@@ -352,7 +377,7 @@ main(int argc, char **argv) {
 
 #if USE_PKCS11
 	pk11_result_register();
-#endif
+#endif /* if USE_PKCS11 */
 	dns_result_register();
 
 	isc_commandline_errprint = false;
@@ -379,13 +404,16 @@ main(int argc, char **argv) {
 			classname = isc_commandline_argument;
 			break;
 		case 'd':
-			fprintf(stderr, "%s: the -d option is deprecated; "
-					"use -K\n", program);
-			/* fall through */
+			fprintf(stderr,
+				"%s: the -d option is deprecated; "
+				"use -K\n",
+				program);
+		/* fall through */
 		case 'K':
 			dir = isc_commandline_argument;
-			if (strlen(dir) == 0U)
+			if (strlen(dir) == 0U) {
 				fatal("directory must be non-empty string");
+			}
 			break;
 		case 'f':
 			filename = isc_commandline_argument;
@@ -402,17 +430,19 @@ main(int argc, char **argv) {
 			break;
 		case 'v':
 			verbose = strtol(isc_commandline_argument, &endp, 0);
-			if (*endp != '\0')
+			if (*endp != '\0') {
 				fatal("-v must be followed by a number");
+			}
 			break;
 		case 'F':
-			/* Reserved for FIPS mode */
-			/* FALLTHROUGH */
+		/* Reserved for FIPS mode */
+		/* FALLTHROUGH */
 		case '?':
-			if (isc_commandline_option != '?')
+			if (isc_commandline_option != '?') {
 				fprintf(stderr, "%s: invalid argument -%c\n",
 					program, isc_commandline_option);
-			/* FALLTHROUGH */
+			}
+		/* FALLTHROUGH */
 		case 'h':
 			/* Does not return. */
 			usage();
@@ -422,8 +452,8 @@ main(int argc, char **argv) {
 			version(program);
 
 		default:
-			fprintf(stderr, "%s: unhandled option -%c\n",
-				program, isc_commandline_option);
+			fprintf(stderr, "%s: unhandled option -%c\n", program,
+				isc_commandline_option);
 			exit(1);
 		}
 	}

bin/dnssec/dnssec-dsfromkey.docbook

@@ -1,355 +0,0 @@
-<!--
- - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
- -
- - See the COPYRIGHT file distributed with this work for additional
- - information regarding copyright ownership.
--->
-
-<!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-dsfromkey">
-  <info>
-    <date>2019-05-08</date>
-  </info>
-  <refentryinfo>
-    <corpname>ISC</corpname>
-    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle><application>dnssec-dsfromkey</application></refentrytitle>
-    <manvolnum>8</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <refnamediv>
-    <refname><application>dnssec-dsfromkey</application></refname>
-    <refpurpose>DNSSEC DS RR generation tool</refpurpose>
-  </refnamediv>
-
-  <docinfo>
-    <copyright>
-      <year>2008</year>
-      <year>2009</year>
-      <year>2010</year>
-      <year>2011</year>
-      <year>2012</year>
-      <year>2014</year>
-      <year>2015</year>
-      <year>2016</year>
-      <year>2018</year>
-      <year>2019</year>
-      <year>2020</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-  </docinfo>
-
-  <refsynopsisdiv>
-    <cmdsynopsis sepchar=" ">
-      <command>dnssec-dsfromkey</command>
-      <group choice="opt">
-	<arg choice="plain"><option>-1</option></arg>
-	<arg choice="plain"><option>-2</option></arg>
-	<arg choice="plain"><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
-      </group>
-      <group>
-	<arg choice="plain" rep="norepeat"><option>-C</option></arg>
-	<arg choice="plain" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
-      </group>
-      <arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
-      <arg choice="req" rep="norepeat">keyfile</arg>
-    </cmdsynopsis>
-    <cmdsynopsis sepchar=" ">
-      <command>dnssec-dsfromkey</command>
-      <group choice="opt">
-	<arg choice="plain"><option>-1</option></arg>
-	<arg choice="plain"><option>-2</option></arg>
-	<arg choice="plain"><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
-      </group>
-      <group>
-	<arg choice="plain" rep="norepeat"><option>-C</option></arg>
-	<arg choice="plain" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
-      </group>
-      <arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-A</option></arg>
-      <arg choice="req" rep="norepeat"><option>-f <replaceable class="parameter">file</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat">dnsname</arg>
-    </cmdsynopsis>
-    <cmdsynopsis sepchar=" ">
-      <command>dnssec-dsfromkey</command>
-      <group choice="opt">
-	<arg choice="plain"><option>-1</option></arg>
-	<arg choice="plain"><option>-2</option></arg>
-	<arg choice="plain"><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
-      </group>
-      <group>
-	<arg choice="plain" rep="norepeat"><option>-C</option></arg>
-	<arg choice="plain" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
-      </group>
-      <arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
-      <arg choice="req" rep="norepeat">-s</arg>
-      <arg choice="req" rep="norepeat">dnsname</arg>
-    </cmdsynopsis>
-    <cmdsynopsis sepchar=" ">
-      <command>dnssec-dsfromkey</command>
-      <group choice="opt">
-	<arg choice="plain" rep="norepeat"><option>-h</option></arg>
-	<arg choice="plain" rep="norepeat"><option>-V</option></arg>
-      </group>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsection><info><title>DESCRIPTION</title></info>
-
-    <para>
-      The <command>dnssec-dsfromkey</command> command outputs DS (Delegation
-      Signer) resource records (RRs), or CDS (Child DS) RRs with the
-      <option>-C</option> option.
-    </para>
-
-    <para>
-      The input keys can be specified in a number of ways:
-    </para>
-
-    <para>
-      By default, <command>dnssec-dsfromkey</command> reads a key file
-      named like <filename>Knnnn.+aaa+iiiii.key</filename>, as generated
-      by <command>dnssec-keygen</command>.
-    </para>
-
-    <para>
-      With the <option>-f <replaceable>file</replaceable></option>
-      option, <command>dnssec-dsfromkey</command> reads keys from a zone file
-      or partial zone file (which can contain just the DNSKEY records).
-    </para>
-
-    <para>
-      With the <option>-s</option>
-      option, <command>dnssec-dsfromkey</command> reads
-      a <filename>keyset-</filename> file, as generated
-      by <command>dnssec-keygen</command> <option>-C</option>.
-    </para>
-
-  </refsection>
-
-  <refsection><info><title>OPTIONS</title></info>
-
-    <variablelist>
-      <varlistentry>
-	<term>-1</term>
-	<listitem>
-	  <para>
-	    An abbreviation for <option>-a SHA-1</option>.
-	    (Note: The SHA-1 algorithm is no longer recommended for use
-	    when generating new DS and CDS records.)
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-2</term>
-	<listitem>
-	  <para>
-	    An abbreviation for <option>-a SHA-256</option>.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-a <replaceable class="parameter">algorithm</replaceable></term>
-	<listitem>
-	  <para>
-	    Specify a digest algorithm to use when converting DNSKEY
-	    records to DS records. This option can be repeated, so
-	    that multiple DS records are created for each DNSKEY
-	    record.
-          </para>
-          <para>
-	    The <replaceable>algorithm</replaceable> must be one of
-	    SHA-1, SHA-256, or SHA-384.  These values are case insensitive,
-	    and the hyphen may be omitted.  If no algorithm is specified,
-	    the default is SHA-256.
-	    (Note: The SHA-1 algorithm is no longer recommended for use
-	    when generating new DS and CDS records.)
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-A</term>
-        <listitem>
-          <para>
-            Include ZSKs when generating DS records. Without this option, only
-            keys which have the KSK flag set will be converted to DS records
-            and printed. Useful only in <option>-f</option> zone file mode.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-c <replaceable class="parameter">class</replaceable></term>
-	<listitem>
-	  <para>
-	    Specifies the DNS class (default is IN). Useful only
-	    in <option>-s</option> keyset or <option>-f</option>
-	    zone file mode.
-	  </para>
-	  </listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-C</term>
-	<listitem>
-	  <para>
-	    Generate CDS records rather than DS records.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-f <replaceable class="parameter">file</replaceable></term>
-	<listitem>
-	  <para>
-	    Zone file mode: <command>dnssec-dsfromkey</command>'s
-	    final <replaceable>dnsname</replaceable> argument is
-	    the DNS domain name of a zone whose master file can be read
-	    from <option>file</option>.  If the zone name is the same as
-	    <option>file</option>, then it may be omitted.
-	  </para>
-	  <para>
-	    If <replaceable>file</replaceable> is <literal>"-"</literal>, then
-	    the zone data is read from the standard input.  This makes it
-	    possible to use the output of the <command>dig</command>
-	    command as input, as in:
-	  </para>
-	  <para>
-	    <userinput>dig dnskey example.com | dnssec-dsfromkey -f - example.com</userinput>
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-h</term>
-	<listitem>
-	  <para>
-	    Prints usage information.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-K <replaceable class="parameter">directory</replaceable></term>
-	<listitem>
-	  <para>
-	    Look for key files or <filename>keyset-</filename> files in
-	    <option>directory</option>.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-s</term>
-	<listitem>
-	  <para>
-	    Keyset mode: <command>dnssec-dsfromkey</command>'s
-	    final <replaceable>dnsname</replaceable> argument is the DNS
-	    domain name used to locate a <filename>keyset-</filename> file.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-T <replaceable class="parameter">TTL</replaceable></term>
-	<listitem>
-	  <para>
-	    Specifies the TTL of the DS records. By default the TTL is omitted.
-	  </para>
-	  </listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-v <replaceable class="parameter">level</replaceable></term>
-	<listitem>
-	  <para>
-	    Sets the debugging level.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-V</term>
-	<listitem>
-	  <para>
-	    Prints version information.
-	  </para>
-	</listitem>
-      </varlistentry>
-    </variablelist>
-  </refsection>
-
-  <refsection><info><title>EXAMPLE</title></info>
-
-    <para>
-      To build the SHA-256 DS RR from the
-      <userinput>Kexample.com.+003+26160</userinput>
-      keyfile name, you can issue the following command:
-    </para>
-    <para><userinput>dnssec-dsfromkey -2 Kexample.com.+003+26160</userinput>
-    </para>
-    <para>
-      The command would print something like:
-    </para>
-    <para><userinput>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94</userinput>
-    </para>
-
-  </refsection>
-
-  <refsection><info><title>FILES</title></info>
-
-    <para>
-      The keyfile can be designated by the key identification
-      <filename>Knnnn.+aaa+iiiii</filename> or the full file name
-      <filename>Knnnn.+aaa+iiiii.key</filename> as generated by
-      <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>.
-    </para>
-    <para>
-      The keyset file name is built from the <option>directory</option>,
-      the string <filename>keyset-</filename> and the
-      <option>dnsname</option>.
-    </para>
-  </refsection>
-
-  <refsection><info><title>CAVEAT</title></info>
-
-    <para>
-      A keyfile error can give a "file not found" even if the file exists.
-    </para>
-  </refsection>
-
-  <refsection><info><title>SEE ALSO</title></info>
-
-    <para><citerefentry>
-	<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-	<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
-      <citetitle>RFC 3658</citetitle> (DS RRs),
-      <citetitle>RFC 4509</citetitle> (SHA-256 for DS RRs),
-      <citetitle>RFC 6605</citetitle> (SHA-384 for DS RRs),
-      <citetitle>RFC 7344</citetitle> (CDS and CDNSKEY RRs).
-    </para>
-  </refsection>
-
-</refentry>

bin/dnssec/dnssec-dsfromkey.html

@@ -1,307 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2008-2012, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
- - 
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>dnssec-dsfromkey</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
-<a name="man.dnssec-dsfromkey"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
-<h2>Name</h2>
-<p>
-    <span class="application">dnssec-dsfromkey</span>
-     &#8212; DNSSEC DS RR generation tool
-  </p>
-</div>
-
-  
-
-  <div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">dnssec-dsfromkey</code> 
-       [
-	 <code class="option">-1</code> 
-	 |   <code class="option">-2</code> 
-	 |   <code class="option">-a <em class="replaceable"><code>alg</code></em></code> 
-      ]
-       [
-	 <code class="option">-C</code> 
-	 |   <code class="option">-l <em class="replaceable"><code>domain</code></em></code> 
-      ]
-       [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
-       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
-       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
-       {keyfile}
-    </p></div>
-    <div class="cmdsynopsis"><p>
-      <code class="command">dnssec-dsfromkey</code> 
-       [
-	 <code class="option">-1</code> 
-	 |   <code class="option">-2</code> 
-	 |   <code class="option">-a <em class="replaceable"><code>alg</code></em></code> 
-      ]
-       [
-	 <code class="option">-C</code> 
-	 |   <code class="option">-l <em class="replaceable"><code>domain</code></em></code> 
-      ]
-       [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
-       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
-       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
-       [<code class="option">-A</code>]
-       {<code class="option">-f <em class="replaceable"><code>file</code></em></code>}
-       [dnsname]
-    </p></div>
-    <div class="cmdsynopsis"><p>
-      <code class="command">dnssec-dsfromkey</code> 
-       [
-	 <code class="option">-1</code> 
-	 |   <code class="option">-2</code> 
-	 |   <code class="option">-a <em class="replaceable"><code>alg</code></em></code> 
-      ]
-       [
-	 <code class="option">-C</code> 
-	 |   <code class="option">-l <em class="replaceable"><code>domain</code></em></code> 
-      ]
-       [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
-       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
-       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
-       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
-       {-s}
-       {dnsname}
-    </p></div>
-    <div class="cmdsynopsis"><p>
-      <code class="command">dnssec-dsfromkey</code> 
-       [
-	 <code class="option">-h</code> 
-	 |   <code class="option">-V</code> 
-      ]
-    </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-    <p>
-      The <span class="command"><strong>dnssec-dsfromkey</strong></span> command outputs DS (Delegation
-      Signer) resource records (RRs), or CDS (Child DS) RRs with the
-      <code class="option">-C</code> option.
-    </p>
-
-    <p>
-      The input keys can be specified in a number of ways:
-    </p>
-
-    <p>
-      By default, <span class="command"><strong>dnssec-dsfromkey</strong></span> reads a key file
-      named like <code class="filename">Knnnn.+aaa+iiiii.key</code>, as generated
-      by <span class="command"><strong>dnssec-keygen</strong></span>.
-    </p>
-
-    <p>
-      With the <code class="option">-f <em class="replaceable"><code>file</code></em></code>
-      option, <span class="command"><strong>dnssec-dsfromkey</strong></span> reads keys from a zone file
-      or partial zone file (which can contain just the DNSKEY records).
-    </p>
-
-    <p>
-      With the <code class="option">-s</code>
-      option, <span class="command"><strong>dnssec-dsfromkey</strong></span> reads
-      a <code class="filename">keyset-</code> file, as generated
-      by <span class="command"><strong>dnssec-keygen</strong></span> <code class="option">-C</code>.
-    </p>
-
-  </div>
-
-  <div class="refsection">
-<a name="id-1.8"></a><h2>OPTIONS</h2>
-
-    <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">-1</span></dt>
-<dd>
-	  <p>
-	    An abbreviation for <code class="option">-a SHA-1</code>.
-	    (Note: The SHA-1 algorithm is no longer recommended for use
-	    when generating new DS and CDS records.)
-	  </p>
-	</dd>
-<dt><span class="term">-2</span></dt>
-<dd>
-	  <p>
-	    An abbreviation for <code class="option">-a SHA-256</code>.
-	  </p>
-	</dd>
-<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
-<dd>
-	  <p>
-	    Specify a digest algorithm to use when converting DNSKEY
-	    records to DS records. This option can be repeated, so
-	    that multiple DS records are created for each DNSKEY
-	    record.
-          </p>
-          <p>
-	    The <em class="replaceable"><code>algorithm</code></em> must be one of
-	    SHA-1, SHA-256, or SHA-384.  These values are case insensitive,
-	    and the hyphen may be omitted.  If no algorithm is specified,
-	    the default is SHA-256.
-	    (Note: The SHA-1 algorithm is no longer recommended for use
-	    when generating new DS and CDS records.)
-	  </p>
-	</dd>
-<dt><span class="term">-A</span></dt>
-<dd>
-          <p>
-            Include ZSKs when generating DS records. Without this option, only
-            keys which have the KSK flag set will be converted to DS records
-            and printed. Useful only in <code class="option">-f</code> zone file mode.
-          </p>
-        </dd>
-<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd>
-	  <p>
-	    Specifies the DNS class (default is IN). Useful only
-	    in <code class="option">-s</code> keyset or <code class="option">-f</code>
-	    zone file mode.
-	  </p>
-	  </dd>
-<dt><span class="term">-C</span></dt>
-<dd>
-	  <p>
-	    Generate CDS records rather than DS records.
-	  </p>
-	</dd>
-<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
-<dd>
-	  <p>
-	    Zone file mode: <span class="command"><strong>dnssec-dsfromkey</strong></span>'s
-	    final <em class="replaceable"><code>dnsname</code></em> argument is
-	    the DNS domain name of a zone whose master file can be read
-	    from <code class="option">file</code>.  If the zone name is the same as
-	    <code class="option">file</code>, then it may be omitted.
-	  </p>
-	  <p>
-	    If <em class="replaceable"><code>file</code></em> is <code class="literal">"-"</code>, then
-	    the zone data is read from the standard input.  This makes it
-	    possible to use the output of the <span class="command"><strong>dig</strong></span>
-	    command as input, as in:
-	  </p>
-	  <p>
-	    <strong class="userinput"><code>dig dnskey example.com | dnssec-dsfromkey -f - example.com</code></strong>
-	  </p>
-	</dd>
-<dt><span class="term">-h</span></dt>
-<dd>
-	  <p>
-	    Prints usage information.
-	  </p>
-	</dd>
-<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
-	  <p>
-	    Look for key files or <code class="filename">keyset-</code> files in
-	    <code class="option">directory</code>.
-	  </p>
-	</dd>
-<dt><span class="term">-s</span></dt>
-<dd>
-	  <p>
-	    Keyset mode: <span class="command"><strong>dnssec-dsfromkey</strong></span>'s
-	    final <em class="replaceable"><code>dnsname</code></em> argument is the DNS
-	    domain name used to locate a <code class="filename">keyset-</code> file.
-	  </p>
-	</dd>
-<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
-<dd>
-	  <p>
-	    Specifies the TTL of the DS records. By default the TTL is omitted.
-	  </p>
-	  </dd>
-<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd>
-	  <p>
-	    Sets the debugging level.
-	  </p>
-	</dd>
-<dt><span class="term">-V</span></dt>
-<dd>
-	  <p>
-	    Prints version information.
-	  </p>
-	</dd>
-</dl></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.9"></a><h2>EXAMPLE</h2>
-
-    <p>
-      To build the SHA-256 DS RR from the
-      <strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
-      keyfile name, you can issue the following command:
-    </p>
-    <p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong>
-    </p>
-    <p>
-      The command would print something like:
-    </p>
-    <p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94</code></strong>
-    </p>
-
-  </div>
-
-  <div class="refsection">
-<a name="id-1.10"></a><h2>FILES</h2>
-
-    <p>
-      The keyfile can be designated by the key identification
-      <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
-      <code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
-      <span class="refentrytitle">dnssec-keygen</span>(8).
-    </p>
-    <p>
-      The keyset file name is built from the <code class="option">directory</code>,
-      the string <code class="filename">keyset-</code> and the
-      <code class="option">dnsname</code>.
-    </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.11"></a><h2>CAVEAT</h2>
-
-    <p>
-      A keyfile error can give a "file not found" even if the file exists.
-    </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.12"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-	<span class="refentrytitle">dnssec-keygen</span>(8)
-      </span>,
-      <span class="citerefentry">
-	<span class="refentrytitle">dnssec-signzone</span>(8)
-      </span>,
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
-      <em class="citetitle">RFC 3658</em> (DS RRs),
-      <em class="citetitle">RFC 4509</em> (SHA-256 for DS RRs),
-      <em class="citetitle">RFC 6605</em> (SHA-384 for DS RRs),
-      <em class="citetitle">RFC 7344</em> (CDS and CDNSKEY RRs).
-    </p>
-  </div>
-
-</div></body>
-</html>

bin/dnssec/dnssec-dsfromkey.rst

@@ -0,0 +1,150 @@
+.. 
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+   
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, You can obtain one at http://mozilla.org/MPL/2.0/.
+   
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
+..
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
+
+.. highlight: console
+
+.. _man_dnssec-dsfromkey:
+
+dnssec-dsfromkey - DNSSEC DS RR generation tool
+-----------------------------------------------
+
+Synopsis
+~~~~~~~~
+
+:program:`dnssec-dsfromkey` [ **-1** | **-2** | **-a** alg ] [ **-C** ] [**-T** TTL] [**-v** level] [**-K** directory] {keyfile}
+
+:program:`dnssec-dsfromkey` [ **-1** | **-2** | **-a** alg ] [ **-C** ] [**-T** TTL] [**-v** level] [**-c** class] [**-A**] {**-f** file} [dnsname]
+
+:program:`dnssec-dsfromkey` [ **-1** | **-2** | **-a** alg ] [ **-C** ] [**-T** TTL] [**-v** level] [**-c** class] [**-K** directory] {**-s**} {dnsname}
+
+:program:`dnssec-dsfromkey` [ **-h** | **-V** ]
+
+Description
+~~~~~~~~~~~
+
+The ``dnssec-dsfromkey`` command outputs DS (Delegation Signer) resource records
+(RRs), or CDS (Child DS) RRs with the ``-C`` option.
+
+The input keys can be specified in a number of ways:
+
+By default, ``dnssec-dsfromkey`` reads a key file named like
+``Knnnn.+aaa+iiiii.key``, as generated by ``dnssec-keygen``.
+
+With the ``-f file`` option, ``dnssec-dsfromkey`` reads keys from a zone
+file or partial zone file (which can contain just the DNSKEY records).
+
+With the ``-s`` option, ``dnssec-dsfromkey`` reads a ``keyset-`` file,
+as generated by ``dnssec-keygen`` ``-C``.
+
+Options
+~~~~~~~
+
+**-1**
+   An abbreviation for ``-a SHA1``
+
+**-2**
+   An abbreviation for ``-a SHA-256``
+
+**-a** algorithm
+   Specify a digest algorithm to use when converting DNSKEY records to
+   DS records. This option can be repeated, so that multiple DS records
+   are created for each DNSKEY record.
+
+   The algorithm must be one of SHA-1, SHA-256, or SHA-384. These values
+   are case insensitive, and the hyphen may be omitted. If no algorithm
+   is specified, the default is SHA-256.
+
+**-A**
+   Include ZSKs when generating DS records. Without this option, only
+   keys which have the KSK flag set will be converted to DS records and
+   printed. Useful only in ``-f`` zone file mode.
+
+**-c** class
+   Specifies the DNS class (default is IN). Useful only in ``-s`` keyset
+   or ``-f`` zone file mode.
+
+**-C**
+   Generate CDS records rather than DS records.
+
+**-f** file
+   Zone file mode: ``dnssec-dsfromkey``'s final dnsname argument is the
+   DNS domain name of a zone whose master file can be read from
+   ``file``. If the zone name is the same as ``file``, then it may be
+   omitted.
+
+   If file is ``"-"``, then the zone data is read from the standard
+   input. This makes it possible to use the output of the ``dig``
+   command as input, as in:
+
+   ``dig dnskey example.com | dnssec-dsfromkey -f - example.com``
+
+**-h**
+   Prints usage information.
+
+**-K** directory
+   Look for key files or ``keyset-`` files in ``directory``.
+
+**-s**
+   Keyset mode: ``dnssec-dsfromkey``'s final dnsname argument is the DNS
+   domain name used to locate a ``keyset-`` file.
+
+**-T** TTL
+   Specifies the TTL of the DS records. By default the TTL is omitted.
+
+**-v** level
+   Sets the debugging level.
+
+**-V**
+   Prints version information.
+
+Example
+~~~~~~~
+
+To build the SHA-256 DS RR from the ``Kexample.com.+003+26160`` keyfile
+name, you can issue the following command:
+
+``dnssec-dsfromkey -2 Kexample.com.+003+26160``
+
+The command would print something like:
+
+``example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94``
+
+Files
+~~~~~
+
+The keyfile can be designated by the key identification
+``Knnnn.+aaa+iiiii`` or the full file name ``Knnnn.+aaa+iiiii.key`` as
+generated by dnssec-keygen8.
+
+The keyset file name is built from the ``directory``, the string
+``keyset-`` and the ``dnsname``.
+
+Caveat
+~~~~~~
+
+A keyfile error can give a "file not found" even if the file exists.
+
+See Also
+~~~~~~~~
+
+:manpage:`dnssec-keygen(8)`, :manpage:`dnssec-signzone(8)`, BIND 9 Administrator Reference Manual,
+:rfc:`3658` (DS RRs), :rfc:`4509` (SHA-256 for DS RRs),
+:rfc:`6605` (SHA-384 for DS RRs), :rfc:`7344` (CDS and CDNSKEY RRs).

bin/dnssec/dnssec-importkey.8

@@ -1,138 +0,0 @@
-.\" Copyright (C) 2013-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
-.\" 
-.\" This Source Code Form is subject to the terms of the Mozilla Public
-.\" License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
-.\"
-.hy 0
-.ad l
-'\" t
-.\"     Title: dnssec-importkey
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\"      Date: August 21, 2015
-.\"    Manual: BIND9
-.\"    Source: ISC
-.\"  Language: English
-.\"
-.TH "DNSSEC\-IMPORTKEY" "8" "August 21, 2015" "ISC" "BIND9"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el       .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-dnssec-importkey \- import DNSKEY records from external systems so they can be managed
-.SH "SYNOPSIS"
-.HP \w'\fBdnssec\-importkey\fR\ 'u
-\fBdnssec\-importkey\fR [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] {\fBkeyfile\fR}
-.HP \w'\fBdnssec\-importkey\fR\ 'u
-\fBdnssec\-importkey\fR {\fB\-f\ \fR\fB\fIfilename\fR\fR} [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fBdnsname\fR]
-.SH "DESCRIPTION"
-.PP
-\fBdnssec\-importkey\fR
-reads a public DNSKEY record and generates a pair of \&.key/\&.private files\&. The DNSKEY record may be read from an existing \&.key file, in which case a corresponding \&.private file will be generated, or it may be read from any other file or from the standard input, in which case both \&.key and \&.private files will be generated\&.
-.PP
-The newly\-created \&.private file does
-\fInot\fR
-contain private key data, and cannot be used for signing\&. However, having a \&.private file makes it possible to set publication (\fB\-P\fR) and deletion (\fB\-D\fR) times for the key, which means the public key can be added to and removed from the DNSKEY RRset on schedule even if the true private key is stored offline\&.
-.SH "OPTIONS"
-.PP
-\-f \fIfilename\fR
-.RS 4
-Zone file mode: instead of a public keyfile name, the argument is the DNS domain name of a zone master file, which can be read from
-\fBfile\fR\&. If the domain name is the same as
-\fBfile\fR, then it may be omitted\&.
-.sp
-If
-\fBfile\fR
-is set to
-"\-", then the zone data is read from the standard input\&.
-.RE
-.PP
-\-K \fIdirectory\fR
-.RS 4
-Sets the directory in which the key files are to reside\&.
-.RE
-.PP
-\-L \fIttl\fR
-.RS 4
-Sets the default TTL to use for this key when it is converted into a DNSKEY RR\&. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence\&. Setting the default TTL to
-0
-or
-none
-removes it\&.
-.RE
-.PP
-\-h
-.RS 4
-Emit usage message and exit\&.
-.RE
-.PP
-\-v \fIlevel\fR
-.RS 4
-Sets the debugging level\&.
-.RE
-.PP
-\-V
-.RS 4
-Prints version information\&.
-.RE
-.SH "TIMING OPTIONS"
-.PP
-Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS\&. If the argument begins with a \*(Aq+\*(Aq or \*(Aq\-\*(Aq, it is interpreted as an offset from the present time\&. For convenience, if such an offset is followed by one of the suffixes \*(Aqy\*(Aq, \*(Aqmo\*(Aq, \*(Aqw\*(Aq, \*(Aqd\*(Aq, \*(Aqh\*(Aq, or \*(Aqmi\*(Aq, then the offset is computed in years (defined as 365 24\-hour days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively\&. Without a suffix, the offset is computed in seconds\&. To explicitly prevent a date from being set, use \*(Aqnone\*(Aq or \*(Aqnever\*(Aq\&.
-.PP
-\-P \fIdate/offset\fR
-.RS 4
-Sets the date on which a key is to be published to the zone\&. After that date, the key will be included in the zone but will not be used to sign it\&.
-.RE
-.PP
-\-P sync \fIdate/offset\fR
-.RS 4
-Sets the date on which CDS and CDNSKEY records that match this key are to be published to the zone\&.
-.RE
-.PP
-\-D \fIdate/offset\fR
-.RS 4
-Sets the date on which the key is to be deleted\&. After that date, the key will no longer be included in the zone\&. (It may remain in the key repository, however\&.)
-.RE
-.PP
-\-D sync \fIdate/offset\fR
-.RS 4
-Sets the date on which the CDS and CDNSKEY records that match this key are to be deleted\&.
-.RE
-.SH "FILES"
-.PP
-A keyfile can be designed by the key identification
-Knnnn\&.+aaa+iiiii
-or the full file name
-Knnnn\&.+aaa+iiiii\&.key
-as generated by
-dnssec\-keygen(8)\&.
-.SH "SEE ALSO"
-.PP
-\fBdnssec-keygen\fR(8),
-\fBdnssec-signzone\fR(8),
-BIND 9 Administrator Reference Manual,
-RFC 5011\&.
-.SH "AUTHOR"
-.PP
-\fBInternet Systems Consortium, Inc\&.\fR
-.SH "COPYRIGHT"
-.br
-Copyright \(co 2013-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
-.br

bin/dnssec/dnssec-importkey.c

@@ -42,23 +42,23 @@
 
 #if USE_PKCS11
 #include <pk11/result.h>
-#endif
+#endif /* if USE_PKCS11 */
 
 #include "dnssectool.h"
 
 const char *program = "dnssec-importkey";
 
 static dns_rdataclass_t rdclass;
-static dns_fixedname_t	fixed;
-static dns_name_t	*name = NULL;
-static isc_mem_t	*mctx = NULL;
-static bool	setpub = false, setdel = false;
-static bool	setttl = false;
-static isc_stdtime_t	pub = 0, del = 0;
-static dns_ttl_t	ttl = 0;
-static isc_stdtime_t	syncadd = 0, syncdel = 0;
-static bool	setsyncadd = false;
-static bool	setsyncdel = false;
+static dns_fixedname_t fixed;
+static dns_name_t *name = NULL;
+static isc_mem_t *mctx = NULL;
+static bool setpub = false, setdel = false;
+static bool setttl = false;
+static isc_stdtime_t pub = 0, del = 0;
+static dns_ttl_t ttl = 0;
+static isc_stdtime_t syncadd = 0, syncdel = 0;
+static bool setsyncadd = false;
+static bool setsyncdel = false;
 
 static isc_result_t
 initname(char *setname) {
@@ -80,32 +80,36 @@ db_load_from_stream(dns_db_t *db, FILE *fp) {
 
 	dns_rdatacallbacks_init(&callbacks);
 	result = dns_db_beginload(db, &callbacks);
-	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS) {
 		fatal("dns_db_beginload failed: %s", isc_result_totext(result));
+	}
 
-	result = dns_master_loadstream(fp, name, name, rdclass, 0,
-				       &callbacks, mctx);
-	if (result != ISC_R_SUCCESS)
+	result = dns_master_loadstream(fp, name, name, rdclass, 0, &callbacks,
+				       mctx);
+	if (result != ISC_R_SUCCESS) {
 		fatal("can't load from input: %s", isc_result_totext(result));
+	}
 
 	result = dns_db_endload(db, &callbacks);
-	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS) {
 		fatal("dns_db_endload failed: %s", isc_result_totext(result));
+	}
 }
 
 static isc_result_t
 loadset(const char *filename, dns_rdataset_t *rdataset) {
-	isc_result_t	 result;
-	dns_db_t	 *db = NULL;
-	dns_dbnode_t	 *node = NULL;
+	isc_result_t result;
+	dns_db_t *db = NULL;
+	dns_dbnode_t *node = NULL;
 	char setname[DNS_NAME_FORMATSIZE];
 
 	dns_name_format(name, setname, sizeof(setname));
 
-	result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone,
-			       rdclass, 0, NULL, &db);
-	if (result != ISC_R_SUCCESS)
+	result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone, rdclass, 0,
+			       NULL, &db);
+	if (result != ISC_R_SUCCESS) {
 		fatal("can't create database");
+	}
 
 	if (strcmp(filename, "-") == 0) {
 		db_load_from_stream(db, stdin);
@@ -113,48 +117,53 @@ loadset(const char *filename, dns_rdataset_t *rdataset) {
 	} else {
 		result = dns_db_load(db, filename, dns_masterformat_text,
 				     DNS_MASTER_NOTTL);
-		if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE)
+		if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE) {
 			fatal("can't load %s: %s", filename,
 			      isc_result_totext(result));
+		}
 	}
 
 	result = dns_db_findnode(db, name, false, &node);
-	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS) {
 		fatal("can't find %s node in %s", setname, filename);
+	}
 
-	result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_dnskey,
-				     0, 0, rdataset, NULL);
+	result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_dnskey, 0, 0,
+				     rdataset, NULL);
 
-	if (result == ISC_R_NOTFOUND)
+	if (result == ISC_R_NOTFOUND) {
 		fatal("no DNSKEY RR for %s in %s", setname, filename);
-	else if (result != ISC_R_SUCCESS)
+	} else if (result != ISC_R_SUCCESS) {
 		fatal("dns_db_findrdataset");
+	}
 
-	if (node != NULL)
+	if (node != NULL) {
 		dns_db_detachnode(db, &node);
-	if (db != NULL)
+	}
+	if (db != NULL) {
 		dns_db_detach(&db);
+	}
 	return (result);
 }
 
 static void
 loadkey(char *filename, unsigned char *key_buf, unsigned int key_buf_size,
-	dns_rdata_t *rdata)
-{
-	isc_result_t  result;
-	dst_key_t     *key = NULL;
-	isc_buffer_t  keyb;
-	isc_region_t  r;
+	dns_rdata_t *rdata) {
+	isc_result_t result;
+	dst_key_t *key = NULL;
+	isc_buffer_t keyb;
+	isc_region_t r;
 
 	dns_rdata_init(rdata);
 
 	isc_buffer_init(&keyb, key_buf, key_buf_size);
 
-	result = dst_key_fromnamedfile(filename, NULL, DST_TYPE_PUBLIC,
-				       mctx, &key);
-	if (result != ISC_R_SUCCESS)
-		fatal("invalid keyfile name %s: %s",
-		      filename, isc_result_totext(result));
+	result = dst_key_fromnamedfile(filename, NULL, DST_TYPE_PUBLIC, mctx,
+				       &key);
+	if (result != ISC_R_SUCCESS) {
+		fatal("invalid keyfile name %s: %s", filename,
+		      isc_result_totext(result));
+	}
 
 	if (verbose > 2) {
 		char keystr[DST_KEY_FORMATSIZE];
@@ -164,12 +173,13 @@ loadkey(char *filename, unsigned char *key_buf, unsigned int key_buf_size,
 	}
 
 	result = dst_key_todns(key, &keyb);
-	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS) {
 		fatal("can't decode key");
+	}
 
 	isc_buffer_usedregion(&keyb, &r);
-	dns_rdata_fromregion(rdata, dst_key_class(key),
-			     dns_rdatatype_dnskey, &r);
+	dns_rdata_fromregion(rdata, dst_key_class(key), dns_rdatatype_dnskey,
+			     &r);
 
 	rdclass = dst_key_class(key);
 
@@ -208,31 +218,35 @@ emit(const char *dir, dns_rdata_t *rdata) {
 		      isc_result_totext(result));
 	}
 
-	result = dst_key_fromfile(dst_key_name(key), dst_key_id(key),
-				  dst_key_alg(key),
-				  DST_TYPE_PUBLIC | DST_TYPE_PRIVATE,
-				  dir, mctx, &tmp);
+	result = dst_key_fromfile(
+		dst_key_name(key), dst_key_id(key), dst_key_alg(key),
+		DST_TYPE_PUBLIC | DST_TYPE_PRIVATE, dir, mctx, &tmp);
 	if (result == ISC_R_SUCCESS) {
-		if (dst_key_isprivate(tmp) && !dst_key_isexternal(tmp))
+		if (dst_key_isprivate(tmp) && !dst_key_isexternal(tmp)) {
 			fatal("Private key already exists in %s", priname);
+		}
 		dst_key_free(&tmp);
 	}
 
 	dst_key_setexternal(key, true);
-	if (setpub)
+	if (setpub) {
 		dst_key_settime(key, DST_TIME_PUBLISH, pub);
-	if (setdel)
+	}
+	if (setdel) {
 		dst_key_settime(key, DST_TIME_DELETE, del);
-	if (setsyncadd)
+	}
+	if (setsyncadd) {
 		dst_key_settime(key, DST_TIME_SYNCPUBLISH, syncadd);
-	if (setsyncdel)
+	}
+	if (setsyncdel) {
 		dst_key_settime(key, DST_TIME_SYNCDELETE, syncdel);
+	}
 
-	if (setttl)
+	if (setttl) {
 		dst_key_setttl(key, ttl);
+	}
 
-	result = dst_key_tofile(key, DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
-				dir);
+	result = dst_key_tofile(key, DST_TYPE_PUBLIC | DST_TYPE_PRIVATE, dir);
 	if (result != ISC_R_SUCCESS) {
 		dst_key_format(key, keystr, sizeof(keystr));
 		fatal("Failed to write key %s: %s", keystr,
@@ -256,53 +270,54 @@ usage(void) ISC_PLATFORM_NORETURN_POST;
 static void
 usage(void) {
 	fprintf(stderr, "Usage:\n");
-	fprintf(stderr,	"    %s options [-K dir] keyfile\n\n", program);
+	fprintf(stderr, "    %s options [-K dir] keyfile\n\n", program);
 	fprintf(stderr, "    %s options -f file [keyname]\n\n", program);
 	fprintf(stderr, "Version: %s\n", VERSION);
 	fprintf(stderr, "Options:\n");
 	fprintf(stderr, "    -f file: read key from zone file\n");
 	fprintf(stderr, "    -K <directory>: directory in which to store "
-				"the key files\n");
+			"the key files\n");
 	fprintf(stderr, "    -L ttl:             set default key TTL\n");
 	fprintf(stderr, "    -v <verbose level>\n");
 	fprintf(stderr, "    -V: print version information\n");
 	fprintf(stderr, "    -h: print usage and exit\n");
 	fprintf(stderr, "Timing options:\n");
 	fprintf(stderr, "    -P date/[+-]offset/none: set/unset key "
-						     "publication date\n");
+			"publication date\n");
 	fprintf(stderr, "    -P sync date/[+-]offset/none: set/unset "
-				"CDS and CDNSKEY publication date\n");
+			"CDS and CDNSKEY publication date\n");
 	fprintf(stderr, "    -D date/[+-]offset/none: set/unset key "
-						     "deletion date\n");
+			"deletion date\n");
 	fprintf(stderr, "    -D sync date/[+-]offset/none: set/unset "
-				"CDS and CDNSKEY deletion date\n");
+			"CDS and CDNSKEY deletion date\n");
 
-	exit (-1);
+	exit(-1);
 }
 
 int
 main(int argc, char **argv) {
-	char		*classname = NULL;
-	char		*filename = NULL, *dir = NULL, *namestr;
-	char		*endp;
-	int		ch;
-	isc_result_t	result;
-	isc_log_t	*log = NULL;
-	dns_rdataset_t	rdataset;
-	dns_rdata_t	rdata;
-	isc_stdtime_t   now;
+	char *classname = NULL;
+	char *filename = NULL, *dir = NULL, *namestr;
+	char *endp;
+	int ch;
+	isc_result_t result;
+	isc_log_t *log = NULL;
+	dns_rdataset_t rdataset;
+	dns_rdata_t rdata;
+	isc_stdtime_t now;
 
 	dns_rdata_init(&rdata);
 	isc_stdtime_get(&now);
 
-	if (argc == 1)
+	if (argc == 1) {
 		usage();
+	}
 
 	isc_mem_create(&mctx);
 
 #if USE_PKCS11
 	pk11_result_register();
-#endif
+#endif /* if USE_PKCS11 */
 	dns_result_register();
 
 	isc_commandline_errprint = false;
@@ -313,26 +328,29 @@ main(int argc, char **argv) {
 		case 'D':
 			/* -Dsync ? */
 			if (isoptarg("sync", argv, usage)) {
-				if (setsyncdel)
+				if (setsyncdel) {
 					fatal("-D sync specified more than "
 					      "once");
+				}
 
 				syncdel = strtotime(isc_commandline_argument,
-						   now, now, &setsyncdel);
+						    now, now, &setsyncdel);
 				break;
 			}
 			/* -Ddnskey ? */
 			(void)isoptarg("dnskey", argv, usage);
-			if (setdel)
+			if (setdel) {
 				fatal("-D specified more than once");
+			}
 
-			del = strtotime(isc_commandline_argument,
-					now, now, &setdel);
+			del = strtotime(isc_commandline_argument, now, now,
+					&setdel);
 			break;
 		case 'K':
 			dir = isc_commandline_argument;
-			if (strlen(dir) == 0U)
+			if (strlen(dir) == 0U) {
 				fatal("directory must be non-empty string");
+			}
 			break;
 		case 'L':
 			ttl = strtottl(isc_commandline_argument);
@@ -341,35 +359,39 @@ main(int argc, char **argv) {
 		case 'P':
 			/* -Psync ? */
 			if (isoptarg("sync", argv, usage)) {
-				if (setsyncadd)
+				if (setsyncadd) {
 					fatal("-P sync specified more than "
 					      "once");
+				}
 
 				syncadd = strtotime(isc_commandline_argument,
-						   now, now, &setsyncadd);
+						    now, now, &setsyncadd);
 				break;
 			}
 			/* -Pdnskey ? */
 			(void)isoptarg("dnskey", argv, usage);
-			if (setpub)
+			if (setpub) {
 				fatal("-P specified more than once");
+			}
 
-			pub = strtotime(isc_commandline_argument,
-					now, now, &setpub);
+			pub = strtotime(isc_commandline_argument, now, now,
+					&setpub);
 			break;
 		case 'f':
 			filename = isc_commandline_argument;
 			break;
 		case 'v':
 			verbose = strtol(isc_commandline_argument, &endp, 0);
-			if (*endp != '\0')
+			if (*endp != '\0') {
 				fatal("-v must be followed by a number");
+			}
 			break;
 		case '?':
-			if (isc_commandline_option != '?')
+			if (isc_commandline_option != '?') {
 				fprintf(stderr, "%s: invalid argument -%c\n",
 					program, isc_commandline_option);
-			/* FALLTHROUGH */
+			}
+		/* FALLTHROUGH */
 		case 'h':
 			/* Does not return. */
 			usage();
@@ -379,23 +401,26 @@ main(int argc, char **argv) {
 			version(program);
 
 		default:
-			fprintf(stderr, "%s: unhandled option -%c\n",
-				program, isc_commandline_option);
+			fprintf(stderr, "%s: unhandled option -%c\n", program,
+				isc_commandline_option);
 			exit(1);
 		}
 	}
 
 	rdclass = strtoclass(classname);
 
-	if (argc < isc_commandline_index + 1 && filename == NULL)
+	if (argc < isc_commandline_index + 1 && filename == NULL) {
 		fatal("the key file name was not specified");
-	if (argc > isc_commandline_index + 1)
+	}
+	if (argc > isc_commandline_index + 1) {
 		fatal("extraneous arguments");
+	}
 
 	result = dst_lib_init(mctx, NULL);
-	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS) {
 		fatal("could not initialize dst: %s",
 		      isc_result_totext(result));
+	}
 
 	setup_logging(mctx, &log);
 
@@ -405,23 +430,26 @@ main(int argc, char **argv) {
 		if (argc < isc_commandline_index + 1) {
 			/* using filename as zone name */
 			namestr = filename;
-		} else
+		} else {
 			namestr = argv[isc_commandline_index];
+		}
 
 		result = initname(namestr);
-		if (result != ISC_R_SUCCESS)
+		if (result != ISC_R_SUCCESS) {
 			fatal("could not initialize name %s", namestr);
+		}
 
 		result = loadset(filename, &rdataset);
 
-		if (result != ISC_R_SUCCESS)
+		if (result != ISC_R_SUCCESS) {
 			fatal("could not load DNSKEY set: %s\n",
 			      isc_result_totext(result));
+		}
 
 		for (result = dns_rdataset_first(&rdataset);
 		     result == ISC_R_SUCCESS;
-		     result = dns_rdataset_next(&rdataset)) {
-
+		     result = dns_rdataset_next(&rdataset))
+		{
 			dns_rdata_init(&rdata);
 			dns_rdataset_current(&rdataset, &rdata);
 			emit(dir, &rdata);
@@ -429,24 +457,27 @@ main(int argc, char **argv) {
 	} else {
 		unsigned char key_buf[DST_KEY_MAXSIZE];
 
-		loadkey(argv[isc_commandline_index], key_buf,
-			DST_KEY_MAXSIZE, &rdata);
+		loadkey(argv[isc_commandline_index], key_buf, DST_KEY_MAXSIZE,
+			&rdata);
 
 		emit(dir, &rdata);
 	}
 
-	if (dns_rdataset_isassociated(&rdataset))
+	if (dns_rdataset_isassociated(&rdataset)) {
 		dns_rdataset_disassociate(&rdataset);
+	}
 	cleanup_logging(&log);
 	dst_lib_destroy();
-	if (verbose > 10)
+	if (verbose > 10) {
 		isc_mem_stats(mctx, stdout);
+	}
 	isc_mem_destroy(&mctx);
 
 	fflush(stdout);
 	if (ferror(stdout)) {
 		fprintf(stderr, "write error\n");
 		return (1);
-	} else
+	} else {
 		return (0);
+	}
 }

bin/dnssec/dnssec-importkey.docbook

@@ -1,254 +0,0 @@
-<!--
- - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
- -
- - See the COPYRIGHT file distributed with this work for additional
- - information regarding copyright ownership.
--->
-
-<!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-importkey">
-  <info>
-    <date>2014-02-20</date>
-  </info>
-  <refentryinfo>
-    <date>August 21, 2015</date>
-    <corpname>ISC</corpname>
-    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle><application>dnssec-importkey</application></refentrytitle>
-    <manvolnum>8</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <refnamediv>
-    <refname><application>dnssec-importkey</application></refname>
-    <refpurpose>import DNSKEY records from external systems so they can be managed</refpurpose>
-  </refnamediv>
-
-  <docinfo>
-    <copyright>
-      <year>2013</year>
-      <year>2014</year>
-      <year>2015</year>
-      <year>2016</year>
-      <year>2018</year>
-      <year>2019</year>
-      <year>2020</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-  </docinfo>
-
-  <refsynopsisdiv>
-    <cmdsynopsis sepchar=" ">
-      <command>dnssec-importkey</command>
-      <arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-P sync <replaceable class="parameter">date/offset</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-D sync <replaceable class="parameter">date/offset</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-h</option></arg>
-      <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-V</option></arg>
-      <arg choice="req" rep="norepeat"><option>keyfile</option></arg>
-    </cmdsynopsis>
-    <cmdsynopsis sepchar=" ">
-      <command>dnssec-importkey</command>
-      <arg choice="req" rep="norepeat"><option>-f <replaceable class="parameter">filename</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-P sync <replaceable class="parameter">date/offset</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-D sync <replaceable class="parameter">date/offset</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-h</option></arg>
-      <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-V</option></arg>
-      <arg choice="opt" rep="norepeat"><option>dnsname</option></arg>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsection><info><title>DESCRIPTION</title></info>
-
-    <para><command>dnssec-importkey</command>
-      reads a public DNSKEY record and generates a pair of
-      .key/.private files.  The DNSKEY record may be read from an
-      existing .key file, in which case a corresponding .private file
-      will be generated, or it may be read from any other file or
-      from the standard input, in which case both .key and .private
-      files will be generated.
-    </para>
-    <para>
-      The newly-created .private file does <emphasis>not</emphasis>
-      contain private key data, and cannot be used for signing.
-      However, having a .private file makes it possible to set
-      publication (<option>-P</option>) and deletion
-      (<option>-D</option>) times for the key, which means the
-      public key can be added to and removed from the DNSKEY RRset
-      on schedule even if the true private key is stored offline.
-    </para>
-  </refsection>
-
-  <refsection><info><title>OPTIONS</title></info>
-
-
-    <variablelist>
-      <varlistentry>
-	<term>-f <replaceable class="parameter">filename</replaceable></term>
-	<listitem>
-	  <para>
-	    Zone file mode: instead of a public keyfile name, the argument
-	    is the DNS domain name of a zone master file, which can be read
-	    from <option>file</option>.  If the domain name is the same as
-	    <option>file</option>, then it may be omitted.
-	  </para>
-	  <para>
-	    If <option>file</option> is set to <literal>"-"</literal>, then
-	    the zone data is read from the standard input.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-K <replaceable class="parameter">directory</replaceable></term>
-	<listitem>
-	  <para>
-	    Sets the directory in which the key files are to reside.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-L <replaceable class="parameter">ttl</replaceable></term>
-	<listitem>
-	  <para>
-	    Sets the default TTL to use for this key when it is converted
-	    into a DNSKEY RR.  If the key is imported into a zone,
-	    this is the TTL that will be used for it, unless there was
-	    already a DNSKEY RRset in place, in which case the existing TTL
-	    would take precedence.  Setting the default TTL to
-	    <literal>0</literal> or <literal>none</literal> removes it.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-h</term>
-	<listitem>
-	  <para>
-	    Emit usage message and exit.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-v <replaceable class="parameter">level</replaceable></term>
-	<listitem>
-	  <para>
-	    Sets the debugging level.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-V</term>
-	<listitem>
-	  <para>
-	    Prints version information.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-    </variablelist>
-  </refsection>
-
-  <refsection><info><title>TIMING OPTIONS</title></info>
-
-    <para>
-      Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
-      If the argument begins with a '+' or '-', it is interpreted as
-      an offset from the present time.  For convenience, if such an offset
-      is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
-      then the offset is computed in years (defined as 365 24-hour days,
-      ignoring leap years), months (defined as 30 24-hour days), weeks,
-      days, hours, or minutes, respectively.  Without a suffix, the offset
-      is computed in seconds.  To explicitly prevent a date from being
-      set, use 'none' or 'never'.
-    </para>
-
-    <variablelist>
-      <varlistentry>
-	<term>-P <replaceable class="parameter">date/offset</replaceable></term>
-	<listitem>
-	  <para>
-	    Sets the date on which a key is to be published to the zone.
-	    After that date, the key will be included in the zone but will
-	    not be used to sign it.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-P sync <replaceable class="parameter">date/offset</replaceable></term>
-	<listitem>
-	  <para>
-	    Sets the date on which CDS and CDNSKEY records that match this
-	    key are to be published to the zone.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-D <replaceable class="parameter">date/offset</replaceable></term>
-	<listitem>
-	  <para>
-	    Sets the date on which the key is to be deleted.  After that
-	    date, the key will no longer be included in the zone.  (It
-	    may remain in the key repository, however.)
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-D sync <replaceable class="parameter">date/offset</replaceable></term>
-	<listitem>
-	  <para>
-	    Sets the date on which the CDS and CDNSKEY records that match
-	    this key are to be deleted.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-    </variablelist>
-  </refsection>
-
-  <refsection><info><title>FILES</title></info>
-
-    <para>
-      A keyfile can be designed by the key identification
-      <filename>Knnnn.+aaa+iiiii</filename> or the full file name
-      <filename>Knnnn.+aaa+iiiii.key</filename> as generated by
-      <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>.
-    </para>
-  </refsection>
-
-  <refsection><info><title>SEE ALSO</title></info>
-
-    <para><citerefentry>
-	<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-	<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
-      <citetitle>RFC 5011</citetitle>.
-    </para>
-  </refsection>
-
-</refentry>