cleanup comment.

cleanup grammar so that it is bison friendly.

.clang-format

@@ -1,76 +0,0 @@
-BasedOnStyle: LLVM
-IndentWidth: 8
-UseTab: Always
-BreakBeforeBraces: Custom
-BraceWrapping:
-  AfterClass:      false
-  AfterEnum:       false
-  AfterStruct:     false
-  AfterUnion:      false
-  AfterControlStatement: MultiLine
-  AfterFunction:   false # should also be MultiLine, but not yet supported
-  AfterExternBlock: false
-  BeforeElse:      false
-  BeforeWhile:     false
-  IndentBraces:    false
-  SplitEmptyFunction: true
-AllowShortIfStatementsOnASingleLine: false
-IndentCaseLabels: false
-AlwaysBreakAfterReturnType: All
-Cpp11BracedListStyle: false
-ColumnLimit: 80
-AlignAfterOpenBracket: Align
-AlignConsecutiveBitFields: true
-AlignConsecutiveDeclarations: false
-AlignConsecutiveMacros: true
-AlignTrailingComments: true
-AllowAllArgumentsOnNextLine: true
-AlwaysBreakBeforeMultilineStrings: false
-BreakBeforeBinaryOperators: None
-BreakBeforeTernaryOperators: true
-AlignEscapedNewlines: Left
-DerivePointerAlignment: false
-PointerAlignment: Right
-PointerBindsToType: false
-IncludeBlocks: Regroup
-IncludeCategories:
-  - Regex:           '^<isc/'
-    Priority:        5
-  - Regex:           '^<(pk11|pkcs11)/'
-    Priority:        10
-  - Regex:           '^<dns/'
-    Priority:        15
-  - Regex:           '^<dst/'
-    Priority:        20
-  - Regex:           '^<isccc/'
-    Priority:        25
-  - Regex:           '^<isccfg/'
-    Priority:        30
-  - Regex:           '^<ns/'
-    Priority:        35
-  - Regex:           '^<irs/'
-    Priority:        40
-  - Regex:           '^<bind9/'
-    Priority:        45
-  - Regex:           '^<(dig|named|rndc|confgen|dlz)/'
-    Priority:        50
-  - Regex:           '^<dlz_'
-    Priority:        55
-  - Regex:           '^".*"'
-    Priority:        99
-  - Regex:           '<openssl/'
-    Priority:        1
-  - Regex:           '<(mysql|protobuf-c)/'
-    Priority:        1
-  - Regex:           '.*'
-    Priority:        0
-IndentExternBlock: NoIndent
-KeepEmptyLinesAtTheStartOfBlocks: false
-MaxEmptyLinesToKeep: 1
-PenaltyBreakAssignment: 30
-PenaltyBreakComment: 10
-PenaltyBreakFirstLessLess: 0
-PenaltyBreakString: 80
-PenaltyExcessCharacter: 100
-Standard: Cpp11
-ContinuationIndentWidth: 8

.clang-format.headers

@@ -1,64 +0,0 @@
-BasedOnStyle: LLVM
-IndentWidth: 8
-UseTab: Always
-BreakBeforeBraces: Custom
-BraceWrapping:
-  AfterClass:      false
-  AfterEnum:       false
-  AfterStruct:     false
-  AfterUnion:      false
-  AfterControlStatement: MultiLine
-  AfterFunction:   false # should also be MultiLine, but not yet supported
-  AfterExternBlock: false
-  BeforeElse:      false
-  BeforeWhile:     false
-  IndentBraces:    false
-  SplitEmptyFunction: true
-AllowShortIfStatementsOnASingleLine: false
-IndentCaseLabels: false
-AlwaysBreakAfterReturnType: All
-Cpp11BracedListStyle: false
-ColumnLimit: 80
-AlignAfterOpenBracket: Align
-AlignConsecutiveBitFields: true
-AlignConsecutiveDeclarations: true
-AlignConsecutiveMacros: true
-AlignTrailingComments: true
-AllowAllArgumentsOnNextLine: true
-AlwaysBreakBeforeMultilineStrings: false
-BreakBeforeBinaryOperators: None
-BreakBeforeTernaryOperators: true
-AlignEscapedNewlines: Left
-DerivePointerAlignment: false
-PointerAlignment: Right
-PointerBindsToType: false
-IncludeBlocks: Regroup
-IncludeCategories:
-  - Regex:           '^<isc/'
-    Priority:        2
-  - Regex:           '^<dns/'
-    Priority:        3
-  - Regex:           '^<iscccc/'
-    Priority:        4
-  - Regex:           '^<isccfg/'
-    Priority:        5
-  - Regex:           '^<ns/'
-    Priority:        6
-  - Regex:           '^<bind9/)'
-    Priority:        7
-  - Regex:           '^(<[^/]*)/)'
-    Priority:        8
-  - Regex:           '<[[:alnum:].]+>'
-    Priority:        1
-  - Regex:           '".*"'
-    Priority:        9
-IndentExternBlock: NoIndent
-KeepEmptyLinesAtTheStartOfBlocks: false
-MaxEmptyLinesToKeep: 1
-PenaltyBreakAssignment: 30
-PenaltyBreakComment: 10
-PenaltyBreakFirstLessLess: 0
-PenaltyBreakString: 80
-PenaltyExcessCharacter: 100
-Standard: Cpp11
-ContinuationIndentWidth: 8

.cvsignore

@@ -0,0 +1,7 @@
+Makefile
+config.log
+config.h
+config.cache
+config.status
+libtool
+isc-config.sh

.dir-locals.el

@@ -1,116 +0,0 @@
-;;; Directory Local Variables
-;;; For more information see (info "(emacs) Directory Variables")
-
-((c-mode .
-  ((eval .
-	 (set (make-local-variable 'directory-of-current-dir-locals-file)
-	      (file-name-directory (locate-dominating-file default-directory ".dir-locals.el"))
-	      )
-	 )
-   (eval .
-	 (set (make-local-variable 'include-directories)
-	      (list
-
-	       ;; top directory
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "./"))
-
-	       ;; libisc
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/isc/include"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/isc"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/isc/netmgr"))
-
-	       ;; libdns
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/dns/include"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/dns"))
-
-	       ;; libisccc
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/isccc/include"))
-
-	       ;; libisccfg
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/isccfg/include"))
-
-	       ;; libns
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/ns/include"))
-
-	       ;; libirs
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/irs/include"))
-
-	       ;; libbind9
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/bind9/include"))
-
-	       ;; bin
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "bin/check"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "bin/confgen/include"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "bin/confgen"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "bin/confgen/include"))	       
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "bin/dig/include"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "bin/named/include"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "bin/named/unix/include"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "bin/rndc/include"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "bin/dnssec/include"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "bin/named/include"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "bin/rndc/include"))
-
-	       (expand-file-name "/usr/include/libxml2")
-	       (expand-file-name "/usr/include/json-c")
-	       
-	       (expand-file-name "/usr/local/opt/openssl@1.1/include")
-	       (expand-file-name "/usr/local/opt/libxml2/include/libxml2")
-	       (expand-file-name "/usr/local/opt/json-c/include/json-c/")
-	       (expand-file-name "/usr/local/include")
-	       )
-	      )
-	 )
-
-   (eval setq flycheck-clang-include-path include-directories)
-   (eval setq flycheck-cppcheck-include-path include-directories)
-   (eval setq flycheck-gcc-include-path include-directories)
-   (eval setq flycheck-clang-args
-	 (list
-	  "-include"
-	  (expand-file-name
-	   (concat directory-of-current-dir-locals-file "config.h"))
-	  )
-	 )
-   (eval setq flycheck-gcc-args
-	 (list
-	  "-include"
-	  (expand-file-name
-	   (concat directory-of-current-dir-locals-file "config.h"))
-	  )
-	 )
-   (eval setq flycheck-cppcheck-args
-	 (list
-	  "--enable=all"
-	  "--suppress=missingIncludeSystem"
-	  "--suppress=nullPointerRedundantCheck"
-	  (concat "--suppressions-list=" (expand-file-name
-			       (concat directory-of-current-dir-locals-file "util/suppressions.txt")))
-	  (concat "-include=" (expand-file-name
-			       (concat directory-of-current-dir-locals-file "config.h")))
-	  )
-	 )
-   )
-  ))

.gitattributes

@@ -1,13 +0,0 @@
-*.sln.in eol=crlf
-*.vcxproj.* eol=crlf
-
-/fuzz/dns_rdata_fromwire_text.in/input-* -text
-
-.gitignore			 export-ignore
-/conftools			 export-ignore
-/doc/design			 export-ignore
-/doc/dev			 export-ignore
-/util/**			 export-ignore
-/util/bindkeys.pl		-export-ignore
-/util/check-make-install.in	-export-ignore
-/util/mksymtbl.pl		-export-ignore

.github/workflows/lockdown.yml

@@ -1,15 +0,0 @@
-name: 'Lock down mirror repository'
-
-on:
-  issues:
-    types: opened
-  pull_request:
-    types: opened
-
-jobs:
-  lockdown:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: dessant/repo-lockdown@v2
-        with:
-          github-token: ${{ github.token }}

.gitignore

@@ -1,100 +0,0 @@
-*-symtbl.c
-*.a
-*.gcda
-*.gcno
-*.la
-*.lo
-*.log
-*.o
-*.orig
-*.plist/ # ccc-analyzer store its results in .plist directories
-*.rej
-*.so
-*.trs
-*_test
-*.ipch # vscode/intellisense precompiled header
-*~
-__pycache__/
-.ccache/
-.cproject
-.deps/
-.dirstamp
-.libs/
-.project
-.settings
-/aclocal.m4
-/ar-lib
-/autom4te.cache/
-/bind.keys.h
-/compile
-/config.cache
-/config.guess
-/config.h
-/config.h.in
-/config.log
-/config.status
-/config.sub
-/configure
-/configure.lineno
-/depcomp
-/install-sh
-/isc-config.sh
-/libtool
-/ltmain.sh
-/m4/libtool.m4
-/m4/ltargz.m4
-/m4/ltdl.m4
-/m4/ltoptions.m4
-/m4/ltsugar.m4
-/m4/ltversion.m4
-/m4/lt~obsolete.m4
-/missing
-/py-compile
-/stamp-h1
-/test-driver
-Makefile
-Makefile.in
-ans.run
-gen.dSYM/
-named.memstats
-named.run
-timestamp
-/compile_commands.json
-# Gets generated by Build Ear (bear)
-/compile_commands.commands.json
-/cppcheck_html/
-/cppcheck.results
-/tsan
-/util/check-make-install
-/INSTALL
-doc/man/dnssec-cds.8in
-doc/man/dnssec-checkds.8in
-doc/man/dnssec-coverage.8in
-doc/man/dnssec-dsfromkey.8in
-doc/man/dnssec-importkey.8in
-doc/man/dnssec-keyfromlabel.8in
-doc/man/dnssec-keygen.8in
-doc/man/dnssec-keymgr.8in
-doc/man/dnssec-revoke.8in
-doc/man/dnssec-settime.8in
-doc/man/dnssec-signzone.8in
-doc/man/dnssec-verify.8in
-doc/man/named-checkconf.8in
-doc/man/named-checkzone.8in
-doc/man/named-journalprint.8in
-doc/man/named-nzd2nzf.8in
-doc/man/nsec3hash.8in
-doc/man/pkcs11-destroy.8in
-doc/man/pkcs11-keygen.8in
-doc/man/pkcs11-list.8in
-doc/man/pkcs11-tokens.8in
-# clangd index directory
-/\.cache/
-# GNU Global index files
-/GPATH
-/GRTAGS
-/GTAGS
-# Emacs specific files
-\.dir-locals-2.el
-/emacs.desktop
-/emacs.desktop-lock

.gitlab/issue_templates/Bug.md

@@ -1,46 +0,0 @@
-<!--
-If the bug you are reporting is potentially security-related - for example,
-if it involves an assertion failure or other crash in `named` that can be
-triggered repeatedly - then please do *NOT* report it here, but send an
-email to [security-officer@isc.org](security-officer@isc.org).
--->
-
-### Summary
-
-(Summarize the bug encountered concisely.)
-
-### BIND version used
-
-(Paste the output of `named -V`.)
-
-### Steps to reproduce
-
-(How one can reproduce the issue - this is very important.)
-
-### What is the current *bug* behavior?
-
-(What actually happens.)
-
-### What is the expected *correct* behavior?
-
-(What you should see instead.)
-
-### Relevant configuration files
-
-(Paste any relevant configuration files - please use code blocks (```)
-to format console output. If submitting the contents of your
-configuration file in a non-confidential Issue, it is advisable to
-obscure key secrets: this can be done automatically by using
-`named-checkconf -px`.)
-
-### Relevant logs and/or screenshots
-
-(Paste any relevant logs - please use code blocks (```) to format console
-output, logs, and code, as it's very hard to read otherwise.)
-
-### Possible fixes
-
-(If you can, link to the line of code that might be responsible for the
-problem.)
-
-/label ~bug

.gitlab/issue_templates/CVE.md

@@ -1,37 +0,0 @@
-<!--
-THIS ISSUE TEMPLATE IS INTENDED ONLY FOR INTERNAL USE.
-
-If the bug you are reporting is potentially security-related - for example,
-if it involves an assertion failure or other crash in `named` that can be
-triggered repeatedly - then please do *NOT* report it here, but send an
-email to [security-officer@isc.org](security-officer@isc.org).
--->
-
-### CVE-specific actions
-
-  - [ ] Assign a CVE identifier
-  - [ ] Determine CVSS score
-  - [ ] Determine the range of BIND versions affected (including the Subscription Edition)
-  - [ ] Determine whether workarounds for the problem exists
-  - [ ] Create a draft of the security advisory and put the information above in there
-  - [ ] Prepare a detailed description of the problem which should include the following by default:
-      - instructions for reproducing the problem (a system test is good enough)
-      - explanation of code flow which triggers the problem (a system test is *not* good enough)
-  - [ ] Prepare a private merge request containing the following items in separate commits:
-      - a test for the issue (may be moved to a separate merge request for deferred merging)
-      - a fix for the issue
-      - documentation updates (`CHANGES`, release notes, anything else applicable)
-  - [ ] Ensure the merge request from the previous step is reviewed by SWENG staff and has no outstanding discussions
-  - [ ] Ensure the documentation changes introduced by the merge request addressing the problem are reviewed by Support and Marketing staff
-  - [ ] Prepare backports of the merge request addressing the problem for all affected (and still maintained) BIND branches (backporting might affect the issue's scope and/or description)
-  - [ ] Prepare a standalone patch for the last stable release of each affected (and still maintained) BIND branch
-
-### Release-specific actions
-
-  - [ ] Create/update the private issue containing links to fixes & reproducers for all CVEs fixed in a given release cycle
-  - [ ] Reserve a block of `CHANGES` placeholders once the complete set of vulnerabilities fixed in a given release cycle is determined
-  - [ ] Ensure the merge requests containing CVE fixes are merged into `security-*` branches in CVE identifier order
-
-### Post-disclosure actions
-
-  - [ ] Merge a regression test reproducing the bug into all affected (and still maintained) BIND branches

.gitlab/issue_templates/Feature_Request.md

@@ -1,11 +0,0 @@
-### Description
-
-(Describe the problem, use cases, benefits, and/or goals.)
-
-### Request
-
-(Describe the solution you'd like to see.)
-
-### Links / references
-
-/label ~"feature request"

.gitlab/issue_templates/Release.md

@@ -1,97 +0,0 @@
-## Release Schedule
-
-**Code Freeze:**
-
-**Tagging Deadline:**
-
-**Public Release:**
-
-## Documentation Review Links
-
-**Closed issues assigned to the milestone without a release note:**
-
- - []()
- - []()
- - []()
-
-**Merge requests merged into the milestone without a release note:**
-
- - []()
- - []()
- - []()
-
-**Merge requests merged into the milestone without a `CHANGES` entry:**
-
- - []()
- - []()
- - []()
-
-## Release Checklist
-
-### Before the Code Freeze
-
- - [ ] ***(QA)*** Inform Support and Marketing of impending release (and give estimated release dates).
- - [ ] ***(QA)*** Ensure there are no permanent test failures on any platform.
- - [ ] ***(QA)*** Check Perflab to ensure there has been no unexplained drop in performance for the versions being released.
- - [ ] ***(QA)*** Check whether all issues assigned to the release milestone are resolved[^1].
- - [ ] ***(QA)*** Ensure that there are no outstanding merge requests in the private repository[^1] (Subscription Edition only).
- - [ ] ***(QA)*** Ensure all merge requests marked for backporting have been indeed backported.
- - [ ] ***(QA)*** Announce (on Mattermost) that the code freeze is in effect.
-
-### Before the Tagging Deadline
-
- - [ ] ***(QA)*** Look for outstanding documentation issues (e.g. `CHANGES` mistakes) and address them if any are found.
- - [ ] ***(QA)*** Ensure release notes are correct, ask Support and Marketing to check them as well.
- - [ ] ***(QA)*** Update API files for libraries with new version information.
- - [ ] ***(QA)*** Change software version and library versions in `configure.ac` (new major release only).
- - [ ] ***(QA)*** Rebuild `configure` using Autoconf on `docs.isc.org`.
- - [ ] ***(QA)*** Update `CHANGES`.
- - [ ] ***(QA)*** Update `CHANGES.SE` (Subscription Edition only).
- - [ ] ***(QA)*** Update `README.md`.
- - [ ] ***(QA)*** Update `version`.
- - [ ] ***(QA)*** Build documentation on `docs.isc.org`.
- - [ ] ***(QA)*** Check that the formatting is correct for text, PDF, and HTML versions of release notes.
- - [ ] ***(QA)*** Check that the formatting of the generated man pages is correct.
- - [ ] ***(QA)*** Tag the releases in the private repository (`git tag -s -m "BIND 9.x.y" v9_x_y`).
-
-### Before the ASN Deadline (for ASN Releases) or the Public Release Date (for Regular Releases)
-
- - [ ] ***(QA)*** Verify GitLab CI results for the tags created and prepare a QA report for the releases to be published.
- - [ ] ***(QA)*** Announce (on Mattermost) that the code freeze is over.
- - [ ] ***(QA)*** Request signatures for the tarballs, providing their location and checksums.
- - [ ] ***(Signers)*** Validate tarball checksums, sign tarballs, and upload signatures.
- - [ ] ***(QA)*** Verify tarball signatures and check tarball checksums again.
- - [ ] ***(Support)*** Pre-publish ASN and/or Subscription Edition tarballs so that packages can be built.
- - [ ] ***(QA)*** Build and test ASN and/or Subscription Edition packages.
- - [ ] ***(QA)*** Notify Support that the releases have been prepared.
- - [ ] ***(Support)*** Send out ASNs (if applicable).
-
-### On the Day of Public Release
-
- - [ ] ***(Support)*** Wait for clearance from Security Officer to proceed with the public release (if applicable).
- - [ ] ***(Support)*** Place tarballs in public location on FTP site.
- - [ ] ***(Support)*** Publish links to downloads on ISC website.
- - [ ] ***(Support)*** Write release email to *bind-announce*.
- - [ ] ***(Support)*** Write email to *bind-users* (if a major release).
- - [ ] ***(Support)*** Send eligible customers updated links to the Subscription Edition (update the -S edition delivery tickets, even if those links were provided earlier via an ASN ticket).
- - [ ] ***(Support)*** Update tickets in case of waiting support customers.
- - [ ] ***(QA)*** Build and test any outstanding private packages.
- - [ ] ***(QA)*** Build public RPMs.
- - [ ] ***(SwEng) *** Build Debian/Ubuntu packages.
- - [ ] ***(SwEng) *** Update Docker images.
- - [ ] ***(QA)*** Inform Marketing of the release.
- - [ ] ***(QA)*** Update the internal [BIND release dates wiki page](https://wiki.isc.org/bin/view/Main/BindReleaseDates) when public announcement has been made.
- - [ ] ***(Marketing)*** Post short note to Twitter.
- - [ ] ***(Marketing)*** Update [Wikipedia entry for BIND](https://en.wikipedia.org/wiki/BIND).
- - [ ] ***(Marketing)*** Write blog article (if a major release).
- - [ ] ***(QA)*** Ensure all new tags are annotated and signed.
- - [ ] ***(QA)*** Push tags for the published releases to the public repository.
- - [ ] ***(QA)*** Merge the automatically prepared `prep 9.x.y` commit which updates `version` and documentation on the release branch into the relevant maintenance branch (`v9_x`).
- - [ ] ***(QA)*** For each maintained branch, update the `BIND_BASELINE_VERSION` variable for the `abi-check` job in `.gitlab-ci.yml` to the latest published BIND version tag for a given branch.
- - [ ] ***(QA)*** Prepare empty release notes for the next set of releases.
- - [ ] ***(QA)*** Sanitize confidential issues which are assigned to the current release milestone and do not describe a security vulnerability, then make them public.
- - [ ] ***(QA)*** Sanitize confidential issues which are assigned to older release milestones and describe security vulnerabilities, then make them public if appropriate[^2].
- - [ ] ***(QA)*** Update QA tools used in GitLab CI (e.g. Flake8, PyLint) by modifying the relevant `Dockerfile`.
-
-[^1]: If not, use the time remaining until the tagging deadline to ensure all outstanding issues are either resolved or moved to a different milestone.
-[^2]: As a rule of thumb, security vulnerabilities which have reproducers merged to the public repository are considered okay for full disclosure.

.lgtm.yml

@@ -1,35 +0,0 @@
-extraction:
-  cpp:
-    prepare:
-      packages:
-      - "libxml2-dev"
-      - "libjson-c-dev"
-      - "libssl-dev"
-      - "zlib1g-dev"
-      - "libcmocka-dev"
-      - "pkg-config"
-      - "libcap2-dev"
-      - "libedit-dev"
-      - "libidn2-dev"
-      - "libmaxminddb-dev"
-      - "libuv1-dev"
-      - "libnghttp2-dev"
-    configure:
-      command:
-      - "autoreconf -fi"
-      - "CFLAGS=\"-Og -g\" ./configure --enable-developer"
-path_classifiers:
-  test:
-    - "lib/*/tests/"
-    - "bin/tests/"
-  docs:
-    - "**/*.xml"
-    - "**/*.docbook"
-    - "**/*.html"
-    - "**/*.1"
-    - "**/*.5"
-    - "**/*.8"
-queries:
-  - exclude: fuzz/
-  - exclude: "bin/tests/system/*/ans*/*.py"
-  - exclude: cpp/use-of-goto

.pylintrc

@@ -1,9 +0,0 @@
-[MASTER]
-disable=
-    C0103, # invalid-name
-    C0114, # missing-module-docstring
-    C0115, # missing-class-docstring
-    C0116, # missing-function-docstring
-    C0209, # consider-using-f-string
-    C0415, # import-outside-toplevel
-    R0801, # duplicate-code

AUTHORS

@@ -1,53 +0,0 @@
-Mark Andrews
-Andreas Gustafsson
-Evan Hunt
-Brian Wellington
-Bob Halley
-David Lawrence
-Michael Graff
-Michael Sawyer
-Ondřej Surý
-James Brister
-Tatuya JINMEI 神明達哉
-Francis Dupont
-Michał Kępień
-Danny Mayer
-Mukund Sivaraman
-Jeremy C. Reed
-William King
-Stephen Morris
-Witold Kręcicki
-Curtis Blackburn
-Scott Mann
-Rob Austein
-Jim Reid
-Eric Luce
-Olafur Gudmundsson
-Stephen Jacob
-Damien Neil
-Tony Finch
-Jakob Schlyter
-Petr Menšík
-Vernon Schryver
-Matt Nelson
-Shane Kerr
-Paul Ebersman
-Ray Bellis
-Shawn Routhier
-Ben Cottrell
-Tomas Hozza
-johnd
-Bill Parker
-李昶
-Kevin Chen
-Jonathan Casey
-Mary Stahl
-Mathieu Arnold
-David Hankins
-Paul Hoffman
-Paul Vixie
-Brian Conry
-Anay Panvalkar
-colleen
-Robert Edmonds
-João Damas

CODE_OF_CONDUCT.md

@@ -1,71 +0,0 @@
-# BIND 9 Code of Conduct
-
-Like the technical community as a whole, the BIND 9 team and community is made
-up of a mixture of professionals and volunteers from all over the world, working
-on every aspect of the mission - including mentorship, teaching, and connecting
-people.
-
-Diversity is one of our huge strengths, but it can also lead to communication
-issues and unhappiness. To that end, we have a few ground rules that we ask
-people to adhere to. This code applies equally to the core development team,
-open source contributors and those seeking help and guidance.
-
-This isn't an exhaustive list of things that you can't do. Rather, take it in
-the spirit in which it's intended - a guide to make it easier to enrich all of
-us and the technical communities in which we participate.
-
-This code of conduct applies to all spaces managed by the BIND 9 project or
-Internet Systems Consortium. This includes chat, the mailing lists, the issue
-tracker, and any other fora created by the project team which the
-community uses for communication. In addition, violations of this code outside
-these spaces may affect a person's ability to participate within them.
-
-If you believe someone is violating the code of conduct, we ask that you report
-it by emailing [conduct@isc.org](conduct@isc.org). For more details please see
-our [Reporting Guidelines](https://www.isc.org/conductreporting/).
-
-* **Be friendly and patient.**
-* **Be welcoming.** We strive to be a community that welcomes and supports
-  people of all backgrounds and identities. This includes, but is not limited to
-  members of any race, ethnicity, culture, national origin, colour, immigration
-  status, social and economic class, educational level, sex, sexual orientation,
-  gender identity and expression, age, size, family status, political belief,
-  religion, and mental and physical ability.
-* **Be considerate.** Your work will be used by other people, and you in turn
-  will depend on the work of others. Any decision you take will affect users and
-  colleagues, and you should take those consequences into account when making
-  decisions. Remember that we're a world-wide community, so you might not be
-  communicating in someone else's primary language.
-* **Be respectful.** Not all of us will agree all the time, but disagreement is
-  no excuse for poor behavior and poor manners. We might all experience some
-  frustration now and then, but we cannot allow that frustration to turn into a
-  personal attack. It's important to remember that a community where people feel
-  uncomfortable or threatened is not a productive one. Members of the BIND 9
-  community should be respectful when dealing with other members as well as with
-  people outside the BIND 9 community.
-* **Be careful in the words that you choose.** We are a community of
-  professionals, and we conduct ourselves professionally. Be kind to others. Do
-  not insult or put down other participants. Harassment and other exclusionary
-  behavior aren't acceptable. This includes, but is not limited to:
-  * Violent threats or language directed against another person.
-  * Discriminatory jokes and language.
-  * Posting sexually explicit or violent material.
-  * Posting (or threatening to post) other people's personally identifying
-    information ("doxing").
-  * Personal insults, especially those using racist or sexist terms.
-  * Unwelcome sexual attention.
-  * Advocating for, or encouraging, any of the above behavior.
-  * Repeated harassment of others. In general, if someone asks you to stop, then
-    stop.
-* **When we disagree, try to understand why.** Disagreements, both social and
-  technical, happen all the time and BIND 9 is no exception. It is important
-  that we resolve disagreements and differing views constructively. Remember
-  that we're different. The strength of BIND 9 comes from its varied community,
-  people from a wide range of backgrounds. Different people have different
-  perspectives on issues. Being unable to understand why someone holds a
-  viewpoint doesn't mean that they're wrong. Don't forget that it is human to
-  err and blaming each other doesn't get us anywhere. Instead, focus on helping
-  to resolve issues and learning from mistakes.
-
-Original text courtesy of the [Django Code of Conduct](https://www.djangoproject.com/conduct/)
-project.

CONTRIBUTING.md

@@ -1,206 +0,0 @@
-<!--
- - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
- -
- - See the COPYRIGHT file distributed with this work for additional
- - information regarding copyright ownership.
--->
-## BIND 9 Source Access and Contributor Guidelines
-*May 28, 2020*
-
-### Contents
-
-1. [Access to source code](#access)
-1. [Reporting bugs](#bugs)
-1. [Contributing code](#contrib)
-
-### Introduction
-
-Thank you for using BIND 9!
-
-BIND is open source software that implements the Domain Name System (DNS)
-protocols for the Internet. It is a reference implementation of those
-protocols, but it is also production-grade software, suitable for use in
-high-volume and high-reliability applications.  It is very
-widely used DNS software, providing a robust and stable platform on top of
-which organizations can build distributed computing systems with the
-knowledge that those systems are fully compliant with published DNS
-standards.
-
-BIND is and will always remain free and openly available.  It can be
-used and modified in any way by anyone.
-
-BIND is maintained by [Internet Systems Consortium](https://www.isc.org),
-a public-benefit 501(c)(3) nonprofit, using a "managed open source" approach:
-anyone can see the source, but only ISC employees have commit access.
-In the past, the source could only be seen once ISC had published
-a release; read access to the source repository was restricted just
-as commit access was.  That has changed, as ISC now provides a
-public git repository of the BIND source tree (see below).
-
-At ISC, we're committed to
-building communities that are welcoming and inclusive: environments where people
-are encouraged to share ideas, treat each other with respect, and collaborate
-towards the best solutions. To reinforce our commitment, ISC
-has adopted a slightly modified version of the Django
-[Code of Conduct](https://gitlab.isc.org/isc-projects/bind9/-/blob/main/CODE_OF_CONDUCT.md)
-for the BIND 9 project, as well as for the conduct of our developers throughout
-the industry.
-
-### <a name="access"></a>Access to source code
-
-Public BIND releases are always available from the
-[ISC FTP site](ftp://ftp.isc.org/isc/bind9).
-
-A public-access git repository is also available at
-[https://gitlab.isc.org](https://gitlab.isc.org).  This repository
-contains all public release branches. Upcoming releases can be viewed in
-their current state at any time.  Short-lived development branches
-contain unreviewed work in progress.  Commits which address security
-vulnerablilities are withheld until after public disclosure.
-
-You can browse the source online via
-[https://gitlab.isc.org/isc-projects/bind9](https://gitlab.isc.org/isc-projects/bind9)
-
-To clone the repository, use:
-
->       $ git clone https://gitlab.isc.org/isc-projects/bind9.git
-
-Release branch names are of the form `v9_X`, where X represents the second
-number in the BIND 9 version number.  So, to check out the BIND 9.12
-branch, use:
-
->       $ git checkout v9_12
-
-Whenever a branch is ready for publication, a tag is placed of the
-form `v9_X_Y`.  The 9.12.0 release, for instance, is tagged as `v9_12_0`.
-
-The branch in which the next major release is being developed is called
-`main`.
-
-### <a name="bugs"></a>Reporting bugs
-
-Reports of flaws in the BIND package, including software bugs, errors
-in the documentation, missing files in the tarball, suggested changes
-or requests for new features, etc., can be filed using
-[https://gitlab.isc.org/isc-projects/bind9/issues](https://gitlab.isc.org/isc-projects/bind9/issues).
-
-Due to a large ticket backlog, we are sometimes slow to respond,
-especially if a bug is cosmetic or if a feature request is vague or
-low in priority, but we try at least to acknowledge legitimate
-bug reports within a week.
-
-ISC's GitLab system is publicly readable; however, you must have
-an account to create a new issue. You can either register locally or
-use credentials from an existing account at GitHub, GitLab, Google,
-Twitter, or Facebook.
-
-### Reporting possible security issues
-
-If you think you may be seeing a potential security vulnerability in BIND
-(for example, a crash with REQUIRE, INSIST, or ASSERT failure), please
-report it immediately by emailing to security-officer@isc.org. Plain-text
-e-mail is not a secure choice for communications concerning undisclosed
-security issues so please encrypt your communications to us if possible,
-using the [ISC Security Officer public key](https://www.isc.org/pgpkey/).
-
-Do not discuss undisclosed security vulnerabilities on any public mailing list.
-ISC has a long history of handling reported vulnerabilities promptly and
-effectively and we respect and acknowledge responsible reporters.
-
-ISC's Security Vulnerability Disclosure Policy is documented at
-[https://kb.isc.org/docs/aa-00861](https://kb.isc.org/docs/aa-00861).
-
-If you have a crash, you may want to consult
-["What to do if your BIND or DHCP server has crashed."](https://kb.isc.org/docs/aa-00340)
-
-### <a name="contrib"></a>Contributing code
-
-BIND is licensed under the
-[Mozilla Public License 2.0](https://www.mozilla.org/en-US/MPL/2.0/).
-Earlier versions (BIND 9.10 and earlier) were licensed under the
-[ISC License](https://www.isc.org/licenses/)
-
-ISC does not require an explicit copyright assignment for patch
-contributions.  However, by submitting a patch to ISC, you implicitly
-certify that you are the author of the code, that you intend to relinquish
-exclusive copyright, and that you grant permission to publish your work
-under the open source license used for the BIND version(s) to which your
-patch will be applied.
-
-#### <a name="bind"></a>BIND code
-
-Patches for BIND may be submitted directly via merge requests in
-[ISC's GitLab](https://gitlab.isc.org/isc-projects/bind9/) source
-repository for BIND.
-
-Patches can also be submitted as diffs against a specific version of
-BIND -- preferably the current top of the `main` branch.  Diffs may
-be generated using either `git format-patch` or `git diff`.
-
-Those wanting to write code for BIND may be interested in the
-[developer information](doc/dev/dev.md) page, which includes information
-about BIND design and coding practices, including discussion of internal
-APIs and overall system architecture.
-
-Every patch submitted is reviewed by ISC engineers following our
-[code review process](doc/dev/dev.md#reviews) before it is merged.
-
-It may take considerable time to review patch submissions, especially if
-they don't meet ISC style and quality guidelines.  If a patch is a good
-idea, we can and will do additional work to bring it up to par, but if
-we're busy with other work, it may take us a long time to get to it.
-
-To ensure your patch is acted on as promptly as possible, please:
-
-* Try to adhere to the [BIND 9 coding style](doc/dev/style.md).
-* Run `make check` to ensure your change hasn't caused any
-  functional regressions.
-* Document your work, both in the patch itself and in the
-  accompanying email.
-* In patches that make non-trivial functional changes, include system
-  tests if possible; when introducing or substantially altering a
-  library API, include unit tests. See [Testing](doc/dev/dev.md#testing)
-  for more information.
-
-##### Changes to `configure`
-
-If you need to make changes to `configure`, you should not edit it
-directly; instead, edit `configure.in`, then run `autoconf`.  Similarly,
-instead of editing `config.h.in` directly, edit `configure.in` and run
-`autoheader`.
-
-When submitting a patch as a diff, it's fine to omit the `configure`
-diffs to save space.  Just send the `configure.in` diffs and we'll
-generate the new `configure` during the review process.
-
-##### Documentation
-
-All functional changes should be documented. There are three types
-of documentation in the BIND source tree:
-
-* Man pages are kept alongside the source code for the commands
-  they document, in files ending in `.rst`: for example, the
-  `named` man page is `bin/named/named.rst`.
-* The *BIND 9 Administrator Reference Manual* is in the .rst files in
-  `doc/arm/`; the PDF and HTML versions are automatically generated from
-  the `.rst` files.
-* API documentation is in the header file describing the API, in
-  Doxygen-formatted comments.
-
-Patches to improve existing documentation are also very welcome!
-
-##### Tests
-
-BIND is a large and complex project. We rely heavily on continuous
-automated testing and cannot merge new code without adequate test coverage.
-Please see [the "Testing" section of doc/dev/dev.md](doc/dev/dev.md#testing)
-for more information.
-
-#### Thanks
-
-Thank you for your interest in contributing to the ongoing development
-of BIND 9.

COPYING

@@ -1 +0,0 @@
-LICENSE

COPYRIGHT

@@ -1,391 +1,14 @@
-Copyright (C) 1996-2021  Internet Systems Consortium, Inc. ("ISC")
-
-This Source Code Form is subject to the terms of the Mozilla Public
-License, v. 2.0. If a copy of the MPL was not distributed with this
-file, you can obtain one at https://mozilla.org/MPL/2.0/.
-
- -----------------------------------------------------------------------------
-
-	Portions of this code release fall under one or more of the
-	following Copyright notices.  Please see individual source
-	files for details.
-
-	For binary releases also see: OpenSSL-LICENSE.
-
-Copyright (C) 1996-2001  Nominum, Inc.
+Copyright (C) 1996-2001  Internet Software Consortium.
 
 Permission to use, copy, modify, and distribute this software for any
 purpose with or without fee is hereby granted, provided that the above
 copyright notice and this permission notice appear in all copies.
 
-THE SOFTWARE IS PROVIDED "AS IS" AND NOMINUM DISCLAIMS ALL WARRANTIES
-WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL NOMINUM BE LIABLE FOR
-ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
-OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
- -----------------------------------------------------------------------------
-
-Copyright (C) 1995-2000 by Network Associates, Inc.
-
-Permission to use, copy, modify, and/or distribute this software for any
-purpose with or without fee is hereby granted, provided that the above
-copyright notice and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
-ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
-WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
-FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
-IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
- -----------------------------------------------------------------------------
-
-Copyright (C) 2002 Stichting NLnet, Netherlands, stichting@nlnet.nl.
-
-Permission to use, copy, modify, and distribute this software for any
-purpose with or without fee is hereby granted, provided that the
-above copyright notice and this permission notice appear in all
-copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND STICHTING NLNET
+THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
 DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
-STICHTING NLNET BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
-CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
-OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
-USE OR PERFORMANCE OF THIS SOFTWARE.
-
-The development of Dynamically Loadable Zones (DLZ) for Bind 9 was
-conceived and contributed by Rob Butler.
-
-Permission to use, copy, modify, and distribute this software for any
-purpose with or without fee is hereby granted, provided that the
-above copyright notice and this permission notice appear in all
-copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND ROB BUTLER
-DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
-ROB BUTLER BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
-CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
-OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
-USE OR PERFORMANCE OF THIS SOFTWARE.
-
- -----------------------------------------------------------------------------
-
-Copyright (c) 1987, 1990, 1993, 1994
-     The Regents of the University of California.  All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions
-are met:
-1. Redistributions of source code must retain the above copyright
-   notice, this list of conditions and the following disclaimer.
-2. Redistributions in binary form must reproduce the above copyright
-   notice, this list of conditions and the following disclaimer in the
-   documentation and/or other materials provided with the distribution.
-3. Neither the name of the University nor the names of its contributors
-   may be used to endorse or promote products derived from this software
-   without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGE.
-
- -----------------------------------------------------------------------------
-
-Copyright (C) The Internet Society 2005.  This version of
-this module is part of RFC 4178; see the RFC itself for
-full legal notices.
-
-(The above copyright notice is per RFC 3978 5.6 (a), q.v.)
-
- -----------------------------------------------------------------------------
-
-Copyright (c) 2004 Masarykova universita
-(Masaryk University, Brno, Czech Republic)
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-1. Redistributions of source code must retain the above copyright notice,
-   this list of conditions and the following disclaimer.
-
-2. Redistributions in binary form must reproduce the above copyright
-   notice, this list of conditions and the following disclaimer in the
-   documentation and/or other materials provided with the distribution.
-
-3. Neither the name of the University nor the names of its contributors may
-   be used to endorse or promote products derived from this software
-   without specific prior written permission.
- 
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
-LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
-
- -----------------------------------------------------------------------------
-
-Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
-(Royal Institute of Technology, Stockholm, Sweden). 
-All rights reserved. 
-
-Redistribution and use in source and binary forms, with or without 
-modification, are permitted provided that the following conditions 
-are met: 
-
-1. Redistributions of source code must retain the above copyright 
-   notice, this list of conditions and the following disclaimer. 
-
-2. Redistributions in binary form must reproduce the above copyright 
-   notice, this list of conditions and the following disclaimer in the 
-   documentation and/or other materials provided with the distribution. 
-
-3. Neither the name of the Institute nor the names of its contributors 
-   may be used to endorse or promote products derived from this software 
-   without specific prior written permission. 
-
-THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
-ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
-OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
-HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
-LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
-OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
-SUCH DAMAGE. 
-
- -----------------------------------------------------------------------------
-
-Copyright (c) 1993 by Digital Equipment Corporation.
-
-Permission to use, copy, modify, and distribute this software for any
-purpose with or without fee is hereby granted, provided that the above
-copyright notice and this permission notice appear in all copies, and that
-the name of Digital Equipment Corporation not be used in advertising or
-publicity pertaining to distribution of the document or software without
-specific, written prior permission.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
-WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
-OF MERCHANTABILITY AND FITNESS.   IN NO EVENT SHALL DIGITAL EQUIPMENT
-CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
-DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
-PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
-ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
-SOFTWARE.
-
- -----------------------------------------------------------------------------
-
-Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions
-are met:
-1. Redistributions of source code must retain the above copyright
-   notice, this list of conditions and the following disclaimer.
-2. Redistributions in binary form must reproduce the above copyright
-   notice, this list of conditions and the following disclaimer in the
-   documentation and/or other materials provided with the distribution.
-3. Neither the name of the project nor the names of its contributors
-   may be used to endorse or promote products derived from this software
-   without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGE.
-
- -----------------------------------------------------------------------------
-
-Copyright (c) 1999-2000 by Nortel Networks Corporation
-
-Permission to use, copy, modify, and distribute this software for any
-purpose with or without fee is hereby granted, provided that the above
-copyright notice and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND NORTEL NETWORKS DISCLAIMS
-ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
-OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL NORTEL NETWORKS
-BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES
-OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
-WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION,
-ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
-SOFTWARE.
-
- -----------------------------------------------------------------------------
-
-Copyright (C) 2004  Nominet, Ltd.
-
-Permission to use, copy, modify, and distribute this software for any
-purpose with or without fee is hereby granted, provided that the above
-copyright notice and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND NOMINET DISCLAIMS ALL WARRANTIES WITH
-REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-PERFORMANCE OF THIS SOFTWARE.
-
- -----------------------------------------------------------------------------
-
-Copyright (c) 1996, David Mazieres <dm@uun.org>
-Copyright (c) 2008, Damien Miller <djm@openbsd.org>
-
-Permission to use, copy, modify, and distribute this software for any
-purpose with or without fee is hereby granted, provided that the above
-copyright notice and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
------------------------------------------------------------------------------
-
-Copyright (c) 1995, 1997, 1998 The NetBSD Foundation, Inc.
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions
-are met:
-1. Redistributions of source code must retain the above copyright
-   notice, this list of conditions and the following disclaimer.
-2. Redistributions in binary form must reproduce the above copyright
-   notice, this list of conditions and the following disclaimer in the
-   documentation and/or other materials provided with the distribution.
-
-THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
-``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
-TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
-BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
-
------------------------------------------------------------------------------
-
-Copyright (C) 2008-2011  Red Hat, Inc.
-
-Permission to use, copy, modify, and/or distribute this software for any
-purpose with or without fee is hereby granted, provided that the above
-copyright notice and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND Red Hat DISCLAIMS ALL WARRANTIES WITH
-REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-AND FITNESS.  IN NO EVENT SHALL Red Hat BE LIABLE FOR ANY SPECIAL, DIRECT,
-INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-PERFORMANCE OF THIS SOFTWARE.
-
------------------------------------------------------------------------------
-
-Copyright (c) 2013-2014, Farsight Security, Inc.
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions
-are met:
-
-1. Redistributions of source code must retain the above copyright
-notice, this list of conditions and the following disclaimer.
-
-2. Redistributions in binary form must reproduce the above copyright
-notice, this list of conditions and the following disclaimer in the
-documentation and/or other materials provided with the distribution.
-
-3. Neither the name of the copyright holder nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
-TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR
-CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
-EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
-PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
-OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
-OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
-ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
------------------------------------------------------------------------------
-
-Copyright (c) 2014 by Farsight Security, Inc.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-
------------------------------------------------------------------------------
-
-Copyright Joyent, Inc. and other Node contributors. All rights reserved.
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
-FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
-IN THE SOFTWARE.
+INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
+INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
+FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

ChangeLog

@@ -1 +0,0 @@
-CHANGES

EXCLUDED

@@ -0,0 +1,18 @@
+1061.   [bug]           If periodic cache cleaning happened to start
+                        while cleaning due to reaching the configured
+                        maximum cache size was in progress, the server
+                        could catch an assertion failure. [RT #1912]
+
+1054.	[bug]		winnt: cfg_categories and cfg_modules need to be
+			visible outside of the libisccfg DLL.
+
+1050.	[bug]		Log messages reporting malformed IP addresses in
+			address lists such as that of the forwarders option
+			failed to include the correct error code, file
+			name, and line number. [RT #1890]
+
+1048.	[bug]		Servers built with -DISC_MEM_USE_INTERNAL_MALLOC=1
+			didn't work.
+
+1046.	[bug]		The help message for the --with-openssl configure
+			option was inaccurate. [RT #1880]

FAQ

@@ -0,0 +1,153 @@
+
+
+
+Frequently Asked Questions about BIND 9
+
+
+Q: Why doesn't -u work on Linux 2.2.x?
+
+A: Linux threads do not fully implement the Posix threads (pthreads) standard.
+In particular, setuid() operates only on the current thread, not the full
+process.  Because of this limitation, BIND 9 cannot use setuid() on Linux as it
+can on all other supported platforms.  setuid() cannot be called before
+creating threads, since the server does not start listening on reserved ports
+until after threads have started.
+
+  In the 2.3.99-pre3 and newer kernels, the ability to preserve capabilities
+across a setuid() call is present.  This allows BIND 9 to call setuid() early,
+while retaining the ability to bind reserved ports.  This is a Linux-specific
+hack.
+
+  On a 2.2 kernel, BIND 9 does drop many root privileges, so it should be less
+of a security risk than a root process that has not dropped privileges.
+
+  If Linux threads ever work correctly, this restriction will go away.
+
+  Configuring BIND9 with the --disable-threads option causes a non-threaded
+version to be built, which will allow -u to be used.
+
+
+Q: Why does named log the error message "no TTL specified" and refuse
+to load my zone file?
+
+A: Your zone file must either have a line like
+
+   $TTL 86400
+
+at the beginning, or the first record in it must have a TTL field,
+like the "84600" in this example:
+
+   example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )
+
+BIND 8 incorrectly accepted files that had neither.
+
+
+Q: Why do I see 5 (or more) copies of named on Linux?
+
+A: Linux threads each show up as a process under ps.  The approximate
+number of threads running is n+4, where n is the number of CPUs.  Note that
+the amount of memory used is not cumulative; if each process is using 10M of
+memory, only a total of 10M is used.
+
+
+Q: Why does BIND 9 log "permission denied" errors accessing its
+configuration files or zones on my Linux system even though it is running
+as root?
+
+A: On Linux, BIND 9 drops most of its root privileges on startup.
+This including the privilege to open files owned by other users.
+Therefore, if the server is running as root, the configuration files
+and zone files should also be owned by root.
+
+
+Q: Why do I get errors like "dns_zone_load: zone foo/IN: loading master file
+bar: ran out of space"
+
+A: This is often caused by TXT records with missing close quotes.  Check that
+all TXT records containing quoted strings have both open and close quotes.
+
+
+Q: How do I produce a usable core file on Linux?
+
+A: Apply the kernel patch found in bind9/linux/coredump-patch and rebuild
+the kernel.  This patch causes multithreaded programs to dump the correct
+thread.
+
+
+Q: How do I restrict people from looking up the server version?
+
+A: Put a "version" option containing something other than the real
+version in the "options" section of named.conf.  Note doing this will
+not prevent attacks and may impede people trying to diagnose problems
+with your server.  Also it is possible to "fingerprint" nameservers to
+determine their version.
+
+
+Q: How do I restrict only remote users from looking up the server
+version?
+
+A: The following view statement will intercept lookups as the internal
+view that holds the version information will be matched last.  The
+caveats of the previous answer still apply, of course.
+
+  view "chaos" chaos {
+	  match-clients { <those to be refused>; };
+	  allow-query { none; };
+	  zone "." {
+		  type hint;
+		  file "/dev/null";  // or any empty file
+	  };
+  };
+
+
+Q: What do "no source of entropy found" or "could not open entropy source foo"
+mean?
+
+A: The server requires a source of entropy to perform certain operations,
+mostly DNSSEC related.  These messages indicate that you have no source
+of entropy.  On systems with /dev/random or an equivalent, it is used by
+default.  A source of entropy can also be defined using the random-device
+option in named.conf.
+
+
+Q: I installed BIND 9 and restarted named, but it's still BIND 8.  Why?
+
+A: BIND 9 is installed under /usr/local by default.  BIND 8 is often
+installed under /usr.  Check that the correct named is running.
+
+
+Q: I'm trying to install on AIX and compilation is failing with
+errors like
+
+  "confparser.c", line 8244.1: 1506-343 (S) Redeclaration of
+  token_to_keyword differs from previous declaration on line 348 of
+  "confparser.c".
+
+A: You probably have a buggy version of GNU bison installed on your
+system.  Remove bison it from your path, remove the config.cache file,
+and rerun configure so that it picks up the AIX yacc instead.
+
+
+Q: I'm trying to use TSIG to authenticate dynamic updates or zone
+transfers.  I'm sure I have the keys set up correctly, but the server
+is rejecting the TSIG.  Why?
+
+A: This may be a clock skew problem.  Check that the the clocks on
+the client and server are properly synchronized (e.g., using ntp).
+
+
+Q: I'm trying to compile BIND 9, and "make" is failing due to files not
+being found.  Why?
+
+A: Using a parallel or distributed "make" to build BIND 9 is not
+supported, and doesn't work.  If you are using one of these, use
+normal make or gmake instead.
+
+
+Q: I have a BIND 9 master and a BIND 8.2.3 slave, and the master is
+logging error messages like "notify to 10.0.0.1#53 failed: unexpected
+end of input".  What's wrong?
+
+A: This error message is caused by a known bug in BIND 8.2.3 and will
+be fixed in 8.2.4.  It can be safely ignored - the notify has been
+acted on by the slave despite the error message.

LICENSE

@@ -1,362 +0,0 @@
-Mozilla Public License, version 2.0
-
-1. Definitions
-
-1.1. "Contributor"
-
-     means each individual or legal entity that creates, contributes to the
-     creation of, or owns Covered Software.
-
-1.2. "Contributor Version"
-
-     means the combination of the Contributions of others (if any) used by a
-     Contributor and that particular Contributor's Contribution.
-
-1.3. "Contribution"
-
-     means Covered Software of a particular Contributor.
-
-1.4. "Covered Software"
-
-     means Source Code Form to which the initial Contributor has attached the
-     notice in Exhibit A, the Executable Form of such Source Code Form, and
-     Modifications of such Source Code Form, in each case including portions
-     thereof.
-
-1.5. "Incompatible With Secondary Licenses"
-     means
-
-     a. that the initial Contributor has attached the notice described in
-        Exhibit B to the Covered Software; or
-
-     b. that the Covered Software was made available under the terms of
-        version 1.1 or earlier of the License, but not also under the terms of
-        a Secondary License.
-
-1.6. "Executable Form"
-
-     means any form of the work other than Source Code Form.
-
-1.7. "Larger Work"
-
-     means a work that combines Covered Software with other material, in a
-     separate file or files, that is not Covered Software.
-
-1.8. "License"
-
-     means this document.
-
-1.9. "Licensable"
-
-     means having the right to grant, to the maximum extent possible, whether
-     at the time of the initial grant or subsequently, any and all of the
-     rights conveyed by this License.
-
-1.10. "Modifications"
-
-     means any of the following:
-
-     a. any file in Source Code Form that results from an addition to,
-        deletion from, or modification of the contents of Covered Software; or
-
-     b. any new file in Source Code Form that contains any Covered Software.
-
-1.11. "Patent Claims" of a Contributor
-
-      means any patent claim(s), including without limitation, method,
-      process, and apparatus claims, in any patent Licensable by such
-      Contributor that would be infringed, but for the grant of the License,
-      by the making, using, selling, offering for sale, having made, import,
-      or transfer of either its Contributions or its Contributor Version.
-
-1.12. "Secondary License"
-
-      means either the GNU General Public License, Version 2.0, the GNU Lesser
-      General Public License, Version 2.1, the GNU Affero General Public
-      License, Version 3.0, or any later versions of those licenses.
-
-1.13. "Source Code Form"
-
-      means the form of the work preferred for making modifications.
-
-1.14. "You" (or "Your")
-
-      means an individual or a legal entity exercising rights under this
-      License. For legal entities, "You" includes any entity that controls, is
-      controlled by, or is under common control with You. For purposes of this
-      definition, "control" means (a) the power, direct or indirect, to cause
-      the direction or management of such entity, whether by contract or
-      otherwise, or (b) ownership of more than fifty percent (50%) of the
-      outstanding shares or beneficial ownership of such entity.
-
-
-2. License Grants and Conditions
-
-2.1. Grants
-
-     Each Contributor hereby grants You a world-wide, royalty-free,
-     non-exclusive license:
-
-     a. under intellectual property rights (other than patent or trademark)
-        Licensable by such Contributor to use, reproduce, make available,
-        modify, display, perform, distribute, and otherwise exploit its
-        Contributions, either on an unmodified basis, with Modifications, or
-        as part of a Larger Work; and
-
-     b. under Patent Claims of such Contributor to make, use, sell, offer for
-        sale, have made, import, and otherwise transfer either its
-        Contributions or its Contributor Version.
-
-2.2. Effective Date
-
-     The licenses granted in Section 2.1 with respect to any Contribution
-     become effective for each Contribution on the date the Contributor first
-     distributes such Contribution.
-
-2.3. Limitations on Grant Scope
-
-     The licenses granted in this Section 2 are the only rights granted under
-     this License. No additional rights or licenses will be implied from the
-     distribution or licensing of Covered Software under this License.
-     Notwithstanding Section 2.1(b) above, no patent license is granted by a
-     Contributor:
-
-     a. for any code that a Contributor has removed from Covered Software; or
-
-     b. for infringements caused by: (i) Your and any other third party's
-        modifications of Covered Software, or (ii) the combination of its
-        Contributions with other software (except as part of its Contributor
-        Version); or
-
-     c. under Patent Claims infringed by Covered Software in the absence of
-        its Contributions.
-
-     This License does not grant any rights in the trademarks, service marks,
-     or logos of any Contributor (except as may be necessary to comply with
-     the notice requirements in Section 3.4).
-
-2.4. Subsequent Licenses
-
-     No Contributor makes additional grants as a result of Your choice to
-     distribute the Covered Software under a subsequent version of this
-     License (see Section 10.2) or under the terms of a Secondary License (if
-     permitted under the terms of Section 3.3).
-
-2.5. Representation
-
-     Each Contributor represents that the Contributor believes its
-     Contributions are its original creation(s) or it has sufficient rights to
-     grant the rights to its Contributions conveyed by this License.
-
-2.6. Fair Use
-
-     This License is not intended to limit any rights You have under
-     applicable copyright doctrines of fair use, fair dealing, or other
-     equivalents.
-
-2.7. Conditions
-
-     Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in
-     Section 2.1.
-
-
-3. Responsibilities
-
-3.1. Distribution of Source Form
-
-     All distribution of Covered Software in Source Code Form, including any
-     Modifications that You create or to which You contribute, must be under
-     the terms of this License. You must inform recipients that the Source
-     Code Form of the Covered Software is governed by the terms of this
-     License, and how they can obtain a copy of this License. You may not
-     attempt to alter or restrict the recipients' rights in the Source Code
-     Form.
-
-3.2. Distribution of Executable Form
-
-     If You distribute Covered Software in Executable Form then:
-
-     a. such Covered Software must also be made available in Source Code Form,
-        as described in Section 3.1, and You must inform recipients of the
-        Executable Form how they can obtain a copy of such Source Code Form by
-        reasonable means in a timely manner, at a charge no more than the cost
-        of distribution to the recipient; and
-
-     b. You may distribute such Executable Form under the terms of this
-        License, or sublicense it under different terms, provided that the
-        license for the Executable Form does not attempt to limit or alter the
-        recipients' rights in the Source Code Form under this License.
-
-3.3. Distribution of a Larger Work
-
-     You may create and distribute a Larger Work under terms of Your choice,
-     provided that You also comply with the requirements of this License for
-     the Covered Software. If the Larger Work is a combination of Covered
-     Software with a work governed by one or more Secondary Licenses, and the
-     Covered Software is not Incompatible With Secondary Licenses, this
-     License permits You to additionally distribute such Covered Software
-     under the terms of such Secondary License(s), so that the recipient of
-     the Larger Work may, at their option, further distribute the Covered
-     Software under the terms of either this License or such Secondary
-     License(s).
-
-3.4. Notices
-
-     You may not remove or alter the substance of any license notices
-     (including copyright notices, patent notices, disclaimers of warranty, or
-     limitations of liability) contained within the Source Code Form of the
-     Covered Software, except that You may alter any license notices to the
-     extent required to remedy known factual inaccuracies.
-
-3.5. Application of Additional Terms
-
-     You may choose to offer, and to charge a fee for, warranty, support,
-     indemnity or liability obligations to one or more recipients of Covered
-     Software. However, You may do so only on Your own behalf, and not on
-     behalf of any Contributor. You must make it absolutely clear that any
-     such warranty, support, indemnity, or liability obligation is offered by
-     You alone, and You hereby agree to indemnify every Contributor for any
-     liability incurred by such Contributor as a result of warranty, support,
-     indemnity or liability terms You offer. You may include additional
-     disclaimers of warranty and limitations of liability specific to any
-     jurisdiction.
-
-4. Inability to Comply Due to Statute or Regulation
-
-   If it is impossible for You to comply with any of the terms of this License
-   with respect to some or all of the Covered Software due to statute,
-   judicial order, or regulation then You must: (a) comply with the terms of
-   this License to the maximum extent possible; and (b) describe the
-   limitations and the code they affect. Such description must be placed in a
-   text file included with all distributions of the Covered Software under
-   this License. Except to the extent prohibited by statute or regulation,
-   such description must be sufficiently detailed for a recipient of ordinary
-   skill to be able to understand it.
-
-5. Termination
-
-5.1. The rights granted under this License will terminate automatically if You
-     fail to comply with any of its terms. However, if You become compliant,
-     then the rights granted under this License from a particular Contributor
-     are reinstated (a) provisionally, unless and until such Contributor
-     explicitly and finally terminates Your grants, and (b) on an ongoing
-     basis, if such Contributor fails to notify You of the non-compliance by
-     some reasonable means prior to 60 days after You have come back into
-     compliance. Moreover, Your grants from a particular Contributor are
-     reinstated on an ongoing basis if such Contributor notifies You of the
-     non-compliance by some reasonable means, this is the first time You have
-     received notice of non-compliance with this License from such
-     Contributor, and You become compliant prior to 30 days after Your receipt
-     of the notice.
-
-5.2. If You initiate litigation against any entity by asserting a patent
-     infringement claim (excluding declaratory judgment actions,
-     counter-claims, and cross-claims) alleging that a Contributor Version
-     directly or indirectly infringes any patent, then the rights granted to
-     You by any and all Contributors for the Covered Software under Section
-     2.1 of this License shall terminate.
-
-5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user
-     license agreements (excluding distributors and resellers) which have been
-     validly granted by You or Your distributors under this License prior to
-     termination shall survive termination.
-
-6. Disclaimer of Warranty
-
-   Covered Software is provided under this License on an "as is" basis,
-   without warranty of any kind, either expressed, implied, or statutory,
-   including, without limitation, warranties that the Covered Software is free
-   of defects, merchantable, fit for a particular purpose or non-infringing.
-   The entire risk as to the quality and performance of the Covered Software
-   is with You. Should any Covered Software prove defective in any respect,
-   You (not any Contributor) assume the cost of any necessary servicing,
-   repair, or correction. This disclaimer of warranty constitutes an essential
-   part of this License. No use of  any Covered Software is authorized under
-   this License except under this disclaimer.
-
-7. Limitation of Liability
-
-   Under no circumstances and under no legal theory, whether tort (including
-   negligence), contract, or otherwise, shall any Contributor, or anyone who
-   distributes Covered Software as permitted above, be liable to You for any
-   direct, indirect, special, incidental, or consequential damages of any
-   character including, without limitation, damages for lost profits, loss of
-   goodwill, work stoppage, computer failure or malfunction, or any and all
-   other commercial damages or losses, even if such party shall have been
-   informed of the possibility of such damages. This limitation of liability
-   shall not apply to liability for death or personal injury resulting from
-   such party's negligence to the extent applicable law prohibits such
-   limitation. Some jurisdictions do not allow the exclusion or limitation of
-   incidental or consequential damages, so this exclusion and limitation may
-   not apply to You.
-
-8. Litigation
-
-   Any litigation relating to this License may be brought only in the courts
-   of a jurisdiction where the defendant maintains its principal place of
-   business and such litigation shall be governed by laws of that
-   jurisdiction, without reference to its conflict-of-law provisions. Nothing
-   in this Section shall prevent a party's ability to bring cross-claims or
-   counter-claims.
-
-9. Miscellaneous
-
-   This License represents the complete agreement concerning the subject
-   matter hereof. If any provision of this License is held to be
-   unenforceable, such provision shall be reformed only to the extent
-   necessary to make it enforceable. Any law or regulation which provides that
-   the language of a contract shall be construed against the drafter shall not
-   be used to construe this License against a Contributor.
-
-
-10. Versions of the License
-
-10.1. New Versions
-
-      Mozilla Foundation is the license steward. Except as provided in Section
-      10.3, no one other than the license steward has the right to modify or
-      publish new versions of this License. Each version will be given a
-      distinguishing version number.
-
-10.2. Effect of New Versions
-
-      You may distribute the Covered Software under the terms of the version
-      of the License under which You originally received the Covered Software,
-      or under the terms of any subsequent version published by the license
-      steward.
-
-10.3. Modified Versions
-
-      If you create software not governed by this License, and you want to
-      create a new license for such software, you may create and use a
-      modified version of this License if you rename the license and remove
-      any references to the name of the license steward (except to note that
-      such modified license differs from this License).
-
-10.4. Distributing Source Code Form that is Incompatible With Secondary
-      Licenses If You choose to distribute Source Code Form that is
-      Incompatible With Secondary Licenses under the terms of this version of
-      the License, the notice described in Exhibit B of this License must be
-      attached.
-
-Exhibit A - Source Code Form License Notice
-
-      This Source Code Form is subject to the
-      terms of the Mozilla Public License, v.
-      2.0. If a copy of the MPL was not
-      distributed with this file, You can
-      obtain one at
-      http://mozilla.org/MPL/2.0/.
-
-If it is not possible or desirable to put the notice in a particular file,
-then You may include the notice in a location (such as a LICENSE file in a
-relevant directory) where a recipient would be likely to look for such a
-notice.
-
-You may add additional accurate notices of copyright ownership.
-
-Exhibit B - "Incompatible With Secondary Licenses" Notice
-
-      This Source Code Form is "Incompatible
-      With Secondary Licenses", as defined by
-      the Mozilla Public License, v. 2.0.

Makefile.am

@@ -1,25 +0,0 @@
-include $(top_srcdir)/Makefile.top
-
-SUBDIRS = . lib doc bin fuzz
-
-BUILT_SOURCES = bind.keys.h
-CLEANFILES = bind.keys.h
-
-bind.keys.h: bind.keys Makefile
-	${PERL} ${top_srcdir}/util/bindkeys.pl ${top_srcdir}/bind.keys > $@
-
-dist_sysconf_DATA = bind.keys
-
-.PHONY: doc
-
-EXTRA_DIST = 			\
-	util/bindkeys.pl	\
-	contrib			\
-	CHANGES			\
-	COPYRIGHT		\
-	LICENSE			\
-	*.md
-
-dist-hook:
-	find $(distdir) -type f -name .gitignore -delete
-	git rev-parse --short HEAD | cut -b1-7 > $(distdir)/srcid

Makefile.docs

@@ -1,52 +0,0 @@
-SPHINX_V = $(SPHINX_V_@AM_V@)
-SPHINX_V_ = $(SPHINX_V_@AM_DEFAULT_V@)
-SPHINX_V_0 = -q
-SPHINX_V_1 = -n
-
-AM_V_SPHINX = $(AM_V_SPHINX_@AM_V@)
-AM_V_SPHINX_ = $(AM_V_SPHINX_@AM_DEFAULT_V@)
-AM_V_SPHINX_0 = @echo "  SPHINX   $@";
-
-SPHINXBUILDDIR = $(builddir)/_build
-
-common_SPHINXOPTS =			\
-	-W				\
-	-c $(srcdir)			\
-	-a				\
-	$(SPHINX_V)
-
-ALLSPHINXOPTS =				\
-	$(common_SPHINXOPTS)		\
-	-D version="$(PACKAGE_VERSION)"	\
-	-D today="$(RELEASE_DATE)"	\
-	-D release="$(PACKAGE_VERSION)"	\
-	$(SPHINXOPTS)			\
-	$(srcdir)
-
-man_SPHINXOPTS =			\
-	$(common_SPHINXOPTS)		\
-	-D version="@""PACKAGE_VERSION@"\
-	-D today="@""RELEASE_DATE@"	\
-	-D release="@""PACKAGE_VERSION@"\
-	$(SPHINXOPTS)			\
-	$(srcdir)
-
-AM_V_SED = $(AM_V_SED_@AM_V@)
-AM_V_SED_ = $(AM_V_SED_@AM_DEFAULT_V@)
-AM_V_SED_0 = @echo "  SED $@";
-
-AM_V_CFG_TEST = $(AM_V_CFG_TEST_@AM_V@)
-AM_V_CFG_TEST_ = $(AM_V_CFG_TEST_@AM_DEFAULT_V@)
-AM_V_CFG_TEST_0 = @echo "  CFG_GEN $@";
-
-AM_V_RST_OPTIONS = $(AM_V_CFG_TEST_@AM_V@)
-AM_V_RST_OPTIONS_ = $(AM_V_RST_OPTIONS_@AM_DEFAULT_V@)
-AM_V_RST_OPTIONS_0 = @echo "  RST_OPTIONS $@";
-
-AM_V_RST_ZONEOPT = $(AM_V_CFG_TEST_@AM_V@)
-AM_V_RST_ZONEOPT_ = $(AM_V_RST_ZONEOPT_@AM_DEFAULT_V@)
-AM_V_RST_ZONEOPT_0 = @echo "  RST_ZONEOPT $@";
-
-AM_V_RST_GRAMMARS = $(AM_V_CFG_TEST_@AM_V@)
-AM_V_RST_GRAMMARS_ = $(AM_V_RST_GRAMMARS_@AM_DEFAULT_V@)
-AM_V_RST_GRAMMARS_0 = @echo "  RST_GRAMMARS $@";

Makefile.in

@@ -0,0 +1,47 @@
+# Copyright (C) 1998-2001  Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
+# DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+# INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
+# FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.36.2.1 2001/01/09 22:31:05 bwelling Exp $
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+@BIND9_VERSION@
+
+SUBDIRS =	make lib bin doc
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+distclean::
+	rm -f config.cache config.h config.log config.status TAGS
+	rm -f libtool isc-config.sh
+	rm -f util/conf.sh
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir}
+
+install:: isc-config.sh installdirs
+	${INSTALL_PROGRAM} isc-config.sh ${DESTDIR}${bindir}
+
+tags:
+	rm -f TAGS
+	find lib bin -name "*.[ch]" -print | @ETAGS@ -
+
+check: test
+
+test:
+	(cd bin/tests && ${MAKE} ${MAKEDEFS} test)

Makefile.tests

@@ -1,17 +0,0 @@
-# Hey Emacs, this is -*- makefile-automake -*- file!
-# vim: filetype=automake
-
-unit-local: check
-
-TESTS = $(check_PROGRAMS)
-
-LOG_COMPILER = $(builddir)/../../unit-test-driver.sh
-
-AM_CPPFLAGS +=					\
-	$(CMOCKA_CFLAGS)			\
-	-DNAMED_PLUGINDIR=\"$(libdir)/named\"	\
-	-DSKIPPED_TEST_EXIT_CODE=77		\
-	-DTESTS_DIR=\"$(abs_srcdir)\"
-
-LDADD +=					\
-	$(CMOCKA_LIBS)

Makefile.top

@@ -1,64 +0,0 @@
-# Hey Emacs, this is -*- makefile-automake -*- file!
-# vim: filetype=automake
-
-ACLOCAL_AMFLAGS = -I $(top_srcdir)/m4
-
-AM_CFLAGS =					\
-	$(STD_CFLAGS)
-
-AM_CPPFLAGS =					\
-	$(STD_CPPFLAGS)				\
-	-include $(top_builddir)/config.h	\
-	-I$(srcdir)/include
-
-AM_LDFLAGS =
-LDADD =
-
-if HOST_MACOS
-AM_LDFLAGS +=					\
-	-Wl,-flat_namespace
-endif HOST_MACOS
-
-LIBISC_CFLAGS =						\
-	-I$(top_srcdir)/include				\
-	-I$(top_srcdir)/lib/isc/include			\
-	-I$(top_builddir)/lib/isc/include
-
-LIBISC_LIBS = $(top_builddir)/lib/isc/libisc.la
-
-LIBDNS_CFLAGS = \
-	-I$(top_srcdir)/lib/dns/include			\
-	-I$(top_builddir)/lib/dns/include
-
-LIBDNS_LIBS = \
-	$(top_builddir)/lib/dns/libdns.la
-
-LIBNS_CFLAGS = \
-	-I$(top_srcdir)/lib/ns/include
-
-LIBNS_LIBS = \
-	$(top_builddir)/lib/ns/libns.la
-
-LIBIRS_CFLAGS = \
-	-I$(top_srcdir)/lib/irs/include
-
-LIBIRS_LIBS = \
-	$(top_builddir)/lib/irs/libirs.la
-
-LIBISCCFG_CFLAGS = \
-	-I$(top_srcdir)/lib/isccfg/include
-
-LIBISCCFG_LIBS = \
-	$(top_builddir)/lib/isccfg/libisccfg.la
-
-LIBISCCC_CFLAGS = \
-	-I$(top_srcdir)/lib/isccc/include/
-
-LIBISCCC_LIBS = \
-	$(top_builddir)/lib/isccc/libisccc.la
-
-LIBBIND9_CFLAGS = \
-	-I$(top_srcdir)/lib/bind9/include
-
-LIBBIND9_LIBS = \
-	$(top_builddir)/lib/bind9/libbind9.la

NEWS

@@ -1 +0,0 @@
-CHANGES

OPTIONS.md

@@ -1,26 +0,0 @@
-<!--
- - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
- -
- - See the COPYRIGHT file distributed with this work for additional
- - information regarding copyright ownership.
--->
-Setting the `CPPFLAGS` environment variable before running `configure`
-can be used to enable certain compile-time options that are not
-explicitly defined in `configure`.
-
-Some of these settings are:
-
-| Setting                      | Description                                                                                                                            |
-| ---------------------------- | -------------------------------------------------------------------------------------------------------------------------------------- |
-| `-DCHECK_LOCAL=0`            | Don't check out-of-zone addresses in `named-checkzone`                                                                                 |
-| `-DCHECK_SIBLING=0`          | Don't check sibling glue in `named-checkzone`                                                                                          |
-| `-DISC_FACILITY=LOG_LOCAL0`  | Change the default syslog facility for `named`                                                                                         |
-| `-DISC_HEAP_CHECK`           | Test heap consistency after every heap operation; used when debugging                                                                  |
-| `-DISC_MEM_DEFAULTFILL=1`    | Overwrite memory with tag values when allocating or freeing it; this impairs performance but makes debugging of memory problems easier |
-| `-DISC_MEM_TRACKLINES=0`     | Don't track memory allocations by file and line number; this improves performance but makes debugging more difficult                   |
-| `-DNAMED_RUN_PID_DIR=0`      | Create default PID files in `${localstatedir}/run` rather than `${localstatedir}/run/named/`                                           |
-| `-DNS_CLIENT_DROPPORT=0`     | Disable dropping queries from particular well-known ports                                                                              |

PLATFORMS.md

@@ -1,117 +0,0 @@
-<!--
- - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
- -
- - See the COPYRIGHT file distributed with this work for additional
- - information regarding copyright ownership.
--->
-## Supported platforms
-
-In general, this version of BIND will build and run on any POSIX-compliant
-system with a C11-compliant C compiler, BSD-style sockets with RFC-compliant
-IPv6 support, and POSIX-compliant threads, plus the following mandatory
-libraries:
-
-- `libuv` for asynchronous I/O operations and event loops
-- `libssl` and `libcrypto` from OpenSSL for cryptography
-
-Use of the following libraries is optional:
-
-- `libjemalloc` for improved memory allocation performance
-- `libnghttp2` for DNS-over-HTTPS (DoH) support
-
-The following C11 features are used in BIND 9:
-
-* Atomic operations support, either in the form of C11 atomics or
-  `__atomic` builtin operations.
-
-* Thread Local Storage support, either in the form of C11
-  `_Thread_local`/`thread_local`, or the `__thread` GCC extension.
-
-The C11 variants are preferred.
-
-BIND 9.17 requires a fairly recent version of `libuv` (at least 1.x).  For
-some of the older systems listed below, you will have to install an updated
-`libuv` package from sources such as EPEL, PPA, or other native sources for
-updated packages. The other option is to build and install `libuv` from
-source.
-
-Certain optional BIND features have additional library dependencies.
-These include:
-
-* `libfstrm` and `libprotobuf-c` for DNSTAP
-* `libidn2` for display of internationalized domain names in `dig`
-* `libjson-c` for JSON statistics
-* `libmaxminddb` for geolocation
-* `libnghttp2` for DNS over HTTPS
-* `libxml2` for XML statistics
-* `libz` for compression of the HTTP statistics channel
-* `readline` for line editing in `nsupdate` and `nslookup`
-
-ISC regularly tests BIND on many operating systems and architectures, but
-lacks the resources to test all of them. Consequently, ISC is only able to
-offer support on a "best effort" basis for some.
-
-### Regularly tested platforms
-
-As of Oct 2021, BIND 9.17 is fully supported and regularly tested on the
-following systems:
-
-* Debian 9, 10, 11
-* Ubuntu LTS 18.04, 20.04
-* Fedora 34
-* Red Hat Enterprise Linux / CentOS / Oracle Linux 7, 8
-* FreeBSD 11.4, 12.2, 13.0
-* OpenBSD 7.0
-* Alpine Linux 3.14
-
-The amd64, i386, armhf and arm64 CPU architectures are all fully supported.
-
-### Best effort
-
-The following are platforms on which BIND is known to build and run.
-ISC makes every effort to fix bugs on these platforms, but may be unable
-to do so quickly due to lack of hardware, less familiarity on the part
-of engineering staff, and other constraints. None of these are tested
-regularly by ISC.
-
-* macOS 10.12+
-* Solaris 11
-* NetBSD
-* Other Linux distributions still supported by their vendors, such as:
-    * Ubuntu 20.10+
-    * Gentoo
-    * Arch Linux
-* OpenWRT/LEDE 17.01+
-* Other CPU architectures (mips, mipsel, sparc, ...)
-
-### Community maintained
-
-These systems may not all have the required dependencies for building BIND
-easily available, although it will be possible in many cases to compile
-those directly from source. The community and interested parties may wish
-to help with maintenance, and we welcome patch contributions, although we
-cannot guarantee that we will accept them.  All contributions will be
-assessed against the risk of adverse effect on officially supported
-platforms.
-
-* Platforms past or close to their respective EOL dates, such as:
-    * Ubuntu 14.04, 16.04 (Ubuntu ESM releases are not supported)
-    * CentOS 6
-    * Debian Jessie
-    * FreeBSD 10.x
-
-## Unsupported platforms
-
-These are platforms on which BIND 9.17 is known *not* to build or run:
-
-* Platforms without at least OpenSSL 1.0.2
-* Windows
-* Solaris 10 and older
-* Platforms that don't support IPv6 Advanced Socket API (RFC 3542)
-* Platforms that don't support atomic operations (via compiler or library)
-* Linux without NPTL (Native POSIX Thread Library)
-* Platforms on which `libuv` cannot be compiled

README

@@ -0,0 +1,271 @@
+
+BIND 9
+
+	BIND version 9 is a major rewrite of nearly all aspects of the
+	underlying BIND architecture.  Some of the important features of
+	BIND 9 are:
+
+		- DNS Security
+			DNSSEC (signed zones)
+			TSIG (signed DNS requests)
+
+		- IP version 6
+			Answers DNS queries on IPv6 sockets
+			IPv6 resource records (A6, DNAME, etc.)
+			Bitstring Labels
+			Experimental IPv6 Resolver Library
+
+		- DNS Protocol Enhancements
+			IXFR, DDNS, Notify, EDNS0
+			Improved standards conformance
+
+		- Views
+			One server process can provide multiple "views" of
+			the DNS namespace, e.g. an "inside" view to certain
+			clients, and an "outside" view to others.
+
+		- Multiprocessor Support
+
+		- Improved Portability Architecture
+
+
+	BIND version 9 development has been underwritten by the following
+	organizations:
+
+		Sun Microsystems, Inc.
+		Hewlett Packard
+		Compaq Computer Corporation
+		IBM
+		Process Software Corporation
+		Silicon Graphics, Inc.
+		Network Associates, Inc.
+		U.S. Defense Information Systems Agency
+		USENIX Association
+		Stichting NLnet - NLnet Foundation
+
+
+
+BIND 9.1.3
+
+	BIND 9.1.3 is a maintenance release, containing fixes for
+	a number of bugs in 9.1.2 but no new features.
+
+	Features introduced in 9.1.0 included:
+
+	  - Many BIND 8 features previously unimplemented in BIND 9,
+	    including domain-specific forwarding, the $GENERATE
+	    master file directive, and the "blackhole", "dialup", 
+	    and "sortlist" options
+
+	  - Forwarding of dynamic update requests; this is enabled 
+	    by the "allow-update-forwarding" option
+
+	  - A new, simplified database interface and a number of
+	    sample drivers based on it; see doc/misc/sdb for details
+
+	  - Support for building single-threaded servers for 
+	    environments that do not supply POSIX threads
+
+	  - New configuration options: "min-refresh-time",
+	    "max-refresh-time", "min-retry-time", "max-retry-time",
+	    "additional-from-auth", "additional-from-cache",
+	    "notify explicit"
+
+	  - Faster lookups, particularly in large zones.
+
+	BIND 9.1 also includes experimental implementations of a
+	number of DNS protocols extensions still under development
+	in the IETF.  These include transparent processing of
+	unknown RR types and use of the EDNS "DNSSEC OK" bit to
+	explicitly enable DNSSEC processing in responses.
+
+	Cryptographic operations are now based on the OpenSSL
+	library instead of DNSsafe.
+
+	BIND 9.1 is primarily a name server software distribution.
+	In addition to the name server, it also includes a new
+	lightweight stub resolver library and associated resolver
+	daemon that fully support forward and reverse lookups of both
+	IPv4 and IPv6 addresses.  This library is still considered
+	experimental and is not a complete replacement for the BIND 8
+	resolver library.  Applications that use the BIND 8 res_*
+	functions to perform DNS lookups or dynamic updates still need
+	to be linked against the BIND 8 libraries.  For DNS lookups,
+	they can also use the new "getrrsetbyname()" API.
+
+	BIND 9.1 is capable of acting as an authoritative server
+	for DNSSEC secured zones.  This functionality is believed to
+	be stable and complete except for lacking support for wildcard
+	records in secure zones.
+
+	When acting as a caching server, BIND 9.1 can be configured
+	to perform DNSSEC secure resolution on behalf of its clients.
+	This part of the DNSSEC implementation is still considered
+	experimental.  For detailed information about the state of the
+	DNSSEC implementation, see the file doc/misc/dnssec.
+
+	There are a few known bugs:
+
+		On some systems, IPv6 and IPv4 sockets interact in
+		unexpected ways.  For details, see doc/misc/ipv6.
+		To reduce the impact of these problems, the server
+		no longer listens for requests on IPv6 addresses
+		by default.  If you need to accept DNS queries over
+		IPv6, you must specify "listen-on-v6 { any; };"
+		in the named.conf options statement.
+
+		There are known problems with thread signal handling 
+		under Solaris 2.6 and BSD/OS.  We recommend disabling
+		threads with "configure --disable-threads" on these
+		platforms.
+
+		FreeBSD prior to 4.2 (and 4.2 if running as non-root)
+		and OpenBSD prior to 2.8 log messages like
+		"fcntl(8, F_SETFL, 4): Inappropriate ioctl for device".
+		This is due to a bug in "/dev/random" and impacts the
+		server's DNSSEC support.
+
+		--with-libtool does not work on AIX.
+
+	A bug in the Windows 2000 DNS server can cause zone transfers
+	from a BIND 9 server to a W2K server to fail.  For details,
+	see the "Zone Transfers" section in doc/misc/migration.
+ 
+	For a detailed list of user-visible changes from
+	previous releases, see the CHANGES file.
+
+
+Building
+
+	BIND 9 currently requires a UNIX system with an ANSI C compiler,
+	basic POSIX support, and a 64 bit integer type.
+
+	We've had successful builds and tests on the following systems:
+
+		AIX 4.3
+		COMPAQ Tru64 UNIX 4.0D
+		COMPAQ Tru64 UNIX 5 (with IPv6 EAK)
+		FreeBSD 3.4-STABLE, 3.5, 4.0, 4.1
+		HP-UX 11
+		IRIX64 6.5
+		NetBSD 1.5 (with unproven-pthreads-0.17)
+		Red Hat Linux 6.0, 6.1, 6.2, 7.0
+		Solaris 2.6, 7, 8
+
+	Additionally, we have unverified reports of success building
+	previous versions of BIND 9 from users of the following systems:
+
+		AIX 5L
+		Slackware Linux 7.0 with 2.4.0-test6 kernel and glibc 2.1.3
+		Slackware Linux 7.0.1 with glibc 2.1.3
+		Red Hat Linux 7.1
+		OpenBSD 2.6, 2.8, -current
+		UnixWare 7.1.1
+		HP-UX 10.20
+
+	To build, just
+
+		./configure
+		make
+
+	Do not use a parallel "make".
+
+	Several environment variables that can be set before running
+	configure will affect compilation:
+
+	    CC
+		The C compiler to use.	configure tries to figure
+		out the right one for supported systems.
+
+	    CFLAGS
+		C compiler flags.  Defaults to include -g and/or -O2
+		as supported by the compiler.
+
+	    STD_CINCLUDES
+		System header file directories.	 Can be used to specify
+		where add-on thread or IPv6 support is, for example.
+		Defaults to empty string.
+
+	    STD_CDEFINES
+		Any additional preprocessor symbols you want defined.
+		Defaults to empty string.
+
+	To build shared libraries, specify "--with-libtool" on the
+	configure command line.
+
+	To build without multithreading, specify "--disable-threads"
+	on the configure command line.
+
+	If your operating system has integrated support for IPv6, it
+	will be used automatically.  If you have installed KAME IPv6
+	separately, use "--with-kame[=PATH]" to specify its location.
+
+	"make install" will install "named" and the various BIND 9 libraries.
+	By default, installation is into /usr/local, but this can be changed
+	with the "--prefix" option when running "configure".
+
+	You may specify the option "--sysconfdir" to set the directory 
+	where configuration files like "named.conf" go by default,
+	and "--localstatedir" to set the default parent directory
+	of "run/named.pid".   For backwards compatibility with BIND 8,
+	--sysconfdir defaults to "/etc" and --localstatedir defaults to
+	"/var" if no --prefix option is given.  If there is a --prefix
+	option, sysconfdir defaults to "$prefix/etc" and localstatedir
+	defaults to "$prefix/var".
+
+	To see additional configure options, run "configure --help".
+	Note that the help message does not reflect the BIND 8 
+	compatibility defaults for sysconfdir and localstatedir.
+
+	If you're planning on making changes to the BIND 9 source, you
+	should also "make depend".  If you're using Emacs, you might find
+	"make tags" helpful.
+
+	Building with gcc is not supported, unless gcc is the vendor's usual
+	compiler (e.g. the various BSD systems, Linux).
+
+	A limited test suite can be run with "make test".  Many of
+	the tests require you to configure a set of virtual IP addresses
+	on your system, and some require Perl; see bin/tests/system/README
+	for details.
+
+	Linux systems do not provide useful core dumps for multithreaded 
+	programs unless the kernel patch in contrib/linux/coredump-patch
+	has been applied.  We recommend all Linux users to install this
+	patch so that any server crashes can be properly diagnosed.
+
+Documentation
+
+	The BIND 9 Administrator Reference Manual is included with the
+	source distribution in DocBook XML and HTML format, in the
+	doc/arm directory.
+
+	Some of the programs in the BIND 9 distribution have man pages
+	under the doc/man directory.  In particular, the command line
+	options of "named" are documented in doc/man/bind/named.8.
+	There is now also a set of man pages for the lwres library.
+
+	The man pages are currently not installed automatically by
+	"make install".
+
+	If you are upgrading from BIND 8, please read the migration
+	notes in doc/misc/migration.  If you are upgrading from
+	BIND 4, read doc/misc/migration-4to9.
+
+
+Bug Reports and Mailing Lists
+	Bugs reports should be sent to
+
+		bind9-bugs@isc.org
+
+	To join the BIND 9 Users mailing list, send mail to
+
+		bind9-users-request@isc.org
+
+	If you're planning on making changes to the BIND 9 source
+	code, you might want to join the BIND 9 Workers mailing list.
+	Send mail to
+
+		bind9-workers-request@isc.org
+
+

README.md

@@ -1,367 +0,0 @@
-<!--
- - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
- -
- - See the COPYRIGHT file distributed with this work for additional
- - information regarding copyright ownership.
--->
-# BIND 9
-
-### Contents
-
-1. [Introduction](#intro)
-1. [Reporting bugs and getting help](#help)
-1. [Contributing to BIND](#contrib)
-1. [Building BIND](#build)
-1. [macOS](#macos)
-1. [Dependencies](#dependencies)
-1. [Compile-time options](#opts)
-1. [Automated testing](#testing)
-1. [Documentation](#doc)
-1. [Change log](#changes)
-1. [Acknowledgments](#ack)
-
-### <a name="intro"/> Introduction
-
-BIND (Berkeley Internet Name Domain) is a complete, highly portable
-implementation of the Domain Name System (DNS) protocol.
-
-The BIND name server, `named`, can act as an authoritative name
-server, recursive resolver, DNS forwarder, or all three simultaneously. It
-implements views for split-horizon DNS, automatic DNSSEC zone signing and
-key management, catalog zones to facilitate provisioning of zone data
-throughout a name server constellation, response policy zones (RPZ) to
-protect clients from malicious data, response rate limiting (RRL) and
-recursive query limits to reduce distributed denial of service attacks,
-and many other advanced DNS features. BIND also includes a suite of
-administrative tools, including the `dig` and `delv` DNS lookup tools,
-`nsupdate` for dynamic DNS zone updates, `rndc` for remote name server
-administration, and more.
-
-BIND 9 began as a complete rewrite of the BIND architecture that was
-used in versions 4 and 8.  Internet Systems Consortium
-([https://www.isc.org](https://www.isc.org)), a 501(c)(3) US public benefit
-corporation dedicated to providing software and services in support of the
-Internet infrastructure, developed BIND 9 and is responsible for its
-ongoing maintenance and improvement. BIND is open source software
-licensed under the terms of the Mozilla Public License, version 2.0.
-
-For a detailed list of changes made throughout the history of BIND 9, see
-the file [CHANGES](CHANGES). See [below](#changes) for details on the
-CHANGES file format.
-
-For up-to-date versions and release notes, see
-[https://www.isc.org/download/](https://www.isc.org/download/).
-
-For information about supported platforms, see [PLATFORMS](PLATFORMS.md).
-
-### <a name="help"/> Reporting bugs and getting help
-
-To report non-security-sensitive bugs or request new features, you may
-open an issue in the BIND 9 project on the
-[ISC GitLab server](https://gitlab.isc.org) at
-[https://gitlab.isc.org/isc-projects/bind9](https://gitlab.isc.org/isc-projects/bind9).
-
-Please note that, unless you explicitly mark the newly created issue as
-"confidential," it will be publicly readable. Please do not include any
-information in bug reports that you consider to be confidential unless
-the issue has been marked as such. In particular, if submitting the
-contents of your configuration file in a non-confidential issue, it is
-advisable to obscure key secrets; this can be done automatically by
-using `named-checkconf -px`.
-
-If you are reporting a bug that is a potential security issue, such as an
-assertion failure or other crash in `named`, please do *NOT* use GitLab to
-report it. Instead, send mail to
-[security-officer@isc.org](mailto:security-officer@isc.org) using our
-OpenPGP key to secure your message. (Information about OpenPGP and links
-to our key can be found at
-[https://www.isc.org/pgpkey](https://www.isc.org/pgpkey).) Please do not
-discuss the bug on any public mailing list.
-
-For a general overview of ISC security policies, read the Knowledgebase
-article at [https://kb.isc.org/docs/aa-00861](https://kb.isc.org/docs/aa-00861).
-
-Professional support and training for BIND are available from
-ISC. Contact us at [https://www.isc.org/contact](https://www.isc.org/contact)
-for more information.
-
-To join the __BIND Users__ mailing list, or view the archives, visit
-[https://lists.isc.org/mailman/listinfo/bind-users](https://lists.isc.org/mailman/listinfo/bind-users).
-
-If you're planning on making changes to the BIND 9 source code, you
-may also want to join the __BIND Workers__ mailing list, at
-[https://lists.isc.org/mailman/listinfo/bind-workers](https://lists.isc.org/mailman/listinfo/bind-workers).
-
-### <a name="contrib"/> Contributing to BIND
-
-ISC maintains a public git repository for BIND; details can be found
-at [https://www.isc.org/sourceaccess/](https://www.isc.org/sourceaccess/).
-
-Information for BIND contributors can be found in the following files:
-- General information: [CONTRIBUTING.md](CONTRIBUTING.md)
-- Code of Conduct: [CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md)
-- BIND 9 code style: [doc/dev/style.md](doc/dev/style.md)
-- BIND architecture and developer guide: [doc/dev/dev.md](doc/dev/dev.md)
-
-Patches for BIND may be submitted as
-[merge requests](https://gitlab.isc.org/isc-projects/bind9/merge_requests)
-on the [ISC GitLab server](https://gitlab.isc.org).
-
-By default, external contributors do not have the ability to fork BIND on the
-GitLab server; if you wish to contribute code to BIND, you may request
-permission to do so. Thereafter, you can create git branches and directly
-submit requests that they be reviewed and merged.
-
-If you prefer, you may also submit code by opening a
-[GitLab issue](https://gitlab.isc.org/isc-projects/bind9/issues) and
-including your patch as an attachment, preferably generated by
-`git format-patch`.
-
-### <a name="build"/> Building BIND 9
-
-At a minimum, BIND requires a Unix or Linux system with an ANSI C compiler,
-basic POSIX support, and a 64-bit integer type. BIND also requires the
-`libuv` asynchronous I/O library, the `nghttp2` HTTP/2 library, the
-`jemalloc` memory allocation library, and the OpenSSL cryptography
-library.  On Linux, BIND requires the `libcap` library to set process
-privileges, though this requirement can be overridden by disabling
-capability support at compile time. See [Compile-time options](#opts)
-below for details on other libraries that may be required to support
-optional features.
-
-Successful builds have been observed on many versions of Linux and Unix,
-including RHEL/CentOS/Oracle Linux, Fedora, Debian, Ubuntu, SLES, openSUSE,
-Slackware, Alpine, FreeBSD, NetBSD, OpenBSD, macOS, Solaris, OpenIndiana,
-OmniOS CE, HP-UX, and OpenWRT.
-
-To build on a Unix or Linux system, use:
-
-		$ autoreconf -fi (if you are building in the git repository)
-		$ ./configure
-		$ make
-
-If you're using Emacs, you might find `make tags` helpful.
-
-Several environment variables, which can be set before running `configure`,
-affect compilation.  Significant ones are:
-
-|Variable|Description |
-|--------------------|-----------------------------------------------|
-|`CC`|The C compiler to use.  `configure` tries to figure out the right one for supported systems.|
-|`CFLAGS`|C compiler flags.  Defaults to include -g and/or -O2 as supported by the compiler.  Please include '-g' if you need to set `CFLAGS`. |
-|`LDFLAGS`|Linker flags. Defaults to empty string.|
-
-Additional environment variables affecting the build are listed at the
-end of the `configure` help text, which can be obtained by running the
-command:
-
-    $ ./configure --help
-
-#### <a name="macos"> macOS
-
-Building on macOS assumes that the "Command Tools for Xcode" are installed.
-These can be downloaded from
-[https://developer.apple.com/download/more/](https://developer.apple.com/download/more/)
-or, if you have Xcode already installed, you can run `xcode-select --install`.
-(Note that an Apple ID may be required to access the download page.)
-
-#### <a name="dependencies"> Dependencies
-
-To build BIND you need to have the following packages installed:
-
-    libuv
-    pkg-config / pkgconfig / pkgconf
-
-To build BIND from the git repository, you need the following tools
-installed:
-
-    autoconf (includes autoreconf)
-    automake
-    libtool
-
-#### <a name="opts"/> Compile-time options
-
-To see a full list of configuration options, run `configure --help`.
-
-For the server to support DNSSEC, you need to build it with crypto support.
-To use OpenSSL, you must have OpenSSL 1.0.2e or newer installed. If the
-OpenSSL library is installed in a nonstandard location, specify the prefix
-using `--with-openssl=<PREFIX>` on the configure command line. To use a
-PKCS#11 hardware service module for cryptographic operations, it will
-be necessary to compile and use engine_pkcs11 from the OpenSC project.
-
-To support DNS over HTTPS, the server must be linked with `libnghttp2`.
-
-To support the HTTP statistics channel, the server must be linked with at
-least one of the following libraries: `libxml2`
-[http://xmlsoft.org](http://xmlsoft.org) or `json-c`
-[https://github.com/json-c/json-c](https://github.com/json-c/json-c).
-If these are installed at a nonstandard location, then:
-
-* for `libxml2`, specify the prefix using `--with-libxml2=/prefix`.
-* for `json-c`, adjust `PKG_CONFIG_PATH`.
-
-To support compression on the HTTP statistics channel, the server must be
-linked against `libzlib`. If this is installed in a nonstandard location,
-specify the prefix using `--with-zlib=/prefix`.
-
-To support storing configuration data for runtime-added zones in an LMDB
-database, the server must be linked with `liblmdb`. If this is installed in a
-nonstandard location, specify the prefix using `with-lmdb=/prefix`.
-
-To support MaxMind GeoIP2 location-based ACLs, the server must be linked
-with `libmaxminddb`. This is turned on by default if the library is
-found; if the library is installed in a nonstandard location,
-specify the prefix using `--with-maxminddb=/prefix`. GeoIP2 support
-can be switched off with `--disable-geoip`.
-
-For DNSTAP packet logging, you must have installed `libfstrm`
-[https://github.com/farsightsec/fstrm](https://github.com/farsightsec/fstrm)
-and `libprotobuf-c`
-[https://developers.google.com/protocol-buffers](https://developers.google.com/protocol-buffers),
-and BIND must be configured with `--enable-dnstap`.
-
-Certain compiled-in constants and default settings can be decreased to
-values better suited to small machines, e.g. OpenWRT boxes, by specifying
-`--with-tuning=small` on the `configure` command line. This decreases
-memory usage by using smaller structures, but degrades performance.
-
-On Linux, process capabilities are managed in user space using
-the `libcap` library, which can be installed on most Linux systems via
-the `libcap-dev` or `libcap-devel` package. Process capability support can
-also be disabled by configuring with `--disable-linux-caps`.
-
-On some platforms it is necessary to explicitly request large file support
-to handle files bigger than 2GB.  This can be done by using
-`--enable-largefile` on the `configure` command line.
-
-Support for the "fixed" rrset-order option can be enabled or disabled by
-specifying `--enable-fixed-rrset` or `--disable-fixed-rrset` on the
-configure command line. By default, fixed rrset-order is disabled to
-reduce memory footprint.
-
-The `--enable-querytrace` option causes `named` to log every step of
-processing every query. The `--enable-singletrace` option turns on the
-same verbose tracing, but allows an individual query to be separately
-traced by setting its query ID to 0. These options should only be enabled
-when debugging, because they have a significant negative impact on query
-performance.
-
-`make install` installs `named` and the various BIND 9 libraries. By
-default, installation is into /usr/local, but this can be changed with the
-`--prefix` option when running `configure`.
-
-You may specify the option `--sysconfdir` to set the directory where
-configuration files like `named.conf` go by default, and `--localstatedir`
-to set the default parent directory of `run/named.pid`. `--sysconfdir`
-defaults to `$prefix/etc` and `--localstatedir` defaults to `$prefix/var`.
-
-### <a name="testing"/> Automated testing
-
-A system test suite can be run with `make check`. The system tests require
-you to configure a set of virtual IP addresses on your system (this allows
-multiple servers to run locally and communicate with each other). These
-IP addresses can be configured by running the command
-`bin/tests/system/ifconfig.sh up` as root.
-
-Some tests require Perl and the `Net::DNS` and/or `IO::Socket::INET6` modules,
-and are skipped if these are not available. Some tests require Python
-and the `dnspython` module and are skipped if these are not available.
-See bin/tests/system/README for further details.
-
-Unit tests are implemented using the CMocka unit testing framework. To build
-them, use `configure --with-cmocka`. Execution of tests is done by the automake
-parallel test driver; unit tests are also run by `make check`.
-
-### <a name="doc"/> Documentation
-
-The *BIND 9 Administrator Reference Manual* (ARM) is included with the source
-distribution, and in .rst format, in the `doc/arm`
-directory. HTML and PDF versions are automatically generated and can
-be viewed at [https://bind9.readthedocs.io/en/latest/index.html](https://bind9.readthedocs.io/en/latest/index.html).
-
-Man pages for some of the programs in the BIND 9 distribution
-are also included in the BIND ARM.
-
-Frequently (and not-so-frequently) asked questions and their answers
-can be found in the ISC Knowledgebase at
-[https://kb.isc.org](https://kb.isc.org).
-
-Additional information on various subjects can be found in other
-`README` files throughout the source tree.
-
-### <a name="changes"/> Change log
-
-A detailed list of all changes that have been made throughout the
-development of BIND 9 is included in the file CHANGES, with the most recent
-changes listed first. Change notes include tags indicating the category of
-the change that was made; these categories are:
-
-|Category	|Description	        			|
-|--------------	|-----------------------------------------------|
-| [func] | New feature |
-| [bug] | General bug fix |
-| [security] | Fix for a significant security flaw |
-| [experimental] | Used for new features when the syntax or other aspects of the design are still in flux and may change |
-| [port] | Portability enhancement |
-| [maint] | Updates to built-in data such as root server addresses and keys |
-| [tuning] | Changes to built-in configuration defaults and constants to improve performance |
-| [performance] | Other changes to improve server performance |
-| [protocol] | Updates to the DNS protocol such as new RR types |
-| [test] | Changes to the automatic tests, not affecting server functionality |
-| [cleanup] | Minor corrections and refactoring |
-| [doc] | Documentation |
-| [contrib] | Changes to the contributed tools and libraries in the 'contrib' subdirectory |
-| [placeholder] | Used in the main development branch to reserve change numbers for use in other branches, e.g., when fixing a bug that only exists in older releases |
-
-In general, [func] and [experimental] tags only appear in new-feature
-releases (i.e., those with version numbers ending in zero). Some new
-functionality may be backported to older releases on a case-by-case basis.
-All other change types may be applied to all currently supported releases.
-
-#### Bug report identifiers
-
-Most notes in the CHANGES file include a reference to a bug report or
-issue number. Prior to 2018, these were usually of the form `[RT #NNN]`
-and referred to entries in the "bind9-bugs" RT database, which was not open
-to the public. More recent entries use the form `[GL #NNN]` or, less often,
-`[GL !NNN]`, which, respectively, refer to issues or merge requests in the
-GitLab database. Most of these are publicly readable, unless they include
-information which is confidential or security-sensitive.
-
-To look up a GitLab issue by its number, use the URL
-[https://gitlab.isc.org/isc-projects/bind9/issues/NNN](https://gitlab.isc.org/isc-projects/bind9/issues).
-To look up a merge request, use
-[https://gitlab.isc.org/isc-projects/bind9/merge_requests/NNN](https://gitlab.isc.org/isc-projects/bind9/merge_requests).
-
-In rare cases, an issue or merge request number may be followed with the
-letter "P". This indicates that the information is in the private ISC
-GitLab instance, which is not visible to the public.
-
-### <a name="ack"/> Acknowledgments
-
-* The original development of BIND 9 was underwritten by the
-  following organizations:
-
-		Sun Microsystems, Inc.
-		Hewlett Packard
-		Compaq Computer Corporation
-		IBM
-		Process Software Corporation
-		Silicon Graphics, Inc.
-		Network Associates, Inc.
-		U.S. Defense Information Systems Agency
-		USENIX Association
-		Stichting NLnet - NLnet Foundation
-		Nominum, Inc.
-
-* This product includes software developed by the OpenSSL Project for use
-  in the OpenSSL Toolkit.
-  [https://www.OpenSSL.org/](https://www.OpenSSL.org/)
-* This product includes cryptographic software written by Eric Young
-  (eay@cryptsoft.com).
-* This product includes software written by Tim Hudson (tjh@cryptsoft.com).

acconfig.h

@@ -0,0 +1,122 @@
+/*
+ * Copyright (C) 1999-2001  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
+ * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+ * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: acconfig.h,v 1.31.2.2 2001/02/07 19:26:16 gson Exp $ */
+
+/***
+ *** This file is not to be included by any public header files, because
+ *** it does not get installed.
+ ***/
+@TOP@
+
+/* define on DEC OSF to enable 4.4BSD style sa_len support */
+#undef _SOCKADDR_LEN
+
+/* define if your system needs pthread_init() before using pthreads */
+#undef NEED_PTHREAD_INIT
+
+/* define if your system has sigwait() */
+#undef HAVE_SIGWAIT
+
+/* define if sigwait() is the UnixWare flavor */
+#undef HAVE_UNIXWARE_SIGWAIT
+
+/* define on Solaris to get sigwait() to work using pthreads semantics */
+#undef _POSIX_PTHREAD_SEMANTICS
+
+/* define if LinuxThreads is in use */
+#undef HAVE_LINUXTHREADS
+
+/* define if sysconf() is available */
+#undef HAVE_SYSCONF
+
+/* define if catgets() is available */
+#undef HAVE_CATGETS
+
+/* define if you have the NET_RT_IFLIST sysctl variable. */
+#undef HAVE_IFLIST_SYSCTL
+
+/* define if you need to #define _XPG4_2 before including sys/socket.h */
+#undef NEED_XPG4_2_BEFORE_SOCKET_H
+
+/* define if you need to #define _XOPEN_SOURCE_ENTENDED before including
+ * sys/socket.h
+ */
+#undef NEED_XSE_BEFORE_SOCKET_H
+
+/* define if chroot() is available */
+#undef HAVE_CHROOT
+
+/* define if struct addrinfo exists */
+#undef HAVE_ADDRINFO
+
+/* define if getaddrinfo() exists */
+#undef HAVE_GETADDRINFO
+
+/* define if gai_strerror() exists */
+#undef HAVE_GAISTRERROR
+
+/* define if pthread_setconcurrency() should be called to tell the
+ * OS how many threads we might want to run.
+ */
+#undef CALL_PTHREAD_SETCONCURRENCY
+
+/* define if IPv6 is not disabled */
+#undef WANT_IPV6
+
+/* define if flockfile() is available */
+#undef HAVE_FLOCKFILE
+
+/* define if rlim_t is defined via sys/types.h or sys/resource.h */
+#undef HAVE_RLIM_T
+
+/* Shut up warnings about sputaux in stdio.h on BSD/OS pre-4.1 */
+#undef SHUTUP_SPUTAUX
+#ifdef SHUTUP_SPUTAUX
+struct __sFILE;
+extern __inline int __sputaux(int _c, struct __sFILE *_p);
+#endif
+
+/* Shut up warnings about missing sigwait prototype on BSD/OS 4.0* */
+#undef SHUTUP_SIGWAIT
+#ifdef SHUTUP_SIGWAIT
+int sigwait(const unsigned int *set, int *sig);
+#endif
+
+/* Shut up warnings from gcc -Wcast-qual on BSD/OS 4.1. */
+#undef SHUTUP_STDARG_CAST
+#if defined(SHUTUP_STDARG_CAST) && defined(__GNUC__)
+#include <stdarg.h>		/* Grr.  Must be included *every time*. */
+/*
+ * The silly continuation line is to keep configure from
+ * commenting out the #undef.
+ */
+#undef \
+	va_start
+#define	va_start(ap, last) \
+	do { \
+		union { const void *konst; long *var; } _u; \
+		_u.konst = &(last); \
+		ap = (va_list)(_u.var + __va_words(__typeof(last))); \
+	} while (0)
+#endif /* SHUTUP_STDARG_CAST && __GNUC__ */
+
+/* define if the system has a random number generating device */
+#undef PATH_RANDOMDEV
+
+/* define if pthread_attr_getstacksize() is available */
+#undef HAVE_PTHREAD_ATTR_GETSTACKSIZE

aclocal.m4

@@ -0,0 +1,2 @@
+sinclude(./libtool.m4)dnl
+

bin/Makefile.am

@@ -1 +0,0 @@
-SUBDIRS = named rndc dig delv dnssec tools nsupdate check confgen tests plugins

bin/Makefile.in

@@ -0,0 +1,25 @@
+# Copyright (C) 1998-2001  Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
+# DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+# INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
+# FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.21.2.1 2001/01/09 22:31:11 bwelling Exp $
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	named rndc dig dnssec tests nsupdate check
+TARGETS =
+
+@BIND9_MAKE_RULES@

bin/check/.cvsignore

@@ -0,0 +1,6 @@
+Makefile
+.libs
+*.la
+*.lo
+named-checkconf
+named-checkzone

bin/check/.gitignore

@@ -1,3 +0,0 @@
-.libs
-named-checkconf
-named-checkzone

bin/check/Makefile.am

@@ -1,34 +0,0 @@
-include $(top_srcdir)/Makefile.top
-
-AM_CPPFLAGS +=			\
-	$(LIBISC_CFLAGS)	\
-	$(LIBDNS_CFLAGS)	\
-	$(LIBNS_CFLAGS)		\
-	$(LIBISCCFG_CFLAGS)	\
-	$(LIBBIND9_CFLAGS)
-
-AM_CPPFLAGS +=			\
-	-DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
-
-noinst_LTLIBRARIES = libcheck-tool.la
-
-libcheck_tool_la_SOURCES =	\
-	check-tool.h		\
-	check-tool.c
-
-LDADD +=			\
-	libcheck-tool.la	\
-	$(LIBISC_LIBS)		\
-	$(LIBDNS_LIBS)		\
-	$(LIBNS_LIBS)		\
-	$(LIBISCCFG_LIBS)	\
-	$(LIBBIND9_LIBS)
-
-bin_PROGRAMS = named-checkconf named-checkzone
-
-install-exec-hook:
-	ln -f $(DESTDIR)$(bindir)/named-checkzone \
-	      $(DESTDIR)$(bindir)/named-compilezone
-
-uninstall-hook:
-	-rm -f $(DESTDIR)$(bindir)/named-compilezone

bin/check/Makefile.in

@@ -0,0 +1,63 @@
+# Copyright (C) 2000, 2001  Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
+# DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+# INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
+# FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.5.2.1 2001/01/09 22:31:13 bwelling Exp $
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+@BIND9_INCLUDES@
+
+CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES}
+
+CDEFINES =
+CWARNINGS =
+
+DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_OPENSSL_LIBS@ @DNS_GSSAPI_LIBS@
+ISCLIBS =	../../lib/isc/libisc.@A@
+
+DNSDEPLIBS =	../../lib/dns/libdns.@A@
+ISCDEPLIBS =	../../lib/isc/libisc.@A@
+
+LIBS =		@LIBS@
+
+SUBDIRS =
+
+# Alphabetically
+TARGETS =	named-checkconf named-checkzone
+
+# Alphabetically
+SRCS =		named-checkconf.c named-checkzone.c check-tool.c
+
+@BIND9_MAKE_RULES@
+
+named-checkconf: named-checkconf.@O@ check-tool.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL} ${CC} ${CFLAGS} -o $@ named-checkconf.@O@ check-tool.@O@ \
+		${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+named-checkzone: named-checkzone.@O@ check-tool.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL} ${CC} ${CFLAGS} -o $@ named-checkzone.@O@ check-tool.@O@ \
+		${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+clean distclean::
+	rm -f ${TARGETS}
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
+
+install:: named-checkconf named-checkzone
+	${LIBTOOL} ${INSTALL_PROGRAM} named-checkconf ${DESTDIR}${sbindir}
+	${LIBTOOL} ${INSTALL_PROGRAM} named-checkzone ${DESTDIR}${sbindir}

bin/check/check-tool.c

@@ -1,688 +1,56 @@
 /*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
  *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
+ * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+ * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/*! \file */
+/* $Id: check-tool.c,v 1.2.2.1 2001/01/09 22:31:14 bwelling Exp $ */
+
+#include <config.h>
 
-#include <inttypes.h>
-#include <stdbool.h>
 #include <stdio.h>
 
-#include <isc/buffer.h>
-#include <isc/log.h>
-#include <isc/mem.h>
-#include <isc/net.h>
-#include <isc/netdb.h>
-#include <isc/print.h>
-#include <isc/region.h>
-#include <isc/result.h>
-#include <isc/stdio.h>
-#include <isc/string.h>
-#include <isc/symtab.h>
-#include <isc/types.h>
+#include "check-tool.h"
 #include <isc/util.h>
 
-#include <dns/db.h>
-#include <dns/dbiterator.h>
-#include <dns/fixedname.h>
+#include <isc/log.h>
+#include <isc/types.h>
+
 #include <dns/log.h>
-#include <dns/name.h>
-#include <dns/rdata.h>
-#include <dns/rdataclass.h>
-#include <dns/rdataset.h>
-#include <dns/rdatasetiter.h>
-#include <dns/rdatatype.h>
-#include <dns/types.h>
-#include <dns/zone.h>
-
-#include <isccfg/log.h>
-
-#include <ns/log.h>
-
-#include "check-tool.h"
-
-#ifndef CHECK_SIBLING
-#define CHECK_SIBLING 1
-#endif /* ifndef CHECK_SIBLING */
-
-#ifndef CHECK_LOCAL
-#define CHECK_LOCAL 1
-#endif /* ifndef CHECK_LOCAL */
-
-#define CHECK(r)                             \
-	do {                                 \
-		result = (r);                \
-		if (result != ISC_R_SUCCESS) \
-			goto cleanup;        \
-	} while (0)
-
-#define ERR_IS_CNAME	   1
-#define ERR_NO_ADDRESSES   2
-#define ERR_LOOKUP_FAILURE 3
-#define ERR_EXTRA_A	   4
-#define ERR_EXTRA_AAAA	   5
-#define ERR_MISSING_GLUE   5
-#define ERR_IS_MXCNAME	   6
-#define ERR_IS_SRVCNAME	   7
-
-static const char *dbtype[] = { "rbt" };
-
-int debug = 0;
-const char *journal = NULL;
-bool nomerge = true;
-#if CHECK_LOCAL
-bool docheckmx = true;
-bool dochecksrv = true;
-bool docheckns = true;
-#else  /* if CHECK_LOCAL */
-bool docheckmx = false;
-bool dochecksrv = false;
-bool docheckns = false;
-#endif /* if CHECK_LOCAL */
-dns_zoneopt_t zone_options = DNS_ZONEOPT_CHECKNS | DNS_ZONEOPT_CHECKMX |
-			     DNS_ZONEOPT_MANYERRORS | DNS_ZONEOPT_CHECKNAMES |
-			     DNS_ZONEOPT_CHECKINTEGRITY |
-#if CHECK_SIBLING
-			     DNS_ZONEOPT_CHECKSIBLING |
-#endif /* if CHECK_SIBLING */
-			     DNS_ZONEOPT_CHECKWILDCARD |
-			     DNS_ZONEOPT_WARNMXCNAME | DNS_ZONEOPT_WARNSRVCNAME;
-
-/*
- * This needs to match the list in bin/named/log.c.
- */
-static isc_logcategory_t categories[] = { { "", 0 },
-					  { "unmatched", 0 },
-					  { NULL, 0 } };
-
-static isc_symtab_t *symtab = NULL;
-static isc_mem_t *sym_mctx;
-
-static void
-freekey(char *key, unsigned int type, isc_symvalue_t value, void *userarg) {
-	UNUSED(type);
-	UNUSED(value);
-	isc_mem_free(userarg, key);
-}
-
-static void
-add(char *key, int value) {
-	isc_result_t result;
-	isc_symvalue_t symvalue;
-
-	if (sym_mctx == NULL) {
-		isc_mem_create(&sym_mctx);
-	}
-
-	if (symtab == NULL) {
-		result = isc_symtab_create(sym_mctx, 100, freekey, sym_mctx,
-					   false, &symtab);
-		if (result != ISC_R_SUCCESS) {
-			return;
-		}
-	}
-
-	key = isc_mem_strdup(sym_mctx, key);
-
-	symvalue.as_pointer = NULL;
-	result = isc_symtab_define(symtab, key, value, symvalue,
-				   isc_symexists_reject);
-	if (result != ISC_R_SUCCESS) {
-		isc_mem_free(sym_mctx, key);
-	}
-}
-
-static bool
-logged(char *key, int value) {
-	isc_result_t result;
-
-	if (symtab == NULL) {
-		return (false);
-	}
-
-	result = isc_symtab_lookup(symtab, key, value, NULL);
-	if (result == ISC_R_SUCCESS) {
-		return (true);
-	}
-	return (false);
-}
-
-static bool
-checkns(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner,
-	dns_rdataset_t *a, dns_rdataset_t *aaaa) {
-	dns_rdataset_t *rdataset;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	struct addrinfo hints, *ai, *cur;
-	char namebuf[DNS_NAME_FORMATSIZE + 1];
-	char ownerbuf[DNS_NAME_FORMATSIZE];
-	char addrbuf[sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:123.123.123.123")];
-	bool answer = true;
-	bool match;
-	const char *type;
-	void *ptr = NULL;
-	int result;
-
-	REQUIRE(a == NULL || !dns_rdataset_isassociated(a) ||
-		a->type == dns_rdatatype_a);
-	REQUIRE(aaaa == NULL || !dns_rdataset_isassociated(aaaa) ||
-		aaaa->type == dns_rdatatype_aaaa);
-
-	if (a == NULL || aaaa == NULL) {
-		return (answer);
-	}
-
-	memset(&hints, 0, sizeof(hints));
-	hints.ai_flags = AI_CANONNAME;
-	hints.ai_family = PF_UNSPEC;
-	hints.ai_socktype = SOCK_STREAM;
-	hints.ai_protocol = IPPROTO_TCP;
-
-	dns_name_format(name, namebuf, sizeof(namebuf) - 1);
-	/*
-	 * Turn off search.
-	 */
-	if (dns_name_countlabels(name) > 1U) {
-		strlcat(namebuf, ".", sizeof(namebuf));
-	}
-	dns_name_format(owner, ownerbuf, sizeof(ownerbuf));
-
-	result = getaddrinfo(namebuf, NULL, &hints, &ai);
-	dns_name_format(name, namebuf, sizeof(namebuf) - 1);
-	switch (result) {
-	case 0:
-		/*
-		 * Work around broken getaddrinfo() implementations that
-		 * fail to set ai_canonname on first entry.
-		 */
-		cur = ai;
-		while (cur != NULL && cur->ai_canonname == NULL &&
-		       cur->ai_next != NULL) {
-			cur = cur->ai_next;
-		}
-		if (cur != NULL && cur->ai_canonname != NULL &&
-		    strcasecmp(cur->ai_canonname, namebuf) != 0 &&
-		    !logged(namebuf, ERR_IS_CNAME))
-		{
-			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "%s/NS '%s' (out of zone) "
-				     "is a CNAME '%s' (illegal)",
-				     ownerbuf, namebuf, cur->ai_canonname);
-			/* XXX950 make fatal for 9.5.0 */
-			/* answer = false; */
-			add(namebuf, ERR_IS_CNAME);
-		}
-		break;
-	case EAI_NONAME:
-#if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME)
-	case EAI_NODATA:
-#endif /* if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME) */
-		if (!logged(namebuf, ERR_NO_ADDRESSES)) {
-			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "%s/NS '%s' (out of zone) "
-				     "has no addresses records (A or AAAA)",
-				     ownerbuf, namebuf);
-			add(namebuf, ERR_NO_ADDRESSES);
-		}
-		/* XXX950 make fatal for 9.5.0 */
-		return (true);
-
-	default:
-		if (!logged(namebuf, ERR_LOOKUP_FAILURE)) {
-			dns_zone_log(zone, ISC_LOG_WARNING,
-				     "getaddrinfo(%s) failed: %s", namebuf,
-				     gai_strerror(result));
-			add(namebuf, ERR_LOOKUP_FAILURE);
-		}
-		return (true);
-	}
-
-	/*
-	 * Check that all glue records really exist.
-	 */
-	if (!dns_rdataset_isassociated(a)) {
-		goto checkaaaa;
-	}
-	result = dns_rdataset_first(a);
-	while (result == ISC_R_SUCCESS) {
-		dns_rdataset_current(a, &rdata);
-		match = false;
-		for (cur = ai; cur != NULL; cur = cur->ai_next) {
-			if (cur->ai_family != AF_INET) {
-				continue;
-			}
-			ptr = &((struct sockaddr_in *)(cur->ai_addr))->sin_addr;
-			if (memcmp(ptr, rdata.data, rdata.length) == 0) {
-				match = true;
-				break;
-			}
-		}
-		if (!match && !logged(namebuf, ERR_EXTRA_A)) {
-			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "%s/NS '%s' "
-				     "extra GLUE A record (%s)",
-				     ownerbuf, namebuf,
-				     inet_ntop(AF_INET, rdata.data, addrbuf,
-					       sizeof(addrbuf)));
-			add(namebuf, ERR_EXTRA_A);
-			/* XXX950 make fatal for 9.5.0 */
-			/* answer = false; */
-		}
-		dns_rdata_reset(&rdata);
-		result = dns_rdataset_next(a);
-	}
-
-checkaaaa:
-	if (!dns_rdataset_isassociated(aaaa)) {
-		goto checkmissing;
-	}
-	result = dns_rdataset_first(aaaa);
-	while (result == ISC_R_SUCCESS) {
-		dns_rdataset_current(aaaa, &rdata);
-		match = false;
-		for (cur = ai; cur != NULL; cur = cur->ai_next) {
-			if (cur->ai_family != AF_INET6) {
-				continue;
-			}
-			ptr = &((struct sockaddr_in6 *)(cur->ai_addr))
-				       ->sin6_addr;
-			if (memcmp(ptr, rdata.data, rdata.length) == 0) {
-				match = true;
-				break;
-			}
-		}
-		if (!match && !logged(namebuf, ERR_EXTRA_AAAA)) {
-			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "%s/NS '%s' "
-				     "extra GLUE AAAA record (%s)",
-				     ownerbuf, namebuf,
-				     inet_ntop(AF_INET6, rdata.data, addrbuf,
-					       sizeof(addrbuf)));
-			add(namebuf, ERR_EXTRA_AAAA);
-			/* XXX950 make fatal for 9.5.0. */
-			/* answer = false; */
-		}
-		dns_rdata_reset(&rdata);
-		result = dns_rdataset_next(aaaa);
-	}
-
-checkmissing:
-	/*
-	 * Check that all addresses appear in the glue.
-	 */
-	if (!logged(namebuf, ERR_MISSING_GLUE)) {
-		bool missing_glue = false;
-		for (cur = ai; cur != NULL; cur = cur->ai_next) {
-			switch (cur->ai_family) {
-			case AF_INET:
-				rdataset = a;
-				ptr = &((struct sockaddr_in *)(cur->ai_addr))
-					       ->sin_addr;
-				type = "A";
-				break;
-			case AF_INET6:
-				rdataset = aaaa;
-				ptr = &((struct sockaddr_in6 *)(cur->ai_addr))
-					       ->sin6_addr;
-				type = "AAAA";
-				break;
-			default:
-				continue;
-			}
-			match = false;
-			if (dns_rdataset_isassociated(rdataset)) {
-				result = dns_rdataset_first(rdataset);
-			} else {
-				result = ISC_R_FAILURE;
-			}
-			while (result == ISC_R_SUCCESS && !match) {
-				dns_rdataset_current(rdataset, &rdata);
-				if (memcmp(ptr, rdata.data, rdata.length) == 0)
-				{
-					match = true;
-				}
-				dns_rdata_reset(&rdata);
-				result = dns_rdataset_next(rdataset);
-			}
-			if (!match) {
-				dns_zone_log(zone, ISC_LOG_ERROR,
-					     "%s/NS '%s' "
-					     "missing GLUE %s record (%s)",
-					     ownerbuf, namebuf, type,
-					     inet_ntop(cur->ai_family, ptr,
-						       addrbuf,
-						       sizeof(addrbuf)));
-				/* XXX950 make fatal for 9.5.0. */
-				/* answer = false; */
-				missing_glue = true;
-			}
-		}
-		if (missing_glue) {
-			add(namebuf, ERR_MISSING_GLUE);
-		}
-	}
-	freeaddrinfo(ai);
-	return (answer);
-}
-
-static bool
-checkmx(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner) {
-	struct addrinfo hints, *ai, *cur;
-	char namebuf[DNS_NAME_FORMATSIZE + 1];
-	char ownerbuf[DNS_NAME_FORMATSIZE];
-	int result;
-	int level = ISC_LOG_ERROR;
-	bool answer = true;
-
-	memset(&hints, 0, sizeof(hints));
-	hints.ai_flags = AI_CANONNAME;
-	hints.ai_family = PF_UNSPEC;
-	hints.ai_socktype = SOCK_STREAM;
-	hints.ai_protocol = IPPROTO_TCP;
-
-	dns_name_format(name, namebuf, sizeof(namebuf) - 1);
-	/*
-	 * Turn off search.
-	 */
-	if (dns_name_countlabels(name) > 1U) {
-		strlcat(namebuf, ".", sizeof(namebuf));
-	}
-	dns_name_format(owner, ownerbuf, sizeof(ownerbuf));
-
-	result = getaddrinfo(namebuf, NULL, &hints, &ai);
-	dns_name_format(name, namebuf, sizeof(namebuf) - 1);
-	switch (result) {
-	case 0:
-		/*
-		 * Work around broken getaddrinfo() implementations that
-		 * fail to set ai_canonname on first entry.
-		 */
-		cur = ai;
-		while (cur != NULL && cur->ai_canonname == NULL &&
-		       cur->ai_next != NULL) {
-			cur = cur->ai_next;
-		}
-		if (cur != NULL && cur->ai_canonname != NULL &&
-		    strcasecmp(cur->ai_canonname, namebuf) != 0)
-		{
-			if ((zone_options & DNS_ZONEOPT_WARNMXCNAME) != 0) {
-				level = ISC_LOG_WARNING;
-			}
-			if ((zone_options & DNS_ZONEOPT_IGNOREMXCNAME) == 0) {
-				if (!logged(namebuf, ERR_IS_MXCNAME)) {
-					dns_zone_log(zone, level,
-						     "%s/MX '%s' (out of zone)"
-						     " is a CNAME '%s' "
-						     "(illegal)",
-						     ownerbuf, namebuf,
-						     cur->ai_canonname);
-					add(namebuf, ERR_IS_MXCNAME);
-				}
-				if (level == ISC_LOG_ERROR) {
-					answer = false;
-				}
-			}
-		}
-		freeaddrinfo(ai);
-		return (answer);
-
-	case EAI_NONAME:
-#if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME)
-	case EAI_NODATA:
-#endif /* if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME) */
-		if (!logged(namebuf, ERR_NO_ADDRESSES)) {
-			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "%s/MX '%s' (out of zone) "
-				     "has no addresses records (A or AAAA)",
-				     ownerbuf, namebuf);
-			add(namebuf, ERR_NO_ADDRESSES);
-		}
-		/* XXX950 make fatal for 9.5.0. */
-		return (true);
-
-	default:
-		if (!logged(namebuf, ERR_LOOKUP_FAILURE)) {
-			dns_zone_log(zone, ISC_LOG_WARNING,
-				     "getaddrinfo(%s) failed: %s", namebuf,
-				     gai_strerror(result));
-			add(namebuf, ERR_LOOKUP_FAILURE);
-		}
-		return (true);
-	}
-}
-
-static bool
-checksrv(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner) {
-	struct addrinfo hints, *ai, *cur;
-	char namebuf[DNS_NAME_FORMATSIZE + 1];
-	char ownerbuf[DNS_NAME_FORMATSIZE];
-	int result;
-	int level = ISC_LOG_ERROR;
-	bool answer = true;
-
-	memset(&hints, 0, sizeof(hints));
-	hints.ai_flags = AI_CANONNAME;
-	hints.ai_family = PF_UNSPEC;
-	hints.ai_socktype = SOCK_STREAM;
-	hints.ai_protocol = IPPROTO_TCP;
-
-	dns_name_format(name, namebuf, sizeof(namebuf) - 1);
-	/*
-	 * Turn off search.
-	 */
-	if (dns_name_countlabels(name) > 1U) {
-		strlcat(namebuf, ".", sizeof(namebuf));
-	}
-	dns_name_format(owner, ownerbuf, sizeof(ownerbuf));
-
-	result = getaddrinfo(namebuf, NULL, &hints, &ai);
-	dns_name_format(name, namebuf, sizeof(namebuf) - 1);
-	switch (result) {
-	case 0:
-		/*
-		 * Work around broken getaddrinfo() implementations that
-		 * fail to set ai_canonname on first entry.
-		 */
-		cur = ai;
-		while (cur != NULL && cur->ai_canonname == NULL &&
-		       cur->ai_next != NULL) {
-			cur = cur->ai_next;
-		}
-		if (cur != NULL && cur->ai_canonname != NULL &&
-		    strcasecmp(cur->ai_canonname, namebuf) != 0)
-		{
-			if ((zone_options & DNS_ZONEOPT_WARNSRVCNAME) != 0) {
-				level = ISC_LOG_WARNING;
-			}
-			if ((zone_options & DNS_ZONEOPT_IGNORESRVCNAME) == 0) {
-				if (!logged(namebuf, ERR_IS_SRVCNAME)) {
-					dns_zone_log(zone, level,
-						     "%s/SRV '%s'"
-						     " (out of zone) is a "
-						     "CNAME '%s' (illegal)",
-						     ownerbuf, namebuf,
-						     cur->ai_canonname);
-					add(namebuf, ERR_IS_SRVCNAME);
-				}
-				if (level == ISC_LOG_ERROR) {
-					answer = false;
-				}
-			}
-		}
-		freeaddrinfo(ai);
-		return (answer);
-
-	case EAI_NONAME:
-#if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME)
-	case EAI_NODATA:
-#endif /* if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME) */
-		if (!logged(namebuf, ERR_NO_ADDRESSES)) {
-			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "%s/SRV '%s' (out of zone) "
-				     "has no addresses records (A or AAAA)",
-				     ownerbuf, namebuf);
-			add(namebuf, ERR_NO_ADDRESSES);
-		}
-		/* XXX950 make fatal for 9.5.0. */
-		return (true);
-
-	default:
-		if (!logged(namebuf, ERR_LOOKUP_FAILURE)) {
-			dns_zone_log(zone, ISC_LOG_WARNING,
-				     "getaddrinfo(%s) failed: %s", namebuf,
-				     gai_strerror(result));
-			add(namebuf, ERR_LOOKUP_FAILURE);
-		}
-		return (true);
-	}
-}
 
 isc_result_t
-setup_logging(isc_mem_t *mctx, FILE *errout, isc_log_t **logp) {
+setup_logging(isc_mem_t *mctx, isc_log_t **logp) {
 	isc_logdestination_t destination;
 	isc_logconfig_t *logconfig = NULL;
 	isc_log_t *log = NULL;
 
-	isc_log_create(mctx, &log, &logconfig);
-	isc_log_registercategories(log, categories);
+	RUNTIME_CHECK(isc_log_create(mctx, &log, &logconfig) == ISC_R_SUCCESS);
 	isc_log_setcontext(log);
 	dns_log_init(log);
 	dns_log_setcontext(log);
-	cfg_log_init(log);
-	ns_log_init(log);
 
-	destination.file.stream = errout;
+	destination.file.stream = stdout;
 	destination.file.name = NULL;
 	destination.file.versions = ISC_LOG_ROLLNEVER;
 	destination.file.maximum_size = 0;
-	isc_log_createchannel(logconfig, "stderr", ISC_LOG_TOFILEDESC,
-			      ISC_LOG_DYNAMIC, &destination, 0);
-
-	RUNTIME_CHECK(isc_log_usechannel(logconfig, "stderr", NULL, NULL) ==
-		      ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_log_createchannel(logconfig, "stderr",
+				       ISC_LOG_TOFILEDESC,
+				       ISC_LOG_DYNAMIC,
+				       &destination, 0) == ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_log_usechannel(logconfig, "stderr",
+					 NULL, NULL) == ISC_R_SUCCESS);
 
 	*logp = log;
 	return (ISC_R_SUCCESS);
 }
-
-/*% load the zone */
-isc_result_t
-load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
-	  dns_masterformat_t fileformat, const char *classname,
-	  dns_ttl_t maxttl, dns_zone_t **zonep) {
-	isc_result_t result;
-	dns_rdataclass_t rdclass;
-	isc_textregion_t region;
-	isc_buffer_t buffer;
-	dns_fixedname_t fixorigin;
-	dns_name_t *origin;
-	dns_zone_t *zone = NULL;
-
-	REQUIRE(zonep == NULL || *zonep == NULL);
-
-	if (debug) {
-		fprintf(stderr, "loading \"%s\" from \"%s\" class \"%s\"\n",
-			zonename, filename, classname);
-	}
-
-	CHECK(dns_zone_create(&zone, mctx));
-
-	dns_zone_settype(zone, dns_zone_primary);
-
-	isc_buffer_constinit(&buffer, zonename, strlen(zonename));
-	isc_buffer_add(&buffer, strlen(zonename));
-	origin = dns_fixedname_initname(&fixorigin);
-	CHECK(dns_name_fromtext(origin, &buffer, dns_rootname, 0, NULL));
-	CHECK(dns_zone_setorigin(zone, origin));
-	dns_zone_setdbtype(zone, 1, (const char *const *)dbtype);
-	if (strcmp(filename, "-") == 0) {
-		CHECK(dns_zone_setstream(zone, stdin, fileformat,
-					 &dns_master_style_default));
-	} else {
-		CHECK(dns_zone_setfile(zone, filename, fileformat,
-				       &dns_master_style_default));
-	}
-	if (journal != NULL) {
-		CHECK(dns_zone_setjournal(zone, journal));
-	}
-
-	DE_CONST(classname, region.base);
-	region.length = strlen(classname);
-	CHECK(dns_rdataclass_fromtext(&rdclass, &region));
-
-	dns_zone_setclass(zone, rdclass);
-	dns_zone_setoption(zone, zone_options, true);
-	dns_zone_setoption(zone, DNS_ZONEOPT_NOMERGE, nomerge);
-
-	dns_zone_setmaxttl(zone, maxttl);
-
-	if (docheckmx) {
-		dns_zone_setcheckmx(zone, checkmx);
-	}
-	if (docheckns) {
-		dns_zone_setcheckns(zone, checkns);
-	}
-	if (dochecksrv) {
-		dns_zone_setchecksrv(zone, checksrv);
-	}
-
-	CHECK(dns_zone_load(zone, false));
-
-	if (zonep != NULL) {
-		*zonep = zone;
-		zone = NULL;
-	}
-
-cleanup:
-	if (zone != NULL) {
-		dns_zone_detach(&zone);
-	}
-	return (result);
-}
-
-/*% dump the zone */
-isc_result_t
-dump_zone(const char *zonename, dns_zone_t *zone, const char *filename,
-	  dns_masterformat_t fileformat, const dns_master_style_t *style,
-	  const uint32_t rawversion) {
-	isc_result_t result;
-	FILE *output = stdout;
-	const char *flags;
-
-	flags = (fileformat == dns_masterformat_text) ? "w" : "wb";
-
-	if (debug) {
-		if (filename != NULL && strcmp(filename, "-") != 0) {
-			fprintf(stderr, "dumping \"%s\" to \"%s\"\n", zonename,
-				filename);
-		} else {
-			fprintf(stderr, "dumping \"%s\"\n", zonename);
-		}
-	}
-
-	if (filename != NULL && strcmp(filename, "-") != 0) {
-		result = isc_stdio_open(filename, flags, &output);
-
-		if (result != ISC_R_SUCCESS) {
-			fprintf(stderr,
-				"could not open output "
-				"file \"%s\" for writing\n",
-				filename);
-			return (ISC_R_FAILURE);
-		}
-	}
-
-	result = dns_zone_dumptostream(zone, output, fileformat, style,
-				       rawversion);
-	if (output != stdout) {
-		(void)isc_stdio_close(output);
-	}
-
-	return (result);
-}

bin/check/check-tool.h

@@ -1,50 +1,34 @@
 /*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
  *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
+ * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+ * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-#pragma once
+/* $Id: check-tool.h,v 1.1.2.1 2001/01/09 22:31:15 bwelling Exp $ */
 
-/*! \file */
-
-#include <inttypes.h>
-#include <stdbool.h>
+#ifndef CHECK_TOOL_H
+#define CHECK_TOOL_H
 
 #include <isc/lang.h>
-#include <isc/stdio.h>
-#include <isc/types.h>
 
-#include <dns/masterdump.h>
-#include <dns/types.h>
-#include <dns/zone.h>
+#include <isc/types.h>
 
 ISC_LANG_BEGINDECLS
 
 isc_result_t
-setup_logging(isc_mem_t *mctx, FILE *errout, isc_log_t **logp);
-
-isc_result_t
-load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
-	  dns_masterformat_t fileformat, const char *classname,
-	  dns_ttl_t maxttl, dns_zone_t **zonep);
-
-isc_result_t
-dump_zone(const char *zonename, dns_zone_t *zone, const char *filename,
-	  dns_masterformat_t fileformat, const dns_master_style_t *style,
-	  const uint32_t rawversion);
-
-extern int debug;
-extern const char *journal;
-extern bool nomerge;
-extern bool docheckmx;
-extern bool docheckns;
-extern bool dochecksrv;
-extern dns_zoneopt_t zone_options;
+setup_logging(isc_mem_t *mctx, isc_log_t **logp);
 
 ISC_LANG_ENDDECLS
+
+#endif

bin/check/named-checkconf.c

@@ -1,747 +1,87 @@
 /*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
  *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
+ * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+ * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/*! \file */
+/* $Id: named-checkconf.c,v 1.2.2.1 2001/01/09 22:31:16 bwelling Exp $ */
+
+#include <config.h>
 
 #include <errno.h>
-#include <stdbool.h>
-#include <stdio.h>
 #include <stdlib.h>
 
-#include <isc/attributes.h>
-#include <isc/commandline.h>
-#include <isc/dir.h>
-#include <isc/hash.h>
-#include <isc/log.h>
 #include <isc/mem.h>
-#include <isc/print.h>
-#include <isc/result.h>
 #include <isc/string.h>
 #include <isc/util.h>
 
-#include <dns/db.h>
-#include <dns/fixedname.h>
 #include <dns/log.h>
-#include <dns/name.h>
-#include <dns/rdataclass.h>
-#include <dns/rootns.h>
-#include <dns/zone.h>
-
-#include <isccfg/grammar.h>
-#include <isccfg/namedconf.h>
-
-#include <bind9/check.h>
+#include <dns/namedconf.h>
 
 #include "check-tool.h"
 
-static const char *program = "named-checkconf";
-
-static bool loadplugins = true;
-
-isc_log_t *logc = NULL;
-
-#define CHECK(r)                             \
-	do {                                 \
-		result = (r);                \
-		if (result != ISC_R_SUCCESS) \
-			goto cleanup;        \
-	} while (0)
-
-/*% usage */
-ISC_NORETURN static void
-usage(void);
-
-static void
-usage(void) {
-	fprintf(stderr,
-		"usage: %s [-chijlvz] [-p [-x]] [-t directory] "
-		"[named.conf]\n",
-		program);
-	exit(1);
-}
-
-/*% directory callback */
 static isc_result_t
-directory_callback(const char *clausename, const cfg_obj_t *obj, void *arg) {
-	isc_result_t result;
-	const char *directory;
+zonecbk(dns_c_ctx_t *ctx, dns_c_zone_t *zone, dns_c_view_t *view, void *uap) {
 
-	REQUIRE(strcasecmp("directory", clausename) == 0);
-
-	UNUSED(arg);
-	UNUSED(clausename);
-
-	/*
-	 * Change directory.
-	 */
-	directory = cfg_obj_asstring(obj);
-	result = isc_dir_chdir(directory);
-	if (result != ISC_R_SUCCESS) {
-		cfg_obj_log(obj, logc, ISC_LOG_ERROR,
-			    "change directory to '%s' failed: %s\n", directory,
-			    isc_result_totext(result));
-		return (result);
-	}
+	UNUSED(ctx);
+	UNUSED(uap);
+	UNUSED(zone);
+	UNUSED(view);
 
 	return (ISC_R_SUCCESS);
 }
 
-static bool
-get_maps(const cfg_obj_t **maps, const char *name, const cfg_obj_t **obj) {
-	int i;
-	for (i = 0;; i++) {
-		if (maps[i] == NULL) {
-			return (false);
-		}
-		if (cfg_map_get(maps[i], name, obj) == ISC_R_SUCCESS) {
-			return (true);
-		}
-	}
-}
-
-static bool
-get_checknames(const cfg_obj_t **maps, const cfg_obj_t **obj) {
-	const cfg_listelt_t *element;
-	const cfg_obj_t *checknames;
-	const cfg_obj_t *type;
-	const cfg_obj_t *value;
-	isc_result_t result;
-	int i;
-
-	for (i = 0;; i++) {
-		if (maps[i] == NULL) {
-			return (false);
-		}
-		checknames = NULL;
-		result = cfg_map_get(maps[i], "check-names", &checknames);
-		if (result != ISC_R_SUCCESS) {
-			continue;
-		}
-		if (checknames != NULL && !cfg_obj_islist(checknames)) {
-			*obj = checknames;
-			return (true);
-		}
-		for (element = cfg_list_first(checknames); element != NULL;
-		     element = cfg_list_next(element))
-		{
-			value = cfg_listelt_value(element);
-			type = cfg_tuple_get(value, "type");
-			if ((strcasecmp(cfg_obj_asstring(type), "primary") !=
-			     0) &&
-			    (strcasecmp(cfg_obj_asstring(type), "master") != 0))
-			{
-				continue;
-			}
-			*obj = cfg_tuple_get(value, "mode");
-			return (true);
-		}
-	}
-}
-
 static isc_result_t
-configure_hint(const char *zfile, const char *zclass, isc_mem_t *mctx) {
-	isc_result_t result;
-	dns_db_t *db = NULL;
-	dns_rdataclass_t rdclass;
-	isc_textregion_t r;
+optscbk(dns_c_ctx_t *ctx, void *uap) {
+	UNUSED(ctx);
+	UNUSED(uap);
 
-	if (zfile == NULL) {
-		return (ISC_R_FAILURE);
-	}
-
-	DE_CONST(zclass, r.base);
-	r.length = strlen(zclass);
-	result = dns_rdataclass_fromtext(&rdclass, &r);
-	if (result != ISC_R_SUCCESS) {
-		return (result);
-	}
-
-	result = dns_rootns_create(mctx, rdclass, zfile, &db);
-	if (result != ISC_R_SUCCESS) {
-		return (result);
-	}
-
-	dns_db_detach(&db);
 	return (ISC_R_SUCCESS);
 }
 
-/*% configure the zone */
-static isc_result_t
-configure_zone(const char *vclass, const char *view, const cfg_obj_t *zconfig,
-	       const cfg_obj_t *vconfig, const cfg_obj_t *config,
-	       isc_mem_t *mctx, bool list) {
-	int i = 0;
-	isc_result_t result;
-	const char *zclass;
-	const char *zname;
-	const char *zfile = NULL;
-	const cfg_obj_t *maps[4];
-	const cfg_obj_t *primariesobj = NULL;
-	const cfg_obj_t *inviewobj = NULL;
-	const cfg_obj_t *zoptions = NULL;
-	const cfg_obj_t *classobj = NULL;
-	const cfg_obj_t *typeobj = NULL;
-	const cfg_obj_t *fileobj = NULL;
-	const cfg_obj_t *dlzobj = NULL;
-	const cfg_obj_t *dbobj = NULL;
-	const cfg_obj_t *obj = NULL;
-	const cfg_obj_t *fmtobj = NULL;
-	dns_masterformat_t masterformat;
-	dns_ttl_t maxttl = 0;
-
-	zone_options = DNS_ZONEOPT_CHECKNS | DNS_ZONEOPT_MANYERRORS;
-
-	zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
-	classobj = cfg_tuple_get(zconfig, "class");
-	if (!cfg_obj_isstring(classobj)) {
-		zclass = vclass;
-	} else {
-		zclass = cfg_obj_asstring(classobj);
-	}
-
-	zoptions = cfg_tuple_get(zconfig, "options");
-	maps[i++] = zoptions;
-	if (vconfig != NULL) {
-		maps[i++] = cfg_tuple_get(vconfig, "options");
-	}
-	if (config != NULL) {
-		cfg_map_get(config, "options", &obj);
-		if (obj != NULL) {
-			maps[i++] = obj;
-		}
-	}
-	maps[i] = NULL;
-
-	cfg_map_get(zoptions, "in-view", &inviewobj);
-	if (inviewobj != NULL && list) {
-		const char *inview = cfg_obj_asstring(inviewobj);
-		printf("%s %s %s in-view %s\n", zname, zclass, view, inview);
-	}
-	if (inviewobj != NULL) {
-		return (ISC_R_SUCCESS);
-	}
-
-	cfg_map_get(zoptions, "type", &typeobj);
-	if (typeobj == NULL) {
-		return (ISC_R_FAILURE);
-	}
-
-	if (list) {
-		const char *ztype = cfg_obj_asstring(typeobj);
-		printf("%s %s %s %s\n", zname, zclass, view, ztype);
-		return (ISC_R_SUCCESS);
-	}
-
-	/*
-	 * Skip checks when using an alternate data source.
-	 */
-	cfg_map_get(zoptions, "database", &dbobj);
-	if (dbobj != NULL && strcmp("rbt", cfg_obj_asstring(dbobj)) != 0 &&
-	    strcmp("rbt64", cfg_obj_asstring(dbobj)) != 0)
-	{
-		return (ISC_R_SUCCESS);
-	}
-
-	cfg_map_get(zoptions, "dlz", &dlzobj);
-	if (dlzobj != NULL) {
-		return (ISC_R_SUCCESS);
-	}
-
-	cfg_map_get(zoptions, "file", &fileobj);
-	if (fileobj != NULL) {
-		zfile = cfg_obj_asstring(fileobj);
-	}
-
-	/*
-	 * Check hints files for hint zones.
-	 * Skip loading checks for any type other than
-	 * master and redirect
-	 */
-	if (strcasecmp(cfg_obj_asstring(typeobj), "hint") == 0) {
-		return (configure_hint(zfile, zclass, mctx));
-	} else if ((strcasecmp(cfg_obj_asstring(typeobj), "primary") != 0) &&
-		   (strcasecmp(cfg_obj_asstring(typeobj), "master") != 0) &&
-		   (strcasecmp(cfg_obj_asstring(typeobj), "redirect") != 0))
-	{
-		return (ISC_R_SUCCESS);
-	}
-
-	/*
-	 * Is the redirect zone configured as a secondary?
-	 */
-	if (strcasecmp(cfg_obj_asstring(typeobj), "redirect") == 0) {
-		cfg_map_get(zoptions, "primaries", &primariesobj);
-		if (primariesobj == NULL) {
-			cfg_map_get(zoptions, "masters", &primariesobj);
-		}
-
-		if (primariesobj != NULL) {
-			return (ISC_R_SUCCESS);
-		}
-	}
-
-	if (zfile == NULL) {
-		return (ISC_R_FAILURE);
-	}
-
-	obj = NULL;
-	if (get_maps(maps, "check-dup-records", &obj)) {
-		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
-			zone_options |= DNS_ZONEOPT_CHECKDUPRR;
-			zone_options &= ~DNS_ZONEOPT_CHECKDUPRRFAIL;
-		} else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
-			zone_options |= DNS_ZONEOPT_CHECKDUPRR;
-			zone_options |= DNS_ZONEOPT_CHECKDUPRRFAIL;
-		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
-			zone_options &= ~DNS_ZONEOPT_CHECKDUPRR;
-			zone_options &= ~DNS_ZONEOPT_CHECKDUPRRFAIL;
-		} else {
-			INSIST(0);
-			ISC_UNREACHABLE();
-		}
-	} else {
-		zone_options |= DNS_ZONEOPT_CHECKDUPRR;
-		zone_options &= ~DNS_ZONEOPT_CHECKDUPRRFAIL;
-	}
-
-	obj = NULL;
-	if (get_maps(maps, "check-mx", &obj)) {
-		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
-			zone_options |= DNS_ZONEOPT_CHECKMX;
-			zone_options &= ~DNS_ZONEOPT_CHECKMXFAIL;
-		} else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
-			zone_options |= DNS_ZONEOPT_CHECKMX;
-			zone_options |= DNS_ZONEOPT_CHECKMXFAIL;
-		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
-			zone_options &= ~DNS_ZONEOPT_CHECKMX;
-			zone_options &= ~DNS_ZONEOPT_CHECKMXFAIL;
-		} else {
-			INSIST(0);
-			ISC_UNREACHABLE();
-		}
-	} else {
-		zone_options |= DNS_ZONEOPT_CHECKMX;
-		zone_options &= ~DNS_ZONEOPT_CHECKMXFAIL;
-	}
-
-	obj = NULL;
-	if (get_maps(maps, "check-integrity", &obj)) {
-		if (cfg_obj_asboolean(obj)) {
-			zone_options |= DNS_ZONEOPT_CHECKINTEGRITY;
-		} else {
-			zone_options &= ~DNS_ZONEOPT_CHECKINTEGRITY;
-		}
-	} else {
-		zone_options |= DNS_ZONEOPT_CHECKINTEGRITY;
-	}
-
-	obj = NULL;
-	if (get_maps(maps, "check-mx-cname", &obj)) {
-		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
-			zone_options |= DNS_ZONEOPT_WARNMXCNAME;
-			zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME;
-		} else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
-			zone_options &= ~DNS_ZONEOPT_WARNMXCNAME;
-			zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME;
-		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
-			zone_options |= DNS_ZONEOPT_WARNMXCNAME;
-			zone_options |= DNS_ZONEOPT_IGNOREMXCNAME;
-		} else {
-			INSIST(0);
-			ISC_UNREACHABLE();
-		}
-	} else {
-		zone_options |= DNS_ZONEOPT_WARNMXCNAME;
-		zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME;
-	}
-
-	obj = NULL;
-	if (get_maps(maps, "check-srv-cname", &obj)) {
-		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
-			zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
-			zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME;
-		} else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
-			zone_options &= ~DNS_ZONEOPT_WARNSRVCNAME;
-			zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME;
-		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
-			zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
-			zone_options |= DNS_ZONEOPT_IGNORESRVCNAME;
-		} else {
-			INSIST(0);
-			ISC_UNREACHABLE();
-		}
-	} else {
-		zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
-		zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME;
-	}
-
-	obj = NULL;
-	if (get_maps(maps, "check-sibling", &obj)) {
-		if (cfg_obj_asboolean(obj)) {
-			zone_options |= DNS_ZONEOPT_CHECKSIBLING;
-		} else {
-			zone_options &= ~DNS_ZONEOPT_CHECKSIBLING;
-		}
-	}
-
-	obj = NULL;
-	if (get_maps(maps, "check-spf", &obj)) {
-		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
-			zone_options |= DNS_ZONEOPT_CHECKSPF;
-		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
-			zone_options &= ~DNS_ZONEOPT_CHECKSPF;
-		} else {
-			INSIST(0);
-			ISC_UNREACHABLE();
-		}
-	} else {
-		zone_options |= DNS_ZONEOPT_CHECKSPF;
-	}
-
-	obj = NULL;
-	if (get_checknames(maps, &obj)) {
-		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
-			zone_options |= DNS_ZONEOPT_CHECKNAMES;
-			zone_options &= ~DNS_ZONEOPT_CHECKNAMESFAIL;
-		} else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
-			zone_options |= DNS_ZONEOPT_CHECKNAMES;
-			zone_options |= DNS_ZONEOPT_CHECKNAMESFAIL;
-		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
-			zone_options &= ~DNS_ZONEOPT_CHECKNAMES;
-			zone_options &= ~DNS_ZONEOPT_CHECKNAMESFAIL;
-		} else {
-			INSIST(0);
-			ISC_UNREACHABLE();
-		}
-	} else {
-		zone_options |= DNS_ZONEOPT_CHECKNAMES;
-		zone_options |= DNS_ZONEOPT_CHECKNAMESFAIL;
-	}
-
-	masterformat = dns_masterformat_text;
-	fmtobj = NULL;
-	if (get_maps(maps, "masterfile-format", &fmtobj)) {
-		const char *masterformatstr = cfg_obj_asstring(fmtobj);
-		if (strcasecmp(masterformatstr, "text") == 0) {
-			masterformat = dns_masterformat_text;
-		} else if (strcasecmp(masterformatstr, "raw") == 0) {
-			masterformat = dns_masterformat_raw;
-		} else {
-			INSIST(0);
-			ISC_UNREACHABLE();
-		}
-	}
-
-	obj = NULL;
-	if (get_maps(maps, "max-zone-ttl", &obj)) {
-		maxttl = cfg_obj_asduration(obj);
-		zone_options |= DNS_ZONEOPT_CHECKTTL;
-	}
-
-	result = load_zone(mctx, zname, zfile, masterformat, zclass, maxttl,
-			   NULL);
-	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "%s/%s/%s: %s\n", view, zname, zclass,
-			isc_result_totext(result));
-	}
-	return (result);
-}
-
-/*% configure a view */
-static isc_result_t
-configure_view(const char *vclass, const char *view, const cfg_obj_t *config,
-	       const cfg_obj_t *vconfig, isc_mem_t *mctx, bool list) {
-	const cfg_listelt_t *element;
-	const cfg_obj_t *voptions;
-	const cfg_obj_t *zonelist;
-	isc_result_t result = ISC_R_SUCCESS;
-	isc_result_t tresult;
-
-	voptions = NULL;
-	if (vconfig != NULL) {
-		voptions = cfg_tuple_get(vconfig, "options");
-	}
-
-	zonelist = NULL;
-	if (voptions != NULL) {
-		(void)cfg_map_get(voptions, "zone", &zonelist);
-	} else {
-		(void)cfg_map_get(config, "zone", &zonelist);
-	}
-
-	for (element = cfg_list_first(zonelist); element != NULL;
-	     element = cfg_list_next(element))
-	{
-		const cfg_obj_t *zconfig = cfg_listelt_value(element);
-		tresult = configure_zone(vclass, view, zconfig, vconfig, config,
-					 mctx, list);
-		if (tresult != ISC_R_SUCCESS) {
-			result = tresult;
-		}
-	}
-	return (result);
-}
-
-static isc_result_t
-config_getclass(const cfg_obj_t *classobj, dns_rdataclass_t defclass,
-		dns_rdataclass_t *classp) {
-	isc_textregion_t r;
-
-	if (!cfg_obj_isstring(classobj)) {
-		*classp = defclass;
-		return (ISC_R_SUCCESS);
-	}
-	DE_CONST(cfg_obj_asstring(classobj), r.base);
-	r.length = strlen(r.base);
-	return (dns_rdataclass_fromtext(classp, &r));
-}
-
-/*% load zones from the configuration */
-static isc_result_t
-load_zones_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx,
-		      bool list_zones) {
-	const cfg_listelt_t *element;
-	const cfg_obj_t *views;
-	const cfg_obj_t *vconfig;
-	isc_result_t result = ISC_R_SUCCESS;
-	isc_result_t tresult;
-
-	views = NULL;
-
-	(void)cfg_map_get(config, "view", &views);
-	for (element = cfg_list_first(views); element != NULL;
-	     element = cfg_list_next(element))
-	{
-		const cfg_obj_t *classobj;
-		dns_rdataclass_t viewclass;
-		const char *vname;
-		char buf[sizeof("CLASS65535")];
-
-		vconfig = cfg_listelt_value(element);
-		if (vconfig == NULL) {
-			continue;
-		}
-
-		classobj = cfg_tuple_get(vconfig, "class");
-		tresult = config_getclass(classobj, dns_rdataclass_in,
-					  &viewclass);
-		if (tresult != ISC_R_SUCCESS) {
-			CHECK(tresult);
-		}
-
-		if (dns_rdataclass_ismeta(viewclass)) {
-			CHECK(ISC_R_FAILURE);
-		}
-
-		dns_rdataclass_format(viewclass, buf, sizeof(buf));
-		vname = cfg_obj_asstring(cfg_tuple_get(vconfig, "name"));
-		tresult = configure_view(buf, vname, config, vconfig, mctx,
-					 list_zones);
-		if (tresult != ISC_R_SUCCESS) {
-			result = tresult;
-		}
-	}
-
-	if (views == NULL) {
-		tresult = configure_view("IN", "_default", config, NULL, mctx,
-					 list_zones);
-		if (tresult != ISC_R_SUCCESS) {
-			result = tresult;
-		}
-	}
-
-cleanup:
-	return (result);
-}
-
-static void
-output(void *closure, const char *text, int textlen) {
-	UNUSED(closure);
-	if (fwrite(text, 1, textlen, stdout) != (size_t)textlen) {
-		perror("fwrite");
-		exit(1);
-	}
-}
-
-/*% The main processing routine */
 int
 main(int argc, char **argv) {
-	int c;
-	cfg_parser_t *parser = NULL;
-	cfg_obj_t *config = NULL;
+	dns_c_ctx_t *configctx = NULL;
 	const char *conffile = NULL;
 	isc_mem_t *mctx = NULL;
-	isc_result_t result;
-	int exit_status = 0;
-	bool load_zones = false;
-	bool list_zones = false;
-	bool print = false;
-	bool nodeprecate = false;
-	unsigned int flags = 0;
+	dns_c_cbks_t callbacks;
+	isc_log_t *log = NULL;
 
-	isc_commandline_errprint = false;
+	callbacks.zonecbk = zonecbk;
+	callbacks.optscbk = optscbk;
+	callbacks.zonecbkuap = NULL;
+	callbacks.optscbkuap = NULL;
 
-	/*
-	 * Process memory debugging argument first.
-	 */
-#define CMDLINE_FLAGS "cdhijlm:t:pvxz"
-	while ((c = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
-		switch (c) {
-		case 'm':
-			if (strcasecmp(isc_commandline_argument, "record") == 0)
-			{
-				isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
-			}
-			if (strcasecmp(isc_commandline_argument, "trace") == 0)
-			{
-				isc_mem_debugging |= ISC_MEM_DEBUGTRACE;
-			}
-			if (strcasecmp(isc_commandline_argument, "usage") == 0)
-			{
-				isc_mem_debugging |= ISC_MEM_DEBUGUSAGE;
-			}
-			break;
-		default:
-			break;
-		}
-	}
-	isc_commandline_reset = true;
+	if (argc > 1)
+		conffile = argv[1];
+	if (conffile == NULL || conffile[0] == '\0')
+		conffile = "/etc/named.conf";
 
-	isc_mem_create(&mctx);
+	RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
 
-	while ((c = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != EOF) {
-		switch (c) {
-		case 'c':
-			loadplugins = false;
-			break;
+	RUNTIME_CHECK(setup_logging(mctx, &log) == ISC_R_SUCCESS);
 
-		case 'd':
-			debug++;
-			break;
-
-		case 'i':
-			nodeprecate = true;
-			break;
-
-		case 'j':
-			nomerge = false;
-			break;
-
-		case 'l':
-			list_zones = true;
-			break;
-
-		case 'm':
-			break;
-
-		case 't':
-			result = isc_dir_chroot(isc_commandline_argument);
-			if (result != ISC_R_SUCCESS) {
-				fprintf(stderr, "isc_dir_chroot: %s\n",
-					isc_result_totext(result));
-				exit(1);
-			}
-			break;
-
-		case 'p':
-			print = true;
-			break;
-
-		case 'v':
-			printf("%s\n", PACKAGE_VERSION);
-			exit(0);
-
-		case 'x':
-			flags |= CFG_PRINTER_XKEY;
-			break;
-
-		case 'z':
-			load_zones = true;
-			docheckmx = false;
-			docheckns = false;
-			dochecksrv = false;
-			break;
-
-		case '?':
-			if (isc_commandline_option != '?') {
-				fprintf(stderr, "%s: invalid argument -%c\n",
-					program, isc_commandline_option);
-			}
-		/* FALLTHROUGH */
-		case 'h':
-			usage();
-
-		default:
-			fprintf(stderr, "%s: unhandled option -%c\n", program,
-				isc_commandline_option);
-			exit(1);
-		}
-	}
-
-	if (((flags & CFG_PRINTER_XKEY) != 0) && !print) {
-		fprintf(stderr, "%s: -x cannot be used without -p\n", program);
-		exit(1);
-	}
-	if (print && list_zones) {
-		fprintf(stderr, "%s: -l cannot be used with -p\n", program);
+	if (dns_c_parse_namedconf(conffile, mctx, &configctx, &callbacks) !=
+	    ISC_R_SUCCESS) {
 		exit(1);
 	}
 
-	if (isc_commandline_index + 1 < argc) {
-		usage();
-	}
-	if (argv[isc_commandline_index] != NULL) {
-		conffile = argv[isc_commandline_index];
-	}
-	if (conffile == NULL || conffile[0] == '\0') {
-		conffile = NAMED_CONFFILE;
-	}
+	dns_c_ctx_delete(&configctx);
 
-	RUNTIME_CHECK(setup_logging(mctx, stdout, &logc) == ISC_R_SUCCESS);
-
-	RUNTIME_CHECK(cfg_parser_create(mctx, logc, &parser) == ISC_R_SUCCESS);
-
-	if (nodeprecate) {
-		cfg_parser_setflags(parser, CFG_PCTX_NODEPRECATED, true);
-	}
-	cfg_parser_setcallback(parser, directory_callback, NULL);
-
-	if (cfg_parse_file(parser, conffile, &cfg_type_namedconf, &config) !=
-	    ISC_R_SUCCESS)
-	{
-		exit(1);
-	}
-
-	result = bind9_check_namedconf(config, loadplugins, logc, mctx);
-	if (result != ISC_R_SUCCESS) {
-		exit_status = 1;
-	}
-
-	if (result == ISC_R_SUCCESS && (load_zones || list_zones)) {
-		result = load_zones_fromconfig(config, mctx, list_zones);
-		if (result != ISC_R_SUCCESS) {
-			exit_status = 1;
-		}
-	}
-
-	if (print && exit_status == 0) {
-		cfg_printx(config, flags, output, NULL);
-	}
-	cfg_obj_destroy(parser, &config);
-
-	cfg_parser_destroy(&parser);
-
-	isc_log_destroy(&logc);
+	isc_log_destroy(&log);
 
 	isc_mem_destroy(&mctx);
 
-	return (exit_status);
+	return (0);
 }

bin/check/named-checkconf.rst

@@ -1,105 +0,0 @@
-.. 
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-   
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, you can obtain one at https://mozilla.org/MPL/2.0/.
-   
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-..
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-
-.. highlight: console
-
-.. _man_named-checkconf:
-
-named-checkconf - named configuration file syntax checking tool
----------------------------------------------------------------
-
-Synopsis
-~~~~~~~~
-
-:program:`named-checkconf` [**-chjlvz**] [**-p** [**-x** ]] [**-t** directory] {filename}
-
-Description
-~~~~~~~~~~~
-
-``named-checkconf`` checks the syntax, but not the semantics, of a
-``named`` configuration file. The file, along with all files included by it, is parsed and checked for syntax
-errors. If no file is specified,
-``/etc/named.conf`` is read by default.
-
-Note: files that ``named`` reads in separate parser contexts, such as
-``rndc.key`` and ``bind.keys``, are not automatically read by
-``named-checkconf``. Configuration errors in these files may cause
-``named`` to fail to run, even if ``named-checkconf`` was successful.
-However, ``named-checkconf`` can be run on these files explicitly.
-
-Options
-~~~~~~~
-
-``-h``
-   This option prints the usage summary and exits.
-
-``-j``
-   When loading a zonefile, this option instructs ``named`` to read the journal if it exists.
-
-``-l``
-   This option lists all the configured zones. Each line of output contains the zone
-   name, class (e.g. IN), view, and type (e.g. primary or secondary).
-
-``-c``
-   This option specifies that only the "core" configuration should be checked. This suppresses the loading of
-   plugin modules, and causes all parameters to ``plugin`` statements to
-   be ignored.
-
-``-i``
-   This option ignores warnings on deprecated options.
-
-``-p``
-   This option prints out the ``named.conf`` and included files in canonical form if
-   no errors were detected. See also the ``-x`` option.
-
-``-t directory``
-   This option instructs ``named`` to chroot to ``directory``, so that ``include`` directives in the
-   configuration file are processed as if run by a similarly chrooted
-   ``named``.
-
-``-v``
-   This option prints the version of the ``named-checkconf`` program and exits.
-
-``-x``
-   When printing the configuration files in canonical form, this option obscures
-   shared secrets by replacing them with strings of question marks
-   (``?``). This allows the contents of ``named.conf`` and related files
-   to be shared - for example, when submitting bug reports -
-   without compromising private data. This option cannot be used without
-   ``-p``.
-
-``-z``
-   This option performs a test load of all zones of type ``primary`` found in ``named.conf``.
-
-``filename``
-   This indicates the name of the configuration file to be checked. If not specified,
-   it defaults to ``/etc/named.conf``.
-
-Return Values
-~~~~~~~~~~~~~
-
-``named-checkconf`` returns an exit status of 1 if errors were detected
-and 0 otherwise.
-
-See Also
-~~~~~~~~
-
-:manpage:`named(8)`, :manpage:`named-checkzone(8)`, BIND 9 Administrator Reference Manual.

bin/check/named-checkzone.c

@@ -1,30 +1,31 @@
 /*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
  *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
+ * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+ * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/*! \file */
+/* $Id: named-checkzone.c,v 1.6.2.2 2001/01/11 18:30:28 gson Exp $ */
+
+#include <config.h>
 
-#include <inttypes.h>
-#include <stdbool.h>
 #include <stdlib.h>
 
 #include <isc/app.h>
-#include <isc/attributes.h>
 #include <isc/commandline.h>
-#include <isc/dir.h>
-#include <isc/file.h>
-#include <isc/hash.h>
 #include <isc/log.h>
 #include <isc/mem.h>
-#include <isc/print.h>
-#include <isc/result.h>
+#include <isc/socket.h>
 #include <isc/string.h>
 #include <isc/task.h>
 #include <isc/timer.h>
@@ -33,534 +34,136 @@
 #include <dns/db.h>
 #include <dns/fixedname.h>
 #include <dns/log.h>
-#include <dns/master.h>
-#include <dns/masterdump.h>
-#include <dns/name.h>
 #include <dns/rdataclass.h>
 #include <dns/rdataset.h>
-#include <dns/types.h>
+#include <dns/result.h>
 #include <dns/zone.h>
 
 #include "check-tool.h"
 
+static int debug = 0;
 static int quiet = 0;
 static isc_mem_t *mctx = NULL;
 dns_zone_t *zone = NULL;
-dns_zonetype_t zonetype = dns_zone_primary;
-static int dumpzone = 0;
-static const char *output_filename;
-static const char *prog_name = NULL;
-static const dns_master_style_t *outputstyle = NULL;
-static enum { progmode_check, progmode_compile } progmode;
+dns_zonetype_t zonetype = dns_zone_master;
+static const char *dbtype[] = { "rbt" };
 
-#define ERRRET(result, function)                                              \
-	do {                                                                  \
-		if (result != ISC_R_SUCCESS) {                                \
-			if (!quiet)                                           \
-				fprintf(stderr, "%s() returned %s\n",         \
-					function, isc_result_totext(result)); \
-			return (result);                                      \
-		}                                                             \
+#define ERRRET(result, function) \
+	do { \
+		if (result != ISC_R_SUCCESS) { \
+			if (!quiet) \
+				fprintf(stderr, "%s() returned %s\n", \
+					function, dns_result_totext(result)); \
+			return (result); \
+		} \
 	} while (0)
 
-ISC_NORETURN static void
-usage(void);
-
 static void
 usage(void) {
 	fprintf(stderr,
-		"usage: %s [-djqvD] [-c class] "
-		"[-f inputformat] [-F outputformat] [-J filename] "
-		"[-s (full|relative)] [-t directory] [-w directory] "
-		"[-k (ignore|warn|fail)] [-m (ignore|warn|fail)] "
-		"[-n (ignore|warn|fail)] [-r (ignore|warn|fail)] "
-		"[-i (full|full-sibling|local|local-sibling|none)] "
-		"[-M (ignore|warn|fail)] [-S (ignore|warn|fail)] "
-		"[-W (ignore|warn)] "
-		"%s zonename [ (filename|-) ]\n",
-		prog_name,
-		progmode == progmode_check ? "[-o filename]" : "-o filename");
+		"usage: named-checkzone [-dq] [-c class] zone [filename]\n");
 	exit(1);
 }
 
+static isc_result_t
+setup(char *zonename, char *filename, char *classname) {
+	isc_result_t result;
+	dns_rdataclass_t rdclass;
+	isc_textregion_t region;
+	isc_buffer_t buffer;
+	dns_fixedname_t fixorigin;
+	dns_name_t *origin;
+
+	if (debug)
+		fprintf(stderr, "loading \"%s\" from \"%s\" class \"%s\"\n",
+			zonename, filename, classname);
+	result = dns_zone_create(&zone, mctx);
+	ERRRET(result, "dns_zone_new");
+
+	dns_zone_settype(zone, zonetype);
+
+	isc_buffer_init(&buffer, zonename, strlen(zonename));
+	isc_buffer_add(&buffer, strlen(zonename));
+	dns_fixedname_init(&fixorigin);
+	result = dns_name_fromtext(dns_fixedname_name(&fixorigin),
+			  	   &buffer, dns_rootname, ISC_FALSE, NULL);
+	ERRRET(result, "dns_name_fromtext");
+	origin = dns_fixedname_name(&fixorigin);
+
+	result = dns_zone_setorigin(zone, origin);
+	ERRRET(result, "dns_zone_setorigin");
+
+	result = dns_zone_setdbtype(zone, 1, (const char * const *) dbtype);
+	ERRRET(result, "dns_zone_setdatabase");
+
+	result = dns_zone_setfile(zone, filename);
+	ERRRET(result, "dns_zone_setdatabase");
+
+	region.base = classname;
+	region.length = strlen(classname);
+	result = dns_rdataclass_fromtext(&rdclass, &region);
+	ERRRET(result, "dns_rdataclass_fromtext");
+
+	dns_zone_setclass(zone, rdclass);
+
+	result = dns_zone_load(zone);
+
+	return (result);
+}
+
 static void
 destroy(void) {
-	if (zone != NULL) {
+	if (zone != NULL)
 		dns_zone_detach(&zone);
-	}
 }
 
-/*% main processing routine */
 int
 main(int argc, char **argv) {
 	int c;
 	char *origin = NULL;
-	const char *filename = NULL;
+	char *filename = NULL;
+	char *classname;
 	isc_log_t *lctx = NULL;
 	isc_result_t result;
 	char classname_in[] = "IN";
-	char *classname = classname_in;
-	const char *workdir = NULL;
-	const char *inputformatstr = NULL;
-	const char *outputformatstr = NULL;
-	dns_masterformat_t inputformat = dns_masterformat_text;
-	dns_masterformat_t outputformat = dns_masterformat_text;
-	dns_masterrawheader_t header;
-	uint32_t rawversion = 1, serialnum = 0;
-	dns_ttl_t maxttl = 0;
-	bool snset = false;
-	bool logdump = false;
-	FILE *errout = stdout;
-	char *endp;
 
-	/*
-	 * Uncomment the following line if memory debugging is needed:
-	 * isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
-	 */
+	classname = classname_in;
 
-	outputstyle = &dns_master_style_full;
-
-	prog_name = strrchr(argv[0], '/');
-	if (prog_name == NULL) {
-		prog_name = strrchr(argv[0], '\\');
-	}
-	if (prog_name != NULL) {
-		prog_name++;
-	} else {
-		prog_name = argv[0];
-	}
-	/*
-	 * Libtool doesn't preserve the program name prior to final
-	 * installation.  Remove the libtool prefix ("lt-").
-	 */
-	if (strncmp(prog_name, "lt-", 3) == 0) {
-		prog_name += 3;
-	}
-
-#define PROGCMP(X) \
-	(strcasecmp(prog_name, X) == 0 || strcasecmp(prog_name, X ".exe") == 0)
-
-	if (PROGCMP("named-checkzone")) {
-		progmode = progmode_check;
-	} else if (PROGCMP("named-compilezone")) {
-		progmode = progmode_compile;
-	} else {
-		INSIST(0);
-		ISC_UNREACHABLE();
-	}
-
-	/* Compilation specific defaults */
-	if (progmode == progmode_compile) {
-		zone_options |= (DNS_ZONEOPT_CHECKNS | DNS_ZONEOPT_FATALNS |
-				 DNS_ZONEOPT_CHECKSPF | DNS_ZONEOPT_CHECKDUPRR |
-				 DNS_ZONEOPT_CHECKNAMES |
-				 DNS_ZONEOPT_CHECKNAMESFAIL |
-				 DNS_ZONEOPT_CHECKWILDCARD);
-	} else {
-		zone_options |= (DNS_ZONEOPT_CHECKDUPRR | DNS_ZONEOPT_CHECKSPF);
-	}
-
-#define ARGCMP(X) (strcmp(isc_commandline_argument, X) == 0)
-
-	isc_commandline_errprint = false;
-
-	while ((c = isc_commandline_parse(argc, argv,
-					  "c:df:hi:jJ:k:L:l:m:n:qr:s:t:o:vw:DF:"
-					  "M:S:T:W:")) != EOF)
-	{
+	while ((c = isc_commandline_parse(argc, argv, "c:dqs")) != EOF) {
 		switch (c) {
 		case 'c':
 			classname = isc_commandline_argument;
 			break;
-
 		case 'd':
 			debug++;
 			break;
-
-		case 'i':
-			if (ARGCMP("full")) {
-				zone_options |= DNS_ZONEOPT_CHECKINTEGRITY |
-						DNS_ZONEOPT_CHECKSIBLING;
-				docheckmx = true;
-				docheckns = true;
-				dochecksrv = true;
-			} else if (ARGCMP("full-sibling")) {
-				zone_options |= DNS_ZONEOPT_CHECKINTEGRITY;
-				zone_options &= ~DNS_ZONEOPT_CHECKSIBLING;
-				docheckmx = true;
-				docheckns = true;
-				dochecksrv = true;
-			} else if (ARGCMP("local")) {
-				zone_options |= DNS_ZONEOPT_CHECKINTEGRITY;
-				zone_options |= DNS_ZONEOPT_CHECKSIBLING;
-				docheckmx = false;
-				docheckns = false;
-				dochecksrv = false;
-			} else if (ARGCMP("local-sibling")) {
-				zone_options |= DNS_ZONEOPT_CHECKINTEGRITY;
-				zone_options &= ~DNS_ZONEOPT_CHECKSIBLING;
-				docheckmx = false;
-				docheckns = false;
-				dochecksrv = false;
-			} else if (ARGCMP("none")) {
-				zone_options &= ~DNS_ZONEOPT_CHECKINTEGRITY;
-				zone_options &= ~DNS_ZONEOPT_CHECKSIBLING;
-				docheckmx = false;
-				docheckns = false;
-				dochecksrv = false;
-			} else {
-				fprintf(stderr, "invalid argument to -i: %s\n",
-					isc_commandline_argument);
-				exit(1);
-			}
-			break;
-
-		case 'f':
-			inputformatstr = isc_commandline_argument;
-			break;
-
-		case 'F':
-			outputformatstr = isc_commandline_argument;
-			break;
-
-		case 'j':
-			nomerge = false;
-			break;
-
-		case 'J':
-			journal = isc_commandline_argument;
-			nomerge = false;
-			break;
-
-		case 'k':
-			if (ARGCMP("warn")) {
-				zone_options |= DNS_ZONEOPT_CHECKNAMES;
-				zone_options &= ~DNS_ZONEOPT_CHECKNAMESFAIL;
-			} else if (ARGCMP("fail")) {
-				zone_options |= DNS_ZONEOPT_CHECKNAMES |
-						DNS_ZONEOPT_CHECKNAMESFAIL;
-			} else if (ARGCMP("ignore")) {
-				zone_options &= ~(DNS_ZONEOPT_CHECKNAMES |
-						  DNS_ZONEOPT_CHECKNAMESFAIL);
-			} else {
-				fprintf(stderr, "invalid argument to -k: %s\n",
-					isc_commandline_argument);
-				exit(1);
-			}
-			break;
-
-		case 'L':
-			snset = true;
-			endp = NULL;
-			serialnum = strtol(isc_commandline_argument, &endp, 0);
-			if (*endp != '\0') {
-				fprintf(stderr, "source serial number "
-						"must be numeric");
-				exit(1);
-			}
-			break;
-
-		case 'l':
-			zone_options |= DNS_ZONEOPT_CHECKTTL;
-			endp = NULL;
-			maxttl = strtol(isc_commandline_argument, &endp, 0);
-			if (*endp != '\0') {
-				fprintf(stderr, "maximum TTL "
-						"must be numeric");
-				exit(1);
-			}
-			break;
-
-		case 'n':
-			if (ARGCMP("ignore")) {
-				zone_options &= ~(DNS_ZONEOPT_CHECKNS |
-						  DNS_ZONEOPT_FATALNS);
-			} else if (ARGCMP("warn")) {
-				zone_options |= DNS_ZONEOPT_CHECKNS;
-				zone_options &= ~DNS_ZONEOPT_FATALNS;
-			} else if (ARGCMP("fail")) {
-				zone_options |= DNS_ZONEOPT_CHECKNS |
-						DNS_ZONEOPT_FATALNS;
-			} else {
-				fprintf(stderr, "invalid argument to -n: %s\n",
-					isc_commandline_argument);
-				exit(1);
-			}
-			break;
-
-		case 'm':
-			if (ARGCMP("warn")) {
-				zone_options |= DNS_ZONEOPT_CHECKMX;
-				zone_options &= ~DNS_ZONEOPT_CHECKMXFAIL;
-			} else if (ARGCMP("fail")) {
-				zone_options |= DNS_ZONEOPT_CHECKMX |
-						DNS_ZONEOPT_CHECKMXFAIL;
-			} else if (ARGCMP("ignore")) {
-				zone_options &= ~(DNS_ZONEOPT_CHECKMX |
-						  DNS_ZONEOPT_CHECKMXFAIL);
-			} else {
-				fprintf(stderr, "invalid argument to -m: %s\n",
-					isc_commandline_argument);
-				exit(1);
-			}
-			break;
-
-		case 'o':
-			output_filename = isc_commandline_argument;
-			break;
-
 		case 'q':
 			quiet++;
 			break;
-
-		case 'r':
-			if (ARGCMP("warn")) {
-				zone_options |= DNS_ZONEOPT_CHECKDUPRR;
-				zone_options &= ~DNS_ZONEOPT_CHECKDUPRRFAIL;
-			} else if (ARGCMP("fail")) {
-				zone_options |= DNS_ZONEOPT_CHECKDUPRR |
-						DNS_ZONEOPT_CHECKDUPRRFAIL;
-			} else if (ARGCMP("ignore")) {
-				zone_options &= ~(DNS_ZONEOPT_CHECKDUPRR |
-						  DNS_ZONEOPT_CHECKDUPRRFAIL);
-			} else {
-				fprintf(stderr, "invalid argument to -r: %s\n",
-					isc_commandline_argument);
-				exit(1);
-			}
-			break;
-
-		case 's':
-			if (ARGCMP("full")) {
-				outputstyle = &dns_master_style_full;
-			} else if (ARGCMP("relative")) {
-				outputstyle = &dns_master_style_default;
-			} else {
-				fprintf(stderr,
-					"unknown or unsupported style: %s\n",
-					isc_commandline_argument);
-				exit(1);
-			}
-			break;
-
-		case 't':
-			result = isc_dir_chroot(isc_commandline_argument);
-			if (result != ISC_R_SUCCESS) {
-				fprintf(stderr, "isc_dir_chroot: %s: %s\n",
-					isc_commandline_argument,
-					isc_result_totext(result));
-				exit(1);
-			}
-			break;
-
-		case 'v':
-			printf("%s\n", PACKAGE_VERSION);
-			exit(0);
-
-		case 'w':
-			workdir = isc_commandline_argument;
-			break;
-
-		case 'D':
-			dumpzone++;
-			break;
-
-		case 'M':
-			if (ARGCMP("fail")) {
-				zone_options &= ~DNS_ZONEOPT_WARNMXCNAME;
-				zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME;
-			} else if (ARGCMP("warn")) {
-				zone_options |= DNS_ZONEOPT_WARNMXCNAME;
-				zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME;
-			} else if (ARGCMP("ignore")) {
-				zone_options |= DNS_ZONEOPT_WARNMXCNAME;
-				zone_options |= DNS_ZONEOPT_IGNOREMXCNAME;
-			} else {
-				fprintf(stderr, "invalid argument to -M: %s\n",
-					isc_commandline_argument);
-				exit(1);
-			}
-			break;
-
-		case 'S':
-			if (ARGCMP("fail")) {
-				zone_options &= ~DNS_ZONEOPT_WARNSRVCNAME;
-				zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME;
-			} else if (ARGCMP("warn")) {
-				zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
-				zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME;
-			} else if (ARGCMP("ignore")) {
-				zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
-				zone_options |= DNS_ZONEOPT_IGNORESRVCNAME;
-			} else {
-				fprintf(stderr, "invalid argument to -S: %s\n",
-					isc_commandline_argument);
-				exit(1);
-			}
-			break;
-
-		case 'T':
-			if (ARGCMP("warn")) {
-				zone_options |= DNS_ZONEOPT_CHECKSPF;
-			} else if (ARGCMP("ignore")) {
-				zone_options &= ~DNS_ZONEOPT_CHECKSPF;
-			} else {
-				fprintf(stderr, "invalid argument to -T: %s\n",
-					isc_commandline_argument);
-				exit(1);
-			}
-			break;
-
-		case 'W':
-			if (ARGCMP("warn")) {
-				zone_options |= DNS_ZONEOPT_CHECKWILDCARD;
-			} else if (ARGCMP("ignore")) {
-				zone_options &= ~DNS_ZONEOPT_CHECKWILDCARD;
-			}
-			break;
-
-		case '?':
-			if (isc_commandline_option != '?') {
-				fprintf(stderr, "%s: invalid argument -%c\n",
-					prog_name, isc_commandline_option);
-			}
-		/* FALLTHROUGH */
-		case 'h':
-			usage();
-
 		default:
-			fprintf(stderr, "%s: unhandled option -%c\n", prog_name,
-				isc_commandline_option);
-			exit(1);
-		}
-	}
-
-	if (workdir != NULL) {
-		result = isc_dir_chdir(workdir);
-		if (result != ISC_R_SUCCESS) {
-			fprintf(stderr, "isc_dir_chdir: %s: %s\n", workdir,
-				isc_result_totext(result));
-			exit(1);
-		}
-	}
-
-	if (inputformatstr != NULL) {
-		if (strcasecmp(inputformatstr, "text") == 0) {
-			inputformat = dns_masterformat_text;
-		} else if (strcasecmp(inputformatstr, "raw") == 0) {
-			inputformat = dns_masterformat_raw;
-		} else if (strncasecmp(inputformatstr, "raw=", 4) == 0) {
-			inputformat = dns_masterformat_raw;
-			fprintf(stderr, "WARNING: input format raw, version "
-					"ignored\n");
-		} else {
-			fprintf(stderr, "unknown file format: %s\n",
-				inputformatstr);
-			exit(1);
-		}
-	}
-
-	if (outputformatstr != NULL) {
-		if (strcasecmp(outputformatstr, "text") == 0) {
-			outputformat = dns_masterformat_text;
-		} else if (strcasecmp(outputformatstr, "raw") == 0) {
-			outputformat = dns_masterformat_raw;
-		} else if (strncasecmp(outputformatstr, "raw=", 4) == 0) {
-			char *end;
-
-			outputformat = dns_masterformat_raw;
-			rawversion = strtol(outputformatstr + 4, &end, 10);
-			if (end == outputformatstr + 4 || *end != '\0' ||
-			    rawversion > 1U) {
-				fprintf(stderr, "unknown raw format version\n");
-				exit(1);
-			}
-		} else {
-			fprintf(stderr, "unknown file format: %s\n",
-				outputformatstr);
-			exit(1);
-		}
-	}
-
-	if (progmode == progmode_compile) {
-		dumpzone = 1; /* always dump */
-		logdump = !quiet;
-		if (output_filename == NULL) {
-			fprintf(stderr, "output file required, but not "
-					"specified\n");
 			usage();
 		}
 	}
 
-	if (output_filename != NULL) {
-		dumpzone = 1;
-	}
-
-	/*
-	 * If we are printing to stdout then send the informational
-	 * output to stderr.
-	 */
-	if (dumpzone &&
-	    (output_filename == NULL || strcmp(output_filename, "-") == 0 ||
-	     strcmp(output_filename, "/dev/fd/1") == 0 ||
-	     strcmp(output_filename, "/dev/stdout") == 0))
-	{
-		errout = stderr;
-		logdump = false;
-	}
-
-	if (argc - isc_commandline_index < 1 ||
-	    argc - isc_commandline_index > 2) {
+	if (argv[isc_commandline_index] == NULL)
 		usage();
-	}
 
-	isc_mem_create(&mctx);
-	if (!quiet) {
-		RUNTIME_CHECK(setup_logging(mctx, errout, &lctx) ==
-			      ISC_R_SUCCESS);
-	}
-
-	origin = argv[isc_commandline_index++];
-
-	if (isc_commandline_index == argc) {
-		/* "-" will be interpreted as stdin */
-		filename = "-";
-	} else {
-		filename = argv[isc_commandline_index];
-	}
+	RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
+	if (!quiet)
+		RUNTIME_CHECK(setup_logging(mctx, &lctx) == ISC_R_SUCCESS);
 
+	origin = argv[isc_commandline_index];
 	isc_commandline_index++;
-
-	result = load_zone(mctx, origin, filename, inputformat, classname,
-			   maxttl, &zone);
-
-	if (snset) {
-		dns_master_initrawheader(&header);
-		header.flags = DNS_MASTERRAW_SOURCESERIALSET;
-		header.sourceserial = serialnum;
-		dns_zone_setrawdata(zone, &header);
-	}
-
-	if (result == ISC_R_SUCCESS && dumpzone) {
-		if (logdump) {
-			fprintf(errout, "dump zone to %s...", output_filename);
-			fflush(errout);
-		}
-		result = dump_zone(origin, zone, output_filename, outputformat,
-				   outputstyle, rawversion);
-		if (logdump) {
-			fprintf(errout, "done\n");
-		}
-	}
-
-	if (!quiet && result == ISC_R_SUCCESS) {
-		fprintf(errout, "OK\n");
-	}
+	if (argv[isc_commandline_index] != NULL)
+		filename = argv[isc_commandline_index];
+	else
+		filename = origin;
+	result = setup(origin, filename, (char *)classname);
+	if (!quiet && result == ISC_R_SUCCESS)
+		fprintf(stdout, "OK\n");
 	destroy();
-	if (lctx != NULL) {
+	if (lctx != NULL)
 		isc_log_destroy(&lctx);
-	}
 	isc_mem_destroy(&mctx);
-
 	return ((result == ISC_R_SUCCESS) ? 0 : 1);
 }

bin/check/named-checkzone.rst

@@ -1,212 +0,0 @@
-.. 
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-   
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, you can obtain one at https://mozilla.org/MPL/2.0/.
-   
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-..
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-
-.. highlight: console
-
-named-checkzone, named-compilezone - zone file validity checking or converting tool
------------------------------------------------------------------------------------
-
-Synopsis
-~~~~~~~~
-
-:program:`named-checkzone` [**-d**] [**-h**] [**-j**] [**-q**] [**-v**] [**-c** class] [**-f** format] [**-F** format] [**-J** filename] [**-i** mode] [**-k** mode] [**-m** mode] [**-M** mode] [**-n** mode] [**-l** ttl] [**-L** serial] [**-o** filename] [**-r** mode] [**-s** style] [**-S** mode] [**-t** directory] [**-T** mode] [**-w** directory] [**-D**] [**-W** mode] {zonename} {filename}
-
-:program:`named-compilezone` [**-d**] [**-j**] [**-q**] [**-v**] [**-c** class] [**-C** mode] [**-f** format] [**-F** format] [**-J** filename] [**-i** mode] [**-k** mode] [**-m** mode] [**-n** mode] [**-l** ttl] [**-L** serial] [**-r** mode] [**-s** style] [**-t** directory] [**-T** mode] [**-w** directory] [**-D**] [**-W** mode] {**-o** filename} {zonename} {filename}
-
-Description
-~~~~~~~~~~~
-
-``named-checkzone`` checks the syntax and integrity of a zone file. It
-performs the same checks as ``named`` does when loading a zone. This
-makes ``named-checkzone`` useful for checking zone files before
-configuring them into a name server.
-
-``named-compilezone`` is similar to ``named-checkzone``, but it always
-dumps the zone contents to a specified file in a specified format.
-It also applies stricter check levels by default, since the
-dump output is used as an actual zone file loaded by ``named``.
-When manually specified otherwise, the check levels must at least be as
-strict as those specified in the ``named`` configuration file.
-
-Options
-~~~~~~~
-
-``-d``
-   This option enables debugging.
-
-``-h``
-   This option prints the usage summary and exits.
-
-``-q``
-   This option sets quiet mode, which only sets an exit code to indicate
-   successful or failed completion.
-
-``-v``
-   This option prints the version of the ``named-checkzone`` program and exits.
-
-``-j``
-   When loading a zone file, this option tells ``named`` to read the journal if it exists. The journal
-   file name is assumed to be the zone file name with the
-   string ``.jnl`` appended.
-
-``-J filename``
-   When loading the zone file, this option tells ``named`` to read the journal from the given file, if
-   it exists. This implies ``-j``.
-
-``-c class``
-   This option specifies the class of the zone. If not specified, ``IN`` is assumed.
-
-``-i mode``
-   This option performs post-load zone integrity checks. Possible modes are
-   ``full`` (the default), ``full-sibling``, ``local``,
-   ``local-sibling``, and ``none``.
-
-   Mode ``full`` checks that MX records refer to A or AAAA records
-   (both in-zone and out-of-zone hostnames). Mode ``local`` only
-   checks MX records which refer to in-zone hostnames.
-
-   Mode ``full`` checks that SRV records refer to A or AAAA records
-   (both in-zone and out-of-zone hostnames). Mode ``local`` only
-   checks SRV records which refer to in-zone hostnames.
-
-   Mode ``full`` checks that delegation NS records refer to A or AAAA
-   records (both in-zone and out-of-zone hostnames). It also checks that
-   glue address records in the zone match those advertised by the child.
-   Mode ``local`` only checks NS records which refer to in-zone
-   hostnames or verifies that some required glue exists, i.e., when the
-   name server is in a child zone.
-
-   Modes ``full-sibling`` and ``local-sibling`` disable sibling glue
-   checks, but are otherwise the same as ``full`` and ``local``,
-   respectively.
-
-   Mode ``none`` disables the checks.
-
-``-f format``
-   This option specifies the format of the zone file. Possible formats are
-   ``text`` (the default), and ``raw``.
-
-``-F format``
-   This option specifies the format of the output file specified. For
-   ``named-checkzone``, this does not have any effect unless it dumps
-   the zone contents.
-
-   Possible formats are ``text`` (the default), which is the standard
-   textual representation of the zone, and ``raw`` and ``raw=N``, which
-   store the zone in a binary format for rapid loading by ``named``.
-   ``raw=N`` specifies the format version of the raw zone file: if ``N`` is
-   0, the raw file can be read by any version of ``named``; if N is 1, the
-   file can only be read by release 9.9.0 or higher. The default is 1.
-
-``-k mode``
-   This option performs ``check-names`` checks with the specified failure mode.
-   Possible modes are ``fail`` (the default for ``named-compilezone``),
-   ``warn`` (the default for ``named-checkzone``), and ``ignore``.
-
-``-l ttl``
-   This option sets a maximum permissible TTL for the input file. Any record with a
-   TTL higher than this value causes the zone to be rejected. This
-   is similar to using the ``max-zone-ttl`` option in ``named.conf``.
-
-``-L serial``
-   When compiling a zone to ``raw`` format, this option sets the "source
-   serial" value in the header to the specified serial number. This is
-   expected to be used primarily for testing purposes.
-
-``-m mode``
-   This option specifies whether MX records should be checked to see if they are
-   addresses. Possible modes are ``fail``, ``warn`` (the default), and
-   ``ignore``.
-
-``-M mode``
-   This option checks whether a MX record refers to a CNAME. Possible modes are
-   ``fail``, ``warn`` (the default), and ``ignore``.
-
-``-n mode``
-   This option specifies whether NS records should be checked to see if they are
-   addresses. Possible modes are ``fail`` (the default for
-   ``named-compilezone``), ``warn`` (the default for ``named-checkzone``),
-   and ``ignore``.
-
-``-o filename``
-   This option writes the zone output to ``filename``. If ``filename`` is ``-``, then
-   the zone output is written to standard output. This is mandatory for ``named-compilezone``.
-
-``-r mode``
-   This option checks for records that are treated as different by DNSSEC but are
-   semantically equal in plain DNS. Possible modes are ``fail``,
-   ``warn`` (the default), and ``ignore``.
-
-``-s style``
-   This option specifies the style of the dumped zone file. Possible styles are
-   ``full`` (the default) and ``relative``. The ``full`` format is most
-   suitable for processing automatically by a separate script.
-   The relative format is more human-readable and is thus
-   suitable for editing by hand. For ``named-checkzone``, this does not
-   have any effect unless it dumps the zone contents. It also does not
-   have any meaning if the output format is not text.
-
-``-S mode``
-   This option checks whether an SRV record refers to a CNAME. Possible modes are
-   ``fail``, ``warn`` (the default), and ``ignore``.
-
-``-t directory``
-   This option tells ``named`` to chroot to ``directory``, so that ``include`` directives in the
-   configuration file are processed as if run by a similarly chrooted
-   ``named``.
-
-``-T mode``
-   This option checks whether Sender Policy Framework (SPF) records exist and issues a
-   warning if an SPF-formatted TXT record is not also present. Possible
-   modes are ``warn`` (the default) and ``ignore``.
-
-``-w directory``
-   This option instructs ``named`` to chdir to ``directory``, so that relative filenames in master file
-   ``$INCLUDE`` directives work. This is similar to the directory clause in
-   ``named.conf``.
-
-``-D``
-   This option dumps the zone file in canonical format. This is always enabled for
-   ``named-compilezone``.
-
-``-W mode``
-   This option specifies whether to check for non-terminal wildcards. Non-terminal
-   wildcards are almost always the result of a failure to understand the
-   wildcard matching algorithm (:rfc:`1034`). Possible modes are ``warn``
-   (the default) and ``ignore``.
-
-``zonename``
-   This indicates the domain name of the zone being checked.
-
-``filename``
-   This is the name of the zone file.
-
-Return Values
-~~~~~~~~~~~~~
-
-``named-checkzone`` returns an exit status of 1 if errors were detected
-and 0 otherwise.
-
-See Also
-~~~~~~~~
-
-:manpage:`named(8)`, :manpage:`named-checkconf(8)`, :rfc:`1035`, BIND 9 Administrator Reference
-Manual.

bin/confgen/.gitignore

@@ -1,3 +0,0 @@
-ddns-confgen
-rndc-confgen
-tsig-keygen

bin/confgen/Makefile.am

@@ -1,30 +0,0 @@
-include $(top_srcdir)/Makefile.top
-
-AM_CPPFLAGS +=			\
-	$(LIBISC_CFLAGS)	\
-	$(LIBDNS_CFLAGS)	\
-	-DRNDC_KEYFILE=\"${sysconfdir}/rndc.key\"
-
-LDADD +=			\
-	libconfgen.la		\
-	$(LIBISC_LIBS)		\
-	$(LIBDNS_LIBS)
-
-noinst_LTLIBRARIES = libconfgen.la
-
-libconfgen_la_SOURCES =		\
-	include/confgen/os.h	\
-	keygen.c		\
-	keygen.h		\
-	os.c			\
-	util.c			\
-	util.h
-
-sbin_PROGRAMS = tsig-keygen rndc-confgen
-
-install-exec-hook:
-	ln -f $(DESTDIR)$(sbindir)/tsig-keygen \
-	      $(DESTDIR)$(sbindir)/ddns-confgen
-
-uninstall-hook:
-	-rm -f $(DESTDIR)$(sbindir)/ddns-confgen

bin/confgen/include/.clang-format

@@ -1 +0,0 @@
-../../../.clang-format.headers

bin/confgen/include/confgen/os.h

@@ -1,31 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-/*! \file */
-
-#pragma once
-
-#include <stdio.h>
-
-#include <isc/lang.h>
-
-ISC_LANG_BEGINDECLS
-
-int
-set_user(FILE *fd, const char *user);
-/*%<
- * Set the owner of the file referenced by 'fd' to 'user'.
- * Returns:
- *   0 		success
- *   -1 	insufficient permissions, or 'user' does not exist.
- */
-
-ISC_LANG_ENDDECLS

bin/confgen/keygen.c

@@ -1,199 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-/*! \file */
-
-#include "keygen.h"
-#include <stdarg.h>
-#include <stdlib.h>
-
-#include <isc/base64.h>
-#include <isc/buffer.h>
-#include <isc/file.h>
-#include <isc/mem.h>
-#include <isc/print.h>
-#include <isc/result.h>
-#include <isc/string.h>
-
-#include <dns/keyvalues.h>
-#include <dns/name.h>
-
-#include <dst/dst.h>
-
-#include <confgen/os.h>
-
-#include "util.h"
-
-/*%
- * Convert algorithm type to string.
- */
-const char *
-alg_totext(dns_secalg_t alg) {
-	switch (alg) {
-	case DST_ALG_HMACMD5:
-		return ("hmac-md5");
-	case DST_ALG_HMACSHA1:
-		return ("hmac-sha1");
-	case DST_ALG_HMACSHA224:
-		return ("hmac-sha224");
-	case DST_ALG_HMACSHA256:
-		return ("hmac-sha256");
-	case DST_ALG_HMACSHA384:
-		return ("hmac-sha384");
-	case DST_ALG_HMACSHA512:
-		return ("hmac-sha512");
-	default:
-		return ("(unknown)");
-	}
-}
-
-/*%
- * Convert string to algorithm type.
- */
-dns_secalg_t
-alg_fromtext(const char *name) {
-	const char *p = name;
-	if (strncasecmp(p, "hmac-", 5) == 0) {
-		p = &name[5];
-	}
-
-	if (strcasecmp(p, "md5") == 0) {
-		return (DST_ALG_HMACMD5);
-	}
-	if (strcasecmp(p, "sha1") == 0) {
-		return (DST_ALG_HMACSHA1);
-	}
-	if (strcasecmp(p, "sha224") == 0) {
-		return (DST_ALG_HMACSHA224);
-	}
-	if (strcasecmp(p, "sha256") == 0) {
-		return (DST_ALG_HMACSHA256);
-	}
-	if (strcasecmp(p, "sha384") == 0) {
-		return (DST_ALG_HMACSHA384);
-	}
-	if (strcasecmp(p, "sha512") == 0) {
-		return (DST_ALG_HMACSHA512);
-	}
-	return (DST_ALG_UNKNOWN);
-}
-
-/*%
- * Return default keysize for a given algorithm type.
- */
-int
-alg_bits(dns_secalg_t alg) {
-	switch (alg) {
-	case DST_ALG_HMACMD5:
-		return (128);
-	case DST_ALG_HMACSHA1:
-		return (160);
-	case DST_ALG_HMACSHA224:
-		return (224);
-	case DST_ALG_HMACSHA256:
-		return (256);
-	case DST_ALG_HMACSHA384:
-		return (384);
-	case DST_ALG_HMACSHA512:
-		return (512);
-	default:
-		return (0);
-	}
-}
-
-/*%
- * Generate a key of size 'keysize' and place it in 'key_txtbuffer'
- */
-void
-generate_key(isc_mem_t *mctx, dns_secalg_t alg, int keysize,
-	     isc_buffer_t *key_txtbuffer) {
-	isc_result_t result = ISC_R_SUCCESS;
-	isc_buffer_t key_rawbuffer;
-	isc_region_t key_rawregion;
-	char key_rawsecret[64];
-	dst_key_t *key = NULL;
-
-	switch (alg) {
-	case DST_ALG_HMACMD5:
-	case DST_ALG_HMACSHA1:
-	case DST_ALG_HMACSHA224:
-	case DST_ALG_HMACSHA256:
-		if (keysize < 1 || keysize > 512) {
-			fatal("keysize %d out of range (must be 1-512)\n",
-			      keysize);
-		}
-		break;
-	case DST_ALG_HMACSHA384:
-	case DST_ALG_HMACSHA512:
-		if (keysize < 1 || keysize > 1024) {
-			fatal("keysize %d out of range (must be 1-1024)\n",
-			      keysize);
-		}
-		break;
-	default:
-		fatal("unsupported algorithm %d\n", alg);
-	}
-
-	DO("initialize dst library", dst_lib_init(mctx, NULL));
-
-	DO("generate key",
-	   dst_key_generate(dns_rootname, alg, keysize, 0, 0, DNS_KEYPROTO_ANY,
-			    dns_rdataclass_in, mctx, &key, NULL));
-
-	isc_buffer_init(&key_rawbuffer, &key_rawsecret, sizeof(key_rawsecret));
-
-	DO("dump key to buffer", dst_key_tobuffer(key, &key_rawbuffer));
-
-	isc_buffer_usedregion(&key_rawbuffer, &key_rawregion);
-
-	DO("bsse64 encode secret",
-	   isc_base64_totext(&key_rawregion, -1, "", key_txtbuffer));
-
-	if (key != NULL) {
-		dst_key_free(&key);
-	}
-
-	dst_lib_destroy();
-}
-
-/*%
- * Write a key file to 'keyfile'.  If 'user' is non-NULL,
- * make that user the owner of the file.  The key will have
- * the name 'keyname' and the secret in the buffer 'secret'.
- */
-void
-write_key_file(const char *keyfile, const char *user, const char *keyname,
-	       isc_buffer_t *secret, dns_secalg_t alg) {
-	isc_result_t result;
-	const char *algname = alg_totext(alg);
-	FILE *fd = NULL;
-
-	DO("create keyfile", isc_file_safecreate(keyfile, &fd));
-
-	if (user != NULL) {
-		if (set_user(fd, user) == -1) {
-			fatal("unable to set file owner\n");
-		}
-	}
-
-	fprintf(fd,
-		"key \"%s\" {\n\talgorithm %s;\n"
-		"\tsecret \"%.*s\";\n};\n",
-		keyname, algname, (int)isc_buffer_usedlength(secret),
-		(char *)isc_buffer_base(secret));
-	fflush(fd);
-	if (ferror(fd)) {
-		fatal("write to %s failed\n", keyfile);
-	}
-	if (fclose(fd)) {
-		fatal("fclose(%s) failed\n", keyfile);
-	}
-}

bin/confgen/keygen.h

@@ -1,39 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-#pragma once
-
-/*! \file */
-
-#include <isc/buffer.h>
-#include <isc/lang.h>
-#include <isc/mem.h>
-
-#include <dns/secalg.h>
-
-ISC_LANG_BEGINDECLS
-
-void
-generate_key(isc_mem_t *mctx, dns_secalg_t alg, int keysize,
-	     isc_buffer_t *key_txtbuffer);
-
-void
-write_key_file(const char *keyfile, const char *user, const char *keyname,
-	       isc_buffer_t *secret, dns_secalg_t alg);
-
-const char *
-alg_totext(dns_secalg_t alg);
-dns_secalg_t
-alg_fromtext(const char *name);
-int
-alg_bits(dns_secalg_t alg);
-
-ISC_LANG_ENDDECLS

bin/confgen/os.c

@@ -1,34 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-/*! \file */
-
-#include <errno.h>
-#include <fcntl.h>
-#include <pwd.h>
-#include <stdio.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-#include <unistd.h>
-
-#include <confgen/os.h>
-
-int
-set_user(FILE *fd, const char *user) {
-	struct passwd *pw;
-
-	pw = getpwnam(user);
-	if (pw == NULL) {
-		errno = EINVAL;
-		return (-1);
-	}
-	return (fchown(fileno(fd), pw->pw_uid, -1));
-}

bin/confgen/rndc-confgen.c

@@ -1,292 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-/*! \file */
-
-/**
- * rndc-confgen generates configuration files for rndc. It can be used
- * as a convenient alternative to writing the rndc.conf file and the
- * corresponding controls and key statements in named.conf by hand.
- * Alternatively, it can be run with the -a option to set up a
- * rndc.key file and avoid the need for a rndc.conf file and a
- * controls statement altogether.
- */
-
-#include <stdarg.h>
-#include <stdbool.h>
-#include <stdlib.h>
-
-#include <isc/assertions.h>
-#include <isc/attributes.h>
-#include <isc/base64.h>
-#include <isc/buffer.h>
-#include <isc/commandline.h>
-#include <isc/file.h>
-#include <isc/mem.h>
-#include <isc/net.h>
-#include <isc/print.h>
-#include <isc/result.h>
-#include <isc/string.h>
-#include <isc/time.h>
-#include <isc/util.h>
-
-#include <dns/keyvalues.h>
-#include <dns/name.h>
-
-#include <dst/dst.h>
-
-#include <confgen/os.h>
-
-#include "keygen.h"
-#include "util.h"
-
-#define DEFAULT_KEYNAME "rndc-key"
-#define DEFAULT_SERVER	"127.0.0.1"
-#define DEFAULT_PORT	953
-
-static char program[256];
-const char *progname;
-
-bool verbose = false;
-
-const char *keyfile, *keydef;
-
-ISC_NORETURN static void
-usage(int status);
-
-static void
-usage(int status) {
-	fprintf(stderr, "\
-Usage:\n\
- %s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] \
-[-s addr] [-t chrootdir] [-u user]\n\
-  -a:		 generate just the key clause and write it to keyfile (%s)\n\
-  -A alg:	 algorithm (default hmac-sha256)\n\
-  -b bits:	 from 1 through 512, default 256; total length of the secret\n\
-  -c keyfile:	 specify an alternate key file (requires -a)\n\
-  -k keyname:	 the name as it will be used  in named.conf and rndc.conf\n\
-  -p port:	 the port named will listen on and rndc will connect to\n\
-  -q:		 suppress printing written key path\n\
-  -s addr:	 the address to which rndc should connect\n\
-  -t chrootdir:	 write a keyfile in chrootdir as well (requires -a)\n\
-  -u user:	 set the keyfile owner to \"user\" (requires -a)\n",
-		progname, keydef);
-
-	exit(status);
-}
-
-int
-main(int argc, char **argv) {
-	bool show_final_mem = false;
-	isc_buffer_t key_txtbuffer;
-	char key_txtsecret[256];
-	isc_mem_t *mctx = NULL;
-	isc_result_t result = ISC_R_SUCCESS;
-	const char *keyname = NULL;
-	const char *serveraddr = NULL;
-	dns_secalg_t alg;
-	const char *algname;
-	char *p;
-	int ch;
-	int port;
-	int keysize = -1;
-	struct in_addr addr4_dummy;
-	struct in6_addr addr6_dummy;
-	char *chrootdir = NULL;
-	char *user = NULL;
-	bool keyonly = false;
-	bool quiet = false;
-	int len;
-
-	keydef = keyfile = RNDC_KEYFILE;
-
-	result = isc_file_progname(*argv, program, sizeof(program));
-	if (result != ISC_R_SUCCESS) {
-		memmove(program, "rndc-confgen", 13);
-	}
-	progname = program;
-
-	keyname = DEFAULT_KEYNAME;
-	alg = DST_ALG_HMACSHA256;
-	serveraddr = DEFAULT_SERVER;
-	port = DEFAULT_PORT;
-
-	isc_commandline_errprint = false;
-
-	while ((ch = isc_commandline_parse(argc, argv,
-					   "aA:b:c:hk:Mmp:r:s:t:u:Vy")) != -1)
-	{
-		switch (ch) {
-		case 'a':
-			keyonly = true;
-			break;
-		case 'A':
-			algname = isc_commandline_argument;
-			alg = alg_fromtext(algname);
-			if (alg == DST_ALG_UNKNOWN) {
-				fatal("Unsupported algorithm '%s'", algname);
-			}
-			break;
-		case 'b':
-			keysize = strtol(isc_commandline_argument, &p, 10);
-			if (*p != '\0' || keysize < 0) {
-				fatal("-b requires a non-negative number");
-			}
-			break;
-		case 'c':
-			keyfile = isc_commandline_argument;
-			break;
-		case 'h':
-			usage(0);
-		case 'k':
-		case 'y': /* Compatible with rndc -y. */
-			keyname = isc_commandline_argument;
-			break;
-		case 'M':
-			isc_mem_debugging = ISC_MEM_DEBUGTRACE;
-			break;
-
-		case 'm':
-			show_final_mem = true;
-			break;
-		case 'p':
-			port = strtol(isc_commandline_argument, &p, 10);
-			if (*p != '\0' || port < 0 || port > 65535) {
-				fatal("port '%s' out of range",
-				      isc_commandline_argument);
-			}
-			break;
-		case 'q':
-			quiet = true;
-			break;
-		case 'r':
-			fatal("The -r option has been deprecated.");
-			break;
-		case 's':
-			serveraddr = isc_commandline_argument;
-			if (inet_pton(AF_INET, serveraddr, &addr4_dummy) != 1 &&
-			    inet_pton(AF_INET6, serveraddr, &addr6_dummy) != 1)
-			{
-				fatal("-s should be an IPv4 or IPv6 address");
-			}
-			break;
-		case 't':
-			chrootdir = isc_commandline_argument;
-			break;
-		case 'u':
-			user = isc_commandline_argument;
-			break;
-		case 'V':
-			verbose = true;
-			break;
-		case '?':
-			if (isc_commandline_option != '?') {
-				fprintf(stderr, "%s: invalid argument -%c\n",
-					program, isc_commandline_option);
-				usage(1);
-			} else {
-				usage(0);
-			}
-			break;
-		default:
-			fprintf(stderr, "%s: unhandled option -%c\n", program,
-				isc_commandline_option);
-			exit(1);
-		}
-	}
-
-	argc -= isc_commandline_index;
-	argv += isc_commandline_index;
-	POST(argv);
-
-	if (argc > 0) {
-		usage(1);
-	}
-
-	if (alg == DST_ALG_HMACMD5) {
-		fprintf(stderr, "warning: use of hmac-md5 for RNDC keys "
-				"is deprecated; hmac-sha256 is now "
-				"recommended.\n");
-	}
-
-	if (keysize < 0) {
-		keysize = alg_bits(alg);
-	}
-	algname = alg_totext(alg);
-
-	isc_mem_create(&mctx);
-	isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));
-
-	generate_key(mctx, alg, keysize, &key_txtbuffer);
-
-	if (keyonly) {
-		write_key_file(keyfile, chrootdir == NULL ? user : NULL,
-			       keyname, &key_txtbuffer, alg);
-		if (!quiet) {
-			printf("wrote key file \"%s\"\n", keyfile);
-		}
-
-		if (chrootdir != NULL) {
-			char *buf;
-			len = strlen(chrootdir) + strlen(keyfile) + 2;
-			buf = isc_mem_get(mctx, len);
-			snprintf(buf, len, "%s%s%s", chrootdir,
-				 (*keyfile != '/') ? "/" : "", keyfile);
-
-			write_key_file(buf, user, keyname, &key_txtbuffer, alg);
-			if (!quiet) {
-				printf("wrote key file \"%s\"\n", buf);
-			}
-			isc_mem_put(mctx, buf, len);
-		}
-	} else {
-		printf("\
-# Start of rndc.conf\n\
-key \"%s\" {\n\
-	algorithm %s;\n\
-	secret \"%.*s\";\n\
-};\n\
-\n\
-options {\n\
-	default-key \"%s\";\n\
-	default-server %s;\n\
-	default-port %d;\n\
-};\n\
-# End of rndc.conf\n\
-\n\
-# Use with the following in named.conf, adjusting the allow list as needed:\n\
-# key \"%s\" {\n\
-# 	algorithm %s;\n\
-# 	secret \"%.*s\";\n\
-# };\n\
-# \n\
-# controls {\n\
-# 	inet %s port %d\n\
-# 		allow { %s; } keys { \"%s\"; };\n\
-# };\n\
-# End of named.conf\n",
-		       keyname, algname,
-		       (int)isc_buffer_usedlength(&key_txtbuffer),
-		       (char *)isc_buffer_base(&key_txtbuffer), keyname,
-		       serveraddr, port, keyname, algname,
-		       (int)isc_buffer_usedlength(&key_txtbuffer),
-		       (char *)isc_buffer_base(&key_txtbuffer), serveraddr,
-		       port, serveraddr, keyname);
-	}
-
-	if (show_final_mem) {
-		isc_mem_stats(mctx, stderr);
-	}
-
-	isc_mem_destroy(&mctx);
-
-	return (0);
-}

bin/confgen/rndc-confgen.rst

@@ -1,119 +0,0 @@
-.. 
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-   
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, you can obtain one at https://mozilla.org/MPL/2.0/.
-   
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-..
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-
-.. highlight: console
-
-.. _man_rndc-confgen:
-
-rndc-confgen - rndc key generation tool
----------------------------------------
-
-Synopsis
-~~~~~~~~
-
-:program:`rndc-confgen` [**-a**] [**-A** algorithm] [**-b** keysize] [**-c** keyfile] [**-h**] [**-k** keyname] [**-p** port] [**-s** address] [**-t** chrootdir] [**-u** user]
-
-Description
-~~~~~~~~~~~
-
-``rndc-confgen`` generates configuration files for ``rndc``. It can be
-used as a convenient alternative to writing the ``rndc.conf`` file and
-the corresponding ``controls`` and ``key`` statements in ``named.conf``
-by hand. Alternatively, it can be run with the ``-a`` option to set up a
-``rndc.key`` file and avoid the need for a ``rndc.conf`` file and a
-``controls`` statement altogether.
-
-Options
-~~~~~~~
-
-``-a``
-   This option sets automatic ``rndc`` configuration, which creates a file ``rndc.key``
-   in ``/etc`` (or a different ``sysconfdir`` specified when BIND
-   was built) that is read by both ``rndc`` and ``named`` on startup.
-   The ``rndc.key`` file defines a default command channel and
-   authentication key allowing ``rndc`` to communicate with ``named`` on
-   the local host with no further configuration.
-
-   If a more elaborate configuration than that generated by
-   ``rndc-confgen -a`` is required, for example if rndc is to be used
-   remotely, run ``rndc-confgen`` without the ``-a`` option
-   and set up ``rndc.conf`` and ``named.conf`` as directed.
-
-``-A algorithm``
-   This option specifies the algorithm to use for the TSIG key. Available choices
-   are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384, and
-   hmac-sha512. The default is hmac-sha256.
-
-``-b keysize``
-   This option specifies the size of the authentication key in bits. The size must be between
-   1 and 512 bits; the default is the hash size.
-
-``-c keyfile``
-   This option is used with the ``-a`` option to specify an alternate location for
-   ``rndc.key``.
-
-``-h``
-   This option prints a short summary of the options and arguments to
-   ``rndc-confgen``.
-
-``-k keyname``
-   This option specifies the key name of the ``rndc`` authentication key. This must be a
-   valid domain name. The default is ``rndc-key``.
-
-``-p port``
-   This option specifies the command channel port where ``named`` listens for
-   connections from ``rndc``. The default is 953.
-
-``-q``
-   This option prevets printing the written path in automatic configuration mode.
-
-``-s address``
-   This option specifies the IP address where ``named`` listens for command-channel
-   connections from ``rndc``. The default is the loopback address
-   127.0.0.1.
-
-``-t chrootdir``
-   This option is used with the ``-a`` option to specify a directory where ``named``
-   runs chrooted. An additional copy of the ``rndc.key`` is
-   written relative to this directory, so that it is found by the
-   chrooted ``named``.
-
-``-u user``
-   This option is used with the ``-a`` option to set the owner of the generated ``rndc.key`` file.
-   If ``-t`` is also specified, only the file in the chroot
-   area has its owner changed.
-
-Examples
-~~~~~~~~
-
-To allow ``rndc`` to be used with no manual configuration, run:
-
-``rndc-confgen -a``
-
-To print a sample ``rndc.conf`` file and the corresponding ``controls`` and
-``key`` statements to be manually inserted into ``named.conf``, run:
-
-``rndc-confgen``
-
-See Also
-~~~~~~~~
-
-:manpage:`rndc(8)`, :manpage:`rndc.conf(5)`, :manpage:`named(8)`, BIND 9 Administrator Reference Manual.

bin/confgen/tsig-keygen.c

@@ -1,299 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-/*! \file */
-
-/**
- * tsig-keygen generates TSIG keys that can be used in named configuration
- * files for dynamic DNS.
- */
-
-#include <stdarg.h>
-#include <stdbool.h>
-#include <stdlib.h>
-
-#include <isc/assertions.h>
-#include <isc/attributes.h>
-#include <isc/base64.h>
-#include <isc/buffer.h>
-#include <isc/commandline.h>
-#include <isc/file.h>
-#include <isc/mem.h>
-#include <isc/net.h>
-#include <isc/print.h>
-#include <isc/result.h>
-#include <isc/string.h>
-#include <isc/time.h>
-#include <isc/util.h>
-
-#include <dns/keyvalues.h>
-#include <dns/name.h>
-
-#include <dst/dst.h>
-
-#include <confgen/os.h>
-
-#include "keygen.h"
-#include "util.h"
-
-#define KEYGEN_DEFAULT	"tsig-key"
-#define CONFGEN_DEFAULT "ddns-key"
-
-static char program[256];
-const char *progname;
-static enum { progmode_keygen, progmode_confgen } progmode;
-bool verbose = false; /* needed by util.c but not used here */
-
-ISC_NORETURN static void
-usage(int status);
-
-static void
-usage(int status) {
-	if (progmode == progmode_confgen) {
-		fprintf(stderr, "\
-Usage:\n\
- %s [-a alg] [-k keyname] [-q] [-s name | -z zone]\n\
-  -a alg:        algorithm (default hmac-sha256)\n\
-  -k keyname:    name of the key as it will be used in named.conf\n\
-  -s name:       domain name to be updated using the created key\n\
-  -z zone:       name of the zone as it will be used in named.conf\n\
-  -q:            quiet mode: print the key, with no explanatory text\n",
-			progname);
-	} else {
-		fprintf(stderr, "\
-Usage:\n\
- %s [-a alg] [keyname]\n\
-  -a alg:        algorithm (default hmac-sha256)\n\n",
-			progname);
-	}
-
-	exit(status);
-}
-
-int
-main(int argc, char **argv) {
-	isc_result_t result = ISC_R_SUCCESS;
-	bool show_final_mem = false;
-	bool quiet = false;
-	isc_buffer_t key_txtbuffer;
-	char key_txtsecret[256];
-	isc_mem_t *mctx = NULL;
-	const char *keyname = NULL;
-	const char *zone = NULL;
-	const char *self_domain = NULL;
-	char *keybuf = NULL;
-	dns_secalg_t alg = DST_ALG_HMACSHA256;
-	const char *algname;
-	int keysize = 256;
-	int len = 0;
-	int ch;
-
-	result = isc_file_progname(*argv, program, sizeof(program));
-	if (result != ISC_R_SUCCESS) {
-		memmove(program, "tsig-keygen", 11);
-	}
-	progname = program;
-
-	/*
-	 * Libtool doesn't preserve the program name prior to final
-	 * installation.  Remove the libtool prefix ("lt-").
-	 */
-	if (strncmp(progname, "lt-", 3) == 0) {
-		progname += 3;
-	}
-
-#define PROGCMP(X) \
-	(strcasecmp(progname, X) == 0 || strcasecmp(progname, X ".exe") == 0)
-
-	if (PROGCMP("tsig-keygen")) {
-		progmode = progmode_keygen;
-		quiet = true;
-	} else if (PROGCMP("ddns-confgen")) {
-		progmode = progmode_confgen;
-	} else {
-		INSIST(0);
-		ISC_UNREACHABLE();
-	}
-
-	isc_commandline_errprint = false;
-
-	while ((ch = isc_commandline_parse(argc, argv, "a:hk:Mmr:qs:y:z:")) !=
-	       -1) {
-		switch (ch) {
-		case 'a':
-			algname = isc_commandline_argument;
-			alg = alg_fromtext(algname);
-			if (alg == DST_ALG_UNKNOWN) {
-				fatal("Unsupported algorithm '%s'", algname);
-			}
-			keysize = alg_bits(alg);
-			break;
-		case 'h':
-			usage(0);
-		case 'k':
-		case 'y':
-			if (progmode == progmode_confgen) {
-				keyname = isc_commandline_argument;
-			} else {
-				usage(1);
-			}
-			break;
-		case 'M':
-			isc_mem_debugging = ISC_MEM_DEBUGTRACE;
-			break;
-		case 'm':
-			show_final_mem = true;
-			break;
-		case 'q':
-			if (progmode == progmode_confgen) {
-				quiet = true;
-			} else {
-				usage(1);
-			}
-			break;
-		case 'r':
-			fatal("The -r option has been deprecated.");
-			break;
-		case 's':
-			if (progmode == progmode_confgen) {
-				self_domain = isc_commandline_argument;
-			} else {
-				usage(1);
-			}
-			break;
-		case 'z':
-			if (progmode == progmode_confgen) {
-				zone = isc_commandline_argument;
-			} else {
-				usage(1);
-			}
-			break;
-		case '?':
-			if (isc_commandline_option != '?') {
-				fprintf(stderr, "%s: invalid argument -%c\n",
-					program, isc_commandline_option);
-				usage(1);
-			} else {
-				usage(0);
-			}
-			break;
-		default:
-			fprintf(stderr, "%s: unhandled option -%c\n", program,
-				isc_commandline_option);
-			exit(1);
-		}
-	}
-
-	if (progmode == progmode_keygen) {
-		keyname = argv[isc_commandline_index++];
-	}
-
-	POST(argv);
-
-	if (self_domain != NULL && zone != NULL) {
-		usage(1); /* -s and -z cannot coexist */
-	}
-
-	if (argc > isc_commandline_index) {
-		usage(1);
-	}
-
-	/* Use canonical algorithm name */
-	algname = alg_totext(alg);
-
-	isc_mem_create(&mctx);
-
-	if (keyname == NULL) {
-		const char *suffix = NULL;
-
-		keyname = ((progmode == progmode_keygen) ? KEYGEN_DEFAULT
-							 : CONFGEN_DEFAULT);
-		if (self_domain != NULL) {
-			suffix = self_domain;
-		} else if (zone != NULL) {
-			suffix = zone;
-		}
-		if (suffix != NULL) {
-			len = strlen(keyname) + strlen(suffix) + 2;
-			keybuf = isc_mem_get(mctx, len);
-			snprintf(keybuf, len, "%s.%s", keyname, suffix);
-			keyname = (const char *)keybuf;
-		}
-	}
-
-	isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));
-
-	generate_key(mctx, alg, keysize, &key_txtbuffer);
-
-	if (!quiet) {
-		printf("\
-# To activate this key, place the following in named.conf, and\n\
-# in a separate keyfile on the system or systems from which nsupdate\n\
-# will be run:\n");
-	}
-
-	printf("\
-key \"%s\" {\n\
-	algorithm %s;\n\
-	secret \"%.*s\";\n\
-};\n",
-	       keyname, algname, (int)isc_buffer_usedlength(&key_txtbuffer),
-	       (char *)isc_buffer_base(&key_txtbuffer));
-
-	if (!quiet) {
-		if (self_domain != NULL) {
-			printf("\n\
-# Then, in the \"zone\" statement for the zone containing the\n\
-# name \"%s\", place an \"update-policy\" statement\n\
-# like this one, adjusted as needed for your preferred permissions:\n\
-update-policy {\n\
-	  grant %s name %s ANY;\n\
-};\n",
-			       self_domain, keyname, self_domain);
-		} else if (zone != NULL) {
-			printf("\n\
-# Then, in the \"zone\" definition statement for \"%s\",\n\
-# place an \"update-policy\" statement like this one, adjusted as \n\
-# needed for your preferred permissions:\n\
-update-policy {\n\
-	  grant %s zonesub ANY;\n\
-};\n",
-			       zone, keyname);
-		} else {
-			printf("\n\
-# Then, in the \"zone\" statement for each zone you wish to dynamically\n\
-# update, place an \"update-policy\" statement granting update permission\n\
-# to this key.  For example, the following statement grants this key\n\
-# permission to update any name within the zone:\n\
-update-policy {\n\
-	grant %s zonesub ANY;\n\
-};\n",
-			       keyname);
-		}
-
-		printf("\n\
-# After the keyfile has been placed, the following command will\n\
-# execute nsupdate using this key:\n\
-nsupdate -k <keyfile>\n");
-	}
-
-	if (keybuf != NULL) {
-		isc_mem_put(mctx, keybuf, len);
-	}
-
-	if (show_final_mem) {
-		isc_mem_stats(mctx, stderr);
-	}
-
-	isc_mem_destroy(&mctx);
-
-	return (0);
-}

bin/confgen/tsig-keygen.rst

@@ -1,101 +0,0 @@
-.. 
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-   
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, you can obtain one at https://mozilla.org/MPL/2.0/.
-   
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-..
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-
-.. highlight: console
-
-tsig-keygen, ddns-confgen - TSIG key generation tool
-----------------------------------------------------
-
-Synopsis
-~~~~~~~~
-:program:`tsig-keygen` [**-a** algorithm] [**-h**] [**-r** randomfile] [name]
-
-:program:`ddns-confgen` [**-a** algorithm] [**-h**] [**-k** keyname] [**-q**] [**-r** randomfile] [**-s** name] [**-z** zone]
-
-Description
-~~~~~~~~~~~
-
-``tsig-keygen`` and ``ddns-confgen`` are invocation methods for a
-utility that generates keys for use in TSIG signing. The resulting keys
-can be used, for example, to secure dynamic DNS updates to a zone, or for
-the ``rndc`` command channel.
-
-When run as ``tsig-keygen``, a domain name can be specified on the
-command line to be used as the name of the generated key. If no
-name is specified, the default is ``tsig-key``.
-
-When run as ``ddns-confgen``, the key name can specified using ``-k``
-parameter and defaults to ``ddns-key``. The generated key is accompanied
-by configuration text and instructions that can be used with ``nsupdate``
-and ``named`` when setting up dynamic DNS, including an example
-``update-policy`` statement. (This usage is similar to the ``rndc-confgen``
-command for setting up command-channel security.)
-
-Note that ``named`` itself can configure a local DDNS key for use with
-``nsupdate -l``; it does this when a zone is configured with
-``update-policy local;``. ``ddns-confgen`` is only needed when a more
-elaborate configuration is required: for instance, if ``nsupdate`` is to
-be used from a remote system.
-
-Options
-~~~~~~~
-
-``-a algorithm``
-   This option specifies the algorithm to use for the TSIG key. Available
-   choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384,
-   and hmac-sha512. The default is hmac-sha256. Options are
-   case-insensitive, and the "hmac-" prefix may be omitted.
-
-``-h``
-   This option prints a short summary of options and arguments.
-
-``-k keyname``
-   This option specifies the key name of the DDNS authentication key. The
-   default is ``ddns-key`` when neither the ``-s`` nor ``-z`` option is
-   specified; otherwise, the default is ``ddns-key`` as a separate label
-   followed by the argument of the option, e.g., ``ddns-key.example.com.``
-   The key name must have the format of a valid domain name, consisting of
-   letters, digits, hyphens, and periods.
-
-``-q`` (``ddns-confgen`` only)
-   This option enables quiet mode, which prints only the key, with no
-   explanatory text or usage examples. This is essentially identical to
-   ``tsig-keygen``.
-
-``-s name`` (``ddns-confgen`` only)
-   This option generates a configuration example to allow dynamic updates
-   of a single hostname. The example ``named.conf`` text shows how to set
-   an update policy for the specified name using the "name" nametype. The
-   default key name is ``ddns-key.name``. Note that the "self" nametype
-   cannot be used, since the name to be updated may differ from the key
-   name. This option cannot be used with the ``-z`` option.
-
-``-z zone`` (``ddns-confgen`` only)
-   This option generates a configuration example to allow
-   dynamic updates of a zone. The example ``named.conf`` text shows how
-   to set an update policy for the specified zone using the "zonesub"
-   nametype, allowing updates to all subdomain names within that zone.
-   This option cannot be used with the ``-s`` option.
-
-See Also
-~~~~~~~~
-
-:manpage:`nsupdate(1)`, :manpage:`named.conf(5)`, :manpage:`named(8)`, BIND 9 Administrator Reference Manual.

bin/confgen/util.c

@@ -1,47 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-/*! \file */
-
-#include "util.h"
-#include <stdarg.h>
-#include <stdbool.h>
-#include <stdio.h>
-#include <stdlib.h>
-
-#include <isc/print.h>
-
-extern bool verbose;
-extern const char *progname;
-
-void
-notify(const char *fmt, ...) {
-	va_list ap;
-
-	if (verbose) {
-		va_start(ap, fmt);
-		vfprintf(stderr, fmt, ap);
-		va_end(ap);
-		fprintf(stderr, "\n");
-	}
-}
-
-void
-fatal(const char *format, ...) {
-	va_list args;
-
-	fprintf(stderr, "%s: ", progname);
-	va_start(args, format);
-	vfprintf(stderr, format, args);
-	va_end(args);
-	fprintf(stderr, "\n");
-	exit(1);
-}

bin/confgen/util.h

@@ -1,40 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-#pragma once
-
-/*! \file */
-
-#include <isc/attributes.h>
-#include <isc/formatcheck.h>
-#include <isc/lang.h>
-
-#define NS_CONTROL_PORT 953
-
-#undef DO
-#define DO(name, function)                                                \
-	do {                                                              \
-		result = function;                                        \
-		if (result != ISC_R_SUCCESS)                              \
-			fatal("%s: %s", name, isc_result_totext(result)); \
-		else                                                      \
-			notify("%s", name);                               \
-	} while (0)
-
-ISC_LANG_BEGINDECLS
-
-void
-notify(const char *fmt, ...) ISC_FORMAT_PRINTF(1, 2);
-
-ISC_NORETURN void
-fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
-
-ISC_LANG_ENDDECLS

bin/delv/.gitignore

@@ -1 +0,0 @@
-/delv

bin/delv/Makefile.am

@@ -1,21 +0,0 @@
-include $(top_srcdir)/Makefile.top
-
-AM_CPPFLAGS +=				\
-	-I$(top_builddir)/include	\
-	$(LIBISC_CFLAGS)		\
-	$(LIBDNS_CFLAGS)		\
-	$(LIBISCCFG_CFLAGS)		\
-	$(LIBIRS_CFLAGS)
-
-AM_CPPFLAGS +=				\
-	-DSYSCONFDIR=\"${sysconfdir}\"
-
-bin_PROGRAMS = delv
-
-delv_SOURCES =				\
-	delv.c
-delv_LDADD =				\
-	$(LIBISC_LIBS)			\
-	$(LIBDNS_LIBS)			\
-	$(LIBISCCFG_LIBS)		\
-	$(LIBIRS_LIBS)

bin/delv/delv.rst

@@ -1,336 +0,0 @@
-.. 
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-   
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, you can obtain one at https://mozilla.org/MPL/2.0/.
-   
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-..
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-
-.. highlight: console
-
-.. _man_delv:
-
-delv - DNS lookup and validation utility
-----------------------------------------
-
-Synopsis
-~~~~~~~~
-
-:program:`delv` [@server] [ [**-4**] | [**-6**] ] [**-a** anchor-file] [**-b** address] [**-c** class] [**-d** level] [**-i**] [**-m**] [**-p** port#] [**-q** name] [**-t** type] [**-x** addr] [name] [type] [class] [queryopt...]
-
-:program:`delv` [**-h**]
-
-:program:`delv` [**-v**]
-
-:program:`delv` [queryopt...] [query...]
-
-Description
-~~~~~~~~~~~
-
-``delv`` is a tool for sending DNS queries and validating the results,
-using the same internal resolver and validator logic as ``named``.
-
-``delv`` sends to a specified name server all queries needed to
-fetch and validate the requested data; this includes the original
-requested query, subsequent queries to follow CNAME or DNAME chains,
-queries for DNSKEY, and DS records to establish a chain of trust for
-DNSSEC validation. It does not perform iterative resolution, but
-simulates the behavior of a name server configured for DNSSEC validating
-and forwarding.
-
-By default, responses are validated using the built-in DNSSEC trust anchor
-for the root zone ("."). Records returned by ``delv`` are either fully
-validated or were not signed. If validation fails, an explanation of the
-failure is included in the output; the validation process can be traced
-in detail. Because ``delv`` does not rely on an external server to carry
-out validation, it can be used to check the validity of DNS responses in
-environments where local name servers may not be trustworthy.
-
-Unless it is told to query a specific name server, ``delv`` tries
-each of the servers listed in ``/etc/resolv.conf``. If no usable server
-addresses are found, ``delv`` sends queries to the localhost
-addresses (127.0.0.1 for IPv4, ::1 for IPv6).
-
-When no command-line arguments or options are given, ``delv``
-performs an NS query for "." (the root zone).
-
-Simple Usage
-~~~~~~~~~~~~
-
-A typical invocation of ``delv`` looks like:
-
-::
-
-    delv @server name type
-
-where:
-
-``server``
-   is the name or IP address of the name server to query. This can be an
-   IPv4 address in dotted-decimal notation or an IPv6 address in
-   colon-delimited notation. When the supplied ``server`` argument is a
-   hostname, ``delv`` resolves that name before querying that name
-   server (note, however, that this initial lookup is *not* validated by
-   DNSSEC).
-
-   If no ``server`` argument is provided, ``delv`` consults
-   ``/etc/resolv.conf``; if an address is found there, it queries the
-   name server at that address. If either of the ``-4`` or ``-6``
-   options is in use, then only addresses for the corresponding
-   transport are tried. If no usable addresses are found, ``delv``
-   sends queries to the localhost addresses (127.0.0.1 for IPv4, ::1
-   for IPv6).
-
-``name``
-   is the domain name to be looked up.
-
-``type``
-   indicates what type of query is required - ANY, A, MX, etc.
-   ``type`` can be any valid query type. If no ``type`` argument is
-   supplied, ``delv`` performs a lookup for an A record.
-
-Options
-~~~~~~~
-
-``-a anchor-file``
-   This option specifies a file from which to read DNSSEC trust anchors. The default
-   is ``/etc/bind.keys``, which is included with BIND 9 and contains one
-   or more trust anchors for the root zone (".").
-
-   Keys that do not match the root zone name are ignored. An alternate
-   key name can be specified using the ``+root=NAME`` options.
-
-   Note: When reading the trust anchor file, ``delv`` treats ``trust-anchors``,
-   ``initial-key``, and ``static-key`` identically. That is, for a managed key,
-   it is the *initial* key that is trusted; :rfc:`5011` key management is not
-   supported. ``delv`` does not consult the managed-keys database maintained by
-   ``named``, which means that if either of the keys in ``/etc/bind.keys`` is
-   revoked and rolled over, ``/etc/bind.keys`` must be updated to
-   use DNSSEC validation in ``delv``.
-
-``-b address``
-   This option sets the source IP address of the query to ``address``. This must be
-   a valid address on one of the host's network interfaces, or ``0.0.0.0``,
-   or ``::``. An optional source port may be specified by appending
-   ``#<port>``
-
-``-c class``
-   This option sets the query class for the requested data. Currently, only class
-   "IN" is supported in ``delv`` and any other value is ignored.
-
-``-d level``
-   This option sets the systemwide debug level to ``level``. The allowed range is
-   from 0 to 99. The default is 0 (no debugging). Debugging traces from
-   ``delv`` become more verbose as the debug level increases. See the
-   ``+mtrace``, ``+rtrace``, and ``+vtrace`` options below for
-   additional debugging details.
-
-``-h``
-   This option displays the ``delv`` help usage output and exits.
-
-``-i``
-   This option sets insecure mode, which disables internal DNSSEC validation. (Note,
-   however, that this does not set the CD bit on upstream queries. If the
-   server being queried is performing DNSSEC validation, then it does
-   not return invalid data; this can cause ``delv`` to time out. When it
-   is necessary to examine invalid data to debug a DNSSEC problem, use
-   ``dig +cd``.)
-
-``-m``
-   This option enables memory usage debugging.
-
-``-p port#``
-   This option specifies a destination port to use for queries, instead of the
-   standard DNS port number 53. This option is used with a name
-   server that has been configured to listen for queries on a
-   non-standard port number.
-
-``-q name``
-   This option sets the query name to ``name``. While the query name can be
-   specified without using the ``-q`` option, it is sometimes necessary to
-   disambiguate names from types or classes (for example, when looking
-   up the name "ns", which could be misinterpreted as the type NS, or
-   "ch", which could be misinterpreted as class CH).
-
-``-t type``
-   This option sets the query type to ``type``, which can be any valid query type
-   supported in BIND 9 except for zone transfer types AXFR and IXFR. As
-   with ``-q``, this is useful to distinguish query-name types or classes
-   when they are ambiguous. It is sometimes necessary to disambiguate
-   names from types.
-
-   The default query type is "A", unless the ``-x`` option is supplied
-   to indicate a reverse lookup, in which case it is "PTR".
-
-``-v``
-   This option prints the ``delv`` version and exits.
-
-``-x addr``
-   This option performs a reverse lookup, mapping an address to a name. ``addr``
-   is an IPv4 address in dotted-decimal notation, or a colon-delimited
-   IPv6 address. When ``-x`` is used, there is no need to provide the
-   ``name`` or ``type`` arguments; ``delv`` automatically performs a
-   lookup for a name like ``11.12.13.10.in-addr.arpa`` and sets the
-   query type to PTR. IPv6 addresses are looked up using nibble format
-   under the IP6.ARPA domain.
-
-``-4``
-   This option forces ``delv`` to only use IPv4.
-
-``-6``
-   This option forces ``delv`` to only use IPv6.
-
-Query Options
-~~~~~~~~~~~~~
-
-``delv`` provides a number of query options which affect the way results
-are displayed, and in some cases the way lookups are performed.
-
-Each query option is identified by a keyword preceded by a plus sign
-(``+``). Some keywords set or reset an option. These may be preceded by
-the string ``no`` to negate the meaning of that keyword. Other keywords
-assign values to options like the timeout interval. They have the form
-``+keyword=value``. The query options are:
-
-``+[no]cdflag``
-   This option controls whether to set the CD (checking disabled) bit in queries
-   sent by ``delv``. This may be useful when troubleshooting DNSSEC
-   problems from behind a validating resolver. A validating resolver
-   blocks invalid responses, making it difficult to retrieve them
-   for analysis. Setting the CD flag on queries causes the resolver
-   to return invalid responses, which ``delv`` can then validate
-   internally and report the errors in detail.
-
-``+[no]class``
-   This option controls whether to display the CLASS when printing a record. The
-   default is to display the CLASS.
-
-``+[no]ttl``
-   This option controls whether to display the TTL when printing a record. The
-   default is to display the TTL.
-
-``+[no]rtrace``
-   This option toggles resolver fetch logging. This reports the name and type of each
-   query sent by ``delv`` in the process of carrying out the resolution
-   and validation process, including the original query
-   and all subsequent queries to follow CNAMEs and to establish a chain
-   of trust for DNSSEC validation.
-
-   This is equivalent to setting the debug level to 1 in the "resolver"
-   logging category. Setting the systemwide debug level to 1 using the
-   ``-d`` option produces the same output, but affects other
-   logging categories as well.
-
-``+[no]mtrace``
-   This option toggles message logging. This produces a detailed dump of the
-   responses received by ``delv`` in the process of carrying out the
-   resolution and validation process.
-
-   This is equivalent to setting the debug level to 10 for the "packets"
-   module of the "resolver" logging category. Setting the systemwide
-   debug level to 10 using the ``-d`` option produces the same
-   output, but affects other logging categories as well.
-
-``+[no]vtrace``
-   This option toggles validation logging. This shows the internal process of the
-   validator as it determines whether an answer is validly signed,
-   unsigned, or invalid.
-
-   This is equivalent to setting the debug level to 3 for the
-   "validator" module of the "dnssec" logging category. Setting the
-   systemwide debug level to 3 using the ``-d`` option produces the
-   same output, but affects other logging categories as well.
-
-``+[no]short``
-   This option toggles between verbose and terse answers. The default is to print the answer in a
-   verbose form.
-
-``+[no]comments``
-   This option toggles the display of comment lines in the output. The default is to
-   print comments.
-
-``+[no]rrcomments``
-   This option toggles the display of per-record comments in the output (for example,
-   human-readable key information about DNSKEY records). The default is
-   to print per-record comments.
-
-``+[no]crypto``
-   This option toggles the display of cryptographic fields in DNSSEC records. The
-   contents of these fields are unnecessary to debug most DNSSEC
-   validation failures and removing them makes it easier to see the
-   common failures. The default is to display the fields. When omitted,
-   they are replaced by the string ``[omitted]`` or, in the DNSKEY case, the
-   key ID is displayed as the replacement, e.g. ``[ key id = value ]``.
-
-``+[no]trust``
-   This option controls whether to display the trust level when printing a record.
-   The default is to display the trust level.
-
-``+[no]split[=W]``
-   This option splits long hex- or base64-formatted fields in resource records into
-   chunks of ``W`` characters (where ``W`` is rounded up to the nearest
-   multiple of 4). ``+nosplit`` or ``+split=0`` causes fields not to be
-   split at all. The default is 56 characters, or 44 characters when
-   multiline mode is active.
-
-``+[no]all``
-   This option sets or clears the display options ``+[no]comments``,
-   ``+[no]rrcomments``, and ``+[no]trust`` as a group.
-
-``+[no]multiline``
-   This option prints long records (such as RRSIG, DNSKEY, and SOA records) in a
-   verbose multi-line format with human-readable comments. The default
-   is to print each record on a single line, to facilitate machine
-   parsing of the ``delv`` output.
-
-``+[no]dnssec``
-   This option indicates whether to display RRSIG records in the ``delv`` output.
-   The default is to do so. Note that (unlike in ``dig``) this does
-   *not* control whether to request DNSSEC records or to
-   validate them. DNSSEC records are always requested, and validation
-   always occurs unless suppressed by the use of ``-i`` or
-   ``+noroot``.
-
-``+[no]root[=ROOT]``
-   This option indicates whether to perform conventional DNSSEC validation, and if so,
-   specifies the name of a trust anchor. The default is to validate using a
-   trust anchor of "." (the root zone), for which there is a built-in key. If
-   specifying a different trust anchor, then ``-a`` must be used to specify a
-   file containing the key.
-
-``+[no]tcp``
-   This option controls whether to use TCP when sending queries. The default is to
-   use UDP unless a truncated response has been received.
-
-``+[no]unknownformat``
-   This option prints all RDATA in unknown RR-type presentation format (:rfc:`3597`).
-   The default is to print RDATA for known types in the type's
-   presentation format.
-
-``+[no]yaml``
-   This option prints response data in YAML format.
-
-Files
-~~~~~
-
-``/etc/bind.keys``
-
-``/etc/resolv.conf``
-
-See Also
-~~~~~~~~
-
-:manpage:`dig(1)`, :manpage:`named(8)`, :rfc:`4034`, :rfc:`4035`, :rfc:`4431`, :rfc:`5074`, :rfc:`5155`.

bin/dig/.cvsignore

@@ -0,0 +1,6 @@
+Makefile
+dig
+host
+nslookup
+*.lo
+.libs

bin/dig/.gitignore

@@ -1,7 +0,0 @@
-/dig
-/host
-/nslookup
-.libs
-dig-symtbl.c
-host-symtbl.c
-nslookup-symtbl.c

bin/dig/Makefile.am

@@ -1,39 +0,0 @@
-include $(top_srcdir)/Makefile.top
-
-AM_CPPFLAGS +=			\
-	$(LIBISC_CFLAGS)	\
-	$(LIBDNS_CFLAGS)	\
-	$(LIBISCCFG_CFLAGS)	\
-	$(LIBIRS_CFLAGS)	\
-	$(LIBBIND9_CFLAGS)	\
-	$(LIBIDN2_CFLAGS)
-
-LDADD +=			\
-	libdighost.la		\
-	$(LIBISC_LIBS)		\
-	$(LIBDNS_LIBS)		\
-	$(LIBISCCFG_LIBS)	\
-	$(LIBIRS_LIBS)		\
-	$(LIBBIND9_LIBS)	\
-	$(LIBIDN2_LIBS)
-
-noinst_LTLIBRARIES = libdighost.la
-
-libdighost_la_SOURCES =		\
-	dighost.h		\
-	dighost.c
-
-bin_PROGRAMS = dig host nslookup
-
-nslookup_CPPFLAGS =		\
-	$(AM_CPPFLAGS)
-
-nslookup_LDADD =		\
-	$(LDADD)
-
-if HAVE_READLINE
-nslookup_CPPFLAGS +=		\
-	$(READLINE_CFLAGS)
-nslookup_LDADD +=		\
-	$(READLINE_LIBS)
-endif HAVE_READLINE

bin/dig/Makefile.in

@@ -0,0 +1,71 @@
+# Copyright (C) 2000, 2001  Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
+# DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+# INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
+# FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.17.4.1 2001/01/09 22:31:19 bwelling Exp $
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+@BIND9_VERSION@
+
+@BIND9_INCLUDES@
+
+CINCLUDES =	-I${srcdir}/include ${DNS_INCLUDES} ${ISC_INCLUDES}
+
+CDEFINES =	-DVERSION=\"${VERSION}\"
+CWARNINGS =
+
+DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_OPENSSL_LIBS@ @DNS_GSSAPI_LIBS@
+ISCLIBS =	../../lib/isc/libisc.@A@
+
+DNSDEPLIBS =	../../lib/dns/libdns.@A@
+ISCDEPLIBS =	../../lib/isc/libisc.@A@
+
+DEPLIBS =	${DNSDEPLIBS} ${ISCDEPLIBS}
+
+LIBS =		${DNSLIBS} ${ISCLIBS} @LIBS@
+
+SUBDIRS =
+
+TARGETS =	dig host nslookup
+
+OBJS =		dig.@O@ dighost.@O@ host.@O@ nslookup.@O@
+
+UOBJS =
+
+SRCS =		dig.c dighost.c host.c nslookup.c
+
+@BIND9_MAKE_RULES@
+
+dig: dig.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
+	${LIBTOOL} ${CC} ${CFLAGS} -o $@ dig.@O@ dighost.@O@ ${UOBJS} ${LIBS}
+
+host: host.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
+	${LIBTOOL} ${CC} ${CFLAGS} -o $@ host.@O@ dighost.@O@ ${UOBJS} ${LIBS}
+
+nslookup: nslookup.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
+	${LIBTOOL} ${CC} ${CFLAGS} -o $@ nslookup.@O@ dighost.@O@ ${UOBJS} ${LIBS}
+
+clean distclean::
+	rm -f ${TARGETS}
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir}
+
+install:: dig host nslookup installdirs
+	${LIBTOOL} ${INSTALL_PROGRAM} dig ${DESTDIR}${bindir}
+	${LIBTOOL} ${INSTALL_PROGRAM} host ${DESTDIR}${bindir}
+	${LIBTOOL} ${INSTALL_PROGRAM} nslookup ${DESTDIR}${bindir}

bin/dig/dig.rst

@@ -1,690 +0,0 @@
-.. 
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-   
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, you can obtain one at https://mozilla.org/MPL/2.0/.
-   
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-..
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-
-.. highlight: console
-
-.. _man_dig:
-
-dig - DNS lookup utility
-------------------------
-
-Synopsis
-~~~~~~~~
-:program:`dig` [@server] [**-b** address] [**-c** class] [**-f** filename] [**-k** filename] [**-m**] [**-p** port#] [**-q** name] [**-t** type] [**-v**] [**-x** addr] [**-y** [hmac:]name:key] [ [**-4**] | [**-6**] ] [name] [type] [class] [queryopt...]
-
-:program:`dig` [**-h**]
-
-:program:`dig` [global-queryopt...] [query...]
-
-Description
-~~~~~~~~~~~
-
-``dig`` is a flexible tool for interrogating DNS name servers. It
-performs DNS lookups and displays the answers that are returned from the
-name server(s) that were queried. Most DNS administrators use ``dig`` to
-troubleshoot DNS problems because of its flexibility, ease of use, and
-clarity of output. Other lookup tools tend to have less functionality
-than ``dig``.
-
-Although ``dig`` is normally used with command-line arguments, it also
-has a batch mode of operation for reading lookup requests from a file. A
-brief summary of its command-line arguments and options is printed when
-the ``-h`` option is given. The BIND 9
-implementation of ``dig`` allows multiple lookups to be issued from the
-command line.
-
-Unless it is told to query a specific name server, ``dig`` tries each
-of the servers listed in ``/etc/resolv.conf``. If no usable server
-addresses are found, ``dig`` sends the query to the local host.
-
-When no command-line arguments or options are given, ``dig``
-performs an NS query for "." (the root).
-
-It is possible to set per-user defaults for ``dig`` via
-``${HOME}/.digrc``. This file is read and any options in it are applied
-before the command-line arguments. The ``-r`` option disables this
-feature, for scripts that need predictable behavior.
-
-The IN and CH class names overlap with the IN and CH top-level domain
-names. Either use the ``-t`` and ``-c`` options to specify the type and
-class, use the ``-q`` to specify the domain name, or use "IN." and
-"CH." when looking up these top-level domains.
-
-Simple Usage
-~~~~~~~~~~~~
-
-A typical invocation of ``dig`` looks like:
-
-::
-
-    dig @server name type
-
-where:
-
-``server``
-   is the name or IP address of the name server to query. This can be an
-   IPv4 address in dotted-decimal notation or an IPv6 address in
-   colon-delimited notation. When the supplied ``server`` argument is a
-   hostname, ``dig`` resolves that name before querying that name
-   server.
-
-   If no ``server`` argument is provided, ``dig`` consults
-   ``/etc/resolv.conf``; if an address is found there, it queries the
-   name server at that address. If either of the ``-4`` or ``-6``
-   options are in use, then only addresses for the corresponding
-   transport are tried. If no usable addresses are found, ``dig``
-   sends the query to the local host. The reply from the name server
-   that responds is displayed.
-
-``name``
-   is the name of the resource record that is to be looked up.
-
-``type``
-   indicates what type of query is required - ANY, A, MX, SIG, etc.
-   ``type`` can be any valid query type. If no ``type`` argument is
-   supplied, ``dig`` performs a lookup for an A record.
-
-Options
-~~~~~~~
-
-``-4``
-   This option indicates that only IPv4 should be used.
-
-``-6``
-   This option indicates that only IPv6 should be used.
-
-``-b address[#port]``
-   This option sets the source IP address of the query. The ``address`` must be a
-   valid address on one of the host's network interfaces, or "0.0.0.0"
-   or "::". An optional port may be specified by appending ``#port``.
-
-``-c class``
-   This option sets the query class. The default ``class`` is IN; other classes are
-   HS for Hesiod records or CH for Chaosnet records.
-
-``-f file``
-   This option sets batch mode, in which ``dig`` reads a list of lookup requests to process from
-   the given ``file``. Each line in the file should be organized in the
-   same way it would be presented as a query to ``dig`` using the
-   command-line interface.
-
-``-k keyfile``
-   This option tells ``named`` to sign queries using TSIG using a key read from the given file. Key
-   files can be generated using ``tsig-keygen``. When using TSIG
-   authentication with ``dig``, the name server that is queried needs to
-   know the key and algorithm that is being used. In BIND, this is done
-   by providing appropriate ``key`` and ``server`` statements in
-   ``named.conf``.
-
-``-m``
-   This option enables memory usage debugging.
-
-``-p port``
-   This option sends the query to a non-standard port on the server, instead of the
-   default port 53. This option is used to test a name server that
-   has been configured to listen for queries on a non-standard port
-   number.
-
-``-q name``
-   This option specifies the domain name to query. This is useful to distinguish the ``name``
-   from other arguments.
-
-``-r``
-   This option indicates that options from ``${HOME}/.digrc`` should not be read. This is useful for
-   scripts that need predictable behavior.
-
-``-t type``
-   This option indicates the resource record type to query, which can be any valid query type. If
-   it is a resource record type supported in BIND 9, it can be given by
-   the type mnemonic (such as ``NS`` or ``AAAA``). The default query type is
-   ``A``, unless the ``-x`` option is supplied to indicate a reverse
-   lookup. A zone transfer can be requested by specifying a type of
-   AXFR. When an incremental zone transfer (IXFR) is required, set the
-   ``type`` to ``ixfr=N``. The incremental zone transfer contains
-   all changes made to the zone since the serial number in the zone's
-   SOA record was ``N``.
-
-   All resource record types can be expressed as ``TYPEnn``, where ``nn`` is
-   the number of the type. If the resource record type is not supported
-   in BIND 9, the result is displayed as described in :rfc:`3597`.
-
-``-u``
-   This option indicates that print query times should be provided in microseconds instead of milliseconds.
-
-``-v``
-   This option prints the version number and exits.
-
-``-x addr``
-   This option sets simplified reverse lookups, for mapping addresses to names. The
-   ``addr`` is an IPv4 address in dotted-decimal notation, or a
-   colon-delimited IPv6 address. When the ``-x`` option is used, there is no
-   need to provide the ``name``, ``class``, and ``type`` arguments.
-   ``dig`` automatically performs a lookup for a name like
-   ``94.2.0.192.in-addr.arpa`` and sets the query type and class to PTR
-   and IN respectively. IPv6 addresses are looked up using nibble format
-   under the IP6.ARPA domain.
-
-``-y [hmac:]keyname:secret``
-   This option signs queries using TSIG with the given authentication key.
-   ``keyname`` is the name of the key, and ``secret`` is the
-   base64-encoded shared secret. ``hmac`` is the name of the key algorithm;
-   valid choices are ``hmac-md5``, ``hmac-sha1``, ``hmac-sha224``,
-   ``hmac-sha256``, ``hmac-sha384``, or ``hmac-sha512``. If ``hmac`` is
-   not specified, the default is ``hmac-md5``; if MD5 was disabled, the default is
-   ``hmac-sha256``.
-
-.. note:: Only the ``-k`` option should be used, rather than the ``-y`` option,
-   because with ``-y`` the shared secret is supplied as a command-line
-   argument in clear text. This may be visible in the output from ``ps1`` or
-   in a history file maintained by the user's shell.
-
-Query Options
-~~~~~~~~~~~~~
-
-``dig`` provides a number of query options which affect the way in which
-lookups are made and the results displayed. Some of these set or reset
-flag bits in the query header, some determine which sections of the
-answer get printed, and others determine the timeout and retry
-strategies.
-
-Each query option is identified by a keyword preceded by a plus sign
-(``+``). Some keywords set or reset an option; these may be preceded by
-the string ``no`` to negate the meaning of that keyword. Other keywords
-assign values to options, like the timeout interval. They have the form
-``+keyword=value``. Keywords may be abbreviated, provided the
-abbreviation is unambiguous; for example, ``+cd`` is equivalent to
-``+cdflag``. The query options are:
-
-``+[no]aaflag``
-   This option is a synonym for ``+[no]aaonly``.
-
-``+[no]aaonly``
-   This option sets the ``aa`` flag in the query.
-
-``+[no]additional``
-   This option displays [or does not display] the additional section of a reply. The
-   default is to display it.
-
-``+[no]adflag``
-   This option sets [or does not set] the AD (authentic data) bit in the query. This
-   requests the server to return whether all of the answer and authority
-   sections have been validated as secure, according to the security
-   policy of the server. ``AD=1`` indicates that all records have been
-   validated as secure and the answer is not from a OPT-OUT range. ``AD=0``
-   indicates that some part of the answer was insecure or not validated.
-   This bit is set by default.
-
-``+[no]all``
-   This option sets or clears all display flags.
-
-``+[no]answer``
-   This option displays [or does not display] the answer section of a reply. The default
-   is to display it.
-
-``+[no]authority``
-   This option displays [or does not display] the authority section of a reply. The
-   default is to display it.
-
-``+[no]badcookie``
-   This option retries the lookup with a new server cookie if a BADCOOKIE response is
-   received.
-
-``+[no]besteffort``
-   This option attempts to display the contents of messages which are malformed. The
-   default is to not display malformed answers.
-
-``+bufsize[=B]``
-   This option sets the UDP message buffer size advertised using EDNS0 to
-   ``B`` bytes.  The maximum and minimum sizes of this buffer are 65535 and
-   0, respectively.  ``+bufsize`` restores the default buffer size.
-
-``+[no]cdflag``
-   This option sets [or does not set] the CD (checking disabled) bit in the query. This
-   requests the server to not perform DNSSEC validation of responses.
-
-``+[no]class``
-   This option displays [or does not display] the CLASS when printing the record.
-
-``+[no]cmd``
-   This option toggles the printing of the initial comment in the output, identifying the
-   version of ``dig`` and the query options that have been applied. This option
-   always has a global effect; it cannot be set globally and then overridden on a
-   per-lookup basis. The default is to print this comment.
-
-``+[no]comments``
-   This option toggles the display of some comment lines in the output, with
-   information about the packet header and OPT pseudosection, and the names of
-   the response section. The default is to print these comments.
-
-   Other types of comments in the output are not affected by this option, but
-   can be controlled using other command-line switches. These include
-   ``+[no]cmd``, ``+[no]question``, ``+[no]stats``, and ``+[no]rrcomments``.
-
-``+[no]cookie=####``
-   This option sends [or does not send] a COOKIE EDNS option, with an optional value. Replaying a COOKIE
-   from a previous response allows the server to identify a previous
-   client. The default is ``+cookie``.
-
-   ``+cookie`` is also set when ``+trace`` is set to better emulate the
-   default queries from a nameserver.
-
-``+[no]crypto``
-   This option toggles the display of cryptographic fields in DNSSEC records. The
-   contents of these fields are unnecessary for debugging most DNSSEC
-   validation failures and removing them makes it easier to see the
-   common failures. The default is to display the fields. When omitted,
-   they are replaced by the string ``[omitted]`` or, in the DNSKEY case, the
-   key ID is displayed as the replacement, e.g. ``[ key id = value ]``.
-
-``+[no]defname``
-   This option, which is deprecated, is treated as a synonym for ``+[no]search``.
-
-``+[no]dns64prefix``
-   Lookup IPV4ONLY.ARPA AAAA and print any DNS64 prefixes found.
-
-``+[no]dnssec``
-   This option requests that DNSSEC records be sent by setting the DNSSEC OK (DO) bit in
-   the OPT record in the additional section of the query.
-
-``+domain=somename``
-   This option sets the search list to contain the single domain ``somename``, as if
-   specified in a ``domain`` directive in ``/etc/resolv.conf``, and
-   enables search list processing as if the ``+search`` option were
-   given.
-
-``+dscp=value``
-   This option sets the DSCP code point to be used when sending the query. Valid DSCP
-   code points are in the range [0...63]. By default no code point is
-   explicitly set.
-
-``+[no]edns[=#]``
-   This option specifies the EDNS version to query with. Valid values are 0 to 255.
-   Setting the EDNS version causes an EDNS query to be sent.
-   ``+noedns`` clears the remembered EDNS version. EDNS is set to 0 by
-   default.
-
-``+[no]ednsflags[=#]``
-   This option sets the must-be-zero EDNS flags bits (Z bits) to the specified value.
-   Decimal, hex, and octal encodings are accepted. Setting a named flag
-   (e.g., DO) is silently ignored. By default, no Z bits are set.
-
-``+[no]ednsnegotiation``
-   This option enables/disables EDNS version negotiation. By default, EDNS version
-   negotiation is enabled.
-
-``+[no]ednsopt[=code[:value]]``
-   This option specifies the EDNS option with code point ``code`` and an optional payload
-   of ``value`` as a hexadecimal string. ``code`` can be either an EDNS
-   option name (for example, ``NSID`` or ``ECS``) or an arbitrary
-   numeric value. ``+noednsopt`` clears the EDNS options to be sent.
-
-``+[no]expire``
-   This option sends an EDNS Expire option.
-
-``+[no]fail``
-   This option indicates that ``named`` should try [or not try] the next server if a SERVFAIL is received. The default is
-   to not try the next server, which is the reverse of normal stub
-   resolver behavior.
-
-``+[no]header-only``
-   This option sends a query with a DNS header without a question section. The
-   default is to add a question section. The query type and query name
-   are ignored when this is set.
-
-``+[no]https[=value]``
-   This option indicates whether to use DNS-over-HTTPS (DoH) when querying
-   name servers.  When this option is in use, the port number defaults to 443.
-   The HTTP POST request mode is used when sending the query.
-
-   If ``value`` is specified, it will be used as the HTTP endpoint in the
-   query URI; the default is ``/dns-query``. So, for example, ``dig
-   @example.com +https`` will use the URI ``https://example.com/dns-query``.
-
-``+[no]https-get[=value]``
-   Similar to ``+https``, except that the HTTP GET request mode is used
-   when sending the query.
-
-``+[no]https-post[=value]``
-   Same as ``+https``.
-
-``+[no]http-plain[=value]``
-   Similar to ``+https``, except that HTTP queries will be sent over a
-   non-encrypted channel. When this option is in use, the port number
-   defaults to 80 and the HTTP request mode is POST.
-
-``+[no]http-plain-get[=value]``
-   Similar to ``+http-plain``, except that the HTTP request mode is GET.
-
-``+[no]http-plain-post[=value]``
-   Same as ``+http-plain``.
-
-``+[no]identify``
-   This option shows [or does not show] the IP address and port number that
-   supplied the answer, when the ``+short`` option is enabled. If short
-   form answers are requested, the default is not to show the source
-   address and port number of the server that provided the answer.
-
-``+[no]idnin``
-   This option processes [or does not process] IDN domain names on input. This requires
-   ``IDN SUPPORT`` to have been enabled at compile time.
-
-   The default is to process IDN input when standard output is a tty.
-   The IDN processing on input is disabled when ``dig`` output is redirected
-   to files, pipes, and other non-tty file descriptors.
-
-``+[no]idnout``
-   This option converts [or does not convert] puny code on output. This requires
-   ``IDN SUPPORT`` to have been enabled at compile time.
-
-   The default is to process puny code on output when standard output is
-   a tty. The puny code processing on output is disabled when ``dig`` output
-   is redirected to files, pipes, and other non-tty file descriptors.
-
-``+[no]ignore``
-   This option ignores [or does not ignore] truncation in UDP responses instead of retrying with TCP. By
-   default, TCP retries are performed.
-
-``+[no]keepalive``
-   This option sends [or does not send] an EDNS Keepalive option.
-
-``+[no]keepopen``
-   This option keeps [or does not keep] the TCP socket open between queries, and reuses it rather than
-   creating a new TCP socket for each lookup. The default is
-   ``+nokeepopen``.
-
-``+[no]mapped``
-   This option allows [or does not allow] mapped IPv4-over-IPv6 addresses to be used. The default is
-   ``+mapped``.
-
-``+[no]multiline``
-   This option prints [or does not print] records, like the SOA records, in a verbose multi-line format
-   with human-readable comments. The default is to print each record on
-   a single line to facilitate machine parsing of the ``dig`` output.
-
-``+ndots=D``
-   This option sets the number of dots (``D``) that must appear in ``name`` for
-   it to be considered absolute. The default value is that defined using
-   the ``ndots`` statement in ``/etc/resolv.conf``, or 1 if no ``ndots``
-   statement is present. Names with fewer dots are interpreted as
-   relative names, and are searched for in the domains listed in the
-   ``search`` or ``domain`` directive in ``/etc/resolv.conf`` if
-   ``+search`` is set.
-
-``+[no]nsid``
-   When enabled, this option includes an EDNS name server ID request when sending a query.
-
-``+[no]nssearch``
-   When this option is set, ``dig`` attempts to find the authoritative
-   name servers for the zone containing the name being looked up, and
-   display the SOA record that each name server has for the zone.
-   Addresses of servers that did not respond are also printed.
-
-``+[no]onesoa``
-   When enabled, this option prints only one (starting) SOA record when performing an AXFR. The
-   default is to print both the starting and ending SOA records.
-
-``+[no]opcode=value``
-   When enabled, this option sets (restores) the DNS message opcode to the specified value. The
-   default value is QUERY (0).
-
-``+padding=value``
-   This option pads the size of the query packet using the EDNS Padding option to
-   blocks of ``value`` bytes. For example, ``+padding=32`` causes a
-   48-byte query to be padded to 64 bytes. The default block size is 0,
-   which disables padding; the maximum is 512. Values are ordinarily
-   expected to be powers of two, such as 128; however, this is not
-   mandatory. Responses to padded queries may also be padded, but only
-   if the query uses TCP or DNS COOKIE.
-
-``+qid=value``
-   This option specifies the query ID to use when sending queries.
-
-``+[no]qr``
-   This option toggles the display of the query message as it is sent. By default, the query
-   is not printed.
-
-``+[no]question``
-   This option toggles the display of the question section of a query when an answer is
-   returned. The default is to print the question section as a comment.
-
-``+[no]raflag``
-   This option sets [or does not set] the RA (Recursion Available) bit in the query. The
-   default is ``+noraflag``. This bit is ignored by the server for
-   QUERY.
-
-``+[no]rdflag``
-   This option is a synonym for ``+[no]recurse``.
-
-``+[no]recurse``
-   This option toggles the setting of the RD (recursion desired) bit in the query.
-   This bit is set by default, which means ``dig`` normally sends
-   recursive queries. Recursion is automatically disabled when the
-   ``+nssearch`` or ``+trace`` query option is used.
-
-``+retry=T``
-   This option sets the number of times to retry UDP and TCP queries to server to ``T``
-   instead of the default, 2.  Unlike ``+tries``, this does not include
-   the initial query.
-
-``+[no]rrcomments``
-   This option toggles the display of per-record comments in the output (for example,
-   human-readable key information about DNSKEY records). The default is
-   not to print record comments unless multiline mode is active.
-
-``+[no]search``
-   This option uses [or does not use] the search list defined by the searchlist or domain
-   directive in ``resolv.conf``, if any. The search list is not used by
-   default.
-
-   ``ndots`` from ``resolv.conf`` (default 1), which may be overridden by
-   ``+ndots``, determines whether the name is treated as relative
-   and hence whether a search is eventually performed.
-
-``+[no]short``
-   This option toggles whether a terse answer is provided. The default is to print the answer in a verbose
-   form. This option always has a global effect; it cannot be set globally and
-   then overridden on a per-lookup basis.
-
-``+[no]showbadcookie``
-   This option toggles whether to show the message containing the
-   BADCOOKIE rcode before retrying the request or not. The default
-   is to not show the messages.
-
-``+[no]showsearch``
-   This option performs [or does not perform] a search showing intermediate results.
-
-``+[no]sigchase``
-   This feature is now obsolete and has been removed; use ``delv``
-   instead.
-
-``+split=W``
-   This option splits long hex- or base64-formatted fields in resource records into
-   chunks of ``W`` characters (where ``W`` is rounded up to the nearest
-   multiple of 4). ``+nosplit`` or ``+split=0`` causes fields not to be
-   split at all. The default is 56 characters, or 44 characters when
-   multiline mode is active.
-
-``+[no]stats``
-   This option toggles the printing of statistics: when the query was made, the size of the
-   reply, etc. The default behavior is to print the query statistics as a
-   comment after each lookup.
-
-``+[no]subnet=addr[/prefix-length]``
-   This option sends [or does not send] an EDNS CLIENT-SUBNET option with the specified IP
-   address or network prefix.
-
-   ``dig +subnet=0.0.0.0/0``, or simply ``dig +subnet=0`` for short,
-   sends an EDNS CLIENT-SUBNET option with an empty address and a source
-   prefix-length of zero, which signals a resolver that the client's
-   address information must *not* be used when resolving this query.
-
-``+[no]tcflag``
-   This option sets [or does not set] the TC (TrunCation) bit in the query. The default is
-   ``+notcflag``. This bit is ignored by the server for QUERY.
-
-``+[no]tcp``
-   This option indicates whether to use TCP when querying name servers.
-   The default behavior is to use UDP unless a type ``any`` or ``ixfr=N``
-   query is requested, in which case the default is TCP. AXFR queries
-   always use TCP.
-
-``+timeout=T``
-   This option sets the timeout for a query to ``T`` seconds. The default timeout is
-   5 seconds. An attempt to set ``T`` to less than 1 is silently set to 1.
-
-``+[no]tls``
-   This option indicates whether to use DNS-over-TLS (DoT) when querying
-   name servers. When this option is in use, the port number defaults
-   to 853.
-
-``+[no]topdown``
-   This feature is related to ``dig +sigchase``, which is obsolete and
-   has been removed. Use ``delv`` instead.
-
-``+[no]trace``
-   This option toggles tracing of the delegation path from the root name servers for
-   the name being looked up. Tracing is disabled by default. When
-   tracing is enabled, ``dig`` makes iterative queries to resolve the
-   name being looked up. It follows referrals from the root servers,
-   showing the answer from each server that was used to resolve the
-   lookup.
-
-   If ``@server`` is also specified, it affects only the initial query for
-   the root zone name servers.
-
-   ``+dnssec`` is also set when ``+trace`` is set, to better emulate the
-   default queries from a name server.
-
-``+tries=T``
-   This option sets the number of times to try UDP and TCP queries to server to ``T``
-   instead of the default, 3. If ``T`` is less than or equal to zero,
-   the number of tries is silently rounded up to 1.
-
-``+trusted-key=####``
-   This option formerly specified trusted keys for use with ``dig +sigchase``. This
-   feature is now obsolete and has been removed; use ``delv`` instead.
-
-``+[no]ttlid``
-   This option displays [or does not display] the TTL when printing the record.
-
-``+[no]ttlunits``
-   This option displays [or does not display] the TTL in friendly human-readable time
-   units of ``s``, ``m``, ``h``, ``d``, and ``w``, representing seconds, minutes,
-   hours, days, and weeks. This implies ``+ttlid``.
-
-``+[no]unknownformat``
-   This option prints all RDATA in unknown RR type presentation format (:rfc:`3597`).
-   The default is to print RDATA for known types in the type's
-   presentation format.
-
-``+[no]vc``
-   This option uses [or does not use] TCP when querying name servers. This alternate
-   syntax to ``+[no]tcp`` is provided for backwards compatibility. The
-   ``vc`` stands for "virtual circuit."
-
-``+[no]yaml``
-   When enabled, this option prints the responses (and, if ``+qr`` is in use, also the
-   outgoing queries) in a detailed YAML format.
-
-``+[no]zflag``
-   This option sets [or does not set] the last unassigned DNS header flag in a DNS query.
-   This flag is off by default.
-
-Multiple Queries
-~~~~~~~~~~~~~~~~
-
-The BIND 9 implementation of ``dig`` supports specifying multiple
-queries on the command line (in addition to supporting the ``-f`` batch
-file option). Each of those queries can be supplied with its own set of
-flags, options, and query options.
-
-In this case, each ``query`` argument represents an individual query in
-the command-line syntax described above. Each consists of any of the
-standard options and flags, the name to be looked up, an optional query
-type and class, and any query options that should be applied to that
-query.
-
-A global set of query options, which should be applied to all queries,
-can also be supplied. These global query options must precede the first
-tuple of name, class, type, options, flags, and query options supplied
-on the command line. Any global query options (except ``+[no]cmd`` and
-``+[no]short`` options) can be overridden by a query-specific set of
-query options. For example:
-
-::
-
-   dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-
-shows how ``dig`` can be used from the command line to make three
-lookups: an ANY query for ``www.isc.org``, a reverse lookup of 127.0.0.1,
-and a query for the NS records of ``isc.org``. A global query option of
-``+qr`` is applied, so that ``dig`` shows the initial query it made for
-each lookup. The final query has a local query option of ``+noqr`` which
-means that ``dig`` does not print the initial query when it looks up the
-NS records for ``isc.org``.
-
-IDN Support
-~~~~~~~~~~~
-
-If ``dig`` has been built with IDN (internationalized domain name)
-support, it can accept and display non-ASCII domain names. ``dig``
-appropriately converts character encoding of a domain name before sending
-a request to a DNS server or displaying a reply from the server.
-To turn off IDN support, use the parameters
-``+noidnin`` and ``+noidnout``, or define the ``IDN_DISABLE`` environment
-variable.
-
-Return Codes
-~~~~~~~~~~~~
-
-``dig`` return codes are:
-
-``0``
-   DNS response received, including NXDOMAIN status
-
-``1``
-   Usage error
-
-``8``
-   Couldn't open batch file
-
-``9``
-   No reply from server
-
-``10``
-   Internal error
-
-Files
-~~~~~
-
-``/etc/resolv.conf``
-
-``${HOME}/.digrc``
-
-See Also
-~~~~~~~~
-
-:manpage:`delv(1)`, :manpage:`host(1)`, :manpage:`named(8)`, :manpage:`dnssec-keygen(8)`, :rfc:`1035`.
-
-Bugs
-~~~~
-
-There are probably too many query options.

bin/dig/dighost.h

@@ -1,447 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-#pragma once
-
-/*! \file */
-
-#include <inttypes.h>
-#include <stdbool.h>
-
-#include <isc/attributes.h>
-#include <isc/buffer.h>
-#include <isc/formatcheck.h>
-#include <isc/lang.h>
-#include <isc/list.h>
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/netmgr.h>
-#include <isc/print.h>
-#include <isc/refcount.h>
-#include <isc/sockaddr.h>
-#include <isc/time.h>
-
-#include <dns/rdatalist.h>
-
-#include <dst/dst.h>
-
-#ifdef __APPLE__
-#include <TargetConditionals.h>
-#endif /* ifdef __APPLE__ */
-
-#define MXSERV 20
-#define MXNAME (DNS_NAME_MAXTEXT + 1)
-#define MXRD   32
-/*% Buffer Size */
-#define BUFSIZE	 512
-#define COMMSIZE 0xffff
-#ifndef RESOLV_CONF
-/*% location of resolve.conf */
-#define RESOLV_CONF "/etc/resolv.conf"
-#endif /* ifndef RESOLV_CONF */
-/*% output buffer */
-#define OUTPUTBUF 32767
-/*% Max RR Limit */
-#define MAXRRLIMIT 0xffffffff
-#define MAXTIMEOUT 0xffff
-/*% Max number of tries */
-#define MAXTRIES 0xffffffff
-/*% Max number of dots */
-#define MAXNDOTS 0xffff
-/*% Max number of ports */
-#define MAXPORT 0xffff
-/*% Max serial number */
-#define MAXSERIAL 0xffffffff
-/*% Max query ID */
-#define MAXQID 0xffff
-
-/*% Default TCP Timeout */
-#define TCP_TIMEOUT 10
-/*% Default UDP Timeout */
-#define UDP_TIMEOUT 5
-
-#define SERVER_TIMEOUT 1
-
-#define LOOKUP_LIMIT 64
-
-#define DEFAULT_EDNS_VERSION 0
-#define DEFAULT_EDNS_BUFSIZE 1232
-
-#define DEFAULT_HTTPS_QUERY "?dns="
-
-/*%
- * Lookup_limit is just a limiter, keeping too many lookups from being
- * created.  It's job is mainly to prevent the program from running away
- * in a tight loop of constant lookups.  It's value is arbitrary.
- */
-
-ISC_LANG_BEGINDECLS
-
-typedef struct dig_lookup dig_lookup_t;
-typedef struct dig_query dig_query_t;
-typedef struct dig_server dig_server_t;
-typedef ISC_LIST(dig_server_t) dig_serverlist_t;
-typedef struct dig_searchlist dig_searchlist_t;
-
-#define DIG_LOOKUP_MAGIC ISC_MAGIC('D', 'i', 'g', 'l')
-
-#define DIG_VALID_LOOKUP(x) ISC_MAGIC_VALID((x), DIG_LOOKUP_MAGIC)
-
-#define DIG_QUERY_MAGIC ISC_MAGIC('D', 'i', 'g', 'q')
-
-#define DIG_VALID_QUERY(x) ISC_MAGIC_VALID((x), DIG_QUERY_MAGIC)
-
-/*% The dig_lookup structure */
-struct dig_lookup {
-	unsigned int magic;
-	isc_refcount_t references;
-	bool aaonly, adflag, badcookie, besteffort, cdflag, comments,
-		dns64prefix, dnssec, doing_xfr, done_as_is, ednsneg, expandaaaa,
-		expire, header_only, identify, /*%< Append an "on server <foo>"
-						  message */
-		identify_previous_line,	       /*% Prepend a "Nameserver <foo>:"
-						  message, with newline and tab */
-		idnin, idnout, ignore, mapped, multiline, need_search,
-		new_search, noclass, nocrypto, nottl,
-		ns_search_only,	 /*%< dig +nssearch, host -C */
-		nsid,		 /*% Name Server ID (RFC 5001) */
-		onesoa, pending, /*%< Pending a successful answer */
-		print_unknown_format, qr, raflag, recurse, section_additional,
-		section_answer, section_authority, section_question,
-		seenbadcookie, sendcookie, servfail_stops,
-		setqid, /*% use a speciied query ID */
-		showbadcookie, stats, tcflag, tcp_keepalive, tcp_mode,
-		tcp_mode_set, tls_mode, /*% connect using TLS */
-		trace,			/*% dig +trace */
-		trace_root, /*% initial query for either +trace or +nssearch */
-		ttlunits, use_usec, waiting_connect, zflag;
-	char textname[MXNAME]; /*% Name we're going to be looking up */
-	char cmdline[MXNAME];
-	dns_rdatatype_t rdtype;
-	dns_rdatatype_t qrdtype;
-	dns_rdataclass_t rdclass;
-	bool rdtypeset;
-	bool rdclassset;
-	char name_space[BUFSIZE];
-	char oname_space[BUFSIZE];
-	isc_buffer_t namebuf;
-	isc_buffer_t onamebuf;
-	isc_buffer_t renderbuf;
-	char *sendspace;
-	dns_name_t *name;
-	isc_interval_t interval;
-	dns_message_t *sendmsg;
-	dns_name_t *oname;
-	ISC_LINK(dig_lookup_t) link;
-	ISC_LIST(dig_query_t) q;
-	ISC_LIST(dig_query_t) connecting;
-	dig_query_t *current_query;
-	dig_serverlist_t my_server_list;
-	dig_searchlist_t *origin;
-	dig_query_t *xfr_q;
-	uint32_t retries;
-	int nsfound;
-	int16_t udpsize;
-	int16_t edns;
-	int16_t padding;
-	uint32_t ixfr_serial;
-	isc_buffer_t rdatabuf;
-	char rdatastore[MXNAME];
-	dst_context_t *tsigctx;
-	isc_buffer_t *querysig;
-	uint32_t msgcounter;
-	dns_fixedname_t fdomain;
-	isc_sockaddr_t *ecs_addr;
-	char *cookie;
-	dns_ednsopt_t *ednsopts;
-	unsigned int ednsoptscnt;
-	isc_dscp_t dscp;
-	unsigned int ednsflags;
-	dns_opcode_t opcode;
-	int rrcomments;
-	unsigned int eoferr;
-	uint16_t qid;
-	struct {
-		bool http_plain;
-		bool https_mode;
-		bool https_get;
-		char *https_path;
-	};
-};
-
-/*% The dig_query structure */
-struct dig_query {
-	unsigned int magic;
-	dig_lookup_t *lookup;
-	bool first_pass;
-	bool first_soa_rcvd;
-	bool second_rr_rcvd;
-	bool first_repeat_rcvd;
-	bool warn_id;
-	uint32_t first_rr_serial;
-	uint32_t second_rr_serial;
-	uint32_t msg_count;
-	uint32_t rr_count;
-	bool ixfr_axfr;
-	char *servname;
-	char *userarg;
-	isc_buffer_t sendbuf;
-	char *recvspace, *tmpsendspace, lengthspace[4];
-	isc_refcount_t references;
-	isc_nmhandle_t *handle;
-	isc_nmhandle_t *readhandle;
-	isc_nmhandle_t *sendhandle;
-	ISC_LINK(dig_query_t) link;
-	ISC_LINK(dig_query_t) clink;
-	isc_sockaddr_t sockaddr;
-	isc_time_t time_sent;
-	isc_time_t time_recv;
-	uint64_t byte_count;
-	isc_timer_t *timer;
-	isc_tlsctx_t *tlsctx;
-};
-
-struct dig_server {
-	char servername[MXNAME];
-	char userarg[MXNAME];
-	ISC_LINK(dig_server_t) link;
-};
-
-struct dig_searchlist {
-	char origin[MXNAME];
-	ISC_LINK(dig_searchlist_t) link;
-};
-
-typedef ISC_LIST(dig_searchlist_t) dig_searchlistlist_t;
-typedef ISC_LIST(dig_lookup_t) dig_lookuplist_t;
-
-/*
- * Externals from dighost.c
- */
-
-extern dig_lookuplist_t lookup_list;
-extern dig_serverlist_t server_list;
-extern dig_searchlistlist_t search_list;
-extern unsigned int extrabytes;
-
-extern bool check_ra, have_ipv4, have_ipv6, specified_source, usesearch,
-	showsearch, yaml;
-extern in_port_t port;
-extern bool port_set;
-extern unsigned int timeout;
-extern isc_mem_t *mctx;
-extern isc_refcount_t sendcount;
-extern int ndots;
-extern int lookup_counter;
-extern int exitcode;
-extern isc_sockaddr_t localaddr;
-extern char keynametext[MXNAME];
-extern char keyfile[MXNAME];
-extern char keysecret[MXNAME];
-extern const dns_name_t *hmacname;
-extern unsigned int digestbits;
-extern dns_tsigkey_t *tsigkey;
-extern bool validated;
-extern isc_taskmgr_t *taskmgr;
-extern isc_task_t *global_task;
-extern bool free_now;
-extern bool debugging, debugtiming, memdebugging;
-extern bool keep_open;
-
-extern char *progname;
-extern int tries;
-extern int fatalexit;
-extern bool verbose;
-
-/*
- * Routines in dighost.c.
- */
-isc_result_t
-get_address(char *host, in_port_t myport, isc_sockaddr_t *sockaddr);
-
-int
-getaddresses(dig_lookup_t *lookup, const char *host, isc_result_t *resultp);
-
-isc_result_t
-get_reverse(char *reverse, size_t len, char *value, bool strict);
-
-ISC_NORETURN void
-fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
-
-void
-warn(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
-
-ISC_NORETURN void
-digexit(void);
-
-void
-debug(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
-
-void
-check_result(isc_result_t result, const char *msg);
-
-bool
-setup_lookup(dig_lookup_t *lookup);
-
-void
-destroy_lookup(dig_lookup_t *lookup);
-
-void
-do_lookup(dig_lookup_t *lookup);
-
-void
-start_lookup(void);
-
-void
-onrun_callback(isc_task_t *task, isc_event_t *event);
-
-int
-dhmain(int argc, char **argv);
-
-void
-setup_libs(void);
-
-void
-setup_system(bool ipv4only, bool ipv6only);
-
-isc_result_t
-parse_uint(uint32_t *uip, const char *value, uint32_t max, const char *desc);
-
-isc_result_t
-parse_xint(uint32_t *uip, const char *value, uint32_t max, const char *desc);
-
-isc_result_t
-parse_netprefix(isc_sockaddr_t **sap, const char *value);
-
-void
-parse_hmac(const char *hmacstr);
-
-dig_lookup_t *
-requeue_lookup(dig_lookup_t *lookold, bool servers);
-
-dig_lookup_t *
-make_empty_lookup(void);
-
-dig_lookup_t *
-clone_lookup(dig_lookup_t *lookold, bool servers);
-
-dig_server_t *
-make_server(const char *servname, const char *userarg);
-
-void
-flush_server_list(void);
-
-void
-set_nameserver(char *opt);
-
-void
-clone_server_list(dig_serverlist_t src, dig_serverlist_t *dest);
-
-void
-cancel_all(void);
-
-void
-destroy_libs(void);
-
-void
-set_search_domain(char *domain);
-
-/*
- * Routines to be defined in dig.c, host.c, and nslookup.c. and
- * then assigned to the appropriate function pointer
- */
-extern isc_result_t (*dighost_printmessage)(dig_query_t *query,
-					    const isc_buffer_t *msgbuf,
-					    dns_message_t *msg, bool headers);
-
-/*
- * Print an error message in the appropriate format.
- */
-extern void (*dighost_error)(const char *format, ...);
-
-/*
- * Print a warning message in the appropriate format.
- */
-extern void (*dighost_warning)(const char *format, ...);
-
-/*
- * Print a comment in the appropriate format.
- */
-extern void (*dighost_comments)(dig_lookup_t *lookup, const char *format, ...);
-
-/*%<
- * Print the final result of the lookup.
- */
-
-extern void (*dighost_received)(unsigned int bytes, isc_sockaddr_t *from,
-				dig_query_t *query);
-/*%<
- * Print a message about where and when the response
- * was received from, like the final comment in the
- * output of "dig".
- */
-
-extern void (*dighost_trying)(char *frm, dig_lookup_t *lookup);
-
-extern void (*dighost_shutdown)(void);
-
-extern void (*dighost_pre_exit_hook)(void);
-
-void
-save_opt(dig_lookup_t *lookup, char *code, char *value);
-
-void
-setup_file_key(void);
-void
-setup_text_key(void);
-
-/*
- * Routines exported from dig.c for use by dig for iOS
- */
-
-/*%
- * Call once only to set up libraries, parse global
- * parameters and initial command line query parameters
- */
-void
-dig_setup(int argc, char **argv);
-
-/*%
- * Call to supply new parameters for the next lookup
- */
-void
-dig_query_setup(bool, bool, int argc, char **argv);
-
-/*%
- * set the main application event cycle running
- */
-void
-dig_startup(void);
-
-/*%
- * Initiates the next lookup cycle
- */
-void
-dig_query_start(void);
-
-/*%
- * Activate/deactivate IDN filtering of output.
- */
-void
-dig_idnsetup(dig_lookup_t *lookup, bool active);
-
-/*%
- * Cleans up the application
- */
-void
-dig_shutdown(void);
-
-ISC_LANG_ENDDECLS

bin/dig/host.rst

@@ -1,181 +0,0 @@
-.. 
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-   
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, you can obtain one at https://mozilla.org/MPL/2.0/.
-   
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-..
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-
-.. highlight: console
-
-.. _man_host:
-
-host - DNS lookup utility
--------------------------
-
-Synopsis
-~~~~~~~~
-
-:program:`host` [**-aACdlnrsTUwv**] [**-c** class] [**-N** ndots] [**-p** port] [**-R** number] [**-t** type] [**-W** wait] [**-m** flag] [ [**-4**] | [**-6**] ] [**-v**] [**-V**] {name} [server]
-
-Description
-~~~~~~~~~~~
-
-``host`` is a simple utility for performing DNS lookups. It is normally
-used to convert names to IP addresses and vice versa. When no arguments
-or options are given, ``host`` prints a short summary of its
-command-line arguments and options.
-
-``name`` is the domain name that is to be looked up. It can also be a
-dotted-decimal IPv4 address or a colon-delimited IPv6 address, in which
-case ``host`` by default performs a reverse lookup for that address.
-``server`` is an optional argument which is either the name or IP
-address of the name server that ``host`` should query instead of the
-server or servers listed in ``/etc/resolv.conf``.
-
-Options
-~~~~~~~
-
-``-4``
-   This option specifies that only IPv4 should be used for query transport. See also the ``-6`` option.
-
-``-6``
-   This option specifies that only IPv6 should be used for query transport. See also the ``-4`` option.
-
-``-a``
-   The ``-a`` ("all") option is normally equivalent to ``-v -t ANY``. It
-   also affects the behavior of the ``-l`` list zone option.
-
-``-A``
-   The ``-A`` ("almost all") option is equivalent to ``-a``, except that RRSIG,
-   NSEC, and NSEC3 records are omitted from the output.
-
-``-c class``
-   This option specifies the query class, which can be used to lookup HS (Hesiod) or CH (Chaosnet)
-   class resource records. The default class is IN (Internet).
-
-``-C``
-   This option indicates that ``named`` should check consistency, meaning that ``host`` queries the SOA records for zone
-   ``name`` from all the listed authoritative name servers for that
-   zone. The list of name servers is defined by the NS records that are
-   found for the zone.
-
-``-d``
-   This option prints debugging traces, and is equivalent to the ``-v`` verbose option.
-
-``-l``
-   This option tells ``named` to list the zone, meaning the ``host`` command performs a zone transfer of zone
-   ``name`` and prints out the NS, PTR, and address records (A/AAAA).
-
-   Together, the ``-l -a`` options print all records in the zone.
-
-``-N ndots``
-   This option specifies the number of dots (``ndots``) that have to be in ``name`` for it to be
-   considered absolute. The default value is that defined using the
-   ``ndots`` statement in ``/etc/resolv.conf``, or 1 if no ``ndots`` statement
-   is present. Names with fewer dots are interpreted as relative names,
-   and are searched for in the domains listed in the ``search`` or
-   ``domain`` directive in ``/etc/resolv.conf``.
-
-``-p port``
-   This option specifies the port to query on the server. The default is 53.
-
-``-r``
-   This option specifies a non-recursive query; setting this option clears the RD (recursion
-   desired) bit in the query. This means that the name server
-   receiving the query does not attempt to resolve ``name``. The ``-r``
-   option enables ``host`` to mimic the behavior of a name server by
-   making non-recursive queries, and expecting to receive answers to
-   those queries that can be referrals to other name servers.
-
-``-R number``
-   This option specifies the number of retries for UDP queries. If ``number`` is negative or zero,
-   the number of retries is silently set to 1. The default value is 1, or
-   the value of the ``attempts`` option in ``/etc/resolv.conf``, if set.
-
-``-s``
-   This option tells ``named`` *not* to send the query to the next nameserver if any server responds
-   with a SERVFAIL response, which is the reverse of normal stub
-   resolver behavior.
-
-``-t type``
-   This option specifies the query type. The ``type`` argument can be any recognized query type:
-   CNAME, NS, SOA, TXT, DNSKEY, AXFR, etc.
-
-   When no query type is specified, ``host`` automatically selects an
-   appropriate query type. By default, it looks for A, AAAA, and MX
-   records. If the ``-C`` option is given, queries are made for SOA
-   records. If ``name`` is a dotted-decimal IPv4 address or
-   colon-delimited IPv6 address, ``host`` queries for PTR records.
-
-   If a query type of IXFR is chosen, the starting serial number can be
-   specified by appending an equals sign (=), followed by the starting serial
-   number, e.g., ``-t IXFR=12345678``.
-
-``-T``; ``-U``
-   This option specifies TCP or UDP. By default, ``host`` uses UDP when making queries; the
-   ``-T`` option makes it use a TCP connection when querying the name
-   server. TCP is automatically selected for queries that require
-   it, such as zone transfer (AXFR) requests. Type ``ANY`` queries default
-   to TCP, but can be forced to use UDP initially via ``-U``.
-
-``-m flag``
-   This option sets memory usage debugging: the flag can be ``record``, ``usage``, or
-   ``trace``. The ``-m`` option can be specified more than once to set
-   multiple flags.
-
-``-v``
-   This option sets verbose output, and is equivalent to the ``-d`` debug option. Verbose output
-   can also be enabled by setting the ``debug`` option in
-   ``/etc/resolv.conf``.
-
-``-V``
-   This option prints the version number and exits.
-
-``-w``
-   This option sets "wait forever": the query timeout is set to the maximum possible. See
-   also the ``-W`` option.
-
-``-W wait``
-   This options sets the length of the wait timeout, indicating that ``named`` should wait for up to ``wait`` seconds for a reply. If ``wait`` is
-   less than 1, the wait interval is set to 1 second.
-
-   By default, ``host`` waits for 5 seconds for UDP responses and 10
-   seconds for TCP connections. These defaults can be overridden by the
-   ``timeout`` option in ``/etc/resolv.conf``.
-
-   See also the ``-w`` option.
-
-IDN Support
-~~~~~~~~~~~
-
-If ``host`` has been built with IDN (internationalized domain name)
-support, it can accept and display non-ASCII domain names. ``host``
-appropriately converts character encoding of a domain name before sending
-a request to a DNS server or displaying a reply from the server.
-To turn off IDN support, define the ``IDN_DISABLE``
-environment variable. IDN support is disabled if the variable is set
-when ``host`` runs.
-
-Files
-~~~~~
-
-``/etc/resolv.conf``
-
-See Also
-~~~~~~~~
-
-:manpage:`dig(1)`, :manpage:`named(8)`.

bin/dig/include/dig/dig.h

@@ -0,0 +1,259 @@
+/*
+ * Copyright (C) 2000, 2001  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
+ * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+ * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dig.h,v 1.60.4.2 2001/11/15 01:30:44 marka Exp $ */
+
+#ifndef DIG_H
+#define DIG_H
+
+#include <dns/rdatalist.h>
+#include <dst/dst.h>
+#include <isc/boolean.h>
+#include <isc/buffer.h>
+#include <isc/bufferlist.h>
+#include <isc/lang.h>
+#include <isc/list.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/sockaddr.h>
+#include <isc/socket.h>
+
+#define MXSERV 6
+#define MXNAME (DNS_NAME_MAXTEXT+1)
+#define MXRD 32
+#define BUFSIZE 512
+#define COMMSIZE 0xffff
+#define RESOLVCONF "/etc/resolv.conf"
+#define OUTPUTBUF 32767
+#define MAXRRLIMIT 0xffffffff
+#define MAXTIMEOUT 0xffff
+#define MAXTRIES 0xffffffff
+#define MAXNDOTS 0xffff
+#define MAXPORT 0xffff
+#define MAXSERIAL 0xffffffff
+
+/*
+ * Default timeout values
+ */
+#define TCP_TIMEOUT 10
+#define UDP_TIMEOUT 5
+
+#define SERVER_TIMEOUT 1
+
+#define LOOKUP_LIMIT 64
+/*
+ * Lookup_limit is just a limiter, keeping too many lookups from being
+ * created.  It's job is mainly to prevent the program from running away
+ * in a tight loop of constant lookups.  It's value is arbitrary.
+ */
+
+#define ROOTNS 1
+/*
+ * Set the number of root servers to ask for information when running in
+ * trace mode.
+ * XXXMWS -- trace mode is currently semi-broken, and this number *MUST*
+ * be 1.
+ */
+
+ISC_LANG_BEGINDECLS
+
+typedef struct dig_lookup dig_lookup_t;
+typedef struct dig_query dig_query_t;
+typedef struct dig_server dig_server_t;
+typedef ISC_LIST(dig_server_t) dig_serverlist_t;
+typedef struct dig_searchlist dig_searchlist_t;
+
+struct dig_lookup {
+	isc_boolean_t
+	        pending, /* Pending a successful answer */
+		waiting_connect,
+		doing_xfr,
+		ns_search_only,
+		identify,
+		ignore,
+		recurse,
+		aaonly,
+		adflag,
+		cdflag,
+		trace,
+		trace_root,
+		defname,
+		tcp_mode,
+		nibble,
+		comments,
+		stats,
+		section_question,
+		section_answer,
+		section_authority,
+		section_additional,
+		servfail_stops,
+		new_search,
+		besteffort,
+		dnssec;
+	char textname[MXNAME]; /* Name we're going to be looking up */
+	char cmdline[MXNAME];
+	dns_rdatatype_t rdtype;
+	dns_rdataclass_t rdclass;
+	isc_boolean_t rdtypeset;
+	isc_boolean_t rdclassset;
+	char namespace[BUFSIZE];
+	char onamespace[BUFSIZE];
+	isc_buffer_t namebuf;
+	isc_buffer_t onamebuf;
+	isc_buffer_t sendbuf;
+	char *sendspace;
+	dns_name_t *name;
+	isc_timer_t *timer;
+	isc_interval_t interval;
+	dns_message_t *sendmsg;
+	dns_name_t *oname;
+	ISC_LINK(dig_lookup_t) link;
+	ISC_LIST(dig_query_t) q;
+	dig_query_t *current_query;
+	dig_serverlist_t my_server_list;
+	dig_searchlist_t *origin;
+	dig_query_t *xfr_q;
+	isc_uint32_t retries;
+	int nsfound;
+	isc_uint16_t udpsize;
+	isc_uint32_t ixfr_serial;
+	isc_buffer_t rdatabuf;
+	char rdatastore[MXNAME];
+	dst_context_t *tsigctx;
+	isc_buffer_t *querysig;
+	isc_uint32_t msgcounter;
+};
+
+struct dig_query {
+	dig_lookup_t *lookup;
+	isc_boolean_t waiting_connect,
+		first_pass,
+		first_soa_rcvd,
+		second_rr_rcvd,
+		first_repeat_rcvd,
+		recv_made;
+	isc_uint32_t first_rr_serial;
+	isc_uint32_t second_rr_serial;
+	isc_uint32_t rr_count;
+	char *servname;
+	isc_bufferlist_t sendlist,
+		recvlist,
+		lengthlist;
+	isc_buffer_t recvbuf,
+		lengthbuf,
+		slbuf;
+	char *recvspace,
+		lengthspace[4],
+		slspace[4];
+	isc_socket_t *sock;
+	ISC_LINK(dig_query_t) link;
+	isc_sockaddr_t sockaddr;
+	isc_time_t time_sent;
+};
+
+struct dig_server {
+	char servername[MXNAME];
+	ISC_LINK(dig_server_t) link;
+};
+
+struct dig_searchlist {
+	char origin[MXNAME];
+	ISC_LINK(dig_searchlist_t) link;
+};
+
+/*
+ * Routines in dighost.c.
+ */
+void
+get_address(char *host, in_port_t port, isc_sockaddr_t *sockaddr);
+
+isc_result_t
+get_reverse(char reverse[MXNAME], char *value, isc_boolean_t nibble);
+
+void
+fatal(const char *format, ...);
+
+void
+debug(const char *format, ...);
+
+void
+check_result(isc_result_t result, const char *msg);
+
+void
+setup_lookup(dig_lookup_t *lookup);
+
+void
+do_lookup(dig_lookup_t *lookup);
+
+void
+start_lookup(void);
+
+void
+onrun_callback(isc_task_t *task, isc_event_t *event);
+
+int
+dhmain(int argc, char **argv);
+
+void
+setup_libs(void);
+
+void
+setup_system(void);
+
+dig_lookup_t *
+requeue_lookup(dig_lookup_t *lookold, isc_boolean_t servers);
+
+dig_lookup_t *
+make_empty_lookup(void);
+
+dig_lookup_t *
+clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers);
+
+dig_server_t *
+make_server(const char *servname);
+
+void
+clone_server_list(dig_serverlist_t src,
+		  dig_serverlist_t *dest);
+
+void
+cancel_all(void);
+
+void
+destroy_libs(void);
+
+/*
+ * Routines needed in dig.c and host.c.
+ */
+isc_result_t
+printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers);
+
+void
+received(int bytes, int frmsize, char *frm, dig_query_t *query);
+
+void
+trying(int frmsize, char *frm, dig_lookup_t *lookup);
+
+void
+dighost_shutdown(void);
+
+char *
+next_token(char **stringp, const char *delim);
+
+ISC_LANG_ENDDECLS
+
+#endif

bin/dig/nslookup.rst

@@ -1,216 +0,0 @@
-.. 
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-   
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, you can obtain one at https://mozilla.org/MPL/2.0/.
-   
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-..
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-
-.. highlight: console
-
-.. _man_nslookup:
-
-nslookup - query Internet name servers interactively
-----------------------------------------------------
-
-Synopsis
-~~~~~~~~
-
-:program:`nslookup` [-option] [name | -] [server]
-
-Description
-~~~~~~~~~~~
-
-``nslookup`` is a program to query Internet domain name servers.
-``nslookup`` has two modes: interactive and non-interactive. Interactive
-mode allows the user to query name servers for information about various
-hosts and domains or to print a list of hosts in a domain.
-Non-interactive mode prints just the name and requested
-information for a host or domain.
-
-Arguments
-~~~~~~~~~
-
-Interactive mode is entered in the following cases:
-
-a. when no arguments are given (the default name server is used);
-
-b. when the first argument is a hyphen (-) and the second argument is
-   the host name or Internet address of a name server.
-
-Non-interactive mode is used when the name or Internet address of the
-host to be looked up is given as the first argument. The optional second
-argument specifies the host name or address of a name server.
-
-Options can also be specified on the command line if they precede the
-arguments and are prefixed with a hyphen. For example, to change the
-default query type to host information, with an initial timeout of 10
-seconds, type:
-
-::
-
-   nslookup -query=hinfo  -timeout=10
-
-The ``-version`` option causes ``nslookup`` to print the version number
-and immediately exit.
-
-Interactive Commands
-~~~~~~~~~~~~~~~~~~~~
-
-``host [server]``
-   This command looks up information for ``host`` using the current default server or
-   using ``server``, if specified. If ``host`` is an Internet address and the
-   query type is A or PTR, the name of the host is returned. If ``host`` is
-   a name and does not have a trailing period (``.``), the search list is used
-   to qualify the name.
-
-   To look up a host not in the current domain, append a period to the
-   name.
-
-``server domain`` | ``lserver domain``
-   These commands change the default server to ``domain``; ``lserver`` uses the initial
-   server to look up information about ``domain``, while ``server`` uses the
-   current default server. If an authoritative answer cannot be found,
-   the names of servers that might have the answer are returned.
-
-``root``
-   This command is not implemented.
-
-``finger``
-   This command is not implemented.
-
-``ls``
-   This command is not implemented.
-
-``view``
-   This command is not implemented.
-
-``help``
-   This command is not implemented.
-
-``?``
-   This command is not implemented.
-
-``exit``
-   This command exits the program.
-
-``set keyword[=value]``
-   This command is used to change state information that affects the
-   lookups. Valid keywords are:
-
-   ``all``
-      This keyword prints the current values of the frequently used options to
-      ``set``. Information about the current default server and host is
-      also printed.
-
-   ``class=value``
-      This keyword changes the query class to one of:
-
-      ``IN``
-         the Internet class
-
-      ``CH``
-         the Chaos class
-
-      ``HS``
-         the Hesiod class
-
-      ``ANY``
-         wildcard
-
-      The class specifies the protocol group of the information. The default
-      is ``IN``; the abbreviation for this keyword is ``cl``.
-
-   ``nodebug``
-      This keyword turns on or off the display of the full response packet, and any
-      intermediate response packets, when searching. The default for this keyword is
-      ``nodebug``; the abbreviation for this keyword is ``[no]deb``.
-
-   ``nod2``
-      This keyword turns debugging mode on or off. This displays more about what
-      nslookup is doing. The default is ``nod2``.
-
-   ``domain=name``
-      This keyword sets the search list to ``name``.
-
-   ``nosearch``
-      If the lookup request contains at least one period, but does not end
-      with a trailing period, this keyword appends the domain names in the domain
-      search list to the request until an answer is received. The default is ``search``.
-
-   ``port=value``
-      This keyword changes the default TCP/UDP name server port to ``value`` from
-      its default, port 53. The abbreviation for this keyword is ``po``.
-
-   ``querytype=value`` | ``type=value``
-      This keyword changes the type of the information query to ``value``. The
-      defaults are A and then AAAA; the abbreviations for these keywords are
-      ``q`` and ``ty``.
-
-      Please note that it is only possible to specify one query type. Only the default
-      behavior looks up both when an alternative is not specified.
-
-   ``norecurse``
-      This keyword tells the name server to query other servers if it does not have
-      the information. The default is ``recurse``; the abbreviation for this
-      keyword is ``[no]rec``.
-
-   ``ndots=number``
-      This keyword sets the number of dots (label separators) in a domain that
-      disables searching. Absolute names always stop searching.
-
-   ``retry=number``
-      This keyword sets the number of retries to ``number``.
-
-   ``timeout=number``
-      This keyword changes the initial timeout interval to wait for a reply to
-      ``number``, in seconds.
-
-   ``novc``
-      This keyword indicates that a virtual circuit should always be used when sending requests to the server.
-      ``novc`` is the default.
-
-   ``nofail``
-      This keyword tries the next nameserver if a nameserver responds with SERVFAIL or
-      a referral (nofail), or terminates the query (fail) on such a response. The
-      default is ``nofail``.
-
-Return Values
-~~~~~~~~~~~~~
-
-``nslookup`` returns with an exit status of 1 if any query failed, and 0
-otherwise.
-
-IDN Support
-~~~~~~~~~~~
-
-If ``nslookup`` has been built with IDN (internationalized domain name)
-support, it can accept and display non-ASCII domain names. ``nslookup``
-appropriately converts character encoding of a domain name before sending
-a request to a DNS server or displaying a reply from the server.
-To turn off IDN support, define the ``IDN_DISABLE``
-environment variable. IDN support is disabled if the variable is set
-when ``nslookup`` runs, or when the standard output is not a tty.
-
-Files
-~~~~~
-
-``/etc/resolv.conf``
-
-See Also
-~~~~~~~~
-
-:manpage:`dig(1)`, :manpage:`host(1)`, :manpage:`named(8)`.

bin/dig/readline.h

@@ -1,56 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-#pragma once
-
-/*
- * A little wrapper around readline(), add_history() and free() to make using
- * the readline code simpler.
- */
-
-#if defined(HAVE_READLINE_LIBEDIT)
-#include <editline/readline.h>
-#elif defined(HAVE_READLINE_EDITLINE)
-#include <editline.h>
-#elif defined(HAVE_READLINE_READLINE)
-/* Prevent deprecated functions being declared. */
-#define _FUNCTION_DEF 1
-/* Ensure rl_message() gets prototype. */
-#define USE_VARARGS   1
-#define PREFER_STDARG 1
-#include <readline/history.h>
-#include <readline/readline.h>
-#endif
-
-#if !defined(HAVE_READLINE_LIBEDIT) && !defined(HAVE_READLINE_EDITLINE) && \
-	!defined(HAVE_READLINE_READLINE)
-
-#include <stdio.h>
-#include <stdlib.h>
-
-#define RL_MAXCMD (128 * 1024)
-
-static inline char *
-readline(const char *prompt) {
-	char *line, *buf = malloc(RL_MAXCMD);
-	fprintf(stdout, "%s", prompt);
-	fflush(stdout);
-	line = fgets(buf, RL_MAXCMD, stdin);
-	if (line == NULL) {
-		free(buf);
-		return (NULL);
-	}
-	return (buf);
-};
-
-#define add_history(line)
-
-#endif

bin/dnssec/.cvsignore

@@ -0,0 +1,7 @@
+Makefile
+dnssec-keygen
+dnssec-makekeyset
+dnssec-signkey
+dnssec-signzone
+*.lo
+.libs

bin/dnssec/.gitignore

@@ -1,12 +0,0 @@
-dnssec-cds
-dnssec-dsfromkey
-dnssec-keyfromlabel
-dnssec-keygen
-dnssec-makekeyset
-dnssec-revoke
-dnssec-settime
-dnssec-signkey
-dnssec-signzone
-dnssec-verify
-dnssec-importkey
-.libs

bin/dnssec/Makefile.am

@@ -1,38 +0,0 @@
-include $(top_srcdir)/Makefile.top
-
-AM_CPPFLAGS +=			\
-	$(LIBISC_CFLAGS)	\
-	$(LIBDNS_CFLAGS)
-
-AM_CPPFLAGS +=			\
-	-DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
-
-noinst_LTLIBRARIES = libdnssectool.la
-
-LDADD +=			\
-	libdnssectool.la	\
-	$(LIBISC_LIBS)		\
-	$(LIBDNS_LIBS)
-
-bin_PROGRAMS = \
-	dnssec-cds		\
-	dnssec-dsfromkey	\
-	dnssec-importkey	\
-	dnssec-keyfromlabel	\
-	dnssec-keygen		\
-	dnssec-revoke		\
-	dnssec-settime		\
-	dnssec-signzone		\
-	dnssec-verify
-
-libdnssectool_la_SOURCES =	\
-	dnssectool.h		\
-	dnssectool.c
-
-dnssec_keygen_CPPFLAGS =	\
-	$(AM_CPPFLAGS)		\
-	$(LIBISCCFG_CFLAGS)
-
-dnssec_keygen_LDADD =		\
-	$(LDADD)		\
-	$(LIBISCCFG_LIBS)

bin/dnssec/Makefile.in

@@ -0,0 +1,77 @@
+# Copyright (C) 2000, 2001  Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
+# DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+# INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
+# FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.13.2.1 2001/01/09 22:31:28 bwelling Exp $
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+@BIND9_VERSION@
+
+@BIND9_INCLUDES@
+
+CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES}
+
+CDEFINES =
+CWARNINGS =
+
+DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_OPENSSL_LIBS@ @DNS_GSSAPI_LIBS@
+ISCLIBS =	../../lib/isc/libisc.@A@
+
+DNSDEPLIBS =	../../lib/dns/libdns.@A@
+ISCDEPLIBS =	../../lib/isc/libisc.@A@
+
+DEPLIBS =	${DNSDEPLIBS} ${ISCDEPLIBS}
+
+LIBS =		${DNSLIBS} ${ISCLIBS} @LIBS@
+
+# Alphabetically
+TARGETS =	dnssec-keygen \
+		dnssec-makekeyset \
+		dnssec-signkey \
+		dnssec-signzone
+
+OBJS =		dnssectool.@O@
+
+SRCS =		dnssec-keygen.c dnssec-makekeyset.c \
+		dnssec-signkey.c dnssec-signzone.c \
+		dnssectool.c
+
+@BIND9_MAKE_RULES@
+
+dnssec-keygen: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS}
+	${LIBTOOL} ${CC} ${CFLAGS} -o $@ dnssec-keygen.@O@ ${OBJS} ${LIBS}
+
+dnssec-makekeyset: dnssec-makekeyset.@O@ ${OBJS} ${DEPLIBS}
+	${LIBTOOL} ${CC} ${CFLAGS} -o $@ dnssec-makekeyset.@O@ ${OBJS} ${LIBS}
+
+dnssec-signkey: dnssec-signkey.@O@ ${OBJS} ${DEPLIBS}
+	${LIBTOOL} ${CC} ${CFLAGS} -o $@ dnssec-signkey.@O@ ${OBJS} ${LIBS}
+
+dnssec-signzone.@O@: dnssec-signzone.c
+	${LIBTOOL} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" -c $<
+
+dnssec-signzone: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS}
+	${LIBTOOL} ${CC} ${CFLAGS} -o $@ dnssec-signzone.@O@ ${OBJS} ${LIBS}
+
+clean distclean::
+	rm -f ${TARGETS}
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
+
+install:: ${TARGETS} installdirs
+	for t in ${TARGETS}; do ${LIBTOOL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir}; done

bin/dnssec/dnssec-cds.rst

@@ -1,218 +0,0 @@
-.. 
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-   
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, you can obtain one at https://mozilla.org/MPL/2.0/.
-   
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-..
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-
-.. highlight: console
-
-.. _man_dnssec-cds:
-
-dnssec-cds - change DS records for a child zone based on CDS/CDNSKEY
---------------------------------------------------------------------
-
-Synopsis
-~~~~~~~~
-
-:program:`dnssec-cds` [**-a** alg...] [**-c** class] [**-D**] {**-d** dsset-file} {**-f** child-file} [**-i**[extension]] [**-s** start-time] [**-T** ttl] [**-u**] [**-v** level] [**-V**] {domain}
-
-Description
-~~~~~~~~~~~
-
-The ``dnssec-cds`` command changes DS records at a delegation point
-based on CDS or CDNSKEY records published in the child zone. If both CDS
-and CDNSKEY records are present in the child zone, the CDS is preferred.
-This enables a child zone to inform its parent of upcoming changes to
-its key-signing keys (KSKs); by polling periodically with ``dnssec-cds``, the
-parent can keep the DS records up-to-date and enable automatic rolling
-of KSKs.
-
-Two input files are required. The ``-f child-file`` option specifies a
-file containing the child's CDS and/or CDNSKEY records, plus RRSIG and
-DNSKEY records so that they can be authenticated. The ``-d path`` option
-specifies the location of a file containing the current DS records. For
-example, this could be a ``dsset-`` file generated by
-``dnssec-signzone``, or the output of ``dnssec-dsfromkey``, or the
-output of a previous run of ``dnssec-cds``.
-
-The ``dnssec-cds`` command uses special DNSSEC validation logic
-specified by :rfc:`7344`. It requires that the CDS and/or CDNSKEY records
-be validly signed by a key represented in the existing DS records. This
-is typically the pre-existing KSK.
-
-For protection against replay attacks, the signatures on the child
-records must not be older than they were on a previous run of
-``dnssec-cds``. Their age is obtained from the modification time of the
-``dsset-`` file, or from the ``-s`` option.
-
-To protect against breaking the delegation, ``dnssec-cds`` ensures that
-the DNSKEY RRset can be verified by every key algorithm in the new DS
-RRset, and that the same set of keys are covered by every DS digest
-type.
-
-By default, replacement DS records are written to the standard output;
-with the ``-i`` option the input file is overwritten in place. The
-replacement DS records are the same as the existing records, when no
-change is required. The output can be empty if the CDS/CDNSKEY records
-specify that the child zone wants to be insecure.
-
-.. warning::
-
-   Be careful not to delete the DS records when ``dnssec-cds`` fails!
-
-Alternatively, ``dnssec-cds -u`` writes an ``nsupdate`` script to the
-standard output. The ``-u`` and ``-i`` options can be used together to
-maintain a ``dsset-`` file as well as emit an ``nsupdate`` script.
-
-Options
-~~~~~~~
-
-``-a algorithm``
-   When converting CDS records to DS records, this option specifies
-   the acceptable digest algorithms. This option can be repeated, so
-   that multiple digest types are allowed. If none of the CDS records
-   use an acceptable digest type, ``dnssec-cds`` will try to use CDNSKEY
-   records instead; if there are no CDNSKEY records, it reports an error.
-
-   When converting CDNSKEY records to DS records, this option specifies the
-   digest algorithm to use. It can be repeated, so that multiple DS records
-   are created for each CDNSKEY records.
-
-   The algorithm must be one of SHA-1, SHA-256, or SHA-384. These values
-   are case-insensitive, and the hyphen may be omitted. If no algorithm
-   is specified, the default is SHA-256 only.
-
-``-c class``
-   This option specifies the DNS class of the zones.
-
-``-D``
-   This option generates DS records from CDNSKEY records if both CDS and CDNSKEY
-   records are present in the child zone. By default CDS records are
-   preferred.
-
-``-d path``
-   This specifies the location of the parent DS records. The path can be the name of a file
-   containing the DS records; if it is a directory, ``dnssec-cds``
-   looks for a ``dsset-`` file for the domain inside the directory.
-
-   To protect against replay attacks, child records are rejected if they
-   were signed earlier than the modification time of the ``dsset-``
-   file. This can be adjusted with the ``-s`` option.
-
-``-f child-file``
-   This option specifies the file containing the child's CDS and/or CDNSKEY records, plus its
-   DNSKEY records and the covering RRSIG records, so that they can be
-   authenticated.
-
-   The examples below describe how to generate this file.
-
-``-iextension``
-   This option updates the ``dsset-`` file in place, instead of writing DS records to
-   the standard output.
-
-   There must be no space between the ``-i`` and the extension. If
-   no extension is provided, the old ``dsset-`` is discarded. If an
-   extension is present, a backup of the old ``dsset-`` file is kept
-   with the extension appended to its filename.
-
-   To protect against replay attacks, the modification time of the
-   ``dsset-`` file is set to match the signature inception time of the
-   child records, provided that it is later than the file's current
-   modification time.
-
-``-s start-time``
-   This option specifies the date and time after which RRSIG records become
-   acceptable. This can be either an absolute or a relative time. An
-   absolute start time is indicated by a number in YYYYMMDDHHMMSS
-   notation; 20170827133700 denotes 13:37:00 UTC on August 27th, 2017. A
-   time relative to the ``dsset-`` file is indicated with ``-N``, which is N
-   seconds before the file modification time. A time relative to the
-   current time is indicated with ``now+N``.
-
-   If no start-time is specified, the modification time of the
-   ``dsset-`` file is used.
-
-``-T ttl``
-   This option specifies a TTL to be used for new DS records. If not specified, the
-   default is the TTL of the old DS records. If they had no explicit TTL,
-   the new DS records also have no explicit TTL.
-
-``-u``
-   This option writes an ``nsupdate`` script to the standard output, instead of
-   printing the new DS reords. The output is empty if no change is
-   needed.
-
-   Note: The TTL of new records needs to be specified: it can be done in the
-   original ``dsset-`` file, with the ``-T`` option, or using the
-   ``nsupdate`` ``ttl`` command.
-
-``-V``
-   This option prints version information.
-
-``-v level``
-   This option sets the debugging level. Level 1 is intended to be usefully verbose
-   for general users; higher levels are intended for developers.
-
-``domain``
-   This indicates the name of the delegation point/child zone apex.
-
-Exit Status
-~~~~~~~~~~~
-
-The ``dnssec-cds`` command exits 0 on success, or non-zero if an error
-occurred.
-
-If successful, the DS records may or may not need to be
-changed.
-
-Examples
-~~~~~~~~
-
-Before running ``dnssec-signzone``, ensure that the delegations
-are up-to-date by running ``dnssec-cds`` on every ``dsset-`` file.
-
-To fetch the child records required by ``dnssec-cds``, invoke
-``dig`` as in the script below. It is acceptable if the ``dig`` fails, since
-``dnssec-cds`` performs all the necessary checking.
-
-::
-
-   for f in dsset-*
-   do
-       d=${f#dsset-}
-       dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
-       dnssec-cds -i -f /dev/stdin -d $f $d
-   done
-
-When the parent zone is automatically signed by ``named``,
-``dnssec-cds`` can be used with ``nsupdate`` to maintain a delegation as follows.
-The ``dsset-`` file allows the script to avoid having to fetch and
-validate the parent DS records, and it maintains the replay attack
-protection time.
-
-::
-
-   dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
-   dnssec-cds -u -i -f /dev/stdin -d $f $d |
-   nsupdate -l
-
-See Also
-~~~~~~~~
-
-:manpage:`dig(1)`, :manpage:`dnssec-settime(8)`, :manpage:`dnssec-signzone(8)`, :manpage:`nsupdate(1)`, BIND 9 Administrator
-Reference Manual, :rfc:`7344`.

bin/dnssec/dnssec-dsfromkey.c

@@ -1,559 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-/*! \file */
-
-#include <inttypes.h>
-#include <stdbool.h>
-#include <stdlib.h>
-
-#include <isc/attributes.h>
-#include <isc/buffer.h>
-#include <isc/commandline.h>
-#include <isc/dir.h>
-#include <isc/hash.h>
-#include <isc/mem.h>
-#include <isc/print.h>
-#include <isc/result.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dns/callbacks.h>
-#include <dns/db.h>
-#include <dns/dbiterator.h>
-#include <dns/ds.h>
-#include <dns/fixedname.h>
-#include <dns/keyvalues.h>
-#include <dns/log.h>
-#include <dns/master.h>
-#include <dns/name.h>
-#include <dns/rdata.h>
-#include <dns/rdataclass.h>
-#include <dns/rdataset.h>
-#include <dns/rdatasetiter.h>
-#include <dns/rdatatype.h>
-
-#include <dst/dst.h>
-
-#include "dnssectool.h"
-
-const char *program = "dnssec-dsfromkey";
-
-static dns_rdataclass_t rdclass;
-static dns_fixedname_t fixed;
-static dns_name_t *name = NULL;
-static isc_mem_t *mctx = NULL;
-static uint32_t ttl;
-static bool emitttl = false;
-
-static isc_result_t
-initname(char *setname) {
-	isc_result_t result;
-	isc_buffer_t buf;
-
-	name = dns_fixedname_initname(&fixed);
-
-	isc_buffer_init(&buf, setname, strlen(setname));
-	isc_buffer_add(&buf, strlen(setname));
-	result = dns_name_fromtext(name, &buf, dns_rootname, 0, NULL);
-	return (result);
-}
-
-static void
-db_load_from_stream(dns_db_t *db, FILE *fp) {
-	isc_result_t result;
-	dns_rdatacallbacks_t callbacks;
-
-	dns_rdatacallbacks_init(&callbacks);
-	result = dns_db_beginload(db, &callbacks);
-	if (result != ISC_R_SUCCESS) {
-		fatal("dns_db_beginload failed: %s", isc_result_totext(result));
-	}
-
-	result = dns_master_loadstream(fp, name, name, rdclass, 0, &callbacks,
-				       mctx);
-	if (result != ISC_R_SUCCESS) {
-		fatal("can't load from input: %s", isc_result_totext(result));
-	}
-
-	result = dns_db_endload(db, &callbacks);
-	if (result != ISC_R_SUCCESS) {
-		fatal("dns_db_endload failed: %s", isc_result_totext(result));
-	}
-}
-
-static isc_result_t
-loadset(const char *filename, dns_rdataset_t *rdataset) {
-	isc_result_t result;
-	dns_db_t *db = NULL;
-	dns_dbnode_t *node = NULL;
-	char setname[DNS_NAME_FORMATSIZE];
-
-	dns_name_format(name, setname, sizeof(setname));
-
-	result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone, rdclass, 0,
-			       NULL, &db);
-	if (result != ISC_R_SUCCESS) {
-		fatal("can't create database");
-	}
-
-	if (strcmp(filename, "-") == 0) {
-		db_load_from_stream(db, stdin);
-		filename = "input";
-	} else {
-		result = dns_db_load(db, filename, dns_masterformat_text, 0);
-		if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE) {
-			fatal("can't load %s: %s", filename,
-			      isc_result_totext(result));
-		}
-	}
-
-	result = dns_db_findnode(db, name, false, &node);
-	if (result != ISC_R_SUCCESS) {
-		fatal("can't find %s node in %s", setname, filename);
-	}
-
-	result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_dnskey, 0, 0,
-				     rdataset, NULL);
-
-	if (result == ISC_R_NOTFOUND) {
-		fatal("no DNSKEY RR for %s in %s", setname, filename);
-	} else if (result != ISC_R_SUCCESS) {
-		fatal("dns_db_findrdataset");
-	}
-
-	if (node != NULL) {
-		dns_db_detachnode(db, &node);
-	}
-	if (db != NULL) {
-		dns_db_detach(&db);
-	}
-	return (result);
-}
-
-static isc_result_t
-loadkeyset(char *dirname, dns_rdataset_t *rdataset) {
-	isc_result_t result;
-	char filename[PATH_MAX + 1];
-	isc_buffer_t buf;
-
-	dns_rdataset_init(rdataset);
-
-	isc_buffer_init(&buf, filename, sizeof(filename));
-	if (dirname != NULL) {
-		/* allow room for a trailing slash */
-		if (strlen(dirname) >= isc_buffer_availablelength(&buf)) {
-			return (ISC_R_NOSPACE);
-		}
-		isc_buffer_putstr(&buf, dirname);
-		if (dirname[strlen(dirname) - 1] != '/') {
-			isc_buffer_putstr(&buf, "/");
-		}
-	}
-
-	if (isc_buffer_availablelength(&buf) < 7) {
-		return (ISC_R_NOSPACE);
-	}
-	isc_buffer_putstr(&buf, "keyset-");
-
-	result = dns_name_tofilenametext(name, false, &buf);
-	check_result(result, "dns_name_tofilenametext()");
-	if (isc_buffer_availablelength(&buf) == 0) {
-		return (ISC_R_NOSPACE);
-	}
-	isc_buffer_putuint8(&buf, 0);
-
-	return (loadset(filename, rdataset));
-}
-
-static void
-loadkey(char *filename, unsigned char *key_buf, unsigned int key_buf_size,
-	dns_rdata_t *rdata) {
-	isc_result_t result;
-	dst_key_t *key = NULL;
-	isc_buffer_t keyb;
-	isc_region_t r;
-
-	dns_rdata_init(rdata);
-
-	isc_buffer_init(&keyb, key_buf, key_buf_size);
-
-	result = dst_key_fromnamedfile(filename, NULL, DST_TYPE_PUBLIC, mctx,
-				       &key);
-	if (result != ISC_R_SUCCESS) {
-		fatal("can't load %s.key: %s", filename,
-		      isc_result_totext(result));
-	}
-
-	if (verbose > 2) {
-		char keystr[DST_KEY_FORMATSIZE];
-
-		dst_key_format(key, keystr, sizeof(keystr));
-		fprintf(stderr, "%s: %s\n", program, keystr);
-	}
-
-	result = dst_key_todns(key, &keyb);
-	if (result != ISC_R_SUCCESS) {
-		fatal("can't decode key");
-	}
-
-	isc_buffer_usedregion(&keyb, &r);
-	dns_rdata_fromregion(rdata, dst_key_class(key), dns_rdatatype_dnskey,
-			     &r);
-
-	rdclass = dst_key_class(key);
-
-	name = dns_fixedname_initname(&fixed);
-	dns_name_copy(dst_key_name(key), name);
-
-	dst_key_free(&key);
-}
-
-static void
-logkey(dns_rdata_t *rdata) {
-	isc_result_t result;
-	dst_key_t *key = NULL;
-	isc_buffer_t buf;
-	char keystr[DST_KEY_FORMATSIZE];
-
-	isc_buffer_init(&buf, rdata->data, rdata->length);
-	isc_buffer_add(&buf, rdata->length);
-	result = dst_key_fromdns(name, rdclass, &buf, mctx, &key);
-	if (result != ISC_R_SUCCESS) {
-		return;
-	}
-
-	dst_key_format(key, keystr, sizeof(keystr));
-	fprintf(stderr, "%s: %s\n", program, keystr);
-
-	dst_key_free(&key);
-}
-
-static void
-emit(dns_dsdigest_t dt, bool showall, bool cds, dns_rdata_t *rdata) {
-	isc_result_t result;
-	unsigned char buf[DNS_DS_BUFFERSIZE];
-	char text_buf[DST_KEY_MAXTEXTSIZE];
-	char name_buf[DNS_NAME_MAXWIRE];
-	char class_buf[10];
-	isc_buffer_t textb, nameb, classb;
-	isc_region_t r;
-	dns_rdata_t ds;
-	dns_rdata_dnskey_t dnskey;
-
-	isc_buffer_init(&textb, text_buf, sizeof(text_buf));
-	isc_buffer_init(&nameb, name_buf, sizeof(name_buf));
-	isc_buffer_init(&classb, class_buf, sizeof(class_buf));
-
-	dns_rdata_init(&ds);
-
-	result = dns_rdata_tostruct(rdata, &dnskey, NULL);
-	if (result != ISC_R_SUCCESS) {
-		fatal("can't convert DNSKEY");
-	}
-
-	if ((dnskey.flags & DNS_KEYFLAG_REVOKE) != 0) {
-		return;
-	}
-
-	if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0 && !showall) {
-		return;
-	}
-
-	result = dns_ds_buildrdata(name, rdata, dt, buf, &ds);
-	if (result != ISC_R_SUCCESS) {
-		fatal("can't build record");
-	}
-
-	result = dns_name_totext(name, false, &nameb);
-	if (result != ISC_R_SUCCESS) {
-		fatal("can't print name");
-	}
-
-	result = dns_rdata_tofmttext(&ds, (dns_name_t *)NULL, 0, 0, 0, "",
-				     &textb);
-
-	if (result != ISC_R_SUCCESS) {
-		fatal("can't print rdata");
-	}
-
-	result = dns_rdataclass_totext(rdclass, &classb);
-	if (result != ISC_R_SUCCESS) {
-		fatal("can't print class");
-	}
-
-	isc_buffer_usedregion(&nameb, &r);
-	printf("%.*s ", (int)r.length, r.base);
-
-	if (emitttl) {
-		printf("%u ", ttl);
-	}
-
-	isc_buffer_usedregion(&classb, &r);
-	printf("%.*s", (int)r.length, r.base);
-
-	if (cds) {
-		printf(" CDS ");
-	} else {
-		printf(" DS ");
-	}
-
-	isc_buffer_usedregion(&textb, &r);
-	printf("%.*s\n", (int)r.length, r.base);
-}
-
-static void
-emits(bool showall, bool cds, dns_rdata_t *rdata) {
-	unsigned i, n;
-
-	n = sizeof(dtype) / sizeof(dtype[0]);
-	for (i = 0; i < n; i++) {
-		if (dtype[i] != 0) {
-			emit(dtype[i], showall, cds, rdata);
-		}
-	}
-}
-
-ISC_NORETURN static void
-usage(void);
-
-static void
-usage(void) {
-	fprintf(stderr, "Usage:\n");
-	fprintf(stderr, "    %s [options] keyfile\n\n", program);
-	fprintf(stderr, "    %s [options] -f zonefile [zonename]\n\n", program);
-	fprintf(stderr, "    %s [options] -s dnsname\n\n", program);
-	fprintf(stderr, "    %s [-h|-V]\n\n", program);
-	fprintf(stderr, "Version: %s\n", PACKAGE_VERSION);
-	fprintf(stderr, "Options:\n"
-			"    -1: digest algorithm SHA-1\n"
-			"    -2: digest algorithm SHA-256\n"
-			"    -a algorithm: digest algorithm (SHA-1, SHA-256 or "
-			"SHA-384)\n"
-			"    -A: include all keys in DS set, not just KSKs (-f "
-			"only)\n"
-			"    -c class: rdata class for DS set (default IN) (-f "
-			"or -s only)\n"
-			"    -C: print CDS records\n"
-			"    -f zonefile: read keys from a zone file\n"
-			"    -h: print help information\n"
-			"    -K directory: where to find key or keyset files\n"
-			"    -s: read keys from keyset-<dnsname> file\n"
-			"    -T: TTL of output records (omitted by default)\n"
-			"    -v level: verbosity\n"
-			"    -V: print version information\n");
-	fprintf(stderr, "Output: DS or CDS RRs\n");
-
-	exit(-1);
-}
-
-int
-main(int argc, char **argv) {
-	char *classname = NULL;
-	char *filename = NULL, *dir = NULL, *namestr;
-	char *endp, *arg1;
-	int ch;
-	bool cds = false;
-	bool usekeyset = false;
-	bool showall = false;
-	isc_result_t result;
-	isc_log_t *log = NULL;
-	dns_rdataset_t rdataset;
-	dns_rdata_t rdata;
-
-	dns_rdata_init(&rdata);
-
-	if (argc == 1) {
-		usage();
-	}
-
-	isc_mem_create(&mctx);
-
-	isc_commandline_errprint = false;
-
-#define OPTIONS "12Aa:Cc:d:Ff:K:l:sT:v:hV"
-	while ((ch = isc_commandline_parse(argc, argv, OPTIONS)) != -1) {
-		switch (ch) {
-		case '1':
-			add_dtype(DNS_DSDIGEST_SHA1);
-			break;
-		case '2':
-			add_dtype(DNS_DSDIGEST_SHA256);
-			break;
-		case 'A':
-			showall = true;
-			break;
-		case 'a':
-			add_dtype(strtodsdigest(isc_commandline_argument));
-			break;
-		case 'C':
-			cds = true;
-			break;
-		case 'c':
-			classname = isc_commandline_argument;
-			break;
-		case 'd':
-			fprintf(stderr,
-				"%s: the -d option is deprecated; "
-				"use -K\n",
-				program);
-		/* fall through */
-		case 'K':
-			dir = isc_commandline_argument;
-			if (strlen(dir) == 0U) {
-				fatal("directory must be non-empty string");
-			}
-			break;
-		case 'f':
-			filename = isc_commandline_argument;
-			break;
-		case 'l':
-			fatal("-l option (DLV lookaside) is obsolete");
-			break;
-		case 's':
-			usekeyset = true;
-			break;
-		case 'T':
-			emitttl = true;
-			ttl = strtottl(isc_commandline_argument);
-			break;
-		case 'v':
-			verbose = strtol(isc_commandline_argument, &endp, 0);
-			if (*endp != '\0') {
-				fatal("-v must be followed by a number");
-			}
-			break;
-		case 'F':
-		/* Reserved for FIPS mode */
-		/* FALLTHROUGH */
-		case '?':
-			if (isc_commandline_option != '?') {
-				fprintf(stderr, "%s: invalid argument -%c\n",
-					program, isc_commandline_option);
-			}
-		/* FALLTHROUGH */
-		case 'h':
-			/* Does not return. */
-			usage();
-
-		case 'V':
-			/* Does not return. */
-			version(program);
-
-		default:
-			fprintf(stderr, "%s: unhandled option -%c\n", program,
-				isc_commandline_option);
-			exit(1);
-		}
-	}
-
-	rdclass = strtoclass(classname);
-
-	if (usekeyset && filename != NULL) {
-		fatal("cannot use both -s and -f");
-	}
-
-	/* When not using -f, -A is implicit */
-	if (filename == NULL) {
-		showall = true;
-	}
-
-	/* Default digest type if none specified. */
-	if (dtype[0] == 0) {
-		dtype[0] = DNS_DSDIGEST_SHA256;
-	}
-
-	/*
-	 * Use local variable arg1 so that clang can correctly analyse
-	 * reachable paths rather than 'argc < isc_commandline_index + 1'.
-	 */
-	arg1 = argv[isc_commandline_index];
-	if (arg1 == NULL && filename == NULL) {
-		fatal("the key file name was not specified");
-	}
-	if (arg1 != NULL && argv[isc_commandline_index + 1] != NULL) {
-		fatal("extraneous arguments");
-	}
-
-	result = dst_lib_init(mctx, NULL);
-	if (result != ISC_R_SUCCESS) {
-		fatal("could not initialize dst: %s",
-		      isc_result_totext(result));
-	}
-
-	setup_logging(mctx, &log);
-
-	dns_rdataset_init(&rdataset);
-
-	if (usekeyset || filename != NULL) {
-		if (arg1 == NULL) {
-			/* using file name as the zone name */
-			namestr = filename;
-		} else {
-			namestr = arg1;
-		}
-
-		result = initname(namestr);
-		if (result != ISC_R_SUCCESS) {
-			fatal("could not initialize name %s", namestr);
-		}
-
-		if (usekeyset) {
-			result = loadkeyset(dir, &rdataset);
-		} else {
-			INSIST(filename != NULL);
-			result = loadset(filename, &rdataset);
-		}
-
-		if (result != ISC_R_SUCCESS) {
-			fatal("could not load DNSKEY set: %s\n",
-			      isc_result_totext(result));
-		}
-
-		for (result = dns_rdataset_first(&rdataset);
-		     result == ISC_R_SUCCESS;
-		     result = dns_rdataset_next(&rdataset))
-		{
-			dns_rdata_init(&rdata);
-			dns_rdataset_current(&rdataset, &rdata);
-
-			if (verbose > 2) {
-				logkey(&rdata);
-			}
-
-			emits(showall, cds, &rdata);
-		}
-	} else {
-		unsigned char key_buf[DST_KEY_MAXSIZE];
-
-		loadkey(arg1, key_buf, DST_KEY_MAXSIZE, &rdata);
-
-		emits(showall, cds, &rdata);
-	}
-
-	if (dns_rdataset_isassociated(&rdataset)) {
-		dns_rdataset_disassociate(&rdataset);
-	}
-	cleanup_logging(&log);
-	dst_lib_destroy();
-	if (verbose > 10) {
-		isc_mem_stats(mctx, stdout);
-	}
-	isc_mem_destroy(&mctx);
-
-	fflush(stdout);
-	if (ferror(stdout)) {
-		fprintf(stderr, "write error\n");
-		return (1);
-	} else {
-		return (0);
-	}
-}

bin/dnssec/dnssec-dsfromkey.rst

@@ -1,154 +0,0 @@
-.. 
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-   
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, you can obtain one at https://mozilla.org/MPL/2.0/.
-   
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-..
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-
-.. highlight: console
-
-.. _man_dnssec-dsfromkey:
-
-dnssec-dsfromkey - DNSSEC DS RR generation tool
------------------------------------------------
-
-Synopsis
-~~~~~~~~
-
-:program:`dnssec-dsfromkey` [ **-1** | **-2** | **-a** alg ] [ **-C** ] [**-T** TTL] [**-v** level] [**-K** directory] {keyfile}
-
-:program:`dnssec-dsfromkey` [ **-1** | **-2** | **-a** alg ] [ **-C** ] [**-T** TTL] [**-v** level] [**-c** class] [**-A**] {**-f** file} [dnsname]
-
-:program:`dnssec-dsfromkey` [ **-1** | **-2** | **-a** alg ] [ **-C** ] [**-T** TTL] [**-v** level] [**-c** class] [**-K** directory] {**-s**} {dnsname}
-
-:program:`dnssec-dsfromkey` [ **-h** | **-V** ]
-
-Description
-~~~~~~~~~~~
-
-The ``dnssec-dsfromkey`` command outputs DS (Delegation Signer) resource records
-(RRs), or CDS (Child DS) RRs with the ``-C`` option.
-
-By default, only KSKs are converted (keys with flags = 257).  The
-``-A`` option includes ZSKs (flags = 256).  Revoked keys are never
-included.
-
-The input keys can be specified in a number of ways:
-
-By default, ``dnssec-dsfromkey`` reads a key file named in the format
-``Knnnn.+aaa+iiiii.key``, as generated by ``dnssec-keygen``.
-
-With the ``-f file`` option, ``dnssec-dsfromkey`` reads keys from a zone
-file or partial zone file (which can contain just the DNSKEY records).
-
-With the ``-s`` option, ``dnssec-dsfromkey`` reads a ``keyset-`` file,
-as generated by ``dnssec-keygen`` ``-C``.
-
-Options
-~~~~~~~
-
-``-1``
-   This option is an abbreviation for ``-a SHA1``.
-
-``-2``
-   This option is an abbreviation for ``-a SHA-256``.
-
-``-a algorithm``
-   This option specifies a digest algorithm to use when converting DNSKEY records to
-   DS records. This option can be repeated, so that multiple DS records
-   are created for each DNSKEY record.
-
-   The algorithm must be one of SHA-1, SHA-256, or SHA-384. These values
-   are case-insensitive, and the hyphen may be omitted. If no algorithm
-   is specified, the default is SHA-256.
-
-``-A``
-   This option indicates that ZSKs are to be included when generating DS records. Without this option, only
-   keys which have the KSK flag set are converted to DS records and
-   printed. This option is only useful in ``-f`` zone file mode.
-
-``-c class``
-   This option specifies the DNS class; the default is IN. This option is only useful in ``-s`` keyset
-   or ``-f`` zone file mode.
-
-``-C``
-   This option generates CDS records rather than DS records.
-
-``-f file``
-   This option sets zone file mode, in which the final dnsname argument of ``dnssec-dsfromkey`` is the
-   DNS domain name of a zone whose master file can be read from
-   ``file``. If the zone name is the same as ``file``, then it may be
-   omitted.
-
-   If ``file`` is ``-``, then the zone data is read from the standard
-   input. This makes it possible to use the output of the ``dig``
-   command as input, as in:
-
-   ``dig dnskey example.com | dnssec-dsfromkey -f - example.com``
-
-``-h``
-   This option prints usage information.
-
-``-K directory``
-   This option tells BIND 9 to look for key files or ``keyset-`` files in ``directory``.
-
-``-s``
-   This option enables keyset mode, in which the final dnsname argument from ``dnssec-dsfromkey`` is the DNS
-   domain name used to locate a ``keyset-`` file.
-
-``-T TTL``
-   This option specifies the TTL of the DS records. By default the TTL is omitted.
-
-``-v level``
-   This option sets the debugging level.
-
-``-V``
-   This option prints version information.
-
-Example
-~~~~~~~
-
-To build the SHA-256 DS RR from the ``Kexample.com.+003+26160`` keyfile,
-issue the following command:
-
-``dnssec-dsfromkey -2 Kexample.com.+003+26160``
-
-The command returns something similar to:
-
-``example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94``
-
-Files
-~~~~~
-
-The keyfile can be designated by the key identification
-``Knnnn.+aaa+iiiii`` or the full file name ``Knnnn.+aaa+iiiii.key``, as
-generated by ``dnssec-keygen``.
-
-The keyset file name is built from the ``directory``, the string
-``keyset-``, and the ``dnsname``.
-
-Caveat
-~~~~~~
-
-A keyfile error may return "file not found," even if the file exists.
-
-See Also
-~~~~~~~~
-
-:manpage:`dnssec-keygen(8)`, :manpage:`dnssec-signzone(8)`, BIND 9 Administrator Reference Manual,
-:rfc:`3658` (DS RRs), :rfc:`4509` (SHA-256 for DS RRs),
-:rfc:`6605` (SHA-384 for DS RRs), :rfc:`7344` (CDS and CDNSKEY RRs).

bin/dnssec/dnssec-importkey.c

@@ -1,475 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-/*! \file */
-
-#include <stdbool.h>
-#include <stdlib.h>
-
-#include <isc/attributes.h>
-#include <isc/buffer.h>
-#include <isc/commandline.h>
-#include <isc/hash.h>
-#include <isc/mem.h>
-#include <isc/print.h>
-#include <isc/result.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dns/callbacks.h>
-#include <dns/db.h>
-#include <dns/dbiterator.h>
-#include <dns/ds.h>
-#include <dns/fixedname.h>
-#include <dns/keyvalues.h>
-#include <dns/log.h>
-#include <dns/master.h>
-#include <dns/name.h>
-#include <dns/rdata.h>
-#include <dns/rdataclass.h>
-#include <dns/rdataset.h>
-#include <dns/rdatasetiter.h>
-#include <dns/rdatatype.h>
-
-#include <dst/dst.h>
-
-#include "dnssectool.h"
-
-const char *program = "dnssec-importkey";
-
-static dns_rdataclass_t rdclass;
-static dns_fixedname_t fixed;
-static dns_name_t *name = NULL;
-static isc_mem_t *mctx = NULL;
-static bool setpub = false, setdel = false;
-static bool setttl = false;
-static isc_stdtime_t pub = 0, del = 0;
-static dns_ttl_t ttl = 0;
-static isc_stdtime_t syncadd = 0, syncdel = 0;
-static bool setsyncadd = false;
-static bool setsyncdel = false;
-
-static isc_result_t
-initname(char *setname) {
-	isc_result_t result;
-	isc_buffer_t buf;
-
-	name = dns_fixedname_initname(&fixed);
-
-	isc_buffer_init(&buf, setname, strlen(setname));
-	isc_buffer_add(&buf, strlen(setname));
-	result = dns_name_fromtext(name, &buf, dns_rootname, 0, NULL);
-	return (result);
-}
-
-static void
-db_load_from_stream(dns_db_t *db, FILE *fp) {
-	isc_result_t result;
-	dns_rdatacallbacks_t callbacks;
-
-	dns_rdatacallbacks_init(&callbacks);
-	result = dns_db_beginload(db, &callbacks);
-	if (result != ISC_R_SUCCESS) {
-		fatal("dns_db_beginload failed: %s", isc_result_totext(result));
-	}
-
-	result = dns_master_loadstream(fp, name, name, rdclass, 0, &callbacks,
-				       mctx);
-	if (result != ISC_R_SUCCESS) {
-		fatal("can't load from input: %s", isc_result_totext(result));
-	}
-
-	result = dns_db_endload(db, &callbacks);
-	if (result != ISC_R_SUCCESS) {
-		fatal("dns_db_endload failed: %s", isc_result_totext(result));
-	}
-}
-
-static isc_result_t
-loadset(const char *filename, dns_rdataset_t *rdataset) {
-	isc_result_t result;
-	dns_db_t *db = NULL;
-	dns_dbnode_t *node = NULL;
-	char setname[DNS_NAME_FORMATSIZE];
-
-	dns_name_format(name, setname, sizeof(setname));
-
-	result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone, rdclass, 0,
-			       NULL, &db);
-	if (result != ISC_R_SUCCESS) {
-		fatal("can't create database");
-	}
-
-	if (strcmp(filename, "-") == 0) {
-		db_load_from_stream(db, stdin);
-		filename = "input";
-	} else {
-		result = dns_db_load(db, filename, dns_masterformat_text,
-				     DNS_MASTER_NOTTL);
-		if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE) {
-			fatal("can't load %s: %s", filename,
-			      isc_result_totext(result));
-		}
-	}
-
-	result = dns_db_findnode(db, name, false, &node);
-	if (result != ISC_R_SUCCESS) {
-		fatal("can't find %s node in %s", setname, filename);
-	}
-
-	result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_dnskey, 0, 0,
-				     rdataset, NULL);
-
-	if (result == ISC_R_NOTFOUND) {
-		fatal("no DNSKEY RR for %s in %s", setname, filename);
-	} else if (result != ISC_R_SUCCESS) {
-		fatal("dns_db_findrdataset");
-	}
-
-	if (node != NULL) {
-		dns_db_detachnode(db, &node);
-	}
-	if (db != NULL) {
-		dns_db_detach(&db);
-	}
-	return (result);
-}
-
-static void
-loadkey(char *filename, unsigned char *key_buf, unsigned int key_buf_size,
-	dns_rdata_t *rdata) {
-	isc_result_t result;
-	dst_key_t *key = NULL;
-	isc_buffer_t keyb;
-	isc_region_t r;
-
-	dns_rdata_init(rdata);
-
-	isc_buffer_init(&keyb, key_buf, key_buf_size);
-
-	result = dst_key_fromnamedfile(filename, NULL, DST_TYPE_PUBLIC, mctx,
-				       &key);
-	if (result != ISC_R_SUCCESS) {
-		fatal("invalid keyfile name %s: %s", filename,
-		      isc_result_totext(result));
-	}
-
-	if (verbose > 2) {
-		char keystr[DST_KEY_FORMATSIZE];
-
-		dst_key_format(key, keystr, sizeof(keystr));
-		fprintf(stderr, "%s: %s\n", program, keystr);
-	}
-
-	result = dst_key_todns(key, &keyb);
-	if (result != ISC_R_SUCCESS) {
-		fatal("can't decode key");
-	}
-
-	isc_buffer_usedregion(&keyb, &r);
-	dns_rdata_fromregion(rdata, dst_key_class(key), dns_rdatatype_dnskey,
-			     &r);
-
-	rdclass = dst_key_class(key);
-
-	name = dns_fixedname_initname(&fixed);
-	dns_name_copy(dst_key_name(key), name);
-
-	dst_key_free(&key);
-}
-
-static void
-emit(const char *dir, dns_rdata_t *rdata) {
-	isc_result_t result;
-	char keystr[DST_KEY_FORMATSIZE];
-	char pubname[1024];
-	char priname[1024];
-	isc_buffer_t buf;
-	dst_key_t *key = NULL, *tmp = NULL;
-
-	isc_buffer_init(&buf, rdata->data, rdata->length);
-	isc_buffer_add(&buf, rdata->length);
-	result = dst_key_fromdns(name, rdclass, &buf, mctx, &key);
-	if (result != ISC_R_SUCCESS) {
-		fatal("dst_key_fromdns: %s", isc_result_totext(result));
-	}
-
-	isc_buffer_init(&buf, pubname, sizeof(pubname));
-	result = dst_key_buildfilename(key, DST_TYPE_PUBLIC, dir, &buf);
-	if (result != ISC_R_SUCCESS) {
-		fatal("Failed to build public key filename: %s",
-		      isc_result_totext(result));
-	}
-	isc_buffer_init(&buf, priname, sizeof(priname));
-	result = dst_key_buildfilename(key, DST_TYPE_PRIVATE, dir, &buf);
-	if (result != ISC_R_SUCCESS) {
-		fatal("Failed to build private key filename: %s",
-		      isc_result_totext(result));
-	}
-
-	result = dst_key_fromfile(
-		dst_key_name(key), dst_key_id(key), dst_key_alg(key),
-		DST_TYPE_PUBLIC | DST_TYPE_PRIVATE, dir, mctx, &tmp);
-	if (result == ISC_R_SUCCESS) {
-		if (dst_key_isprivate(tmp) && !dst_key_isexternal(tmp)) {
-			fatal("Private key already exists in %s", priname);
-		}
-		dst_key_free(&tmp);
-	}
-
-	dst_key_setexternal(key, true);
-	if (setpub) {
-		dst_key_settime(key, DST_TIME_PUBLISH, pub);
-	}
-	if (setdel) {
-		dst_key_settime(key, DST_TIME_DELETE, del);
-	}
-	if (setsyncadd) {
-		dst_key_settime(key, DST_TIME_SYNCPUBLISH, syncadd);
-	}
-	if (setsyncdel) {
-		dst_key_settime(key, DST_TIME_SYNCDELETE, syncdel);
-	}
-
-	if (setttl) {
-		dst_key_setttl(key, ttl);
-	}
-
-	result = dst_key_tofile(key, DST_TYPE_PUBLIC | DST_TYPE_PRIVATE, dir);
-	if (result != ISC_R_SUCCESS) {
-		dst_key_format(key, keystr, sizeof(keystr));
-		fatal("Failed to write key %s: %s", keystr,
-		      isc_result_totext(result));
-	}
-	printf("%s\n", pubname);
-
-	isc_buffer_clear(&buf);
-	result = dst_key_buildfilename(key, DST_TYPE_PRIVATE, dir, &buf);
-	if (result != ISC_R_SUCCESS) {
-		fatal("Failed to build private key filename: %s",
-		      isc_result_totext(result));
-	}
-	printf("%s\n", priname);
-	dst_key_free(&key);
-}
-
-ISC_NORETURN static void
-usage(void);
-
-static void
-usage(void) {
-	fprintf(stderr, "Usage:\n");
-	fprintf(stderr, "    %s options [-K dir] keyfile\n\n", program);
-	fprintf(stderr, "    %s options -f file [keyname]\n\n", program);
-	fprintf(stderr, "Version: %s\n", PACKAGE_VERSION);
-	fprintf(stderr, "Options:\n");
-	fprintf(stderr, "    -f file: read key from zone file\n");
-	fprintf(stderr, "    -K <directory>: directory in which to store "
-			"the key files\n");
-	fprintf(stderr, "    -L ttl:             set default key TTL\n");
-	fprintf(stderr, "    -v <verbose level>\n");
-	fprintf(stderr, "    -V: print version information\n");
-	fprintf(stderr, "    -h: print usage and exit\n");
-	fprintf(stderr, "Timing options:\n");
-	fprintf(stderr, "    -P date/[+-]offset/none: set/unset key "
-			"publication date\n");
-	fprintf(stderr, "    -P sync date/[+-]offset/none: set/unset "
-			"CDS and CDNSKEY publication date\n");
-	fprintf(stderr, "    -D date/[+-]offset/none: set/unset key "
-			"deletion date\n");
-	fprintf(stderr, "    -D sync date/[+-]offset/none: set/unset "
-			"CDS and CDNSKEY deletion date\n");
-
-	exit(-1);
-}
-
-int
-main(int argc, char **argv) {
-	char *classname = NULL;
-	char *filename = NULL, *dir = NULL, *namestr;
-	char *endp;
-	int ch;
-	isc_result_t result;
-	isc_log_t *log = NULL;
-	dns_rdataset_t rdataset;
-	dns_rdata_t rdata;
-	isc_stdtime_t now;
-
-	dns_rdata_init(&rdata);
-	isc_stdtime_get(&now);
-
-	if (argc == 1) {
-		usage();
-	}
-
-	isc_mem_create(&mctx);
-
-	isc_commandline_errprint = false;
-
-#define CMDLINE_FLAGS "D:f:hK:L:P:v:V"
-	while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
-		switch (ch) {
-		case 'D':
-			/* -Dsync ? */
-			if (isoptarg("sync", argv, usage)) {
-				if (setsyncdel) {
-					fatal("-D sync specified more than "
-					      "once");
-				}
-
-				syncdel = strtotime(isc_commandline_argument,
-						    now, now, &setsyncdel);
-				break;
-			}
-			/* -Ddnskey ? */
-			(void)isoptarg("dnskey", argv, usage);
-			if (setdel) {
-				fatal("-D specified more than once");
-			}
-
-			del = strtotime(isc_commandline_argument, now, now,
-					&setdel);
-			break;
-		case 'K':
-			dir = isc_commandline_argument;
-			if (strlen(dir) == 0U) {
-				fatal("directory must be non-empty string");
-			}
-			break;
-		case 'L':
-			ttl = strtottl(isc_commandline_argument);
-			setttl = true;
-			break;
-		case 'P':
-			/* -Psync ? */
-			if (isoptarg("sync", argv, usage)) {
-				if (setsyncadd) {
-					fatal("-P sync specified more than "
-					      "once");
-				}
-
-				syncadd = strtotime(isc_commandline_argument,
-						    now, now, &setsyncadd);
-				break;
-			}
-			/* -Pdnskey ? */
-			(void)isoptarg("dnskey", argv, usage);
-			if (setpub) {
-				fatal("-P specified more than once");
-			}
-
-			pub = strtotime(isc_commandline_argument, now, now,
-					&setpub);
-			break;
-		case 'f':
-			filename = isc_commandline_argument;
-			break;
-		case 'v':
-			verbose = strtol(isc_commandline_argument, &endp, 0);
-			if (*endp != '\0') {
-				fatal("-v must be followed by a number");
-			}
-			break;
-		case '?':
-			if (isc_commandline_option != '?') {
-				fprintf(stderr, "%s: invalid argument -%c\n",
-					program, isc_commandline_option);
-			}
-		/* FALLTHROUGH */
-		case 'h':
-			/* Does not return. */
-			usage();
-
-		case 'V':
-			/* Does not return. */
-			version(program);
-
-		default:
-			fprintf(stderr, "%s: unhandled option -%c\n", program,
-				isc_commandline_option);
-			exit(1);
-		}
-	}
-
-	rdclass = strtoclass(classname);
-
-	if (argc < isc_commandline_index + 1 && filename == NULL) {
-		fatal("the key file name was not specified");
-	}
-	if (argc > isc_commandline_index + 1) {
-		fatal("extraneous arguments");
-	}
-
-	result = dst_lib_init(mctx, NULL);
-	if (result != ISC_R_SUCCESS) {
-		fatal("could not initialize dst: %s",
-		      isc_result_totext(result));
-	}
-
-	setup_logging(mctx, &log);
-
-	dns_rdataset_init(&rdataset);
-
-	if (filename != NULL) {
-		if (argc < isc_commandline_index + 1) {
-			/* using filename as zone name */
-			namestr = filename;
-		} else {
-			namestr = argv[isc_commandline_index];
-		}
-
-		result = initname(namestr);
-		if (result != ISC_R_SUCCESS) {
-			fatal("could not initialize name %s", namestr);
-		}
-
-		result = loadset(filename, &rdataset);
-
-		if (result != ISC_R_SUCCESS) {
-			fatal("could not load DNSKEY set: %s\n",
-			      isc_result_totext(result));
-		}
-
-		for (result = dns_rdataset_first(&rdataset);
-		     result == ISC_R_SUCCESS;
-		     result = dns_rdataset_next(&rdataset))
-		{
-			dns_rdata_init(&rdata);
-			dns_rdataset_current(&rdataset, &rdata);
-			emit(dir, &rdata);
-		}
-	} else {
-		unsigned char key_buf[DST_KEY_MAXSIZE];
-
-		loadkey(argv[isc_commandline_index], key_buf, DST_KEY_MAXSIZE,
-			&rdata);
-
-		emit(dir, &rdata);
-	}
-
-	if (dns_rdataset_isassociated(&rdataset)) {
-		dns_rdataset_disassociate(&rdataset);
-	}
-	cleanup_logging(&log);
-	dst_lib_destroy();
-	if (verbose > 10) {
-		isc_mem_stats(mctx, stdout);
-	}
-	isc_mem_destroy(&mctx);
-
-	fflush(stdout);
-	if (ferror(stdout)) {
-		fprintf(stderr, "write error\n");
-		return (1);
-	} else {
-		return (0);
-	}
-}

bin/dnssec/dnssec-importkey.rst

@@ -1,123 +0,0 @@
-.. 
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-   
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, you can obtain one at https://mozilla.org/MPL/2.0/.
-   
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-..
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-
-.. highlight: console
-
-.. _man_dnssec-importkey:
-
-dnssec-importkey - import DNSKEY records from external systems so they can be managed
--------------------------------------------------------------------------------------
-
-Synopsis
-~~~~~~~~
-
-:program:`dnssec-importkey` [**-K** directory] [**-L** ttl] [**-P** date/offset] [**-P** sync date/offset] [**-D** date/offset] [**-D** sync date/offset] [**-h**] [**-v** level] [**-V**] {keyfile}
-
-:program:`dnssec-importkey` {**-f** filename} [**-K** directory] [**-L** ttl] [**-P** date/offset] [**-P** sync date/offset] [**-D** date/offset] [**-D** sync date/offset] [**-h**] [**-v** level] [**-V**] [dnsname]
-
-Description
-~~~~~~~~~~~
-
-``dnssec-importkey`` reads a public DNSKEY record and generates a pair
-of .key/.private files. The DNSKEY record may be read from an
-existing .key file, in which case a corresponding .private file is
-generated, or it may be read from any other file or from the standard
-input, in which case both .key and .private files are generated.
-
-The newly created .private file does *not* contain private key data, and
-cannot be used for signing. However, having a .private file makes it
-possible to set publication (``-P``) and deletion (``-D``) times for the
-key, which means the public key can be added to and removed from the
-DNSKEY RRset on schedule even if the true private key is stored offline.
-
-Options
-~~~~~~~
-
-``-f filename``
-   This option indicates the zone file mode. Instead of a public keyfile name, the argument is the
-   DNS domain name of a zone master file, which can be read from
-   ``filename``. If the domain name is the same as ``filename``, then it may be
-   omitted.
-
-   If ``filename`` is set to ``"-"``, then the zone data is read from the
-   standard input.
-
-``-K directory``
-   This option sets the directory in which the key files are to reside.
-
-``-L ttl``
-   This option sets the default TTL to use for this key when it is converted into a
-   DNSKEY RR. This is the TTL used when the key is imported into a zone,
-   unless there was already a DNSKEY RRset in
-   place, in which case the existing TTL takes precedence. Setting the default TTL to ``0`` or ``none``
-   removes it from the key.
-
-``-h``
-   This option emits a usage message and exits.
-
-``-v level``
-   This option sets the debugging level.
-
-``-V``
-   This option prints version information.
-
-Timing Options
-~~~~~~~~~~~~~~
-
-Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the
-argument begins with a ``+`` or ``-``, it is interpreted as an offset from
-the present time. For convenience, if such an offset is followed by one
-of the suffixes ``y``, ``mo``, ``w``, ``d``, ``h``, or ``mi``, then the offset is
-computed in years (defined as 365 24-hour days, ignoring leap years),
-months (defined as 30 24-hour days), weeks, days, hours, or minutes,
-respectively. Without a suffix, the offset is computed in seconds. To
-explicitly prevent a date from being set, use ``none`` or ``never``.
-
-``-P date/offset``
-   This option sets the date on which a key is to be published to the zone. After
-   that date, the key is included in the zone but is not used
-   to sign it.
-
-``-P sync date/offset``
-   This option sets the date on which CDS and CDNSKEY records that match this key
-   are to be published to the zone.
-
-``-D date/offset``
-   This option sets the date on which the key is to be deleted. After that date, the
-   key is no longer included in the zone. (However, it may remain in the key
-   repository.)
-
-``-D sync date/offset``
-   This option sets the date on which the CDS and CDNSKEY records that match this
-   key are to be deleted.
-
-Files
-~~~~~
-
-A keyfile can be designed by the key identification ``Knnnn.+aaa+iiiii``
-or the full file name ``Knnnn.+aaa+iiiii.key``, as generated by
-``dnssec-keygen``.
-
-See Also
-~~~~~~~~
-
-:manpage:`dnssec-keygen(8)`, :manpage:`dnssec-signzone(8)`, BIND 9 Administrator Reference Manual,
-:rfc:`5011`.

bin/dnssec/dnssec-keyfromlabel.c

@@ -1,756 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-/*! \file */
-
-#include <ctype.h>
-#include <inttypes.h>
-#include <stdbool.h>
-#include <stdlib.h>
-
-#include <isc/attributes.h>
-#include <isc/buffer.h>
-#include <isc/commandline.h>
-#include <isc/mem.h>
-#include <isc/print.h>
-#include <isc/region.h>
-#include <isc/result.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dns/dnssec.h>
-#include <dns/fixedname.h>
-#include <dns/keyvalues.h>
-#include <dns/log.h>
-#include <dns/name.h>
-#include <dns/rdataclass.h>
-#include <dns/secalg.h>
-
-#include <dst/dst.h>
-
-#include "dnssectool.h"
-
-#define MAX_RSA 4096 /* should be long enough... */
-
-const char *program = "dnssec-keyfromlabel";
-
-ISC_NORETURN static void
-usage(void);
-
-static void
-usage(void) {
-	fprintf(stderr, "Usage:\n");
-	fprintf(stderr, "    %s -l label [options] name\n\n", program);
-	fprintf(stderr, "Version: %s\n", PACKAGE_VERSION);
-	fprintf(stderr, "Required options:\n");
-	fprintf(stderr, "    -l label: label of the key pair\n");
-	fprintf(stderr, "    name: owner of the key\n");
-	fprintf(stderr, "Other options:\n");
-	fprintf(stderr, "    -a algorithm: \n"
-			"        DH | RSASHA1 |\n"
-			"        NSEC3RSASHA1 |\n"
-			"        RSASHA256 | RSASHA512 |\n"
-			"        ECDSAP256SHA256 | ECDSAP384SHA384 |\n"
-			"        ED25519 | ED448\n");
-	fprintf(stderr, "    -3: use NSEC3-capable algorithm\n");
-	fprintf(stderr, "    -c class (default: IN)\n");
-	fprintf(stderr, "    -E <engine>:\n");
-	fprintf(stderr, "        name of an OpenSSL engine to use\n");
-	fprintf(stderr, "    -f keyflag: KSK | REVOKE\n");
-	fprintf(stderr, "    -K directory: directory in which to place "
-			"key files\n");
-	fprintf(stderr, "    -k: generate a TYPE=KEY key\n");
-	fprintf(stderr, "    -L ttl: default key TTL\n");
-	fprintf(stderr, "    -n nametype: ZONE | HOST | ENTITY | USER | "
-			"OTHER\n");
-	fprintf(stderr, "        (DNSKEY generation defaults to ZONE\n");
-	fprintf(stderr, "    -p protocol: default: 3 [dnssec]\n");
-	fprintf(stderr, "    -t type: "
-			"AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF "
-			"(default: AUTHCONF)\n");
-	fprintf(stderr, "    -y: permit keys that might collide\n");
-	fprintf(stderr, "    -v verbose level\n");
-	fprintf(stderr, "    -V: print version information\n");
-	fprintf(stderr, "Date options:\n");
-	fprintf(stderr, "    -P date/[+-]offset: set key publication date\n");
-	fprintf(stderr, "    -P sync date/[+-]offset: set CDS and CDNSKEY "
-			"publication date\n");
-	fprintf(stderr, "    -A date/[+-]offset: set key activation date\n");
-	fprintf(stderr, "    -R date/[+-]offset: set key revocation date\n");
-	fprintf(stderr, "    -I date/[+-]offset: set key inactivation date\n");
-	fprintf(stderr, "    -D date/[+-]offset: set key deletion date\n");
-	fprintf(stderr, "    -D sync date/[+-]offset: set CDS and CDNSKEY "
-			"deletion date\n");
-	fprintf(stderr, "    -G: generate key only; do not set -P or -A\n");
-	fprintf(stderr, "    -C: generate a backward-compatible key, omitting"
-			" all dates\n");
-	fprintf(stderr, "    -S <key>: generate a successor to an existing "
-			"key\n");
-	fprintf(stderr, "    -i <interval>: prepublication interval for "
-			"successor key "
-			"(default: 30 days)\n");
-	fprintf(stderr, "Output:\n");
-	fprintf(stderr, "     K<name>+<alg>+<id>.key, "
-			"K<name>+<alg>+<id>.private\n");
-
-	exit(-1);
-}
-
-int
-main(int argc, char **argv) {
-	char *algname = NULL, *freeit = NULL;
-	char *nametype = NULL, *type = NULL;
-	const char *directory = NULL;
-	const char *predecessor = NULL;
-	dst_key_t *prevkey = NULL;
-	const char *engine = NULL;
-	char *classname = NULL;
-	char *endp;
-	dst_key_t *key = NULL;
-	dns_fixedname_t fname;
-	dns_name_t *name;
-	uint16_t flags = 0, kskflag = 0, revflag = 0;
-	dns_secalg_t alg;
-	bool oldstyle = false;
-	isc_mem_t *mctx = NULL;
-	int ch;
-	int protocol = -1, signatory = 0;
-	isc_result_t ret;
-	isc_textregion_t r;
-	char filename[255];
-	isc_buffer_t buf;
-	isc_log_t *log = NULL;
-	dns_rdataclass_t rdclass;
-	int options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
-	char *label = NULL;
-	dns_ttl_t ttl = 0;
-	isc_stdtime_t publish = 0, activate = 0, revoke = 0;
-	isc_stdtime_t inactive = 0, deltime = 0;
-	isc_stdtime_t now;
-	int prepub = -1;
-	bool setpub = false, setact = false;
-	bool setrev = false, setinact = false;
-	bool setdel = false, setttl = false;
-	bool unsetpub = false, unsetact = false;
-	bool unsetrev = false, unsetinact = false;
-	bool unsetdel = false;
-	bool genonly = false;
-	bool use_nsec3 = false;
-	bool avoid_collisions = true;
-	bool exact;
-	unsigned char c;
-	isc_stdtime_t syncadd = 0, syncdel = 0;
-	bool unsetsyncadd = false, setsyncadd = false;
-	bool unsetsyncdel = false, setsyncdel = false;
-
-	if (argc == 1) {
-		usage();
-	}
-
-	isc_mem_create(&mctx);
-
-	isc_commandline_errprint = false;
-
-	isc_stdtime_get(&now);
-
-#define CMDLINE_FLAGS "3A:a:Cc:D:E:Ff:GhI:i:kK:L:l:n:P:p:R:S:t:v:Vy"
-	while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
-		switch (ch) {
-		case '3':
-			use_nsec3 = true;
-			break;
-		case 'a':
-			algname = isc_commandline_argument;
-			break;
-		case 'C':
-			oldstyle = true;
-			break;
-		case 'c':
-			classname = isc_commandline_argument;
-			break;
-		case 'E':
-			engine = isc_commandline_argument;
-			break;
-		case 'f':
-			c = (unsigned char)(isc_commandline_argument[0]);
-			if (toupper(c) == 'K') {
-				kskflag = DNS_KEYFLAG_KSK;
-			} else if (toupper(c) == 'R') {
-				revflag = DNS_KEYFLAG_REVOKE;
-			} else {
-				fatal("unknown flag '%s'",
-				      isc_commandline_argument);
-			}
-			break;
-		case 'K':
-			directory = isc_commandline_argument;
-			ret = try_dir(directory);
-			if (ret != ISC_R_SUCCESS) {
-				fatal("cannot open directory %s: %s", directory,
-				      isc_result_totext(ret));
-			}
-			break;
-		case 'k':
-			options |= DST_TYPE_KEY;
-			break;
-		case 'L':
-			ttl = strtottl(isc_commandline_argument);
-			setttl = true;
-			break;
-		case 'l':
-			label = isc_mem_strdup(mctx, isc_commandline_argument);
-			break;
-		case 'n':
-			nametype = isc_commandline_argument;
-			break;
-		case 'p':
-			protocol = strtol(isc_commandline_argument, &endp, 10);
-			if (*endp != '\0' || protocol < 0 || protocol > 255) {
-				fatal("-p must be followed by a number "
-				      "[0..255]");
-			}
-			break;
-		case 't':
-			type = isc_commandline_argument;
-			break;
-		case 'v':
-			verbose = strtol(isc_commandline_argument, &endp, 0);
-			if (*endp != '\0') {
-				fatal("-v must be followed by a number");
-			}
-			break;
-		case 'y':
-			avoid_collisions = false;
-			break;
-		case 'G':
-			genonly = true;
-			break;
-		case 'P':
-			/* -Psync ? */
-			if (isoptarg("sync", argv, usage)) {
-				if (unsetsyncadd || setsyncadd) {
-					fatal("-P sync specified more than "
-					      "once");
-				}
-
-				syncadd = strtotime(isc_commandline_argument,
-						    now, now, &setsyncadd);
-				unsetsyncadd = !setsyncadd;
-				break;
-			}
-			/* -Pdnskey ? */
-			(void)isoptarg("dnskey", argv, usage);
-			if (setpub || unsetpub) {
-				fatal("-P specified more than once");
-			}
-
-			publish = strtotime(isc_commandline_argument, now, now,
-					    &setpub);
-			unsetpub = !setpub;
-			break;
-		case 'A':
-			if (setact || unsetact) {
-				fatal("-A specified more than once");
-			}
-
-			activate = strtotime(isc_commandline_argument, now, now,
-					     &setact);
-			unsetact = !setact;
-			break;
-		case 'R':
-			if (setrev || unsetrev) {
-				fatal("-R specified more than once");
-			}
-
-			revoke = strtotime(isc_commandline_argument, now, now,
-					   &setrev);
-			unsetrev = !setrev;
-			break;
-		case 'I':
-			if (setinact || unsetinact) {
-				fatal("-I specified more than once");
-			}
-
-			inactive = strtotime(isc_commandline_argument, now, now,
-					     &setinact);
-			unsetinact = !setinact;
-			break;
-		case 'D':
-			/* -Dsync ? */
-			if (isoptarg("sync", argv, usage)) {
-				if (unsetsyncdel || setsyncdel) {
-					fatal("-D sync specified more than "
-					      "once");
-				}
-
-				syncdel = strtotime(isc_commandline_argument,
-						    now, now, &setsyncdel);
-				unsetsyncdel = !setsyncdel;
-				break;
-			}
-			/* -Ddnskey ? */
-			(void)isoptarg("dnskey", argv, usage);
-			if (setdel || unsetdel) {
-				fatal("-D specified more than once");
-			}
-
-			deltime = strtotime(isc_commandline_argument, now, now,
-					    &setdel);
-			unsetdel = !setdel;
-			break;
-		case 'S':
-			predecessor = isc_commandline_argument;
-			break;
-		case 'i':
-			prepub = strtottl(isc_commandline_argument);
-			break;
-		case 'F':
-		/* Reserved for FIPS mode */
-		/* FALLTHROUGH */
-		case '?':
-			if (isc_commandline_option != '?') {
-				fprintf(stderr, "%s: invalid argument -%c\n",
-					program, isc_commandline_option);
-			}
-		/* FALLTHROUGH */
-		case 'h':
-			/* Does not return. */
-			usage();
-
-		case 'V':
-			/* Does not return. */
-			version(program);
-
-		default:
-			fprintf(stderr, "%s: unhandled option -%c\n", program,
-				isc_commandline_option);
-			exit(1);
-		}
-	}
-
-	ret = dst_lib_init(mctx, engine);
-	if (ret != ISC_R_SUCCESS) {
-		fatal("could not initialize dst: %s", isc_result_totext(ret));
-	}
-
-	setup_logging(mctx, &log);
-
-	if (predecessor == NULL) {
-		if (label == NULL) {
-			fatal("the key label was not specified");
-		}
-		if (argc < isc_commandline_index + 1) {
-			fatal("the key name was not specified");
-		}
-		if (argc > isc_commandline_index + 1) {
-			fatal("extraneous arguments");
-		}
-
-		name = dns_fixedname_initname(&fname);
-		isc_buffer_init(&buf, argv[isc_commandline_index],
-				strlen(argv[isc_commandline_index]));
-		isc_buffer_add(&buf, strlen(argv[isc_commandline_index]));
-		ret = dns_name_fromtext(name, &buf, dns_rootname, 0, NULL);
-		if (ret != ISC_R_SUCCESS) {
-			fatal("invalid key name %s: %s",
-			      argv[isc_commandline_index],
-			      isc_result_totext(ret));
-		}
-
-		if (strchr(label, ':') == NULL) {
-			char *l;
-			int len;
-
-			len = strlen(label) + 8;
-			l = isc_mem_allocate(mctx, len);
-			snprintf(l, len, "pkcs11:%s", label);
-			isc_mem_free(mctx, label);
-			label = l;
-		}
-
-		if (algname == NULL) {
-			fatal("no algorithm specified");
-		}
-
-		r.base = algname;
-		r.length = strlen(algname);
-		ret = dns_secalg_fromtext(&alg, &r);
-		if (ret != ISC_R_SUCCESS) {
-			fatal("unknown algorithm %s", algname);
-		}
-		if (alg == DST_ALG_DH) {
-			options |= DST_TYPE_KEY;
-		}
-
-		if (use_nsec3) {
-			switch (alg) {
-			case DST_ALG_RSASHA1:
-				alg = DST_ALG_NSEC3RSASHA1;
-				break;
-			case DST_ALG_NSEC3RSASHA1:
-			case DST_ALG_RSASHA256:
-			case DST_ALG_RSASHA512:
-			case DST_ALG_ECDSA256:
-			case DST_ALG_ECDSA384:
-			case DST_ALG_ED25519:
-			case DST_ALG_ED448:
-				break;
-			default:
-				fatal("%s is incompatible with NSEC3; "
-				      "do not use the -3 option",
-				      algname);
-			}
-		}
-
-		if (type != NULL && (options & DST_TYPE_KEY) != 0) {
-			if (strcasecmp(type, "NOAUTH") == 0) {
-				flags |= DNS_KEYTYPE_NOAUTH;
-			} else if (strcasecmp(type, "NOCONF") == 0) {
-				flags |= DNS_KEYTYPE_NOCONF;
-			} else if (strcasecmp(type, "NOAUTHCONF") == 0) {
-				flags |= (DNS_KEYTYPE_NOAUTH |
-					  DNS_KEYTYPE_NOCONF);
-			} else if (strcasecmp(type, "AUTHCONF") == 0) {
-				/* nothing */
-			} else {
-				fatal("invalid type %s", type);
-			}
-		}
-
-		if (!oldstyle && prepub > 0) {
-			if (setpub && setact && (activate - prepub) < publish) {
-				fatal("Activation and publication dates "
-				      "are closer together than the\n\t"
-				      "prepublication interval.");
-			}
-
-			if (!setpub && !setact) {
-				setpub = setact = true;
-				publish = now;
-				activate = now + prepub;
-			} else if (setpub && !setact) {
-				setact = true;
-				activate = publish + prepub;
-			} else if (setact && !setpub) {
-				setpub = true;
-				publish = activate - prepub;
-			}
-
-			if ((activate - prepub) < now) {
-				fatal("Time until activation is shorter "
-				      "than the\n\tprepublication interval.");
-			}
-		}
-	} else {
-		char keystr[DST_KEY_FORMATSIZE];
-		isc_stdtime_t when;
-		int major, minor;
-
-		if (prepub == -1) {
-			prepub = (30 * 86400);
-		}
-
-		if (algname != NULL) {
-			fatal("-S and -a cannot be used together");
-		}
-		if (nametype != NULL) {
-			fatal("-S and -n cannot be used together");
-		}
-		if (type != NULL) {
-			fatal("-S and -t cannot be used together");
-		}
-		if (setpub || unsetpub) {
-			fatal("-S and -P cannot be used together");
-		}
-		if (setact || unsetact) {
-			fatal("-S and -A cannot be used together");
-		}
-		if (use_nsec3) {
-			fatal("-S and -3 cannot be used together");
-		}
-		if (oldstyle) {
-			fatal("-S and -C cannot be used together");
-		}
-		if (genonly) {
-			fatal("-S and -G cannot be used together");
-		}
-
-		ret = dst_key_fromnamedfile(predecessor, directory,
-					    DST_TYPE_PUBLIC | DST_TYPE_PRIVATE,
-					    mctx, &prevkey);
-		if (ret != ISC_R_SUCCESS) {
-			fatal("Invalid keyfile %s: %s", predecessor,
-			      isc_result_totext(ret));
-		}
-		if (!dst_key_isprivate(prevkey)) {
-			fatal("%s is not a private key", predecessor);
-		}
-
-		name = dst_key_name(prevkey);
-		alg = dst_key_alg(prevkey);
-		flags = dst_key_flags(prevkey);
-
-		dst_key_format(prevkey, keystr, sizeof(keystr));
-		dst_key_getprivateformat(prevkey, &major, &minor);
-		if (major != DST_MAJOR_VERSION || minor < DST_MINOR_VERSION) {
-			fatal("Key %s has incompatible format version %d.%d\n\t"
-			      "It is not possible to generate a successor key.",
-			      keystr, major, minor);
-		}
-
-		ret = dst_key_gettime(prevkey, DST_TIME_ACTIVATE, &when);
-		if (ret != ISC_R_SUCCESS) {
-			fatal("Key %s has no activation date.\n\t"
-			      "You must use dnssec-settime -A to set one "
-			      "before generating a successor.",
-			      keystr);
-		}
-
-		ret = dst_key_gettime(prevkey, DST_TIME_INACTIVE, &activate);
-		if (ret != ISC_R_SUCCESS) {
-			fatal("Key %s has no inactivation date.\n\t"
-			      "You must use dnssec-settime -I to set one "
-			      "before generating a successor.",
-			      keystr);
-		}
-
-		publish = activate - prepub;
-		if (publish < now) {
-			fatal("Key %s becomes inactive\n\t"
-			      "sooner than the prepublication period "
-			      "for the new key ends.\n\t"
-			      "Either change the inactivation date with "
-			      "dnssec-settime -I,\n\t"
-			      "or use the -i option to set a shorter "
-			      "prepublication interval.",
-			      keystr);
-		}
-
-		ret = dst_key_gettime(prevkey, DST_TIME_DELETE, &when);
-		if (ret != ISC_R_SUCCESS) {
-			fprintf(stderr,
-				"%s: WARNING: Key %s has no removal "
-				"date;\n\t it will remain in the zone "
-				"indefinitely after rollover.\n\t "
-				"You can use dnssec-settime -D to "
-				"change this.\n",
-				program, keystr);
-		}
-
-		setpub = setact = true;
-	}
-
-	if (nametype == NULL) {
-		if ((options & DST_TYPE_KEY) != 0) { /* KEY */
-			fatal("no nametype specified");
-		}
-		flags |= DNS_KEYOWNER_ZONE; /* DNSKEY */
-	} else if (strcasecmp(nametype, "zone") == 0) {
-		flags |= DNS_KEYOWNER_ZONE;
-	} else if ((options & DST_TYPE_KEY) != 0) { /* KEY */
-		if (strcasecmp(nametype, "host") == 0 ||
-		    strcasecmp(nametype, "entity") == 0) {
-			flags |= DNS_KEYOWNER_ENTITY;
-		} else if (strcasecmp(nametype, "user") == 0) {
-			flags |= DNS_KEYOWNER_USER;
-		} else {
-			fatal("invalid KEY nametype %s", nametype);
-		}
-	} else if (strcasecmp(nametype, "other") != 0) { /* DNSKEY */
-		fatal("invalid DNSKEY nametype %s", nametype);
-	}
-
-	rdclass = strtoclass(classname);
-
-	if (directory == NULL) {
-		directory = ".";
-	}
-
-	if ((options & DST_TYPE_KEY) != 0) { /* KEY */
-		flags |= signatory;
-	} else if ((flags & DNS_KEYOWNER_ZONE) != 0) { /* DNSKEY */
-		flags |= kskflag;
-		flags |= revflag;
-	}
-
-	if (protocol == -1) {
-		protocol = DNS_KEYPROTO_DNSSEC;
-	} else if ((options & DST_TYPE_KEY) == 0 &&
-		   protocol != DNS_KEYPROTO_DNSSEC) {
-		fatal("invalid DNSKEY protocol: %d", protocol);
-	}
-
-	if ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY) {
-		if ((flags & DNS_KEYFLAG_SIGNATORYMASK) != 0) {
-			fatal("specified null key with signing authority");
-		}
-	}
-
-	if ((flags & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE &&
-	    alg == DNS_KEYALG_DH)
-	{
-		fatal("a key with algorithm '%s' cannot be a zone key",
-		      algname);
-	}
-
-	isc_buffer_init(&buf, filename, sizeof(filename) - 1);
-
-	/* associate the key */
-	ret = dst_key_fromlabel(name, alg, flags, protocol, rdclass, engine,
-				label, NULL, mctx, &key);
-
-	if (ret != ISC_R_SUCCESS) {
-		char namestr[DNS_NAME_FORMATSIZE];
-		char algstr[DNS_SECALG_FORMATSIZE];
-		dns_name_format(name, namestr, sizeof(namestr));
-		dns_secalg_format(alg, algstr, sizeof(algstr));
-		fatal("failed to get key %s/%s: %s", namestr, algstr,
-		      isc_result_totext(ret));
-		/* NOTREACHED */
-		exit(-1);
-	}
-
-	/*
-	 * Set key timing metadata (unless using -C)
-	 *
-	 * Publish and activation dates are set to "now" by default, but
-	 * can be overridden.  Creation date is always set to "now".
-	 */
-	if (!oldstyle) {
-		dst_key_settime(key, DST_TIME_CREATED, now);
-
-		if (genonly && (setpub || setact)) {
-			fatal("cannot use -G together with -P or -A options");
-		}
-
-		if (setpub) {
-			dst_key_settime(key, DST_TIME_PUBLISH, publish);
-		} else if (setact) {
-			dst_key_settime(key, DST_TIME_PUBLISH, activate);
-		} else if (!genonly && !unsetpub) {
-			dst_key_settime(key, DST_TIME_PUBLISH, now);
-		}
-
-		if (setact) {
-			dst_key_settime(key, DST_TIME_ACTIVATE, activate);
-		} else if (!genonly && !unsetact) {
-			dst_key_settime(key, DST_TIME_ACTIVATE, now);
-		}
-
-		if (setrev) {
-			if (kskflag == 0) {
-				fprintf(stderr,
-					"%s: warning: Key is "
-					"not flagged as a KSK, but -R "
-					"was used. Revoking a ZSK is "
-					"legal, but undefined.\n",
-					program);
-			}
-			dst_key_settime(key, DST_TIME_REVOKE, revoke);
-		}
-
-		if (setinact) {
-			dst_key_settime(key, DST_TIME_INACTIVE, inactive);
-		}
-
-		if (setdel) {
-			dst_key_settime(key, DST_TIME_DELETE, deltime);
-		}
-		if (setsyncadd) {
-			dst_key_settime(key, DST_TIME_SYNCPUBLISH, syncadd);
-		}
-		if (setsyncdel) {
-			dst_key_settime(key, DST_TIME_SYNCDELETE, syncdel);
-		}
-	} else {
-		if (setpub || setact || setrev || setinact || setdel ||
-		    unsetpub || unsetact || unsetrev || unsetinact ||
-		    unsetdel || genonly || setsyncadd || setsyncdel)
-		{
-			fatal("cannot use -C together with "
-			      "-P, -A, -R, -I, -D, or -G options");
-		}
-		/*
-		 * Compatibility mode: Private-key-format
-		 * should be set to 1.2.
-		 */
-		dst_key_setprivateformat(key, 1, 2);
-	}
-
-	/* Set default key TTL */
-	if (setttl) {
-		dst_key_setttl(key, ttl);
-	}
-
-	/*
-	 * Do not overwrite an existing key.  Warn LOUDLY if there
-	 * is a risk of ID collision due to this key or another key
-	 * being revoked.
-	 */
-	if (key_collision(key, name, directory, mctx, &exact)) {
-		isc_buffer_clear(&buf);
-		ret = dst_key_buildfilename(key, 0, directory, &buf);
-		if (ret != ISC_R_SUCCESS) {
-			fatal("dst_key_buildfilename returned: %s\n",
-			      isc_result_totext(ret));
-		}
-		if (exact) {
-			fatal("%s: %s already exists\n", program, filename);
-		}
-
-		if (avoid_collisions) {
-			fatal("%s: %s could collide with another key upon "
-			      "revokation\n",
-			      program, filename);
-		}
-
-		fprintf(stderr,
-			"%s: WARNING: Key %s could collide with "
-			"another key upon revokation.  If you plan "
-			"to revoke keys, destroy this key and "
-			"generate a different one.\n",
-			program, filename);
-	}
-
-	ret = dst_key_tofile(key, options, directory);
-	if (ret != ISC_R_SUCCESS) {
-		char keystr[DST_KEY_FORMATSIZE];
-		dst_key_format(key, keystr, sizeof(keystr));
-		fatal("failed to write key %s: %s\n", keystr,
-		      isc_result_totext(ret));
-	}
-
-	isc_buffer_clear(&buf);
-	ret = dst_key_buildfilename(key, 0, NULL, &buf);
-	if (ret != ISC_R_SUCCESS) {
-		fatal("dst_key_buildfilename returned: %s\n",
-		      isc_result_totext(ret));
-	}
-	printf("%s\n", filename);
-	dst_key_free(&key);
-	if (prevkey != NULL) {
-		dst_key_free(&prevkey);
-	}
-
-	cleanup_logging(&log);
-	dst_lib_destroy();
-	if (verbose > 10) {
-		isc_mem_stats(mctx, stdout);
-	}
-	isc_mem_free(mctx, label);
-	isc_mem_destroy(&mctx);
-
-	if (freeit != NULL) {
-		free(freeit);
-	}
-
-	return (0);
-}

bin/dnssec/dnssec-keyfromlabel.rst

@@ -1,258 +0,0 @@
-.. 
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-   
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, you can obtain one at https://mozilla.org/MPL/2.0/.
-   
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-..
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-
-.. highlight: console
-
-.. _man_dnssec-keyfromlabel:
-
-dnssec-keyfromlabel - DNSSEC key generation tool
-------------------------------------------------
-
-Synopsis
-~~~~~~~~
-
-:program:`dnssec-keyfromlabel` {**-l** label} [**-3**] [**-a** algorithm] [**-A** date/offset] [**-c** class] [**-D** date/offset] [**-D** sync date/offset] [**-E** engine] [**-f** flag] [**-G**] [**-I** date/offset] [**-i** interval] [**-k**] [**-K** directory] [**-L** ttl] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-R** date/offset] [**-S** key] [**-t** type] [**-v** level] [**-V**] [**-y**] {name}
-
-Description
-~~~~~~~~~~~
-
-``dnssec-keyfromlabel`` generates a pair of key files that reference a
-key object stored in a cryptographic hardware service module (HSM). The
-private key file can be used for DNSSEC signing of zone data as if it
-were a conventional signing key created by ``dnssec-keygen``, but the
-key material is stored within the HSM and the actual signing takes
-place there.
-
-The ``name`` of the key is specified on the command line. This must
-match the name of the zone for which the key is being generated.
-
-Options
-~~~~~~~
-
-``-a algorithm``
-   This option selects the cryptographic algorithm. The value of ``algorithm`` must
-   be one of RSASHA1, NSEC3RSASHA1, RSASHA256, RSASHA512,
-   ECDSAP256SHA256, ECDSAP384SHA384, ED25519, or ED448.
-
-   If no algorithm is specified, RSASHA1 is used by default
-   unless the ``-3`` option is specified, in which case NSEC3RSASHA1
-   is used instead. (If ``-3`` is used and an algorithm is
-   specified, that algorithm is checked for compatibility with
-   NSEC3.)
-
-   These values are case-insensitive. In some cases, abbreviations are
-   supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for
-   ECDSAP384SHA384. If RSASHA1 is specified along with the ``-3``
-   option, then NSEC3RSASHA1 is used instead.
-
-   Since BIND 9.12.0, this option is mandatory except when using the
-   ``-S`` option, which copies the algorithm from the predecessory key.
-   Previously, the default for newly generated keys was RSASHA1.
-
-``-3``
-   This option uses an NSEC3-capable algorithm to generate a DNSSEC key. If this
-   option is used with an algorithm that has both NSEC and NSEC3
-   versions, then the NSEC3 version is used; for example,
-   ``dnssec-keygen -3a RSASHA1`` specifies the NSEC3RSASHA1 algorithm.
-
-``-E engine``
-   This option specifies the cryptographic hardware to use.
-
-   When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
-   engine identifier that drives the cryptographic accelerator or
-   hardware service module (usually ``pkcs11``).
-
-``-l label``
-   This option specifies the label for a key pair in the crypto hardware.
-
-   When BIND 9 is built with OpenSSL-based PKCS#11 support, the label is
-   an arbitrary string that identifies a particular key. It may be
-   preceded by an optional OpenSSL engine name, followed by a colon, as
-   in ``pkcs11:keylabel``.
-
-``-n nametype``
-   This option specifies the owner type of the key. The value of ``nametype`` must
-   either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY
-   (for a key associated with a host (KEY)), USER (for a key associated
-   with a user (KEY)), or OTHER (DNSKEY). These values are
-   case-insensitive.
-
-``-C``
-   This option enables compatibility mode, which generates an old-style key, without any metadata.
-   By default, ``dnssec-keyfromlabel`` includes the key's creation
-   date in the metadata stored with the private key; other dates may
-   be set there as well, including publication date, activation date, etc. Keys
-   that include this data may be incompatible with older versions of
-   BIND; the ``-C`` option suppresses them.
-
-``-c class``
-   This option indicates that the DNS record containing the key should have the
-   specified class. If not specified, class IN is used.
-
-``-f flag``
-   This option sets the specified flag in the ``flag`` field of the KEY/DNSKEY record.
-   The only recognized flags are KSK (Key-Signing Key) and REVOKE.
-
-``-G``
-   This option generates a key, but does not publish it or sign with it. This option is
-   incompatible with ``-P`` and ``-A``.
-
-``-h``
-   This option prints a short summary of the options and arguments to
-   ``dnssec-keyfromlabel``.
-
-``-K directory``
-   This option sets the directory in which the key files are to be written.
-
-``-k``
-   This option generates KEY records rather than DNSKEY records.
-
-``-L`` ttl
-   This option sets the default TTL to use for this key when it is converted into a
-   DNSKEY RR. This is the TTL used when the key is imported into a zone,
-   unless there was already a DNSKEY RRset in
-   place, in which case the existing TTL would take precedence. Setting
-   the default TTL to ``0`` or ``none`` removes it.
-
-``-p protocol``
-   This option sets the protocol value for the key. The protocol is a number between
-   0 and 255. The default is 3 (DNSSEC). Other possible values for this
-   argument are listed in :rfc:`2535` and its successors.
-
-``-S key``
-   This option generates a key as an explicit successor to an existing key. The name,
-   algorithm, size, and type of the key are set to match the
-   predecessor. The activation date of the new key is set to the
-   inactivation date of the existing one. The publication date is
-   set to the activation date minus the prepublication interval, which
-   defaults to 30 days.
-
-``-t type``
-   This option indicates the type of the key. ``type`` must be one of AUTHCONF,
-   NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH refers
-   to the ability to authenticate data, and CONF to the ability to encrypt
-   data.
-
-``-v level``
-   This option sets the debugging level.
-
-``-V``
-   This option prints version information.
-
-``-y``
-   This option allows DNSSEC key files to be generated even if the key ID would
-   collide with that of an existing key, in the event of either key
-   being revoked. (This is only safe to enable if
-   :rfc:`5011` trust anchor maintenance is not used with either of the keys
-   involved.)
-
-Timing Options
-~~~~~~~~~~~~~~
-
-Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the
-argument begins with a ``+`` or ``-``, it is interpreted as an offset from
-the present time. For convenience, if such an offset is followed by one
-of the suffixes ``y``, ``mo``, ``w``, ``d``, ``h``, or ``mi``, then the offset is
-computed in years (defined as 365 24-hour days, ignoring leap years),
-months (defined as 30 24-hour days), weeks, days, hours, or minutes,
-respectively. Without a suffix, the offset is computed in seconds. To
-explicitly prevent a date from being set, use ``none`` or ``never``.
-
-``-P date/offset``
-   This option sets the date on which a key is to be published to the zone. After
-   that date, the key is included in the zone but is not used
-   to sign it. If not set, and if the ``-G`` option has not been used, the
-   default is the current date.
-
-``-P sync date/offset``
-   This option sets the date on which CDS and CDNSKEY records that match this key
-   are to be published to the zone.
-
-``-A date/offset``
-   This option sets the date on which the key is to be activated. After that date,
-   the key is included in the zone and used to sign it. If not set,
-   and if the ``-G`` option has not been used, the default is the current date.
-
-``-R date/offset``
-   This option sets the date on which the key is to be revoked. After that date, the
-   key is flagged as revoked. It is included in the zone and
-   is used to sign it.
-
-``-I date/offset``
-   This option sets the date on which the key is to be retired. After that date, the
-   key is still included in the zone, but it is not used to
-   sign it.
-
-``-D date/offset``
-   This option sets the date on which the key is to be deleted. After that date, the
-   key is no longer included in the zone. (However, it may remain in the key
-   repository.)
-
-``-D sync date/offset``
-   This option sets the date on which the CDS and CDNSKEY records that match this
-   key are to be deleted.
-
-``-i interval``
-   This option sets the prepublication interval for a key. If set, then the
-   publication and activation dates must be separated by at least this
-   much time. If the activation date is specified but the publication
-   date is not, the publication date defaults to this much time
-   before the activation date; conversely, if the publication date is
-   specified but not the activation date, activation is set to
-   this much time after publication.
-
-   If the key is being created as an explicit successor to another key,
-   then the default prepublication interval is 30 days; otherwise it is
-   zero.
-
-   As with date offsets, if the argument is followed by one of the
-   suffixes ``y``, ``mo``, ``w``, ``d``, ``h``, or ``mi``, the interval is
-   measured in years, months, weeks, days, hours, or minutes,
-   respectively. Without a suffix, the interval is measured in seconds.
-
-Generated Key Files
-~~~~~~~~~~~~~~~~~~~
-
-When ``dnssec-keyfromlabel`` completes successfully, it prints a string
-of the form ``Knnnn.+aaa+iiiii`` to the standard output. This is an
-identification string for the key files it has generated.
-
--  ``nnnn`` is the key name.
-
--  ``aaa`` is the numeric representation of the algorithm.
-
--  ``iiiii`` is the key identifier (or footprint).
-
-``dnssec-keyfromlabel`` creates two files, with names based on the
-printed string. ``Knnnn.+aaa+iiiii.key`` contains the public key, and
-``Knnnn.+aaa+iiiii.private`` contains the private key.
-
-The ``.key`` file contains a DNS KEY record that can be inserted into a
-zone file (directly or with an $INCLUDE statement).
-
-The ``.private`` file contains algorithm-specific fields. For obvious
-security reasons, this file does not have general read permission.
-
-See Also
-~~~~~~~~
-
-:manpage:`dnssec-keygen(8)`, :manpage:`dnssec-signzone(8)`, BIND 9 Administrator Reference Manual,
-:rfc:`4034`, :rfc:`7512`.

bin/dnssec/dnssec-keygen.rst

@@ -1,319 +0,0 @@
-.. 
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-   
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, you can obtain one at https://mozilla.org/MPL/2.0/.
-   
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-..
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-
-.. highlight: console
-
-.. _man_dnssec-keygen:
-
-dnssec-keygen: DNSSEC key generation tool
------------------------------------------
-
-Synopsis
-~~~~~~~~
-
-:program:`dnssec-keygen` [**-3**] [**-A** date/offset] [**-a** algorithm] [**-b** keysize] [**-C**] [**-c** class] [**-D** date/offset] [**-d** bits] [**-D** sync date/offset] [**-E** engine] [**-f** flag] [**-G**] [**-g** generator] [**-h**] [**-I** date/offset] [**-i** interval] [**-K** directory] [**-k** policy] [**-L** ttl] [**-l** file] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-q**] [**-R** date/offset] [**-S** key] [**-s** strength] [**-T** rrtype] [**-t** type] [**-V**] [**-v** level] {name}
-
-Description
-~~~~~~~~~~~
-
-``dnssec-keygen`` generates keys for DNSSEC (Secure DNS), as defined in
-:rfc:`2535` and :rfc:`4034`. It can also generate keys for use with TSIG
-(Transaction Signatures) as defined in :rfc:`2845`, or TKEY (Transaction
-Key) as defined in :rfc:`2930`.
-
-The ``name`` of the key is specified on the command line. For DNSSEC
-keys, this must match the name of the zone for which the key is being
-generated.
-
-Options
-~~~~~~~
-
-``-3``
-   This option uses an NSEC3-capable algorithm to generate a DNSSEC key. If this
-   option is used with an algorithm that has both NSEC and NSEC3
-   versions, then the NSEC3 version is selected; for example,
-   ``dnssec-keygen -3a RSASHA1`` specifies the NSEC3RSASHA1 algorithm.
-
-``-a algorithm``
-   This option selects the cryptographic algorithm. For DNSSEC keys, the value of
-   ``algorithm`` must be one of RSASHA1, NSEC3RSASHA1, RSASHA256,
-   RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519, or ED448. For
-   TKEY, the value must be DH (Diffie-Hellman); specifying this value
-   automatically sets the ``-T KEY`` option as well.
-
-   These values are case-insensitive. In some cases, abbreviations are
-   supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for
-   ECDSAP384SHA384. If RSASHA1 is specified along with the ``-3``
-   option, NSEC3RSASHA1 is used instead.
-
-   This parameter *must* be specified except when using the ``-S``
-   option, which copies the algorithm from the predecessor key.
-
-   In prior releases, HMAC algorithms could be generated for use as TSIG
-   keys, but that feature was removed in BIND 9.13.0. Use
-   ``tsig-keygen`` to generate TSIG keys.
-
-``-b keysize``
-   This option specifies the number of bits in the key. The choice of key size
-   depends on the algorithm used: RSA keys must be between 1024 and 4096
-   bits; Diffie-Hellman keys must be between 128 and 4096 bits. Elliptic
-   curve algorithms do not need this parameter.
-
-   If the key size is not specified, some algorithms have pre-defined
-   defaults. For example, RSA keys for use as DNSSEC zone-signing keys
-   have a default size of 1024 bits; RSA keys for use as key-signing
-   keys (KSKs, generated with ``-f KSK``) default to 2048 bits.
-
-``-C``
-   This option enables compatibility mode, which generates an old-style key, without any timing
-   metadata. By default, ``dnssec-keygen`` includes the key's
-   creation date in the metadata stored with the private key; other
-   dates may be set there as well, including publication date, activation date,
-   etc. Keys that include this data may be incompatible with older
-   versions of BIND; the ``-C`` option suppresses them.
-
-``-c class``
-   This option indicates that the DNS record containing the key should have the
-   specified class. If not specified, class IN is used.
-
-``-d bits``
-   This option specifies the key size in bits. For the algorithms RSASHA1, NSEC3RSASA1, RSASHA256, and
-   RSASHA512 the key size must be between 1024 and 4096 bits; DH size is between 128
-   and 4096 bits. This option is ignored for algorithms ECDSAP256SHA256,
-   ECDSAP384SHA384, ED25519, and ED448.
-
-``-E engine``
-   This option specifies the cryptographic hardware to use, when applicable.
-
-   When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
-   engine identifier that drives the cryptographic accelerator or
-   hardware service module (usually ``pkcs11``).
-
-``-f flag``
-   This option sets the specified flag in the flag field of the KEY/DNSKEY record.
-   The only recognized flags are KSK (Key-Signing Key) and REVOKE.
-
-``-G``
-   This option generates a key, but does not publish it or sign with it. This option is
-   incompatible with ``-P`` and ``-A``.
-
-``-g generator``
-   This option indicates the generator to use if generating a Diffie-Hellman key. Allowed
-   values are 2 and 5. If no generator is specified, a known prime from
-   :rfc:`2539` is used if possible; otherwise the default is 2.
-
-``-h``
-   This option prints a short summary of the options and arguments to
-   ``dnssec-keygen``.
-
-``-K directory``
-   This option sets the directory in which the key files are to be written.
-
-``-k policy``
-   This option creates keys for a specific ``dnssec-policy``. If a policy uses multiple keys,
-   ``dnssec-keygen`` generates multiple keys. This also
-   creates a ".state" file to keep track of the key state.
-
-   This option creates keys according to the ``dnssec-policy`` configuration, hence
-   it cannot be used at the same time as many of the other options that
-   ``dnssec-keygen`` provides.
-
-``-L ttl``
-   This option sets the default TTL to use for this key when it is converted into a
-   DNSKEY RR. This is the TTL used when the key is imported into a zone,
-   unless there was already a DNSKEY RRset in
-   place, in which case the existing TTL takes precedence. If this
-   value is not set and there is no existing DNSKEY RRset, the TTL
-   defaults to the SOA TTL. Setting the default TTL to ``0`` or ``none``
-   is the same as leaving it unset.
-
-``-l file``
-   This option provides a configuration file that contains a ``dnssec-policy`` statement
-   (matching the policy set with ``-k``).
-
-``-n nametype``
-   This option specifies the owner type of the key. The value of ``nametype`` must
-   either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY
-   (for a key associated with a host (KEY)), USER (for a key associated
-   with a user (KEY)), or OTHER (DNSKEY). These values are
-   case-insensitive. The default is ZONE for DNSKEY generation.
-
-``-p protocol``
-   This option sets the protocol value for the generated key, for use with
-   ``-T KEY``. The protocol is a number between 0 and 255. The default
-   is 3 (DNSSEC). Other possible values for this argument are listed in
-   :rfc:`2535` and its successors.
-
-``-q``
-   This option sets quiet mode, which suppresses unnecessary output, including progress
-   indication. Without this option, when ``dnssec-keygen`` is run
-   interactively to generate an RSA or DSA key pair, it prints a
-   string of symbols to ``stderr`` indicating the progress of the key
-   generation. A ``.`` indicates that a random number has been found which
-   passed an initial sieve test; ``+`` means a number has passed a single
-   round of the Miller-Rabin primality test; and a space ( ) means that the
-   number has passed all the tests and is a satisfactory key.
-
-``-S key``
-   This option creates a new key which is an explicit successor to an existing key.
-   The name, algorithm, size, and type of the key are set to match
-   the existing key. The activation date of the new key is set to
-   the inactivation date of the existing one. The publication date is
-   set to the activation date minus the prepublication interval,
-   which defaults to 30 days.
-
-``-s strength``
-   This option specifies the strength value of the key. The strength is a number
-   between 0 and 15, and currently has no defined purpose in DNSSEC.
-
-``-T rrtype``
-   This option specifies the resource record type to use for the key. ``rrtype``
-   must be either DNSKEY or KEY. The default is DNSKEY when using a
-   DNSSEC algorithm, but it can be overridden to KEY for use with
-   SIG(0).
-
-``-t type``
-   This option indicates the type of the key for use with ``-T KEY``. ``type``
-   must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
-   is AUTHCONF. AUTH refers to the ability to authenticate data, and
-   CONF to the ability to encrypt data.
-
-``-V``
-   This option prints version information.
-
-``-v level``
-   This option sets the debugging level.
-
-Timing Options
-~~~~~~~~~~~~~~
-
-Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the
-argument begins with a ``+`` or ``-``, it is interpreted as an offset from
-the present time. For convenience, if such an offset is followed by one
-of the suffixes ``y``, ``mo``, ``w``, ``d``, ``h``, or ``mi``, then the offset is
-computed in years (defined as 365 24-hour days, ignoring leap years),
-months (defined as 30 24-hour days), weeks, days, hours, or minutes,
-respectively. Without a suffix, the offset is computed in seconds. To
-explicitly prevent a date from being set, use ``none`` or ``never``.
-
-``-P date/offset``
-   This option sets the date on which a key is to be published to the zone. After
-   that date, the key is included in the zone but is not used
-   to sign it. If not set, and if the ``-G`` option has not been used, the
-   default is the current date.
-
-``-P sync date/offset``
-   This option sets the date on which CDS and CDNSKEY records that match this key
-   are to be published to the zone.
-
-``-A date/offset``
-   This option sets the date on which the key is to be activated. After that date,
-   the key is included in the zone and used to sign it. If not set,
-   and if the ``-G`` option has not been used, the default is the current date. If set,
-   and ``-P`` is not set, the publication date is set to the
-   activation date minus the prepublication interval.
-
-``-R date/offset``
-   This option sets the date on which the key is to be revoked. After that date, the
-   key is flagged as revoked. It is included in the zone and
-   is used to sign it.
-
-``-I date/offset``
-   This option sets the date on which the key is to be retired. After that date, the
-   key is still included in the zone, but it is not used to
-   sign it.
-
-``-D date/offset``
-   This option sets the date on which the key is to be deleted. After that date, the
-   key is no longer included in the zone. (However, it may remain in the key
-   repository.)
-
-``-D sync date/offset``
-   This option sets the date on which the CDS and CDNSKEY records that match this
-   key are to be deleted.
-
-``-i interval``
-   This option sets the prepublication interval for a key. If set, then the
-   publication and activation dates must be separated by at least this
-   much time. If the activation date is specified but the publication
-   date is not, the publication date defaults to this much time
-   before the activation date; conversely, if the publication date is
-   specified but not the activation date, activation is set to
-   this much time after publication.
-
-   If the key is being created as an explicit successor to another key,
-   then the default prepublication interval is 30 days; otherwise it is
-   zero.
-
-   As with date offsets, if the argument is followed by one of the
-   suffixes ``y``, ``mo``, ``w``, ``d``, ``h``, or ``mi``, the interval is
-   measured in years, months, weeks, days, hours, or minutes,
-   respectively. Without a suffix, the interval is measured in seconds.
-
-Generated Keys
-~~~~~~~~~~~~~~
-
-When ``dnssec-keygen`` completes successfully, it prints a string of the
-form ``Knnnn.+aaa+iiiii`` to the standard output. This is an
-identification string for the key it has generated.
-
--  ``nnnn`` is the key name.
-
--  ``aaa`` is the numeric representation of the algorithm.
-
--  ``iiiii`` is the key identifier (or footprint).
-
-``dnssec-keygen`` creates two files, with names based on the printed
-string. ``Knnnn.+aaa+iiiii.key`` contains the public key, and
-``Knnnn.+aaa+iiiii.private`` contains the private key.
-
-The ``.key`` file contains a DNSKEY or KEY record. When a zone is being
-signed by ``named`` or ``dnssec-signzone -S``, DNSKEY records are
-included automatically. In other cases, the ``.key`` file can be
-inserted into a zone file manually or with an ``$INCLUDE`` statement.
-
-The ``.private`` file contains algorithm-specific fields. For obvious
-security reasons, this file does not have general read permission.
-
-Example
-~~~~~~~
-
-To generate an ECDSAP256SHA256 zone-signing key for the zone
-``example.com``, issue the command:
-
-``dnssec-keygen -a ECDSAP256SHA256 example.com``
-
-The command prints a string of the form:
-
-``Kexample.com.+013+26160``
-
-In this example, ``dnssec-keygen`` creates the files
-``Kexample.com.+013+26160.key`` and ``Kexample.com.+013+26160.private``.
-
-To generate a matching key-signing key, issue the command:
-
-``dnssec-keygen -a ECDSAP256SHA256 -f KSK example.com``
-
-See Also
-~~~~~~~~
-
-:manpage:`dnssec-signzone(8)`, BIND 9 Administrator Reference Manual, :rfc:`2539`,
-:rfc:`2845`, :rfc:`4034`.

bin/dnssec/dnssec-makekeyset.c

@@ -0,0 +1,440 @@
+/*
+ * Portions Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM AND
+ * NETWORK ASSOCIATES DISCLAIM ALL WARRANTIES WITH REGARD TO THIS
+ * SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
+ * FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE CONSORTIUM OR NETWORK
+ * ASSOCIATES BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+ * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
+ * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+ * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dnssec-makekeyset.c,v 1.45.4.2 2001/03/26 19:11:53 gson Exp $ */
+
+#include <config.h>
+
+#include <stdlib.h>
+
+#include <isc/commandline.h>
+#include <isc/entropy.h>
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/dnssec.h>
+#include <dns/fixedname.h>
+#include <dns/log.h>
+#include <dns/rdata.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/result.h>
+#include <dns/secalg.h>
+#include <dns/time.h>
+
+#include <dst/dst.h>
+
+#include "dnssectool.h"
+
+#define BUFSIZE 2048
+
+const char *program = "dnssec-makekeyset";
+int verbose;
+
+typedef struct keynode keynode_t;
+struct keynode {
+	dst_key_t *key;
+	ISC_LINK(keynode_t) link;
+};
+typedef ISC_LIST(keynode_t) keylist_t;
+
+static isc_stdtime_t starttime = 0, endtime = 0, now;
+static int ttl = -1;
+
+static isc_mem_t *mctx = NULL;
+static isc_entropy_t *ectx = NULL;
+
+static keylist_t keylist;
+
+static void
+usage(void) {
+	fprintf(stderr, "Usage:\n");
+	fprintf(stderr, "\t%s [options] keys\n", program);
+
+	fprintf(stderr, "\n");
+
+	fprintf(stderr, "Options: (default value in parenthesis) \n");
+	fprintf(stderr, "\t-a\n");
+	fprintf(stderr, "\t\tverify generated signatures\n");
+	fprintf(stderr, "\t-s YYYYMMDDHHMMSS|+offset:\n");
+	fprintf(stderr, "\t\tSIG start time - absolute|offset (now)\n");
+	fprintf(stderr, "\t-e YYYYMMDDHHMMSS|+offset|\"now\"+offset]:\n");
+	fprintf(stderr, "\t\tSIG end time  - "
+			     "absolute|from start|from now (now + 30 days)\n");
+	fprintf(stderr, "\t-t ttl\n");
+	fprintf(stderr, "\t-p\n");
+	fprintf(stderr, "\t\tuse pseudorandom data (faster but less secure)\n");
+	fprintf(stderr, "\t-r randomdev:\n");
+	fprintf(stderr, "\t\ta file containing random data\n");
+	fprintf(stderr, "\t-v level:\n");
+	fprintf(stderr, "\t\tverbose level (0)\n");
+
+	fprintf(stderr, "\n");
+
+	fprintf(stderr, "keys:\n");
+	fprintf(stderr, "\tkeyfile (Kname+alg+tag)\n");
+
+	fprintf(stderr, "\n");
+
+	fprintf(stderr, "Output:\n");
+	fprintf(stderr, "\tkeyset (keyset-<name>)\n");
+	exit(0);
+}
+
+int
+main(int argc, char *argv[]) {
+	int i, ch;
+	char *startstr = NULL, *endstr = NULL;
+	char *randomfile = NULL;
+	dns_fixedname_t fdomain;
+	dns_name_t *domain = NULL;
+	char *output = NULL;
+	char *endp;
+	unsigned char *data;
+	dns_db_t *db;
+	dns_dbnode_t *node;
+	dns_dbversion_t *version;
+	dst_key_t *key = NULL;
+	dns_rdata_t *rdata;
+	dns_rdatalist_t rdatalist, sigrdatalist;
+	dns_rdataset_t rdataset, sigrdataset;
+	isc_result_t result;
+	isc_buffer_t b;
+	isc_region_t r;
+	isc_log_t *log = NULL;
+	keynode_t *keynode;
+	dns_name_t *savedname = NULL;
+	unsigned int eflags;
+	isc_boolean_t pseudorandom = ISC_FALSE;
+	isc_boolean_t tryverify = ISC_FALSE;
+
+	result = isc_mem_create(0, 0, &mctx);
+	if (result != ISC_R_SUCCESS)
+		fatal("failed to create memory context: %s",
+		      isc_result_totext(result));
+
+	dns_result_register();
+
+	while ((ch = isc_commandline_parse(argc, argv, "as:e:t:r:v:ph")) != -1)
+	{
+		switch (ch) {
+		case 'a':
+			tryverify = ISC_TRUE;
+			break;
+		case 's':
+			startstr = isc_commandline_argument;
+			break;
+
+		case 'e':
+			endstr = isc_commandline_argument;
+			break;
+
+		case 't':
+			endp = NULL;
+			ttl = strtol(isc_commandline_argument, &endp, 0);
+			if (*endp != '\0')
+				fatal("TTL must be numeric");
+			break;
+
+		case 'r':
+			randomfile = isc_commandline_argument;
+			break;
+
+		case 'v':
+			endp = NULL;
+			verbose = strtol(isc_commandline_argument, &endp, 0);
+			if (*endp != '\0')
+				fatal("verbose level must be numeric");
+			break;
+
+		case 'p':
+			pseudorandom = ISC_TRUE;
+			break;
+
+		case 'h':
+		default:
+			usage();
+
+		}
+	}
+
+	argc -= isc_commandline_index;
+	argv += isc_commandline_index;
+
+	if (argc < 1)
+		usage();
+
+	setup_entropy(mctx, randomfile, &ectx);
+	eflags = ISC_ENTROPY_BLOCKING;
+	if (!pseudorandom)
+		eflags |= ISC_ENTROPY_GOODONLY;
+	result = dst_lib_init(mctx, ectx, eflags);
+	if (result != ISC_R_SUCCESS)
+		fatal("could not initialize dst");
+
+	isc_stdtime_get(&now);
+
+	if (startstr != NULL)
+		starttime = strtotime(startstr, now, now);
+	else
+		starttime = now;
+
+	if (endstr != NULL)
+		endtime = strtotime(endstr, now, starttime);
+	else
+		endtime = starttime + (30 * 24 * 60 * 60);
+
+	if (ttl == -1) {
+		ttl = 3600;
+		fprintf(stderr, "%s: TTL not specified, assuming 3600\n",
+			program);
+	}
+
+	setup_logging(verbose, mctx, &log);
+
+	dns_rdatalist_init(&rdatalist);
+	rdatalist.rdclass = 0;
+	rdatalist.type = dns_rdatatype_key;
+	rdatalist.covers = 0;
+	rdatalist.ttl = ttl;
+
+	ISC_LIST_INIT(keylist);
+
+	for (i = 0; i < argc; i++) {
+		char namestr[DNS_NAME_FORMATSIZE];
+		dns_fixedname_t fname;
+		isc_buffer_t namebuf;
+
+		key = NULL;
+		result = dst_key_fromnamedfile(argv[i], DST_TYPE_PUBLIC,
+					       mctx, &key);
+		if (result != ISC_R_SUCCESS)
+			fatal("error loading key from %s", argv[i]);
+		if (rdatalist.rdclass == 0)
+			rdatalist.rdclass = dst_key_class(key);
+
+		isc_buffer_init(&namebuf, namestr, sizeof namestr);
+		dns_fixedname_init(&fname);
+		dns_name_downcase(dst_key_name(key),
+				  dns_fixedname_name(&fname),
+				  NULL);
+		result = dns_name_totext(dns_fixedname_name(&fname),
+					 ISC_FALSE,
+					 &namebuf);
+		check_result(result, "dns_name_totext");
+		isc_buffer_putuint8(&namebuf, 0);
+		
+		if (savedname == NULL) {
+			savedname = isc_mem_get(mctx, sizeof(dns_name_t));
+			if (savedname == NULL)
+				fatal("out of memory");
+			dns_name_init(savedname, NULL);
+			result = dns_name_dup(dst_key_name(key), mctx,
+					      savedname);
+			if (result != ISC_R_SUCCESS)
+				fatal("out of memory");
+		} else {
+			char savednamestr[DNS_NAME_FORMATSIZE];
+			dns_name_format(savedname, savednamestr,
+					sizeof savednamestr);
+			if (!dns_name_equal(savedname, dst_key_name(key)) != 0)
+				fatal("all keys must have the same owner - %s "
+				      "and %s do not match",
+				      savednamestr, namestr);
+		}
+		if (output == NULL) {
+			output = isc_mem_allocate(mctx,
+						  strlen("keyset-") +
+						  strlen(namestr) + 1);
+			if (output == NULL)
+				fatal("out of memory");
+			strcpy(output, "keyset-");
+			strcat(output, namestr);
+		}
+		if (domain == NULL) {
+			dns_fixedname_init(&fdomain);
+			domain = dns_fixedname_name(&fdomain);
+			isc_buffer_init(&b, namestr, strlen(namestr));
+			isc_buffer_add(&b, strlen(namestr));
+			result = dns_name_fromtext(domain, &b, dns_rootname,
+						   ISC_FALSE, NULL);
+			if (result != ISC_R_SUCCESS)
+				fatal("%s is not a valid name: %s",
+				      namestr, isc_result_totext(result));
+		}
+		if (dst_key_iszonekey(key)) {
+			dst_key_t *zonekey = NULL;
+			result = dst_key_fromnamedfile(argv[i],
+						       DST_TYPE_PRIVATE,
+						       mctx, &zonekey);
+			if (result != ISC_R_SUCCESS)
+				fatal("failed to read private key %s: %s",
+				      argv[i], isc_result_totext(result));
+			keynode = isc_mem_get(mctx, sizeof (keynode_t));
+			if (keynode == NULL)
+				fatal("out of memory");
+			keynode->key = zonekey;
+			ISC_LIST_INITANDAPPEND(keylist, keynode, link);
+		}
+		rdata = isc_mem_get(mctx, sizeof(dns_rdata_t));
+		if (rdata == NULL)
+			fatal("out of memory");
+		dns_rdata_init(rdata);
+		data = isc_mem_get(mctx, BUFSIZE);
+		if (data == NULL)
+			fatal("out of memory");
+		isc_buffer_init(&b, data, BUFSIZE);
+		result = dst_key_todns(key, &b);
+		if (result != ISC_R_SUCCESS)
+			fatal("failed to convert key %s to a DNS KEY: %s",
+			      argv[i], isc_result_totext(result));
+		isc_buffer_usedregion(&b, &r);
+		dns_rdata_fromregion(rdata, rdatalist.rdclass,
+				     dns_rdatatype_key, &r);
+		ISC_LIST_APPEND(rdatalist.rdata, rdata, link);
+		dst_key_free(&key);
+	}
+
+	dns_rdataset_init(&rdataset);
+	result = dns_rdatalist_tordataset(&rdatalist, &rdataset);
+	check_result(result, "dns_rdatalist_tordataset()");
+
+	dns_rdatalist_init(&sigrdatalist);
+	sigrdatalist.rdclass = rdatalist.rdclass;
+	sigrdatalist.type = dns_rdatatype_sig;
+	sigrdatalist.covers = dns_rdatatype_key;
+	sigrdatalist.ttl = ttl;
+
+	if (ISC_LIST_EMPTY(keylist))
+		fprintf(stderr,
+			"%s: no private zone key found; not self-signing\n",
+			program);
+	for (keynode = ISC_LIST_HEAD(keylist);
+	     keynode != NULL;
+	     keynode = ISC_LIST_NEXT(keynode, link))
+	{
+		rdata = isc_mem_get(mctx, sizeof(dns_rdata_t));
+		if (rdata == NULL)
+			fatal("out of memory");
+		dns_rdata_init(rdata);
+		data = isc_mem_get(mctx, BUFSIZE);
+		if (data == NULL)
+			fatal("out of memory");
+		isc_buffer_init(&b, data, BUFSIZE);
+		result = dns_dnssec_sign(domain, &rdataset, keynode->key,
+					 &starttime, &endtime, mctx, &b,
+					 rdata);
+		isc_entropy_stopcallbacksources(ectx);
+		if (result != ISC_R_SUCCESS) {
+			char keystr[KEY_FORMATSIZE];
+			key_format(keynode->key, keystr, sizeof keystr);
+			fatal("failed to sign keyset with key %s: %s",
+			      keystr, isc_result_totext(result));
+		}
+		if (tryverify) {
+			result = dns_dnssec_verify(domain, &rdataset,
+						   keynode->key, ISC_TRUE,
+						   mctx, rdata);
+			if (result != ISC_R_SUCCESS) {
+				char keystr[KEY_FORMATSIZE];
+				key_format(keynode->key, keystr, sizeof keystr);
+				fatal("signature from key '%s' failed to "
+				      "verify: %s",
+				      keystr, isc_result_totext(result));
+			}
+		}
+		ISC_LIST_APPEND(sigrdatalist.rdata, rdata, link);
+		dns_rdataset_init(&sigrdataset);
+		result = dns_rdatalist_tordataset(&sigrdatalist, &sigrdataset);
+		check_result(result, "dns_rdatalist_tordataset()");
+	}
+
+	db = NULL;
+	result = dns_db_create(mctx, "rbt", domain, dns_dbtype_zone,
+			       rdataset.rdclass, 0, NULL, &db);
+	if (result != ISC_R_SUCCESS) {
+		char domainstr[DNS_NAME_FORMATSIZE];
+		dns_name_format(domain, domainstr, sizeof domainstr);
+		fatal("failed to create a database for %s", domainstr);
+	}
+
+	version = NULL;
+	dns_db_newversion(db, &version);
+
+	node = NULL;
+	result = dns_db_findnode(db, domain, ISC_TRUE, &node);
+	check_result(result, "dns_db_findnode()");
+
+	dns_db_addrdataset(db, node, version, 0, &rdataset, 0, NULL);
+	if (!ISC_LIST_EMPTY(keylist))
+		dns_db_addrdataset(db, node, version, 0, &sigrdataset, 0,
+				   NULL);
+
+	dns_db_detachnode(db, &node);
+	dns_db_closeversion(db, &version, ISC_TRUE);
+	result = dns_db_dump(db, version, output);
+	if (result != ISC_R_SUCCESS) {
+		char domainstr[DNS_NAME_FORMATSIZE];
+		dns_name_format(domain, domainstr, sizeof domainstr);
+		fatal("failed to write database for %s to %s",
+		      domainstr, output);
+	}
+
+	printf("%s\n", output);
+
+	dns_db_detach(&db);
+
+	dns_rdataset_disassociate(&rdataset);
+	while (!ISC_LIST_EMPTY(rdatalist.rdata)) {
+		rdata = ISC_LIST_HEAD(rdatalist.rdata);
+		ISC_LIST_UNLINK(rdatalist.rdata, rdata, link);
+		isc_mem_put(mctx, rdata->data, BUFSIZE);
+		isc_mem_put(mctx, rdata, sizeof *rdata);
+	}
+	while (!ISC_LIST_EMPTY(sigrdatalist.rdata)) {
+		rdata = ISC_LIST_HEAD(sigrdatalist.rdata);
+		ISC_LIST_UNLINK(sigrdatalist.rdata, rdata, link);
+		isc_mem_put(mctx, rdata->data, BUFSIZE);
+		isc_mem_put(mctx, rdata, sizeof *rdata);
+	}
+
+	while (!ISC_LIST_EMPTY(keylist)) {
+		keynode = ISC_LIST_HEAD(keylist);
+		ISC_LIST_UNLINK(keylist, keynode, link);
+		dst_key_free(&keynode->key);
+		isc_mem_put(mctx, keynode, sizeof(keynode_t));
+	}
+
+	if (savedname != NULL) {
+		dns_name_free(savedname, mctx);
+		isc_mem_put(mctx, savedname, sizeof(dns_name_t));
+	}
+
+	cleanup_logging(&log);
+	cleanup_entropy(&ectx);
+
+	isc_mem_free(mctx, output);
+	dst_lib_destroy();
+	if (verbose > 10)
+		isc_mem_stats(mctx, stdout);
+	isc_mem_destroy(&mctx);
+	return (0);
+}

bin/dnssec/dnssec-revoke.c

@@ -1,260 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-/*! \file */
-
-#include <inttypes.h>
-#include <stdbool.h>
-#include <stdlib.h>
-#include <unistd.h>
-
-#include <isc/attributes.h>
-#include <isc/buffer.h>
-#include <isc/commandline.h>
-#include <isc/file.h>
-#include <isc/hash.h>
-#include <isc/mem.h>
-#include <isc/print.h>
-#include <isc/result.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dns/keyvalues.h>
-
-#include <dst/dst.h>
-
-#include "dnssectool.h"
-
-const char *program = "dnssec-revoke";
-
-static isc_mem_t *mctx = NULL;
-
-ISC_NORETURN static void
-usage(void);
-
-static void
-usage(void) {
-	fprintf(stderr, "Usage:\n");
-	fprintf(stderr, "    %s [options] keyfile\n\n", program);
-	fprintf(stderr, "Version: %s\n", PACKAGE_VERSION);
-	fprintf(stderr, "    -E engine:    specify OpenSSL engine\n");
-	fprintf(stderr, "    -f:           force overwrite\n");
-	fprintf(stderr, "    -h:           help\n");
-	fprintf(stderr, "    -K directory: use directory for key files\n");
-	fprintf(stderr, "    -r:           remove old keyfiles after "
-			"creating revoked version\n");
-	fprintf(stderr, "    -v level:     set level of verbosity\n");
-	fprintf(stderr, "    -V:           print version information\n");
-	fprintf(stderr, "Output:\n");
-	fprintf(stderr, "     K<name>+<alg>+<new id>.key, "
-			"K<name>+<alg>+<new id>.private\n");
-
-	exit(-1);
-}
-
-int
-main(int argc, char **argv) {
-	isc_result_t result;
-	const char *engine = NULL;
-	char const *filename = NULL;
-	char *dir = NULL;
-	char newname[1024], oldname[1024];
-	char keystr[DST_KEY_FORMATSIZE];
-	char *endp;
-	int ch;
-	dst_key_t *key = NULL;
-	uint32_t flags;
-	isc_buffer_t buf;
-	bool force = false;
-	bool removefile = false;
-	bool id = false;
-
-	if (argc == 1) {
-		usage();
-	}
-
-	isc_mem_create(&mctx);
-
-	isc_commandline_errprint = false;
-
-	while ((ch = isc_commandline_parse(argc, argv, "E:fK:rRhv:V")) != -1) {
-		switch (ch) {
-		case 'E':
-			engine = isc_commandline_argument;
-			break;
-		case 'f':
-			force = true;
-			break;
-		case 'K':
-			/*
-			 * We don't have to copy it here, but do it to
-			 * simplify cleanup later
-			 */
-			dir = isc_mem_strdup(mctx, isc_commandline_argument);
-			break;
-		case 'r':
-			removefile = true;
-			break;
-		case 'R':
-			id = true;
-			break;
-		case 'v':
-			verbose = strtol(isc_commandline_argument, &endp, 0);
-			if (*endp != '\0') {
-				fatal("-v must be followed by a number");
-			}
-			break;
-		case '?':
-			if (isc_commandline_option != '?') {
-				fprintf(stderr, "%s: invalid argument -%c\n",
-					program, isc_commandline_option);
-			}
-		/* FALLTHROUGH */
-		case 'h':
-			/* Does not return. */
-			usage();
-
-		case 'V':
-			/* Does not return. */
-			version(program);
-
-		default:
-			fprintf(stderr, "%s: unhandled option -%c\n", program,
-				isc_commandline_option);
-			exit(1);
-		}
-	}
-
-	if (argc < isc_commandline_index + 1 ||
-	    argv[isc_commandline_index] == NULL) {
-		fatal("The key file name was not specified");
-	}
-	if (argc > isc_commandline_index + 1) {
-		fatal("Extraneous arguments");
-	}
-
-	if (dir != NULL) {
-		filename = argv[isc_commandline_index];
-	} else {
-		result = isc_file_splitpath(mctx, argv[isc_commandline_index],
-					    &dir, &filename);
-		if (result != ISC_R_SUCCESS) {
-			fatal("cannot process filename %s: %s",
-			      argv[isc_commandline_index],
-			      isc_result_totext(result));
-		}
-		if (strcmp(dir, ".") == 0) {
-			isc_mem_free(mctx, dir);
-			dir = NULL;
-		}
-	}
-
-	result = dst_lib_init(mctx, engine);
-	if (result != ISC_R_SUCCESS) {
-		fatal("Could not initialize dst: %s",
-		      isc_result_totext(result));
-	}
-
-	result = dst_key_fromnamedfile(
-		filename, dir, DST_TYPE_PUBLIC | DST_TYPE_PRIVATE, mctx, &key);
-	if (result != ISC_R_SUCCESS) {
-		fatal("Invalid keyfile name %s: %s", filename,
-		      isc_result_totext(result));
-	}
-
-	if (id) {
-		fprintf(stdout, "%u\n", dst_key_rid(key));
-		goto cleanup;
-	}
-	dst_key_format(key, keystr, sizeof(keystr));
-
-	if (verbose > 2) {
-		fprintf(stderr, "%s: %s\n", program, keystr);
-	}
-
-	if (force) {
-		set_keyversion(key);
-	} else {
-		check_keyversion(key, keystr);
-	}
-
-	flags = dst_key_flags(key);
-	if ((flags & DNS_KEYFLAG_REVOKE) == 0) {
-		isc_stdtime_t now;
-
-		if ((flags & DNS_KEYFLAG_KSK) == 0) {
-			fprintf(stderr,
-				"%s: warning: Key is not flagged "
-				"as a KSK. Revoking a ZSK is "
-				"legal, but undefined.\n",
-				program);
-		}
-
-		isc_stdtime_get(&now);
-		dst_key_settime(key, DST_TIME_REVOKE, now);
-
-		dst_key_setflags(key, flags | DNS_KEYFLAG_REVOKE);
-
-		isc_buffer_init(&buf, newname, sizeof(newname));
-		dst_key_buildfilename(key, DST_TYPE_PUBLIC, dir, &buf);
-
-		if (access(newname, F_OK) == 0 && !force) {
-			fatal("Key file %s already exists; "
-			      "use -f to force overwrite",
-			      newname);
-		}
-
-		result = dst_key_tofile(key, DST_TYPE_PUBLIC | DST_TYPE_PRIVATE,
-					dir);
-		if (result != ISC_R_SUCCESS) {
-			dst_key_format(key, keystr, sizeof(keystr));
-			fatal("Failed to write key %s: %s", keystr,
-			      isc_result_totext(result));
-		}
-
-		isc_buffer_clear(&buf);
-		dst_key_buildfilename(key, 0, dir, &buf);
-		printf("%s\n", newname);
-
-		/*
-		 * Remove old key file, if told to (and if
-		 * it isn't the same as the new file)
-		 */
-		if (removefile) {
-			isc_buffer_init(&buf, oldname, sizeof(oldname));
-			dst_key_setflags(key, flags & ~DNS_KEYFLAG_REVOKE);
-			dst_key_buildfilename(key, DST_TYPE_PRIVATE, dir, &buf);
-			if (strcmp(oldname, newname) == 0) {
-				goto cleanup;
-			}
-			(void)unlink(oldname);
-			isc_buffer_clear(&buf);
-			dst_key_buildfilename(key, DST_TYPE_PUBLIC, dir, &buf);
-			(void)unlink(oldname);
-		}
-	} else {
-		dst_key_format(key, keystr, sizeof(keystr));
-		fatal("Key %s is already revoked", keystr);
-	}
-
-cleanup:
-	dst_key_free(&key);
-	dst_lib_destroy();
-	if (verbose > 10) {
-		isc_mem_stats(mctx, stdout);
-	}
-	if (dir != NULL) {
-		isc_mem_free(mctx, dir);
-	}
-	isc_mem_destroy(&mctx);
-
-	return (0);
-}

bin/dnssec/dnssec-revoke.rst

@@ -1,78 +0,0 @@
-.. 
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-   
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, you can obtain one at https://mozilla.org/MPL/2.0/.
-   
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-..
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-
-.. highlight: console
-
-.. _man_dnssec-revoke:
-
-dnssec-revoke - set the REVOKED bit on a DNSSEC key
----------------------------------------------------
-
-Synopsis
-~~~~~~~~
-
-:program:`dnssec-revoke` [**-hr**] [**-v** level] [**-V**] [**-K** directory] [**-E** engine] [**-f**] [**-R**] {keyfile}
-
-Description
-~~~~~~~~~~~
-
-``dnssec-revoke`` reads a DNSSEC key file, sets the REVOKED bit on the
-key as defined in :rfc:`5011`, and creates a new pair of key files
-containing the now-revoked key.
-
-Options
-~~~~~~~
-
-``-h``
-   This option emits a usage message and exits.
-
-``-K directory``
-   This option sets the directory in which the key files are to reside.
-
-``-r``
-   This option indicates to remove the original keyset files after writing the new keyset files.
-
-``-v level``
-   This option sets the debugging level.
-
-``-V``
-   This option prints version information.
-
-``-E engine``
-   This option specifies the cryptographic hardware to use, when applicable.
-
-   When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
-   engine identifier that drives the cryptographic accelerator or
-   hardware service module (usually ``pkcs11``).
-
-``-f``
-   This option indicates a forced overwrite and causes ``dnssec-revoke`` to write the new key pair,
-   even if a file already exists matching the algorithm and key ID of
-   the revoked key.
-
-``-R``
-   This option prints the key tag of the key with the REVOKE bit set, but does not
-   revoke the key.
-
-See Also
-~~~~~~~~
-
-:manpage:`dnssec-keygen(8)`, BIND 9 Administrator Reference Manual, :rfc:`5011`.

bin/dnssec/dnssec-settime.c

@@ -1,963 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-/*! \file */
-
-#include <errno.h>
-#include <inttypes.h>
-#include <stdbool.h>
-#include <stdlib.h>
-#include <time.h>
-#include <unistd.h>
-
-#include <isc/attributes.h>
-#include <isc/buffer.h>
-#include <isc/commandline.h>
-#include <isc/file.h>
-#include <isc/hash.h>
-#include <isc/mem.h>
-#include <isc/print.h>
-#include <isc/result.h>
-#include <isc/string.h>
-#include <isc/time.h>
-#include <isc/util.h>
-
-#include <dns/keyvalues.h>
-#include <dns/log.h>
-
-#include <dst/dst.h>
-
-#include "dnssectool.h"
-
-const char *program = "dnssec-settime";
-
-static isc_mem_t *mctx = NULL;
-
-ISC_NORETURN static void
-usage(void);
-
-static void
-usage(void) {
-	fprintf(stderr, "Usage:\n");
-	fprintf(stderr, "    %s [options] keyfile\n\n", program);
-	fprintf(stderr, "Version: %s\n", PACKAGE_VERSION);
-	fprintf(stderr, "General options:\n");
-	fprintf(stderr, "    -E engine:          specify OpenSSL engine\n");
-	fprintf(stderr, "    -f:                 force update of old-style "
-			"keys\n");
-	fprintf(stderr, "    -K directory:       set key file location\n");
-	fprintf(stderr, "    -L ttl:             set default key TTL\n");
-	fprintf(stderr, "    -v level:           set level of verbosity\n");
-	fprintf(stderr, "    -V:                 print version information\n");
-	fprintf(stderr, "    -h:                 help\n");
-	fprintf(stderr, "Timing options:\n");
-	fprintf(stderr, "    -P date/[+-]offset/none: set/unset key "
-			"publication date\n");
-	fprintf(stderr, "    -P ds date/[+-]offset/none: set/unset "
-			"DS publication date\n");
-	fprintf(stderr, "    -P sync date/[+-]offset/none: set/unset "
-			"CDS and CDNSKEY publication date\n");
-	fprintf(stderr, "    -A date/[+-]offset/none: set/unset key "
-			"activation date\n");
-	fprintf(stderr, "    -R date/[+-]offset/none: set/unset key "
-			"revocation date\n");
-	fprintf(stderr, "    -I date/[+-]offset/none: set/unset key "
-			"inactivation date\n");
-	fprintf(stderr, "    -D date/[+-]offset/none: set/unset key "
-			"deletion date\n");
-	fprintf(stderr, "    -D ds date/[+-]offset/none: set/unset "
-			"DS deletion date\n");
-	fprintf(stderr, "    -D sync date/[+-]offset/none: set/unset "
-			"CDS and CDNSKEY deletion date\n");
-	fprintf(stderr, "    -S <key>: generate a successor to an existing "
-			"key\n");
-	fprintf(stderr, "    -i <interval>: prepublication interval for "
-			"successor key "
-			"(default: 30 days)\n");
-	fprintf(stderr, "Key state options:\n");
-	fprintf(stderr, "    -s: update key state file (default no)\n");
-	fprintf(stderr, "    -g state: set the goal state for this key\n");
-	fprintf(stderr, "    -d state date/[+-]offset: set the DS state\n");
-	fprintf(stderr, "    -k state date/[+-]offset: set the DNSKEY state\n");
-	fprintf(stderr, "    -r state date/[+-]offset: set the RRSIG (KSK) "
-			"state\n");
-	fprintf(stderr, "    -z state date/[+-]offset: set the RRSIG (ZSK) "
-			"state\n");
-	fprintf(stderr, "Printing options:\n");
-	fprintf(stderr, "    -p C/P/Psync/A/R/I/D/Dsync/all: print a "
-			"particular time value or values\n");
-	fprintf(stderr, "    -u:                 print times in unix epoch "
-			"format\n");
-	fprintf(stderr, "Output:\n");
-	fprintf(stderr, "     K<name>+<alg>+<new id>.key, "
-			"K<name>+<alg>+<new id>.private\n");
-
-	exit(-1);
-}
-
-static void
-printtime(dst_key_t *key, int type, const char *tag, bool epoch, FILE *stream) {
-	isc_result_t result;
-	isc_stdtime_t when;
-
-	if (tag != NULL) {
-		fprintf(stream, "%s: ", tag);
-	}
-
-	result = dst_key_gettime(key, type, &when);
-	if (result == ISC_R_NOTFOUND) {
-		fprintf(stream, "UNSET\n");
-	} else if (epoch) {
-		fprintf(stream, "%d\n", (int)when);
-	} else {
-		time_t now = when;
-		struct tm t, *tm = localtime_r(&now, &t);
-		unsigned int flen;
-		char timebuf[80];
-
-		if (tm == NULL) {
-			fprintf(stream, "INVALID\n");
-			return;
-		}
-
-		flen = strftime(timebuf, sizeof(timebuf),
-				"%a %b %e %H:%M:%S %Y", tm);
-		INSIST(flen > 0U && flen < sizeof(timebuf));
-		fprintf(stream, "%s\n", timebuf);
-	}
-}
-
-static void
-writekey(dst_key_t *key, const char *directory, bool write_state) {
-	char newname[1024];
-	char keystr[DST_KEY_FORMATSIZE];
-	isc_buffer_t buf;
-	isc_result_t result;
-	int options = DST_TYPE_PUBLIC | DST_TYPE_PRIVATE;
-
-	if (write_state) {
-		options |= DST_TYPE_STATE;
-	}
-
-	isc_buffer_init(&buf, newname, sizeof(newname));
-	result = dst_key_buildfilename(key, DST_TYPE_PUBLIC, directory, &buf);
-	if (result != ISC_R_SUCCESS) {
-		fatal("Failed to build public key filename: %s",
-		      isc_result_totext(result));
-	}
-
-	result = dst_key_tofile(key, options, directory);
-	if (result != ISC_R_SUCCESS) {
-		dst_key_format(key, keystr, sizeof(keystr));
-		fatal("Failed to write key %s: %s", keystr,
-		      isc_result_totext(result));
-	}
-	printf("%s\n", newname);
-
-	isc_buffer_clear(&buf);
-	result = dst_key_buildfilename(key, DST_TYPE_PRIVATE, directory, &buf);
-	if (result != ISC_R_SUCCESS) {
-		fatal("Failed to build private key filename: %s",
-		      isc_result_totext(result));
-	}
-	printf("%s\n", newname);
-
-	if (write_state) {
-		isc_buffer_clear(&buf);
-		result = dst_key_buildfilename(key, DST_TYPE_STATE, directory,
-					       &buf);
-		if (result != ISC_R_SUCCESS) {
-			fatal("Failed to build key state filename: %s",
-			      isc_result_totext(result));
-		}
-		printf("%s\n", newname);
-	}
-}
-
-int
-main(int argc, char **argv) {
-	isc_result_t result;
-	const char *engine = NULL;
-	const char *filename = NULL;
-	char *directory = NULL;
-	char keystr[DST_KEY_FORMATSIZE];
-	char *endp, *p;
-	int ch;
-	const char *predecessor = NULL;
-	dst_key_t *prevkey = NULL;
-	dst_key_t *key = NULL;
-	dns_name_t *name = NULL;
-	dns_secalg_t alg = 0;
-	unsigned int size = 0;
-	uint16_t flags = 0;
-	int prepub = -1;
-	int options;
-	dns_ttl_t ttl = 0;
-	isc_stdtime_t now;
-	isc_stdtime_t dstime = 0, dnskeytime = 0;
-	isc_stdtime_t krrsigtime = 0, zrrsigtime = 0;
-	isc_stdtime_t pub = 0, act = 0, rev = 0, inact = 0, del = 0;
-	isc_stdtime_t prevact = 0, previnact = 0, prevdel = 0;
-	dst_key_state_t goal = DST_KEY_STATE_NA;
-	dst_key_state_t ds = DST_KEY_STATE_NA;
-	dst_key_state_t dnskey = DST_KEY_STATE_NA;
-	dst_key_state_t krrsig = DST_KEY_STATE_NA;
-	dst_key_state_t zrrsig = DST_KEY_STATE_NA;
-	bool setgoal = false, setds = false, setdnskey = false;
-	bool setkrrsig = false, setzrrsig = false;
-	bool setdstime = false, setdnskeytime = false;
-	bool setkrrsigtime = false, setzrrsigtime = false;
-	bool setpub = false, setact = false;
-	bool setrev = false, setinact = false;
-	bool setdel = false, setttl = false;
-	bool unsetpub = false, unsetact = false;
-	bool unsetrev = false, unsetinact = false;
-	bool unsetdel = false;
-	bool printcreate = false, printpub = false;
-	bool printact = false, printrev = false;
-	bool printinact = false, printdel = false;
-	bool force = false;
-	bool epoch = false;
-	bool changed = false;
-	bool write_state = false;
-	isc_log_t *log = NULL;
-	isc_stdtime_t syncadd = 0, syncdel = 0;
-	bool unsetsyncadd = false, setsyncadd = false;
-	bool unsetsyncdel = false, setsyncdel = false;
-	bool printsyncadd = false, printsyncdel = false;
-	isc_stdtime_t dsadd = 0, dsdel = 0;
-	bool unsetdsadd = false, setdsadd = false;
-	bool unsetdsdel = false, setdsdel = false;
-	bool printdsadd = false, printdsdel = false;
-
-	options = DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_STATE;
-
-	if (argc == 1) {
-		usage();
-	}
-
-	isc_mem_create(&mctx);
-
-	setup_logging(mctx, &log);
-
-	isc_commandline_errprint = false;
-
-	isc_stdtime_get(&now);
-
-#define CMDLINE_FLAGS "A:D:d:E:fg:hI:i:K:k:L:P:p:R:r:S:suv:Vz:"
-	while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
-		switch (ch) {
-		case 'A':
-			if (setact || unsetact) {
-				fatal("-A specified more than once");
-			}
-
-			changed = true;
-			act = strtotime(isc_commandline_argument, now, now,
-					&setact);
-			unsetact = !setact;
-			break;
-		case 'D':
-			/* -Dsync ? */
-			if (isoptarg("sync", argv, usage)) {
-				if (unsetsyncdel || setsyncdel) {
-					fatal("-D sync specified more than "
-					      "once");
-				}
-
-				changed = true;
-				syncdel = strtotime(isc_commandline_argument,
-						    now, now, &setsyncdel);
-				unsetsyncdel = !setsyncdel;
-				break;
-			}
-			/* -Dds ? */
-			if (isoptarg("ds", argv, usage)) {
-				if (unsetdsdel || setdsdel) {
-					fatal("-D ds specified more than once");
-				}
-
-				changed = true;
-				dsdel = strtotime(isc_commandline_argument, now,
-						  now, &setdsdel);
-				unsetdsdel = !setdsdel;
-				break;
-			}
-			/* -Ddnskey ? */
-			(void)isoptarg("dnskey", argv, usage);
-			if (setdel || unsetdel) {
-				fatal("-D specified more than once");
-			}
-
-			changed = true;
-			del = strtotime(isc_commandline_argument, now, now,
-					&setdel);
-			unsetdel = !setdel;
-			break;
-		case 'd':
-			if (setds) {
-				fatal("-d specified more than once");
-			}
-
-			ds = strtokeystate(isc_commandline_argument);
-			setds = true;
-			/* time */
-			(void)isoptarg(isc_commandline_argument, argv, usage);
-			dstime = strtotime(isc_commandline_argument, now, now,
-					   &setdstime);
-			break;
-		case 'E':
-			engine = isc_commandline_argument;
-			break;
-		case 'f':
-			force = true;
-			break;
-		case 'g':
-			if (setgoal) {
-				fatal("-g specified more than once");
-			}
-
-			goal = strtokeystate(isc_commandline_argument);
-			if (goal != DST_KEY_STATE_NA &&
-			    goal != DST_KEY_STATE_HIDDEN &&
-			    goal != DST_KEY_STATE_OMNIPRESENT)
-			{
-				fatal("-g must be either none, hidden, or "
-				      "omnipresent");
-			}
-			setgoal = true;
-			break;
-		case '?':
-			if (isc_commandline_option != '?') {
-				fprintf(stderr, "%s: invalid argument -%c\n",
-					program, isc_commandline_option);
-			}
-		/* FALLTHROUGH */
-		case 'h':
-			/* Does not return. */
-			usage();
-		case 'I':
-			if (setinact || unsetinact) {
-				fatal("-I specified more than once");
-			}
-
-			changed = true;
-			inact = strtotime(isc_commandline_argument, now, now,
-					  &setinact);
-			unsetinact = !setinact;
-			break;
-		case 'i':
-			prepub = strtottl(isc_commandline_argument);
-			break;
-		case 'K':
-			/*
-			 * We don't have to copy it here, but do it to
-			 * simplify cleanup later
-			 */
-			directory = isc_mem_strdup(mctx,
-						   isc_commandline_argument);
-			break;
-		case 'k':
-			if (setdnskey) {
-				fatal("-k specified more than once");
-			}
-
-			dnskey = strtokeystate(isc_commandline_argument);
-			setdnskey = true;
-			/* time */
-			(void)isoptarg(isc_commandline_argument, argv, usage);
-			dnskeytime = strtotime(isc_commandline_argument, now,
-					       now, &setdnskeytime);
-			break;
-		case 'L':
-			ttl = strtottl(isc_commandline_argument);
-			setttl = true;
-			break;
-		case 'P':
-			/* -Psync ? */
-			if (isoptarg("sync", argv, usage)) {
-				if (unsetsyncadd || setsyncadd) {
-					fatal("-P sync specified more than "
-					      "once");
-				}
-
-				changed = true;
-				syncadd = strtotime(isc_commandline_argument,
-						    now, now, &setsyncadd);
-				unsetsyncadd = !setsyncadd;
-				break;
-			}
-			/* -Pds ? */
-			if (isoptarg("ds", argv, usage)) {
-				if (unsetdsadd || setdsadd) {
-					fatal("-P ds specified more than once");
-				}
-
-				changed = true;
-				dsadd = strtotime(isc_commandline_argument, now,
-						  now, &setdsadd);
-				unsetdsadd = !setdsadd;
-				break;
-			}
-			/* -Pdnskey ? */
-			(void)isoptarg("dnskey", argv, usage);
-			if (setpub || unsetpub) {
-				fatal("-P specified more than once");
-			}
-
-			changed = true;
-			pub = strtotime(isc_commandline_argument, now, now,
-					&setpub);
-			unsetpub = !setpub;
-			break;
-		case 'p':
-			p = isc_commandline_argument;
-			if (!strcasecmp(p, "all")) {
-				printcreate = true;
-				printpub = true;
-				printact = true;
-				printrev = true;
-				printinact = true;
-				printdel = true;
-				printsyncadd = true;
-				printsyncdel = true;
-				printdsadd = true;
-				printdsdel = true;
-				break;
-			}
-
-			do {
-				switch (*p++) {
-				case 'A':
-					printact = true;
-					break;
-				case 'C':
-					printcreate = true;
-					break;
-				case 'D':
-					if (!strncmp(p, "sync", 4)) {
-						p += 4;
-						printsyncdel = true;
-						break;
-					}
-					if (!strncmp(p, "ds", 2)) {
-						p += 2;
-						printdsdel = true;
-						break;
-					}
-					printdel = true;
-					break;
-				case 'I':
-					printinact = true;
-					break;
-				case 'P':
-					if (!strncmp(p, "sync", 4)) {
-						p += 4;
-						printsyncadd = true;
-						break;
-					}
-					if (!strncmp(p, "ds", 2)) {
-						p += 2;
-						printdsadd = true;
-						break;
-					}
-					printpub = true;
-					break;
-				case 'R':
-					printrev = true;
-					break;
-				case ' ':
-					break;
-				default:
-					usage();
-					break;
-				}
-			} while (*p != '\0');
-			break;
-		case 'R':
-			if (setrev || unsetrev) {
-				fatal("-R specified more than once");
-			}
-
-			changed = true;
-			rev = strtotime(isc_commandline_argument, now, now,
-					&setrev);
-			unsetrev = !setrev;
-			break;
-		case 'r':
-			if (setkrrsig) {
-				fatal("-r specified more than once");
-			}
-
-			krrsig = strtokeystate(isc_commandline_argument);
-			setkrrsig = true;
-			/* time */
-			(void)isoptarg(isc_commandline_argument, argv, usage);
-			krrsigtime = strtotime(isc_commandline_argument, now,
-					       now, &setkrrsigtime);
-			break;
-		case 'S':
-			predecessor = isc_commandline_argument;
-			break;
-		case 's':
-			write_state = true;
-			break;
-		case 'u':
-			epoch = true;
-			break;
-		case 'V':
-			/* Does not return. */
-			version(program);
-		case 'v':
-			verbose = strtol(isc_commandline_argument, &endp, 0);
-			if (*endp != '\0') {
-				fatal("-v must be followed by a number");
-			}
-			break;
-		case 'z':
-			if (setzrrsig) {
-				fatal("-z specified more than once");
-			}
-
-			zrrsig = strtokeystate(isc_commandline_argument);
-			setzrrsig = true;
-			(void)isoptarg(isc_commandline_argument, argv, usage);
-			zrrsigtime = strtotime(isc_commandline_argument, now,
-					       now, &setzrrsigtime);
-			break;
-
-		default:
-			fprintf(stderr, "%s: unhandled option -%c\n", program,
-				isc_commandline_option);
-			exit(1);
-		}
-	}
-
-	if (argc < isc_commandline_index + 1 ||
-	    argv[isc_commandline_index] == NULL) {
-		fatal("The key file name was not specified");
-	}
-	if (argc > isc_commandline_index + 1) {
-		fatal("Extraneous arguments");
-	}
-
-	if ((setgoal || setds || setdnskey || setkrrsig || setzrrsig) &&
-	    !write_state) {
-		fatal("Options -g, -d, -k, -r and -z require -s to be set");
-	}
-
-	result = dst_lib_init(mctx, engine);
-	if (result != ISC_R_SUCCESS) {
-		fatal("Could not initialize dst: %s",
-		      isc_result_totext(result));
-	}
-
-	if (predecessor != NULL) {
-		int major, minor;
-
-		if (prepub == -1) {
-			prepub = (30 * 86400);
-		}
-
-		if (setpub || unsetpub) {
-			fatal("-S and -P cannot be used together");
-		}
-		if (setact || unsetact) {
-			fatal("-S and -A cannot be used together");
-		}
-
-		result = dst_key_fromnamedfile(predecessor, directory, options,
-					       mctx, &prevkey);
-		if (result != ISC_R_SUCCESS) {
-			fatal("Invalid keyfile %s: %s", filename,
-			      isc_result_totext(result));
-		}
-		if (!dst_key_isprivate(prevkey) && !dst_key_isexternal(prevkey))
-		{
-			fatal("%s is not a private key", filename);
-		}
-
-		name = dst_key_name(prevkey);
-		alg = dst_key_alg(prevkey);
-		size = dst_key_size(prevkey);
-		flags = dst_key_flags(prevkey);
-
-		dst_key_format(prevkey, keystr, sizeof(keystr));
-		dst_key_getprivateformat(prevkey, &major, &minor);
-		if (major != DST_MAJOR_VERSION || minor < DST_MINOR_VERSION) {
-			fatal("Predecessor has incompatible format "
-			      "version %d.%d\n\t",
-			      major, minor);
-		}
-
-		result = dst_key_gettime(prevkey, DST_TIME_ACTIVATE, &prevact);
-		if (result != ISC_R_SUCCESS) {
-			fatal("Predecessor has no activation date. "
-			      "You must set one before\n\t"
-			      "generating a successor.");
-		}
-
-		result = dst_key_gettime(prevkey, DST_TIME_INACTIVE,
-					 &previnact);
-		if (result != ISC_R_SUCCESS) {
-			fatal("Predecessor has no inactivation date. "
-			      "You must set one before\n\t"
-			      "generating a successor.");
-		}
-
-		pub = previnact - prepub;
-		act = previnact;
-
-		if ((previnact - prepub) < now && prepub != 0) {
-			fatal("Time until predecessor inactivation is\n\t"
-			      "shorter than the prepublication interval.  "
-			      "Either change\n\t"
-			      "predecessor inactivation date, or use the -i "
-			      "option to set\n\t"
-			      "a shorter prepublication interval.");
-		}
-
-		result = dst_key_gettime(prevkey, DST_TIME_DELETE, &prevdel);
-		if (result != ISC_R_SUCCESS) {
-			fprintf(stderr,
-				"%s: warning: Predecessor has no "
-				"removal date;\n\t"
-				"it will remain in the zone "
-				"indefinitely after rollover.\n",
-				program);
-		} else if (prevdel < previnact) {
-			fprintf(stderr,
-				"%s: warning: Predecessor is "
-				"scheduled to be deleted\n\t"
-				"before it is scheduled to be "
-				"inactive.\n",
-				program);
-		}
-
-		changed = setpub = setact = true;
-	} else {
-		if (prepub < 0) {
-			prepub = 0;
-		}
-
-		if (prepub > 0) {
-			if (setpub && setact && (act - prepub) < pub) {
-				fatal("Activation and publication dates "
-				      "are closer together than the\n\t"
-				      "prepublication interval.");
-			}
-
-			if (setpub && !setact) {
-				setact = true;
-				act = pub + prepub;
-			} else if (setact && !setpub) {
-				setpub = true;
-				pub = act - prepub;
-			}
-
-			if ((act - prepub) < now) {
-				fatal("Time until activation is shorter "
-				      "than the\n\tprepublication interval.");
-			}
-		}
-	}
-
-	if (directory != NULL) {
-		filename = argv[isc_commandline_index];
-	} else {
-		result = isc_file_splitpath(mctx, argv[isc_commandline_index],
-					    &directory, &filename);
-		if (result != ISC_R_SUCCESS) {
-			fatal("cannot process filename %s: %s",
-			      argv[isc_commandline_index],
-			      isc_result_totext(result));
-		}
-	}
-
-	result = dst_key_fromnamedfile(filename, directory, options, mctx,
-				       &key);
-	if (result != ISC_R_SUCCESS) {
-		fatal("Invalid keyfile %s: %s", filename,
-		      isc_result_totext(result));
-	}
-
-	if (!dst_key_isprivate(key) && !dst_key_isexternal(key)) {
-		fatal("%s is not a private key", filename);
-	}
-
-	dst_key_format(key, keystr, sizeof(keystr));
-
-	if (predecessor != NULL) {
-		if (!dns_name_equal(name, dst_key_name(key))) {
-			fatal("Key name mismatch");
-		}
-		if (alg != dst_key_alg(key)) {
-			fatal("Key algorithm mismatch");
-		}
-		if (size != dst_key_size(key)) {
-			fatal("Key size mismatch");
-		}
-		if (flags != dst_key_flags(key)) {
-			fatal("Key flags mismatch");
-		}
-	}
-
-	prevdel = previnact = 0;
-	if ((setdel && setinact && del < inact) ||
-	    (dst_key_gettime(key, DST_TIME_INACTIVE, &previnact) ==
-		     ISC_R_SUCCESS &&
-	     setdel && !setinact && !unsetinact && del < previnact) ||
-	    (dst_key_gettime(key, DST_TIME_DELETE, &prevdel) == ISC_R_SUCCESS &&
-	     setinact && !setdel && !unsetdel && prevdel < inact) ||
-	    (!setdel && !unsetdel && !setinact && !unsetinact && prevdel != 0 &&
-	     prevdel < previnact))
-	{
-		fprintf(stderr,
-			"%s: warning: Key is scheduled to "
-			"be deleted before it is\n\t"
-			"scheduled to be inactive.\n",
-			program);
-	}
-
-	if (force) {
-		set_keyversion(key);
-	} else {
-		check_keyversion(key, keystr);
-	}
-
-	if (verbose > 2) {
-		fprintf(stderr, "%s: %s\n", program, keystr);
-	}
-
-	/*
-	 * Set time values.
-	 */
-	if (setpub) {
-		dst_key_settime(key, DST_TIME_PUBLISH, pub);
-	} else if (unsetpub) {
-		dst_key_unsettime(key, DST_TIME_PUBLISH);
-	}
-
-	if (setact) {
-		dst_key_settime(key, DST_TIME_ACTIVATE, act);
-	} else if (unsetact) {
-		dst_key_unsettime(key, DST_TIME_ACTIVATE);
-	}
-
-	if (setrev) {
-		if ((dst_key_flags(key) & DNS_KEYFLAG_REVOKE) != 0) {
-			fprintf(stderr,
-				"%s: warning: Key %s is already "
-				"revoked; changing the revocation date "
-				"will not affect this.\n",
-				program, keystr);
-		}
-		if ((dst_key_flags(key) & DNS_KEYFLAG_KSK) == 0) {
-			fprintf(stderr,
-				"%s: warning: Key %s is not flagged as "
-				"a KSK, but -R was used.  Revoking a "
-				"ZSK is legal, but undefined.\n",
-				program, keystr);
-		}
-		dst_key_settime(key, DST_TIME_REVOKE, rev);
-	} else if (unsetrev) {
-		if ((dst_key_flags(key) & DNS_KEYFLAG_REVOKE) != 0) {
-			fprintf(stderr,
-				"%s: warning: Key %s is already "
-				"revoked; removing the revocation date "
-				"will not affect this.\n",
-				program, keystr);
-		}
-		dst_key_unsettime(key, DST_TIME_REVOKE);
-	}
-
-	if (setinact) {
-		dst_key_settime(key, DST_TIME_INACTIVE, inact);
-	} else if (unsetinact) {
-		dst_key_unsettime(key, DST_TIME_INACTIVE);
-	}
-
-	if (setdel) {
-		dst_key_settime(key, DST_TIME_DELETE, del);
-	} else if (unsetdel) {
-		dst_key_unsettime(key, DST_TIME_DELETE);
-	}
-
-	if (setsyncadd) {
-		dst_key_settime(key, DST_TIME_SYNCPUBLISH, syncadd);
-	} else if (unsetsyncadd) {
-		dst_key_unsettime(key, DST_TIME_SYNCPUBLISH);
-	}
-
-	if (setsyncdel) {
-		dst_key_settime(key, DST_TIME_SYNCDELETE, syncdel);
-	} else if (unsetsyncdel) {
-		dst_key_unsettime(key, DST_TIME_SYNCDELETE);
-	}
-
-	if (setdsadd) {
-		dst_key_settime(key, DST_TIME_DSPUBLISH, dsadd);
-	} else if (unsetdsadd) {
-		dst_key_unsettime(key, DST_TIME_DSPUBLISH);
-	}
-
-	if (setdsdel) {
-		dst_key_settime(key, DST_TIME_DSDELETE, dsdel);
-	} else if (unsetdsdel) {
-		dst_key_unsettime(key, DST_TIME_DSDELETE);
-	}
-
-	if (setttl) {
-		dst_key_setttl(key, ttl);
-	}
-
-	if (predecessor != NULL && prevkey != NULL) {
-		dst_key_setnum(prevkey, DST_NUM_SUCCESSOR, dst_key_id(key));
-		dst_key_setnum(key, DST_NUM_PREDECESSOR, dst_key_id(prevkey));
-	}
-
-	/*
-	 * No metadata changes were made but we're forcing an upgrade
-	 * to the new format anyway: use "-P now -A now" as the default
-	 */
-	if (force && !changed) {
-		dst_key_settime(key, DST_TIME_PUBLISH, now);
-		dst_key_settime(key, DST_TIME_ACTIVATE, now);
-		changed = true;
-	}
-
-	/*
-	 * Make sure the key state goals are written.
-	 */
-	if (write_state) {
-		if (setgoal) {
-			if (goal == DST_KEY_STATE_NA) {
-				dst_key_unsetstate(key, DST_KEY_GOAL);
-			} else {
-				dst_key_setstate(key, DST_KEY_GOAL, goal);
-			}
-			changed = true;
-		}
-		if (setds) {
-			if (ds == DST_KEY_STATE_NA) {
-				dst_key_unsetstate(key, DST_KEY_DS);
-				dst_key_unsettime(key, DST_TIME_DS);
-			} else {
-				dst_key_setstate(key, DST_KEY_DS, ds);
-				dst_key_settime(key, DST_TIME_DS, dstime);
-			}
-			changed = true;
-		}
-		if (setdnskey) {
-			if (dnskey == DST_KEY_STATE_NA) {
-				dst_key_unsetstate(key, DST_KEY_DNSKEY);
-				dst_key_unsettime(key, DST_TIME_DNSKEY);
-			} else {
-				dst_key_setstate(key, DST_KEY_DNSKEY, dnskey);
-				dst_key_settime(key, DST_TIME_DNSKEY,
-						dnskeytime);
-			}
-			changed = true;
-		}
-		if (setkrrsig) {
-			if (krrsig == DST_KEY_STATE_NA) {
-				dst_key_unsetstate(key, DST_KEY_KRRSIG);
-				dst_key_unsettime(key, DST_TIME_KRRSIG);
-			} else {
-				dst_key_setstate(key, DST_KEY_KRRSIG, krrsig);
-				dst_key_settime(key, DST_TIME_KRRSIG,
-						krrsigtime);
-			}
-			changed = true;
-		}
-		if (setzrrsig) {
-			if (zrrsig == DST_KEY_STATE_NA) {
-				dst_key_unsetstate(key, DST_KEY_ZRRSIG);
-				dst_key_unsettime(key, DST_TIME_ZRRSIG);
-			} else {
-				dst_key_setstate(key, DST_KEY_ZRRSIG, zrrsig);
-				dst_key_settime(key, DST_TIME_ZRRSIG,
-						zrrsigtime);
-			}
-			changed = true;
-		}
-	}
-
-	if (!changed && setttl) {
-		changed = true;
-	}
-
-	/*
-	 * Print out time values, if -p was used.
-	 */
-	if (printcreate) {
-		printtime(key, DST_TIME_CREATED, "Created", epoch, stdout);
-	}
-
-	if (printpub) {
-		printtime(key, DST_TIME_PUBLISH, "Publish", epoch, stdout);
-	}
-
-	if (printact) {
-		printtime(key, DST_TIME_ACTIVATE, "Activate", epoch, stdout);
-	}
-
-	if (printrev) {
-		printtime(key, DST_TIME_REVOKE, "Revoke", epoch, stdout);
-	}
-
-	if (printinact) {
-		printtime(key, DST_TIME_INACTIVE, "Inactive", epoch, stdout);
-	}
-
-	if (printdel) {
-		printtime(key, DST_TIME_DELETE, "Delete", epoch, stdout);
-	}
-
-	if (printsyncadd) {
-		printtime(key, DST_TIME_SYNCPUBLISH, "SYNC Publish", epoch,
-			  stdout);
-	}
-
-	if (printsyncdel) {
-		printtime(key, DST_TIME_SYNCDELETE, "SYNC Delete", epoch,
-			  stdout);
-	}
-
-	if (printdsadd) {
-		printtime(key, DST_TIME_DSPUBLISH, "DS Publish", epoch, stdout);
-	}
-
-	if (printdsdel) {
-		printtime(key, DST_TIME_DSDELETE, "DS Delete", epoch, stdout);
-	}
-
-	if (changed) {
-		writekey(key, directory, write_state);
-		if (predecessor != NULL && prevkey != NULL) {
-			writekey(prevkey, directory, write_state);
-		}
-	}
-
-	if (prevkey != NULL) {
-		dst_key_free(&prevkey);
-	}
-	dst_key_free(&key);
-	dst_lib_destroy();
-	if (verbose > 10) {
-		isc_mem_stats(mctx, stdout);
-	}
-	cleanup_logging(&log);
-	isc_mem_free(mctx, directory);
-	isc_mem_destroy(&mctx);
-
-	return (0);
-}

bin/dnssec/dnssec-settime.rst

@@ -1,238 +0,0 @@
-.. 
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-   
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, you can obtain one at https://mozilla.org/MPL/2.0/.
-   
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-..
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-
-.. highlight: console
-
-.. _man_dnssec-settime:
-
-dnssec-settime: set the key timing metadata for a DNSSEC key
-------------------------------------------------------------
-
-Synopsis
-~~~~~~~~
-
-:program:`dnssec-settime` [**-f**] [**-K** directory] [**-L** ttl] [**-P** date/offset] [**-P** ds date/offset] [**-P** sync date/offset] [**-A** date/offset] [**-R** date/offset] [**-I** date/offset] [**-D** date/offset] [**-D** ds date/offset] [**-D** sync date/offset] [**-S** key] [**-i** interval] [**-h**] [**-V**] [**-v** level] [**-E** engine] {keyfile} [**-s**] [**-g** state] [**-d** state date/offset] [**-k** state date/offset] [**-r** state date/offset] [**-z** state date/offset]
-
-Description
-~~~~~~~~~~~
-
-``dnssec-settime`` reads a DNSSEC private key file and sets the key
-timing metadata as specified by the ``-P``, ``-A``, ``-R``, ``-I``, and
-``-D`` options. The metadata can then be used by ``dnssec-signzone`` or
-other signing software to determine when a key is to be published,
-whether it should be used for signing a zone, etc.
-
-If none of these options is set on the command line,
-``dnssec-settime`` simply prints the key timing metadata already stored
-in the key.
-
-When key metadata fields are changed, both files of a key pair
-(``Knnnn.+aaa+iiiii.key`` and ``Knnnn.+aaa+iiiii.private``) are
-regenerated.
-
-Metadata fields are stored in the private file. A
-human-readable description of the metadata is also placed in comments in
-the key file. The private file's permissions are always set to be
-inaccessible to anyone other than the owner (mode 0600).
-
-When working with state files, it is possible to update the timing metadata in
-those files as well with ``-s``.  With this option, it is also possible to update key
-states with ``-d`` (DS), ``-k`` (DNSKEY), ``-r`` (RRSIG of KSK), or ``-z``
-(RRSIG of ZSK). Allowed states are HIDDEN, RUMOURED, OMNIPRESENT, and
-UNRETENTIVE.
-
-The goal state of the key can also be set with ``-g``. This should be either
-HIDDEN or OMNIPRESENT, representing whether the key should be removed from the
-zone or published.
-
-It is NOT RECOMMENDED to manipulate state files manually, except for testing
-purposes.
-
-Options
-~~~~~~~
-
-``-f``
-   This option forces an update of an old-format key with no metadata fields. Without
-   this option, ``dnssec-settime`` fails when attempting to update a
-   legacy key. With this option, the key is recreated in the new
-   format, but with the original key data retained. The key's creation
-   date is set to the present time. If no other values are
-   specified, then the key's publication and activation dates are also
-   set to the present time.
-
-``-K directory``
-   This option sets the directory in which the key files are to reside.
-
-``-L ttl``
-   This option sets the default TTL to use for this key when it is converted into a
-   DNSKEY RR. This is the TTL used when the key is imported into a zone,
-   unless there was already a DNSKEY RRset in
-   place, in which case the existing TTL takes precedence. If this
-   value is not set and there is no existing DNSKEY RRset, the TTL
-   defaults to the SOA TTL. Setting the default TTL to ``0`` or ``none``
-   removes it from the key.
-
-``-h``
-   This option emits a usage message and exits.
-
-``-V``
-   This option prints version information.
-
-``-v level``
-   This option sets the debugging level.
-
-``-E engine``
-   This option specifies the cryptographic hardware to use, when applicable.
-
-   When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
-   engine identifier that drives the cryptographic accelerator or
-   hardware service module (usually ``pkcs11``).
-
-Timing Options
-~~~~~~~~~~~~~~
-
-Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the
-argument begins with a ``+`` or ``-``, it is interpreted as an offset from
-the present time. For convenience, if such an offset is followed by one
-of the suffixes ``y``, ``mo``, ``w``, ``d``, ``h``, or ``mi``, then the offset is
-computed in years (defined as 365 24-hour days, ignoring leap years),
-months (defined as 30 24-hour days), weeks, days, hours, or minutes,
-respectively. Without a suffix, the offset is computed in seconds. To
-explicitly prevent a date from being set, use ``none`` or ``never``.
-
-``-P date/offset``
-   This option sets the date on which a key is to be published to the zone. After
-   that date, the key is included in the zone but is not used
-   to sign it.
-
-``-P ds date/offset``
-   This option sets the date on which DS records that match this key have been
-   seen in the parent zone.
-
-``-P sync date/offset``
-   This option sets the date on which CDS and CDNSKEY records that match this key
-   are to be published to the zone.
-
-``-A date/offset``
-   This option sets the date on which the key is to be activated. After that date,
-   the key is included in the zone and used to sign it. 
-
-``-R date/offset``
-   This option sets the date on which the key is to be revoked. After that date, the
-   key is flagged as revoked. It is included in the zone and
-   is used to sign it.
-
-``-I date/offset``
-   This option sets the date on which the key is to be retired. After that date, the
-   key is still included in the zone, but it is not used to
-   sign it.
-
-``-D date/offset``
-   This option sets the date on which the key is to be deleted. After that date, the
-   key is no longer included in the zone. (However, it may remain in the key
-   repository.)
-
-``-D ds date/offset``
-   This option sets the date on which the DS records that match this key have
-   been seen removed from the parent zone.
-
-``-D sync date/offset``
-   This option sets the date on which the CDS and CDNSKEY records that match this
-   key are to be deleted.
-
-``-S predecessor key``
-   This option selects a key for which the key being modified is an explicit
-   successor. The name, algorithm, size, and type of the predecessor key
-   must exactly match those of the key being modified. The activation
-   date of the successor key is set to the inactivation date of the
-   predecessor. The publication date is set to the activation date
-   minus the prepublication interval, which defaults to 30 days.
-
-``-i interval``
-   This option sets the prepublication interval for a key. If set, then the
-   publication and activation dates must be separated by at least this
-   much time. If the activation date is specified but the publication
-   date is not, the publication date defaults to this much time
-   before the activation date; conversely, if the publication date is
-   specified but not the activation date, activation is set to
-   this much time after publication.
-
-   If the key is being created as an explicit successor to another key,
-   then the default prepublication interval is 30 days; otherwise it is
-   zero.
-
-   As with date offsets, if the argument is followed by one of the
-   suffixes ``y``, ``mo``, ``w``, ``d``, ``h``, or ``mi``, the interval is
-   measured in years, months, weeks, days, hours, or minutes,
-   respectively. Without a suffix, the interval is measured in seconds.
-
-Key State Options
-~~~~~~~~~~~~~~~~~
-
-To test dnssec-policy it may be necessary to construct keys with artificial
-state information; these options are used by the testing framework for that
-purpose, but should never be used in production.
-
-Known key states are HIDDEN, RUMOURED, OMNIPRESENT, and UNRETENTIVE.
-
-``-s``
-   This option indicates that when setting key timing data, the state file should also be updated.
-
-``-g state``
-   This option sets the goal state for this key. Must be HIDDEN or OMNIPRESENT.
-
-``-d state date/offset``
-   This option sets the DS state for this key as of the specified date, offset from the current date.
-
-``-k state date/offset``
-   This option sets the DNSKEY state for this key as of the specified date, offset from the current date.
-
-``-r state date/offset``
-   This option sets the RRSIG (KSK) state for this key as of the specified date, offset from the current date.
-
-``-z state date/offset``
-   This option sets the RRSIG (ZSK) state for this key as of the specified date, offset from the current date.
-
-Printing Options
-~~~~~~~~~~~~~~~~
-
-``dnssec-settime`` can also be used to print the timing metadata
-associated with a key.
-
-``-u``
-   This option indicates that times should be printed in Unix epoch format.
-
-``-p C/P/Pds/Psync/A/R/I/D/Dds/Dsync/all``
-   This option prints a specific metadata value or set of metadata values.
-   The ``-p`` option may be followed by one or more of the following letters or
-   strings to indicate which value or values to print: ``C`` for the
-   creation date, ``P`` for the publication date, ``Pds` for the DS publication
-   date, ``Psync`` for the CDS and CDNSKEY publication date, ``A`` for the
-   activation date, ``R`` for the revocation date, ``I`` for the inactivation
-   date, ``D`` for the deletion date, ``Dds`` for the DS deletion date,
-   and ``Dsync`` for the CDS and CDNSKEY deletion date. To print all of the
-   metadata, use ``all``.
-
-See Also
-~~~~~~~~
-
-:manpage:`dnssec-keygen(8)`, :manpage:`dnssec-signzone(8)`, BIND 9 Administrator Reference Manual,
-:rfc:`5011`.