Update BIND version to 9.17.17

Prepare documentation for BIND 9.17.17

See merge request isc-private/bind9!312

.clang-format

@@ -34,10 +34,6 @@ PointerAlignment: Right
 PointerBindsToType: false
 IncludeBlocks: Regroup
 IncludeCategories:
-  - Regex:           '^<(urcu\.h|urcu/urcu-|urcu-)'
-    Priority:        2
-  - Regex:           '^<urcu/'
-    Priority:        3
   - Regex:           '^<isc/'
     Priority:        5
   - Regex:           '^<(pk11|pkcs11)/'
@@ -54,18 +50,18 @@ IncludeCategories:
     Priority:        35
   - Regex:           '^<irs/'
     Priority:        40
+  - Regex:           '^<bind9/'
+    Priority:        45
   - Regex:           '^<(dig|named|rndc|confgen|dlz)/'
     Priority:        50
   - Regex:           '^<dlz_'
     Priority:        55
   - Regex:           '^".*"'
     Priority:        99
-  - Regex:           '^<tests/'
-    Priority:        100
   - Regex:           '<openssl/'
-    Priority:        4
+    Priority:        1
   - Regex:           '<(mysql|protobuf-c)/'
-    Priority:        4
+    Priority:        1
   - Regex:           '.*'
     Priority:        0
 IndentExternBlock: NoIndent
@@ -78,6 +74,3 @@ PenaltyBreakString: 80
 PenaltyExcessCharacter: 100
 Standard: Cpp11
 ContinuationIndentWidth: 8
-ForEachMacros: [ 'cds_lfs_for_each', 'cds_lfs_for_each_safe', 'cds_list_for_each_entry_safe', 'ISC_LIST_FOREACH', 'ISC_LIST_FOREACH_SAFE', 'ISC_LIST_FOREACH_REV', 'ISC_LIST_FOREACH_REV_SAFE' ]
-RemoveParentheses: ReturnStatement
-RemoveSemicolon: true

.clang-format.headers

@@ -34,40 +34,24 @@ PointerAlignment: Right
 PointerBindsToType: false
 IncludeBlocks: Regroup
 IncludeCategories:
-  - Regex:           '^<(urcu/urcu-|urcu-)'
-    Priority:        2
-  - Regex:           '^<urcu/'
-    Priority:        3
   - Regex:           '^<isc/'
-    Priority:        5
-  - Regex:           '^<(pk11|pkcs11)/'
-    Priority:        10
+    Priority:        2
   - Regex:           '^<dns/'
-    Priority:        15
-  - Regex:           '^<dst/'
-    Priority:        20
-  - Regex:           '^<isccc/'
-    Priority:        25
+    Priority:        3
+  - Regex:           '^<iscccc/'
+    Priority:        4
   - Regex:           '^<isccfg/'
-    Priority:        30
+    Priority:        5
   - Regex:           '^<ns/'
-    Priority:        35
-  - Regex:           '^<irs/'
-    Priority:        40
-  - Regex:           '^<(dig|named|rndc|confgen|dlz)/'
-    Priority:        50
-  - Regex:           '^<dlz_'
-    Priority:        55
-  - Regex:           '^".*"'
-    Priority:        99
-  - Regex:           '^<tests/'
-    Priority:        100
-  - Regex:           '<openssl/'
-    Priority:        4
-  - Regex:           '<(mysql|protobuf-c)/'
-    Priority:        4
-  - Regex:           '.*'
-    Priority:        0
+    Priority:        6
+  - Regex:           '^<bind9/)'
+    Priority:        7
+  - Regex:           '^(<[^/]*)/)'
+    Priority:        8
+  - Regex:           '<[[:alnum:].]+>'
+    Priority:        1
+  - Regex:           '".*"'
+    Priority:        9
 IndentExternBlock: NoIndent
 KeepEmptyLinesAtTheStartOfBlocks: false
 MaxEmptyLinesToKeep: 1
@@ -78,5 +62,3 @@ PenaltyBreakString: 80
 PenaltyExcessCharacter: 100
 Standard: Cpp11
 ContinuationIndentWidth: 8
-RemoveParentheses: ReturnStatement
-RemoveSemicolon: true

.dir-locals.el

@@ -49,10 +49,6 @@
 	       (expand-file-name
 		(concat directory-of-current-dir-locals-file "lib/bind9/include"))
 
-	       ;; libtest
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "tests/include"))
-
 	       ;; bin
 	       (expand-file-name
 		(concat directory-of-current-dir-locals-file "bin/check"))
@@ -61,7 +57,7 @@
 	       (expand-file-name
 		(concat directory-of-current-dir-locals-file "bin/confgen"))
 	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "bin/confgen/include"))
+		(concat directory-of-current-dir-locals-file "bin/confgen/include"))	       
 	       (expand-file-name
 		(concat directory-of-current-dir-locals-file "bin/dig/include"))
 	       (expand-file-name
@@ -77,9 +73,6 @@
 	       (expand-file-name
 		(concat directory-of-current-dir-locals-file "bin/rndc/include"))
 
-	       (expand-file-name "/usr/include/libxml2")
-	       (expand-file-name "/usr/include/json-c")
-
 	       (expand-file-name "/usr/local/opt/openssl@1.1/include")
 	       (expand-file-name "/usr/local/opt/libxml2/include/libxml2")
 	       (expand-file-name "/usr/local/opt/json-c/include/json-c/")
@@ -110,9 +103,8 @@
 	  "--enable=all"
 	  "--suppress=missingIncludeSystem"
 	  "--suppress=nullPointerRedundantCheck"
-	  "--suppress=preprocessorErrorDirective"
-	  "--suppress=unknownMacro"
-	  "--suppress=unmatchedSuppression"
+	  (concat "--suppressions-list=" (expand-file-name
+			       (concat directory-of-current-dir-locals-file "util/suppressions.txt")))
 	  (concat "-include=" (expand-file-name
 			       (concat directory-of-current-dir-locals-file "config.h")))
 	  )

.editorconfig

@@ -1,5 +0,0 @@
-[*.sh{,.in}]
-indent_style = space
-indent_size = 2
-binary_next_line   = true
-switch_case_indent = true

.gitattributes

@@ -10,4 +10,4 @@
 /util/**			 export-ignore
 /util/bindkeys.pl		-export-ignore
 /util/check-make-install.in	-export-ignore
-/util/dtrace.sh		-export-ignore
+/util/mksymtbl.pl		-export-ignore

.gitchangelog.rc

@@ -1 +0,0 @@
-contrib/gitchangelog/changelog.rc.py

.github/workflows/codeql.yml

@@ -1,55 +0,0 @@
-name: "CodeQL"
-
-on:
-  push:
-    branches: [ "bind-9.16", "bind-9.18", "main" ]
-  schedule:
-    - cron: '39 8 * * 3'
-
-jobs:
-  analyze:
-    name: Analyze
-    runs-on: ubuntu-latest
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
-
-    strategy:
-      fail-fast: false
-      matrix:
-        language: [ 'cpp' ]
-
-    steps:
-    - name: Checkout repository
-      uses: actions/checkout@v3
-
-    - name: Install build dependencies
-      uses: awalsh128/cache-apt-pkgs-action@latest
-      with:
-        packages: liburcu-dev libuv1-dev libssl-dev libnghttp2-dev libxml2-dev liblmdb-dev libjson-c-dev pkg-config autoconf automake autotools-dev libtool-bin libjemalloc-dev libedit-dev libcap-dev libidn2-dev libkrb5-dev libmaxminddb-dev zlib1g-dev python3-ply
-        version: 1.0
-
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
-      with:
-        languages: ${{ matrix.language }}
-
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
-
-    # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
-
-    #   If the Autobuild fails above, remove it and uncomment the following three lines.
-    #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
-
-    # - run: |
-    #   echo "Run, Build Application using script"
-    #   ./location_of_script_within_repo/buildscript.sh
-
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
-      with:
-        category: "/language:${{matrix.language}}"

.github/workflows/sonarcloud.yml

@@ -1,50 +0,0 @@
-name: SonarCloud
-
-on:
-  push:
-    branches: [ "bind-9.16", "bind-9.18", "main" ]
-  schedule:
-    - cron: '39 8 * * 3'
-
-jobs:
-  build:
-    name: Build and analyze
-    runs-on: ubuntu-latest
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
-
-    strategy:
-      fail-fast: false
-      matrix:
-        language: [ 'cpp' ]
-
-    env:
-      BUILD_WRAPPER_OUT_DIR: build_wrapper_output_directory
-
-    steps:
-    - name: Checkout repository
-      uses: actions/checkout@v3
-
-    - name: Install build dependencies
-      uses: awalsh128/cache-apt-pkgs-action@latest
-      with:
-        packages: liburcu-dev libuv1-dev libssl-dev libnghttp2-dev libxml2-dev liblmdb-dev libjson-c-dev pkg-config autoconf automake autotools-dev libtool-bin libjemalloc-dev libedit-dev libcap-dev libidn2-dev libkrb5-dev libmaxminddb-dev zlib1g-dev python3-ply
-        version: 1.0
-
-    - name: Install sonar-scanner and build-wrapper
-      uses: SonarSource/sonarcloud-github-c-cpp@v1
-
-    - name: Run build-wrapper
-      run: |
-        autoreconf -fi
-        ./configure
-        build-wrapper-linux-x86-64 --out-dir ${{ env.BUILD_WRAPPER_OUT_DIR }} make clean all
-
-    - name: Run sonar-scanner
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-      run: |
-        sonar-scanner --define sonar.cfamily.build-wrapper-output="${{ env.BUILD_WRAPPER_OUT_DIR }}"

.gitignore

@@ -5,7 +5,6 @@
 *.la
 *.lo
 *.log
-*.log.txt
 *.o
 *.orig
 *.plist/ # ccc-analyzer store its results in .plist directories
@@ -55,7 +54,6 @@ __pycache__/
 /test-driver
 Makefile
 Makefile.in
-Makefile.user
 ans.run
 gen.dSYM/
 named.memstats
@@ -64,6 +62,8 @@ timestamp
 /compile_commands.json
 # Gets generated by Build Ear (bear)
 /compile_commands.commands.json
+/cppcheck_html/
+/cppcheck.results
 /tsan
 /util/check-make-install
 /INSTALL
@@ -75,7 +75,6 @@ doc/man/dnssec-importkey.8in
 doc/man/dnssec-keyfromlabel.8in
 doc/man/dnssec-keygen.8in
 doc/man/dnssec-keymgr.8in
-doc/man/dnssec-ksr.8in
 doc/man/dnssec-revoke.8in
 doc/man/dnssec-settime.8in
 doc/man/dnssec-signzone.8in
@@ -91,12 +90,10 @@ doc/man/pkcs11-list.8in
 doc/man/pkcs11-tokens.8in
 # clangd index directory
 /\.cache/
-/\.*_clangd/
 # GNU Global index files
 /GPATH
 /GRTAGS
 /GTAGS
-TAGS
 # Emacs specific files
 \.dir-locals-2.el
 /emacs.desktop

.gitlab/issue_templates/Bug.md

@@ -1,63 +1,46 @@
 <!--
 If the bug you are reporting is potentially security-related - for example,
 if it involves an assertion failure or other crash in `named` that can be
-triggered repeatedly - then please make sure that you make the new issue
-confidential by clicking the checkbox at the bottom!
+triggered repeatedly - then please do *NOT* report it here, but send an
+email to [security-officer@isc.org](security-officer@isc.org).
 -->
 
 ### Summary
 
-<!-- Concisely summarize the bug encountered. -->
+(Summarize the bug encountered concisely.)
 
-### BIND version affected
-<!--
-Make sure you are testing with the **latest** supported version of BIND
-for a given branch. Many bugs have been fixed over time!
+### BIND version used
 
-See https://kb.isc.org/docs/supported-platforms for the current list.
-The latest source is available from https://www.isc.org/download/#BIND
-
-Paste the output of `named -V` here.
--->
+(Paste the output of `named -V`.)
 
 ### Steps to reproduce
 
-<!--
-This is extremely important! Be precise and use itemized lists, please.
-
-Even if a default configuration is affected, please include the full configuration
-files _you were testing with_.
-
-Example:
-1. Use _attached_ configuration file
-2. Start BIND server with command: `named -g -c named.conf ...`
-3. Simulate legitimate clients using command `dnsperf -S1 -d legit-queries ...`
-4. Simulate attack traffic using command `dnsperf -S1 -d attack-queries ...`
--->
-
-1.
-2.
-3.
+(How one can reproduce the issue - this is very important.)
 
 ### What is the current *bug* behavior?
 
-<!-- What actually happens. -->
+(What actually happens.)
 
 ### What is the expected *correct* behavior?
 
-<!-- What you should see instead. -->
+(What you should see instead.)
 
 ### Relevant configuration files
 
-<!-- Paste any relevant configuration files here - please use code blocks (```)
+(Paste any relevant configuration files - please use code blocks (```)
 to format console output. If submitting the contents of your
-configuration file in a non-confidential issue, it is advisable to
-obscure key secrets; this can be done automatically by using
-`named-checkconf -px`. -->
+configuration file in a non-confidential Issue, it is advisable to
+obscure key secrets: this can be done automatically by using
+`named-checkconf -px`.)
 
-### Relevant logs
+### Relevant logs and/or screenshots
 
-<!-- Paste any relevant logs here - please use code blocks (```) to format console
-output, logs, and code, as it's very hard to read otherwise. -->
+(Paste any relevant logs - please use code blocks (```) to format console
+output, logs, and code, as it's very hard to read otherwise.)
 
-/label ~Bug
+### Possible fixes
+
+(If you can, link to the line of code that might be responsible for the
+problem.)
+
+/label ~bug

.gitlab/issue_templates/CVE.md

@@ -0,0 +1,33 @@
+<!--
+THIS ISSUE TEMPLATE IS INTENDED ONLY FOR INTERNAL USE.
+
+If the bug you are reporting is potentially security-related - for example,
+if it involves an assertion failure or other crash in `named` that can be
+triggered repeatedly - then please do *NOT* report it here, but send an
+email to [security-officer@isc.org](security-officer@isc.org).
+-->
+
+### CVE-specific actions
+
+  - [ ] Assign a CVE identifier
+  - [ ] Determine CVSS score
+  - [ ] Determine the range of BIND versions affected (including the Subscription Edition)
+  - [ ] Determine whether workarounds for the problem exists
+  - [ ] Create a draft of the security advisory and put the information above in there
+  - [ ] Prepare a detailed description of the problem which should include the following by default:
+      - instructions for reproducing the problem (a system test is good enough)
+      - explanation of code flow which triggers the problem (a system test is *not* good enough)
+  - [ ] Prepare a private merge request containing the following items in separate commits:
+      - a test for the issue (may be moved to a separate merge request for deferred merging)
+      - a fix for the issue
+      - documentation updates (`CHANGES`, release notes, anything else applicable)
+  - [ ] Ensure the merge request from the previous step is reviewed by SWENG staff and has no outstanding discussions
+  - [ ] Ensure the documentation changes introduced by the merge request addressing the problem are reviewed by Support and Marketing staff
+  - [ ] Prepare backports of the merge request addressing the problem for all affected (and still maintained) BIND branches (backporting might affect the issue's scope and/or description)
+  - [ ] Prepare a standalone patch for the last stable release of each affected (and still maintained) BIND branch
+
+### Release-specific actions
+
+  - [ ] Create/update the private issue containing links to fixes & reproducers for all CVEs fixed in a given release cycle
+  - [ ] Reserve a block of `CHANGES` placeholders once the complete set of vulnerabilities fixed in a given release cycle is determined
+  - [ ] Ensure the merge requests containing CVE fixes are merged into `security-*` branches in CVE identifier order

.gitlab/issue_templates/Default.md

@@ -1,8 +0,0 @@
-Hi and thanks for filing an issue! It will be read with care by human beings.
-
-It would be a tremendous help if you could follow these steps first:
-- [ ] Search the existing issues in GitLab (both open and closed) to see if your report might be a duplicate. We have a large database here and many issues have already been fixed in the latest versions!
-- [ ] Make sure this is **not** a support question. If you have specific trouble configuring or debugging your setup, please use the bind-users mailing list: https://lists.isc.org/mailman/listinfo/bind-users
-- [ ] You have read and understood the "out in the open" support policy: https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/ . Even though it was written by the PowerDNS folks, we follow it as well!
-
-Before continuing, **please select the appropriate issue template in the drop-down menu above, under the heading _Description_**.

.gitlab/issue_templates/Feature_Request.md

@@ -8,4 +8,4 @@
 
 ### Links / references
 
-/label ~Feature
+/label ~"feature request"

.gitlab/issue_templates/Internal_use_only-CVE.md

@@ -1,122 +0,0 @@
-<!--
-THIS ISSUE TEMPLATE IS INTENDED ONLY FOR INTERNAL USE.
-
-If the bug you are reporting is potentially security-related - for example,
-if it involves an assertion failure or other crash in `named` that can be
-triggered repeatedly - then please make sure that you make the new issue
-confidential!
--->
-| Quick Links              | :link:                               |
-| ------------------------ | ------------------------------------ |
-| Incident Manager:        | @user                                |
-| Deputy Incident Manager: | @user                                |
-| Public Disclosure Date:  | YYYY-MM-DD                           |
-| CVSS Score:              | [0.0][cvss_score]                    |
-| Security Advisory:       | isc-private/printing-press!NNN       |
-| Mattermost Channel:      | [CVE-YYYY-NNNN][mattermost_url]      |
-| Support Ticket:          | [URL]                                |
-| Release Checklist:       | #NNNN                                |
-
-[cvss_score]: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:X/AC:X/PR:X/UI:X/S:X/C:X/I:X/A:X&version=3.1
-[mattermost_url]:
-
-:bulb: **Click [here][checklist_explanations] (internal resource) for general information about the security incident handling process.**
-
-[checklist_explanations]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations
-
-### Earlier Than T-5
-
-  - [ ] [:link:][step_deputy]            **(IM)** Pick a Deputy Incident Manager
-  - [ ] [:link:][step_respond]           **(IM)** Respond to the bug reporter
-  - [ ] [:link:][step_public_mrs]        **(SwEng)** Ensure there are no public merge requests which inadvertently disclose the issue
-  - [ ] [:link:][step_assign_cve_id]     **(IM)** Assign a CVE identifier
-  - [ ] [:link:][step_note_cve_info]     **(SwEng)** Update this issue with the assigned CVE identifier and the CVSS score
-  - [ ] [:link:][step_versions_affected] **(SwEng)** Determine the range of product versions affected (including the Subscription Edition)
-  - [ ] [:link:][step_workarounds]       **(SwEng)** Determine whether workarounds for the problem exist
-  - [ ] [:link:][step_coordinate]        **(SwEng)** If necessary, coordinate with other parties
-  - [ ] [:link:][step_earliest_prepare]  **(Support)** Prepare "earliest" notification text and hand it off to Marketing
-  - [ ] [:link:][step_earliest_send]     **(Marketing)** Update "earliest" notification document in SF portal and send bulk email to earliest customers
-  - [ ] [:link:][step_advisory_mr]       **(Support)** Create a merge request for the Security Advisory and include all readily available information in it
-  - [ ] [:link:][step_reproducer_mr]     **(SwEng)** Prepare a private merge request containing a system test reproducing the problem
-  - [ ] [:link:][step_notify_support]    **(SwEng)** Notify Support when a reproducer is ready
-  - [ ] [:link:][step_code_analysis]     **(SwEng)** Prepare a detailed explanation of the code flow triggering the problem
-  - [ ] [:link:][step_fix_mr]            **(SwEng)** Prepare a private merge request with the fix
-  - [ ] [:link:][step_review_fix]        **(SwEng)** Ensure the merge request with the fix is reviewed and has no outstanding discussions
-  - [ ] [:link:][step_review_docs]       **(Support)** Review the documentation changes introduced by the merge request with the fix
-  - [ ] [:link:][step_backports]         **(SwEng)** Prepare backports of the merge request addressing the problem for all affected (and still maintained) branches of a given product
-  - [ ] [:link:][step_finish_advisory]   **(Support)** Finish preparing the Security Advisory
-  - [ ] [:link:][step_meta_issue]        **(QA)** Create (or update) the private issue containing links to fixes & reproducers for all CVEs fixed in a given release cycle
-  - [ ] [:link:][step_merge_fixes]       **(QA)** Merge the CVE fixes in CVE identifier order
-  - [ ] [:link:][step_patches]           **(QA)** Prepare a standalone patch for the last stable release of each affected (and still maintained) product branch
-  - [ ] [:link:][step_asn_releases]      **(QA)** Prepare ASN releases (as outlined in the Release Checklist)
-
-### At T-5
-
-  - [ ] [:link:][step_asn_documents]     **(Marketing)** Update the text on the T-5 (from the Printing Press project) and "earliest" ASN documents in the SF portal
-  - [ ] [:link:][step_asn_links]         **(Marketing)** (BIND 9 only) Update the BIND -S information document in SF with download links to the new versions
-  - [ ] [:link:][step_asn_send]          **(Marketing)** Bulk email eligible customers to check the SF portal
-  - [ ] [:link:][step_preannouncement]   **(Marketing)** (BIND 9 only) Send a pre-announcement email to the *bind-announce* mailing list to alert users that the upcoming release will include security fixes
-
-### At T-1
-
-  - [ ] [:link:][step_packager_emails]   **(First IM)** Send notifications to OS packagers
-
-### On the Day of Public Disclosure
-
-  - [ ] [:link:][step_clearance]         **(IM)** Grant QA & Marketing clearance to proceed with public release
-  - [ ] [:link:][step_publish]           **(QA/Marketing)** Publish the releases (as outlined in the release checklist)
-  - [ ] [:link:][step_matrix]            **(Support)** (BIND 9 only) Add the new CVEs to the vulnerability matrix in the Knowledge Base
-  - [ ] [:link:][step_publish_advisory]  **(Support)** Bump Document Version for the Security Advisory and publish it in the Knowledge Base
-  - [ ] [:link:][step_notifications]     **(First IM)** Send notification emails to third parties
-  - [ ] [:link:][step_mitre]             **(First IM)** Advise MITRE about the disclosed CVEs
-  - [ ] [:link:][step_merge_advisory]    **(First IM)** Merge the Security Advisory merge request
-  - [ ] [:link:][step_embargo_end]       **(IM)** Inform original reporter (if external) that the security disclosure process is complete
-  - [ ] [:link:][step_asn_clear]         **(Marketing)** Update the SF portal to clear the ASN
-  - [ ] [:link:][step_customers]         **(Marketing)** Email ASN recipients that the embargo is lifted
-
-### After Public Disclosure
-
-  - [ ] [:link:][step_regression]        **(QA)** Merge a regression test reproducing the bug into all affected (and still maintained) branches
-
-[step_deputy]:            https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#pick-a-deputy-incident-manager
-[step_respond]:           https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#respond-to-the-bug-reporter
-[step_public_mrs]:        https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#ensure-there-are-no-public-merge-requests-which-inadvertently-disclose-the-issue
-[step_assign_cve_id]:     https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#assign-a-cve-identifier
-[step_note_cve_info]:     https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#update-this-issue-with-the-assigned-cve-identifier-and-the-cvss-score
-[step_versions_affected]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#determine-the-range-of-product-versions-affected-including-the-subscription-edition
-[step_workarounds]:       https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#determine-whether-workarounds-for-the-problem-exist
-[step_coordinate]:        https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#if-necessary-coordinate-with-other-parties
-[step_earliest_prepare]:  https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#prepare-earliest-notification-text-and-hand-it-off-to-marketing
-[step_earliest_send]:     https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#update-earliest-notification-document-in-sf-portal-and-send-bulk-email-to-earliest-customers
-[step_advisory_mr]:       https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#create-a-merge-request-for-the-security-advisory-and-include-all-readily-available-information-in-it
-[step_reproducer_mr]:     https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#prepare-a-private-merge-request-containing-a-system-test-reproducing-the-problem
-[step_notify_support]:    https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#notify-support-when-a-reproducer-is-ready
-[step_code_analysis]:     https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#prepare-a-detailed-explanation-of-the-code-flow-triggering-the-problem
-[step_fix_mr]:            https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#prepare-a-private-merge-request-with-the-fix
-[step_review_fix]:        https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#ensure-the-merge-request-with-the-fix-is-reviewed-and-has-no-outstanding-discussions
-[step_review_docs]:       https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#review-the-documentation-changes-introduced-by-the-merge-request-with-the-fix
-[step_backports]:         https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#prepare-backports-of-the-merge-request-addressing-the-problem-for-all-affected-and-still-maintained-branches-of-a-given-product
-[step_finish_advisory]:   https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#finish-preparing-the-security-advisory
-[step_meta_issue]:        https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#create-or-update-the-private-issue-containing-links-to-fixes-reproducers-for-all-cves-fixed-in-a-given-release-cycle
-[step_changes]:           https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#bind-9-only-reserve-a-block-of-changes-placeholders-once-the-complete-set-of-vulnerabilities-fixed-in-a-given-release-cycle-is-determined
-[step_merge_fixes]:       https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#merge-the-cve-fixes-in-cve-identifier-order
-[step_patches]:           https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#prepare-a-standalone-patch-for-the-last-stable-release-of-each-affected-and-still-maintained-product-branch
-[step_asn_releases]:      https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#prepare-asn-releases-as-outlined-in-the-release-checklist
-[step_asn_documents]:     https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#update-the-text-on-the-t-5-from-the-printing-press-project-and-earliest-asn-documents-in-the-sf-portal
-[step_asn_links]:         https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#bind-9-only-update-the-bind-s-information-document-in-sf-with-download-links-to-the-new-versions
-[step_asn_send]:          https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#bulk-email-eligible-customers-to-check-the-sf-portal
-[step_preannouncement]:   https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#bind-9-only-send-a-pre-announcement-email-to-the-bind-announce-mailing-list-to-alert-users-that-the-upcoming-release-will-include-security-fixes
-[step_packager_emails]:   https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#send-notifications-to-os-packagers
-[step_clearance]:         https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#grant-qa-marketing-clearance-to-proceed-with-public-release
-[step_publish]:           https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#publish-the-releases-as-outlined-in-the-release-checklist
-[step_matrix]:            https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#bind-9-only-add-the-new-cves-to-the-vulnerability-matrix-in-the-knowledge-base
-[step_publish_advisory]:  https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#bump-document-version-for-the-security-advisory-and-publish-it-in-the-knowledge-base
-[step_notifications]:     https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#send-notification-emails-to-third-parties
-[step_mitre]:             https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#advise-mitre-about-the-disclosed-cves
-[step_merge_advisory]:    https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#merge-the-security-advisory-merge-request
-[step_embargo_end]:       https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#inform-original-reporter-if-external-that-the-security-disclosure-process-is-complete
-[step_asn_clear]:         https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#update-the-sf-portal-to-clear-the-asn
-[step_customers]:         https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#email-asn-recipients-that-the-embargo-is-lifted
-[step_regression]:        https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#merge-a-regression-test-reproducing-the-bug-into-all-affected-and-still-maintained-branches
-
-/confidential

.gitlab/issue_templates/Release.md

@@ -0,0 +1,95 @@
+## Release Schedule
+
+**Code Freeze:**
+
+**Tagging Deadline:**
+
+**Public Release:**
+
+## Documentation Review Links
+
+**Closed issues assigned to the milestone without a release note:**
+
+ - []()
+ - []()
+ - []()
+
+**Merge requests merged into the milestone without a release note:**
+
+ - []()
+ - []()
+ - []()
+
+**Merge requests merged into the milestone without a `CHANGES` entry:**
+
+ - []()
+ - []()
+ - []()
+
+## Release Checklist
+
+### Before the Code Freeze
+
+ - [ ] ***(QA)*** Inform Support and Marketing of impending release (and give estimated release dates).
+ - [ ] ***(QA)*** Ensure there are no permanent test failures on any platform.
+ - [ ] ***(QA)*** Check Perflab to ensure there has been no unexplained drop in performance for the versions being released.
+ - [ ] ***(QA)*** Check whether all issues assigned to the release milestone are resolved[^1].
+ - [ ] ***(QA)*** Ensure that there are no outstanding merge requests in the private repository[^1] (Subscription Edition only).
+ - [ ] ***(QA)*** Ensure all merge requests marked for backporting have been indeed backported.
+ - [ ] ***(QA)*** Announce (on Mattermost) that the code freeze is in effect.
+
+### Before the Tagging Deadline
+
+ - [ ] ***(QA)*** Look for outstanding documentation issues (e.g. `CHANGES` mistakes) and address them if any are found.
+ - [ ] ***(QA)*** Ensure release notes are correct, ask Support and Marketing to check them as well.
+ - [ ] ***(QA)*** Update API files for libraries with new version information.
+ - [ ] ***(QA)*** Change software version and library versions in `configure.ac` (new major release only).
+ - [ ] ***(QA)*** Rebuild `configure` using Autoconf on `docs.isc.org`.
+ - [ ] ***(QA)*** Update `CHANGES`.
+ - [ ] ***(QA)*** Update `CHANGES.SE` (Subscription Edition only).
+ - [ ] ***(QA)*** Update `README.md`.
+ - [ ] ***(QA)*** Update `version`.
+ - [ ] ***(QA)*** Build documentation on `docs.isc.org`.
+ - [ ] ***(QA)*** Check that the formatting is correct for text, PDF, and HTML versions of release notes.
+ - [ ] ***(QA)*** Check that the formatting of the generated man pages is correct.
+ - [ ] ***(QA)*** Tag the releases in the private repository (`git tag -s -m "BIND 9.x.y" v9_x_y`).
+
+### Before the ASN Deadline (for ASN Releases) or the Public Release Date (for Regular Releases)
+
+ - [ ] ***(QA)*** Verify GitLab CI results for the tags created and prepare a QA report for the releases to be published.
+ - [ ] ***(QA)*** Announce (on Mattermost) that the code freeze is over.
+ - [ ] ***(QA)*** Request signatures for the tarballs, providing their location and checksums.
+ - [ ] ***(Signers)*** Validate tarball checksums, sign tarballs, and upload signatures.
+ - [ ] ***(QA)*** Verify tarball signatures and check tarball checksums again.
+ - [ ] ***(Support)*** Pre-publish ASN and/or Subscription Edition tarballs so that packages can be built.
+ - [ ] ***(QA)*** Build and test ASN and/or Subscription Edition packages.
+ - [ ] ***(QA)*** Notify Support that the releases have been prepared.
+ - [ ] ***(Support)*** Send out ASNs (if applicable).
+
+### On the Day of Public Release
+
+ - [ ] ***(Support)*** Wait for clearance from Security Officer to proceed with the public release (if applicable).
+ - [ ] ***(Support)*** Place tarballs in public location on FTP site.
+ - [ ] ***(Support)*** Publish links to downloads on ISC website.
+ - [ ] ***(Support)*** Write release email to *bind-announce*.
+ - [ ] ***(Support)*** Write email to *bind-users* (if a major release).
+ - [ ] ***(Support)*** Send eligible customers updated links to the Subscription Edition (update the -S edition delivery tickets, even if those links were provided earlier via an ASN ticket).
+ - [ ] ***(Support)*** Update tickets in case of waiting support customers.
+ - [ ] ***(QA)*** Build and test any outstanding private packages.
+ - [ ] ***(QA)*** Build public packages (`*.deb`, RPMs).
+ - [ ] ***(QA)*** Inform Marketing of the release.
+ - [ ] ***(QA)*** Update the internal [BIND release dates wiki page](https://wiki.isc.org/bin/view/Main/BindReleaseDates) when public announcement has been made.
+ - [ ] ***(Marketing)*** Post short note to Twitter.
+ - [ ] ***(Marketing)*** Update [Wikipedia entry for BIND](https://en.wikipedia.org/wiki/BIND).
+ - [ ] ***(Marketing)*** Write blog article (if a major release).
+ - [ ] ***(QA)*** Ensure all new tags are annotated and signed.
+ - [ ] ***(QA)*** Push tags for the published releases to the public repository.
+ - [ ] ***(QA)*** Merge the automatically prepared `prep 9.x.y` commit which updates `version` and documentation on the release branch into the relevant maintenance branch (`v9_x`).
+ - [ ] ***(QA)*** For each maintained branch, update the `BIND_BASELINE_VERSION` variable for the `abi-check` job in `.gitlab-ci.yml` to the latest published BIND version tag for a given branch.
+ - [ ] ***(QA)*** Prepare empty release notes for the next set of releases.
+ - [ ] ***(QA)*** Sanitize confidential issues which are assigned to the current release milestone and do not describe a security vulnerability, then make them public.
+ - [ ] ***(QA)*** Sanitize confidential issues which are assigned to older release milestones and describe security vulnerabilities, then make them public if appropriate[^2].
+ - [ ] ***(QA)*** Update QA tools used in GitLab CI (e.g. Flake8, PyLint) by modifying the relevant `Dockerfile`.
+
+[^1]: If not, use the time remaining until the tagging deadline to ensure all outstanding issues are either resolved or moved to a different milestone.
+[^2]: As a rule of thumb, security vulnerabilities which have reproducers merged to the public repository are considered okay for full disclosure.

.gitlab/issue_templates/Security_issue.md

@@ -1,139 +0,0 @@
-### Summary
-<!--
-Concisely summarize the bug encountered,
-preferably in one paragraph or less.
--->
-
-### BIND versions affected
-<!--
-Make sure you are testing with the **latest** supported version of BIND.
-See https://kb.isc.org/docs/supported-platforms for the current list.
-The latest source is available from https://www.isc.org/download/#BIND
-
-Paste the output of `named -V` here.
--->
-
-### Preconditions and assumptions
-<!--
-Is a specific setup needed?
-
-Please check the BIND Security Assumptions chapter in the ARM:
-https://bind9.readthedocs.io/en/latest/chapter7.html#security-assumptions
-
-E.g. DNSSEC validation must be disabled, etc.
-E.g. Resolver must be configured to forward to attacker's server via DNS-over-TLS, etc.
-E.g. Authoritative server must be configured to transfer specific primary zone.
-E.g. Attacker must be in posession of a key authorized to modify at least one zone.
-E.g. Attacker can affect system clock on the server running BIND.
--->
-
-### Attacker's abilities
-<!--
-What resources does an attacker need to have under their control to mount this attack?
-
-E.g. If attacking an authoritative server, does the attacked have to have prior
-relationship with it? "The authoritative server under attack needs to
-transfer a malicious zone from attacker's authoritative server via TLS."
-
-E.g. If attacking a resolver, does the attacker need the ability to send
-arbitrary queries to the resolver under attack? Do they need to _also_ control
-an authoritative server at the same time?
--->
-
-
-### Impact
-<!--
-Who or what is the victim of the attack and what is the impact?
-
-Is a third party receiving many packets generated by a reflection attack?
-
-If the affected party is the BIND server itself, please quantify the impact
-on legitimate clients:
-E.g. After launching the attack, the answers-per-second metric for legitimate
-traffic drops to 1/1000 within the first minute of the attack.
--->
-
-
-### Steps to reproduce
-<!--
-This is extremely important! Be precise and use itemized lists, please.
-
-Even if a default configuration is affected, please include the full configuration
-files _you were testing with_.
-
-Example:
-1. Use the _attached_ configuration file
-2. Start the BIND server with command: `named -g -c named.conf ...`
-3. Simulate legitimate clients using the command `dnsperf -S1 -d legit-queries ...`
-4. Simulate attack traffic using the command `dnsperf -S1 -d attack-queries ...`
--->
-
-1.
-2.
-3.
-
-### What is the current *bug* behavior?
-
-<!--
-Examples:
-Legitimate QPS drops 1000x.
-Memory consumption increases out of bounds and the server crashes.
-The server crashes immediately.
--->
-
-### What is the expected *correct* behavior?
-
-<!--
-If the attack causes resource exhaustion, what do you think the correct
-behavior should be? Should BIND refuse to process more requests?
-
-What heuristic do you propose to distinguish legitimate and attack traffic?
--->
-
-### Relevant logs
-<!--
-Please provide log files from your testing. Include full named logs and also
-the output from any testing tools (e.g. dnsperf, DNS Shotgun, kxdpgun, etc.)
-
-If multiple log files are needed, make sure all the files have matching timestamps
-so we can correlate log events across log files.
-
-In the case of resource exhaustion attacks, please _also_ include system monitoring
-data. You can use https://gitlab.isc.org/isc-projects/resource-monitor/ to
-gather system-wide statistics.
--->
-
-### Coordination
-- Does this issue affect multiple implementations?
-<!--
-Issues affecting multiple implementations require very careful coordination. We
-have to make sure the information does not leak to the public until vendors are ready to
-release fixed versions. If it is a multi-vendor issue, we need to know about the situation
-as soon as possible to start the (confidential!) coordination process within
-DNS-OARC and other suitable fora.
-
-Please list implementations you have tested.
--->
-
-- Have you shared the information with anyone else?
-<!--
-Have you informed other affected vendors? Or maybe submitted a paper for
-review?
--->
-
-- What is your plan to publicize this issue?
-<!--
-E.g. we plan to go public during conference XYZ on 20XX-XX-XX
--->
-
-### Acknowledgements
-<!--
-Please specify whether and how you would like to be publicly credited with
-discovering the issue. We normally use the format:
-First_name Last_name, Company_or_Team.
--->
-
-<!-- DO NOT modify the following two lines. -->
-
-/label ~Bug ~Security
-/confidential

.lgtm.yml

@@ -0,0 +1,35 @@
+extraction:
+  cpp:
+    prepare:
+      packages:
+      - "libxml2-dev"
+      - "libjson-c-dev"
+      - "libssl-dev"
+      - "zlib1g-dev"
+      - "libcmocka-dev"
+      - "pkg-config"
+      - "libcap2-dev"
+      - "libedit-dev"
+      - "libidn2-dev"
+      - "libmaxminddb-dev"
+      - "libuv1-dev"
+      - "libnghttp2-dev"
+    configure:
+      command:
+      - "autoreconf -fi"
+      - "CFLAGS=\"-Og -g\" ./configure --enable-developer"
+path_classifiers:
+  test:
+    - "lib/*/tests/"
+    - "bin/tests/"
+  docs:
+    - "**/*.xml"
+    - "**/*.docbook"
+    - "**/*.html"
+    - "**/*.1"
+    - "**/*.5"
+    - "**/*.8"
+queries:
+  - exclude: fuzz/
+  - exclude: "bin/tests/system/*/ans*/*.py"
+  - exclude: cpp/use-of-goto

.mailmap

@@ -1,27 +0,0 @@
-Alan Clegg <aclegg@isc.org>
-Alessio Podda <alessio@isc.org>
-Aram Sargsyan <aram@isc.org>
-Artem Boldariev <artem@isc.org> <artem@boldariev.com>
-Curtis Blackburn <ckb@isc.org> <ckb@freebsd11.local>
-Curtis Blackburn <ckb@isc.org> <ckb@isc.org>
-Diego Fronza <diego@isc.org>
-Evan Hunt <each@isc.org> Evan Hunt <fanf@isc.org>
-Håvard Eidnes <he@uninett.no>
-Jeremy C. Reed <jreed@isc.org> <jreed@docs.lab.isc.org>
-Jeremy C. Reed <jreed@isc.org> <jreed@ISC.org>
-Joey Salazar <joey@isc.org>
-John H. DuBois III <johnd>
-Mark Andrews <marka@isc.org>
-Mark Andrews <marka@isc.org> <marka@daemon.lab.isc.org>
-Mark Andrews <marka@isc.org> <marka@newdocs.lab.isc.org>
-Matthijs Mekking <matthijs@isc.org> <github@pletterpet.nl>
-Nicki Křížek <nicki@isc.org> <tkrizek@isc.org>
-Ondřej Surý <ondrej@isc.org>
-Ondřej Surý <ondrej@isc.org> <ondrej@openbsd-6-9.home.sury.org>
-Ondřej Surý <ondrej@isc.org> <ondrej@sury.org>
-Petr Menšík <pemensik@redhat.com>
-Petr Menšík <pemensik@redhat.com> <pmensik@redhat.com>
-Robert Edmonds <edmonds>
-Tatuya JINMEI 神明達哉 <jinmei@isc.org>
-Witold Kręcicki <wpk@isc.org>
-Witold Kręcicki <wpk@isc.org> <wpk@culm.net>

.pylintrc

@@ -1,28 +1,8 @@
-[IMPORTS]
-
-deprecated-modules=
-    dns.resolver,
-
-[MESSAGES CONTROL]
-
+[MASTER]
 disable=
-    C0103, # invalid-name
     C0114, # missing-module-docstring
     C0115, # missing-class-docstring
     C0116, # missing-function-docstring
-    C0209, # consider-using-f-string
-    C0301, # line-too-long, handled better by black
-    C0302, # too-many-lines
-    C0415, # import-outside-toplevel
     R0801, # duplicate-code
-    R0901, # too-many-ancestors
-    R0902, # too-many-instance-attributes
-    R0903, # too-few-public-methods
-    R0904, # too-many-public-methods
-    R0911, # too-many-return-statements
-    R0912, # too-many-branches
-    R0913, # too-many-arguments
-    R0914, # too-many-locals
-    R0915, # too-many-statements
-    R0916, # too-many-boolean-expressions
-    R0917, # too-many-positional-arguments
+    C0103, # invalid-name
+    C0415,# import-outside-toplevel

.readthedocs.yaml

@@ -1,18 +0,0 @@
-# See https://docs.readthedocs.io/en/stable/config-file/v2.html for details
-
-version: 2
-
-build:
-  os: ubuntu-22.04
-  tools:
-    python: "3.11"
-  jobs:
-    pre_build:
-      - python -m pip install -r https://gitlab.isc.org/isc-projects/bind9/-/raw/main/doc/arm/requirements.txt
-
-# Build documentation in doc/arm/ with Sphinx
-sphinx:
-  configuration: doc/arm/conf.py
-
-# Build all formats
-formats: all

.reuse/dep5

@@ -1,230 +0,0 @@
-Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
-Upstream-Name: BIND 9
-Upstream-Contact: Internet Systems Consortium, Inc. ("ISC") <info@isc.org>
-Source: https://gitlab.isc.org/isc-projects/bind9/
-
-#
-# Build system, data files from tests, and misc cruft
-#
-Files: **/*.after*
-       **/*.bad
-       **/*.batch
-       **/*.before*
-       **/*.ccache
-       **/*.good
-       **/*.key
-       **/*.pem
-       **/*.private
-       **/*.raw
-       **/*.saved
-       **/*.zonelist
-       **/*dig.out*
-       **/Makefile
-       **/Makefile.*
-       **/testdata/*
-       .github/*
-       .gitlab/*
-       .mailmap
-       AUTHORS
-       COPYRIGHT
-       Makefile
-       Makefile.*
-       bin/tests/system/checkzone/zones/bad-caa-rr.db
-       bin/tests/system/checkzone/zones/bad1.db
-       bin/tests/system/checkzone/zones/crashzone.db
-       bin/tests/system/dnstap/large-answer.fstrm
-       bin/tests/system/doth/CA/CA.cfg
-       bin/tests/system/doth/CA/README
-       bin/tests/system/doth/CA/index.txt
-       bin/tests/system/doth/CA/index.txt.attr
-       bin/tests/system/doth/CA/serial
-       bin/tests/system/formerr/badnsec3owner
-       bin/tests/system/formerr/badrecordname
-       bin/tests/system/formerr/dupans
-       bin/tests/system/formerr/dupquestion
-       bin/tests/system/formerr/keyclass
-       bin/tests/system/formerr/malformeddeltype
-       bin/tests/system/formerr/malformedrrsig
-       bin/tests/system/formerr/nametoolong
-       bin/tests/system/formerr/noquestions
-       bin/tests/system/formerr/optwrongname
-       bin/tests/system/formerr/qtypeasanswer
-       bin/tests/system/formerr/questionclass
-       bin/tests/system/formerr/shortquestion
-       bin/tests/system/formerr/shortrecord
-       bin/tests/system/formerr/tsignotlast
-       bin/tests/system/formerr/tsigwrongclass
-       bin/tests/system/formerr/twoquestionnames
-       bin/tests/system/formerr/twoquestiontypes
-       bin/tests/system/formerr/wrongclass
-       bin/tests/system/forward/CA/CA.cfg
-       bin/tests/system/forward/CA/README
-       bin/tests/system/forward/CA/index.txt
-       bin/tests/system/forward/CA/index.txt.attr
-       bin/tests/system/forward/CA/serial
-       bin/tests/system/isctest/vars/.ac_vars/*
-       bin/tests/system/journal/ns1/managed-keys.bind.in
-       bin/tests/system/journal/ns1/managed-keys.bind.jnl.in
-       bin/tests/system/journal/ns2/managed-keys.bind.in
-       bin/tests/system/journal/ns2/managed-keys.bind.jnl.in
-       bin/tests/system/keepalive/expected
-       bin/tests/system/legacy/ns6/edns512.db.signed
-       bin/tests/system/legacy/ns7/edns512-notcp.db.signed
-       bin/tests/system/masterfile/knowngood.include
-       bin/tests/system/masterfile/knowngood.ttl1
-       bin/tests/system/masterfile/knowngood.ttl2
-       bin/tests/system/notify/CA/CA.cfg
-       bin/tests/system/notify/CA/README
-       bin/tests/system/notify/CA/index.txt
-       bin/tests/system/notify/CA/index.txt.attr
-       bin/tests/system/notify/CA/serial
-       bin/tests/system/notify/ns4/named.port.in
-       bin/tests/system/nsupdate/CA/CA.cfg
-       bin/tests/system/nsupdate/CA/README
-       bin/tests/system/nsupdate/CA/index.txt
-       bin/tests/system/nsupdate/CA/index.txt.attr
-       bin/tests/system/nsupdate/CA/serial
-       bin/tests/system/nsupdate/commandlist
-       bin/tests/system/nsupdate/verylarge.in
-       bin/tests/system/org.isc.bind.system.plist
-       bin/tests/system/pipelined/input
-       bin/tests/system/pipelined/inputb
-       bin/tests/system/pipelined/ref
-       bin/tests/system/pipelined/refb
-       bin/tests/system/rsabigexponent/ns2/dsset-example.in
-       bin/tests/system/run.gdb
-       bin/tests/system/runtime/ctrl-chars
-       bin/tests/system/runtime/long-cmd-line
-       bin/tests/system/statschannel/traffic.expect.1
-       bin/tests/system/statschannel/traffic.expect.2
-       bin/tests/system/statschannel/traffic.expect.4
-       bin/tests/system/statschannel/traffic.expect.5
-       bin/tests/system/statschannel/traffic.expect.6
-       bin/tests/system/tcp/1996-alloc_dnsbuf-crash-test.pkt
-       bin/tests/system/tsig/badlocation
-       bin/tests/system/tsig/badtime
-       bin/tests/system/unknown/large.out
-       bin/tests/system/xfer/ans5/badkeydata
-       bin/tests/system/xfer/ans5/badmessageid
-       bin/tests/system/xfer/ans5/ednsformerr
-       bin/tests/system/xfer/ans5/ednsnotimp
-       bin/tests/system/xfer/ans5/goodaxfr
-       bin/tests/system/xfer/ans5/ixfrnotimp
-       bin/tests/system/xfer/ans5/partial
-       bin/tests/system/xfer/ans5/soamismatch
-       bin/tests/system/xfer/ans5/unknownkey
-       bin/tests/system/xfer/ans5/unsigned
-       bin/tests/system/xfer/ans5/wrongkey
-       bin/tests/system/xfer/ans5/wrongname
-       bin/tests/system/xfer/knowngood.mapped
-       cocci/*.cocci
-       cocci/*.disabled
-       cocci/*.spatch
-       doc/arm/*.dia
-       doc/arm/*.png
-       doc/arm/isc-logo.pdf
-       doc/man/*.1in
-       doc/man/*.5in
-       doc/man/*.8in
-       fuzz/*.in/*
-Copyright: Internet Systems Consortium, Inc. ("ISC")
-License: MPL-2.0
-
-#
-# DNSSEC Guide images
-#
-Files: doc/dnssec-guide/img/*.png
-Copyright: Internet Systems Consortium, Inc. ("ISC")
-License: MPL-2.0
-
-#
-# Libtool Files
-#
-Files: m4/libtool.m4
-       m4/ltoptions.m4
-       m4/ltsugar.m4
-       m4/ltversion.m4
-       m4/ltversion.m4
-       m4/lt~obsolete.m4
-Copyright: Free Software Foundation, Inc.
-License:
- This file is free software; the Free Software Foundation gives unlimited
- permission to copy and/or distribute it, with or without modifications, as long
- as this notice is preserved.
-
-#
-# DLZ Modules
-#
-Files: contrib/dlz/modules/*/testing/*
-Copyright: Internet Systems Consortium, Inc. ("ISC")
-	   Stichting NLnet, Netherlands
-License: ISC and MPL-2.0
-
-#
-# Stuff that's basically uncopyrightable (configuration, generated files),
-# use CC0-1.0 for clarity that we don't care
-#
-Files: **/.clang-format
-       **/.clang-format.headers
-       **/.dir-locals.el
-       **/.gitattributes
-       **/.gitignore
-       **/named*.args
-       **/named.dropedns
-       **/named.ednsformerr
-       **/named.ednsnotimp
-       **/named.ednsrefused
-       **/named.maxudp1460
-       **/named.maxudp512
-       **/named.noaa
-       **/named.noedns
-       **/named.nosoa
-       **/named.notcp
-       **/startme
-       .clang-format
-       .clang-format.headers
-       .dir-locals.el
-       .editorconfig
-       .git-blame-ignore-revs
-       .gitattributes
-       .gitignore
-       .gitlab-ci.yml
-       .lgtm.yml
-       .pylintrc
-       .readthedocs.yaml
-       .tsan-suppress
-       .uncrustify.cfg
-       contrib/gitchangelog/changelog.rc.py
-       contrib/gitchangelog/relnotes.rc.py
-       doc/misc/*.zoneopt
-       doc/misc/options
-       doc/misc/rndc.grammar
-       sonar-project.properties
-       tests/bench/names.csv
-Copyright: Internet Systems Consortium, Inc. ("ISC")
-License: CC0-1.0
-
-#
-# geoip2 test files (mmdb is generated from json)
-#
-Files: bin/tests/system/geoip2/data/*.json
-       bin/tests/system/geoip2/data/*.mmdb
-Copyright: Internet Systems Consortium, Inc. ("ISC")
-License: CC0-1.0
-
-#
-# files that may be left over from other branches.
-#
-# in a newly cloned branch or after running "git clean", these
-# files don't exist, but they can be left lying around after
-# checking out an older branch. we explicitly ignore them so they
-# won't clutter up the output when running "reuse lint" by hand
-# in a working source tree.
-#
-Files: **/platform.h
-       bin/python/*
-       bin/tests/optional/*
-       make/*
-       unit/unittest.sh
-Copyright: Internet Systems Consortium, Inc. ("ISC")
-License: CC0-1.0

.reuse/templates/isc.jinja2

@@ -1,16 +0,0 @@
-{% for copyright_line in copyright_lines %}
-{{ copyright_line }}
-{% endfor %}
-
-{% for expression in spdx_expressions %}
-SPDX-License-Identifier: {{ expression }}
-{% endfor %}
-
-{% if "MPL-2.0" in spdx_expressions %}
-This Source Code Form is subject to the terms of the Mozilla Public
-License, v. 2.0.  If a copy of the MPL was not distributed with this
-file, you can obtain one at https://mozilla.org/MPL/2.0/.
-
-See the COPYRIGHT file distributed with this work for additional
-information regarding copyright ownership.
-{% endif %}

.tsan-suppress

@@ -1,3 +0,0 @@
-# Uninstrumented libraries
-called_from_lib:libfstrm.so
-race:dummyrpz

AUTHORS

@@ -51,4 +51,3 @@ Anay Panvalkar
 colleen
 Robert Edmonds
 João Damas
-Artem Boldariev (Артем Болдарєв)

CODE_OF_CONDUCT.md

@@ -1,16 +1,3 @@
-<!--
-Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
-SPDX-License-Identifier: MPL-2.0
-
-This Source Code Form is subject to the terms of the Mozilla Public
-License, v. 2.0.  If a copy of the MPL was not distributed with this
-file, you can obtain one at https://mozilla.org/MPL/2.0/.
-
-See the COPYRIGHT file distributed with this work for additional
-information regarding copyright ownership.
--->
-
 # BIND 9 Code of Conduct
 
 Like the technical community as a whole, the BIND 9 team and community is made

CONTRIBUTING.md

@@ -1,17 +1,15 @@
 <!--
-Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
-SPDX-License-Identifier: MPL-2.0
-
-This Source Code Form is subject to the terms of the Mozilla Public
-License, v. 2.0.  If a copy of the MPL was not distributed with this
-file, you can obtain one at https://mozilla.org/MPL/2.0/.
-
-See the COPYRIGHT file distributed with this work for additional
-information regarding copyright ownership.
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
 -->
 ## BIND 9 Source Access and Contributor Guidelines
-*Nov 26, 2024*
+*May 28, 2020*
 
 ### Contents
 
@@ -71,14 +69,14 @@ To clone the repository, use:
 
 >       $ git clone https://gitlab.isc.org/isc-projects/bind9.git
 
-Release branch names are of the form `bind-9.X`, where X represents the second
-number in the BIND 9 version number.  So, to check out the BIND 9.20
+Release branch names are of the form `v9_X`, where X represents the second
+number in the BIND 9 version number.  So, to check out the BIND 9.12
 branch, use:
 
->       $ git checkout bind-9.20
+>       $ git checkout v9_12
 
 Whenever a branch is ready for publication, a tag is placed of the
-form `v9.X.Y`.  The 9.20.0 release, for instance, is tagged as `v9.20.0`.
+form `v9_X_Y`.  The 9.12.0 release, for instance, is tagged as `v9_12_0`.
 
 The branch in which the next major release is being developed is called
 `main`.
@@ -102,7 +100,22 @@ Twitter, or Facebook.
 
 ### Reporting possible security issues
 
-See `SECURITY.md`.
+If you think you may be seeing a potential security vulnerability in BIND
+(for example, a crash with REQUIRE, INSIST, or ASSERT failure), please
+report it immediately by emailing to security-officer@isc.org. Plain-text
+e-mail is not a secure choice for communications concerning undisclosed
+security issues so please encrypt your communications to us if possible,
+using the [ISC Security Officer public key](https://www.isc.org/pgpkey/).
+
+Do not discuss undisclosed security vulnerabilities on any public mailing list.
+ISC has a long history of handling reported vulnerabilities promptly and
+effectively and we respect and acknowledge responsible reporters.
+
+ISC's Security Vulnerability Disclosure Policy is documented at
+[https://kb.isc.org/docs/aa-00861](https://kb.isc.org/docs/aa-00861).
+
+If you have a crash, you may want to consult
+["What to do if your BIND or DHCP server has crashed."](https://kb.isc.org/docs/aa-00340)
 
 ### <a name="contrib"></a>Contributing code
 
@@ -121,9 +134,8 @@ patch will be applied.
 #### <a name="bind"></a>BIND code
 
 Patches for BIND may be submitted directly via merge requests in
-[ISC's GitLab](https://gitlab.isc.org/isc-projects/bind9/) source repository for
-BIND. Please contact ISC and provide your GitLab username in order to be allowed
-to fork the project and submit merge requests.
+[ISC's GitLab](https://gitlab.isc.org/isc-projects/bind9/) source
+repository for BIND.
 
 Patches can also be submitted as diffs against a specific version of
 BIND -- preferably the current top of the `main` branch.  Diffs may
@@ -145,8 +157,8 @@ we're busy with other work, it may take us a long time to get to it.
 To ensure your patch is acted on as promptly as possible, please:
 
 * Try to adhere to the [BIND 9 coding style](doc/dev/style.md).
-* Run unit and system tests to ensure your change hasn't caused any
-  functional regressions (these can be checked in the CI pipeline).
+* Run `make check` to ensure your change hasn't caused any
+  functional regressions.
 * Document your work, both in the patch itself and in the
   accompanying email.
 * In patches that make non-trivial functional changes, include system
@@ -157,12 +169,12 @@ To ensure your patch is acted on as promptly as possible, please:
 ##### Changes to `configure`
 
 If you need to make changes to `configure`, you should not edit it
-directly; instead, edit `configure.ac`, then run `autoconf`.  Similarly,
-instead of editing `config.h.in` directly, edit `configure.ac` and run
+directly; instead, edit `configure.in`, then run `autoconf`.  Similarly,
+instead of editing `config.h.in` directly, edit `configure.in` and run
 `autoheader`.
 
 When submitting a patch as a diff, it's fine to omit the `configure`
-diffs to save space.  Just send the `configure.ac` diffs and we'll
+diffs to save space.  Just send the `configure.in` diffs and we'll
 generate the new `configure` during the review process.
 
 ##### Documentation
@@ -174,7 +186,7 @@ of documentation in the BIND source tree:
   they document, in files ending in `.rst`: for example, the
   `named` man page is `bin/named/named.rst`.
 * The *BIND 9 Administrator Reference Manual* is in the .rst files in
-  `doc/arm/`; the HTML version is automatically generated from
+  `doc/arm/`; the PDF and HTML versions are automatically generated from
   the `.rst` files.
 * API documentation is in the header file describing the API, in
   Doxygen-formatted comments.

COPYRIGHT

@@ -1,4 +1,4 @@
-Copyright (C) 1996-2023  Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 1996-2021  Internet Systems Consortium, Inc. ("ISC")
 
 This Source Code Form is subject to the terms of the Mozilla Public
 License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -133,7 +133,7 @@ modification, are permitted provided that the following conditions are met:
 3. Neither the name of the University nor the names of its contributors may
    be used to endorse or promote products derived from this software
    without specific prior written permission.
-
+ 
 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -149,35 +149,35 @@ POSSIBILITY OF SUCH DAMAGE.
  -----------------------------------------------------------------------------
 
 Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
-(Royal Institute of Technology, Stockholm, Sweden).
-All rights reserved.
+(Royal Institute of Technology, Stockholm, Sweden). 
+All rights reserved. 
 
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions
-are met:
+Redistribution and use in source and binary forms, with or without 
+modification, are permitted provided that the following conditions 
+are met: 
 
-1. Redistributions of source code must retain the above copyright
-   notice, this list of conditions and the following disclaimer.
+1. Redistributions of source code must retain the above copyright 
+   notice, this list of conditions and the following disclaimer. 
 
-2. Redistributions in binary form must reproduce the above copyright
-   notice, this list of conditions and the following disclaimer in the
-   documentation and/or other materials provided with the distribution.
+2. Redistributions in binary form must reproduce the above copyright 
+   notice, this list of conditions and the following disclaimer in the 
+   documentation and/or other materials provided with the distribution. 
 
-3. Neither the name of the Institute nor the names of its contributors
-   may be used to endorse or promote products derived from this software
-   without specific prior written permission.
+3. Neither the name of the Institute nor the names of its contributors 
+   may be used to endorse or promote products derived from this software 
+   without specific prior written permission. 
 
-THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGE.
+THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+SUCH DAMAGE. 
 
  -----------------------------------------------------------------------------
 

ChangeLog

@@ -1 +1 @@
-doc/arm/changelog.rst
+CHANGES

LICENSE

@@ -346,7 +346,7 @@ Exhibit A - Source Code Form License Notice
       2.0. If a copy of the MPL was not
       distributed with this file, You can
       obtain one at
-      https://mozilla.org/MPL/2.0/.
+      http://mozilla.org/MPL/2.0/.
 
 If it is not possible or desirable to put the notice in a particular file,
 then You may include the notice in a location (such as a LICENSE file in a

LICENSES/Apache-2.0.txt

@@ -1,73 +0,0 @@
-Apache License
-Version 2.0, January 2004
-http://www.apache.org/licenses/
-
-TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-1. Definitions.
-
-"License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document.
-
-"Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License.
-
-"Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.
-
-"You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License.
-
-"Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files.
-
-"Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types.
-
-"Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).
-
-"Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.
-
-"Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution."
-
-"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work.
-
-2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.
-
-3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.
-
-4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions:
-
-     (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and
-
-     (b) You must cause any modified files to carry prominent notices stating that You changed the files; and
-
-     (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and
-
-     (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License.
-
-     You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License.
-
-5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions.
-
-6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.
-
-7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License.
-
-8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages.
-
-9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability.
-
-END OF TERMS AND CONDITIONS
-
-APPENDIX: How to apply the Apache License to your work.
-
-To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!)  The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives.
-
-Copyright [yyyy] [name of copyright owner]
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.

LICENSES/Autoconf-exception-3.0.txt

@@ -1,26 +0,0 @@
-AUTOCONF CONFIGURE SCRIPT EXCEPTION
-
-Version 3.0, 18 August 2009
-Copyright © 2009 Free Software Foundation, Inc. <http://fsf.org/>
-
-Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
-
-This Exception is an additional permission under section 7 of the GNU General Public License, version 3 ("GPLv3"). It applies to a given file that bears a notice placed by the copyright holder of the file stating that the file is governed by GPLv3 along with this Exception.
-
-The purpose of this Exception is to allow distribution of Autoconf's typical output under terms of the recipient's choice (including proprietary).
-
-0. Definitions.
-
-"Covered Code" is the source or object code of a version of Autoconf that is a covered work under this License.
-
-"Normally Copied Code" for a version of Autoconf means all parts of its Covered Code which that version can copy from its code (i.e., not from its input file) into its minimally verbose, non-debugging and non-tracing output.
-
-"Ineligible Code" is Covered Code that is not Normally Copied Code.
-
-1. Grant of Additional Permission.
-
-You have permission to propagate output of Autoconf, even if such propagation would otherwise violate the terms of GPLv3. However, if by modifying Autoconf you cause any Ineligible Code of the version you received to become Normally Copied Code of your modified version, then you void this Exception for the resulting covered work. If you convey that resulting covered work, you must remove this Exception in accordance with the second paragraph of Section 7 of GPLv3.
-
-2. No Weakening of Autoconf Copyleft.
-
-The availability of this Exception does not imply any general presumption that third-party software is unaffected by the copyleft requirements of the license of Autoconf.

LICENSES/Autoconf-exception-generic.txt

@@ -1 +0,0 @@
-As a special exception to the GNU General Public License, if you distribute this file as part of a program that contains a configuration script generated by Autoconf, you may include it under the same distribution terms that you use for the rest of that program.

LICENSES/BSD-2-Clause.txt

@@ -1,9 +0,0 @@
-Copyright (c) <year> <owner> All rights reserved.
-
-Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
-
-1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
-
-2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

LICENSES/BSD-3-Clause.txt

@@ -1,11 +0,0 @@
-Copyright (c) <year> <owner>. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
-
-1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
-
-2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
-
-3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

LICENSES/CC0-1.0.txt

@@ -1,121 +0,0 @@
-Creative Commons Legal Code
-
-CC0 1.0 Universal
-
-    CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
-    LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
-    ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
-    INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
-    REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
-    PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
-    THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
-    HEREUNDER.
-
-Statement of Purpose
-
-The laws of most jurisdictions throughout the world automatically confer
-exclusive Copyright and Related Rights (defined below) upon the creator
-and subsequent owner(s) (each and all, an "owner") of an original work of
-authorship and/or a database (each, a "Work").
-
-Certain owners wish to permanently relinquish those rights to a Work for
-the purpose of contributing to a commons of creative, cultural and
-scientific works ("Commons") that the public can reliably and without fear
-of later claims of infringement build upon, modify, incorporate in other
-works, reuse and redistribute as freely as possible in any form whatsoever
-and for any purposes, including without limitation commercial purposes.
-These owners may contribute to the Commons to promote the ideal of a free
-culture and the further production of creative, cultural and scientific
-works, or to gain reputation or greater distribution for their Work in
-part through the use and efforts of others.
-
-For these and/or other purposes and motivations, and without any
-expectation of additional consideration or compensation, the person
-associating CC0 with a Work (the "Affirmer"), to the extent that he or she
-is an owner of Copyright and Related Rights in the Work, voluntarily
-elects to apply CC0 to the Work and publicly distribute the Work under its
-terms, with knowledge of his or her Copyright and Related Rights in the
-Work and the meaning and intended legal effect of CC0 on those rights.
-
-1. Copyright and Related Rights. A Work made available under CC0 may be
-protected by copyright and related or neighboring rights ("Copyright and
-Related Rights"). Copyright and Related Rights include, but are not
-limited to, the following:
-
-  i. the right to reproduce, adapt, distribute, perform, display,
-     communicate, and translate a Work;
- ii. moral rights retained by the original author(s) and/or performer(s);
-iii. publicity and privacy rights pertaining to a person's image or
-     likeness depicted in a Work;
- iv. rights protecting against unfair competition in regards to a Work,
-     subject to the limitations in paragraph 4(a), below;
-  v. rights protecting the extraction, dissemination, use and reuse of data
-     in a Work;
- vi. database rights (such as those arising under Directive 96/9/EC of the
-     European Parliament and of the Council of 11 March 1996 on the legal
-     protection of databases, and under any national implementation
-     thereof, including any amended or successor version of such
-     directive); and
-vii. other similar, equivalent or corresponding rights throughout the
-     world based on applicable law or treaty, and any national
-     implementations thereof.
-
-2. Waiver. To the greatest extent permitted by, but not in contravention
-of, applicable law, Affirmer hereby overtly, fully, permanently,
-irrevocably and unconditionally waives, abandons, and surrenders all of
-Affirmer's Copyright and Related Rights and associated claims and causes
-of action, whether now known or unknown (including existing as well as
-future claims and causes of action), in the Work (i) in all territories
-worldwide, (ii) for the maximum duration provided by applicable law or
-treaty (including future time extensions), (iii) in any current or future
-medium and for any number of copies, and (iv) for any purpose whatsoever,
-including without limitation commercial, advertising or promotional
-purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
-member of the public at large and to the detriment of Affirmer's heirs and
-successors, fully intending that such Waiver shall not be subject to
-revocation, rescission, cancellation, termination, or any other legal or
-equitable action to disrupt the quiet enjoyment of the Work by the public
-as contemplated by Affirmer's express Statement of Purpose.
-
-3. Public License Fallback. Should any part of the Waiver for any reason
-be judged legally invalid or ineffective under applicable law, then the
-Waiver shall be preserved to the maximum extent permitted taking into
-account Affirmer's express Statement of Purpose. In addition, to the
-extent the Waiver is so judged Affirmer hereby grants to each affected
-person a royalty-free, non transferable, non sublicensable, non exclusive,
-irrevocable and unconditional license to exercise Affirmer's Copyright and
-Related Rights in the Work (i) in all territories worldwide, (ii) for the
-maximum duration provided by applicable law or treaty (including future
-time extensions), (iii) in any current or future medium and for any number
-of copies, and (iv) for any purpose whatsoever, including without
-limitation commercial, advertising or promotional purposes (the
-"License"). The License shall be deemed effective as of the date CC0 was
-applied by Affirmer to the Work. Should any part of the License for any
-reason be judged legally invalid or ineffective under applicable law, such
-partial invalidity or ineffectiveness shall not invalidate the remainder
-of the License, and in such case Affirmer hereby affirms that he or she
-will not (i) exercise any of his or her remaining Copyright and Related
-Rights in the Work or (ii) assert any associated claims and causes of
-action with respect to the Work, in either case contrary to Affirmer's
-express Statement of Purpose.
-
-4. Limitations and Disclaimers.
-
- a. No trademark or patent rights held by Affirmer are waived, abandoned,
-    surrendered, licensed or otherwise affected by this document.
- b. Affirmer offers the Work as-is and makes no representations or
-    warranties of any kind concerning the Work, express, implied,
-    statutory or otherwise, including without limitation warranties of
-    title, merchantability, fitness for a particular purpose, non
-    infringement, or the absence of latent or other defects, accuracy, or
-    the present or absence of errors, whether or not discoverable, all to
-    the greatest extent permissible under applicable law.
- c. Affirmer disclaims responsibility for clearing rights of other persons
-    that may apply to the Work or any use thereof, including without
-    limitation any person's Copyright and Related Rights in the Work.
-    Further, Affirmer disclaims responsibility for obtaining any necessary
-    consents, permissions or other rights required for any use of the
-    Work.
- d. Affirmer understands and acknowledges that Creative Commons is not a
-    party to this document and has no duty or obligation with respect to
-    this CC0 or use of the Work.

LICENSES/FSFAP.txt

@@ -1 +0,0 @@
-Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright notice and this notice are preserved.  This file is offered as-is, without any warranty.

LICENSES/GPL-2.0-or-later.txt

@@ -1,117 +0,0 @@
-GNU GENERAL PUBLIC LICENSE
-Version 2, June 1991
-
-Copyright (C) 1989, 1991 Free Software Foundation, Inc.
-51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
-
-Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
-
-Preamble
-
-The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Lesser General Public License instead.) You can apply it to your programs, too.
-
-When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.
-
-To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it.
-
-For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.
-
-We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software.
-
-Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations.
-
-Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all.
-
-The precise terms and conditions for copying, distribution and modification follow.
-
-TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
-
-0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you".
-
-Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.
-
-1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.
-
-You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.
-
-2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:
-
-     a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.
-
-     b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.
-
-     c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)
-
-These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.
-
-Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.
-
-In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.
-
-3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:
-
-     a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
-
-     b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
-
-     c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)
-
-The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.
-
-If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.
-
-4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.
-
-5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.
-
-6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.
-
-7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.
-
-If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.
-
-It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.
-
-This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.
-
-8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.
-
-9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.
-
-Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.
-
-10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.
-
-NO WARRANTY
-
-11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
-
-12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
-
-END OF TERMS AND CONDITIONS
-
-How to Apply These Terms to Your New Programs
-
-If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms.
-
-To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found.
-
-     one line to give the program's name and an idea of what it does. Copyright (C) yyyy name of author
-
-     This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
-
-     This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
-
-     You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. Also add information on how to contact you by electronic and paper mail.
-
-If the program is interactive, make it output a short notice like this when it starts in an interactive mode:
-
-     Gnomovision version 69, Copyright (C) year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details.
-
-The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program.
-
-You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names:
-
-     Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker.
-
-signature of Ty Coon, 1 April 1989 Ty Coon, President of Vice

LICENSES/GPL-3.0-or-later.txt

@@ -1,232 +0,0 @@
-GNU GENERAL PUBLIC LICENSE
-Version 3, 29 June 2007
-
-Copyright © 2007 Free Software Foundation, Inc. <http://fsf.org/>
-
-Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
-
-Preamble
-
-The GNU General Public License is a free, copyleft license for software and other kinds of works.
-
-The licenses for most software and other practical works are designed to take away your freedom to share and change the works. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change all versions of a program--to make sure it remains free software for all its users. We, the Free Software Foundation, use the GNU General Public License for most of our software; it applies also to any other work released this way by its authors. You can apply it to your programs, too.
-
-When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for them if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs, and that you know you can do these things.
-
-To protect your rights, we need to prevent others from denying you these rights or asking you to surrender the rights. Therefore, you have certain responsibilities if you distribute copies of the software, or if you modify it: responsibilities to respect the freedom of others.
-
-For example, if you distribute copies of such a program, whether gratis or for a fee, you must pass on to the recipients the same freedoms that you received. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.
-
-Developers that use the GNU GPL protect your rights with two steps: (1) assert copyright on the software, and (2) offer you this License giving you legal permission to copy, distribute and/or modify it.
-
-For the developers' and authors' protection, the GPL clearly explains that there is no warranty for this free software. For both users' and authors' sake, the GPL requires that modified versions be marked as changed, so that their problems will not be attributed erroneously to authors of previous versions.
-
-Some devices are designed to deny users access to install or run modified versions of the software inside them, although the manufacturer can do so. This is fundamentally incompatible with the aim of protecting users' freedom to change the software. The systematic pattern of such abuse occurs in the area of products for individuals to use, which is precisely where it is most unacceptable. Therefore, we have designed this version of the GPL to prohibit the practice for those products. If such problems arise substantially in other domains, we stand ready to extend this provision to those domains in future versions of the GPL, as needed to protect the freedom of users.
-
-Finally, every program is threatened constantly by software patents. States should not allow patents to restrict development and use of software on general-purpose computers, but in those that do, we wish to avoid the special danger that patents applied to a free program could make it effectively proprietary. To prevent this, the GPL assures that patents cannot be used to render the program non-free.
-
-The precise terms and conditions for copying, distribution and modification follow.
-
-TERMS AND CONDITIONS
-
-0. Definitions.
-
-“This License” refers to version 3 of the GNU General Public License.
-
-“Copyright” also means copyright-like laws that apply to other kinds of works, such as semiconductor masks.
-
-“The Program” refers to any copyrightable work licensed under this License. Each licensee is addressed as “you”. “Licensees” and “recipients” may be individuals or organizations.
-
-To “modify” a work means to copy from or adapt all or part of the work in a fashion requiring copyright permission, other than the making of an exact copy. The resulting work is called a “modified version” of the earlier work or a work “based on” the earlier work.
-
-A “covered work” means either the unmodified Program or a work based on the Program.
-
-To “propagate” a work means to do anything with it that, without permission, would make you directly or secondarily liable for infringement under applicable copyright law, except executing it on a computer or modifying a private copy. Propagation includes copying, distribution (with or without modification), making available to the public, and in some countries other activities as well.
-
-To “convey” a work means any kind of propagation that enables other parties to make or receive copies. Mere interaction with a user through a computer network, with no transfer of a copy, is not conveying.
-
-An interactive user interface displays “Appropriate Legal Notices” to the extent that it includes a convenient and prominently visible feature that (1) displays an appropriate copyright notice, and (2) tells the user that there is no warranty for the work (except to the extent that warranties are provided), that licensees may convey the work under this License, and how to view a copy of this License. If the interface presents a list of user commands or options, such as a menu, a prominent item in the list meets this criterion.
-
-1. Source Code.
-The “source code” for a work means the preferred form of the work for making modifications to it. “Object code” means any non-source form of a work.
-
-A “Standard Interface” means an interface that either is an official standard defined by a recognized standards body, or, in the case of interfaces specified for a particular programming language, one that is widely used among developers working in that language.
-
-The “System Libraries” of an executable work include anything, other than the work as a whole, that (a) is included in the normal form of packaging a Major Component, but which is not part of that Major Component, and (b) serves only to enable use of the work with that Major Component, or to implement a Standard Interface for which an implementation is available to the public in source code form. A “Major Component”, in this context, means a major essential component (kernel, window system, and so on) of the specific operating system (if any) on which the executable work runs, or a compiler used to produce the work, or an object code interpreter used to run it.
-
-The “Corresponding Source” for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities. However, it does not include the work's System Libraries, or general-purpose tools or generally available free programs which are used unmodified in performing those activities but which are not part of the work. For example, Corresponding Source includes interface definition files associated with source files for the work, and the source code for shared libraries and dynamically linked subprograms that the work is specifically designed to require, such as by intimate data communication or control flow between those subprograms and other parts of the work.
-
-The Corresponding Source need not include anything that users can regenerate automatically from other parts of the Corresponding Source.
-
-The Corresponding Source for a work in source code form is that same work.
-
-2. Basic Permissions.
-All rights granted under this License are granted for the term of copyright on the Program, and are irrevocable provided the stated conditions are met. This License explicitly affirms your unlimited permission to run the unmodified Program. The output from running a covered work is covered by this License only if the output, given its content, constitutes a covered work. This License acknowledges your rights of fair use or other equivalent, as provided by copyright law.
-
-You may make, run and propagate covered works that you do not convey, without conditions so long as your license otherwise remains in force. You may convey covered works to others for the sole purpose of having them make modifications exclusively for you, or provide you with facilities for running those works, provided that you comply with the terms of this License in conveying all material for which you do not control copyright. Those thus making or running the covered works for you must do so exclusively on your behalf, under your direction and control, on terms that prohibit them from making any copies of your copyrighted material outside their relationship with you.
-
-Conveying under any other circumstances is permitted solely under the conditions stated below. Sublicensing is not allowed; section 10 makes it unnecessary.
-
-3. Protecting Users' Legal Rights From Anti-Circumvention Law.
-No covered work shall be deemed part of an effective technological measure under any applicable law fulfilling obligations under article 11 of the WIPO copyright treaty adopted on 20 December 1996, or similar laws prohibiting or restricting circumvention of such measures.
-
-When you convey a covered work, you waive any legal power to forbid circumvention of technological measures to the extent such circumvention is effected by exercising rights under this License with respect to the covered work, and you disclaim any intention to limit operation or modification of the work as a means of enforcing, against the work's users, your or third parties' legal rights to forbid circumvention of technological measures.
-
-4. Conveying Verbatim Copies.
-You may convey verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice; keep intact all notices stating that this License and any non-permissive terms added in accord with section 7 apply to the code; keep intact all notices of the absence of any warranty; and give all recipients a copy of this License along with the Program.
-
-You may charge any price or no price for each copy that you convey, and you may offer support or warranty protection for a fee.
-
-5. Conveying Modified Source Versions.
-You may convey a work based on the Program, or the modifications to produce it from the Program, in the form of source code under the terms of section 4, provided that you also meet all of these conditions:
-
-     a) The work must carry prominent notices stating that you modified it, and giving a relevant date.
-
-     b) The work must carry prominent notices stating that it is released under this License and any conditions added under section 7. This requirement modifies the requirement in section 4 to “keep intact all notices”.
-
-     c) You must license the entire work, as a whole, under this License to anyone who comes into possession of a copy. This License will therefore apply, along with any applicable section 7 additional terms, to the whole of the work, and all its parts, regardless of how they are packaged. This License gives no permission to license the work in any other way, but it does not invalidate such permission if you have separately received it.
-
-     d) If the work has interactive user interfaces, each must display Appropriate Legal Notices; however, if the Program has interactive interfaces that do not display Appropriate Legal Notices, your work need not make them do so.
-
-A compilation of a covered work with other separate and independent works, which are not by their nature extensions of the covered work, and which are not combined with it such as to form a larger program, in or on a volume of a storage or distribution medium, is called an “aggregate” if the compilation and its resulting copyright are not used to limit the access or legal rights of the compilation's users beyond what the individual works permit. Inclusion of a covered work in an aggregate does not cause this License to apply to the other parts of the aggregate.
-
-6. Conveying Non-Source Forms.
-You may convey a covered work in object code form under the terms of sections 4 and 5, provided that you also convey the machine-readable Corresponding Source under the terms of this License, in one of these ways:
-
-     a) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by the Corresponding Source fixed on a durable physical medium customarily used for software interchange.
-
-     b) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by a written offer, valid for at least three years and valid for as long as you offer spare parts or customer support for that product model, to give anyone who possesses the object code either (1) a copy of the Corresponding Source for all the software in the product that is covered by this License, on a durable physical medium customarily used for software interchange, for a price no more than your reasonable cost of physically performing this conveying of source, or (2) access to copy the Corresponding Source from a network server at no charge.
-
-     c) Convey individual copies of the object code with a copy of the written offer to provide the Corresponding Source. This alternative is allowed only occasionally and noncommercially, and only if you received the object code with such an offer, in accord with subsection 6b.
-
-     d) Convey the object code by offering access from a designated place (gratis or for a charge), and offer equivalent access to the Corresponding Source in the same way through the same place at no further charge. You need not require recipients to copy the Corresponding Source along with the object code. If the place to copy the object code is a network server, the Corresponding Source may be on a different server (operated by you or a third party) that supports equivalent copying facilities, provided you maintain clear directions next to the object code saying where to find the Corresponding Source. Regardless of what server hosts the Corresponding Source, you remain obligated to ensure that it is available for as long as needed to satisfy these requirements.
-
-     e) Convey the object code using peer-to-peer transmission, provided you inform other peers where the object code and Corresponding Source of the work are being offered to the general public at no charge under subsection 6d.
-
-A separable portion of the object code, whose source code is excluded from the Corresponding Source as a System Library, need not be included in conveying the object code work.
-
-A “User Product” is either (1) a “consumer product”, which means any tangible personal property which is normally used for personal, family, or household purposes, or (2) anything designed or sold for incorporation into a dwelling. In determining whether a product is a consumer product, doubtful cases shall be resolved in favor of coverage. For a particular product received by a particular user, “normally used” refers to a typical or common use of that class of product, regardless of the status of the particular user or of the way in which the particular user actually uses, or expects or is expected to use, the product. A product is a consumer product regardless of whether the product has substantial commercial, industrial or non-consumer uses, unless such uses represent the only significant mode of use of the product.
-
-“Installation Information” for a User Product means any methods, procedures, authorization keys, or other information required to install and execute modified versions of a covered work in that User Product from a modified version of its Corresponding Source. The information must suffice to ensure that the continued functioning of the modified object code is in no case prevented or interfered with solely because modification has been made.
-
-If you convey an object code work under this section in, or with, or specifically for use in, a User Product, and the conveying occurs as part of a transaction in which the right of possession and use of the User Product is transferred to the recipient in perpetuity or for a fixed term (regardless of how the transaction is characterized), the Corresponding Source conveyed under this section must be accompanied by the Installation Information. But this requirement does not apply if neither you nor any third party retains the ability to install modified object code on the User Product (for example, the work has been installed in ROM).
-
-The requirement to provide Installation Information does not include a requirement to continue to provide support service, warranty, or updates for a work that has been modified or installed by the recipient, or for the User Product in which it has been modified or installed. Access to a network may be denied when the modification itself materially and adversely affects the operation of the network or violates the rules and protocols for communication across the network.
-
-Corresponding Source conveyed, and Installation Information provided, in accord with this section must be in a format that is publicly documented (and with an implementation available to the public in source code form), and must require no special password or key for unpacking, reading or copying.
-
-7. Additional Terms.
-“Additional permissions” are terms that supplement the terms of this License by making exceptions from one or more of its conditions. Additional permissions that are applicable to the entire Program shall be treated as though they were included in this License, to the extent that they are valid under applicable law. If additional permissions apply only to part of the Program, that part may be used separately under those permissions, but the entire Program remains governed by this License without regard to the additional permissions.
-
-When you convey a copy of a covered work, you may at your option remove any additional permissions from that copy, or from any part of it. (Additional permissions may be written to require their own removal in certain cases when you modify the work.) You may place additional permissions on material, added by you to a covered work, for which you have or can give appropriate copyright permission.
-
-Notwithstanding any other provision of this License, for material you add to a covered work, you may (if authorized by the copyright holders of that material) supplement the terms of this License with terms:
-
-     a) Disclaiming warranty or limiting liability differently from the terms of sections 15 and 16 of this License; or
-
-     b) Requiring preservation of specified reasonable legal notices or author attributions in that material or in the Appropriate Legal Notices displayed by works containing it; or
-
-     c) Prohibiting misrepresentation of the origin of that material, or requiring that modified versions of such material be marked in reasonable ways as different from the original version; or
-
-     d) Limiting the use for publicity purposes of names of licensors or authors of the material; or
-
-     e) Declining to grant rights under trademark law for use of some trade names, trademarks, or service marks; or
-
-     f) Requiring indemnification of licensors and authors of that material by anyone who conveys the material (or modified versions of it) with contractual assumptions of liability to the recipient, for any liability that these contractual assumptions directly impose on those licensors and authors.
-
-All other non-permissive additional terms are considered “further restrictions” within the meaning of section 10. If the Program as you received it, or any part of it, contains a notice stating that it is governed by this License along with a term that is a further restriction, you may remove that term. If a license document contains a further restriction but permits relicensing or conveying under this License, you may add to a covered work material governed by the terms of that license document, provided that the further restriction does not survive such relicensing or conveying.
-
-If you add terms to a covered work in accord with this section, you must place, in the relevant source files, a statement of the additional terms that apply to those files, or a notice indicating where to find the applicable terms.
-
-Additional terms, permissive or non-permissive, may be stated in the form of a separately written license, or stated as exceptions; the above requirements apply either way.
-
-8. Termination.
-You may not propagate or modify a covered work except as expressly provided under this License. Any attempt otherwise to propagate or modify it is void, and will automatically terminate your rights under this License (including any patent licenses granted under the third paragraph of section 11).
-
-However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation.
-
-Moreover, your license from a particular copyright holder is reinstated permanently if the copyright holder notifies you of the violation by some reasonable means, this is the first time you have received notice of violation of this License (for any work) from that copyright holder, and you cure the violation prior to 30 days after your receipt of the notice.
-
-Termination of your rights under this section does not terminate the licenses of parties who have received copies or rights from you under this License. If your rights have been terminated and not permanently reinstated, you do not qualify to receive new licenses for the same material under section 10.
-
-9. Acceptance Not Required for Having Copies.
-You are not required to accept this License in order to receive or run a copy of the Program. Ancillary propagation of a covered work occurring solely as a consequence of using peer-to-peer transmission to receive a copy likewise does not require acceptance. However, nothing other than this License grants you permission to propagate or modify any covered work. These actions infringe copyright if you do not accept this License. Therefore, by modifying or propagating a covered work, you indicate your acceptance of this License to do so.
-
-10. Automatic Licensing of Downstream Recipients.
-Each time you convey a covered work, the recipient automatically receives a license from the original licensors, to run, modify and propagate that work, subject to this License. You are not responsible for enforcing compliance by third parties with this License.
-
-An “entity transaction” is a transaction transferring control of an organization, or substantially all assets of one, or subdividing an organization, or merging organizations. If propagation of a covered work results from an entity transaction, each party to that transaction who receives a copy of the work also receives whatever licenses to the work the party's predecessor in interest had or could give under the previous paragraph, plus a right to possession of the Corresponding Source of the work from the predecessor in interest, if the predecessor has it or can get it with reasonable efforts.
-
-You may not impose any further restrictions on the exercise of the rights granted or affirmed under this License. For example, you may not impose a license fee, royalty, or other charge for exercise of rights granted under this License, and you may not initiate litigation (including a cross-claim or counterclaim in a lawsuit) alleging that any patent claim is infringed by making, using, selling, offering for sale, or importing the Program or any portion of it.
-
-11. Patents.
-A “contributor” is a copyright holder who authorizes use under this License of the Program or a work on which the Program is based. The work thus licensed is called the contributor's “contributor version”.
-
-A contributor's “essential patent claims” are all patent claims owned or controlled by the contributor, whether already acquired or hereafter acquired, that would be infringed by some manner, permitted by this License, of making, using, or selling its contributor version, but do not include claims that would be infringed only as a consequence of further modification of the contributor version. For purposes of this definition, “control” includes the right to grant patent sublicenses in a manner consistent with the requirements of this License.
-
-Each contributor grants you a non-exclusive, worldwide, royalty-free patent license under the contributor's essential patent claims, to make, use, sell, offer for sale, import and otherwise run, modify and propagate the contents of its contributor version.
-
-In the following three paragraphs, a “patent license” is any express agreement or commitment, however denominated, not to enforce a patent (such as an express permission to practice a patent or covenant not to sue for patent infringement). To “grant” such a patent license to a party means to make such an agreement or commitment not to enforce a patent against the party.
-
-If you convey a covered work, knowingly relying on a patent license, and the Corresponding Source of the work is not available for anyone to copy, free of charge and under the terms of this License, through a publicly available network server or other readily accessible means, then you must either (1) cause the Corresponding Source to be so available, or (2) arrange to deprive yourself of the benefit of the patent license for this particular work, or (3) arrange, in a manner consistent with the requirements of this License, to extend the patent license to downstream recipients. “Knowingly relying” means you have actual knowledge that, but for the patent license, your conveying the covered work in a country, or your recipient's use of the covered work in a country, would infringe one or more identifiable patents in that country that you have reason to believe are valid.
-
-If, pursuant to or in connection with a single transaction or arrangement, you convey, or propagate by procuring conveyance of, a covered work, and grant a patent license to some of the parties receiving the covered work authorizing them to use, propagate, modify or convey a specific copy of the covered work, then the patent license you grant is automatically extended to all recipients of the covered work and works based on it.
-
-A patent license is “discriminatory” if it does not include within the scope of its coverage, prohibits the exercise of, or is conditioned on the non-exercise of one or more of the rights that are specifically granted under this License. You may not convey a covered work if you are a party to an arrangement with a third party that is in the business of distributing software, under which you make payment to the third party based on the extent of your activity of conveying the work, and under which the third party grants, to any of the parties who would receive the covered work from you, a discriminatory patent license (a) in connection with copies of the covered work conveyed by you (or copies made from those copies), or (b) primarily for and in connection with specific products or compilations that contain the covered work, unless you entered into that arrangement, or that patent license was granted, prior to 28 March 2007.
-
-Nothing in this License shall be construed as excluding or limiting any implied license or other defenses to infringement that may otherwise be available to you under applicable patent law.
-
-12. No Surrender of Others' Freedom.
-If conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot convey a covered work so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not convey it at all. For example, if you agree to terms that obligate you to collect a royalty for further conveying from those to whom you convey the Program, the only way you could satisfy both those terms and this License would be to refrain entirely from conveying the Program.
-
-13. Use with the GNU Affero General Public License.
-Notwithstanding any other provision of this License, you have permission to link or combine any covered work with a work licensed under version 3 of the GNU Affero General Public License into a single combined work, and to convey the resulting work. The terms of this License will continue to apply to the part which is the covered work, but the special requirements of the GNU Affero General Public License, section 13, concerning interaction through a network will apply to the combination as such.
-
-14. Revised Versions of this License.
-The Free Software Foundation may publish revised and/or new versions of the GNU General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.
-
-Each version is given a distinguishing version number. If the Program specifies that a certain numbered version of the GNU General Public License “or any later version” applies to it, you have the option of following the terms and conditions either of that numbered version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of the GNU General Public License, you may choose any version ever published by the Free Software Foundation.
-
-If the Program specifies that a proxy can decide which future versions of the GNU General Public License can be used, that proxy's public statement of acceptance of a version permanently authorizes you to choose that version for the Program.
-
-Later license versions may give you additional or different permissions. However, no additional obligations are imposed on any author or copyright holder as a result of your choosing to follow a later version.
-
-15. Disclaimer of Warranty.
-THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
-
-16. Limitation of Liability.
-IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
-
-17. Interpretation of Sections 15 and 16.
-If the disclaimer of warranty and limitation of liability provided above cannot be given local legal effect according to their terms, reviewing courts shall apply local law that most closely approximates an absolute waiver of all civil liability in connection with the Program, unless a warranty or assumption of liability accompanies a copy of the Program in return for a fee.
-
-END OF TERMS AND CONDITIONS
-
-How to Apply These Terms to Your New Programs
-
-If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms.
-
-To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively state the exclusion of warranty; and each file should have at least the “copyright” line and a pointer to where the full notice is found.
-
-     <one line to give the program's name and a brief idea of what it does.>
-     Copyright (C) <year>  <name of author>
-
-     This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
-
-     This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-
-     You should have received a copy of the GNU General Public License along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-Also add information on how to contact you by electronic and paper mail.
-
-If the program does terminal interaction, make it output a short notice like this when it starts in an interactive mode:
-
-     <program>  Copyright (C) <year>  <name of author>
-     This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
-     This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details.
-
-The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, your program's commands might be different; for a GUI interface, you would use an “about box”.
-
-You should also get your employer (if you work as a programmer) or school, if any, to sign a “copyright disclaimer” for the program, if necessary. For more information on this, and how to apply and follow the GNU GPL, see <http://www.gnu.org/licenses/>.
-
-The GNU General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Lesser General Public License instead of this License. But first, please read <http://www.gnu.org/philosophy/why-not-lgpl.html>.

LICENSES/ISC.txt

@@ -1,8 +0,0 @@
-ISC License:
-
-Copyright (c) 2004-2010 by Internet Systems Consortium, Inc. ("ISC")
-Copyright (c) 1995-2003 by Internet Software Consortium
-
-Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

LICENSES/LLVM-exception.txt

@@ -1,15 +0,0 @@
----- LLVM Exceptions to the Apache 2.0 License ----
-
-   As an exception, if, as a result of your compiling your source code, portions
-   of this Software are embedded into an Object form of such source code, you
-   may redistribute such embedded portions in such Object form without complying
-   with the conditions of Sections 4(a), 4(b) and 4(d) of the License.
-
-   In addition, if you combine or link compiled forms of this Software with
-   software that is licensed under the GPLv2 ("Combined Software") and if a
-   court of competent jurisdiction determines that the patent provision (Section
-   3), the indemnity provision (Section 9) or other Section of the License
-   conflicts with the conditions of the GPLv2, you may retroactively and
-   prospectively choose to deem waived or otherwise exclude such Section(s) of
-   the License, but only in their entirety and only with respect to the Combined
-   Software.

LICENSES/MIT.txt

@@ -1,9 +0,0 @@
-MIT License
-
-Copyright (c) <year> <copyright holders>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

LICENSES/MPL-2.0.txt

@@ -1,144 +0,0 @@
-Mozilla Public License Version 2.0
-
-1. Definitions
-
-     1.1. "Contributor" means each individual or legal entity that creates, contributes to the creation of, or owns Covered Software.
-
-     1.2. "Contributor Version" means the combination of the Contributions of others (if any) used by a Contributor and that particular Contributor's Contribution.
-
-     1.3. "Contribution" means Covered Software of a particular Contributor.
-
-     1.4. "Covered Software" means Source Code Form to which the initial Contributor has attached the notice in Exhibit A, the Executable Form of such Source Code Form, and Modifications of such Source Code Form, in each case including portions thereof.
-
-     1.5. "Incompatible With Secondary Licenses" means
-
-          (a) that the initial Contributor has attached the notice described in Exhibit B to the Covered Software; or
-
-          (b) that the Covered Software was made available under the terms of version 1.1 or earlier of the License, but not also under the terms of a Secondary License.
-
-     1.6. "Executable Form" means any form of the work other than Source Code Form.
-
-     1.7. "Larger Work" means a work that combines Covered Software with other material, in a separate file or files, that is not Covered Software.
-
-     1.8. "License" means this document.
-
-     1.9. "Licensable" means having the right to grant, to the maximum extent possible, whether at the time of the initial grant or subsequently, any and all of the rights conveyed by this License.
-
-     1.10. "Modifications" means any of the following:
-
-          (a) any file in Source Code Form that results from an addition to, deletion from, or modification of the contents of Covered Software; or
-
-          (b) any new file in Source Code Form that contains any Covered Software.
-
-     1.11. "Patent Claims" of a Contributor means any patent claim(s), including without limitation, method, process, and apparatus claims, in any patent Licensable by such Contributor that would be infringed, but for the grant of the License, by the making, using, selling, offering for sale, having made, import, or transfer of either its Contributions or its Contributor Version.
-
-     1.12. "Secondary License" means either the GNU General Public License, Version 2.0, the GNU Lesser General Public License, Version 2.1, the GNU Affero General Public License, Version 3.0, or any later versions of those licenses.
-
-     1.13. "Source Code Form" means the form of the work preferred for making modifications.
-
-     1.14. "You" (or "Your") means an individual or a legal entity exercising rights under this License. For legal entities, "You" includes any entity that controls, is controlled by, or is under common control with You. For purposes of this definition, "control" means (a) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (b) ownership of more than fifty percent (50%) of the outstanding shares or beneficial ownership of such entity.
-
-2. License Grants and Conditions
-
-     2.1. Grants
-     Each Contributor hereby grants You a world-wide, royalty-free, non-exclusive license:
-
-          (a) under intellectual property rights (other than patent or trademark) Licensable by such Contributor to use, reproduce, make available, modify, display, perform, distribute, and otherwise exploit its Contributions, either on an unmodified basis, with Modifications, or as part of a Larger Work; and
-
-          (b) under Patent Claims of such Contributor to make, use, sell, offer for sale, have made, import, and otherwise transfer either its Contributions or its Contributor Version.
-
-     2.2. Effective Date
-     The licenses granted in Section 2.1 with respect to any Contribution become effective for each Contribution on the date the Contributor first distributes such Contribution.
-
-     2.3. Limitations on Grant Scope
-     The licenses granted in this Section 2 are the only rights granted under this License. No additional rights or licenses will be implied from the distribution or licensing of Covered Software under this License. Notwithstanding Section 2.1(b) above, no patent license is granted by a Contributor:
-
-          (a) for any code that a Contributor has removed from Covered Software; or
-
-          (b) for infringements caused by: (i) Your and any other third party's modifications of Covered Software, or (ii) the combination of its Contributions with other software (except as part of its Contributor Version); or
-
-          (c) under Patent Claims infringed by Covered Software in the absence of its Contributions.
-
-     This License does not grant any rights in the trademarks, service marks, or logos of any Contributor (except as may be necessary to comply with the notice requirements in Section 3.4).
-
-     2.4. Subsequent Licenses
-     No Contributor makes additional grants as a result of Your choice to distribute the Covered Software under a subsequent version of this License (see Section 10.2) or under the terms of a Secondary License (if permitted under the terms of Section 3.3).
-
-     2.5. Representation
-     Each Contributor represents that the Contributor believes its Contributions are its original creation(s) or it has sufficient rights to grant the rights to its Contributions conveyed by this License.
-
-     2.6. Fair Use
-     This License is not intended to limit any rights You have under applicable copyright doctrines of fair use, fair dealing, or other equivalents.
-
-     2.7. Conditions
-     Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in Section 2.1.
-
-3. Responsibilities
-
-     3.1. Distribution of Source Form
-     All distribution of Covered Software in Source Code Form, including any Modifications that You create or to which You contribute, must be under the terms of this License. You must inform recipients that the Source Code Form of the Covered Software is governed by the terms of this License, and how they can obtain a copy of this License. You may not attempt to alter or restrict the recipients' rights in the Source Code Form.
-
-     3.2. Distribution of Executable Form
-     If You distribute Covered Software in Executable Form then:
-
-          (a) such Covered Software must also be made available in Source Code Form, as described in Section 3.1, and You must inform recipients of the Executable Form how they can obtain a copy of such Source Code Form by reasonable means in a timely manner, at a charge no more than the cost of distribution to the recipient; and
-
-          (b) You may distribute such Executable Form under the terms of this License, or sublicense it under different terms, provided that the license for the Executable Form does not attempt to limit or alter the recipients' rights in the Source Code Form under this License.
-
-     3.3. Distribution of a Larger Work
-     You may create and distribute a Larger Work under terms of Your choice, provided that You also comply with the requirements of this License for the Covered Software. If the Larger Work is a combination of Covered Software with a work governed by one or more Secondary Licenses, and the Covered Software is not Incompatible With Secondary Licenses, this License permits You to additionally distribute such Covered Software under the terms of such Secondary License(s), so that the recipient of the Larger Work may, at their option, further distribute the Covered Software under the terms of either this License or such Secondary License(s).
-
-     3.4. Notices
-     You may not remove or alter the substance of any license notices (including copyright notices, patent notices, disclaimers of warranty, or limitations of liability) contained within the Source Code Form of the Covered Software, except that You may alter any license notices to the extent required to remedy known factual inaccuracies.
-
-     3.5. Application of Additional Terms
-     You may choose to offer, and to charge a fee for, warranty, support, indemnity or liability obligations to one or more recipients of Covered Software. However, You may do so only on Your own behalf, and not on behalf of any Contributor. You must make it absolutely clear that any such warranty, support, indemnity, or liability obligation is offered by You alone, and You hereby agree to indemnify every Contributor for any liability incurred by such Contributor as a result of warranty, support, indemnity or liability terms You offer. You may include additional disclaimers of warranty and limitations of liability specific to any jurisdiction.
-
-4. Inability to Comply Due to Statute or Regulation
-If it is impossible for You to comply with any of the terms of this License with respect to some or all of the Covered Software due to statute, judicial order, or regulation then You must: (a) comply with the terms of this License to the maximum extent possible; and (b) describe the limitations and the code they affect. Such description must be placed in a text file included with all distributions of the Covered Software under this License. Except to the extent prohibited by statute or regulation, such description must be sufficiently detailed for a recipient of ordinary skill to be able to understand it.
-
-5. Termination
-
-     5.1. The rights granted under this License will terminate automatically if You fail to comply with any of its terms. However, if You become compliant, then the rights granted under this License from a particular Contributor are reinstated (a) provisionally, unless and until such Contributor explicitly and finally terminates Your grants, and (b) on an ongoing basis, if such Contributor fails to notify You of the non-compliance by some reasonable means prior to 60 days after You have come back into compliance. Moreover, Your grants from a particular Contributor are reinstated on an ongoing basis if such Contributor notifies You of the non-compliance by some reasonable means, this is the first time You have received notice of non-compliance with this License from such Contributor, and You become compliant prior to 30 days after Your receipt of the notice.
-
-     5.2. If You initiate litigation against any entity by asserting a patent infringement claim (excluding declaratory judgment actions, counter-claims, and cross-claims) alleging that a Contributor Version directly or indirectly infringes any patent, then the rights granted to You by any and all Contributors for the Covered Software under Section 2.1 of this License shall terminate.
-
-     5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user license agreements (excluding distributors and resellers) which have been validly granted by You or Your distributors under this License prior to termination shall survive termination.
-
-6. Disclaimer of Warranty
-Covered Software is provided under this License on an "as is" basis, without warranty of any kind, either expressed, implied, or statutory, including, without limitation, warranties that the Covered Software is free of defects, merchantable, fit for a particular purpose or non-infringing. The entire risk as to the quality and performance of the Covered Software is with You. Should any Covered Software prove defective in any respect, You (not any Contributor) assume the cost of any necessary servicing, repair, or correction. This disclaimer of warranty constitutes an essential part of this License. No use of any Covered Software is authorized under this License except under this disclaimer.
-
-7. Limitation of Liability
-Under no circumstances and under no legal theory, whether tort (including negligence), contract, or otherwise, shall any Contributor, or anyone who distributes Covered Software as permitted above, be liable to You for any direct, indirect, special, incidental, or consequential damages of any character including, without limitation, damages for lost profits, loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses, even if such party shall have been informed of the possibility of such damages. This limitation of liability shall not apply to liability for death or personal injury resulting from such party's negligence to the extent applicable law prohibits such limitation. Some jurisdictions do not allow the exclusion or limitation of incidental or consequential damages, so this exclusion and limitation may not apply to You.
-
-8. Litigation
-Any litigation relating to this License may be brought only in the courts of a jurisdiction where the defendant maintains its principal place of business and such litigation shall be governed by laws of that jurisdiction, without reference to its conflict-of-law provisions. Nothing in this Section shall prevent a party's ability to bring cross-claims or counter-claims.
-
-9. Miscellaneous
-This License represents the complete agreement concerning the subject matter hereof. If any provision of this License is held to be unenforceable, such provision shall be reformed only to the extent necessary to make it enforceable. Any law or regulation which provides that the language of a contract shall be construed against the drafter shall not be used to construe this License against a Contributor.
-
-10. Versions of the License
-
-     10.1. New Versions
-     Mozilla Foundation is the license steward. Except as provided in Section 10.3, no one other than the license steward has the right to modify or publish new versions of this License. Each version will be given a distinguishing version number.
-
-     10.2. Effect of New Versions
-     You may distribute the Covered Software under the terms of the version of the License under which You originally received the Covered Software, or under the terms of any subsequent version published by the license steward.
-
-     10.3. Modified Versions
-     If you create software not governed by this License, and you want to create a new license for such software, you may create and use a modified version of this License if you rename the license and remove any references to the name of the license steward (except to note that such modified license differs from this License).
-
-     10.4. Distributing Source Code Form that is Incompatible With Secondary Licenses
-     If You choose to distribute Source Code Form that is Incompatible With Secondary Licenses under the terms of this version of the License, the notice described in Exhibit B of this License must be attached.
-
-Exhibit A - Source Code Form License Notice
-
-     This Source Code Form is subject to the terms of the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, you can obtain one at https://mozilla.org/MPL/2.0/.
-
-If it is not possible or desirable to put the notice in a particular file, then You may include the notice in a location (such as a LICENSE file in a relevant directory) where a recipient would be likely to look for such a notice.
-
-You may add additional accurate notices of copyright ownership.
-
-Exhibit B - "Incompatible With Secondary Licenses" Notice
-
-     This Source Code Form is "Incompatible With Secondary Licenses", as defined by the Mozilla Public License, v. 2.0.

Makefile.am

@@ -1,26 +1,21 @@
 include $(top_srcdir)/Makefile.top
 
-SUBDIRS = . lib doc
+SUBDIRS = . lib doc bin fuzz
 
-# build libtest before fuzz/* and bin/tests
-SUBDIRS += tests
-
-# run fuzz tests before system tests
-SUBDIRS += fuzz bin
-
-BUILT_SOURCES += bind.keys.h
-CLEANFILES += bind.keys.h
+BUILT_SOURCES = bind.keys.h
+CLEANFILES = bind.keys.h
 
 bind.keys.h: bind.keys Makefile
 	${PERL} ${top_srcdir}/util/bindkeys.pl ${top_srcdir}/bind.keys > $@
 
+dist_sysconf_DATA = bind.keys
+
 .PHONY: doc
 
-EXTRA_DIST =			\
-	bind.keys		\
+EXTRA_DIST = 			\
 	util/bindkeys.pl	\
-	util/dtrace.sh		\
 	contrib			\
+	CHANGES			\
 	COPYRIGHT		\
 	LICENSE			\
 	*.md

Makefile.docs

@@ -2,7 +2,6 @@ SPHINX_V = $(SPHINX_V_@AM_V@)
 SPHINX_V_ = $(SPHINX_V_@AM_DEFAULT_V@)
 SPHINX_V_0 = -q
 SPHINX_V_1 = -n
-SPHINX_W = -W
 
 AM_V_SPHINX = $(AM_V_SPHINX_@AM_V@)
 AM_V_SPHINX_ = $(AM_V_SPHINX_@AM_DEFAULT_V@)
@@ -10,44 +9,26 @@ AM_V_SPHINX_0 = @echo "  SPHINX   $@";
 
 SPHINXBUILDDIR = $(builddir)/_build
 
-LF = \n
-RNDC_CONF = .. |rndc_conf| replace:: ``$(sysconfdir)/rndc.conf``
-RNDC_KEY = .. |rndc_key| replace:: ``$(sysconfdir)/rndc.key``
-NAMED_CONF = .. |named_conf| replace:: ``$(sysconfdir)/named.conf``
-NAMED_PID = .. |named_pid| replace:: ``$(runstatedir)/named.pid``
-SESSION_KEY = .. |session_key| replace:: ``$(runstatedir)/session.key``
-
-export RST_EPILOG = $(RNDC_CONF)$(LF)$(RNDC_KEY)$(LF)$(NAMED_CONF)$(LF)$(BIND_KEYS)$(LF)$(NAMED_PID)$(LF)$(SESSION_KEY)
-
 common_SPHINXOPTS =			\
-	$(SPHINX_W)			\
+	-W				\
 	-c $(srcdir)			\
 	-a				\
 	$(SPHINX_V)
 
-ALLSPHINXOPTS =					\
-	$(common_SPHINXOPTS)			\
-	-D rst_epilog="$$(printf "$${RST_EPILOG}")"	\
-	$(SPHINXOPTS)				\
+ALLSPHINXOPTS =				\
+	$(common_SPHINXOPTS)		\
+	-D version="$(PACKAGE_VERSION)"	\
+	-D today="$(RELEASE_DATE)"	\
+	-D release="$(PACKAGE_VERSION)"	\
+	$(SPHINXOPTS)			\
 	$(srcdir)
 
-_ = @
-man_RNDC_CONF = .. |rndc_conf| replace:: ``$(_)sysconfdir$(_)/rndc.conf``
-man_RNDC_KEY = .. |rndc_key| replace:: ``$(_)sysconfdir$(_)/rndc.key``
-man_NAMED_CONF = .. |named_conf| replace:: ``$(_)sysconfdir$(_)/named.conf``
-man_BIND_KEYS = .. |bind_keys| replace:: ``$(_)sysconfdir$(_)/bind.keys``
-man_NAMED_PID = .. |named_pid| replace:: ``$(_)runstatedir$(_)/named.pid``
-man_SESSION_KEY = .. |session_key| replace:: ``$(_)runstatedir$(_)/session.key``
-
-export man_RST_EPILOG = $(man_RNDC_CONF)$(LF)$(man_RNDC_KEY)$(LF)$(man_NAMED_CONF)$(LF)$(man_BIND_KEYS)$(LF)$(man_NAMED_PID)$(LF)$(man_SESSION_KEY)
-
-man_SPHINXOPTS =				\
-	$(common_SPHINXOPTS)			\
-	-D version="@""PACKAGE_VERSION@"	\
-	-D today="@""RELEASE_DATE@"		\
-	-D release="@""PACKAGE_VERSION@"	\
-	-D rst_epilog="$$(printf "$${man_RST_EPILOG}")"	\
-	$(SPHINXOPTS)				\
+man_SPHINXOPTS =			\
+	$(common_SPHINXOPTS)		\
+	-D version="@""PACKAGE_VERSION@"\
+	-D today="@""RELEASE_DATE@"	\
+	-D release="@""PACKAGE_VERSION@"\
+	$(SPHINXOPTS)			\
 	$(srcdir)
 
 AM_V_SED = $(AM_V_SED_@AM_V@)
@@ -57,3 +38,15 @@ AM_V_SED_0 = @echo "  SED $@";
 AM_V_CFG_TEST = $(AM_V_CFG_TEST_@AM_V@)
 AM_V_CFG_TEST_ = $(AM_V_CFG_TEST_@AM_DEFAULT_V@)
 AM_V_CFG_TEST_0 = @echo "  CFG_GEN $@";
+
+AM_V_RST_OPTIONS = $(AM_V_CFG_TEST_@AM_V@)
+AM_V_RST_OPTIONS_ = $(AM_V_RST_OPTIONS_@AM_DEFAULT_V@)
+AM_V_RST_OPTIONS_0 = @echo "  RST_OPTIONS $@";
+
+AM_V_RST_ZONEOPT = $(AM_V_CFG_TEST_@AM_V@)
+AM_V_RST_ZONEOPT_ = $(AM_V_RST_ZONEOPT_@AM_DEFAULT_V@)
+AM_V_RST_ZONEOPT_0 = @echo "  RST_ZONEOPT $@";
+
+AM_V_RST_GRAMMARS = $(AM_V_CFG_TEST_@AM_V@)
+AM_V_RST_GRAMMARS_ = $(AM_V_RST_GRAMMARS_@AM_DEFAULT_V@)
+AM_V_RST_GRAMMARS_0 = @echo "  RST_GRAMMARS $@";

Makefile.dtrace

@@ -1,20 +0,0 @@
-# Hey Emacs, this is -*- makefile-automake -*- file!
-# vim: filetype=automake
-
-AM_V_DTRACE = $(AM_V_DTRACE_@AM_V@)
-AM_V_DTRACE_ = $(AM_V_DTRACE_@AM_DEFAULT_V@)
-AM_V_DTRACE_0 = @echo "  DTRACE   $@";
-
-BUILT_SOURCES += probes.h
-CLEANFILES += probes.h probes.o
-
-probes.h: Makefile probes.d
-	$(AM_V_DTRACE)$(DTRACE) -s $(srcdir)/probes.d -h -o $@
-probes.lo: Makefile probes.d $(DTRACE_DEPS)
-	$(AM_V_DTRACE)$(LIBTOOL) --mode=compile --tag=CC $(DTRACE) -s $(srcdir)/probes.d -G -o $@ $(DTRACE_OBJS)
-
-if HAVE_DTRACE
-if !HOST_MACOS
-DTRACE_LIBADD = probes.lo
-endif
-endif

Makefile.tests

@@ -3,26 +3,15 @@
 
 unit-local: check
 
-if HAVE_CMOCKA
 TESTS = $(check_PROGRAMS)
-endif HAVE_CMOCKA
 
-LOG_COMPILER = $(top_builddir)/tests/unit-test-driver.sh
-
-AM_CFLAGS +=					\
-	-I$(top_srcdir)/tests/include		\
-	$(TEST_CFLAGS)
+LOG_COMPILER = $(builddir)/../../unit-test-driver.sh
 
 AM_CPPFLAGS +=					\
 	$(CMOCKA_CFLAGS)			\
-	-DNAMED_PLUGINDIR=\"$(pkglibdir)\"	\
+	-DNAMED_PLUGINDIR=\"$(libdir)/named\"	\
+	-DSKIPPED_TEST_EXIT_CODE=77		\
 	-DTESTS_DIR=\"$(abs_srcdir)\"
 
-LDADD +=						\
-	$(top_builddir)/tests/libtest/libtest.la	\
+LDADD +=					\
 	$(CMOCKA_LIBS)
-
-if HAVE_JEMALLOC
-AM_CFLAGS += $(JEMALLOC_CFLAGS)
-LDADD += $(JEMALLOC_LIBS)
-endif

Makefile.top

@@ -11,35 +11,20 @@ AM_CPPFLAGS =					\
 	-include $(top_builddir)/config.h	\
 	-I$(srcdir)/include
 
-AM_LDFLAGS =					\
-	$(STD_LDFLAGS)
+AM_LDFLAGS =
 LDADD =
 
-BUILT_SOURCES =
-CLEANFILES =
-
 if HOST_MACOS
 AM_LDFLAGS +=					\
 	-Wl,-flat_namespace
 endif HOST_MACOS
 
-if HAVE_JEMALLOC
-LIBISC_CFLAGS = $(JEMALLOC_CFLAGS)
-LIBISC_LIBS = $(JEMALLOC_LIBS)
-else
-LIBISC_CFLAGS =
-LIBISC_LIBS =
-endif
-
-LIBISC_CFLAGS +=						\
+LIBISC_CFLAGS =						\
 	-I$(top_srcdir)/include				\
 	-I$(top_srcdir)/lib/isc/include			\
 	-I$(top_builddir)/lib/isc/include
 
-LIBISC_LIBS += $(top_builddir)/lib/isc/libisc.la
-if HAVE_DTRACE
-LIBISC_DTRACE = $(top_builddir)/lib/isc/probes.lo
-endif
+LIBISC_LIBS = $(top_builddir)/lib/isc/libisc.la
 
 LIBDNS_CFLAGS = \
 	-I$(top_srcdir)/lib/dns/include			\
@@ -47,18 +32,18 @@ LIBDNS_CFLAGS = \
 
 LIBDNS_LIBS = \
 	$(top_builddir)/lib/dns/libdns.la
-if HAVE_DTRACE
-LIBDNS_DTRACE = $(top_builddir)/lib/dns/probes.lo
-endif
 
 LIBNS_CFLAGS = \
 	-I$(top_srcdir)/lib/ns/include
 
 LIBNS_LIBS = \
 	$(top_builddir)/lib/ns/libns.la
-if HAVE_DTRACE
-LIBNS_DTRACE = $(top_builddir)/lib/ns/probes.lo
-endif
+
+LIBIRS_CFLAGS = \
+	-I$(top_srcdir)/lib/irs/include
+
+LIBIRS_LIBS = \
+	$(top_builddir)/lib/irs/libirs.la
 
 LIBISCCFG_CFLAGS = \
 	-I$(top_srcdir)/lib/isccfg/include
@@ -71,3 +56,9 @@ LIBISCCC_CFLAGS = \
 
 LIBISCCC_LIBS = \
 	$(top_builddir)/lib/isccc/libisccc.la
+
+LIBBIND9_CFLAGS = \
+	-I$(top_srcdir)/lib/bind9/include
+
+LIBBIND9_LIBS = \
+	$(top_builddir)/lib/bind9/libbind9.la

NEWS

@@ -1 +1 @@
-doc/arm/changelog.rst
+CHANGES

OPTIONS.md

@@ -1,14 +1,12 @@
 <!--
-Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
-SPDX-License-Identifier: MPL-2.0
-
-This Source Code Form is subject to the terms of the Mozilla Public
-License, v. 2.0.  If a copy of the MPL was not distributed with this
-file, you can obtain one at https://mozilla.org/MPL/2.0/.
-
-See the COPYRIGHT file distributed with this work for additional
-information regarding copyright ownership.
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
 -->
 Setting the `CPPFLAGS` environment variable before running `configure`
 can be used to enable certain compile-time options that are not
@@ -26,4 +24,3 @@ Some of these settings are:
 | `-DISC_MEM_TRACKLINES=0`     | Don't track memory allocations by file and line number; this improves performance but makes debugging more difficult                   |
 | `-DNAMED_RUN_PID_DIR=0`      | Create default PID files in `${localstatedir}/run` rather than `${localstatedir}/run/named/`                                           |
 | `-DNS_CLIENT_DROPPORT=0`     | Disable dropping queries from particular well-known ports                                                                              |
-| `-DOPENSSL_API_COMPAT=10100` | Build using the deprecated OpenSSL APIs so that the `engine` API is available when building with OpenSSL 3.0.0 for PKCS#11 support     |

PLATFORMS.md

@@ -0,0 +1,117 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+## Supported platforms
+
+In general, this version of BIND will build and run on any POSIX-compliant
+system with a C11-compliant C compiler, BSD-style sockets with RFC-compliant
+IPv6 support, and POSIX-compliant threads, plus the following mandatory
+libraries:
+
+- `libuv` for asynchronous I/O operations and event loops
+- `libssl` and `libcrypto` from OpenSSL for cryptography
+
+Use of the following libraries is optional:
+
+- `libjemalloc` for improved memory allocation performance
+- `libnghttp2` for DNS-over-HTTPS (DoH) support
+
+The following C11 features are used in BIND 9:
+
+* Atomic operations support, either in the form of C11 atomics or
+  `__atomic` builtin operations.
+
+* Thread Local Storage support, either in the form of C11
+  `_Thread_local`/`thread_local`, or the `__thread` GCC extension.
+
+The C11 variants are preferred.
+
+BIND 9.17 requires a fairly recent version of `libuv` (at least 1.x).  For
+some of the older systems listed below, you will have to install an updated
+`libuv` package from sources such as EPEL, PPA, or other native sources for
+updated packages. The other option is to build and install `libuv` from
+source.
+
+Certain optional BIND features have additional library dependencies.
+These include:
+
+* `libfstrm` and `libprotobuf-c` for DNSTAP
+* `libidn2` for display of internationalized domain names in `dig`
+* `libjson-c` for JSON statistics
+* `libmaxminddb` for geolocation
+* `libnghttp2` for DNS over HTTPS
+* `libxml2` for XML statistics
+* `libz` for compression of the HTTP statistics channel
+* `readline` for line editing in `nsupdate` and `nslookup`
+
+ISC regularly tests BIND on many operating systems and architectures, but
+lacks the resources to test all of them. Consequently, ISC is only able to
+offer support on a "best effort" basis for some.
+
+### Regularly tested platforms
+
+As of Nov 2020, BIND 9.17 is fully supported and regularly tested on the
+following systems:
+
+* Debian 9, 10
+* Ubuntu LTS 18.04, 20.04
+* Fedora 34
+* Red Hat Enterprise Linux / CentOS 7, 8
+* FreeBSD 11.4, 12.2, 13.0
+* OpenBSD 6.9
+* Alpine Linux 3.14
+
+The amd64, i386, armhf and arm64 CPU architectures are all fully supported.
+
+### Best effort
+
+The following are platforms on which BIND is known to build and run.
+ISC makes every effort to fix bugs on these platforms, but may be unable
+to do so quickly due to lack of hardware, less familiarity on the part
+of engineering staff, and other constraints. None of these are tested
+regularly by ISC.
+
+* macOS 10.12+
+* Solaris 11
+* NetBSD
+* Other Linux distributions still supported by their vendors, such as:
+    * Ubuntu 20.10+
+    * Gentoo
+    * Arch Linux
+* OpenWRT/LEDE 17.01+
+* Other CPU architectures (mips, mipsel, sparc, ...)
+
+### Community maintained
+
+These systems may not all have the required dependencies for building BIND
+easily available, although it will be possible in many cases to compile
+those directly from source. The community and interested parties may wish
+to help with maintenance, and we welcome patch contributions, although we
+cannot guarantee that we will accept them.  All contributions will be
+assessed against the risk of adverse effect on officially supported
+platforms.
+
+* Platforms past or close to their respective EOL dates, such as:
+    * Ubuntu 14.04, 16.04 (Ubuntu ESM releases are not supported)
+    * CentOS 6
+    * Debian Jessie
+    * FreeBSD 10.x
+
+## Unsupported platforms
+
+These are platforms on which BIND 9.17 is known *not* to build or run:
+
+* Platforms without at least OpenSSL 1.0.2
+* Windows
+* Solaris 10 and older
+* Platforms that don't support IPv6 Advanced Socket API (RFC 3542)
+* Platforms that don't support atomic operations (via compiler or library)
+* Linux without NPTL (Native POSIX Thread Library)
+* Platforms on which `libuv` cannot be compiled

README.md

@@ -1,14 +1,12 @@
 <!--
-Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
-SPDX-License-Identifier: MPL-2.0
-
-This Source Code Form is subject to the terms of the Mozilla Public
-License, v. 2.0.  If a copy of the MPL was not distributed with this
-file, you can obtain one at https://mozilla.org/MPL/2.0/.
-
-See the COPYRIGHT file distributed with this work for additional
-information regarding copyright ownership.
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
 -->
 # BIND 9
 
@@ -18,8 +16,12 @@ information regarding copyright ownership.
 1. [Reporting bugs and getting help](#help)
 1. [Contributing to BIND](#contrib)
 1. [Building BIND](#build)
+1. [macOS](#macos)
+1. [Dependencies](#dependencies)
+1. [Compile-time options](#opts)
 1. [Automated testing](#testing)
 1. [Documentation](#doc)
+1. [Change log](#changes)
 1. [Acknowledgments](#ack)
 
 ### <a name="intro"/> Introduction
@@ -48,14 +50,13 @@ ongoing maintenance and improvement. BIND is open source software
 licensed under the terms of the Mozilla Public License, version 2.0.
 
 For a detailed list of changes made throughout the history of BIND 9, see
-the [changelog](doc/arm/changelog.rst).
+the file [CHANGES](CHANGES). See [below](#changes) for details on the
+CHANGES file format.
 
 For up-to-date versions and release notes, see
 [https://www.isc.org/download/](https://www.isc.org/download/).
 
-For information about supported platforms, see the
-["Supported Platforms"](doc/arm/platforms.rst) section in the BIND 9
-Administrator Reference Manual.
+For information about supported platforms, see [PLATFORMS](PLATFORMS.md).
 
 ### <a name="help"/> Reporting bugs and getting help
 
@@ -72,9 +73,17 @@ contents of your configuration file in a non-confidential issue, it is
 advisable to obscure key secrets; this can be done automatically by
 using `named-checkconf -px`.
 
-For information about ISC's Security Vulnerability Disclosure Policy and
-information about reporting potential security issues, please see
-`SECURITY.md`.
+If you are reporting a bug that is a potential security issue, such as an
+assertion failure or other crash in `named`, please do *NOT* use GitLab to
+report it. Instead, send mail to
+[security-officer@isc.org](mailto:security-officer@isc.org) using our
+OpenPGP key to secure your message. (Information about OpenPGP and links
+to our key can be found at
+[https://www.isc.org/pgpkey](https://www.isc.org/pgpkey).) Please do not
+discuss the bug on any public mailing list.
+
+For a general overview of ISC security policies, read the Knowledgebase
+article at [https://kb.isc.org/docs/aa-00861](https://kb.isc.org/docs/aa-00861).
 
 Professional support and training for BIND are available from
 ISC. Contact us at [https://www.isc.org/contact](https://www.isc.org/contact)
@@ -114,9 +123,143 @@ including your patch as an attachment, preferably generated by
 
 ### <a name="build"/> Building BIND 9
 
-For information about building BIND 9, see the
-["Building BIND 9"](doc/arm/build.inc.rst) section in the BIND 9
-Administrator Reference Manual.
+At a minimum, BIND requires a Unix or Linux system with an ANSI C compiler,
+basic POSIX support, and a 64-bit integer type. BIND also requires the
+`libuv` asynchronous I/O library, the `nghttp2` HTTP/2 library, the
+`jemalloc` memory allocation library, and the OpenSSL cryptography
+library.  On Linux, BIND requires the `libcap` library to set process
+privileges, though this requirement can be overridden by disabling
+capability support at compile time. See [Compile-time options](#opts)
+below for details on other libraries that may be required to support
+optional features.
+
+Successful builds have been observed on many versions of Linux and
+Unix, including RHEL/CentOS, Fedora, Debian, Ubuntu, SLES, openSUSE,
+Slackware, Alpine, FreeBSD, NetBSD, OpenBSD, macOS, Solaris,
+OpenIndiana, OmniOS CE, HP-UX, and OpenWRT.
+
+To build on a Unix or Linux system, use:
+
+		$ autoreconf -fi (if you are building in the git repository)
+		$ ./configure
+		$ make
+
+If you're using Emacs, you might find `make tags` helpful.
+
+Several environment variables, which can be set before running `configure`,
+affect compilation.  Significant ones are:
+
+|Variable|Description |
+|--------------------|-----------------------------------------------|
+|`CC`|The C compiler to use.  `configure` tries to figure out the right one for supported systems.|
+|`CFLAGS`|C compiler flags.  Defaults to include -g and/or -O2 as supported by the compiler.  Please include '-g' if you need to set `CFLAGS`. |
+|`LDFLAGS`|Linker flags. Defaults to empty string.|
+
+Additional environment variables affecting the build are listed at the
+end of the `configure` help text, which can be obtained by running the
+command:
+
+    $ ./configure --help
+
+#### <a name="macos"> macOS
+
+Building on macOS assumes that the "Command Tools for Xcode" are installed.
+These can be downloaded from
+[https://developer.apple.com/download/more/](https://developer.apple.com/download/more/)
+or, if you have Xcode already installed, you can run `xcode-select --install`.
+(Note that an Apple ID may be required to access the download page.)
+
+#### <a name="dependencies"> Dependencies
+
+To build BIND you need to have the following packages installed:
+
+    libuv
+    pkg-config / pkgconfig / pkgconf
+
+To build BIND from the git repository, you need the following tools
+installed:
+
+    autoconf (includes autoreconf)
+    automake
+    libtool
+
+#### <a name="opts"/> Compile-time options
+
+To see a full list of configuration options, run `configure --help`.
+
+For the server to support DNSSEC, you need to build it with crypto support.
+To use OpenSSL, you must have OpenSSL 1.0.2e or newer installed. If the
+OpenSSL library is installed in a nonstandard location, specify the prefix
+using `--with-openssl=<PREFIX>` on the configure command line. To use a
+PKCS#11 hardware service module for cryptographic operations, specify the
+path to the PKCS#11 provider library using `--with-pkcs11=<PREFIX>`, and
+configure BIND with `--enable-native-pkcs11`.
+
+To support DNS over HTTPS, the server must be linked with `libnghttp2`.
+
+To support the HTTP statistics channel, the server must be linked with at
+least one of the following libraries: `libxml2`
+[http://xmlsoft.org](http://xmlsoft.org) or `json-c`
+[https://github.com/json-c/json-c](https://github.com/json-c/json-c).
+If these are installed at a nonstandard location, then:
+
+* for `libxml2`, specify the prefix using `--with-libxml2=/prefix`.
+* for `json-c`, adjust `PKG_CONFIG_PATH`.
+
+To support compression on the HTTP statistics channel, the server must be
+linked against `libzlib`. If this is installed in a nonstandard location,
+specify the prefix using `--with-zlib=/prefix`.
+
+To support storing configuration data for runtime-added zones in an LMDB
+database, the server must be linked with `liblmdb`. If this is installed in a
+nonstandard location, specify the prefix using `with-lmdb=/prefix`.
+
+To support MaxMind GeoIP2 location-based ACLs, the server must be linked
+with `libmaxminddb`. This is turned on by default if the library is
+found; if the library is installed in a nonstandard location,
+specify the prefix using `--with-maxminddb=/prefix`. GeoIP2 support
+can be switched off with `--disable-geoip`.
+
+For DNSTAP packet logging, you must have installed `libfstrm`
+[https://github.com/farsightsec/fstrm](https://github.com/farsightsec/fstrm)
+and `libprotobuf-c`
+[https://developers.google.com/protocol-buffers](https://developers.google.com/protocol-buffers),
+and BIND must be configured with `--enable-dnstap`.
+
+Certain compiled-in constants and default settings can be decreased to
+values better suited to small machines, e.g. OpenWRT boxes, by specifying
+`--with-tuning=small` on the `configure` command line. This decreases
+memory usage by using smaller structures, but degrades performance.
+
+On Linux, process capabilities are managed in user space using
+the `libcap` library, which can be installed on most Linux systems via
+the `libcap-dev` or `libcap-devel` package. Process capability support can
+also be disabled by configuring with `--disable-linux-caps`.
+
+On some platforms it is necessary to explicitly request large file support
+to handle files bigger than 2GB.  This can be done by using
+`--enable-largefile` on the `configure` command line.
+
+Support for the "fixed" rrset-order option can be enabled or disabled by
+specifying `--enable-fixed-rrset` or `--disable-fixed-rrset` on the
+configure command line. By default, fixed rrset-order is disabled to
+reduce memory footprint.
+
+The `--enable-querytrace` option causes `named` to log every step of
+processing every query. The `--enable-singletrace` option turns on the
+same verbose tracing, but allows an individual query to be separately
+traced by setting its query ID to 0. These options should only be enabled
+when debugging, because they have a significant negative impact on query
+performance.
+
+`make install` installs `named` and the various BIND 9 libraries. By
+default, installation is into /usr/local, but this can be changed with the
+`--prefix` option when running `configure`.
+
+You may specify the option `--sysconfdir` to set the directory where
+configuration files like `named.conf` go by default, and `--localstatedir`
+to set the default parent directory of `run/named.pid`. `--sysconfdir`
+defaults to `$prefix/etc` and `--localstatedir` defaults to `$prefix/var`.
 
 ### <a name="testing"/> Automated testing
 
@@ -126,7 +269,7 @@ multiple servers to run locally and communicate with each other). These
 IP addresses can be configured by running the command
 `bin/tests/system/ifconfig.sh up` as root.
 
-Some tests require Perl and the `Net::DNS` and/or `IO::Socket::IP` modules,
+Some tests require Perl and the `Net::DNS` and/or `IO::Socket::INET6` modules,
 and are skipped if these are not available. Some tests require Python
 and the `dnspython` module and are skipped if these are not available.
 See bin/tests/system/README for further details.
@@ -139,18 +282,9 @@ parallel test driver; unit tests are also run by `make check`.
 
 The *BIND 9 Administrator Reference Manual* (ARM) is included with the source
 distribution, and in .rst format, in the `doc/arm`
-directory. The HTML version is automatically generated and can
+directory. HTML and PDF versions are automatically generated and can
 be viewed at [https://bind9.readthedocs.io/en/latest/index.html](https://bind9.readthedocs.io/en/latest/index.html).
 
-The PDF version can be built by running:
-
-    cd doc/arm/
-    sphinx-build -b latex . pdf/
-    make -C pdf/ all-pdf
-
-The above requires TeX Live in order to work. The PDF will be written to
-`doc/arm/pdf/Bv9ARM.pdf`.
-
 Man pages for some of the programs in the BIND 9 distribution
 are also included in the BIND ARM.
 
@@ -161,9 +295,38 @@ can be found in the ISC Knowledgebase at
 Additional information on various subjects can be found in other
 `README` files throughout the source tree.
 
+### <a name="changes"/> Change log
+
+A detailed list of all changes that have been made throughout the
+development of BIND 9 is included in the file CHANGES, with the most recent
+changes listed first. Change notes include tags indicating the category of
+the change that was made; these categories are:
+
+|Category	|Description	        			|
+|--------------	|-----------------------------------------------|
+| [func] | New feature |
+| [bug] | General bug fix |
+| [security] | Fix for a significant security flaw |
+| [experimental] | Used for new features when the syntax or other aspects of the design are still in flux and may change |
+| [port] | Portability enhancement |
+| [maint] | Updates to built-in data such as root server addresses and keys |
+| [tuning] | Changes to built-in configuration defaults and constants to improve performance |
+| [performance] | Other changes to improve server performance |
+| [protocol] | Updates to the DNS protocol such as new RR types |
+| [test] | Changes to the automatic tests, not affecting server functionality |
+| [cleanup] | Minor corrections and refactoring |
+| [doc] | Documentation |
+| [contrib] | Changes to the contributed tools and libraries in the 'contrib' subdirectory |
+| [placeholder] | Used in the main development branch to reserve change numbers for use in other branches, e.g., when fixing a bug that only exists in older releases |
+
+In general, [func] and [experimental] tags only appear in new-feature
+releases (i.e., those with version numbers ending in zero). Some new
+functionality may be backported to older releases on a case-by-case basis.
+All other change types may be applied to all currently supported releases.
+
 #### Bug report identifiers
 
-Most notes in the ARM Changelog appendix include a reference to a bug report or
+Most notes in the CHANGES file include a reference to a bug report or
 issue number. Prior to 2018, these were usually of the form `[RT #NNN]`
 and referred to entries in the "bind9-bugs" RT database, which was not open
 to the public. More recent entries use the form `[GL #NNN]` or, less often,

SECURITY.md

@@ -1,35 +0,0 @@
-<!--
-Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
-SPDX-License-Identifier: MPL-2.0
-
-This Source Code Form is subject to the terms of the Mozilla Public
-License, v. 2.0.  If a copy of the MPL was not distributed with this
-file, you can obtain one at https://mozilla.org/MPL/2.0/.
-
-See the COPYRIGHT file distributed with this work for additional
-information regarding copyright ownership.
--->
-# Security Policy
-
-ISC's Security Vulnerability Disclosure Policy is documented in the
-relevant [ISC Knowledgebase article][1].
-
-## Reporting possible security issues
-
-If you think you may be seeing a potential security vulnerability in
-BIND (for example, a crash with a REQUIRE, INSIST, or ASSERT failure),
-please report it immediately by [opening a confidential GitLab issue][2]
-(preferred) or emailing bind-security@isc.org.
-
-Please do not discuss undisclosed security vulnerabilities on any public
-mailing list. ISC has a long history of handling reported
-vulnerabilities promptly and effectively and we respect and acknowledge
-responsible reporters.
-
-If you have a crash, you may want to consult the Knowledgebase article
-entitled ["What to do if your BIND or DHCP server has crashed"][3].
-
-[1]: https://kb.isc.org/docs/aa-00861
-[2]: https://gitlab.isc.org/isc-projects/bind9/-/issues/new?issue[confidential]=true&issuable_template=Bug
-[3]: https://kb.isc.org/docs/aa-00340

bin/Makefile.am

@@ -1 +1,5 @@
 SUBDIRS = named rndc dig delv dnssec tools nsupdate check confgen tests plugins
+
+if HAVE_PKCS11
+SUBDIRS += pkcs11
+endif

bin/check/Makefile.am

@@ -4,7 +4,8 @@ AM_CPPFLAGS +=			\
 	$(LIBISC_CFLAGS)	\
 	$(LIBDNS_CFLAGS)	\
 	$(LIBNS_CFLAGS)		\
-	$(LIBISCCFG_CFLAGS)
+	$(LIBISCCFG_CFLAGS)	\
+	$(LIBBIND9_CFLAGS)
 
 AM_CPPFLAGS +=			\
 	-DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
@@ -20,7 +21,8 @@ LDADD +=			\
 	$(LIBISC_LIBS)		\
 	$(LIBDNS_LIBS)		\
 	$(LIBNS_LIBS)		\
-	$(LIBISCCFG_LIBS)
+	$(LIBISCCFG_LIBS)	\
+	$(LIBBIND9_LIBS)
 
 bin_PROGRAMS = named-checkconf named-checkzone
 

bin/check/check-tool.c

@@ -1,8 +1,6 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
- * SPDX-License-Identifier: MPL-2.0
- *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, you can obtain one at https://mozilla.org/MPL/2.0/.
@@ -14,7 +12,6 @@
 /*! \file */
 
 #include <inttypes.h>
-#include <netdb.h>
 #include <stdbool.h>
 #include <stdio.h>
 
@@ -22,8 +19,9 @@
 #include <isc/log.h>
 #include <isc/mem.h>
 #include <isc/net.h>
+#include <isc/netdb.h>
+#include <isc/print.h>
 #include <isc/region.h>
-#include <isc/result.h>
 #include <isc/stdio.h>
 #include <isc/string.h>
 #include <isc/symtab.h>
@@ -40,6 +38,7 @@
 #include <dns/rdataset.h>
 #include <dns/rdatasetiter.h>
 #include <dns/rdatatype.h>
+#include <dns/result.h>
 #include <dns/types.h>
 #include <dns/zone.h>
 
@@ -73,7 +72,7 @@
 #define ERR_IS_MXCNAME	   6
 #define ERR_IS_SRVCNAME	   7
 
-static const char *dbtype[] = { ZONEDB_DEFAULT };
+static const char *dbtype[] = { "rbt" };
 
 int debug = 0;
 const char *journal = NULL;
@@ -88,13 +87,12 @@ bool dochecksrv = false;
 bool docheckns = false;
 #endif /* if CHECK_LOCAL */
 dns_zoneopt_t zone_options = DNS_ZONEOPT_CHECKNS | DNS_ZONEOPT_CHECKMX |
-			     DNS_ZONEOPT_CHECKDUPRR | DNS_ZONEOPT_CHECKSPF |
 			     DNS_ZONEOPT_MANYERRORS | DNS_ZONEOPT_CHECKNAMES |
 			     DNS_ZONEOPT_CHECKINTEGRITY |
 #if CHECK_SIBLING
 			     DNS_ZONEOPT_CHECKSIBLING |
 #endif /* if CHECK_SIBLING */
-			     DNS_ZONEOPT_CHECKSVCB | DNS_ZONEOPT_CHECKWILDCARD |
+			     DNS_ZONEOPT_CHECKWILDCARD |
 			     DNS_ZONEOPT_WARNMXCNAME | DNS_ZONEOPT_WARNSRVCNAME;
 
 /*
@@ -146,14 +144,14 @@ logged(char *key, int value) {
 	isc_result_t result;
 
 	if (symtab == NULL) {
-		return false;
+		return (false);
 	}
 
 	result = isc_symtab_lookup(symtab, key, value, NULL);
 	if (result == ISC_R_SUCCESS) {
-		return true;
+		return (true);
 	}
-	return false;
+	return (false);
 }
 
 static bool
@@ -177,7 +175,7 @@ checkns(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner,
 		aaaa->type == dns_rdatatype_aaaa);
 
 	if (a == NULL || aaaa == NULL) {
-		return answer;
+		return (answer);
 	}
 
 	memset(&hints, 0, sizeof(hints));
@@ -205,8 +203,7 @@ checkns(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner,
 		 */
 		cur = ai;
 		while (cur != NULL && cur->ai_canonname == NULL &&
-		       cur->ai_next != NULL)
-		{
+		       cur->ai_next != NULL) {
 			cur = cur->ai_next;
 		}
 		if (cur != NULL && cur->ai_canonname != NULL &&
@@ -234,7 +231,7 @@ checkns(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner,
 			add(namebuf, ERR_NO_ADDRESSES);
 		}
 		/* XXX950 make fatal for 9.5.0 */
-		return true;
+		return (true);
 
 	default:
 		if (!logged(namebuf, ERR_LOOKUP_FAILURE)) {
@@ -243,7 +240,7 @@ checkns(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner,
 				     gai_strerror(result));
 			add(namebuf, ERR_LOOKUP_FAILURE);
 		}
-		return true;
+		return (true);
 	}
 
 	/*
@@ -371,7 +368,7 @@ checkmissing:
 		}
 	}
 	freeaddrinfo(ai);
-	return answer;
+	return (answer);
 }
 
 static bool
@@ -408,8 +405,7 @@ checkmx(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner) {
 		 */
 		cur = ai;
 		while (cur != NULL && cur->ai_canonname == NULL &&
-		       cur->ai_next != NULL)
-		{
+		       cur->ai_next != NULL) {
 			cur = cur->ai_next;
 		}
 		if (cur != NULL && cur->ai_canonname != NULL &&
@@ -434,7 +430,7 @@ checkmx(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner) {
 			}
 		}
 		freeaddrinfo(ai);
-		return answer;
+		return (answer);
 
 	case EAI_NONAME:
 #if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME)
@@ -448,7 +444,7 @@ checkmx(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner) {
 			add(namebuf, ERR_NO_ADDRESSES);
 		}
 		/* XXX950 make fatal for 9.5.0. */
-		return true;
+		return (true);
 
 	default:
 		if (!logged(namebuf, ERR_LOOKUP_FAILURE)) {
@@ -457,7 +453,7 @@ checkmx(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner) {
 				     gai_strerror(result));
 			add(namebuf, ERR_LOOKUP_FAILURE);
 		}
-		return true;
+		return (true);
 	}
 }
 
@@ -495,8 +491,7 @@ checksrv(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner) {
 		 */
 		cur = ai;
 		while (cur != NULL && cur->ai_canonname == NULL &&
-		       cur->ai_next != NULL)
-		{
+		       cur->ai_next != NULL) {
 			cur = cur->ai_next;
 		}
 		if (cur != NULL && cur->ai_canonname != NULL &&
@@ -521,7 +516,7 @@ checksrv(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner) {
 			}
 		}
 		freeaddrinfo(ai);
-		return answer;
+		return (answer);
 
 	case EAI_NONAME:
 #if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME)
@@ -535,7 +530,7 @@ checksrv(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner) {
 			add(namebuf, ERR_NO_ADDRESSES);
 		}
 		/* XXX950 make fatal for 9.5.0. */
-		return true;
+		return (true);
 
 	default:
 		if (!logged(namebuf, ERR_LOOKUP_FAILURE)) {
@@ -544,7 +539,7 @@ checksrv(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner) {
 				     gai_strerror(result));
 			add(namebuf, ERR_LOOKUP_FAILURE);
 		}
-		return true;
+		return (true);
 	}
 }
 
@@ -573,7 +568,97 @@ setup_logging(isc_mem_t *mctx, FILE *errout, isc_log_t **logp) {
 		      ISC_R_SUCCESS);
 
 	*logp = log;
-	return ISC_R_SUCCESS;
+	return (ISC_R_SUCCESS);
+}
+
+/*% scan the zone for oversize TTLs */
+static isc_result_t
+check_ttls(dns_zone_t *zone, dns_ttl_t maxttl) {
+	isc_result_t result;
+	dns_db_t *db = NULL;
+	dns_dbversion_t *version = NULL;
+	dns_dbnode_t *node = NULL;
+	dns_dbiterator_t *dbiter = NULL;
+	dns_rdatasetiter_t *rdsiter = NULL;
+	dns_rdataset_t rdataset;
+	dns_fixedname_t fname;
+	dns_name_t *name;
+	name = dns_fixedname_initname(&fname);
+	dns_rdataset_init(&rdataset);
+
+	CHECK(dns_zone_getdb(zone, &db));
+	INSIST(db != NULL);
+
+	CHECK(dns_db_newversion(db, &version));
+	CHECK(dns_db_createiterator(db, 0, &dbiter));
+
+	for (result = dns_dbiterator_first(dbiter); result == ISC_R_SUCCESS;
+	     result = dns_dbiterator_next(dbiter))
+	{
+		result = dns_dbiterator_current(dbiter, &node, name);
+		if (result == DNS_R_NEWORIGIN) {
+			result = ISC_R_SUCCESS;
+		}
+		CHECK(result);
+
+		CHECK(dns_db_allrdatasets(db, node, version, 0, &rdsiter));
+		for (result = dns_rdatasetiter_first(rdsiter);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdatasetiter_next(rdsiter))
+		{
+			dns_rdatasetiter_current(rdsiter, &rdataset);
+			if (rdataset.ttl > maxttl) {
+				char nbuf[DNS_NAME_FORMATSIZE];
+				char tbuf[255];
+				isc_buffer_t b;
+				isc_region_t r;
+
+				dns_name_format(name, nbuf, sizeof(nbuf));
+				isc_buffer_init(&b, tbuf, sizeof(tbuf) - 1);
+				CHECK(dns_rdatatype_totext(rdataset.type, &b));
+				isc_buffer_usedregion(&b, &r);
+				r.base[r.length] = 0;
+
+				dns_zone_log(zone, ISC_LOG_ERROR,
+					     "%s/%s TTL %d exceeds "
+					     "maximum TTL %d",
+					     nbuf, tbuf, rdataset.ttl, maxttl);
+				dns_rdataset_disassociate(&rdataset);
+				CHECK(ISC_R_RANGE);
+			}
+			dns_rdataset_disassociate(&rdataset);
+		}
+		if (result == ISC_R_NOMORE) {
+			result = ISC_R_SUCCESS;
+		}
+		CHECK(result);
+
+		dns_rdatasetiter_destroy(&rdsiter);
+		dns_db_detachnode(db, &node);
+	}
+
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_SUCCESS;
+	}
+
+cleanup:
+	if (node != NULL) {
+		dns_db_detachnode(db, &node);
+	}
+	if (rdsiter != NULL) {
+		dns_rdatasetiter_destroy(&rdsiter);
+	}
+	if (dbiter != NULL) {
+		dns_dbiterator_destroy(&dbiter);
+	}
+	if (version != NULL) {
+		dns_db_closeversion(db, &version, false);
+	}
+	if (db != NULL) {
+		dns_db_detach(&db);
+	}
+
+	return (result);
 }
 
 /*% load the zone */
@@ -596,9 +681,9 @@ load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
 			zonename, filename, classname);
 	}
 
-	dns_zone_create(&zone, mctx, 0);
+	CHECK(dns_zone_create(&zone, mctx));
 
-	dns_zone_settype(zone, dns_zone_primary);
+	dns_zone_settype(zone, dns_zone_master);
 
 	isc_buffer_constinit(&buffer, zonename, strlen(zonename));
 	isc_buffer_add(&buffer, strlen(zonename));
@@ -617,7 +702,7 @@ load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
 		CHECK(dns_zone_setjournal(zone, journal));
 	}
 
-	region.base = UNCONST(classname);
+	DE_CONST(classname, region.base);
 	region.length = strlen(classname);
 	CHECK(dns_rdataclass_fromtext(&rdclass, &region));
 
@@ -639,6 +724,14 @@ load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
 
 	CHECK(dns_zone_load(zone, false));
 
+	/*
+	 * When loading map files we can't catch oversize TTLs during
+	 * load, so we check for them here.
+	 */
+	if (fileformat == dns_masterformat_map && maxttl != 0) {
+		CHECK(check_ttls(zone, maxttl));
+	}
+
 	if (zonep != NULL) {
 		*zonep = zone;
 		zone = NULL;
@@ -648,7 +741,7 @@ cleanup:
 	if (zone != NULL) {
 		dns_zone_detach(&zone);
 	}
-	return result;
+	return (result);
 }
 
 /*% dump the zone */
@@ -679,7 +772,7 @@ dump_zone(const char *zonename, dns_zone_t *zone, const char *filename,
 				"could not open output "
 				"file \"%s\" for writing\n",
 				filename);
-			return ISC_R_FAILURE;
+			return (ISC_R_FAILURE);
 		}
 	}
 
@@ -689,5 +782,5 @@ dump_zone(const char *zonename, dns_zone_t *zone, const char *filename,
 		(void)isc_stdio_close(output);
 	}
 
-	return result;
+	return (result);
 }

bin/check/check-tool.h

@@ -1,8 +1,6 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
- * SPDX-License-Identifier: MPL-2.0
- *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, you can obtain one at https://mozilla.org/MPL/2.0/.
@@ -11,7 +9,8 @@
  * information regarding copyright ownership.
  */
 
-#pragma once
+#ifndef CHECK_TOOL_H
+#define CHECK_TOOL_H
 
 /*! \file */
 
@@ -50,3 +49,5 @@ extern bool dochecksrv;
 extern dns_zoneopt_t zone_options;
 
 ISC_LANG_ENDDECLS
+
+#endif /* ifndef CHECK_TOOL_H */

bin/check/named-checkconf.c

@@ -1,8 +1,6 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
- * SPDX-License-Identifier: MPL-2.0
- *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, you can obtain one at https://mozilla.org/MPL/2.0/.
@@ -24,6 +22,7 @@
 #include <isc/hash.h>
 #include <isc/log.h>
 #include <isc/mem.h>
+#include <isc/print.h>
 #include <isc/result.h>
 #include <isc/string.h>
 #include <isc/util.h>
@@ -33,17 +32,21 @@
 #include <dns/log.h>
 #include <dns/name.h>
 #include <dns/rdataclass.h>
+#include <dns/result.h>
 #include <dns/rootns.h>
 #include <dns/zone.h>
 
-#include <isccfg/check.h>
 #include <isccfg/grammar.h>
 #include <isccfg/namedconf.h>
 
+#include <bind9/check.h>
+
 #include "check-tool.h"
 
 static const char *program = "named-checkconf";
 
+static bool loadplugins = true;
+
 isc_log_t *logc = NULL;
 
 #define CHECK(r)                             \
@@ -54,16 +57,16 @@ isc_log_t *logc = NULL;
 	} while (0)
 
 /*% usage */
-noreturn static void
+ISC_NORETURN static void
 usage(void);
 
 static void
 usage(void) {
 	fprintf(stderr,
-		"usage: %s [-achijlvz] [-p [-x]] [-t directory] "
+		"usage: %s [-chijlvz] [-p [-x]] [-t directory] "
 		"[named.conf]\n",
 		program);
-	exit(EXIT_SUCCESS);
+	exit(1);
 }
 
 /*% directory callback */
@@ -86,10 +89,10 @@ directory_callback(const char *clausename, const cfg_obj_t *obj, void *arg) {
 		cfg_obj_log(obj, logc, ISC_LOG_ERROR,
 			    "change directory to '%s' failed: %s\n", directory,
 			    isc_result_totext(result));
-		return result;
+		return (result);
 	}
 
-	return ISC_R_SUCCESS;
+	return (ISC_R_SUCCESS);
 }
 
 static bool
@@ -97,10 +100,10 @@ get_maps(const cfg_obj_t **maps, const char *name, const cfg_obj_t **obj) {
 	int i;
 	for (i = 0;; i++) {
 		if (maps[i] == NULL) {
-			return false;
+			return (false);
 		}
 		if (cfg_map_get(maps[i], name, obj) == ISC_R_SUCCESS) {
-			return true;
+			return (true);
 		}
 	}
 }
@@ -116,7 +119,7 @@ get_checknames(const cfg_obj_t **maps, const cfg_obj_t **obj) {
 
 	for (i = 0;; i++) {
 		if (maps[i] == NULL) {
-			return false;
+			return (false);
 		}
 		checknames = NULL;
 		result = cfg_map_get(maps[i], "check-names", &checknames);
@@ -125,7 +128,7 @@ get_checknames(const cfg_obj_t **maps, const cfg_obj_t **obj) {
 		}
 		if (checknames != NULL && !cfg_obj_islist(checknames)) {
 			*obj = checknames;
-			return true;
+			return (true);
 		}
 		for (element = cfg_list_first(checknames); element != NULL;
 		     element = cfg_list_next(element))
@@ -139,7 +142,7 @@ get_checknames(const cfg_obj_t **maps, const cfg_obj_t **obj) {
 				continue;
 			}
 			*obj = cfg_tuple_get(value, "mode");
-			return true;
+			return (true);
 		}
 	}
 }
@@ -152,23 +155,23 @@ configure_hint(const char *zfile, const char *zclass, isc_mem_t *mctx) {
 	isc_textregion_t r;
 
 	if (zfile == NULL) {
-		return ISC_R_FAILURE;
+		return (ISC_R_FAILURE);
 	}
 
-	r.base = UNCONST(zclass);
+	DE_CONST(zclass, r.base);
 	r.length = strlen(zclass);
 	result = dns_rdataclass_fromtext(&rdclass, &r);
 	if (result != ISC_R_SUCCESS) {
-		return result;
+		return (result);
 	}
 
 	result = dns_rootns_create(mctx, rdclass, zfile, &db);
 	if (result != ISC_R_SUCCESS) {
-		return result;
+		return (result);
 	}
 
 	dns_db_detach(&db);
-	return ISC_R_SUCCESS;
+	return (ISC_R_SUCCESS);
 }
 
 /*% configure the zone */
@@ -224,33 +227,33 @@ configure_zone(const char *vclass, const char *view, const cfg_obj_t *zconfig,
 		printf("%s %s %s in-view %s\n", zname, zclass, view, inview);
 	}
 	if (inviewobj != NULL) {
-		return ISC_R_SUCCESS;
+		return (ISC_R_SUCCESS);
 	}
 
 	cfg_map_get(zoptions, "type", &typeobj);
 	if (typeobj == NULL) {
-		return ISC_R_FAILURE;
+		return (ISC_R_FAILURE);
 	}
 
 	if (list) {
 		const char *ztype = cfg_obj_asstring(typeobj);
 		printf("%s %s %s %s\n", zname, zclass, view, ztype);
-		return ISC_R_SUCCESS;
+		return (ISC_R_SUCCESS);
 	}
 
 	/*
 	 * Skip checks when using an alternate data source.
 	 */
 	cfg_map_get(zoptions, "database", &dbobj);
-	if (dbobj != NULL &&
-	    strcmp(ZONEDB_DEFAULT, cfg_obj_asstring(dbobj)) != 0)
+	if (dbobj != NULL && strcmp("rbt", cfg_obj_asstring(dbobj)) != 0 &&
+	    strcmp("rbt64", cfg_obj_asstring(dbobj)) != 0)
 	{
-		return ISC_R_SUCCESS;
+		return (ISC_R_SUCCESS);
 	}
 
 	cfg_map_get(zoptions, "dlz", &dlzobj);
 	if (dlzobj != NULL) {
-		return ISC_R_SUCCESS;
+		return (ISC_R_SUCCESS);
 	}
 
 	cfg_map_get(zoptions, "file", &fileobj);
@@ -264,16 +267,16 @@ configure_zone(const char *vclass, const char *view, const cfg_obj_t *zconfig,
 	 * master and redirect
 	 */
 	if (strcasecmp(cfg_obj_asstring(typeobj), "hint") == 0) {
-		return configure_hint(zfile, zclass, mctx);
+		return (configure_hint(zfile, zclass, mctx));
 	} else if ((strcasecmp(cfg_obj_asstring(typeobj), "primary") != 0) &&
 		   (strcasecmp(cfg_obj_asstring(typeobj), "master") != 0) &&
 		   (strcasecmp(cfg_obj_asstring(typeobj), "redirect") != 0))
 	{
-		return ISC_R_SUCCESS;
+		return (ISC_R_SUCCESS);
 	}
 
 	/*
-	 * Is the redirect zone configured as a secondary?
+	 * Is the redirect zone configured as a slave?
 	 */
 	if (strcasecmp(cfg_obj_asstring(typeobj), "redirect") == 0) {
 		cfg_map_get(zoptions, "primaries", &primariesobj);
@@ -282,12 +285,12 @@ configure_zone(const char *vclass, const char *view, const cfg_obj_t *zconfig,
 		}
 
 		if (primariesobj != NULL) {
-			return ISC_R_SUCCESS;
+			return (ISC_R_SUCCESS);
 		}
 	}
 
 	if (zfile == NULL) {
-		return ISC_R_FAILURE;
+		return (ISC_R_FAILURE);
 	}
 
 	obj = NULL;
@@ -302,7 +305,8 @@ configure_zone(const char *vclass, const char *view, const cfg_obj_t *zconfig,
 			zone_options &= ~DNS_ZONEOPT_CHECKDUPRR;
 			zone_options &= ~DNS_ZONEOPT_CHECKDUPRRFAIL;
 		} else {
-			UNREACHABLE();
+			INSIST(0);
+			ISC_UNREACHABLE();
 		}
 	} else {
 		zone_options |= DNS_ZONEOPT_CHECKDUPRR;
@@ -321,7 +325,8 @@ configure_zone(const char *vclass, const char *view, const cfg_obj_t *zconfig,
 			zone_options &= ~DNS_ZONEOPT_CHECKMX;
 			zone_options &= ~DNS_ZONEOPT_CHECKMXFAIL;
 		} else {
-			UNREACHABLE();
+			INSIST(0);
+			ISC_UNREACHABLE();
 		}
 	} else {
 		zone_options |= DNS_ZONEOPT_CHECKMX;
@@ -351,7 +356,8 @@ configure_zone(const char *vclass, const char *view, const cfg_obj_t *zconfig,
 			zone_options |= DNS_ZONEOPT_WARNMXCNAME;
 			zone_options |= DNS_ZONEOPT_IGNOREMXCNAME;
 		} else {
-			UNREACHABLE();
+			INSIST(0);
+			ISC_UNREACHABLE();
 		}
 	} else {
 		zone_options |= DNS_ZONEOPT_WARNMXCNAME;
@@ -370,7 +376,8 @@ configure_zone(const char *vclass, const char *view, const cfg_obj_t *zconfig,
 			zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
 			zone_options |= DNS_ZONEOPT_IGNORESRVCNAME;
 		} else {
-			UNREACHABLE();
+			INSIST(0);
+			ISC_UNREACHABLE();
 		}
 	} else {
 		zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
@@ -393,34 +400,13 @@ configure_zone(const char *vclass, const char *view, const cfg_obj_t *zconfig,
 		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
 			zone_options &= ~DNS_ZONEOPT_CHECKSPF;
 		} else {
-			UNREACHABLE();
+			INSIST(0);
+			ISC_UNREACHABLE();
 		}
 	} else {
 		zone_options |= DNS_ZONEOPT_CHECKSPF;
 	}
 
-	obj = NULL;
-	if (get_maps(maps, "check-svcb", &obj)) {
-		if (cfg_obj_asboolean(obj)) {
-			zone_options |= DNS_ZONEOPT_CHECKSVCB;
-		} else {
-			zone_options &= ~DNS_ZONEOPT_CHECKSVCB;
-		}
-	} else {
-		zone_options |= DNS_ZONEOPT_CHECKSVCB;
-	}
-
-	obj = NULL;
-	if (get_maps(maps, "check-wildcard", &obj)) {
-		if (cfg_obj_asboolean(obj)) {
-			zone_options |= DNS_ZONEOPT_CHECKWILDCARD;
-		} else {
-			zone_options &= ~DNS_ZONEOPT_CHECKWILDCARD;
-		}
-	} else {
-		zone_options |= DNS_ZONEOPT_CHECKWILDCARD;
-	}
-
 	obj = NULL;
 	if (get_checknames(maps, &obj)) {
 		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
@@ -433,7 +419,8 @@ configure_zone(const char *vclass, const char *view, const cfg_obj_t *zconfig,
 			zone_options &= ~DNS_ZONEOPT_CHECKNAMES;
 			zone_options &= ~DNS_ZONEOPT_CHECKNAMESFAIL;
 		} else {
-			UNREACHABLE();
+			INSIST(0);
+			ISC_UNREACHABLE();
 		}
 	} else {
 		zone_options |= DNS_ZONEOPT_CHECKNAMES;
@@ -448,8 +435,11 @@ configure_zone(const char *vclass, const char *view, const cfg_obj_t *zconfig,
 			masterformat = dns_masterformat_text;
 		} else if (strcasecmp(masterformatstr, "raw") == 0) {
 			masterformat = dns_masterformat_raw;
+		} else if (strcasecmp(masterformatstr, "map") == 0) {
+			masterformat = dns_masterformat_map;
 		} else {
-			UNREACHABLE();
+			INSIST(0);
+			ISC_UNREACHABLE();
 		}
 	}
 
@@ -463,9 +453,9 @@ configure_zone(const char *vclass, const char *view, const cfg_obj_t *zconfig,
 			   NULL);
 	if (result != ISC_R_SUCCESS) {
 		fprintf(stderr, "%s/%s/%s: %s\n", view, zname, zclass,
-			isc_result_totext(result));
+			dns_result_totext(result));
 	}
-	return result;
+	return (result);
 }
 
 /*% configure a view */
@@ -500,7 +490,7 @@ configure_view(const char *vclass, const char *view, const cfg_obj_t *config,
 			result = tresult;
 		}
 	}
-	return result;
+	return (result);
 }
 
 static isc_result_t
@@ -510,11 +500,11 @@ config_getclass(const cfg_obj_t *classobj, dns_rdataclass_t defclass,
 
 	if (!cfg_obj_isstring(classobj)) {
 		*classp = defclass;
-		return ISC_R_SUCCESS;
+		return (ISC_R_SUCCESS);
 	}
-	r.base = UNCONST(cfg_obj_asstring(classobj));
+	DE_CONST(cfg_obj_asstring(classobj), r.base);
 	r.length = strlen(r.base);
-	return dns_rdataclass_fromtext(classp, &r);
+	return (dns_rdataclass_fromtext(classp, &r));
 }
 
 /*% load zones from the configuration */
@@ -572,15 +562,15 @@ load_zones_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx,
 	}
 
 cleanup:
-	return result;
+	return (result);
 }
 
 static void
 output(void *closure, const char *text, int textlen) {
+	UNUSED(closure);
 	if (fwrite(text, 1, textlen, stdout) != (size_t)textlen) {
-		isc_result_t *result = closure;
 		perror("fwrite");
-		*result = ISC_R_FAILURE;
+		exit(1);
 	}
 }
 
@@ -592,21 +582,20 @@ main(int argc, char **argv) {
 	cfg_obj_t *config = NULL;
 	const char *conffile = NULL;
 	isc_mem_t *mctx = NULL;
-	isc_result_t result = ISC_R_SUCCESS;
-	bool cleanup_dst = false;
+	isc_result_t result;
+	int exit_status = 0;
 	bool load_zones = false;
 	bool list_zones = false;
 	bool print = false;
 	bool nodeprecate = false;
 	unsigned int flags = 0;
-	unsigned int checkflags = BIND_CHECK_PLUGINS | BIND_CHECK_ALGORITHMS;
 
 	isc_commandline_errprint = false;
 
 	/*
 	 * Process memory debugging argument first.
 	 */
-#define CMDLINE_FLAGS "acdhijlm:t:pvxz"
+#define CMDLINE_FLAGS "cdhijlm:t:pvxz"
 	while ((c = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
 		switch (c) {
 		case 'm':
@@ -633,12 +622,8 @@ main(int argc, char **argv) {
 
 	while ((c = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != EOF) {
 		switch (c) {
-		case 'a':
-			checkflags &= ~BIND_CHECK_ALGORITHMS;
-			break;
-
 		case 'c':
-			checkflags &= ~BIND_CHECK_PLUGINS;
+			loadplugins = false;
 			break;
 
 		case 'd':
@@ -665,7 +650,7 @@ main(int argc, char **argv) {
 			if (result != ISC_R_SUCCESS) {
 				fprintf(stderr, "isc_dir_chroot: %s\n",
 					isc_result_totext(result));
-				CHECK(result);
+				exit(1);
 			}
 			break;
 
@@ -675,8 +660,7 @@ main(int argc, char **argv) {
 
 		case 'v':
 			printf("%s\n", PACKAGE_VERSION);
-			result = ISC_R_SUCCESS;
-			goto cleanup;
+			exit(0);
 
 		case 'x':
 			flags |= CFG_PRINTER_XKEY;
@@ -694,29 +678,27 @@ main(int argc, char **argv) {
 				fprintf(stderr, "%s: invalid argument -%c\n",
 					program, isc_commandline_option);
 			}
-			FALLTHROUGH;
+		/* FALLTHROUGH */
 		case 'h':
-			isc_mem_detach(&mctx);
 			usage();
 
 		default:
 			fprintf(stderr, "%s: unhandled option -%c\n", program,
 				isc_commandline_option);
-			CHECK(ISC_R_FAILURE);
+			exit(1);
 		}
 	}
 
 	if (((flags & CFG_PRINTER_XKEY) != 0) && !print) {
 		fprintf(stderr, "%s: -x cannot be used without -p\n", program);
-		CHECK(ISC_R_FAILURE);
+		exit(1);
 	}
 	if (print && list_zones) {
 		fprintf(stderr, "%s: -l cannot be used with -p\n", program);
-		CHECK(ISC_R_FAILURE);
+		exit(1);
 	}
 
 	if (isc_commandline_index + 1 < argc) {
-		isc_mem_detach(&mctx);
 		usage();
 	}
 	if (argv[isc_commandline_index] != NULL) {
@@ -726,48 +708,45 @@ main(int argc, char **argv) {
 		conffile = NAMED_CONFFILE;
 	}
 
-	CHECK(setup_logging(mctx, stdout, &logc));
+	RUNTIME_CHECK(setup_logging(mctx, stdout, &logc) == ISC_R_SUCCESS);
 
-	CHECK(dst_lib_init(mctx, NULL));
-	cleanup_dst = true;
+	dns_result_register();
 
-	CHECK(cfg_parser_create(mctx, logc, &parser));
+	RUNTIME_CHECK(cfg_parser_create(mctx, logc, &parser) == ISC_R_SUCCESS);
 
 	if (nodeprecate) {
 		cfg_parser_setflags(parser, CFG_PCTX_NODEPRECATED, true);
 	}
 	cfg_parser_setcallback(parser, directory_callback, NULL);
 
-	CHECK(cfg_parse_file(parser, conffile, &cfg_type_namedconf, &config));
-	CHECK(isccfg_check_namedconf(config, checkflags, logc, mctx));
-	if (load_zones || list_zones) {
-		CHECK(load_zones_fromconfig(config, mctx, list_zones));
+	if (cfg_parse_file(parser, conffile, &cfg_type_namedconf, &config) !=
+	    ISC_R_SUCCESS)
+	{
+		exit(1);
 	}
 
-	if (print) {
-		cfg_printx(config, flags, output, &result);
+	result = bind9_check_namedconf(config, loadplugins, logc, mctx);
+	if (result != ISC_R_SUCCESS) {
+		exit_status = 1;
 	}
 
-cleanup:
-	if (config != NULL) {
-		cfg_obj_destroy(parser, &config);
+	if (result == ISC_R_SUCCESS && (load_zones || list_zones)) {
+		result = load_zones_fromconfig(config, mctx, list_zones);
+		if (result != ISC_R_SUCCESS) {
+			exit_status = 1;
+		}
 	}
 
-	if (parser != NULL) {
-		cfg_parser_destroy(&parser);
+	if (print && exit_status == 0) {
+		cfg_printx(config, flags, output, NULL);
 	}
+	cfg_obj_destroy(parser, &config);
 
-	if (cleanup_dst) {
-		dst_lib_destroy();
-	}
+	cfg_parser_destroy(&parser);
 
-	if (logc != NULL) {
-		isc_log_destroy(&logc);
-	}
+	isc_log_destroy(&logc);
 
-	if (mctx != NULL) {
-		isc_mem_destroy(&mctx);
-	}
+	isc_mem_destroy(&mctx);
 
-	return result == ISC_R_SUCCESS ? 0 : 1;
+	return (exit_status);
 }

bin/check/named-checkconf.rst

@@ -1,18 +1,26 @@
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+.. 
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+   
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, you can obtain one at https://mozilla.org/MPL/2.0/.
+   
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
 ..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0.  If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
 
 .. highlight: console
 
-.. iscman:: named-checkconf
-.. program:: named-checkconf
 .. _man_named-checkconf:
 
 named-checkconf - named configuration file syntax checking tool
@@ -21,96 +29,77 @@ named-checkconf - named configuration file syntax checking tool
 Synopsis
 ~~~~~~~~
 
-:program:`named-checkconf` [**-achjlvz**] [**-p** [**-x** ]] [**-t** directory] {filename}
+:program:`named-checkconf` [**-chjlvz**] [**-p** [**-x** ]] [**-t** directory] {filename}
 
 Description
 ~~~~~~~~~~~
 
-:program:`named-checkconf` checks the syntax, but not the semantics, of a
-:iscman:`named` configuration file. The file, along with all files included by it, is parsed and checked for syntax
+``named-checkconf`` checks the syntax, but not the semantics, of a
+``named`` configuration file. The file, along with all files included by it, is parsed and checked for syntax
 errors. If no file is specified,
-|named_conf| is read by default.
+``/etc/named.conf`` is read by default.
 
-Note: files that :iscman:`named` reads in separate parser contexts, such as
-``rndc.conf`` or ``rndc.key``, are not automatically read by
-:program:`named-checkconf`.  Configuration errors in these files may cause
-:iscman:`named` to fail to run, even if :program:`named-checkconf` was
-successful.  However, :program:`named-checkconf` can be run on these files
-explicitly.
+Note: files that ``named`` reads in separate parser contexts, such as
+``rndc.key`` and ``bind.keys``, are not automatically read by
+``named-checkconf``. Configuration errors in these files may cause
+``named`` to fail to run, even if ``named-checkconf`` was successful.
+However, ``named-checkconf`` can be run on these files explicitly.
 
 Options
 ~~~~~~~
 
-.. option:: -a
-
-   Don't check the `dnssec-policy`'s DNSSEC key algorithms against
-   those supported by the crypto provider.  This is useful when checking
-   a `named.conf` intended to be run on another machine with possibly a
-   different set of supported DNSSEC key algorithms.
-
-.. option:: -h
-
+``-h``
    This option prints the usage summary and exits.
 
-.. option:: -j
-
-   When loading a zonefile, this option instructs :iscman:`named` to read the journal if it exists.
-
-.. option:: -l
+``-j``
+   When loading a zonefile, this option instructs ``named`` to read the journal if it exists.
 
+``-l``
    This option lists all the configured zones. Each line of output contains the zone
    name, class (e.g. IN), view, and type (e.g. primary or secondary).
 
-.. option:: -c
-
+``-c``
    This option specifies that only the "core" configuration should be checked. This suppresses the loading of
    plugin modules, and causes all parameters to ``plugin`` statements to
    be ignored.
 
-.. option:: -i
-
+``-i``
    This option ignores warnings on deprecated options.
 
-.. option:: -p
+``-p``
+   This option prints out the ``named.conf`` and included files in canonical form if
+   no errors were detected. See also the ``-x`` option.
 
-   This option prints out the :iscman:`named.conf` and included files in canonical form if
-   no errors were detected. See also the :option:`-x` option.
-
-.. option:: -t directory
-
-   This option instructs :iscman:`named` to chroot to ``directory``, so that ``include`` directives in the
+``-t directory``
+   This option instructs ``named`` to chroot to ``directory``, so that ``include`` directives in the
    configuration file are processed as if run by a similarly chrooted
-   :iscman:`named`.
+   ``named``.
 
-.. option:: -v
-
-   This option prints the version of the :program:`named-checkconf` program and exits.
-
-.. option:: -x
+``-v``
+   This option prints the version of the ``named-checkconf`` program and exits.
 
+``-x``
    When printing the configuration files in canonical form, this option obscures
    shared secrets by replacing them with strings of question marks
-   (``?``). This allows the contents of :iscman:`named.conf` and related files
+   (``?``). This allows the contents of ``named.conf`` and related files
    to be shared - for example, when submitting bug reports -
    without compromising private data. This option cannot be used without
-   :option:`-p`.
+   ``-p``.
 
-.. option:: -z
-
-   This option performs a test load of all zones of type ``primary`` found in :iscman:`named.conf`.
-
-.. option:: filename
+``-z``
+   This option performs a test load of all zones of type ``primary`` found in ``named.conf``.
 
+``filename``
    This indicates the name of the configuration file to be checked. If not specified,
-   it defaults to |named_conf|.
+   it defaults to ``/etc/named.conf``.
 
 Return Values
 ~~~~~~~~~~~~~
 
-:program:`named-checkconf` returns an exit status of 1 if errors were detected
+``named-checkconf`` returns an exit status of 1 if errors were detected
 and 0 otherwise.
 
 See Also
 ~~~~~~~~
 
-:iscman:`named(8) <named>`, :iscman:`named-checkzone(8) <named-checkzone>`, BIND 9 Administrator Reference Manual.
+:manpage:`named(8)`, :manpage:`named-checkzone(8)`, BIND 9 Administrator Reference Manual.

bin/check/named-checkzone.c

@@ -1,8 +1,6 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
- * SPDX-License-Identifier: MPL-2.0
- *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, you can obtain one at https://mozilla.org/MPL/2.0/.
@@ -17,6 +15,7 @@
 #include <stdbool.h>
 #include <stdlib.h>
 
+#include <isc/app.h>
 #include <isc/attributes.h>
 #include <isc/commandline.h>
 #include <isc/dir.h>
@@ -24,8 +23,10 @@
 #include <isc/hash.h>
 #include <isc/log.h>
 #include <isc/mem.h>
-#include <isc/result.h>
+#include <isc/print.h>
+#include <isc/socket.h>
 #include <isc/string.h>
+#include <isc/task.h>
 #include <isc/timer.h>
 #include <isc/util.h>
 
@@ -37,6 +38,7 @@
 #include <dns/name.h>
 #include <dns/rdataclass.h>
 #include <dns/rdataset.h>
+#include <dns/result.h>
 #include <dns/types.h>
 #include <dns/zone.h>
 
@@ -45,7 +47,7 @@
 static int quiet = 0;
 static isc_mem_t *mctx = NULL;
 dns_zone_t *zone = NULL;
-dns_zonetype_t zonetype = dns_zone_primary;
+dns_zonetype_t zonetype = dns_zone_master;
 static int dumpzone = 0;
 static const char *output_filename;
 static const char *prog_name = NULL;
@@ -57,12 +59,12 @@ static enum { progmode_check, progmode_compile } progmode;
 		if (result != ISC_R_SUCCESS) {                                \
 			if (!quiet)                                           \
 				fprintf(stderr, "%s() returned %s\n",         \
-					function, isc_result_totext(result)); \
+					function, dns_result_totext(result)); \
 			return (result);                                      \
 		}                                                             \
 	} while (0)
 
-noreturn static void
+ISC_NORETURN static void
 usage(void);
 
 static void
@@ -79,7 +81,7 @@ usage(void) {
 		"%s zonename [ (filename|-) ]\n",
 		prog_name,
 		progmode == progmode_check ? "[-o filename]" : "-o filename");
-	exit(EXIT_FAILURE);
+	exit(1);
 }
 
 static void
@@ -144,15 +146,19 @@ main(int argc, char **argv) {
 	} else if (PROGCMP("named-compilezone")) {
 		progmode = progmode_compile;
 	} else {
-		UNREACHABLE();
+		INSIST(0);
+		ISC_UNREACHABLE();
 	}
 
-	/* When compiling, disable checks by default */
+	/* Compilation specific defaults */
 	if (progmode == progmode_compile) {
-		zone_options = 0;
-		docheckmx = false;
-		docheckns = false;
-		dochecksrv = false;
+		zone_options |= (DNS_ZONEOPT_CHECKNS | DNS_ZONEOPT_FATALNS |
+				 DNS_ZONEOPT_CHECKSPF | DNS_ZONEOPT_CHECKDUPRR |
+				 DNS_ZONEOPT_CHECKNAMES |
+				 DNS_ZONEOPT_CHECKNAMESFAIL |
+				 DNS_ZONEOPT_CHECKWILDCARD);
+	} else {
+		zone_options |= (DNS_ZONEOPT_CHECKDUPRR | DNS_ZONEOPT_CHECKSPF);
 	}
 
 #define ARGCMP(X) (strcmp(isc_commandline_argument, X) == 0)
@@ -160,8 +166,8 @@ main(int argc, char **argv) {
 	isc_commandline_errprint = false;
 
 	while ((c = isc_commandline_parse(argc, argv,
-					  "c:df:hi:jJ:k:L:l:m:n:qr:s:t:o:vw:C:"
-					  "DF:M:S:T:W:")) != EOF)
+					  "c:df:hi:jJ:k:L:l:m:n:qr:s:t:o:vw:DF:"
+					  "M:S:T:W:")) != EOF)
 	{
 		switch (c) {
 		case 'c':
@@ -206,7 +212,7 @@ main(int argc, char **argv) {
 			} else {
 				fprintf(stderr, "invalid argument to -i: %s\n",
 					isc_commandline_argument);
-				exit(EXIT_FAILURE);
+				exit(1);
 			}
 			break;
 
@@ -240,7 +246,7 @@ main(int argc, char **argv) {
 			} else {
 				fprintf(stderr, "invalid argument to -k: %s\n",
 					isc_commandline_argument);
-				exit(EXIT_FAILURE);
+				exit(1);
 			}
 			break;
 
@@ -251,7 +257,7 @@ main(int argc, char **argv) {
 			if (*endp != '\0') {
 				fprintf(stderr, "source serial number "
 						"must be numeric");
-				exit(EXIT_FAILURE);
+				exit(1);
 			}
 			break;
 
@@ -262,7 +268,7 @@ main(int argc, char **argv) {
 			if (*endp != '\0') {
 				fprintf(stderr, "maximum TTL "
 						"must be numeric");
-				exit(EXIT_FAILURE);
+				exit(1);
 			}
 			break;
 
@@ -279,7 +285,7 @@ main(int argc, char **argv) {
 			} else {
 				fprintf(stderr, "invalid argument to -n: %s\n",
 					isc_commandline_argument);
-				exit(EXIT_FAILURE);
+				exit(1);
 			}
 			break;
 
@@ -296,7 +302,7 @@ main(int argc, char **argv) {
 			} else {
 				fprintf(stderr, "invalid argument to -m: %s\n",
 					isc_commandline_argument);
-				exit(EXIT_FAILURE);
+				exit(1);
 			}
 			break;
 
@@ -321,7 +327,7 @@ main(int argc, char **argv) {
 			} else {
 				fprintf(stderr, "invalid argument to -r: %s\n",
 					isc_commandline_argument);
-				exit(EXIT_FAILURE);
+				exit(1);
 			}
 			break;
 
@@ -334,7 +340,7 @@ main(int argc, char **argv) {
 				fprintf(stderr,
 					"unknown or unsupported style: %s\n",
 					isc_commandline_argument);
-				exit(EXIT_FAILURE);
+				exit(1);
 			}
 			break;
 
@@ -344,30 +350,18 @@ main(int argc, char **argv) {
 				fprintf(stderr, "isc_dir_chroot: %s: %s\n",
 					isc_commandline_argument,
 					isc_result_totext(result));
-				exit(EXIT_FAILURE);
+				exit(1);
 			}
 			break;
 
 		case 'v':
 			printf("%s\n", PACKAGE_VERSION);
-			exit(EXIT_SUCCESS);
+			exit(0);
 
 		case 'w':
 			workdir = isc_commandline_argument;
 			break;
 
-		case 'C':
-			if (ARGCMP("check-svcb:fail")) {
-				zone_options |= DNS_ZONEOPT_CHECKSVCB;
-			} else if (ARGCMP("check-svcb:ignore")) {
-				zone_options &= ~DNS_ZONEOPT_CHECKSVCB;
-			} else {
-				fprintf(stderr, "invalid argument to -C: %s\n",
-					isc_commandline_argument);
-				exit(EXIT_FAILURE);
-			}
-			break;
-
 		case 'D':
 			dumpzone++;
 			break;
@@ -385,7 +379,7 @@ main(int argc, char **argv) {
 			} else {
 				fprintf(stderr, "invalid argument to -M: %s\n",
 					isc_commandline_argument);
-				exit(EXIT_FAILURE);
+				exit(1);
 			}
 			break;
 
@@ -402,7 +396,7 @@ main(int argc, char **argv) {
 			} else {
 				fprintf(stderr, "invalid argument to -S: %s\n",
 					isc_commandline_argument);
-				exit(EXIT_FAILURE);
+				exit(1);
 			}
 			break;
 
@@ -414,7 +408,7 @@ main(int argc, char **argv) {
 			} else {
 				fprintf(stderr, "invalid argument to -T: %s\n",
 					isc_commandline_argument);
-				exit(EXIT_FAILURE);
+				exit(1);
 			}
 			break;
 
@@ -431,14 +425,14 @@ main(int argc, char **argv) {
 				fprintf(stderr, "%s: invalid argument -%c\n",
 					prog_name, isc_commandline_option);
 			}
-			FALLTHROUGH;
+		/* FALLTHROUGH */
 		case 'h':
 			usage();
 
 		default:
 			fprintf(stderr, "%s: unhandled option -%c\n", prog_name,
 				isc_commandline_option);
-			exit(EXIT_FAILURE);
+			exit(1);
 		}
 	}
 
@@ -447,7 +441,7 @@ main(int argc, char **argv) {
 		if (result != ISC_R_SUCCESS) {
 			fprintf(stderr, "isc_dir_chdir: %s: %s\n", workdir,
 				isc_result_totext(result));
-			exit(EXIT_FAILURE);
+			exit(1);
 		}
 	}
 
@@ -460,10 +454,12 @@ main(int argc, char **argv) {
 			inputformat = dns_masterformat_raw;
 			fprintf(stderr, "WARNING: input format raw, version "
 					"ignored\n");
+		} else if (strcasecmp(inputformatstr, "map") == 0) {
+			inputformat = dns_masterformat_map;
 		} else {
 			fprintf(stderr, "unknown file format: %s\n",
 				inputformatstr);
-			exit(EXIT_FAILURE);
+			exit(1);
 		}
 	}
 
@@ -478,15 +474,16 @@ main(int argc, char **argv) {
 			outputformat = dns_masterformat_raw;
 			rawversion = strtol(outputformatstr + 4, &end, 10);
 			if (end == outputformatstr + 4 || *end != '\0' ||
-			    rawversion > 1U)
-			{
+			    rawversion > 1U) {
 				fprintf(stderr, "unknown raw format version\n");
-				exit(EXIT_FAILURE);
+				exit(1);
 			}
+		} else if (strcasecmp(outputformatstr, "map") == 0) {
+			outputformat = dns_masterformat_map;
 		} else {
 			fprintf(stderr, "unknown file format: %s\n",
 				outputformatstr);
-			exit(EXIT_FAILURE);
+			exit(1);
 		}
 	}
 
@@ -518,8 +515,7 @@ main(int argc, char **argv) {
 	}
 
 	if (argc - isc_commandline_index < 1 ||
-	    argc - isc_commandline_index > 2)
-	{
+	    argc - isc_commandline_index > 2) {
 		usage();
 	}
 
@@ -529,6 +525,8 @@ main(int argc, char **argv) {
 			      ISC_R_SUCCESS);
 	}
 
+	dns_result_register();
+
 	origin = argv[isc_commandline_index++];
 
 	if (isc_commandline_index == argc) {
@@ -571,5 +569,5 @@ main(int argc, char **argv) {
 	}
 	isc_mem_destroy(&mctx);
 
-	return (result == ISC_R_SUCCESS) ? 0 : 1;
+	return ((result == ISC_R_SUCCESS) ? 0 : 1);
 }

bin/check/named-checkzone.rst

@@ -1,84 +1,80 @@
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+.. 
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+   
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, you can obtain one at https://mozilla.org/MPL/2.0/.
+   
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
 ..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0.  If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
 
 .. highlight: console
 
-.. BEWARE: Do not forget to edit also named-compilezone.rst!
-
-.. iscman:: named-checkzone
-.. program:: named-checkzone
-.. _man_named-checkzone:
-
-named-checkzone - zone file validation tool
--------------------------------------------
+named-checkzone, named-compilezone - zone file validity checking or converting tool
+-----------------------------------------------------------------------------------
 
 Synopsis
 ~~~~~~~~
 
-:program:`named-checkzone` [**-d**] [**-h**] [**-j**] [**-q**] [**-v**] [**-c** class] [**-C** mode] [**-f** format] [**-F** format] [**-J** filename] [**-i** mode] [**-k** mode] [**-m** mode] [**-M** mode] [**-n** mode] [**-l** ttl] [**-L** serial] [**-o** filename] [**-r** mode] [**-s** style] [**-S** mode] [**-t** directory] [**-T** mode] [**-w** directory] [**-D**] [**-W** mode] {zonename} {filename}
+:program:`named-checkzone` [**-d**] [**-h**] [**-j**] [**-q**] [**-v**] [**-c** class] [**-f** format] [**-F** format] [**-J** filename] [**-i** mode] [**-k** mode] [**-m** mode] [**-M** mode] [**-n** mode] [**-l** ttl] [**-L** serial] [**-o** filename] [**-r** mode] [**-s** style] [**-S** mode] [**-t** directory] [**-T** mode] [**-w** directory] [**-D**] [**-W** mode] {zonename} {filename}
+
+:program:`named-compilezone` [**-d**] [**-j**] [**-q**] [**-v**] [**-c** class] [**-C** mode] [**-f** format] [**-F** format] [**-J** filename] [**-i** mode] [**-k** mode] [**-m** mode] [**-n** mode] [**-l** ttl] [**-L** serial] [**-r** mode] [**-s** style] [**-t** directory] [**-T** mode] [**-w** directory] [**-D**] [**-W** mode] {**-o** filename} {zonename} {filename}
 
 Description
 ~~~~~~~~~~~
 
-:program:`named-checkzone` checks the syntax and integrity of a zone file. It
-performs the same checks as :iscman:`named` does when loading a zone. This
-makes :program:`named-checkzone` useful for checking zone files before
+``named-checkzone`` checks the syntax and integrity of a zone file. It
+performs the same checks as ``named`` does when loading a zone. This
+makes ``named-checkzone`` useful for checking zone files before
 configuring them into a name server.
 
+``named-compilezone`` is similar to ``named-checkzone``, but it always
+dumps the zone contents to a specified file in a specified format.
+It also applies stricter check levels by default, since the
+dump output is used as an actual zone file loaded by ``named``.
+When manually specified otherwise, the check levels must at least be as
+strict as those specified in the ``named`` configuration file.
+
 Options
 ~~~~~~~
 
-.. option:: -d
-
+``-d``
    This option enables debugging.
 
-.. option:: -h
-
+``-h``
    This option prints the usage summary and exits.
 
-.. option:: -q
-
+``-q``
    This option sets quiet mode, which only sets an exit code to indicate
    successful or failed completion.
 
-.. option:: -v
+``-v``
+   This option prints the version of the ``named-checkzone`` program and exits.
 
-   This option prints the version of the :program:`named-checkzone` program and exits.
-
-.. option:: -j
-
-   When loading a zone file, this option tells :iscman:`named` to read the journal if it exists. The journal
+``-j``
+   When loading a zone file, this option tells ``named`` to read the journal if it exists. The journal
    file name is assumed to be the zone file name with the
    string ``.jnl`` appended.
 
-.. option:: -J filename
-
-   When loading the zone file, this option tells :iscman:`named` to read the journal from the given file, if
-   it exists. This implies :option:`-j`.
-
-.. option:: -c class
+``-J filename``
+   When loading the zone file, this option tells ``named`` to read the journal from the given file, if
+   it exists. This implies ``-j``.
 
+``-c class``
    This option specifies the class of the zone. If not specified, ``IN`` is assumed.
 
-.. option:: -C mode
-
-   This option controls check mode on zone files when loading.
-   Possible modes are ``check-svcb:fail`` and ``check-svcb:ignore``.
-
-   ``check-svcb:fail`` turns on additional checks on ``_dns`` SVCB
-   records and ``check-svcb:ignore`` disables these checks.  The
-   default is ``check-svcb:fail``.
-
-.. option:: -i mode
-
+``-i mode``
    This option performs post-load zone integrity checks. Possible modes are
    ``full`` (the default), ``full-sibling``, ``local``,
    ``local-sibling``, and ``none``.
@@ -104,128 +100,114 @@ Options
 
    Mode ``none`` disables the checks.
 
-.. option:: -f format
-
-   This option specifies the format of the zone file. Possible formats are
-   ``text`` (the default), and ``raw``.
-
-.. option:: -F format
+``-f format``
+   This option specifies the format of the zone file. Possible formats are ``text``
+   (the default), ``raw``, and ``map``.
 
+``-F format``
    This option specifies the format of the output file specified. For
-   :program:`named-checkzone`, this does not have any effect unless it dumps
+   ``named-checkzone``, this does not have any effect unless it dumps
    the zone contents.
 
    Possible formats are ``text`` (the default), which is the standard
-   textual representation of the zone, and ``raw`` and ``raw=N``, which
-   store the zone in a binary format for rapid loading by :iscman:`named`.
-   ``raw=N`` specifies the format version of the raw zone file: if ``N`` is
-   0, the raw file can be read by any version of :iscman:`named`; if N is 1, the
-   file can only be read by release 9.9.0 or higher. The default is 1.
-
-.. option:: -k mode
+   textual representation of the zone, and ``map``, ``raw``, and
+   ``raw=N``, which store the zone in a binary format for rapid
+   loading by ``named``. ``raw=N`` specifies the format version of the
+   raw zone file: if ``N`` is 0, the raw file can be read by any version of
+   ``named``; if N is 1, the file can only be read by release 9.9.0 or
+   higher. The default is 1.
 
+``-k mode``
    This option performs ``check-names`` checks with the specified failure mode.
-   Possible modes are ``fail``, ``warn`` (the default), and ``ignore``.
-
-.. option:: -l ttl
+   Possible modes are ``fail`` (the default for ``named-compilezone``),
+   ``warn`` (the default for ``named-checkzone``), and ``ignore``.
 
+``-l ttl``
    This option sets a maximum permissible TTL for the input file. Any record with a
    TTL higher than this value causes the zone to be rejected. This
-   is similar to using the ``max-zone-ttl`` option in :iscman:`named.conf`.
+   is similar to using the ``max-zone-ttl`` option in ``named.conf``.
 
-.. option:: -L serial
-
-   When compiling a zone to ``raw`` format, this option sets the "source
+``-L serial``
+   When compiling a zone to ``raw`` or ``map`` format, this option sets the "source
    serial" value in the header to the specified serial number. This is
    expected to be used primarily for testing purposes.
 
-.. option:: -m mode
-
+``-m mode``
    This option specifies whether MX records should be checked to see if they are
    addresses. Possible modes are ``fail``, ``warn`` (the default), and
    ``ignore``.
 
-.. option:: -M mode
-
+``-M mode``
    This option checks whether a MX record refers to a CNAME. Possible modes are
    ``fail``, ``warn`` (the default), and ``ignore``.
 
-.. option:: -n mode
-
+``-n mode``
    This option specifies whether NS records should be checked to see if they are
-   addresses. Possible modes are ``fail``, ``warn`` (the default), and ``ignore``.
-
-.. option:: -o filename
+   addresses. Possible modes are ``fail`` (the default for
+   ``named-compilezone``), ``warn`` (the default for ``named-checkzone``),
+   and ``ignore``.
 
+``-o filename``
    This option writes the zone output to ``filename``. If ``filename`` is ``-``, then
-   the zone output is written to standard output.
-
-.. option:: -r mode
+   the zone output is written to standard output. This is mandatory for ``named-compilezone``.
 
+``-r mode``
    This option checks for records that are treated as different by DNSSEC but are
    semantically equal in plain DNS. Possible modes are ``fail``,
    ``warn`` (the default), and ``ignore``.
 
-.. option:: -s style
-
+``-s style``
    This option specifies the style of the dumped zone file. Possible styles are
    ``full`` (the default) and ``relative``. The ``full`` format is most
    suitable for processing automatically by a separate script.
    The relative format is more human-readable and is thus
-   suitable for editing by hand. This does not have any effect unless it dumps
-   the zone contents. It also does not have any meaning if the output format
-   is not text.
-
-.. option:: -S mode
+   suitable for editing by hand. For ``named-checkzone``, this does not
+   have any effect unless it dumps the zone contents. It also does not
+   have any meaning if the output format is not text.
 
+``-S mode``
    This option checks whether an SRV record refers to a CNAME. Possible modes are
    ``fail``, ``warn`` (the default), and ``ignore``.
 
-.. option:: -t directory
-
-   This option tells :iscman:`named` to chroot to ``directory``, so that ``include`` directives in the
+``-t directory``
+   This option tells ``named`` to chroot to ``directory``, so that ``include`` directives in the
    configuration file are processed as if run by a similarly chrooted
-   :iscman:`named`.
-
-.. option:: -T mode
+   ``named``.
 
+``-T mode``
    This option checks whether Sender Policy Framework (SPF) records exist and issues a
    warning if an SPF-formatted TXT record is not also present. Possible
    modes are ``warn`` (the default) and ``ignore``.
 
-.. option:: -w directory
-
-   This option instructs :iscman:`named` to chdir to ``directory``, so that relative filenames in master file
+``-w directory``
+   This option instructs ``named`` to chdir to ``directory``, so that relative filenames in master file
    ``$INCLUDE`` directives work. This is similar to the directory clause in
-   :iscman:`named.conf`.
+   ``named.conf``.
 
-.. option:: -D
-
-   This option dumps the zone file in canonical format.
-
-.. option:: -W mode
+``-D``
+   This option dumps the zone file in canonical format. This is always enabled for
+   ``named-compilezone``.
 
+``-W mode``
    This option specifies whether to check for non-terminal wildcards. Non-terminal
    wildcards are almost always the result of a failure to understand the
-   wildcard matching algorithm (:rfc:`4592`). Possible modes are ``warn``
+   wildcard matching algorithm (:rfc:`1034`). Possible modes are ``warn``
    (the default) and ``ignore``.
 
-.. option:: zonename
-
+``zonename``
    This indicates the domain name of the zone being checked.
 
-.. option:: filename
-
+``filename``
    This is the name of the zone file.
 
 Return Values
 ~~~~~~~~~~~~~
 
-:program:`named-checkzone` returns an exit status of 1 if errors were detected
+``named-checkzone`` returns an exit status of 1 if errors were detected
 and 0 otherwise.
 
 See Also
 ~~~~~~~~
 
-:iscman:`named(8) <named>`, :iscman:`named-checkconf(8) <named-checkconf>`, :iscman:`named-compilezone(8) <named-compilezone>`, :rfc:`1035`, BIND 9 Administrator Reference
+:manpage:`named(8)`, :manpage:`named-checkconf(8)`, :rfc:`1035`, BIND 9 Administrator Reference
 Manual.

bin/check/named-compilezone.rst

@@ -1,239 +0,0 @@
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0.  If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-.. highlight: console
-
-.. BEWARE: Do not forget to edit also named-checkzone.rst!
-
-.. iscman:: named-compilezone
-.. program:: named-compilezone
-.. _man_named-compilezone:
-
-named-compilezone - zone file converting tool
----------------------------------------------
-
-Synopsis
-~~~~~~~~
-
-:program:`named-compilezone` [**-d**] [**-h**] [**-j**] [**-q**] [**-v**] [**-c** class] [**-C** mode] [**-f** format] [**-F** format] [**-J** filename] [**-i** mode] [**-k** mode] [**-m** mode] [**-M** mode] [**-n** mode] [**-l** ttl] [**-L** serial] [**-r** mode] [**-s** style] [**-S** mode] [**-t** directory] [**-T** mode] [**-w** directory] [**-D**] [**-W** mode] {**-o** filename} {zonename} {filename}
-
-Description
-~~~~~~~~~~~
-
-:program:`named-compilezone` checks the syntax and integrity of a zone file,
-and dumps the zone contents to a specified file in a specified format.
-
-Unlike :program:`named-checkzone`, zone contents are not strictly checked
-by default. If the output is to be used as an actual zone file to be loaded
-by :iscman:`named`, then the check levels should be manually configured to
-be at least as strict as those specified in the :iscman:`named` configuration
-file.
-
-Running :program:`named-checkzone` on the input prior to compiling will
-ensure that the zone compiles with the default requirements of
-:iscman:`named`.
-
-Options
-~~~~~~~
-
-.. option:: -d
-
-   This option enables debugging.
-
-.. option:: -h
-
-   This option prints the usage summary and exits.
-
-.. option:: -q
-
-   This option sets quiet mode, which only sets an exit code to indicate
-   successful or failed completion.
-
-.. option:: -v
-
-   This option prints the version of the :iscman:`named-checkzone` program and exits.
-
-.. option:: -j
-
-   When loading a zone file, this option tells :iscman:`named` to read the journal if it exists. The journal
-   file name is assumed to be the zone file name with the
-   string ``.jnl`` appended.
-
-.. option:: -J filename
-
-   When loading the zone file, this option tells :iscman:`named` to read the journal from the given file, if
-   it exists. This implies :option:`-j`.
-
-.. option:: -c class
-
-   This option specifies the class of the zone. If not specified, ``IN`` is assumed.
-
-.. option:: -C mode
-
-   This option controls check mode on zone files when loading.
-   Possible modes are ``check-svcb:fail`` and ``check-svcb:ignore``.
-
-   ``check-svcb:fail`` turns on additional checks on ``_dns`` SVCB
-   records and ``check-svcb:ignore`` disables these checks.  The
-   default is ``check-svcb:ignore``.
-
-.. option:: -i mode
-
-   This option performs post-load zone integrity checks. Possible modes are
-   ``full``, ``full-sibling``, ``local``,
-   ``local-sibling``, and ``none`` (the default).
-
-   Mode ``full`` checks that MX records refer to A or AAAA records
-   (both in-zone and out-of-zone hostnames). Mode ``local`` only
-   checks MX records which refer to in-zone hostnames.
-
-   Mode ``full`` checks that SRV records refer to A or AAAA records
-   (both in-zone and out-of-zone hostnames). Mode ``local`` only
-   checks SRV records which refer to in-zone hostnames.
-
-   Mode ``full`` checks that delegation NS records refer to A or AAAA
-   records (both in-zone and out-of-zone hostnames). It also checks that
-   glue address records in the zone match those advertised by the child.
-   Mode ``local`` only checks NS records which refer to in-zone
-   hostnames or verifies that some required glue exists, i.e., when the
-   name server is in a child zone.
-
-   Modes ``full-sibling`` and ``local-sibling`` disable sibling glue
-   checks, but are otherwise the same as ``full`` and ``local``,
-   respectively.
-
-   Mode ``none`` disables the checks.
-
-.. option:: -f format
-
-   This option specifies the format of the zone file. Possible formats are
-   ``text`` (the default), and ``raw``.
-
-.. option:: -F format
-
-   This option specifies the format of the output file specified. For
-   :iscman:`named-checkzone`, this does not have any effect unless it dumps
-   the zone contents.
-
-   Possible formats are ``text`` (the default), which is the standard
-   textual representation of the zone, and ``raw`` and ``raw=N``, which
-   store the zone in a binary format for rapid loading by :iscman:`named`.
-   ``raw=N`` specifies the format version of the raw zone file: if ``N`` is
-   0, the raw file can be read by any version of :iscman:`named`; if N is 1, the
-   file can only be read by release 9.9.0 or higher. The default is 1.
-
-.. option:: -k mode
-
-   This option performs ``check-names`` checks with the specified failure mode.
-   Possible modes are ``fail``, ``warn``, and ``ignore`` (the default).
-
-.. option:: -l ttl
-
-   This option sets a maximum permissible TTL for the input file. Any record with a
-   TTL higher than this value causes the zone to be rejected. This
-   is similar to using the ``max-zone-ttl`` option in :iscman:`named.conf`.
-
-.. option:: -L serial
-
-   When compiling a zone to ``raw`` format, this option sets the "source
-   serial" value in the header to the specified serial number. This is
-   expected to be used primarily for testing purposes.
-
-.. option:: -m mode
-
-   This option specifies whether MX records should be checked to see if they are
-   addresses. Possible modes are ``fail``, ``warn``, and
-   ``ignore`` (the default).
-
-.. option:: -M mode
-
-   This option checks whether a MX record refers to a CNAME. Possible modes are
-   ``fail``, ``warn``, and ``ignore`` (the default).
-
-.. option:: -n mode
-
-   This option specifies whether NS records should be checked to see if they are
-   addresses. Possible modes are ``fail``, ``warn``,  and
-   ``ignore`` (the default).
-
-.. option:: -o filename
-
-   This option writes the zone output to ``filename``. If ``filename`` is ``-``, then
-   the zone output is written to standard output. This is mandatory for :program:`named-compilezone`.
-
-.. option:: -r mode
-
-   This option checks for records that are treated as different by DNSSEC but are
-   semantically equal in plain DNS. Possible modes are ``fail``,
-   ``warn``, and ``ignore`` (the default).
-
-.. option:: -s style
-
-   This option specifies the style of the dumped zone file. Possible styles are
-   ``full`` (the default) and ``relative``. The ``full`` format is most
-   suitable for processing automatically by a separate script.
-   The relative format is more human-readable and is thus
-   suitable for editing by hand.
-
-.. option:: -S mode
-
-   This option checks whether an SRV record refers to a CNAME. Possible modes are
-   ``fail``, ``warn``, and ``ignore`` (the default).
-
-.. option:: -t directory
-
-   This option tells :iscman:`named` to chroot to ``directory``, so that ``include`` directives in the
-   configuration file are processed as if run by a similarly chrooted
-   :iscman:`named`.
-
-.. option:: -T mode
-
-   This option checks whether Sender Policy Framework (SPF) records exist and issues a
-   warning if an SPF-formatted TXT record is not also present. Possible
-   modes are ``warn`` and ``ignore`` (the default).
-
-.. option:: -w directory
-
-   This option instructs :iscman:`named` to chdir to ``directory``, so that relative filenames in master file
-   ``$INCLUDE`` directives work. This is similar to the directory clause in
-   :iscman:`named.conf`.
-
-.. option:: -D
-
-   This option dumps the zone file in canonical format. This is always enabled for
-   :program:`named-compilezone`.
-
-.. option:: -W mode
-
-   This option specifies whether to check for non-terminal wildcards. Non-terminal
-   wildcards are almost always the result of a failure to understand the
-   wildcard matching algorithm (:rfc:`4592`). Possible modes are ``warn``
-   and ``ignore`` (the default).
-
-.. option:: zonename
-
-   This indicates the domain name of the zone being checked.
-
-.. option:: filename
-
-   This is the name of the zone file.
-
-Return Values
-~~~~~~~~~~~~~
-
-:program:`named-compilezone` returns an exit status of 1 if errors were detected
-and 0 otherwise.
-
-See Also
-~~~~~~~~
-
-:iscman:`named(8) <named>`, :iscman:`named-checkconf(8) <named-checkconf>`, :iscman:`named-checkzone(8) <named-checkzone>`, :rfc:`1035`,
-BIND 9 Administrator Reference Manual.

bin/confgen/ddns-confgen.rst

@@ -1,96 +0,0 @@
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0.  If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-.. highlight: console
-
-.. BEWARE: Do not forget to edit also tsig-keygen.rst!
-
-.. iscman:: ddns-confgen
-.. program:: ddns-confgen
-.. _man_ddns-confgen:
-
-ddns-confgen - TSIG key generation tool
----------------------------------------
-
-Synopsis
-~~~~~~~~
-:program:`ddns-confgen` [**-a** algorithm] [**-h**] [**-k** keyname] [**-q**] [**-s** name] [**-z** zone]
-
-Description
-~~~~~~~~~~~
-
-:program:`ddns-confgen` is an utility that generates keys for use in TSIG signing.
-The resulting keys can be used, for example, to secure dynamic DNS updates
-to a zone, or for the :iscman:`rndc` command channel.
-
-The key name can specified using :option:`-k` parameter and defaults to ``ddns-key``.
-The generated key is accompanied by configuration text and instructions that
-can be used with :iscman:`nsupdate` and :iscman:`named` when setting up dynamic DNS,
-including an example ``update-policy`` statement.
-(This usage is similar to the :iscman:`rndc-confgen` command for setting up
-command-channel security.)
-
-Note that :iscman:`named` itself can configure a local DDNS key for use with
-:option:`nsupdate -l`; it does this when a zone is configured with
-``update-policy local;``. :program:`ddns-confgen` is only needed when a more
-elaborate configuration is required: for instance, if :iscman:`nsupdate` is to
-be used from a remote system.
-
-Options
-~~~~~~~
-
-.. option:: -a algorithm
-
-   This option specifies the algorithm to use for the TSIG key. Available
-   choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384,
-   and hmac-sha512. The default is hmac-sha256. Options are
-   case-insensitive, and the "hmac-" prefix may be omitted.
-
-.. option:: -h
-
-   This option prints a short summary of options and arguments.
-
-.. option:: -k keyname
-
-   This option specifies the key name of the DDNS authentication key. The
-   default is ``ddns-key`` when neither the :option:`-s` nor :option:`-z` option is
-   specified; otherwise, the default is ``ddns-key`` as a separate label
-   followed by the argument of the option, e.g., ``ddns-key.example.com.``
-   The key name must have the format of a valid domain name, consisting of
-   letters, digits, hyphens, and periods.
-
-.. option:: -q
-
-   This option enables quiet mode, which prints only the key, with no
-   explanatory text or usage examples. This is essentially identical to
-   :iscman:`tsig-keygen`.
-
-.. option:: -s name
-
-   This option generates a configuration example to allow dynamic updates
-   of a single hostname. The example :iscman:`named.conf` text shows how to set
-   an update policy for the specified name using the "name" nametype. The
-   default key name is ``ddns-key.name``. Note that the "self" nametype
-   cannot be used, since the name to be updated may differ from the key
-   name. This option cannot be used with the :option:`-z` option.
-
-.. option:: -z zone
-
-   This option generates a configuration example to allow
-   dynamic updates of a zone. The example :iscman:`named.conf` text shows how
-   to set an update policy for the specified zone using the "zonesub"
-   nametype, allowing updates to all subdomain names within that zone.
-   This option cannot be used with the :option:`-s` option.
-
-See Also
-~~~~~~~~
-
-:iscman:`nsupdate(1) <nsupdate>`, :iscman:`named.conf(5) <named.conf>`, :iscman:`named(8) <named>`, BIND 9 Administrator Reference Manual.

bin/confgen/include/confgen/os.h

@@ -1,8 +1,6 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
- * SPDX-License-Identifier: MPL-2.0
- *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, you can obtain one at https://mozilla.org/MPL/2.0/.
@@ -13,7 +11,8 @@
 
 /*! \file */
 
-#pragma once
+#ifndef RNDC_OS_H
+#define RNDC_OS_H 1
 
 #include <stdio.h>
 
@@ -31,3 +30,5 @@ set_user(FILE *fd, const char *user);
  */
 
 ISC_LANG_ENDDECLS
+
+#endif /* ifndef RNDC_OS_H */

bin/confgen/keygen.c

@@ -1,8 +1,6 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
- * SPDX-License-Identifier: MPL-2.0
- *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, you can obtain one at https://mozilla.org/MPL/2.0/.
@@ -21,9 +19,12 @@
 #include <isc/buffer.h>
 #include <isc/file.h>
 #include <isc/mem.h>
+#include <isc/print.h>
 #include <isc/result.h>
 #include <isc/string.h>
 
+#include <pk11/site.h>
+
 #include <dns/keyvalues.h>
 #include <dns/name.h>
 
@@ -33,6 +34,29 @@
 
 #include "util.h"
 
+/*%
+ * Convert algorithm type to string.
+ */
+const char *
+alg_totext(dns_secalg_t alg) {
+	switch (alg) {
+	case DST_ALG_HMACMD5:
+		return ("hmac-md5");
+	case DST_ALG_HMACSHA1:
+		return ("hmac-sha1");
+	case DST_ALG_HMACSHA224:
+		return ("hmac-sha224");
+	case DST_ALG_HMACSHA256:
+		return ("hmac-sha256");
+	case DST_ALG_HMACSHA384:
+		return ("hmac-sha384");
+	case DST_ALG_HMACSHA512:
+		return ("hmac-sha512");
+	default:
+		return ("(unknown)");
+	}
+}
+
 /*%
  * Convert string to algorithm type.
  */
@@ -44,24 +68,24 @@ alg_fromtext(const char *name) {
 	}
 
 	if (strcasecmp(p, "md5") == 0) {
-		return DST_ALG_HMACMD5;
+		return (DST_ALG_HMACMD5);
 	}
 	if (strcasecmp(p, "sha1") == 0) {
-		return DST_ALG_HMACSHA1;
+		return (DST_ALG_HMACSHA1);
 	}
 	if (strcasecmp(p, "sha224") == 0) {
-		return DST_ALG_HMACSHA224;
+		return (DST_ALG_HMACSHA224);
 	}
 	if (strcasecmp(p, "sha256") == 0) {
-		return DST_ALG_HMACSHA256;
+		return (DST_ALG_HMACSHA256);
 	}
 	if (strcasecmp(p, "sha384") == 0) {
-		return DST_ALG_HMACSHA384;
+		return (DST_ALG_HMACSHA384);
 	}
 	if (strcasecmp(p, "sha512") == 0) {
-		return DST_ALG_HMACSHA512;
+		return (DST_ALG_HMACSHA512);
 	}
-	return DST_ALG_UNKNOWN;
+	return (DST_ALG_UNKNOWN);
 }
 
 /*%
@@ -71,19 +95,19 @@ int
 alg_bits(dns_secalg_t alg) {
 	switch (alg) {
 	case DST_ALG_HMACMD5:
-		return 128;
+		return (128);
 	case DST_ALG_HMACSHA1:
-		return 160;
+		return (160);
 	case DST_ALG_HMACSHA224:
-		return 224;
+		return (224);
 	case DST_ALG_HMACSHA256:
-		return 256;
+		return (256);
 	case DST_ALG_HMACSHA384:
-		return 384;
+		return (384);
 	case DST_ALG_HMACSHA512:
-		return 512;
+		return (512);
 	default:
-		return 0;
+		return (0);
 	}
 }
 
@@ -124,7 +148,7 @@ generate_key(isc_mem_t *mctx, dns_secalg_t alg, int keysize,
 
 	DO("generate key",
 	   dst_key_generate(dns_rootname, alg, keysize, 0, 0, DNS_KEYPROTO_ANY,
-			    dns_rdataclass_in, NULL, mctx, &key, NULL));
+			    dns_rdataclass_in, mctx, &key, NULL));
 
 	isc_buffer_init(&key_rawbuffer, &key_rawsecret, sizeof(key_rawsecret));
 
@@ -151,7 +175,7 @@ void
 write_key_file(const char *keyfile, const char *user, const char *keyname,
 	       isc_buffer_t *secret, dns_secalg_t alg) {
 	isc_result_t result;
-	const char *algname = dst_hmac_algorithm_totext(alg);
+	const char *algname = alg_totext(alg);
 	FILE *fd = NULL;
 
 	DO("create keyfile", isc_file_safecreate(keyfile, &fd));

bin/confgen/keygen.h

@@ -1,8 +1,6 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
- * SPDX-License-Identifier: MPL-2.0
- *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, you can obtain one at https://mozilla.org/MPL/2.0/.
@@ -11,7 +9,8 @@
  * information regarding copyright ownership.
  */
 
-#pragma once
+#ifndef RNDC_KEYGEN_H
+#define RNDC_KEYGEN_H 1
 
 /*! \file */
 
@@ -39,3 +38,5 @@ int
 alg_bits(dns_secalg_t alg);
 
 ISC_LANG_ENDDECLS
+
+#endif /* RNDC_KEYGEN_H */

bin/confgen/os.c

@@ -1,8 +1,6 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
- * SPDX-License-Identifier: MPL-2.0
- *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, you can obtain one at https://mozilla.org/MPL/2.0/.
@@ -30,7 +28,7 @@ set_user(FILE *fd, const char *user) {
 	pw = getpwnam(user);
 	if (pw == NULL) {
 		errno = EINVAL;
-		return -1;
+		return (-1);
 	}
-	return fchown(fileno(fd), pw->pw_uid, -1);
+	return (fchown(fileno(fd), pw->pw_uid, -1));
 }

bin/confgen/rndc-confgen.c

@@ -1,8 +1,6 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
- * SPDX-License-Identifier: MPL-2.0
- *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, you can obtain one at https://mozilla.org/MPL/2.0/.
@@ -34,11 +32,14 @@
 #include <isc/file.h>
 #include <isc/mem.h>
 #include <isc/net.h>
+#include <isc/print.h>
 #include <isc/result.h>
 #include <isc/string.h>
 #include <isc/time.h>
 #include <isc/util.h>
 
+#include <pk11/site.h>
+
 #include <dns/keyvalues.h>
 #include <dns/name.h>
 
@@ -60,7 +61,7 @@ bool verbose = false;
 
 const char *keyfile, *keydef;
 
-noreturn static void
+ISC_NORETURN static void
 usage(int status);
 
 static void
@@ -146,8 +147,7 @@ main(int argc, char **argv) {
 			keyfile = isc_commandline_argument;
 			break;
 		case 'h':
-			usage(EXIT_SUCCESS);
-			break;
+			usage(0);
 		case 'k':
 		case 'y': /* Compatible with rndc -y. */
 			keyname = isc_commandline_argument;
@@ -193,15 +193,15 @@ main(int argc, char **argv) {
 			if (isc_commandline_option != '?') {
 				fprintf(stderr, "%s: invalid argument -%c\n",
 					program, isc_commandline_option);
-				usage(EXIT_FAILURE);
+				usage(1);
 			} else {
-				usage(EXIT_SUCCESS);
+				usage(0);
 			}
 			break;
 		default:
 			fprintf(stderr, "%s: unhandled option -%c\n", program,
 				isc_commandline_option);
-			exit(EXIT_FAILURE);
+			exit(1);
 		}
 	}
 
@@ -210,7 +210,7 @@ main(int argc, char **argv) {
 	POST(argv);
 
 	if (argc > 0) {
-		usage(EXIT_FAILURE);
+		usage(1);
 	}
 
 	if (alg == DST_ALG_HMACMD5) {
@@ -222,7 +222,7 @@ main(int argc, char **argv) {
 	if (keysize < 0) {
 		keysize = alg_bits(alg);
 	}
-	algname = dst_hmac_algorithm_totext(alg);
+	algname = alg_totext(alg);
 
 	isc_mem_create(&mctx);
 	isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));
@@ -290,5 +290,5 @@ options {\n\
 
 	isc_mem_destroy(&mctx);
 
-	return 0;
+	return (0);
 }

bin/confgen/rndc-confgen.rst

@@ -1,18 +1,26 @@
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+.. 
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+   
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, you can obtain one at https://mozilla.org/MPL/2.0/.
+   
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
 ..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0.  If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
 
 .. highlight: console
 
-.. iscman:: rndc-confgen
-.. program:: rndc-confgen
 .. _man_rndc-confgen:
 
 rndc-confgen - rndc key generation tool
@@ -26,96 +34,86 @@ Synopsis
 Description
 ~~~~~~~~~~~
 
-:program:`rndc-confgen` generates configuration files for :iscman:`rndc`. It can be
-used as a convenient alternative to writing the :iscman:`rndc.conf` file and
-the corresponding ``controls`` and ``key`` statements in :iscman:`named.conf`
-by hand. Alternatively, it can be run with the :option:`-a` option to set up a
-``rndc.key`` file and avoid the need for a :iscman:`rndc.conf` file and a
+``rndc-confgen`` generates configuration files for ``rndc``. It can be
+used as a convenient alternative to writing the ``rndc.conf`` file and
+the corresponding ``controls`` and ``key`` statements in ``named.conf``
+by hand. Alternatively, it can be run with the ``-a`` option to set up a
+``rndc.key`` file and avoid the need for a ``rndc.conf`` file and a
 ``controls`` statement altogether.
 
 Options
 ~~~~~~~
 
-.. option:: -a
-
-   This option sets automatic :iscman:`rndc` configuration, which creates a file
-   |rndc_key| that is read by both :iscman:`rndc` and :iscman:`named` on startup.
+``-a``
+   This option sets automatic ``rndc`` configuration, which creates a file ``rndc.key``
+   in ``/etc`` (or a different ``sysconfdir`` specified when BIND
+   was built) that is read by both ``rndc`` and ``named`` on startup.
    The ``rndc.key`` file defines a default command channel and
-   authentication key allowing :iscman:`rndc` to communicate with :iscman:`named` on
+   authentication key allowing ``rndc`` to communicate with ``named`` on
    the local host with no further configuration.
 
    If a more elaborate configuration than that generated by
-   :option:`rndc-confgen -a` is required, for example if rndc is to be used
-   remotely, run :program:`rndc-confgen` without the :option:`-a` option
-   and set up :iscman:`rndc.conf` and :iscman:`named.conf` as directed.
-
-.. option:: -A algorithm
+   ``rndc-confgen -a`` is required, for example if rndc is to be used
+   remotely, run ``rndc-confgen`` without the ``-a`` option
+   and set up ``rndc.conf`` and ``named.conf`` as directed.
 
+``-A algorithm``
    This option specifies the algorithm to use for the TSIG key. Available choices
    are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384, and
    hmac-sha512. The default is hmac-sha256.
 
-.. option:: -b keysize
-
+``-b keysize``
    This option specifies the size of the authentication key in bits. The size must be between
    1 and 512 bits; the default is the hash size.
 
-.. option:: -c keyfile
-
-   This option is used with the :option:`-a` option to specify an alternate location for
+``-c keyfile``
+   This option is used with the ``-a`` option to specify an alternate location for
    ``rndc.key``.
 
-.. option:: -h
-
+``-h``
    This option prints a short summary of the options and arguments to
-   :program:`rndc-confgen`.
+   ``rndc-confgen``.
 
-.. option:: -k keyname
-
-   This option specifies the key name of the :iscman:`rndc` authentication key. This must be a
+``-k keyname``
+   This option specifies the key name of the ``rndc`` authentication key. This must be a
    valid domain name. The default is ``rndc-key``.
 
-.. option:: -p port
-
-   This option specifies the command channel port where :iscman:`named` listens for
-   connections from :iscman:`rndc`. The default is 953.
-
-.. option:: -q
+``-p port``
+   This option specifies the command channel port where ``named`` listens for
+   connections from ``rndc``. The default is 953.
 
+``-q``
    This option prevets printing the written path in automatic configuration mode.
 
-.. option:: -s address
-
-   This option specifies the IP address where :iscman:`named` listens for command-channel
-   connections from :iscman:`rndc`. The default is the loopback address
+``-s address``
+   This option specifies the IP address where ``named`` listens for command-channel
+   connections from ``rndc``. The default is the loopback address
    127.0.0.1.
 
-.. option:: -t chrootdir
-
-   This option is used with the :option:`-a` option to specify a directory where :iscman:`named`
+``-t chrootdir``
+   This option is used with the ``-a`` option to specify a directory where ``named``
    runs chrooted. An additional copy of the ``rndc.key`` is
    written relative to this directory, so that it is found by the
-   chrooted :iscman:`named`.
+   chrooted ``named``.
 
-.. option:: -u user
-
-   This option is used with the :option:`-a` option to set the owner of the generated ``rndc.key`` file.
-   If :option:`-t` is also specified, only the file in the chroot
+``-u user``
+   This option is used with the ``-a`` option to set the owner of the generated ``rndc.key`` file.
+   If ``-t`` is also specified, only the file in the chroot
    area has its owner changed.
 
 Examples
 ~~~~~~~~
 
-To allow :iscman:`rndc` to be used with no manual configuration, run:
+To allow ``rndc`` to be used with no manual configuration, run:
 
 ``rndc-confgen -a``
 
-To print a sample :iscman:`rndc.conf` file and the corresponding ``controls`` and
-``key`` statements to be manually inserted into :iscman:`named.conf`, run:
+To print a sample ``rndc.conf`` file and the corresponding ``controls`` and
+``key`` statements to be manually inserted into ``named.conf``, run:
 
-:program:`rndc-confgen`
+``rndc-confgen``
 
 See Also
 ~~~~~~~~
 
-:iscman:`rndc(8) <rndc>`, :iscman:`rndc.conf(5) <rndc.conf>`, :iscman:`named(8) <named>`, BIND 9 Administrator Reference Manual.
+:manpage:`rndc(8)`, :manpage:`rndc.conf(5)`, :manpage:`named(8)`, BIND 9 Administrator Reference Manual.

bin/confgen/tsig-keygen.c

@@ -1,8 +1,6 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
- * SPDX-License-Identifier: MPL-2.0
- *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, you can obtain one at https://mozilla.org/MPL/2.0/.
@@ -30,13 +28,19 @@
 #include <isc/file.h>
 #include <isc/mem.h>
 #include <isc/net.h>
+#include <isc/print.h>
 #include <isc/result.h>
 #include <isc/string.h>
 #include <isc/time.h>
 #include <isc/util.h>
 
+#if USE_PKCS11
+#include <pk11/result.h>
+#endif /* if USE_PKCS11 */
+
 #include <dns/keyvalues.h>
 #include <dns/name.h>
+#include <dns/result.h>
 
 #include <dst/dst.h>
 
@@ -53,7 +57,7 @@ const char *progname;
 static enum { progmode_keygen, progmode_confgen } progmode;
 bool verbose = false; /* needed by util.c but not used here */
 
-noreturn static void
+ISC_NORETURN static void
 usage(int status);
 
 static void
@@ -97,6 +101,11 @@ main(int argc, char **argv) {
 	int len = 0;
 	int ch;
 
+#if USE_PKCS11
+	pk11_result_register();
+#endif /* if USE_PKCS11 */
+	dns_result_register();
+
 	result = isc_file_progname(*argv, program, sizeof(program));
 	if (result != ISC_R_SUCCESS) {
 		memmove(program, "tsig-keygen", 11);
@@ -120,14 +129,14 @@ main(int argc, char **argv) {
 	} else if (PROGCMP("ddns-confgen")) {
 		progmode = progmode_confgen;
 	} else {
-		UNREACHABLE();
+		INSIST(0);
+		ISC_UNREACHABLE();
 	}
 
 	isc_commandline_errprint = false;
 
 	while ((ch = isc_commandline_parse(argc, argv, "a:hk:Mmr:qs:y:z:")) !=
-	       -1)
-	{
+	       -1) {
 		switch (ch) {
 		case 'a':
 			algname = isc_commandline_argument;
@@ -138,13 +147,13 @@ main(int argc, char **argv) {
 			keysize = alg_bits(alg);
 			break;
 		case 'h':
-			usage(EXIT_SUCCESS);
+			usage(0);
 		case 'k':
 		case 'y':
 			if (progmode == progmode_confgen) {
 				keyname = isc_commandline_argument;
 			} else {
-				usage(EXIT_FAILURE);
+				usage(1);
 			}
 			break;
 		case 'M':
@@ -157,7 +166,7 @@ main(int argc, char **argv) {
 			if (progmode == progmode_confgen) {
 				quiet = true;
 			} else {
-				usage(EXIT_FAILURE);
+				usage(1);
 			}
 			break;
 		case 'r':
@@ -167,29 +176,29 @@ main(int argc, char **argv) {
 			if (progmode == progmode_confgen) {
 				self_domain = isc_commandline_argument;
 			} else {
-				usage(EXIT_FAILURE);
+				usage(1);
 			}
 			break;
 		case 'z':
 			if (progmode == progmode_confgen) {
 				zone = isc_commandline_argument;
 			} else {
-				usage(EXIT_FAILURE);
+				usage(1);
 			}
 			break;
 		case '?':
 			if (isc_commandline_option != '?') {
 				fprintf(stderr, "%s: invalid argument -%c\n",
 					program, isc_commandline_option);
-				usage(EXIT_FAILURE);
+				usage(1);
 			} else {
-				usage(EXIT_SUCCESS);
+				usage(0);
 			}
 			break;
 		default:
 			fprintf(stderr, "%s: unhandled option -%c\n", program,
 				isc_commandline_option);
-			exit(EXIT_FAILURE);
+			exit(1);
 		}
 	}
 
@@ -200,15 +209,15 @@ main(int argc, char **argv) {
 	POST(argv);
 
 	if (self_domain != NULL && zone != NULL) {
-		usage(EXIT_FAILURE); /* -s and -z cannot coexist */
+		usage(1); /* -s and -z cannot coexist */
 	}
 
 	if (argc > isc_commandline_index) {
-		usage(EXIT_FAILURE);
+		usage(1);
 	}
 
 	/* Use canonical algorithm name */
-	algname = dst_hmac_algorithm_totext(alg);
+	algname = alg_totext(alg);
 
 	isc_mem_create(&mctx);
 
@@ -296,5 +305,5 @@ nsupdate -k <keyfile>\n");
 
 	isc_mem_destroy(&mctx);
 
-	return 0;
+	return (0);
 }

bin/confgen/tsig-keygen.rst

@@ -1,55 +1,101 @@
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+.. 
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+   
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, you can obtain one at https://mozilla.org/MPL/2.0/.
+   
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
 ..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0.  If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
 
 .. highlight: console
 
-.. BEWARE: Do not forget to edit also ddns-confgen.rst!
-
-.. iscman:: tsig-keygen
-.. program:: tsig-keygen
-.. _man_tsig-keygen:
-
-tsig-keygen - TSIG key generation tool
---------------------------------------
+tsig-keygen, ddns-confgen - TSIG key generation tool
+----------------------------------------------------
 
 Synopsis
 ~~~~~~~~
-:program:`tsig-keygen` [**-a** algorithm] [**-h**] [name]
+:program:`tsig-keygen` [**-a** algorithm] [**-h**] [**-r** randomfile] [name]
+
+:program:`ddns-confgen` [**-a** algorithm] [**-h**] [**-k** keyname] [**-q**] [**-r** randomfile] [**-s** name] [**-z** zone]
 
 Description
 ~~~~~~~~~~~
 
-:program:`tsig-keygen` is an utility that generates keys for use with TSIG
-(Transaction Signatures) as defined in :rfc:`2845`. The resulting keys can be used,
-for example, to secure dynamic DNS updates to a zone, or for the :iscman:`rndc`
-command channel.
+``tsig-keygen`` and ``ddns-confgen`` are invocation methods for a
+utility that generates keys for use in TSIG signing. The resulting keys
+can be used, for example, to secure dynamic DNS updates to a zone, or for
+the ``rndc`` command channel.
 
-A domain name can be specified on the command line to be used as the name
-of the generated key. If no name is specified, the default is ``tsig-key``.
+When run as ``tsig-keygen``, a domain name can be specified on the
+command line to be used as the name of the generated key. If no
+name is specified, the default is ``tsig-key``.
+
+When run as ``ddns-confgen``, the key name can specified using ``-k``
+parameter and defaults to ``ddns-key``. The generated key is accompanied
+by configuration text and instructions that can be used with ``nsupdate``
+and ``named`` when setting up dynamic DNS, including an example
+``update-policy`` statement. (This usage is similar to the ``rndc-confgen``
+command for setting up command-channel security.)
+
+Note that ``named`` itself can configure a local DDNS key for use with
+``nsupdate -l``; it does this when a zone is configured with
+``update-policy local;``. ``ddns-confgen`` is only needed when a more
+elaborate configuration is required: for instance, if ``nsupdate`` is to
+be used from a remote system.
 
 Options
 ~~~~~~~
 
-.. option:: -a algorithm
-
+``-a algorithm``
    This option specifies the algorithm to use for the TSIG key. Available
    choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384,
    and hmac-sha512. The default is hmac-sha256. Options are
    case-insensitive, and the "hmac-" prefix may be omitted.
 
-.. option:: -h
-
+``-h``
    This option prints a short summary of options and arguments.
 
+``-k keyname``
+   This option specifies the key name of the DDNS authentication key. The
+   default is ``ddns-key`` when neither the ``-s`` nor ``-z`` option is
+   specified; otherwise, the default is ``ddns-key`` as a separate label
+   followed by the argument of the option, e.g., ``ddns-key.example.com.``
+   The key name must have the format of a valid domain name, consisting of
+   letters, digits, hyphens, and periods.
+
+``-q`` (``ddns-confgen`` only)
+   This option enables quiet mode, which prints only the key, with no
+   explanatory text or usage examples. This is essentially identical to
+   ``tsig-keygen``.
+
+``-s name`` (``ddns-confgen`` only)
+   This option generates a configuration example to allow dynamic updates
+   of a single hostname. The example ``named.conf`` text shows how to set
+   an update policy for the specified name using the "name" nametype. The
+   default key name is ``ddns-key.name``. Note that the "self" nametype
+   cannot be used, since the name to be updated may differ from the key
+   name. This option cannot be used with the ``-z`` option.
+
+``-z zone`` (``ddns-confgen`` only)
+   This option generates a configuration example to allow
+   dynamic updates of a zone. The example ``named.conf`` text shows how
+   to set an update policy for the specified zone using the "zonesub"
+   nametype, allowing updates to all subdomain names within that zone.
+   This option cannot be used with the ``-s`` option.
+
 See Also
 ~~~~~~~~
 
-:iscman:`nsupdate(1) <nsupdate>`, :iscman:`named.conf(5) <named.conf>`, :iscman:`named(8) <named>`, BIND 9 Administrator Reference Manual.
+:manpage:`nsupdate(1)`, :manpage:`named.conf(5)`, :manpage:`named(8)`, BIND 9 Administrator Reference Manual.

bin/confgen/util.c

@@ -1,8 +1,6 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
- * SPDX-License-Identifier: MPL-2.0
- *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, you can obtain one at https://mozilla.org/MPL/2.0/.
@@ -13,15 +11,13 @@
 
 /*! \file */
 
+#include "util.h"
 #include <stdarg.h>
 #include <stdbool.h>
 #include <stdio.h>
 #include <stdlib.h>
-#include <unistd.h>
 
-#include <isc/tls.h>
-
-#include "util.h"
+#include <isc/print.h>
 
 extern bool verbose;
 extern const char *progname;
@@ -47,5 +43,5 @@ fatal(const char *format, ...) {
 	vfprintf(stderr, format, args);
 	va_end(args);
 	fprintf(stderr, "\n");
-	_exit(EXIT_FAILURE);
+	exit(1);
 }

bin/confgen/util.h

@@ -1,8 +1,6 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
- * SPDX-License-Identifier: MPL-2.0
- *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, you can obtain one at https://mozilla.org/MPL/2.0/.
@@ -11,7 +9,8 @@
  * information regarding copyright ownership.
  */
 
-#pragma once
+#ifndef RNDC_UTIL_H
+#define RNDC_UTIL_H 1
 
 /*! \file */
 
@@ -36,7 +35,9 @@ ISC_LANG_BEGINDECLS
 void
 notify(const char *fmt, ...) ISC_FORMAT_PRINTF(1, 2);
 
-noreturn void
+ISC_NORETURN void
 fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
 
 ISC_LANG_ENDDECLS
+
+#endif /* RNDC_UTIL_H */

bin/delv/Makefile.am

@@ -4,9 +4,8 @@ AM_CPPFLAGS +=				\
 	-I$(top_builddir)/include	\
 	$(LIBISC_CFLAGS)		\
 	$(LIBDNS_CFLAGS)		\
-	$(LIBNS_CFLAGS)			\
 	$(LIBISCCFG_CFLAGS)		\
-	$(OPENSSL_CFLAGS)
+	$(LIBIRS_CFLAGS)
 
 AM_CPPFLAGS +=				\
 	-DSYSCONFDIR=\"${sysconfdir}\"
@@ -15,9 +14,8 @@ bin_PROGRAMS = delv
 
 delv_SOURCES =				\
 	delv.c
-
 delv_LDADD =				\
 	$(LIBISC_LIBS)			\
 	$(LIBDNS_LIBS)			\
-	$(LIBNS_LIBS)			\
-	$(LIBISCCFG_LIBS)
+	$(LIBISCCFG_LIBS)		\
+	$(LIBIRS_LIBS)

bin/delv/delv.rst

@@ -1,18 +1,26 @@
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+.. 
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+   
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, you can obtain one at https://mozilla.org/MPL/2.0/.
+   
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
 ..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0.  If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
 
 .. highlight: console
 
-.. iscman:: delv
-.. program:: delv
 .. _man_delv:
 
 delv - DNS lookup and validation utility
@@ -32,10 +40,10 @@ Synopsis
 Description
 ~~~~~~~~~~~
 
-:program:`delv` is a tool for sending DNS queries and validating the results,
-using the same internal resolver and validator logic as :iscman:`named`.
+``delv`` is a tool for sending DNS queries and validating the results,
+using the same internal resolver and validator logic as ``named``.
 
-:program:`delv` sends to a specified name server all queries needed to
+``delv`` sends to a specified name server all queries needed to
 fetch and validate the requested data; this includes the original
 requested query, subsequent queries to follow CNAME or DNAME chains,
 queries for DNSKEY, and DS records to establish a chain of trust for
@@ -44,25 +52,25 @@ simulates the behavior of a name server configured for DNSSEC validating
 and forwarding.
 
 By default, responses are validated using the built-in DNSSEC trust anchor
-for the root zone ("."). Records returned by :program:`delv` are either fully
+for the root zone ("."). Records returned by ``delv`` are either fully
 validated or were not signed. If validation fails, an explanation of the
 failure is included in the output; the validation process can be traced
-in detail. Because :program:`delv` does not rely on an external server to carry
+in detail. Because ``delv`` does not rely on an external server to carry
 out validation, it can be used to check the validity of DNS responses in
 environments where local name servers may not be trustworthy.
 
-Unless it is told to query a specific name server, :program:`delv` tries
+Unless it is told to query a specific name server, ``delv`` tries
 each of the servers listed in ``/etc/resolv.conf``. If no usable server
-addresses are found, :program:`delv` sends queries to the localhost
+addresses are found, ``delv`` sends queries to the localhost
 addresses (127.0.0.1 for IPv4, ::1 for IPv6).
 
-When no command-line arguments or options are given, :program:`delv`
+When no command-line arguments or options are given, ``delv``
 performs an NS query for "." (the root zone).
 
 Simple Usage
 ~~~~~~~~~~~~
 
-A typical invocation of :program:`delv` looks like:
+A typical invocation of ``delv`` looks like:
 
 ::
 
@@ -70,143 +78,125 @@ A typical invocation of :program:`delv` looks like:
 
 where:
 
-.. option:: server
-
+``server``
    is the name or IP address of the name server to query. This can be an
    IPv4 address in dotted-decimal notation or an IPv6 address in
    colon-delimited notation. When the supplied ``server`` argument is a
-   hostname, :program:`delv` resolves that name before querying that name
+   hostname, ``delv`` resolves that name before querying that name
    server (note, however, that this initial lookup is *not* validated by
    DNSSEC).
 
-   If no ``server`` argument is provided, :program:`delv` consults
+   If no ``server`` argument is provided, ``delv`` consults
    ``/etc/resolv.conf``; if an address is found there, it queries the
-   name server at that address. If either of the :option:`-4` or :option:`-6`
+   name server at that address. If either of the ``-4`` or ``-6``
    options is in use, then only addresses for the corresponding
-   transport are tried. If no usable addresses are found, :program:`delv`
+   transport are tried. If no usable addresses are found, ``delv``
    sends queries to the localhost addresses (127.0.0.1 for IPv4, ::1
    for IPv6).
 
-.. option:: name
-
+``name``
    is the domain name to be looked up.
 
-.. option:: type
-
+``type``
    indicates what type of query is required - ANY, A, MX, etc.
    ``type`` can be any valid query type. If no ``type`` argument is
-   supplied, :program:`delv` performs a lookup for an A record.
+   supplied, ``delv`` performs a lookup for an A record.
 
 Options
 ~~~~~~~
 
-.. option:: -a anchor-file
+``-a anchor-file``
+   This option specifies a file from which to read DNSSEC trust anchors. The default
+   is ``/etc/bind.keys``, which is included with BIND 9 and contains one
+   or more trust anchors for the root zone (".").
 
-   This option specifies a file from which to read an alternate
-   DNSSEC root zone trust anchor.
+   Keys that do not match the root zone name are ignored. An alternate
+   key name can be specified using the ``+root=NAME`` options.
 
-   By default, keys that do not match the root zone name (`.`) are
-   ignored. If an alternate key name is desired, it can be
-   specified using the :option:`+root` option.
-
-   Note: When reading trust anchors, :program:`delv` treats
-   ``trust-anchors``, ``initial-key``, and ``static-key`` identically. That
-   is, for a managed key, it is the *initial* key that is trusted;
-   :rfc:`5011` key management is not supported. :program:`delv` does not
-   consult the managed-keys database maintained by :iscman:`named`. This
-   means that if the default key built in to :program:`delv` is revoked,
-   :program:`delv` must be updated to a newer version in order to continue
-   validating.
-
-.. option:: -b address
+   Note: When reading the trust anchor file, ``delv`` treats ``trust-anchors``,
+   ``initial-key``, and ``static-key`` identically. That is, for a managed key,
+   it is the *initial* key that is trusted; :rfc:`5011` key management is not
+   supported. ``delv`` does not consult the managed-keys database maintained by
+   ``named``, which means that if either of the keys in ``/etc/bind.keys`` is
+   revoked and rolled over, ``/etc/bind.keys`` must be updated to
+   use DNSSEC validation in ``delv``.
 
+``-b address``
    This option sets the source IP address of the query to ``address``. This must be
    a valid address on one of the host's network interfaces, or ``0.0.0.0``,
    or ``::``. An optional source port may be specified by appending
    ``#<port>``
 
-.. option:: -c class
-
+``-c class``
    This option sets the query class for the requested data. Currently, only class
-   "IN" is supported in :program:`delv` and any other value is ignored.
-
-.. option:: -d level
+   "IN" is supported in ``delv`` and any other value is ignored.
 
+``-d level``
    This option sets the systemwide debug level to ``level``. The allowed range is
    from 0 to 99. The default is 0 (no debugging). Debugging traces from
-   :program:`delv` become more verbose as the debug level increases. See the
-   :option:`+mtrace`, :option:`+rtrace`, and :option:`+vtrace` options below for
+   ``delv`` become more verbose as the debug level increases. See the
+   ``+mtrace``, ``+rtrace``, and ``+vtrace`` options below for
    additional debugging details.
 
-.. option:: -h
-
-   This option displays the :program:`delv` help usage output and exits.
-
-.. option:: -i
+``-h``
+   This option displays the ``delv`` help usage output and exits.
 
+``-i``
    This option sets insecure mode, which disables internal DNSSEC validation. (Note,
    however, that this does not set the CD bit on upstream queries. If the
    server being queried is performing DNSSEC validation, then it does
-   not return invalid data; this can cause :program:`delv` to time out. When it
+   not return invalid data; this can cause ``delv`` to time out. When it
    is necessary to examine invalid data to debug a DNSSEC problem, use
-   :option:`dig +cd`.)
-
-.. option:: -m
+   ``dig +cd``.)
 
+``-m``
    This option enables memory usage debugging.
 
-.. option:: -p port#
-
+``-p port#``
    This option specifies a destination port to use for queries, instead of the
    standard DNS port number 53. This option is used with a name
    server that has been configured to listen for queries on a
    non-standard port number.
 
-.. option:: -q name
-
+``-q name``
    This option sets the query name to ``name``. While the query name can be
-   specified without using the :option:`-q` option, it is sometimes necessary to
+   specified without using the ``-q`` option, it is sometimes necessary to
    disambiguate names from types or classes (for example, when looking
    up the name "ns", which could be misinterpreted as the type NS, or
    "ch", which could be misinterpreted as class CH).
 
-.. option:: -t type
-
+``-t type``
    This option sets the query type to ``type``, which can be any valid query type
    supported in BIND 9 except for zone transfer types AXFR and IXFR. As
-   with :option:`-q`, this is useful to distinguish query-name types or classes
+   with ``-q``, this is useful to distinguish query-name types or classes
    when they are ambiguous. It is sometimes necessary to disambiguate
    names from types.
 
-   The default query type is "A", unless the :option:`-x` option is supplied
+   The default query type is "A", unless the ``-x`` option is supplied
    to indicate a reverse lookup, in which case it is "PTR".
 
-.. option:: -v
-
-   This option prints the :program:`delv` version and exits.
-
-.. option:: -x addr
+``-v``
+   This option prints the ``delv`` version and exits.
 
+``-x addr``
    This option performs a reverse lookup, mapping an address to a name. ``addr``
    is an IPv4 address in dotted-decimal notation, or a colon-delimited
-   IPv6 address. When :option:`-x` is used, there is no need to provide the
-   ``name`` or ``type`` arguments; :program:`delv` automatically performs a
+   IPv6 address. When ``-x`` is used, there is no need to provide the
+   ``name`` or ``type`` arguments; ``delv`` automatically performs a
    lookup for a name like ``11.12.13.10.in-addr.arpa`` and sets the
    query type to PTR. IPv6 addresses are looked up using nibble format
    under the IP6.ARPA domain.
 
-.. option:: -4
+``-4``
+   This option forces ``delv`` to only use IPv4.
 
-   This option forces :program:`delv` to only use IPv4.
-
-.. option:: -6
-
-   This option forces :program:`delv` to only use IPv6.
+``-6``
+   This option forces ``delv`` to only use IPv6.
 
 Query Options
 ~~~~~~~~~~~~~
 
-:program:`delv` provides a number of query options which affect the way results
+``delv`` provides a number of query options which affect the way results
 are displayed, and in some cases the way lookups are performed.
 
 Each query option is identified by a keyword preceded by a plus sign
@@ -215,121 +205,69 @@ the string ``no`` to negate the meaning of that keyword. Other keywords
 assign values to options like the timeout interval. They have the form
 ``+keyword=value``. The query options are:
 
-.. option:: +cdflag, +nocdflag
-
+``+[no]cdflag``
    This option controls whether to set the CD (checking disabled) bit in queries
-   sent by :program:`delv`. This may be useful when troubleshooting DNSSEC
+   sent by ``delv``. This may be useful when troubleshooting DNSSEC
    problems from behind a validating resolver. A validating resolver
    blocks invalid responses, making it difficult to retrieve them
    for analysis. Setting the CD flag on queries causes the resolver
-   to return invalid responses, which :program:`delv` can then validate
+   to return invalid responses, which ``delv`` can then validate
    internally and report the errors in detail.
 
-.. option:: +class, +noclass
-
+``+[no]class``
    This option controls whether to display the CLASS when printing a record. The
    default is to display the CLASS.
 
-.. option:: +hint=FILE, +nohint
-
-   This option specifies a filename from which to load root hints;
-   this will be used to find the root name servers when name server
-   mode (``delv +ns``) is in use. If the option is not specified,
-   built-in root hints will be used.
-
-.. option:: +ns, +nons
-
-   This option toggles name server mode. When this option is in use,
-   the ``delv`` process instantiates a full recursive resolver, and uses
-   that to look up the requested query name and type. Turning on this
-   option also activates ``+mtrace``, ``+strace`` and ``+rtrace``, so that
-   every iterative query will be logged, including the full response messages
-   from each authoritatve server.  These logged messages will be written
-   to ``stdout`` rather than ``stderr`` as usual, so that the full trace
-   can be captured more easily.
-
-   This is intended to be similar to the behavior of ``dig +trace``, but
-   because it uses the same code as ``named``, it much more accurately
-   replicates the behavior of a recursive name server with a cold cache
-   that is processing a recursive query.
-
-.. option:: +qmin[=MODE], +noqmin
-
-   When used with ``+ns``, this option enables QNAME minimization mode.
-   Valid options of MODE are ``relaxed`` and ``strict``. By default,
-   QNAME minimization is disabled.  If ``+qmin`` is specified but MODE
-   is omitted, then ``relaxed`` mode will be used.
-
-.. option:: +ttl, +nottl
-
+``+[no]ttl``
    This option controls whether to display the TTL when printing a record. The
    default is to display the TTL.
 
-.. option:: +rtrace, +nortrace
-
-   This option toggles resolver fetch logging. This reports the name and
-   type of each query sent by :program:`delv` in the process of carrying
-   out the resolution and validation process, including the original query
-   and all subsequent queries to follow CNAMEs and to establish a chain of
-   trust for DNSSEC validation.
+``+[no]rtrace``
+   This option toggles resolver fetch logging. This reports the name and type of each
+   query sent by ``delv`` in the process of carrying out the resolution
+   and validation process, including the original query
+   and all subsequent queries to follow CNAMEs and to establish a chain
+   of trust for DNSSEC validation.
 
    This is equivalent to setting the debug level to 1 in the "resolver"
    logging category. Setting the systemwide debug level to 1 using the
-   :option:`-d` option produces the same output, but affects other
+   ``-d`` option produces the same output, but affects other
    logging categories as well.
 
-.. option:: +mtrace, +nomtrace
-
-   This option toggles logging of messages received. This produces
-   a detailed dump of the responses received by :program:`delv` in the
-   process of carrying out the resolution and validation process.
+``+[no]mtrace``
+   This option toggles message logging. This produces a detailed dump of the
+   responses received by ``delv`` in the process of carrying out the
+   resolution and validation process.
 
    This is equivalent to setting the debug level to 10 for the "packets"
    module of the "resolver" logging category. Setting the systemwide
-   debug level to 10 using the :option:`-d` option produces the same
+   debug level to 10 using the ``-d`` option produces the same
    output, but affects other logging categories as well.
 
-.. option:: +strace, +nostrace
-
-   This option toggles logging of messages sent. This produces a detailed
-   dump of the queries sent by :program:`delv` in the process of carrying
-   out the resolution and validation process. Turning on this option
-   also activates ``+mtrace``.
-
-   This is equivalent to setting the debug level to 11 for the "packets"
-   module of the "resolver" logging category. Setting the systemwide
-   debug level to 11 using the :option:`-d` option produces the same
-   output, but affects other logging categories as well.
-
-.. option:: +vtrace, +novtrace
-
+``+[no]vtrace``
    This option toggles validation logging. This shows the internal process of the
    validator as it determines whether an answer is validly signed,
    unsigned, or invalid.
 
    This is equivalent to setting the debug level to 3 for the
    "validator" module of the "dnssec" logging category. Setting the
-   systemwide debug level to 3 using the :option:`-d` option produces the
+   systemwide debug level to 3 using the ``-d`` option produces the
    same output, but affects other logging categories as well.
 
-.. option:: +short, +noshort
-
+``+[no]short``
    This option toggles between verbose and terse answers. The default is to print the answer in a
    verbose form.
 
-.. option:: +comments, +nocomments
-
+``+[no]comments``
    This option toggles the display of comment lines in the output. The default is to
    print comments.
 
-.. option:: +rrcomments, +norrcomments
-
+``+[no]rrcomments``
    This option toggles the display of per-record comments in the output (for example,
    human-readable key information about DNSKEY records). The default is
    to print per-record comments.
 
-.. option:: +crypto, +nocrypto
-
+``+[no]crypto``
    This option toggles the display of cryptographic fields in DNSSEC records. The
    contents of these fields are unnecessary to debug most DNSSEC
    validation failures and removing them makes it easier to see the
@@ -337,86 +275,62 @@ assign values to options like the timeout interval. They have the form
    they are replaced by the string ``[omitted]`` or, in the DNSKEY case, the
    key ID is displayed as the replacement, e.g. ``[ key id = value ]``.
 
-.. option:: +restarts
-
-   When name server mode (``delv +ns``) is in use, this option sets the
-   maximum number of CNAME queries to follow before terminating resolution.
-   This prevents ``delv`` from hanging in the event of a CNAME loop.
-   The default is 11.
-
-.. option:: +maxqueries
-
-   This option specifies the maximum number of queries to send to resolve
-   a name before giving up. The default is 50.
-
-.. option:: +maxtotalqueries
-
-   This option specifies the maximum number of queries to send to resolve
-   a client request before giving up. The default is 200.
-
-.. option:: +trust, +notrust
-
+``+[no]trust``
    This option controls whether to display the trust level when printing a record.
    The default is to display the trust level.
 
-.. option:: +split[=W], +nosplit
-
+``+[no]split[=W]``
    This option splits long hex- or base64-formatted fields in resource records into
    chunks of ``W`` characters (where ``W`` is rounded up to the nearest
    multiple of 4). ``+nosplit`` or ``+split=0`` causes fields not to be
    split at all. The default is 56 characters, or 44 characters when
    multiline mode is active.
 
-.. option:: +all, +noall
-
-   This option sets or clears the display options :option:`+comments`,
-   :option:`+rrcomments`, and :option:`+trust` as a group.
-
-.. option:: +multiline, +nomultiline
+``+[no]all``
+   This option sets or clears the display options ``+[no]comments``,
+   ``+[no]rrcomments``, and ``+[no]trust`` as a group.
 
+``+[no]multiline``
    This option prints long records (such as RRSIG, DNSKEY, and SOA records) in a
    verbose multi-line format with human-readable comments. The default
    is to print each record on a single line, to facilitate machine
-   parsing of the :program:`delv` output.
+   parsing of the ``delv`` output.
 
-.. option:: +dnssec, +nodnssec
-
-   This option indicates whether to display RRSIG records in the :program:`delv` output.
-   The default is to do so. Note that (unlike in :iscman:`dig`) this does
+``+[no]dnssec``
+   This option indicates whether to display RRSIG records in the ``delv`` output.
+   The default is to do so. Note that (unlike in ``dig``) this does
    *not* control whether to request DNSSEC records or to
    validate them. DNSSEC records are always requested, and validation
-   always occurs unless suppressed by the use of :option:`-i` or
-   :option:`+noroot`.
-
-.. option:: +root[=ROOT], +noroot
+   always occurs unless suppressed by the use of ``-i`` or
+   ``+noroot``.
 
+``+[no]root[=ROOT]``
    This option indicates whether to perform conventional DNSSEC validation, and if so,
    specifies the name of a trust anchor. The default is to validate using a
    trust anchor of "." (the root zone), for which there is a built-in key. If
-   specifying a different trust anchor, then :option:`-a` must be used to specify a
+   specifying a different trust anchor, then ``-a`` must be used to specify a
    file containing the key.
 
-.. option:: +tcp, +notcp
-
+``+[no]tcp``
    This option controls whether to use TCP when sending queries. The default is to
    use UDP unless a truncated response has been received.
 
-.. option:: +unknownformat, +nounknownformat
-
+``+[no]unknownformat``
    This option prints all RDATA in unknown RR-type presentation format (:rfc:`3597`).
    The default is to print RDATA for known types in the type's
    presentation format.
 
-.. option:: +yaml, +noyaml
-
+``+[no]yaml``
    This option prints response data in YAML format.
 
 Files
 ~~~~~
 
+``/etc/bind.keys``
+
 ``/etc/resolv.conf``
 
 See Also
 ~~~~~~~~
 
-:iscman:`dig(1) <dig>`, :iscman:`named(8) <named>`, :rfc:`4034`, :rfc:`4035`, :rfc:`4431`, :rfc:`5074`, :rfc:`5155`.
+:manpage:`dig(1)`, :manpage:`named(8)`, :rfc:`4034`, :rfc:`4035`, :rfc:`4431`, :rfc:`5074`, :rfc:`5155`.

bin/dig/Makefile.am

@@ -4,15 +4,17 @@ AM_CPPFLAGS +=			\
 	$(LIBISC_CFLAGS)	\
 	$(LIBDNS_CFLAGS)	\
 	$(LIBISCCFG_CFLAGS)	\
-	$(LIBIDN2_CFLAGS)	\
-	$(LIBUV_CFLAGS)		\
-	$(OPENSSL_CFLAGS)
+	$(LIBIRS_CFLAGS)	\
+	$(LIBBIND9_CFLAGS)	\
+	$(LIBIDN2_CFLAGS)
 
 LDADD +=			\
 	libdighost.la		\
 	$(LIBISC_LIBS)		\
 	$(LIBDNS_LIBS)		\
 	$(LIBISCCFG_LIBS)	\
+	$(LIBIRS_LIBS)		\
+	$(LIBBIND9_LIBS)	\
 	$(LIBIDN2_LIBS)
 
 noinst_LTLIBRARIES = libdighost.la

bin/dig/dig.rst

@@ -1,18 +1,26 @@
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+.. 
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+   
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, you can obtain one at https://mozilla.org/MPL/2.0/.
+   
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
 ..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0.  If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
 
 .. highlight: console
 
-.. iscman:: dig
-.. program:: dig
 .. _man_dig:
 
 dig - DNS lookup utility
@@ -29,41 +37,41 @@ Synopsis
 Description
 ~~~~~~~~~~~
 
-:program:`dig` is a flexible tool for interrogating DNS name servers. It
+``dig`` is a flexible tool for interrogating DNS name servers. It
 performs DNS lookups and displays the answers that are returned from the
-name server(s) that were queried. Most DNS administrators use :program:`dig` to
+name server(s) that were queried. Most DNS administrators use ``dig`` to
 troubleshoot DNS problems because of its flexibility, ease of use, and
 clarity of output. Other lookup tools tend to have less functionality
-than :program:`dig`.
+than ``dig``.
 
-Although :program:`dig` is normally used with command-line arguments, it also
+Although ``dig`` is normally used with command-line arguments, it also
 has a batch mode of operation for reading lookup requests from a file. A
 brief summary of its command-line arguments and options is printed when
-the :option:`-h` option is given. The BIND 9
-implementation of :program:`dig` allows multiple lookups to be issued from the
+the ``-h`` option is given. The BIND 9
+implementation of ``dig`` allows multiple lookups to be issued from the
 command line.
 
-Unless it is told to query a specific name server, :program:`dig` tries each
+Unless it is told to query a specific name server, ``dig`` tries each
 of the servers listed in ``/etc/resolv.conf``. If no usable server
-addresses are found, :program:`dig` sends the query to the local host.
+addresses are found, ``dig`` sends the query to the local host.
 
-When no command-line arguments or options are given, :program:`dig`
+When no command-line arguments or options are given, ``dig``
 performs an NS query for "." (the root).
 
-It is possible to set per-user defaults for :program:`dig` via
+It is possible to set per-user defaults for ``dig`` via
 ``${HOME}/.digrc``. This file is read and any options in it are applied
-before the command-line arguments. The :option:`-r` option disables this
+before the command-line arguments. The ``-r`` option disables this
 feature, for scripts that need predictable behavior.
 
 The IN and CH class names overlap with the IN and CH top-level domain
-names. Either use the :option:`-t` and :option:`-c` options to specify the type and
-class, use the :option:`-q` to specify the domain name, or use "IN." and
+names. Either use the ``-t`` and ``-c`` options to specify the type and
+class, use the ``-q`` to specify the domain name, or use "IN." and
 "CH." when looking up these top-level domains.
 
 Simple Usage
 ~~~~~~~~~~~~
 
-A typical invocation of :program:`dig` looks like:
+A typical invocation of ``dig`` looks like:
 
 ::
 
@@ -71,103 +79,83 @@ A typical invocation of :program:`dig` looks like:
 
 where:
 
-.. option:: server
-
+``server``
    is the name or IP address of the name server to query. This can be an
    IPv4 address in dotted-decimal notation or an IPv6 address in
    colon-delimited notation. When the supplied ``server`` argument is a
-   hostname, :program:`dig` resolves that name before querying that name
+   hostname, ``dig`` resolves that name before querying that name
    server.
 
-   If no ``server`` argument is provided, :program:`dig` consults
+   If no ``server`` argument is provided, ``dig`` consults
    ``/etc/resolv.conf``; if an address is found there, it queries the
-   name server at that address. If either of the :option:`-4` or :option:`-6`
+   name server at that address. If either of the ``-4`` or ``-6``
    options are in use, then only addresses for the corresponding
-   transport are tried. If no usable addresses are found, :program:`dig`
+   transport are tried. If no usable addresses are found, ``dig``
    sends the query to the local host. The reply from the name server
    that responds is displayed.
 
-.. option:: name
-
+``name``
    is the name of the resource record that is to be looked up.
 
-.. option:: type
-
+``type``
    indicates what type of query is required - ANY, A, MX, SIG, etc.
    ``type`` can be any valid query type. If no ``type`` argument is
-   supplied, :program:`dig` performs a lookup for an A record.
+   supplied, ``dig`` performs a lookup for an A record.
 
 Options
 ~~~~~~~
 
-.. option:: -4
-
+``-4``
    This option indicates that only IPv4 should be used.
 
-.. option:: -6
-
+``-6``
    This option indicates that only IPv6 should be used.
 
-.. option:: -b address[#port]
-
+``-b address[#port]``
    This option sets the source IP address of the query. The ``address`` must be a
    valid address on one of the host's network interfaces, or "0.0.0.0"
    or "::". An optional port may be specified by appending ``#port``.
 
-.. option:: -c class
-
+``-c class``
    This option sets the query class. The default ``class`` is IN; other classes are
    HS for Hesiod records or CH for Chaosnet records.
 
-.. option:: -f file
-
-   This option sets batch mode, in which :program:`dig` reads a list of lookup requests to process from
+``-f file``
+   This option sets batch mode, in which ``dig`` reads a list of lookup requests to process from
    the given ``file``. Each line in the file should be organized in the
-   same way it would be presented as a query to :program:`dig` using the
+   same way it would be presented as a query to ``dig`` using the
    command-line interface.
 
-.. option:: -h
-
-   Print a usage summary.
-
-.. option:: -k keyfile
-
-   This option tells :program:`dig` to sign queries using TSIG or
-   SIG(0) using a key read from the given file. Key files can be
-   generated using :iscman:`tsig-keygen`. When using TSIG authentication
-   with :program:`dig`, the name server that is queried needs to
-   know the key and algorithm that is being used. In BIND, this is
-   done by providing appropriate ``key`` and ``server`` statements
-   in :iscman:`named.conf` for TSIG and by looking up the KEY record
-   in zone data for SIG(0).
-
-.. option:: -m
+``-k keyfile``
+   This option tells ``named`` to sign queries using TSIG using a key read from the given file. Key
+   files can be generated using ``tsig-keygen``. When using TSIG
+   authentication with ``dig``, the name server that is queried needs to
+   know the key and algorithm that is being used. In BIND, this is done
+   by providing appropriate ``key`` and ``server`` statements in
+   ``named.conf``.
 
+``-m``
    This option enables memory usage debugging.
 
-.. option:: -p port
-
+``-p port``
    This option sends the query to a non-standard port on the server, instead of the
    default port 53. This option is used to test a name server that
    has been configured to listen for queries on a non-standard port
    number.
 
-.. option:: -q name
-
+``-q name``
    This option specifies the domain name to query. This is useful to distinguish the ``name``
    from other arguments.
 
-.. option:: -r
-
+``-r``
    This option indicates that options from ``${HOME}/.digrc`` should not be read. This is useful for
    scripts that need predictable behavior.
 
-.. option:: -t type
-
+``-t type``
    This option indicates the resource record type to query, which can be any valid query type. If
    it is a resource record type supported in BIND 9, it can be given by
    the type mnemonic (such as ``NS`` or ``AAAA``). The default query type is
-   ``A``, unless the :option:`-x` option is supplied to indicate a reverse
+   ``A``, unless the ``-x`` option is supplied to indicate a reverse
    lookup. A zone transfer can be requested by specifying a type of
    AXFR. When an incremental zone transfer (IXFR) is required, set the
    ``type`` to ``ixfr=N``. The incremental zone transfer contains
@@ -178,27 +166,23 @@ Options
    the number of the type. If the resource record type is not supported
    in BIND 9, the result is displayed as described in :rfc:`3597`.
 
-.. option:: -u
-
+``-u``
    This option indicates that print query times should be provided in microseconds instead of milliseconds.
 
-.. option:: -v
-
+``-v``
    This option prints the version number and exits.
 
-.. option:: -x addr
-
+``-x addr``
    This option sets simplified reverse lookups, for mapping addresses to names. The
    ``addr`` is an IPv4 address in dotted-decimal notation, or a
-   colon-delimited IPv6 address. When the :option:`-x` option is used, there is no
+   colon-delimited IPv6 address. When the ``-x`` option is used, there is no
    need to provide the ``name``, ``class``, and ``type`` arguments.
-   :program:`dig` automatically performs a lookup for a name like
+   ``dig`` automatically performs a lookup for a name like
    ``94.2.0.192.in-addr.arpa`` and sets the query type and class to PTR
    and IN respectively. IPv6 addresses are looked up using nibble format
    under the IP6.ARPA domain.
 
-.. option:: -y [hmac:]keyname:secret
-
+``-y [hmac:]keyname:secret``
    This option signs queries using TSIG with the given authentication key.
    ``keyname`` is the name of the key, and ``secret`` is the
    base64-encoded shared secret. ``hmac`` is the name of the key algorithm;
@@ -207,15 +191,15 @@ Options
    not specified, the default is ``hmac-md5``; if MD5 was disabled, the default is
    ``hmac-sha256``.
 
-.. note:: Only the :option:`-k` option should be used, rather than the :option:`-y` option,
-   because with :option:`-y` the shared secret is supplied as a command-line
+.. note:: Only the ``-k`` option should be used, rather than the ``-y`` option,
+   because with ``-y`` the shared secret is supplied as a command-line
    argument in clear text. This may be visible in the output from ``ps1`` or
    in a history file maintained by the user's shell.
 
 Query Options
 ~~~~~~~~~~~~~
 
-:program:`dig` provides a number of query options which affect the way in which
+``dig`` provides a number of query options which affect the way in which
 lookups are made and the results displayed. Some of these set or reset
 flag bits in the query header, some determine which sections of the
 answer get printed, and others determine the timeout and retry
@@ -226,24 +210,20 @@ Each query option is identified by a keyword preceded by a plus sign
 the string ``no`` to negate the meaning of that keyword. Other keywords
 assign values to options, like the timeout interval. They have the form
 ``+keyword=value``. Keywords may be abbreviated, provided the
-abbreviation is unambiguous; for example, :option:`+cd` is equivalent to
-:option:`+cdflag`. The query options are:
+abbreviation is unambiguous; for example, ``+cd`` is equivalent to
+``+cdflag``. The query options are:
 
-.. option:: +aaflag, +noaaflag
-
-   This option is a synonym for :option:`+aaonly`, :option:`+noaaonly`.
-
-.. option:: +aaonly, +noaaonly
+``+[no]aaflag``
+   This option is a synonym for ``+[no]aaonly``.
 
+``+[no]aaonly``
    This option sets the ``aa`` flag in the query.
 
-.. option:: +additional, +noadditional
-
+``+[no]additional``
    This option displays [or does not display] the additional section of a reply. The
    default is to display it.
 
-.. option:: +adflag, +noadflag
-
+``+[no]adflag``
    This option sets [or does not set] the AD (authentic data) bit in the query. This
    requests the server to return whether all of the answer and authority
    sections have been validated as secure, according to the security
@@ -252,73 +232,61 @@ abbreviation is unambiguous; for example, :option:`+cd` is equivalent to
    indicates that some part of the answer was insecure or not validated.
    This bit is set by default.
 
-.. option:: +all, +noall
-
+``+[no]all``
    This option sets or clears all display flags.
 
-.. option:: +answer, +noanswer
-
+``+[no]answer``
    This option displays [or does not display] the answer section of a reply. The default
    is to display it.
 
-.. option:: +authority, +noauthority
-
+``+[no]authority``
    This option displays [or does not display] the authority section of a reply. The
    default is to display it.
 
-.. option:: +badcookie, +nobadcookie
-
+``+[no]badcookie``
    This option retries the lookup with a new server cookie if a BADCOOKIE response is
    received.
 
-.. option:: +besteffort, +nobesteffort
-
+``+[no]besteffort``
    This option attempts to display the contents of messages which are malformed. The
    default is to not display malformed answers.
 
-.. option:: +bufsize[=B]
-
+``+bufsize[=B]``
    This option sets the UDP message buffer size advertised using EDNS0 to
    ``B`` bytes.  The maximum and minimum sizes of this buffer are 65535 and
    0, respectively.  ``+bufsize`` restores the default buffer size.
 
-.. option:: +cd, +cdflag, +nocdflag
-
+``+[no]cdflag``
    This option sets [or does not set] the CD (checking disabled) bit in the query. This
    requests the server to not perform DNSSEC validation of responses.
 
-.. option:: +class, +noclass
-
+``+[no]class``
    This option displays [or does not display] the CLASS when printing the record.
 
-.. option:: +cmd, +nocmd
-
+``+[no]cmd``
    This option toggles the printing of the initial comment in the output, identifying the
-   version of :program:`dig` and the query options that have been applied. This option
+   version of ``dig`` and the query options that have been applied. This option
    always has a global effect; it cannot be set globally and then overridden on a
    per-lookup basis. The default is to print this comment.
 
-.. option:: +comments, +nocomments
-
+``+[no]comments``
    This option toggles the display of some comment lines in the output, with
    information about the packet header and OPT pseudosection, and the names of
    the response section. The default is to print these comments.
 
    Other types of comments in the output are not affected by this option, but
    can be controlled using other command-line switches. These include
-   :option:`+cmd`, :option:`+question`, :option:`+stats`, and :option:`+rrcomments`.
-
-.. option:: +cookie=####, +nocookie
+   ``+[no]cmd``, ``+[no]question``, ``+[no]stats``, and ``+[no]rrcomments``.
 
+``+[no]cookie=####``
    This option sends [or does not send] a COOKIE EDNS option, with an optional value. Replaying a COOKIE
    from a previous response allows the server to identify a previous
    client. The default is ``+cookie``.
 
-   ``+cookie`` is also set when :option:`+trace` is set to better emulate the
+   ``+cookie`` is also set when ``+trace`` is set to better emulate the
    default queries from a nameserver.
 
-.. option:: +crypto, +nocrypto
-
+``+[no]crypto``
    This option toggles the display of cryptographic fields in DNSSEC records. The
    contents of these fields are unnecessary for debugging most DNSSEC
    validation failures and removing them makes it easier to see the
@@ -326,79 +294,63 @@ abbreviation is unambiguous; for example, :option:`+cd` is equivalent to
    they are replaced by the string ``[omitted]`` or, in the DNSKEY case, the
    key ID is displayed as the replacement, e.g. ``[ key id = value ]``.
 
-.. option:: +defname, +nodefname
-
-   This option, which is deprecated, is treated as a synonym for
-   :option:`+search`, :option:`+nosearch`.
-
-.. option:: +dns64prefix, +nodns64prefix
+``+[no]defname``
+   This option, which is deprecated, is treated as a synonym for ``+[no]search``.
 
+``+[no]dns64prefix``
    Lookup IPV4ONLY.ARPA AAAA and print any DNS64 prefixes found.
 
-.. option:: +dnssec, +do, +nodnssec, +nodo
-
+``+[no]dnssec``
    This option requests that DNSSEC records be sent by setting the DNSSEC OK (DO) bit in
    the OPT record in the additional section of the query.
 
-.. option:: +domain=somename
-
+``+domain=somename``
    This option sets the search list to contain the single domain ``somename``, as if
    specified in a ``domain`` directive in ``/etc/resolv.conf``, and
-   enables search list processing as if the :option:`+search` option were
+   enables search list processing as if the ``+search`` option were
    given.
 
-.. option:: +edns[=#], +noedns
+``+dscp=value``
+   This option sets the DSCP code point to be used when sending the query. Valid DSCP
+   code points are in the range [0...63]. By default no code point is
+   explicitly set.
 
+``+[no]edns[=#]``
    This option specifies the EDNS version to query with. Valid values are 0 to 255.
    Setting the EDNS version causes an EDNS query to be sent.
    ``+noedns`` clears the remembered EDNS version. EDNS is set to 0 by
    default.
 
-.. option:: +ednsflags[=#], +noednsflags
-
+``+[no]ednsflags[=#]``
    This option sets the must-be-zero EDNS flags bits (Z bits) to the specified value.
    Decimal, hex, and octal encodings are accepted. Setting a named flag
    (e.g., DO) is silently ignored. By default, no Z bits are set.
 
-.. option:: +ednsnegotiation, +noednsnegotiation
-
+``+[no]ednsnegotiation``
    This option enables/disables EDNS version negotiation. By default, EDNS version
    negotiation is enabled.
 
-.. option:: +ednsopt[=code[:value]], +noednsopt
-
+``+[no]ednsopt[=code[:value]]``
    This option specifies the EDNS option with code point ``code`` and an optional payload
    of ``value`` as a hexadecimal string. ``code`` can be either an EDNS
    option name (for example, ``NSID`` or ``ECS``) or an arbitrary
    numeric value. ``+noednsopt`` clears the EDNS options to be sent.
 
-.. option:: +expire, +noexpire
-
+``+[no]expire``
    This option sends an EDNS Expire option.
 
-.. option:: +fail, +nofail
-
-   This option indicates that :iscman:`named` should try [or not try] the next server if a SERVFAIL is received. The default is
+``+[no]fail``
+   This option indicates that ``named`` should try [or not try] the next server if a SERVFAIL is received. The default is
    to not try the next server, which is the reverse of normal stub
    resolver behavior.
 
-.. option:: +fuzztime[=value], +nofuzztime
-
-   This option allows the signing time to be specified when generating
-   signed messages.  If a value is specified it is the seconds since
-   00:00:00 January 1, 1970 UTC ignoring leap seconds.  If no value
-   is specified 1646972129 (Fri 11 Mar 2022 04:15:29 UTC) is used.
-   The default is ``+nofuzztime`` and the current time is used.
-
-.. option:: +header-only, +noheader-only
-
+``+[no]header-only``
    This option sends a query with a DNS header without a question section. The
    default is to add a question section. The query type and query name
    are ignored when this is set.
 
-.. option:: +https[=value], +nohttps
-
-   This option indicates whether to use DNS over HTTPS (DoH) when querying
+``+[no]https[=value]``
+   This option indicates whether to use DNS-over-HTTPS (DoH) when querying
    name servers.  When this option is in use, the port number defaults to 443.
    The HTTP POST request mode is used when sending the query.
 
@@ -406,99 +358,94 @@ abbreviation is unambiguous; for example, :option:`+cd` is equivalent to
    query URI; the default is ``/dns-query``. So, for example, ``dig
    @example.com +https`` will use the URI ``https://example.com/dns-query``.
 
-.. option:: +https-get[=value], +nohttps-get
-
-   Similar to :option:`+https`, except that the HTTP GET request mode is used
+``+[no]https-get[=value]``
+   Similar to ``+https``, except that the HTTP GET request mode is used
    when sending the query.
 
-.. option:: +https-post[=value], +nohttps-post
+``+[no]https-post[=value]``
+   Same as ``+https``.
 
-   Same as :option:`+https`.
-
-.. option:: +http-plain[=value], +nohttp-plain
-
-   Similar to :option:`+https`, except that HTTP queries will be sent over a
+``+[no]http-plain[=value]``
+   Similar to ``+https``, except that HTTP queries will be sent over a
    non-encrypted channel. When this option is in use, the port number
    defaults to 80 and the HTTP request mode is POST.
 
-.. option:: +http-plain-get[=value], +nohttp-plain-get
+``+[no]http-plain-get[=value]``
+   Similar to ``+http-plain``, except that the HTTP request mode is GET.
 
-   Similar to :option:`+http-plain`, except that the HTTP request mode is GET.
-
-.. option:: +http-plain-post[=value], +nohttp-plain-post
-
-   Same as :option:`+http-plain`.
-
-.. option:: +identify, +noidentify
+``+[no]http-plain-post[=value]``
+   Same as ``+http-plain``.
 
+``+[no]identify``
    This option shows [or does not show] the IP address and port number that
-   supplied the answer, when the :option:`+short` option is enabled. If short
+   supplied the answer, when the ``+short`` option is enabled. If short
    form answers are requested, the default is not to show the source
    address and port number of the server that provided the answer.
 
-.. option:: +idn, +noidn
+``+[no]idnin``
+   This option processes [or does not process] IDN domain names on input. This requires
+   ``IDN SUPPORT`` to have been enabled at compile time.
 
-   Enable or disable IDN processing. By default IDN is enabled for
-   input query names, and for display when the output is a terminal.
+   The default is to process IDN input when standard output is a tty.
+   The IDN processing on input is disabled when ``dig`` output is redirected
+   to files, pipes, and other non-tty file descriptors.
 
-   You can also turn off :program:`dig`'s IDN processing by setting
-   the ``IDN_DISABLE`` environment variable.
+``+[no]idnout``
+   This option converts [or does not convert] puny code on output. This requires
+   ``IDN SUPPORT`` to have been enabled at compile time.
 
-.. option:: +ignore, +noignore
+   The default is to process puny code on output when standard output is
+   a tty. The puny code processing on output is disabled when ``dig`` output
+   is redirected to files, pipes, and other non-tty file descriptors.
 
-   This option ignores [or does not ignore] truncation in UDP
-   responses instead of retrying with TCP. By default, TCP retries are
-   performed.
-
-.. option:: +keepalive, +nokeepalive
+``+[no]ignore``
+   This option ignores [or does not ignore] truncation in UDP responses instead of retrying with TCP. By
+   default, TCP retries are performed.
 
+``+[no]keepalive``
    This option sends [or does not send] an EDNS Keepalive option.
 
-.. option:: +keepopen, +nokeepopen
-
+``+[no]keepopen``
    This option keeps [or does not keep] the TCP socket open between queries, and reuses it rather than
    creating a new TCP socket for each lookup. The default is
    ``+nokeepopen``.
 
-.. option:: +multiline, +nomultiline
+``+[no]mapped``
+   This option allows [or does not allow] mapped IPv4-over-IPv6 addresses to be used. The default is
+   ``+mapped``.
 
+``+[no]multiline``
    This option prints [or does not print] records, like the SOA records, in a verbose multi-line format
    with human-readable comments. The default is to print each record on
-   a single line to facilitate machine parsing of the :program:`dig` output.
-
-.. option:: +ndots=D
+   a single line to facilitate machine parsing of the ``dig`` output.
 
+``+ndots=D``
    This option sets the number of dots (``D``) that must appear in ``name`` for
    it to be considered absolute. The default value is that defined using
    the ``ndots`` statement in ``/etc/resolv.conf``, or 1 if no ``ndots``
    statement is present. Names with fewer dots are interpreted as
    relative names, and are searched for in the domains listed in the
    ``search`` or ``domain`` directive in ``/etc/resolv.conf`` if
-   :option:`+search` is set.
-
-.. option:: +nsid, +nonsid
+   ``+search`` is set.
 
+``+[no]nsid``
    When enabled, this option includes an EDNS name server ID request when sending a query.
 
-.. option:: +nssearch, +nonssearch
-
-   When this option is set, :program:`dig` attempts to find the authoritative
+``+[no]nssearch``
+   When this option is set, ``dig`` attempts to find the authoritative
    name servers for the zone containing the name being looked up, and
    display the SOA record that each name server has for the zone.
    Addresses of servers that did not respond are also printed.
 
-.. option:: +onesoa, +noonesoa
-
+``+[no]onesoa``
    When enabled, this option prints only one (starting) SOA record when performing an AXFR. The
    default is to print both the starting and ending SOA records.
 
-.. option:: +opcode=value, +noopcode
-
+``+[no]opcode=value``
    When enabled, this option sets (restores) the DNS message opcode to the specified value. The
    default value is QUERY (0).
 
-.. option:: +padding=value
-
+``+padding=value``
    This option pads the size of the query packet using the EDNS Padding option to
    blocks of ``value`` bytes. For example, ``+padding=32`` causes a
    48-byte query to be padded to 64 bytes. The default block size is 0,
@@ -507,129 +454,75 @@ abbreviation is unambiguous; for example, :option:`+cd` is equivalent to
    mandatory. Responses to padded queries may also be padded, but only
    if the query uses TCP or DNS COOKIE.
 
-.. option:: +proxy[=src_addr[#src_port]-dst_addr[#dst_port]], +noproxy
-
-   When this option is set, :program:`dig` adds PROXYv2 headers to the
-   queries. When source and destination addresses are specified, the
-   headers contain them and use the ``PROXY`` command. It means for
-   the remote peer that the queries were sent on behalf of another
-   node and that the PROXYv2 header reflects the original connection
-   endpoints. The default source port is ``0`` and destination port is
-   `53`.
-
-   For encrypted DNS transports, to prevent accidental information
-   leakage, encryption is applied to the PROXYv2 headers: the headers
-   are sent right after the handshake process has been completed.
-
-   For plain DNS transports, no encryption is applied to the PROXYv2
-   headers.
-
-   If the addressees are omitted, PROXYv2 headers, that use the
-   ``LOCAL`` command set, are added instead. For the remote peer, that
-   means that the queries were sent on purpose without being relayed,
-   so the real connection endpoint addresses must be used.
-
-.. option:: +proxy-plain[=src_addr[#src_port]-dst_addr[#dst_port], +noproxy-plain
-
-   The same as ``+[no]proxy``, but instructs ``dig`` to send PROXYv2
-   headers ahead of any encryption, before any handshake messages are
-   sent. That makes :program:`dig` behave exactly how it is described
-   in the PROXY protocol specification, but not all software expects
-   such behaviour.
-
-   Please consult the software documentation to find out if you need
-   this option. (for example, ``dnsdist`` expects encrypted PROXYv2
-   headers sent over TLS when encryption is used, while ``HAProxy``
-   and many other software packages expect plain ones).
-
-   For plain DNS transports the option is effectively an alias for the
-   ``+[no]proxy`` described above.
-
-.. option:: +qid=value
-
+``+qid=value``
    This option specifies the query ID to use when sending queries.
 
-.. option:: +qr, +noqr
-
+``+[no]qr``
    This option toggles the display of the query message as it is sent. By default, the query
    is not printed.
 
-.. option:: +question, +noquestion
-
+``+[no]question``
    This option toggles the display of the question section of a query when an answer is
    returned. The default is to print the question section as a comment.
 
-.. option:: +raflag, +noraflag
-
+``+[no]raflag``
    This option sets [or does not set] the RA (Recursion Available) bit in the query. The
    default is ``+noraflag``. This bit is ignored by the server for
    QUERY.
 
-.. option:: +rdflag, +nordflag
-
-   This option is a synonym for :option:`+recurse`, :option:`+norecurse`.
-
-.. option:: +recurse, +norecurse
+``+[no]rdflag``
+   This option is a synonym for ``+[no]recurse``.
 
+``+[no]recurse``
    This option toggles the setting of the RD (recursion desired) bit in the query.
-   This bit is set by default, which means :program:`dig` normally sends
+   This bit is set by default, which means ``dig`` normally sends
    recursive queries. Recursion is automatically disabled when the
-   :option:`+nssearch` or :option:`+trace` query option is used.
-
-.. option:: +retry=T
+   ``+nssearch`` or ``+trace`` query option is used.
 
+``+retry=T``
    This option sets the number of times to retry UDP and TCP queries to server to ``T``
-   instead of the default, 2.  Unlike :option:`+tries`, this does not include
+   instead of the default, 2.  Unlike ``+tries``, this does not include
    the initial query.
 
-.. option:: +rrcomments, +norrcomments
-
+``+[no]rrcomments``
    This option toggles the display of per-record comments in the output (for example,
    human-readable key information about DNSKEY records). The default is
    not to print record comments unless multiline mode is active.
 
-.. option:: +search, +nosearch
-
+``+[no]search``
    This option uses [or does not use] the search list defined by the searchlist or domain
    directive in ``resolv.conf``, if any. The search list is not used by
    default.
 
    ``ndots`` from ``resolv.conf`` (default 1), which may be overridden by
-   :option:`+ndots`, determines whether the name is treated as relative
+   ``+ndots``, determines whether the name is treated as relative
    and hence whether a search is eventually performed.
 
-.. option:: +short, +noshort
-
+``+[no]short``
    This option toggles whether a terse answer is provided. The default is to print the answer in a verbose
    form. This option always has a global effect; it cannot be set globally and
    then overridden on a per-lookup basis.
 
-.. option:: +showbadcookie, +noshowbadcookie
-
-   This option toggles whether to show the message containing the
-   BADCOOKIE rcode before retrying the request or not. The default
-   is to not show the messages.
-
-.. option:: +showsearch, +noshowsearch
-
+``+[no]showsearch``
    This option performs [or does not perform] a search showing intermediate results.
 
-.. option:: +split=W
+``+[no]sigchase``
+   This feature is now obsolete and has been removed; use ``delv``
+   instead.
 
+``+split=W``
    This option splits long hex- or base64-formatted fields in resource records into
    chunks of ``W`` characters (where ``W`` is rounded up to the nearest
    multiple of 4). ``+nosplit`` or ``+split=0`` causes fields not to be
    split at all. The default is 56 characters, or 44 characters when
    multiline mode is active.
 
-.. option:: +stats, +nostats
-
+``+[no]stats``
    This option toggles the printing of statistics: when the query was made, the size of the
    reply, etc. The default behavior is to print the query statistics as a
    comment after each lookup.
 
-.. option:: +subnet=addr[/prefix-length], +nosubnet
-
+``+[no]subnet=addr[/prefix-length]``
    This option sends [or does not send] an EDNS CLIENT-SUBNET option with the specified IP
    address or network prefix.
 
@@ -638,112 +531,83 @@ abbreviation is unambiguous; for example, :option:`+cd` is equivalent to
    prefix-length of zero, which signals a resolver that the client's
    address information must *not* be used when resolving this query.
 
-.. option:: +tcflag, +notcflag
-
+``+[no]tcflag``
    This option sets [or does not set] the TC (TrunCation) bit in the query. The default is
    ``+notcflag``. This bit is ignored by the server for QUERY.
 
-.. option:: +tcp, +notcp
-
-   This option indicates whether to use TCP when querying name
-   servers.  The default behavior is to use UDP unless a type ``any``
-   or ``ixfr=N`` query is requested, in which case the default is
-   TCP. AXFR queries always use TCP. To prevent retry over TCP when
-   TC=1 is returned from a UDP query, use ``+ignore``.
-
-.. option:: +timeout=T
+``+[no]tcp``
+   This option indicates whether to use TCP when querying name servers.
+   The default behavior is to use UDP unless a type ``any`` or ``ixfr=N``
+   query is requested, in which case the default is TCP. AXFR queries
+   always use TCP.
 
+``+timeout=T``
    This option sets the timeout for a query to ``T`` seconds. The default timeout is
    5 seconds. An attempt to set ``T`` to less than 1 is silently set to 1.
 
-.. option:: +tls, +notls
-
-   This option indicates whether to use DNS over TLS (DoT) when querying
+``+[no]tls``
+   This option indicates whether to use DNS-over-TLS (DoT) when querying
    name servers. When this option is in use, the port number defaults
    to 853.
 
-.. option:: +tls-ca[=file-name], +notls-ca
+``+[no]topdown``
+   This feature is related to ``dig +sigchase``, which is obsolete and
+   has been removed. Use ``delv`` instead.
 
-   This option enables remote server TLS certificate validation for
-   DNS transports, relying on TLS. Certificate authorities
-   certificates are loaded from the specified PEM file
-   (``file-name``). If the file is not specified, the default
-   certificates from the global certificates store are used.
-
-.. option:: +tls-certfile=file-name, +tls-keyfile=file-name, +notls-certfile, +notls-keyfile
-
-   These options set the state of certificate-based client
-   authentication for DNS transports, relying on TLS. Both certificate
-   chain file and private key file are expected to be in PEM format.
-   Both options must be specified at the same time.
-
-.. option:: +tls-hostname=hostname, +notls-hostname
-
-   This option makes :program:`dig` use the provided hostname during remote
-   server TLS certificate verification. Otherwise, the DNS server name
-   is used. This option has no effect if :option:`+tls-ca` is not specified.
-
-.. option:: +trace, +notrace
-
-   This option toggles tracing of the delegation path from the root name
-   servers for the name being looked up. Tracing is disabled by default.
-   When tracing is enabled, :program:`dig` makes iterative queries to
-   resolve the name being looked up. It follows referrals from the root
-   servers, showing the answer from each server that was used to resolve
-   the lookup.
+``+[no]trace``
+   This option toggles tracing of the delegation path from the root name servers for
+   the name being looked up. Tracing is disabled by default. When
+   tracing is enabled, ``dig`` makes iterative queries to resolve the
+   name being looked up. It follows referrals from the root servers,
+   showing the answer from each server that was used to resolve the
+   lookup.
 
    If ``@server`` is also specified, it affects only the initial query for
    the root zone name servers.
 
-   :option:`+dnssec` is set when :option:`+trace` is set, to better
-   emulate the default queries from a name server.
-
-   Note that the ``delv +ns`` option can also be used for tracing the
-   resolution of a name from the root (see :iscman:`delv`).
-
-.. option:: +tries=T
+   ``+dnssec`` is also set when ``+trace`` is set, to better emulate the
+   default queries from a name server.
 
+``+tries=T``
    This option sets the number of times to try UDP and TCP queries to server to ``T``
    instead of the default, 3. If ``T`` is less than or equal to zero,
    the number of tries is silently rounded up to 1.
 
-.. option:: +ttlid, +nottlid
+``+trusted-key=####``
+   This option formerly specified trusted keys for use with ``dig +sigchase``. This
+   feature is now obsolete and has been removed; use ``delv`` instead.
 
+``+[no]ttlid``
    This option displays [or does not display] the TTL when printing the record.
 
-.. option:: +ttlunits, +nottlunits
-
+``+[no]ttlunits``
    This option displays [or does not display] the TTL in friendly human-readable time
    units of ``s``, ``m``, ``h``, ``d``, and ``w``, representing seconds, minutes,
-   hours, days, and weeks. This implies :option:`+ttlid`.
-
-.. option:: +unknownformat, +nounknownformat
+   hours, days, and weeks. This implies ``+ttlid``.
 
+``+[no]unknownformat``
    This option prints all RDATA in unknown RR type presentation format (:rfc:`3597`).
    The default is to print RDATA for known types in the type's
    presentation format.
 
-.. option:: +vc, +novc
-
+``+[no]vc``
    This option uses [or does not use] TCP when querying name servers. This alternate
-   syntax to :option:`+tcp` is provided for backwards compatibility. The
+   syntax to ``+[no]tcp`` is provided for backwards compatibility. The
    ``vc`` stands for "virtual circuit."
 
-.. option:: +yaml, +noyaml
-
-   When enabled, this option prints the responses (and, if :option:`+qr` is in use, also the
+``+[no]yaml``
+   When enabled, this option prints the responses (and, if ``+qr`` is in use, also the
    outgoing queries) in a detailed YAML format.
 
-.. option:: +zflag, +nozflag
-
+``+[no]zflag``
    This option sets [or does not set] the last unassigned DNS header flag in a DNS query.
    This flag is off by default.
 
 Multiple Queries
 ~~~~~~~~~~~~~~~~
 
-The BIND 9 implementation of :program:`dig` supports specifying multiple
-queries on the command line (in addition to supporting the :option:`-f` batch
+The BIND 9 implementation of ``dig`` supports specifying multiple
+queries on the command line (in addition to supporting the ``-f`` batch
 file option). Each of those queries can be supplied with its own set of
 flags, options, and query options.
 
@@ -756,41 +620,32 @@ query.
 A global set of query options, which should be applied to all queries,
 can also be supplied. These global query options must precede the first
 tuple of name, class, type, options, flags, and query options supplied
-on the command line. Any global query options (except :option:`+cmd` and
-:option:`+short` options) can be overridden by a query-specific set of
+on the command line. Any global query options (except ``+[no]cmd`` and
+``+[no]short`` options) can be overridden by a query-specific set of
 query options. For example:
 
 ::
 
    dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
 
-shows how :program:`dig` can be used from the command line to make three
+shows how ``dig`` can be used from the command line to make three
 lookups: an ANY query for ``www.isc.org``, a reverse lookup of 127.0.0.1,
 and a query for the NS records of ``isc.org``. A global query option of
-:option:`+qr` is applied, so that :program:`dig` shows the initial query it made for
-each lookup. The final query has a local query option of :option:`+noqr` which
-means that :program:`dig` does not print the initial query when it looks up the
+``+qr`` is applied, so that ``dig`` shows the initial query it made for
+each lookup. The final query has a local query option of ``+noqr`` which
+means that ``dig`` does not print the initial query when it looks up the
 NS records for ``isc.org``.
 
-Return Codes
-~~~~~~~~~~~~
+IDN Support
+~~~~~~~~~~~
 
-:program:`dig` return codes are:
-
-``0``
-   DNS response received, including NXDOMAIN status
-
-``1``
-   Usage error
-
-``8``
-   Couldn't open batch file
-
-``9``
-   No reply from server
-
-``10``
-   Internal error
+If ``dig`` has been built with IDN (internationalized domain name)
+support, it can accept and display non-ASCII domain names. ``dig``
+appropriately converts character encoding of a domain name before sending
+a request to a DNS server or displaying a reply from the server.
+To turn off IDN support, use the parameters
+``+noidnin`` and ``+noidnout``, or define the ``IDN_DISABLE`` environment
+variable.
 
 Files
 ~~~~~
@@ -802,7 +657,7 @@ Files
 See Also
 ~~~~~~~~
 
-:iscman:`delv(1) <delv>`, :iscman:`host(1) <host>`, :iscman:`named(8) <named>`, :iscman:`dnssec-keygen(8) <dnssec-keygen>`, :rfc:`1035`.
+:manpage:`delv(1)`, :manpage:`host(1)`, :manpage:`named(8)`, :manpage:`dnssec-keygen(8)`, :rfc:`1035`.
 
 Bugs
 ~~~~

bin/dig/dighost.h

@@ -1,8 +1,6 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
- * SPDX-License-Identifier: MPL-2.0
- *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, you can obtain one at https://mozilla.org/MPL/2.0/.
@@ -11,7 +9,8 @@
  * information regarding copyright ownership.
  */
 
-#pragma once
+#ifndef DIG_H
+#define DIG_H
 
 /*! \file */
 
@@ -23,13 +22,13 @@
 #include <isc/formatcheck.h>
 #include <isc/lang.h>
 #include <isc/list.h>
-#include <isc/loop.h>
 #include <isc/magic.h>
 #include <isc/mem.h>
 #include <isc/netmgr.h>
+#include <isc/print.h>
 #include <isc/refcount.h>
 #include <isc/sockaddr.h>
-#include <isc/time.h>
+#include <isc/socket.h>
 
 #include <dns/rdatalist.h>
 
@@ -77,6 +76,7 @@
 #define DEFAULT_EDNS_VERSION 0
 #define DEFAULT_EDNS_BUFSIZE 1232
 
+#define DEFAULT_HTTPS_PATH  "/dns-query"
 #define DEFAULT_HTTPS_QUERY "?dns="
 
 /*%
@@ -105,25 +105,24 @@ typedef struct dig_searchlist dig_searchlist_t;
 struct dig_lookup {
 	unsigned int magic;
 	isc_refcount_t references;
-	bool aaonly, adflag, badcookie, besteffort, cdflag, cleared, comments,
+	bool aaonly, adflag, badcookie, besteffort, cdflag, comments,
 		dns64prefix, dnssec, doing_xfr, done_as_is, ednsneg, expandaaaa,
-		expire, fuzzing, header_only, identify, /*%< Append an "on
-							   server <foo>" message
-							 */
-		identify_previous_line, /*% Prepend a "Nameserver <foo>:"
-					   message, with newline and tab */
-		idnin, idnout, ignore, multiline, need_search, new_search,
-		noclass, nocrypto, nottl, ns_search_only, /*%< dig +nssearch,
-							     host -C */
-		ns_search_success, nsid, /*% Name Server ID (RFC 5001) */
-		onesoa, pending,	 /*%< Pending a successful answer */
+		expire, header_only, identify, /*%< Append an "on server <foo>"
+						  message */
+		identify_previous_line,	       /*% Prepend a "Nameserver <foo>:"
+						  message, with newline and tab */
+		idnin, idnout, ignore, mapped, multiline, need_search,
+		new_search, noclass, nocrypto, nottl,
+		ns_search_only,	 /*%< dig +nssearch, host -C */
+		nsid,		 /*% Name Server ID (RFC 5001) */
+		onesoa, pending, /*%< Pending a successful answer */
 		print_unknown_format, qr, raflag, recurse, section_additional,
 		section_answer, section_authority, section_question,
 		seenbadcookie, sendcookie, servfail_stops,
 		setqid, /*% use a speciied query ID */
-		showbadcookie, stats, tcflag, tcp_keepalive, tcp_mode,
-		tcp_mode_set, tls_mode, /*% connect using TLS */
-		trace,			/*% dig +trace */
+		stats, tcflag, tcp_keepalive, tcp_mode, tcp_mode_set,
+		tls_mode,   /*% connect using TLS */
+		trace,	    /*% dig +trace */
 		trace_root, /*% initial query for either +trace or +nssearch */
 		ttlunits, use_usec, waiting_connect, zflag;
 	char textname[MXNAME]; /*% Name we're going to be looking up */
@@ -166,9 +165,11 @@ struct dig_lookup {
 	char *cookie;
 	dns_ednsopt_t *ednsopts;
 	unsigned int ednsoptscnt;
+	isc_dscp_t dscp;
 	unsigned int ednsflags;
 	dns_opcode_t opcode;
 	int rrcomments;
+	unsigned int eoferr;
 	uint16_t qid;
 	struct {
 		bool http_plain;
@@ -176,37 +177,17 @@ struct dig_lookup {
 		bool https_get;
 		char *https_path;
 	};
-	struct {
-		bool tls_ca_set;
-		char *tls_ca_file;
-		bool tls_hostname_set;
-		char *tls_hostname;
-		bool tls_cert_file_set;
-		char *tls_cert_file;
-		bool tls_key_file_set;
-		char *tls_key_file;
-		isc_tlsctx_cache_t *tls_ctx_cache;
-	};
-	struct {
-		bool proxy_mode;
-		bool proxy_plain;
-		bool proxy_local;
-		isc_sockaddr_t proxy_src_addr;
-		isc_sockaddr_t proxy_dst_addr;
-	};
-	isc_stdtime_t fuzztime;
 };
 
 /*% The dig_query structure */
 struct dig_query {
 	unsigned int magic;
 	dig_lookup_t *lookup;
-	bool started;
+	bool first_pass;
 	bool first_soa_rcvd;
 	bool second_rr_rcvd;
 	bool first_repeat_rcvd;
 	bool warn_id;
-	bool canceled;
 	uint32_t first_rr_serial;
 	uint32_t second_rr_serial;
 	uint32_t msg_count;
@@ -227,6 +208,7 @@ struct dig_query {
 	isc_time_t time_recv;
 	uint64_t byte_count;
 	isc_timer_t *timer;
+	isc_tlsctx_t *tlsctx;
 };
 
 struct dig_server {
@@ -266,12 +248,12 @@ extern isc_sockaddr_t localaddr;
 extern char keynametext[MXNAME];
 extern char keyfile[MXNAME];
 extern char keysecret[MXNAME];
-extern dst_algorithm_t hmac_alg;
+extern const dns_name_t *hmacname;
 extern unsigned int digestbits;
 extern dns_tsigkey_t *tsigkey;
 extern bool validated;
-extern isc_loopmgr_t *loopmgr;
-extern isc_loop_t *mainloop;
+extern isc_taskmgr_t *taskmgr;
+extern isc_task_t *global_task;
 extern bool free_now;
 extern bool debugging, debugtiming, memdebugging;
 extern bool keep_open;
@@ -293,18 +275,15 @@ getaddresses(dig_lookup_t *lookup, const char *host, isc_result_t *resultp);
 isc_result_t
 get_reverse(char *reverse, size_t len, char *value, bool strict);
 
-noreturn void
+ISC_NORETURN void
 fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
 
 void
 warn(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
 
-noreturn void
+ISC_NORETURN void
 digexit(void);
 
-void
-cleanup_openssl_refs(void);
-
 void
 debug(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
 
@@ -324,10 +303,7 @@ void
 start_lookup(void);
 
 void
-onrun_callback(void *arg);
-
-void
-run_loop(void *arg);
+onrun_callback(isc_task_t *task, isc_event_t *event);
 
 int
 dhmain(int argc, char **argv);
@@ -348,7 +324,7 @@ isc_result_t
 parse_netprefix(isc_sockaddr_t **sap, const char *value);
 
 void
-parse_hmac(const char *algname);
+parse_hmac(const char *hmacstr);
 
 dig_lookup_t *
 requeue_lookup(dig_lookup_t *lookold, bool servers);
@@ -452,6 +428,12 @@ dig_query_setup(bool, bool, int argc, char **argv);
 void
 dig_startup(void);
 
+/*%
+ * Initiates the next lookup cycle
+ */
+void
+dig_query_start(void);
+
 /*%
  * Activate/deactivate IDN filtering of output.
  */
@@ -464,7 +446,6 @@ dig_idnsetup(dig_lookup_t *lookup, bool active);
 void
 dig_shutdown(void);
 
-bool
-dig_lookup_is_tls(const dig_lookup_t *lookup);
-
 ISC_LANG_ENDDECLS
+
+#endif /* ifndef DIG_H */

bin/dig/host.c

@@ -1,8 +1,6 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
- * SPDX-License-Identifier: MPL-2.0
- *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, you can obtain one at https://mozilla.org/MPL/2.0/.
@@ -19,11 +17,13 @@
 #include <stdbool.h>
 #include <stdlib.h>
 
+#include <isc/app.h>
 #include <isc/attributes.h>
 #include <isc/commandline.h>
-#include <isc/loop.h>
 #include <isc/netaddr.h>
+#include <isc/print.h>
 #include <isc/string.h>
+#include <isc/task.h>
 #include <isc/util.h>
 
 #include <dns/byaddr.h>
@@ -80,7 +80,6 @@ struct rtype rtypes[] = { { 1, "has address" },
 			  { 25, "has key" },
 			  { 28, "has IPv6 address" },
 			  { 29, "location" },
-			  { dns_rdatatype_https, "has HTTP service bindings" },
 			  { 0, NULL } };
 
 static char *
@@ -97,10 +96,10 @@ rcode_totext(dns_rcode_t rcode) {
 	} else {
 		totext.consttext = rcodetext[rcode];
 	}
-	return totext.deconsttext;
+	return (totext.deconsttext);
 }
 
-noreturn static void
+ISC_NORETURN static void
 show_usage(void);
 
 static void
@@ -133,12 +132,12 @@ show_usage(void) {
 		"       -W specifies how long to wait for a reply\n"
 		"       -4 use IPv4 query transport only\n"
 		"       -6 use IPv6 query transport only\n");
-	exit(EXIT_FAILURE);
+	exit(1);
 }
 
 static void
 host_shutdown(void) {
-	isc_loopmgr_shutdown(loopmgr);
+	(void)isc_app_shutdown();
 }
 
 static void
@@ -150,9 +149,9 @@ received(unsigned int bytes, isc_sockaddr_t *from, dig_query_t *query) {
 		char fromtext[ISC_SOCKADDR_FORMATSIZE];
 		isc_sockaddr_format(from, fromtext, sizeof(fromtext));
 		if (query->lookup->use_usec) {
-			now = isc_time_now_hires();
+			TIME_NOW_HIRES(&now);
 		} else {
-			now = isc_time_now();
+			TIME_NOW(&now);
 		}
 		diff = (int)isc_time_microdiff(&now, &query->time_sent);
 		printf("Received %u bytes from %s in %d ms\n", bytes, fromtext,
@@ -184,7 +183,6 @@ retry:
 	result = dns_rdata_totext(rdata, NULL, b);
 	if (result == ISC_R_NOSPACE) {
 		isc_buffer_free(&b);
-		INSIST(bufsize <= (UINT_MAX / 2));
 		bufsize *= 2;
 		goto retry;
 	}
@@ -211,9 +209,15 @@ printsection(dns_message_t *msg, dns_section_t sectionid,
 	isc_result_t result, loopresult;
 	isc_region_t r;
 	dns_name_t empty_name;
-	char tbuf[4096] = { 0 };
+	char tbuf[4096];
 	bool first;
-	bool no_rdata = (sectionid == DNS_SECTION_QUESTION);
+	bool no_rdata;
+
+	if (sectionid == DNS_SECTION_QUESTION) {
+		no_rdata = true;
+	} else {
+		no_rdata = false;
+	}
 
 	if (headers) {
 		printf(";; %s SECTION:\n", section_name);
@@ -223,9 +227,9 @@ printsection(dns_message_t *msg, dns_section_t sectionid,
 
 	result = dns_message_firstname(msg, sectionid);
 	if (result == ISC_R_NOMORE) {
-		return ISC_R_SUCCESS;
+		return (ISC_R_SUCCESS);
 	} else if (result != ISC_R_SUCCESS) {
-		return result;
+		return (result);
 	}
 
 	for (;;) {
@@ -263,7 +267,7 @@ printsection(dns_message_t *msg, dns_section_t sectionid,
 							     print_name, false,
 							     no_rdata, &target);
 				if (result != ISC_R_SUCCESS) {
-					return result;
+					return (result);
 				}
 #ifdef USEINITALWS
 				if (first) {
@@ -318,11 +322,11 @@ printsection(dns_message_t *msg, dns_section_t sectionid,
 		if (result == ISC_R_NOMORE) {
 			break;
 		} else if (result != ISC_R_SUCCESS) {
-			return result;
+			return (result);
 		}
 	}
 
-	return ISC_R_SUCCESS;
+	return (ISC_R_SUCCESS);
 }
 
 static isc_result_t
@@ -342,12 +346,12 @@ printrdata(dns_message_t *msg, dns_rdataset_t *rdataset,
 
 	result = dns_rdataset_totext(rdataset, owner, false, false, &target);
 	if (result != ISC_R_SUCCESS) {
-		return result;
+		return (result);
 	}
 	isc_buffer_usedregion(&target, &r);
 	printf("%.*s", (int)r.length, (char *)r.base);
 
-	return ISC_R_SUCCESS;
+	return (ISC_R_SUCCESS);
 }
 
 static void
@@ -424,7 +428,7 @@ printmessage(dig_query_t *query, const isc_buffer_t *msgbuf, dns_message_t *msg,
 				       : query->lookup->textname,
 			       msg->rcode, rcode_totext(msg->rcode));
 		}
-		return ISC_R_SUCCESS;
+		return (ISC_R_SUCCESS);
 	}
 
 	if (default_lookups && query->lookup->rdtype == dns_rdatatype_a) {
@@ -458,16 +462,6 @@ printmessage(dig_query_t *query, const isc_buffer_t *msgbuf, dns_message_t *msg,
 			lookup->retries = tries;
 			ISC_LIST_APPEND(lookup_list, lookup, link);
 		}
-		lookup = clone_lookup(query->lookup, false);
-		if (lookup != NULL) {
-			strlcpy(lookup->textname, namestr,
-				sizeof(lookup->textname));
-			lookup->rdtype = dns_rdatatype_https;
-			lookup->rdtypeset = true;
-			lookup->origin = NULL;
-			lookup->retries = tries;
-			ISC_LIST_APPEND(lookup_list, lookup, link);
-		}
 	}
 
 	if (!short_form) {
@@ -528,7 +522,7 @@ printmessage(dig_query_t *query, const isc_buffer_t *msgbuf, dns_message_t *msg,
 		result = printsection(msg, DNS_SECTION_QUESTION, "QUESTION",
 				      true, query);
 		if (result != ISC_R_SUCCESS) {
-			return result;
+			return (result);
 		}
 	}
 	if (!ISC_LIST_EMPTY(msg->sections[DNS_SECTION_ANSWER])) {
@@ -538,28 +532,26 @@ printmessage(dig_query_t *query, const isc_buffer_t *msgbuf, dns_message_t *msg,
 		result = printsection(msg, DNS_SECTION_ANSWER, "ANSWER",
 				      !short_form, query);
 		if (result != ISC_R_SUCCESS) {
-			return result;
+			return (result);
 		}
 	}
 
 	if (!ISC_LIST_EMPTY(msg->sections[DNS_SECTION_AUTHORITY]) &&
-	    !short_form)
-	{
+	    !short_form) {
 		printf("\n");
 		result = printsection(msg, DNS_SECTION_AUTHORITY, "AUTHORITY",
 				      true, query);
 		if (result != ISC_R_SUCCESS) {
-			return result;
+			return (result);
 		}
 	}
 	if (!ISC_LIST_EMPTY(msg->sections[DNS_SECTION_ADDITIONAL]) &&
-	    !short_form)
-	{
+	    !short_form) {
 		printf("\n");
 		result = printsection(msg, DNS_SECTION_ADDITIONAL, "ADDITIONAL",
 				      true, query);
 		if (result != ISC_R_SUCCESS) {
-			return result;
+			return (result);
 		}
 	}
 	if ((tsig != NULL) && !short_form) {
@@ -567,7 +559,7 @@ printmessage(dig_query_t *query, const isc_buffer_t *msgbuf, dns_message_t *msg,
 		result = printrdata(msg, tsig, tsigname, "PSEUDOSECTION TSIG",
 				    true);
 		if (result != ISC_R_SUCCESS) {
-			return result;
+			return (result);
 		}
 	}
 	if (!short_form) {
@@ -585,11 +577,17 @@ printmessage(dig_query_t *query, const isc_buffer_t *msgbuf, dns_message_t *msg,
 		printf("%s has no %s record\n", namestr, typestr);
 	}
 	seen_error = force_error;
-	return result;
+	return (result);
 }
 
 static const char *optstring = "46aAc:dilnm:p:rst:vVwCDN:R:TUW:";
 
+/*% version */
+static void
+version(void) {
+	fprintf(stderr, "host %s\n", PACKAGE_VERSION);
+}
+
 static void
 pre_parse_args(int argc, char **argv) {
 	int c;
@@ -602,12 +600,10 @@ pre_parse_args(int argc, char **argv) {
 			{
 				isc_mem_debugging |= ISC_MEM_DEBUGTRACE;
 			} else if (strcasecmp("record",
-					      isc_commandline_argument) == 0)
-			{
+					      isc_commandline_argument) == 0) {
 				isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
 			} else if (strcasecmp("usage",
-					      isc_commandline_argument) == 0)
-			{
+					      isc_commandline_argument) == 0) {
 				isc_mem_debugging |= ISC_MEM_DEBUGUSAGE;
 			}
 			break;
@@ -665,8 +661,8 @@ pre_parse_args(int argc, char **argv) {
 		case 'v':
 			break;
 		case 'V':
-			printf("host %s\n", PACKAGE_VERSION);
-			exit(EXIT_SUCCESS);
+			version();
+			exit(0);
 			break;
 		case 'w':
 			break;
@@ -718,8 +714,7 @@ parse_args(bool is_batchfile, int argc, char **argv) {
 			break;
 		case 't':
 			if (strncasecmp(isc_commandline_argument, "ixfr=", 5) ==
-			    0)
-			{
+			    0) {
 				rdtype = dns_rdatatype_ixfr;
 				/* XXXMPA add error checking */
 				serial = strtoul(isc_commandline_argument + 5,
@@ -738,8 +733,7 @@ parse_args(bool is_batchfile, int argc, char **argv) {
 				      isc_commandline_argument);
 			}
 			if (!lookup->rdtypeset ||
-			    lookup->rdtype != dns_rdatatype_axfr)
-			{
+			    lookup->rdtype != dns_rdatatype_axfr) {
 				lookup->rdtype = rdtype;
 			}
 			lookup->rdtypeset = true;
@@ -780,11 +774,10 @@ parse_args(bool is_batchfile, int argc, char **argv) {
 			break;
 		case 'A':
 			list_almost_all = true;
-			FALLTHROUGH;
+		/* FALL THROUGH */
 		case 'a':
 			if (!lookup->rdtypeset ||
-			    lookup->rdtype != dns_rdatatype_axfr)
-			{
+			    lookup->rdtype != dns_rdatatype_axfr) {
 				lookup->rdtype = dns_rdatatype_any;
 			}
 			list_type = dns_rdatatype_any;
@@ -858,7 +851,6 @@ parse_args(bool is_batchfile, int argc, char **argv) {
 			break;
 		case 'p':
 			port = atoi(isc_commandline_argument);
-			port_set = true;
 			break;
 		}
 	}
@@ -896,6 +888,8 @@ parse_args(bool is_batchfile, int argc, char **argv) {
 
 int
 main(int argc, char **argv) {
+	isc_result_t result;
+
 	tries = 2;
 
 	ISC_LIST_INIT(lookup_list);
@@ -913,6 +907,8 @@ main(int argc, char **argv) {
 	debug("main()");
 	progname = argv[0];
 	pre_parse_args(argc, argv);
+	result = isc_app_start();
+	check_result(result, "isc_app_start");
 	setup_libs();
 	setup_system(ipv4only, ipv6only);
 	parse_args(false, argc, argv);
@@ -921,12 +917,11 @@ main(int argc, char **argv) {
 	} else if (keysecret[0] != 0) {
 		setup_text_key();
 	}
-
-	isc_loopmgr_setup(loopmgr, run_loop, NULL);
-	isc_loopmgr_run(loopmgr);
-
+	result = isc_app_onrun(mctx, global_task, onrun_callback, NULL);
+	check_result(result, "isc_app_onrun");
+	isc_app_run();
 	cancel_all();
 	destroy_libs();
-
-	return (seen_error == 0) ? 0 : 1;
+	isc_app_finish();
+	return ((seen_error == 0) ? 0 : 1);
 }

bin/dig/host.rst

@@ -1,18 +1,26 @@
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+.. 
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+   
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, you can obtain one at https://mozilla.org/MPL/2.0/.
+   
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
 ..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0.  If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
 
 .. highlight: console
 
-.. iscman:: host
-.. program:: host
 .. _man_host:
 
 host - DNS lookup utility
@@ -26,64 +34,55 @@ Synopsis
 Description
 ~~~~~~~~~~~
 
-:program:`host` is a simple utility for performing DNS lookups. It is normally
+``host`` is a simple utility for performing DNS lookups. It is normally
 used to convert names to IP addresses and vice versa. When no arguments
-or options are given, :program:`host` prints a short summary of its
+or options are given, ``host`` prints a short summary of its
 command-line arguments and options.
 
 ``name`` is the domain name that is to be looked up. It can also be a
 dotted-decimal IPv4 address or a colon-delimited IPv6 address, in which
-case :program:`host` by default performs a reverse lookup for that address.
+case ``host`` by default performs a reverse lookup for that address.
 ``server`` is an optional argument which is either the name or IP
-address of the name server that :program:`host` should query instead of the
+address of the name server that ``host`` should query instead of the
 server or servers listed in ``/etc/resolv.conf``.
 
 Options
 ~~~~~~~
 
-.. option:: -4
+``-4``
+   This option specifies that only IPv4 should be used for query transport. See also the ``-6`` option.
 
-   This option specifies that only IPv4 should be used for query transport. See also the :option:`-6` option.
+``-6``
+   This option specifies that only IPv6 should be used for query transport. See also the ``-4`` option.
 
-.. option:: -6
+``-a``
+   The ``-a`` ("all") option is normally equivalent to ``-v -t ANY``. It
+   also affects the behavior of the ``-l`` list zone option.
 
-   This option specifies that only IPv6 should be used for query transport. See also the :option:`-4` option.
-
-.. option:: -a
-
-   The :option:`-a` ("all") option is normally equivalent to :option:`-v` :option:`-t ANY <-t>`. It
-   also affects the behavior of the :option:`-l` list zone option.
-
-.. option:: -A
-
-   The :option:`-A` ("almost all") option is equivalent to :option:`-a`, except that RRSIG,
+``-A``
+   The ``-A`` ("almost all") option is equivalent to ``-a``, except that RRSIG,
    NSEC, and NSEC3 records are omitted from the output.
 
-.. option:: -c class
-
+``-c class``
    This option specifies the query class, which can be used to lookup HS (Hesiod) or CH (Chaosnet)
    class resource records. The default class is IN (Internet).
 
-.. option:: -C
-
-   This option indicates that :iscman:`named` should check consistency, meaning that :program:`host` queries the SOA records for zone
+``-C``
+   This option indicates that ``named`` should check consistency, meaning that ``host`` queries the SOA records for zone
    ``name`` from all the listed authoritative name servers for that
    zone. The list of name servers is defined by the NS records that are
    found for the zone.
 
-.. option:: -d
+``-d``
+   This option prints debugging traces, and is equivalent to the ``-v`` verbose option.
 
-   This option prints debugging traces, and is equivalent to the :option:`-v` verbose option.
-
-.. option:: -l
-
-   This option tells :iscman:`named` to list the zone, meaning the :program:`host` command performs a zone transfer of zone
+``-l``
+   This option tells ``named` to list the zone, meaning the ``host`` command performs a zone transfer of zone
    ``name`` and prints out the NS, PTR, and address records (A/AAAA).
 
-   Together, the :option:`-l` :option:`-a` options print all records in the zone.
-
-.. option:: -N ndots
+   Together, the ``-l -a`` options print all records in the zone.
 
+``-N ndots``
    This option specifies the number of dots (``ndots``) that have to be in ``name`` for it to be
    considered absolute. The default value is that defined using the
    ``ndots`` statement in ``/etc/resolv.conf``, or 1 if no ``ndots`` statement
@@ -91,96 +90,85 @@ Options
    and are searched for in the domains listed in the ``search`` or
    ``domain`` directive in ``/etc/resolv.conf``.
 
-.. option:: -p port
-
+``-p port``
    This option specifies the port to query on the server. The default is 53.
 
-.. option:: -r
-
+``-r``
    This option specifies a non-recursive query; setting this option clears the RD (recursion
    desired) bit in the query. This means that the name server
-   receiving the query does not attempt to resolve ``name``. The :option:`-r`
-   option enables :program:`host` to mimic the behavior of a name server by
+   receiving the query does not attempt to resolve ``name``. The ``-r``
+   option enables ``host`` to mimic the behavior of a name server by
    making non-recursive queries, and expecting to receive answers to
    those queries that can be referrals to other name servers.
 
-.. option:: -R number
-
+``-R number``
    This option specifies the number of retries for UDP queries. If ``number`` is negative or zero,
    the number of retries is silently set to 1. The default value is 1, or
    the value of the ``attempts`` option in ``/etc/resolv.conf``, if set.
 
-.. option:: -s
-
-   This option tells :iscman:`named` *not* to send the query to the next nameserver if any server responds
+``-s``
+   This option tells ``named`` *not* to send the query to the next nameserver if any server responds
    with a SERVFAIL response, which is the reverse of normal stub
    resolver behavior.
 
-.. option:: -t type
-
+``-t type``
    This option specifies the query type. The ``type`` argument can be any recognized query type:
    CNAME, NS, SOA, TXT, DNSKEY, AXFR, etc.
 
-   When no query type is specified, :program:`host` automatically selects an
-   appropriate query type. By default, it looks for A, AAAA, MX, and HTTPS
-   records. If the :option:`-C` option is given, queries are made for SOA
+   When no query type is specified, ``host`` automatically selects an
+   appropriate query type. By default, it looks for A, AAAA, and MX
+   records. If the ``-C`` option is given, queries are made for SOA
    records. If ``name`` is a dotted-decimal IPv4 address or
-   colon-delimited IPv6 address, :program:`host` queries for PTR records.
+   colon-delimited IPv6 address, ``host`` queries for PTR records.
 
    If a query type of IXFR is chosen, the starting serial number can be
    specified by appending an equals sign (=), followed by the starting serial
-   number, e.g., :option:`-t IXFR=12345678 <-t>`.
+   number, e.g., ``-t IXFR=12345678``.
 
-.. option:: -T, -U
-
-   This option specifies TCP or UDP. By default, :program:`host` uses UDP when making queries; the
-   :option:`-T` option makes it use a TCP connection when querying the name
+``-T``; ``-U``
+   This option specifies TCP or UDP. By default, ``host`` uses UDP when making queries; the
+   ``-T`` option makes it use a TCP connection when querying the name
    server. TCP is automatically selected for queries that require
    it, such as zone transfer (AXFR) requests. Type ``ANY`` queries default
-   to TCP, but can be forced to use UDP initially via :option:`-U`.
-
-.. option:: -m flag
+   to TCP, but can be forced to use UDP initially via ``-U``.
 
+``-m flag``
    This option sets memory usage debugging: the flag can be ``record``, ``usage``, or
-   ``trace``. The :option:`-m` option can be specified more than once to set
+   ``trace``. The ``-m`` option can be specified more than once to set
    multiple flags.
 
-.. option:: -v
-
-   This option sets verbose output, and is equivalent to the :option:`-d` debug option. Verbose output
+``-v``
+   This option sets verbose output, and is equivalent to the ``-d`` debug option. Verbose output
    can also be enabled by setting the ``debug`` option in
    ``/etc/resolv.conf``.
 
-.. option:: -V
-
+``-V``
    This option prints the version number and exits.
 
-.. option:: -w
-
+``-w``
    This option sets "wait forever": the query timeout is set to the maximum possible. See
-   also the :option:`-W` option.
+   also the ``-W`` option.
 
-.. option:: -W wait
-
-   This options sets the length of the wait timeout, indicating that :iscman:`named` should wait for up to ``wait`` seconds for a reply. If ``wait`` is
+``-W wait``
+   This options sets the length of the wait timeout, indicating that ``named`` should wait for up to ``wait`` seconds for a reply. If ``wait`` is
    less than 1, the wait interval is set to 1 second.
 
-   By default, :program:`host` waits for 5 seconds for UDP responses and 10
+   By default, ``host`` waits for 5 seconds for UDP responses and 10
    seconds for TCP connections. These defaults can be overridden by the
    ``timeout`` option in ``/etc/resolv.conf``.
 
-   See also the :option:`-w` option.
+   See also the ``-w`` option.
 
 IDN Support
 ~~~~~~~~~~~
 
-If :program:`host` has been built with IDN (internationalized domain name)
-support, it can accept and display non-ASCII domain names. :program:`host`
+If ``host`` has been built with IDN (internationalized domain name)
+support, it can accept and display non-ASCII domain names. ``host``
 appropriately converts character encoding of a domain name before sending
 a request to a DNS server or displaying a reply from the server.
 To turn off IDN support, define the ``IDN_DISABLE``
 environment variable. IDN support is disabled if the variable is set
-when :program:`host` runs.
+when ``host`` runs.
 
 Files
 ~~~~~
@@ -190,4 +178,4 @@ Files
 See Also
 ~~~~~~~~
 
-:iscman:`dig(1) <dig>`, :iscman:`named(8) <named>`.
+:manpage:`dig(1)`, :manpage:`named(8)`.

bin/dig/nslookup.c

@@ -1,8 +1,6 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
- * SPDX-License-Identifier: MPL-2.0
- *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, you can obtain one at https://mozilla.org/MPL/2.0/.
@@ -16,17 +14,17 @@
 #include <stdlib.h>
 #include <unistd.h>
 
-#include <isc/async.h>
+#include <isc/app.h>
 #include <isc/attributes.h>
 #include <isc/buffer.h>
 #include <isc/commandline.h>
-#include <isc/condition.h>
-#include <isc/loop.h>
+#include <isc/event.h>
 #include <isc/netaddr.h>
 #include <isc/parseint.h>
+#include <isc/print.h>
 #include <isc/string.h>
+#include <isc/task.h>
 #include <isc/util.h>
-#include <isc/work.h>
 
 #include <dns/byaddr.h>
 #include <dns/fixedname.h>
@@ -41,9 +39,6 @@
 #include "dighost.h"
 #include "readline.h"
 
-static char cmdlinebuf[COMMSIZE];
-static char *cmdline = NULL;
-
 static bool short_form = true, tcpmode = false, tcpmode_set = false,
 	    identify = false, stats = true, comments = true,
 	    section_question = true, section_answer = true,
@@ -56,6 +51,7 @@ static bool interactive;
 static bool in_use = false;
 static char defclass[MXRD] = "IN";
 static char deftype[MXRD] = "A";
+static isc_event_t *global_event = NULL;
 static int query_error = 1, print_error = 0;
 
 static char domainopt[DNS_NAME_MAXTEXT];
@@ -114,6 +110,9 @@ static const char *rtypetext[] = {
 
 #define N_KNOWN_RRTYPES (sizeof(rtypetext) / sizeof(rtypetext[0]))
 
+static void
+getinput(isc_task_t *task, isc_event_t *event);
+
 static char *
 rcode_totext(dns_rcode_t rcode) {
 	static char buf[sizeof("?65535")];
@@ -128,7 +127,21 @@ rcode_totext(dns_rcode_t rcode) {
 	} else {
 		totext.consttext = rcodetext[rcode];
 	}
-	return totext.deconsttext;
+	return (totext.deconsttext);
+}
+
+static void
+query_finished(void) {
+	isc_event_t *event = global_event;
+
+	debug("dighost_shutdown()");
+
+	if (!in_use) {
+		isc_app_shutdown();
+		return;
+	}
+
+	isc_task_send(global_task, &event);
 }
 
 static void
@@ -189,7 +202,6 @@ printrdata(dns_rdata_t *rdata) {
 			check_result(result, "dns_rdata_totext");
 		}
 		isc_buffer_free(&b);
-		INSIST(size <= (UINT_MAX / 2));
 		size *= 2;
 	}
 }
@@ -210,9 +222,9 @@ printsection(dig_query_t *query, dns_message_t *msg, bool headers,
 
 	result = dns_message_firstname(msg, section);
 	if (result == ISC_R_NOMORE) {
-		return ISC_R_SUCCESS;
+		return (ISC_R_SUCCESS);
 	} else if (result != ISC_R_SUCCESS) {
-		return result;
+		return (result);
 	}
 	for (;;) {
 		name = NULL;
@@ -256,10 +268,10 @@ printsection(dig_query_t *query, dns_message_t *msg, bool headers,
 		if (result == ISC_R_NOMORE) {
 			break;
 		} else if (result != ISC_R_SUCCESS) {
-			return result;
+			return (result);
 		}
 	}
-	return ISC_R_SUCCESS;
+	return (ISC_R_SUCCESS);
 }
 
 static isc_result_t
@@ -294,9 +306,9 @@ detailsection(dig_query_t *query, dns_message_t *msg, bool headers,
 
 	result = dns_message_firstname(msg, section);
 	if (result == ISC_R_NOMORE) {
-		return ISC_R_SUCCESS;
+		return (ISC_R_SUCCESS);
 	} else if (result != ISC_R_SUCCESS) {
-		return result;
+		return (result);
 	}
 	for (;;) {
 		name = NULL;
@@ -338,10 +350,10 @@ detailsection(dig_query_t *query, dns_message_t *msg, bool headers,
 		if (result == ISC_R_NOMORE) {
 			break;
 		} else if (result != ISC_R_SUCCESS) {
-			return result;
+			return (result);
 		}
 	}
-	return ISC_R_SUCCESS;
+	return (ISC_R_SUCCESS);
 }
 
 static void
@@ -387,6 +399,8 @@ chase_cnamechain(dns_message_t *msg, dns_name_t *qname) {
 static isc_result_t
 printmessage(dig_query_t *query, const isc_buffer_t *msgbuf, dns_message_t *msg,
 	     bool headers) {
+	char servtext[ISC_SOCKADDR_FORMATSIZE];
+
 	UNUSED(msgbuf);
 
 	/* I've we've gotten this far, we've reached a server. */
@@ -395,7 +409,6 @@ printmessage(dig_query_t *query, const isc_buffer_t *msgbuf, dns_message_t *msg,
 	debug("printmessage()");
 
 	if (!default_lookups || query->lookup->rdtype == dns_rdatatype_a) {
-		char servtext[ISC_SOCKADDR_FORMATSIZE];
 		isc_sockaddr_format(&query->sockaddr, servtext,
 				    sizeof(servtext));
 		printf("Server:\t\t%s\n", query->userarg);
@@ -424,7 +437,7 @@ printmessage(dig_query_t *query, const isc_buffer_t *msgbuf, dns_message_t *msg,
 
 		/* the lookup failed */
 		print_error |= 1;
-		return ISC_R_SUCCESS;
+		return (ISC_R_SUCCESS);
 	}
 
 	if (default_lookups && query->lookup->rdtype == dns_rdatatype_a) {
@@ -478,7 +491,7 @@ printmessage(dig_query_t *query, const isc_buffer_t *msgbuf, dns_message_t *msg,
 		printsection(query, msg, headers, DNS_SECTION_AUTHORITY);
 		printsection(query, msg, headers, DNS_SECTION_ADDITIONAL);
 	}
-	return ISC_R_SUCCESS;
+	return (ISC_R_SUCCESS);
 }
 
 static void
@@ -537,10 +550,10 @@ testtype(char *typetext) {
 	tr.length = strlen(typetext);
 	result = dns_rdatatype_fromtext(&rdtype, &tr);
 	if (result == ISC_R_SUCCESS) {
-		return true;
+		return (true);
 	} else {
 		printf("unknown query type: %s\n", typetext);
-		return false;
+		return (false);
 	}
 }
 
@@ -554,10 +567,10 @@ testclass(char *typetext) {
 	tr.length = strlen(typetext);
 	result = dns_rdataclass_fromtext(&rdclass, &tr);
 	if (result == ISC_R_SUCCESS) {
-		return true;
+		return (true);
 	} else {
 		printf("unknown query class: %s\n", typetext);
-		return false;
+		return (false);
 	}
 }
 
@@ -567,7 +580,6 @@ set_port(const char *value) {
 	isc_result_t result = parse_uint(&n, value, 65535, "port");
 	if (result == ISC_R_SUCCESS) {
 		port = (uint16_t)n;
-		port_set = true;
 	}
 }
 
@@ -598,10 +610,17 @@ set_ndots(const char *value) {
 	}
 }
 
+static void
+version(void) {
+	fprintf(stderr, "nslookup %s\n", PACKAGE_VERSION);
+}
+
 static void
 setoption(char *opt) {
 	size_t l = strlen(opt);
 
+	debugging = true;
+
 #define CHECKOPT(A, N) \
 	((l >= N) && (l < sizeof(A)) && (strncasecmp(opt, A, l) == 0))
 
@@ -791,8 +810,10 @@ do_next_command(char *input) {
 	} else if ((strcasecmp(ptr, "server") == 0) ||
 		   (strcasecmp(ptr, "lserver") == 0))
 	{
+		isc_app_block();
 		set_nameserver(arg);
 		check_ra = false;
+		isc_app_unblock();
 		show_settings(true, true);
 	} else if (strcasecmp(ptr, "exit") == 0) {
 		in_use = false;
@@ -809,34 +830,31 @@ do_next_command(char *input) {
 }
 
 static void
-readline_next_command(void *arg) {
-	char *ptr = NULL;
+get_next_command(void) {
+	char cmdlinebuf[COMMSIZE];
+	char *cmdline, *ptr = NULL;
 
-	UNUSED(arg);
-
-	isc_loopmgr_blocking(loopmgr);
-	ptr = readline("> ");
-	isc_loopmgr_nonblocking(loopmgr);
-	if (ptr == NULL) {
-		return;
+	isc_app_block();
+	if (interactive) {
+		cmdline = ptr = readline("> ");
+		if (ptr != NULL && *ptr != 0) {
+			add_history(ptr);
+		}
+	} else {
+		cmdline = fgets(cmdlinebuf, COMMSIZE, stdin);
 	}
-
-	if (*ptr != 0) {
-		add_history(ptr);
-		strlcpy(cmdlinebuf, ptr, COMMSIZE);
-		cmdline = cmdlinebuf;
+	isc_app_unblock();
+	if (cmdline == NULL) {
+		in_use = false;
+	} else {
+		do_next_command(cmdline);
+	}
+	if (ptr != NULL) {
+		free(ptr);
 	}
-	free(ptr);
 }
 
-static void
-fgets_next_command(void *arg) {
-	UNUSED(arg);
-
-	cmdline = fgets(cmdlinebuf, COMMSIZE, stdin);
-}
-
-noreturn static void
+ISC_NORETURN static void
 usage(void);
 
 static void
@@ -850,7 +868,7 @@ usage(void) {
 			"'host' using default server\n");
 	fprintf(stderr, "   nslookup [-opt ...] host server # just look up "
 			"'host' using 'server'\n");
-	exit(EXIT_FAILURE);
+	exit(1);
 }
 
 static void
@@ -862,8 +880,8 @@ parse_args(int argc, char **argv) {
 		debug("main parsing %s", argv[0]);
 		if (argv[0][0] == '-') {
 			if (strncasecmp(argv[0], "-ver", 4) == 0) {
-				printf("nslookup %s\n", PACKAGE_VERSION);
-				exit(EXIT_SUCCESS);
+				version();
+				exit(0);
 			} else if (argv[0][1] != 0) {
 				setoption(&argv[0][1]);
 			} else {
@@ -886,54 +904,25 @@ parse_args(int argc, char **argv) {
 }
 
 static void
-start_next_command(void);
-
-static void
-process_next_command(void *arg ISC_ATTR_UNUSED) {
-	isc_loop_t *loop = isc_loop_main(loopmgr);
-	if (cmdline == NULL) {
-		in_use = false;
-	} else {
-		do_next_command(cmdline);
+getinput(isc_task_t *task, isc_event_t *event) {
+	UNUSED(task);
+	if (global_event == NULL) {
+		global_event = event;
+	}
+	while (in_use) {
+		get_next_command();
 		if (ISC_LIST_HEAD(lookup_list) != NULL) {
-			isc_async_run(loop, run_loop, NULL);
+			start_lookup();
 			return;
 		}
 	}
-
-	start_next_command();
-}
-
-static void
-start_next_command(void) {
-	isc_loop_t *loop = isc_loop_main(loopmgr);
-	if (!in_use) {
-		isc_loopmgr_shutdown(loopmgr);
-		return;
-	}
-
-	cmdline = NULL;
-
-	isc_loopmgr_pause(loopmgr);
-	if (interactive) {
-		isc_work_enqueue(loop, readline_next_command,
-				 process_next_command, loop);
-	} else {
-		isc_work_enqueue(loop, fgets_next_command, process_next_command,
-				 loop);
-	}
-	isc_loopmgr_resume(loopmgr);
-}
-
-static void
-read_loop(void *arg) {
-	UNUSED(arg);
-
-	start_next_command();
+	isc_app_shutdown();
 }
 
 int
 main(int argc, char **argv) {
+	isc_result_t result;
+
 	interactive = isatty(0);
 
 	ISC_LIST_INIT(lookup_list);
@@ -946,7 +935,10 @@ main(int argc, char **argv) {
 	dighost_printmessage = printmessage;
 	dighost_received = received;
 	dighost_trying = trying;
-	dighost_shutdown = start_next_command;
+	dighost_shutdown = query_finished;
+
+	result = isc_app_start();
+	check_result(result, "isc_app_start");
 
 	setup_libs();
 	progname = argv[0];
@@ -962,18 +954,23 @@ main(int argc, char **argv) {
 		set_search_domain(domainopt);
 	}
 	if (in_use) {
-		isc_loopmgr_setup(loopmgr, run_loop, NULL);
+		result = isc_app_onrun(mctx, global_task, onrun_callback, NULL);
 	} else {
-		isc_loopmgr_setup(loopmgr, read_loop, NULL);
+		result = isc_app_onrun(mctx, global_task, getinput, NULL);
 	}
+	check_result(result, "isc_app_onrun");
 	in_use = !in_use;
 
-	isc_loopmgr_run(loopmgr);
+	(void)isc_app_run();
 
 	puts("");
 	debug("done, and starting to shut down");
+	if (global_event != NULL) {
+		isc_event_free(&global_event);
+	}
 	cancel_all();
 	destroy_libs();
+	isc_app_finish();
 
-	return query_error | print_error;
+	return (query_error | print_error);
 }

bin/dig/nslookup.rst

@@ -1,18 +1,26 @@
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+.. 
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+   
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, you can obtain one at https://mozilla.org/MPL/2.0/.
+   
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
 ..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0.  If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
 
 .. highlight: console
 
-.. iscman:: nslookup
-.. program:: nslookup
 .. _man_nslookup:
 
 nslookup - query Internet name servers interactively
@@ -26,8 +34,8 @@ Synopsis
 Description
 ~~~~~~~~~~~
 
-:program:`nslookup` is a program to query Internet domain name servers.
-:program:`nslookup` has two modes: interactive and non-interactive. Interactive
+``nslookup`` is a program to query Internet domain name servers.
+``nslookup`` has two modes: interactive and non-interactive. Interactive
 mode allows the user to query name servers for information about various
 hosts and domains or to print a list of hosts in a domain.
 Non-interactive mode prints just the name and requested
@@ -56,16 +64,16 @@ seconds, type:
 
    nslookup -query=hinfo  -timeout=10
 
-The ``-version`` option causes :program:`nslookup` to print the version number
+The ``-version`` option causes ``nslookup`` to print the version number
 and immediately exit.
 
 Interactive Commands
 ~~~~~~~~~~~~~~~~~~~~
 
 ``host [server]``
-   This command looks up information for :iscman:`host` using the current default server or
-   using ``server``, if specified. If :iscman:`host` is an Internet address and the
-   query type is A or PTR, the name of the host is returned. If :iscman:`host` is
+   This command looks up information for ``host`` using the current default server or
+   using ``server``, if specified. If ``host`` is an Internet address and the
+   query type is A or PTR, the name of the host is returned. If ``host`` is
    a name and does not have a trailing period (``.``), the search list is used
    to qualify the name.
 
@@ -183,19 +191,19 @@ Interactive Commands
 Return Values
 ~~~~~~~~~~~~~
 
-:program:`nslookup` returns with an exit status of 1 if any query failed, and 0
+``nslookup`` returns with an exit status of 1 if any query failed, and 0
 otherwise.
 
 IDN Support
 ~~~~~~~~~~~
 
-If :program:`nslookup` has been built with IDN (internationalized domain name)
-support, it can accept and display non-ASCII domain names. :program:`nslookup`
+If ``nslookup`` has been built with IDN (internationalized domain name)
+support, it can accept and display non-ASCII domain names. ``nslookup``
 appropriately converts character encoding of a domain name before sending
 a request to a DNS server or displaying a reply from the server.
 To turn off IDN support, define the ``IDN_DISABLE``
 environment variable. IDN support is disabled if the variable is set
-when :program:`nslookup` runs, or when the standard output is not a tty.
+when ``nslookup`` runs, or when the standard output is not a tty.
 
 Files
 ~~~~~
@@ -205,4 +213,4 @@ Files
 See Also
 ~~~~~~~~
 
-:iscman:`dig(1) <dig>`, :iscman:`host(1) <host>`, :iscman:`named(8) <named>`.
+:manpage:`dig(1)`, :manpage:`host(1)`, :manpage:`named(8)`.

bin/dig/readline.h

@@ -1,8 +1,6 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
- * SPDX-License-Identifier: MPL-2.0
- *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, you can obtain one at https://mozilla.org/MPL/2.0/.
@@ -48,10 +46,10 @@ readline(const char *prompt) {
 	line = fgets(buf, RL_MAXCMD, stdin);
 	if (line == NULL) {
 		free(buf);
-		return NULL;
+		return (NULL);
 	}
-	return buf;
-}
+	return (buf);
+};
 
 #define add_history(line)
 

bin/dnssec/.gitignore

@@ -2,7 +2,6 @@ dnssec-cds
 dnssec-dsfromkey
 dnssec-keyfromlabel
 dnssec-keygen
-dnssec-ksr
 dnssec-makekeyset
 dnssec-revoke
 dnssec-settime

bin/dnssec/Makefile.am

@@ -2,7 +2,6 @@ include $(top_srcdir)/Makefile.top
 
 AM_CPPFLAGS +=			\
 	$(LIBISC_CFLAGS)	\
-	$(LIBISCCFG_CFLAGS)	\
 	$(LIBDNS_CFLAGS)
 
 AM_CPPFLAGS +=			\
@@ -13,9 +12,7 @@ noinst_LTLIBRARIES = libdnssectool.la
 LDADD +=			\
 	libdnssectool.la	\
 	$(LIBISC_LIBS)		\
-	$(LIBISCCFG_LIBS)	\
-	$(LIBDNS_LIBS)		\
-	$(OPENSSL_LIBS)
+	$(LIBDNS_LIBS)
 
 bin_PROGRAMS = \
 	dnssec-cds		\
@@ -23,7 +20,6 @@ bin_PROGRAMS = \
 	dnssec-importkey	\
 	dnssec-keyfromlabel	\
 	dnssec-keygen		\
-	dnssec-ksr		\
 	dnssec-revoke		\
 	dnssec-settime		\
 	dnssec-signzone		\
@@ -35,16 +31,8 @@ libdnssectool_la_SOURCES =	\
 
 dnssec_keygen_CPPFLAGS =	\
 	$(AM_CPPFLAGS)		\
-	$(OPENSSL_CFLAGS)
+	$(LIBISCCFG_CFLAGS)
 
 dnssec_keygen_LDADD =		\
 	$(LDADD)		\
-	$(OPENSSL_LIBS)
-
-dnssec_signzone_CPPFLAGS =	\
-	$(AM_CPPFLAGS)		\
-	$(OPENSSL_CFLAGS)
-
-dnssec_signzone_LDADD =		\
-	$(LDADD)		\
-	$(OPENSSL_LIBS)
+	$(LIBISCCFG_LIBS)

bin/dnssec/dnssec-cds.c

@@ -1,8 +1,6 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
- * SPDX-License-Identifier: MPL-2.0
- *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, you can obtain one at https://mozilla.org/MPL/2.0/.
@@ -30,7 +28,7 @@
 #include <isc/file.h>
 #include <isc/hash.h>
 #include <isc/mem.h>
-#include <isc/result.h>
+#include <isc/print.h>
 #include <isc/serial.h>
 #include <isc/string.h>
 #include <isc/time.h>
@@ -52,10 +50,15 @@
 #include <dns/rdataset.h>
 #include <dns/rdatasetiter.h>
 #include <dns/rdatatype.h>
+#include <dns/result.h>
 #include <dns/time.h>
 
 #include <dst/dst.h>
 
+#if USE_PKCS11
+#include <pk11/result.h>
+#endif /* if USE_PKCS11 */
+
 #include "dnssectool.h"
 
 const char *program = "dnssec-cds";
@@ -121,32 +124,17 @@ typedef struct keyinfo {
 
 /* A replaceable function that can generate a DS RRset from some input */
 typedef isc_result_t
-ds_maker_func_t(isc_buffer_t *buf, dns_rdata_t *ds, dns_dsdigest_t dt,
-		dns_rdata_t *crdata);
+ds_maker_func_t(dns_rdatalist_t *dslist, isc_buffer_t *buf, dns_rdata_t *rdata);
 
-static dns_rdataset_t cdnskey_set = DNS_RDATASET_INIT;
-static dns_rdataset_t cdnskey_sig = DNS_RDATASET_INIT;
-static dns_rdataset_t cds_set = DNS_RDATASET_INIT;
-static dns_rdataset_t cds_sig = DNS_RDATASET_INIT;
-static dns_rdataset_t dnskey_set = DNS_RDATASET_INIT;
-static dns_rdataset_t dnskey_sig = DNS_RDATASET_INIT;
-static dns_rdataset_t old_ds_set = DNS_RDATASET_INIT;
-static dns_rdataset_t new_ds_set = DNS_RDATASET_INIT;
+static dns_rdataset_t cdnskey_set, cdnskey_sig;
+static dns_rdataset_t cds_set, cds_sig;
+static dns_rdataset_t dnskey_set, dnskey_sig;
+static dns_rdataset_t old_ds_set, new_ds_set;
 
-static keyinfo_t *old_key_tbl = NULL, *new_key_tbl = NULL;
+static keyinfo_t *old_key_tbl, *new_key_tbl;
 
 isc_buffer_t *new_ds_buf = NULL; /* backing store for new_ds_set */
 
-static dns_db_t *child_db = NULL;
-static dns_dbnode_t *child_node = NULL;
-static dns_db_t *parent_db = NULL;
-static dns_dbnode_t *parent_node = NULL;
-static dns_db_t *update_db = NULL;
-static dns_dbnode_t *update_node = NULL;
-static dns_dbversion_t *update_version = NULL;
-static bool cleanup_dst = false;
-static bool print_mem_stats = false;
-
 static void
 verbose_time(int level, const char *msg, isc_stdtime_t time) {
 	isc_result_t result;
@@ -247,8 +235,8 @@ static void
 load_db(const char *filename, dns_db_t **dbp, dns_dbnode_t **nodep) {
 	isc_result_t result;
 
-	result = dns_db_create(mctx, ZONEDB_DEFAULT, name, dns_dbtype_zone,
-			       rdclass, 0, NULL, dbp);
+	result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone, rdclass, 0,
+			       NULL, dbp);
 	check_result(result, "dns_db_create()");
 
 	result = dns_db_load(*dbp, filename, dns_masterformat_text,
@@ -264,27 +252,21 @@ load_db(const char *filename, dns_db_t **dbp, dns_dbnode_t **nodep) {
 }
 
 static void
-free_db(dns_db_t **dbp, dns_dbnode_t **nodep, dns_dbversion_t **versionp) {
-	if (*dbp != NULL) {
-		if (*nodep != NULL) {
-			dns_db_detachnode(*dbp, nodep);
-		}
-		if (versionp != NULL && *versionp != NULL) {
-			dns_db_closeversion(*dbp, versionp, false);
-		}
-		dns_db_detach(dbp);
-	}
+free_db(dns_db_t **dbp, dns_dbnode_t **nodep) {
+	dns_db_detachnode(*dbp, nodep);
+	dns_db_detach(dbp);
 }
 
 static void
 load_child_sets(const char *file) {
-	load_db(file, &child_db, &child_node);
-	findset(child_db, child_node, dns_rdatatype_dnskey, &dnskey_set,
-		&dnskey_sig);
-	findset(child_db, child_node, dns_rdatatype_cdnskey, &cdnskey_set,
-		&cdnskey_sig);
-	findset(child_db, child_node, dns_rdatatype_cds, &cds_set, &cds_sig);
-	free_db(&child_db, &child_node, NULL);
+	dns_db_t *db = NULL;
+	dns_dbnode_t *node = NULL;
+
+	load_db(file, &db, &node);
+	findset(db, node, dns_rdatatype_dnskey, &dnskey_set, &dnskey_sig);
+	findset(db, node, dns_rdatatype_cdnskey, &cdnskey_set, &cdnskey_sig);
+	findset(db, node, dns_rdatatype_cds, &cds_set, &cds_sig);
+	free_db(&db, &node);
 }
 
 static void
@@ -333,6 +315,8 @@ get_dsset_name(char *filename, size_t size, const char *path,
 static void
 load_parent_set(const char *path) {
 	isc_result_t result;
+	dns_db_t *db = NULL;
+	dns_dbnode_t *node = NULL;
 	isc_time_t modtime;
 	char filename[PATH_MAX + 1];
 
@@ -345,20 +329,21 @@ load_parent_set(const char *path) {
 	}
 	notbefore = isc_time_seconds(&modtime);
 	if (startstr != NULL) {
-		isc_stdtime_t now = isc_stdtime_now();
+		isc_stdtime_t now;
+		isc_stdtime_get(&now);
 		notbefore = strtotime(startstr, now, notbefore, NULL);
 	}
 	verbose_time(1, "child records must not be signed before", notbefore);
 
-	load_db(filename, &parent_db, &parent_node);
-	findset(parent_db, parent_node, dns_rdatatype_ds, &old_ds_set, NULL);
+	load_db(filename, &db, &node);
+	findset(db, node, dns_rdatatype_ds, &old_ds_set, NULL);
 
 	if (!dns_rdataset_isassociated(&old_ds_set)) {
 		fatal("could not find DS records for %s in %s", namestr,
 		      filename);
 	}
 
-	free_db(&parent_db, &parent_node, NULL);
+	free_db(&db, &node);
 }
 
 #define MAX_CDS_RDATA_TEXT_SIZE DNS_RDATA_MAXLENGTH * 2
@@ -383,19 +368,18 @@ formatset(dns_rdataset_t *rdataset) {
 
 	isc_buffer_allocate(mctx, &buf, MAX_CDS_RDATA_TEXT_SIZE);
 	result = dns_master_rdatasettotext(name, rdataset, style, NULL, buf);
-	dns_master_styledestroy(&style, mctx);
 
 	if ((result == ISC_R_SUCCESS) && isc_buffer_availablelength(buf) < 1) {
 		result = ISC_R_NOSPACE;
 	}
 
-	if (result != ISC_R_SUCCESS) {
-		isc_buffer_free(&buf);
-		check_result(result, "dns_rdataset_totext()");
-	}
+	check_result(result, "dns_rdataset_totext()");
 
 	isc_buffer_putuint8(buf, 0);
-	return buf;
+
+	dns_master_styledestroy(&style, mctx);
+
+	return (buf);
 }
 
 static void
@@ -437,7 +421,6 @@ write_parent_set(const char *path, const char *inplace, bool nsupdate,
 
 	result = isc_file_openunique(tmpname, &fp);
 	if (result != ISC_R_SUCCESS) {
-		isc_buffer_free(&buf);
 		fatal("open %s: %s", tmpname, isc_result_totext(result));
 	}
 	fprintf(fp, "%s", (char *)r.base);
@@ -495,7 +478,7 @@ match_key_dsset(keyinfo_t *ki, dns_rdataset_t *dsset, strictness_t strictness) {
 				 "dns_ds_buildrdata("
 				 "keytag=%d, algo=%d, digest=%d): %s\n",
 				 ds.key_tag, ds.algorithm, ds.digest_type,
-				 isc_result_totext(result));
+				 dns_result_totext(result));
 			continue;
 		}
 		/* allow for both DS and CDS */
@@ -505,14 +488,14 @@ match_key_dsset(keyinfo_t *ki, dns_rdataset_t *dsset, strictness_t strictness) {
 			vbprintf(1, "found matching %s %d %d %d\n",
 				 c ? "CDS" : "DS", ds.key_tag, ds.algorithm,
 				 ds.digest_type);
-			return true;
+			return (true);
 		} else if (strictness == TIGHT) {
 			vbprintf(0,
 				 "key does not match %s %d %d %d "
 				 "when it looks like it should\n",
 				 c ? "CDS" : "DS", ds.key_tag, ds.algorithm,
 				 ds.digest_type);
-			return false;
+			return (false);
 		}
 	}
 
@@ -521,7 +504,7 @@ match_key_dsset(keyinfo_t *ki, dns_rdataset_t *dsset, strictness_t strictness) {
 		 ki->rdata.type == dns_rdatatype_cdnskey ? "CDNSKEY" : "DNSKEY",
 		 ki->tag, ki->algo);
 
-	return false;
+	return (false);
 }
 
 /*
@@ -532,22 +515,23 @@ static keyinfo_t *
 match_keyset_dsset(dns_rdataset_t *keyset, dns_rdataset_t *dsset,
 		   strictness_t strictness) {
 	isc_result_t result;
-	keyinfo_t *keytable, *ki;
+	keyinfo_t *keytable;
 	int i;
 
 	nkey = dns_rdataset_count(keyset);
 
-	keytable = isc_mem_cget(mctx, nkey, sizeof(keytable[0]));
+	keytable = isc_mem_get(mctx, sizeof(keyinfo_t) * nkey);
 
-	for (result = dns_rdataset_first(keyset), i = 0, ki = keytable;
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(keyset), i++, ki++)
+	for (result = dns_rdataset_first(keyset), i = 0;
+	     result == ISC_R_SUCCESS; result = dns_rdataset_next(keyset), i++)
 	{
+		keyinfo_t *ki;
 		dns_rdata_dnskey_t dnskey;
 		dns_rdata_t *keyrdata;
 		isc_region_t r;
 
 		INSIST(i < nkey);
+		ki = &keytable[i];
 		keyrdata = &ki->rdata;
 
 		dns_rdata_init(keyrdata);
@@ -571,11 +555,11 @@ match_keyset_dsset(dns_rdataset_t *keyset, dns_rdataset_t *dsset,
 			vbprintf(3,
 				 "dns_dnssec_keyfromrdata("
 				 "keytag=%d, algo=%d): %s\n",
-				 ki->tag, ki->algo, isc_result_totext(result));
+				 ki->tag, ki->algo, dns_result_totext(result));
 		}
 	}
 
-	return keytable;
+	return (keytable);
 }
 
 static void
@@ -585,15 +569,14 @@ free_keytable(keyinfo_t **keytable_p) {
 	keyinfo_t *ki;
 	int i;
 
-	REQUIRE(keytable != NULL);
-
-	for (i = 0, ki = keytable; i < nkey; i++, ki++) {
+	for (i = 0; i < nkey; i++) {
+		ki = &keytable[i];
 		if (ki->dst != NULL) {
 			dst_key_free(&ki->dst);
 		}
 	}
 
-	isc_mem_cput(mctx, keytable, nkey, sizeof(keytable[0]));
+	isc_mem_put(mctx, keytable, sizeof(keyinfo_t) * nkey);
 }
 
 /*
@@ -612,9 +595,8 @@ matching_sigs(keyinfo_t *keytbl, dns_rdataset_t *rdataset,
 	dns_secalg_t *algo;
 	int i;
 
-	REQUIRE(keytbl != NULL);
-
-	algo = isc_mem_cget(mctx, nkey, sizeof(algo[0]));
+	algo = isc_mem_get(mctx, nkey);
+	memset(algo, 0, nkey);
 
 	for (result = dns_rdataset_first(sigset); result == ISC_R_SUCCESS;
 	     result = dns_rdataset_next(sigset))
@@ -655,8 +637,7 @@ matching_sigs(keyinfo_t *keytbl, dns_rdataset_t *rdataset,
 						   NULL);
 
 			if (result != ISC_R_SUCCESS &&
-			    result != DNS_R_FROMWILDCARD)
-			{
+			    result != DNS_R_FROMWILDCARD) {
 				vbprintf(1,
 					 "skip RRSIG by key %d:"
 					 " verification failed: %s\n",
@@ -681,7 +662,7 @@ matching_sigs(keyinfo_t *keytbl, dns_rdataset_t *rdataset,
 		}
 	}
 
-	return algo;
+	return (algo);
 }
 
 /*
@@ -697,8 +678,8 @@ signed_loose(dns_secalg_t *algo) {
 			ok = true;
 		}
 	}
-	isc_mem_cput(mctx, algo, nkey, sizeof(algo[0]));
-	return ok;
+	isc_mem_put(mctx, algo, nkey);
+	return (ok);
 }
 
 /*
@@ -739,137 +720,143 @@ signed_strict(dns_rdataset_t *dsset, dns_secalg_t *algo) {
 		}
 	}
 
-	isc_mem_cput(mctx, algo, nkey, sizeof(algo[0]));
-	return all_ok;
+	isc_mem_put(mctx, algo, nkey);
+	return (all_ok);
+}
+
+static dns_rdata_t *
+rdata_get(void) {
+	dns_rdata_t *rdata;
+
+	rdata = isc_mem_get(mctx, sizeof(*rdata));
+	dns_rdata_init(rdata);
+
+	return (rdata);
+}
+
+static isc_result_t
+rdata_put(isc_result_t result, dns_rdatalist_t *rdlist, dns_rdata_t *rdata) {
+	if (result == ISC_R_SUCCESS) {
+		ISC_LIST_APPEND(rdlist->rdata, rdata, link);
+	} else {
+		isc_mem_put(mctx, rdata, sizeof(*rdata));
+	}
+
+	return (result);
 }
 
 /*
  * This basically copies the rdata into the buffer, but going via the
- * unpacked struct lets us change the rdatatype. (The dns_rdata_cds_t
- * and dns_rdata_ds_t types are aliases.)
+ * unpacked struct has the side-effect of changing the rdatatype. The
+ * dns_rdata_cds_t and dns_rdata_ds_t types are aliases.
  */
 static isc_result_t
-ds_from_cds(isc_buffer_t *buf, dns_rdata_t *rds, dns_dsdigest_t dt,
-	    dns_rdata_t *cds) {
+ds_from_cds(dns_rdatalist_t *dslist, isc_buffer_t *buf, dns_rdata_t *cds) {
 	isc_result_t result;
 	dns_rdata_ds_t ds;
+	dns_rdata_t *rdata;
 
 	REQUIRE(buf != NULL);
 
+	rdata = rdata_get();
+
 	result = dns_rdata_tostruct(cds, &ds, NULL);
 	check_result(result, "dns_rdata_tostruct(CDS)");
 	ds.common.rdtype = dns_rdatatype_ds;
 
-	if (ds.digest_type != dt) {
-		return ISC_R_IGNORE;
-	}
+	result = dns_rdata_fromstruct(rdata, rdclass, dns_rdatatype_ds, &ds,
+				      buf);
 
-	return dns_rdata_fromstruct(rds, rdclass, dns_rdatatype_ds, &ds, buf);
+	return (rdata_put(result, dslist, rdata));
 }
 
 static isc_result_t
-ds_from_cdnskey(isc_buffer_t *buf, dns_rdata_t *ds, dns_dsdigest_t dt,
+ds_from_cdnskey(dns_rdatalist_t *dslist, isc_buffer_t *buf,
 		dns_rdata_t *cdnskey) {
 	isc_result_t result;
-	isc_region_t r;
+	unsigned i, n;
 
 	REQUIRE(buf != NULL);
 
-	isc_buffer_availableregion(buf, &r);
-	if (r.length < DNS_DS_BUFFERSIZE) {
-		return ISC_R_NOSPACE;
-	}
+	n = sizeof(dtype) / sizeof(dtype[0]);
+	for (i = 0; i < n; i++) {
+		if (dtype[i] != 0) {
+			dns_rdata_t *rdata;
+			isc_region_t r;
 
-	result = dns_ds_buildrdata(name, cdnskey, dt, r.base, ds);
-	if (result == ISC_R_SUCCESS) {
-		isc_buffer_add(buf, DNS_DS_BUFFERSIZE);
-	}
+			isc_buffer_availableregion(buf, &r);
+			if (r.length < DNS_DS_BUFFERSIZE) {
+				return (ISC_R_NOSPACE);
+			}
 
-	return result;
-}
+			rdata = rdata_get();
+			result = dns_ds_buildrdata(name, cdnskey, dtype[i],
+						   r.base, rdata);
+			if (result == ISC_R_SUCCESS) {
+				isc_buffer_add(buf, DNS_DS_BUFFERSIZE);
+			}
 
-static isc_result_t
-append_new_ds_set(ds_maker_func_t *ds_from_rdata, isc_buffer_t *buf,
-		  dns_rdatalist_t *dslist, dns_dsdigest_t dt,
-		  dns_rdataset_t *crdset) {
-	isc_result_t result;
-
-	for (result = dns_rdataset_first(crdset); result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(crdset))
-	{
-		dns_rdata_t crdata = DNS_RDATA_INIT;
-		dns_rdata_t *ds = NULL;
-
-		dns_rdataset_current(crdset, &crdata);
-
-		ds = isc_mem_get(mctx, sizeof(*ds));
-		dns_rdata_init(ds);
-
-		result = ds_from_rdata(buf, ds, dt, &crdata);
-
-		switch (result) {
-		case ISC_R_SUCCESS:
-			ISC_LIST_APPEND(dslist->rdata, ds, link);
-			break;
-		case ISC_R_IGNORE:
-			isc_mem_put(mctx, ds, sizeof(*ds));
-			continue;
-		case ISC_R_NOSPACE:
-			isc_mem_put(mctx, ds, sizeof(*ds));
-			return result;
-		default:
-			isc_mem_put(mctx, ds, sizeof(*ds));
-			check_result(result, "ds_from_rdata()");
+			result = rdata_put(result, dslist, rdata);
+			if (result != ISC_R_SUCCESS) {
+				return (result);
+			}
 		}
 	}
 
-	return ISC_R_SUCCESS;
+	return (ISC_R_SUCCESS);
 }
 
 static void
 make_new_ds_set(ds_maker_func_t *ds_from_rdata, uint32_t ttl,
-		dns_rdataset_t *crdset) {
+		dns_rdataset_t *rdset) {
 	unsigned int size = 16;
-
 	for (;;) {
-		isc_result_t result = ISC_R_SUCCESS;
-		dns_rdatalist_t *dslist = NULL;
-		size_t n;
+		isc_result_t result;
+		dns_rdatalist_t *dslist;
 
 		dslist = isc_mem_get(mctx, sizeof(*dslist));
+
 		dns_rdatalist_init(dslist);
 		dslist->rdclass = rdclass;
 		dslist->type = dns_rdatatype_ds;
 		dslist->ttl = ttl;
 
 		dns_rdataset_init(&new_ds_set);
-		dns_rdatalist_tordataset(dslist, &new_ds_set);
+		result = dns_rdatalist_tordataset(dslist, &new_ds_set);
+		check_result(result, "dns_rdatalist_tordataset(dslist)");
 
 		isc_buffer_allocate(mctx, &new_ds_buf, size);
 
-		n = sizeof(dtype) / sizeof(dtype[0]);
-		for (size_t i = 0; i < n && dtype[i] != 0; i++) {
-			result = append_new_ds_set(ds_from_rdata, new_ds_buf,
-						   dslist, dtype[i], crdset);
-			if (result != ISC_R_SUCCESS) {
+		for (result = dns_rdataset_first(rdset);
+		     result == ISC_R_SUCCESS; result = dns_rdataset_next(rdset))
+		{
+			isc_result_t tresult;
+			dns_rdata_t rdata = DNS_RDATA_INIT;
+
+			dns_rdataset_current(rdset, &rdata);
+
+			tresult = ds_from_rdata(dslist, new_ds_buf, &rdata);
+			if (tresult == ISC_R_NOSPACE) {
+				vbprintf(20, "DS list buffer size %u\n", size);
+				freelist(&new_ds_set);
+				isc_buffer_free(&new_ds_buf);
+				size *= 2;
 				break;
 			}
-		}
-		if (result == ISC_R_SUCCESS) {
-			return;
+
+			check_result(tresult, "ds_from_rdata()");
 		}
 
-		vbprintf(2, "doubling DS list buffer size from %u\n", size);
-		freelist(&new_ds_set);
-		isc_buffer_free(&new_ds_buf);
-		size *= 2;
+		if (result == ISC_R_NOMORE) {
+			break;
+		}
 	}
 }
 
-static int
+static inline int
 rdata_cmp(const void *rdata1, const void *rdata2) {
-	return dns_rdata_compare((const dns_rdata_t *)rdata1,
-				 (const dns_rdata_t *)rdata2);
+	return (dns_rdata_compare((const dns_rdata_t *)rdata1,
+				  (const dns_rdata_t *)rdata2));
 }
 
 /*
@@ -887,14 +874,13 @@ consistent_digests(dns_rdataset_t *dsset) {
 	int i, j, n, d;
 
 	/*
-	 * First sort the dsset. DS rdata fields are tag, algorithm,
-	 * digest, so sorting them brings together all the records for
-	 * each key.
+	 * First sort the dsset. DS rdata fields are tag, algorithm, digest,
+	 * so sorting them brings together all the records for each key.
 	 */
 
 	n = dns_rdataset_count(dsset);
 
-	arrdata = isc_mem_cget(mctx, n, sizeof(dns_rdata_t));
+	arrdata = isc_mem_get(mctx, n * sizeof(dns_rdata_t));
 
 	for (result = dns_rdataset_first(dsset), i = 0; result == ISC_R_SUCCESS;
 	     result = dns_rdataset_next(dsset), i++)
@@ -908,7 +894,7 @@ consistent_digests(dns_rdataset_t *dsset) {
 	/*
 	 * Convert sorted arrdata to more accessible format
 	 */
-	ds = isc_mem_cget(mctx, n, sizeof(dns_rdata_ds_t));
+	ds = isc_mem_get(mctx, n * sizeof(dns_rdata_ds_t));
 
 	for (i = 0; i < n; i++) {
 		result = dns_rdata_tostruct(&arrdata[i], &ds[i], NULL);
@@ -947,10 +933,10 @@ consistent_digests(dns_rdataset_t *dsset) {
 	/*
 	 * Done!
 	 */
-	isc_mem_cput(mctx, ds, n, sizeof(dns_rdata_ds_t));
-	isc_mem_cput(mctx, arrdata, n, sizeof(dns_rdata_t));
+	isc_mem_put(mctx, ds, n * sizeof(dns_rdata_ds_t));
+	isc_mem_put(mctx, arrdata, n * sizeof(dns_rdata_t));
 
-	return match;
+	return (match);
 }
 
 static void
@@ -976,27 +962,32 @@ static void
 update_diff(const char *cmd, uint32_t ttl, dns_rdataset_t *addset,
 	    dns_rdataset_t *delset) {
 	isc_result_t result;
+	dns_db_t *db;
+	dns_dbnode_t *node;
+	dns_dbversion_t *ver;
 	dns_rdataset_t diffset;
 	uint32_t save;
 
-	result = dns_db_create(mctx, ZONEDB_DEFAULT, name, dns_dbtype_zone,
-			       rdclass, 0, NULL, &update_db);
+	db = NULL;
+	result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone, rdclass, 0,
+			       NULL, &db);
 	check_result(result, "dns_db_create()");
 
-	result = dns_db_newversion(update_db, &update_version);
+	ver = NULL;
+	result = dns_db_newversion(db, &ver);
 	check_result(result, "dns_db_newversion()");
 
-	result = dns_db_findnode(update_db, name, true, &update_node);
+	node = NULL;
+	result = dns_db_findnode(db, name, true, &node);
 	check_result(result, "dns_db_findnode()");
 
 	dns_rdataset_init(&diffset);
 
-	result = dns_db_addrdataset(update_db, update_node, update_version, 0,
-				    addset, DNS_DBADD_MERGE, NULL);
+	result = dns_db_addrdataset(db, node, ver, 0, addset, DNS_DBADD_MERGE,
+				    NULL);
 	check_result(result, "dns_db_addrdataset()");
 
-	result = dns_db_subtractrdataset(update_db, update_node, update_version,
-					 delset, 0, &diffset);
+	result = dns_db_subtractrdataset(db, node, ver, delset, 0, &diffset);
 	if (result == DNS_R_UNCHANGED) {
 		save = addset->ttl;
 		addset->ttl = ttl;
@@ -1009,7 +1000,9 @@ update_diff(const char *cmd, uint32_t ttl, dns_rdataset_t *addset,
 		dns_rdataset_disassociate(&diffset);
 	}
 
-	free_db(&update_db, &update_node, &update_version);
+	dns_db_detachnode(db, &node);
+	dns_db_closeversion(db, &ver, false);
+	dns_db_detach(&db);
 }
 
 static void
@@ -1029,7 +1022,7 @@ nsdiff(uint32_t ttl, dns_rdataset_t *oldset, dns_rdataset_t *newset) {
 	}
 }
 
-noreturn static void
+ISC_NORETURN static void
 usage(void);
 
 static void
@@ -1056,33 +1049,7 @@ usage(void) {
 			"    -T <ttl>           TTL of DS records\n"
 			"    -V                 print version\n"
 			"    -v <verbosity>\n");
-	exit(EXIT_FAILURE);
-}
-
-static void
-cleanup(void) {
-	free_db(&child_db, &child_node, NULL);
-	free_db(&parent_db, &parent_node, NULL);
-	free_db(&update_db, &update_node, &update_version);
-	if (old_key_tbl != NULL) {
-		free_keytable(&old_key_tbl);
-	}
-	if (new_key_tbl != NULL) {
-		free_keytable(&new_key_tbl);
-	}
-	free_all_sets();
-	if (lctx != NULL) {
-		cleanup_logging(&lctx);
-	}
-	if (cleanup_dst) {
-		dst_lib_destroy();
-	}
-	if (mctx != NULL) {
-		if (print_mem_stats && verbose > 10) {
-			isc_mem_stats(mctx, stdout);
-		}
-		isc_mem_destroy(&mctx);
-	}
+	exit(1);
 }
 
 int
@@ -1097,10 +1064,13 @@ main(int argc, char *argv[]) {
 	int ch;
 	char *endp;
 
-	setfatalcallback(cleanup);
-
 	isc_mem_create(&mctx);
 
+#if USE_PKCS11
+	pk11_result_register();
+#endif /* if USE_PKCS11 */
+	dns_result_register();
+
 	isc_commandline_errprint = false;
 
 #define OPTIONS "a:c:Dd:f:i:ms:T:uv:V"
@@ -1123,12 +1093,11 @@ main(int argc, char *argv[]) {
 			break;
 		case 'i':
 			/*
-			 * This is a bodge to make the argument
-			 * optional, so that it works just like sed(1).
+			 * This is a bodge to make the argument optional,
+			 * so that it works just like sed(1).
 			 */
 			if (isc_commandline_argument ==
-			    argv[isc_commandline_index - 1])
-			{
+			    argv[isc_commandline_index - 1]) {
 				isc_commandline_index--;
 				inplace = "";
 			} else {
@@ -1185,7 +1154,6 @@ main(int argc, char *argv[]) {
 		fatal("could not initialize dst: %s",
 		      isc_result_totext(result));
 	}
-	cleanup_dst = true;
 
 	if (ds_path == NULL) {
 		fatal("missing -d DS pathname");
@@ -1221,8 +1189,7 @@ main(int argc, char *argv[]) {
 		fatal("missing RRSIG CDNSKEY records for %s", namestr);
 	}
 	if (dns_rdataset_isassociated(&cds_set) &&
-	    !dns_rdataset_isassociated(&cds_sig))
-	{
+	    !dns_rdataset_isassociated(&cds_sig)) {
 		fatal("missing RRSIG CDS records for %s", namestr);
 	}
 
@@ -1230,10 +1197,9 @@ main(int argc, char *argv[]) {
 	old_key_tbl = match_keyset_dsset(&dnskey_set, &old_ds_set, LOOSE);
 
 	/*
-	 * We have now identified the keys that are allowed to
-	 * authenticate the DNSKEY RRset (RFC 4035 section 5.2 bullet
-	 * 2), and CDNSKEY and CDS RRsets (RFC 7344 section 4.1 bullet
-	 * 2).
+	 * We have now identified the keys that are allowed to authenticate
+	 * the DNSKEY RRset (RFC 4035 section 5.2 bullet 2), and CDNSKEY and
+	 * CDS RRsets (RFC 7344 section 4.1 bullet 2).
 	 */
 
 	vbprintf(1, "verify DNSKEY signature(s)\n");
@@ -1245,8 +1211,7 @@ main(int argc, char *argv[]) {
 	if (dns_rdataset_isassociated(&cdnskey_set)) {
 		vbprintf(1, "verify CDNSKEY signature(s)\n");
 		if (!signed_loose(matching_sigs(old_key_tbl, &cdnskey_set,
-						&cdnskey_sig)))
-		{
+						&cdnskey_sig))) {
 			fatal("could not validate child CDNSKEY RRset for %s",
 			      namestr);
 		}
@@ -1254,8 +1219,7 @@ main(int argc, char *argv[]) {
 	if (dns_rdataset_isassociated(&cds_set)) {
 		vbprintf(1, "verify CDS signature(s)\n");
 		if (!signed_loose(
-			    matching_sigs(old_key_tbl, &cds_set, &cds_sig)))
-		{
+			    matching_sigs(old_key_tbl, &cds_set, &cds_sig))) {
 			fatal("could not validate child CDS RRset for %s",
 			      namestr);
 		}
@@ -1285,7 +1249,7 @@ main(int argc, char *argv[]) {
 		vbprintf(1, "%s has neither CDS nor CDNSKEY records\n",
 			 namestr);
 		write_parent_set(ds_path, inplace, nsupdate, &old_ds_set);
-		goto cleanup;
+		exit(0);
 	}
 
 	/*
@@ -1300,24 +1264,6 @@ main(int argc, char *argv[]) {
 		make_new_ds_set(ds_from_cdnskey, ttl, &cdnskey_set);
 	}
 
-	/*
-	 * Try to use CDNSKEY records if the CDS records are missing
-	 * or did not match.
-	 */
-	if (dns_rdataset_count(&new_ds_set) == 0 &&
-	    dns_rdataset_isassociated(&cdnskey_set))
-	{
-		vbprintf(1, "CDS records have no allowed digest types; "
-			    "using CDNSKEY instead\n");
-		freelist(&new_ds_set);
-		isc_buffer_free(&new_ds_buf);
-		make_new_ds_set(ds_from_cdnskey, ttl, &cdnskey_set);
-	}
-	if (dns_rdataset_count(&new_ds_set) == 0) {
-		fatal("CDS records at %s do not match any -a digest types",
-		      namestr);
-	}
-
 	/*
 	 * Now we have a candidate DS RRset, we need to check it
 	 * won't break the delegation.
@@ -1351,9 +1297,13 @@ main(int argc, char *argv[]) {
 
 	write_parent_set(ds_path, inplace, nsupdate, &new_ds_set);
 
-cleanup:
-	print_mem_stats = true;
-	cleanup();
+	free_all_sets();
+	cleanup_logging(&lctx);
+	dst_lib_destroy();
+	if (verbose > 10) {
+		isc_mem_stats(mctx, stdout);
+	}
+	isc_mem_destroy(&mctx);
 
-	return 0;
+	exit(0);
 }

bin/dnssec/dnssec-cds.rst

@@ -1,18 +1,26 @@
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+.. 
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+   
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, you can obtain one at https://mozilla.org/MPL/2.0/.
+   
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
 ..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0.  If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
 
 .. highlight: console
 
-.. iscman:: dnssec-cds
-.. program:: dnssec-cds
 .. _man_dnssec-cds:
 
 dnssec-cds - change DS records for a child zone based on CDS/CDNSKEY
@@ -26,104 +34,93 @@ Synopsis
 Description
 ~~~~~~~~~~~
 
-The :program:`dnssec-cds` command changes DS records at a delegation point
+The ``dnssec-cds`` command changes DS records at a delegation point
 based on CDS or CDNSKEY records published in the child zone. If both CDS
 and CDNSKEY records are present in the child zone, the CDS is preferred.
 This enables a child zone to inform its parent of upcoming changes to
-its key-signing keys (KSKs); by polling periodically with :program:`dnssec-cds`, the
+its key-signing keys (KSKs); by polling periodically with ``dnssec-cds``, the
 parent can keep the DS records up-to-date and enable automatic rolling
 of KSKs.
 
-Two input files are required. The :option:`-f child-file <-f>` option specifies a
+Two input files are required. The ``-f child-file`` option specifies a
 file containing the child's CDS and/or CDNSKEY records, plus RRSIG and
-DNSKEY records so that they can be authenticated. The :option:`-d path <-d>` option
+DNSKEY records so that they can be authenticated. The ``-d path`` option
 specifies the location of a file containing the current DS records. For
 example, this could be a ``dsset-`` file generated by
-:iscman:`dnssec-signzone`, or the output of :iscman:`dnssec-dsfromkey`, or the
-output of a previous run of :program:`dnssec-cds`.
+``dnssec-signzone``, or the output of ``dnssec-dsfromkey``, or the
+output of a previous run of ``dnssec-cds``.
 
-The :program:`dnssec-cds` command uses special DNSSEC validation logic
+The ``dnssec-cds`` command uses special DNSSEC validation logic
 specified by :rfc:`7344`. It requires that the CDS and/or CDNSKEY records
 be validly signed by a key represented in the existing DS records. This
 is typically the pre-existing KSK.
 
 For protection against replay attacks, the signatures on the child
 records must not be older than they were on a previous run of
-:program:`dnssec-cds`. Their age is obtained from the modification time of the
-``dsset-`` file, or from the :option:`-s` option.
+``dnssec-cds``. Their age is obtained from the modification time of the
+``dsset-`` file, or from the ``-s`` option.
 
-To protect against breaking the delegation, :program:`dnssec-cds` ensures that
+To protect against breaking the delegation, ``dnssec-cds`` ensures that
 the DNSKEY RRset can be verified by every key algorithm in the new DS
 RRset, and that the same set of keys are covered by every DS digest
 type.
 
 By default, replacement DS records are written to the standard output;
-with the :option:`-i` option the input file is overwritten in place. The
+with the ``-i`` option the input file is overwritten in place. The
 replacement DS records are the same as the existing records, when no
 change is required. The output can be empty if the CDS/CDNSKEY records
 specify that the child zone wants to be insecure.
 
 .. warning::
 
-   Be careful not to delete the DS records when :program:`dnssec-cds` fails!
+   Be careful not to delete the DS records when ``dnssec-cds`` fails!
 
-Alternatively, :option`dnssec-cds -u` writes an :iscman:`nsupdate` script to the
-standard output. The :option:`-u` and :option:`-i` options can be used together to
-maintain a ``dsset-`` file as well as emit an :iscman:`nsupdate` script.
+Alternatively, ``dnssec-cds -u`` writes an ``nsupdate`` script to the
+standard output. The ``-u`` and ``-i`` options can be used together to
+maintain a ``dsset-`` file as well as emit an ``nsupdate`` script.
 
 Options
 ~~~~~~~
 
-.. option:: -a algorithm
-
-   When converting CDS records to DS records, this option specifies
-   the acceptable digest algorithms. This option can be repeated, so
-   that multiple digest types are allowed. If none of the CDS records
-   use an acceptable digest type, :program:`dnssec-cds` will try to use CDNSKEY
-   records instead; if there are no CDNSKEY records, it reports an error.
-
-   When converting CDNSKEY records to DS records, this option specifies the
-   digest algorithm to use. It can be repeated, so that multiple DS records
-   are created for each CDNSKEY records.
+``-a algorithm``
+   This option specifies a digest algorithm to use when converting CDNSKEY records to
+   DS records. This option can be repeated, so that multiple DS records
+   are created for each CDNSKEY record. This option has no effect when
+   using CDS records.
 
    The algorithm must be one of SHA-1, SHA-256, or SHA-384. These values
    are case-insensitive, and the hyphen may be omitted. If no algorithm
-   is specified, the default is SHA-256 only.
-
-.. option:: -c class
+   is specified, the default is SHA-256.
 
+``-c class``
    This option specifies the DNS class of the zones.
 
-.. option:: -D
-
+``-D``
    This option generates DS records from CDNSKEY records if both CDS and CDNSKEY
    records are present in the child zone. By default CDS records are
    preferred.
 
-.. option:: -d path
-
+``-d path``
    This specifies the location of the parent DS records. The path can be the name of a file
-   containing the DS records; if it is a directory, :program:`dnssec-cds`
+   containing the DS records; if it is a directory, ``dnssec-cds``
    looks for a ``dsset-`` file for the domain inside the directory.
 
    To protect against replay attacks, child records are rejected if they
    were signed earlier than the modification time of the ``dsset-``
-   file. This can be adjusted with the :option:`-s` option.
-
-.. option:: -f child-file
+   file. This can be adjusted with the ``-s`` option.
 
+``-f child-file``
    This option specifies the file containing the child's CDS and/or CDNSKEY records, plus its
    DNSKEY records and the covering RRSIG records, so that they can be
    authenticated.
 
    The examples below describe how to generate this file.
 
-.. option:: -i extension
-
+``-iextension``
    This option updates the ``dsset-`` file in place, instead of writing DS records to
    the standard output.
 
-   There must be no space between the :option:`-i` and the extension. If
+   There must be no space between the ``-i`` and the extension. If
    no extension is provided, the old ``dsset-`` is discarded. If an
    extension is present, a backup of the old ``dsset-`` file is kept
    with the extension appended to its filename.
@@ -133,8 +130,7 @@ Options
    child records, provided that it is later than the file's current
    modification time.
 
-.. option:: -s start-time
-
+``-s start-time``
    This option specifies the date and time after which RRSIG records become
    acceptable. This can be either an absolute or a relative time. An
    absolute start time is indicated by a number in YYYYMMDDHHMMSS
@@ -146,28 +142,24 @@ Options
    If no start-time is specified, the modification time of the
    ``dsset-`` file is used.
 
-.. option:: -T ttl
-
+``-T ttl``
    This option specifies a TTL to be used for new DS records. If not specified, the
    default is the TTL of the old DS records. If they had no explicit TTL,
    the new DS records also have no explicit TTL.
 
-.. option:: -u
-
-   This option writes an :iscman:`nsupdate` script to the standard output, instead of
+``-u``
+   This option writes an ``nsupdate`` script to the standard output, instead of
    printing the new DS reords. The output is empty if no change is
    needed.
 
    Note: The TTL of new records needs to be specified: it can be done in the
-   original ``dsset-`` file, with the :option:`-T` option, or using the
-   :iscman:`nsupdate` ``ttl`` command.
-
-.. option:: -V
+   original ``dsset-`` file, with the ``-T`` option, or using the
+   ``nsupdate`` ``ttl`` command.
 
+``-V``
    This option prints version information.
 
-.. option:: -v level
-
+``-v level``
    This option sets the debugging level. Level 1 is intended to be usefully verbose
    for general users; higher levels are intended for developers.
 
@@ -177,7 +169,7 @@ Options
 Exit Status
 ~~~~~~~~~~~
 
-The :program:`dnssec-cds` command exits 0 on success, or non-zero if an error
+The ``dnssec-cds`` command exits 0 on success, or non-zero if an error
 occurred.
 
 If successful, the DS records may or may not need to be
@@ -186,12 +178,12 @@ changed.
 Examples
 ~~~~~~~~
 
-Before running :iscman:`dnssec-signzone`, ensure that the delegations
-are up-to-date by running :program:`dnssec-cds` on every ``dsset-`` file.
+Before running ``dnssec-signzone``, ensure that the delegations
+are up-to-date by running ``dnssec-cds`` on every ``dsset-`` file.
 
-To fetch the child records required by :program:`dnssec-cds`, invoke
-:iscman:`dig` as in the script below. It is acceptable if the :iscman:`dig` fails, since
-:program:`dnssec-cds` performs all the necessary checking.
+To fetch the child records required by ``dnssec-cds``, invoke
+``dig`` as in the script below. It is acceptable if the ``dig`` fails, since
+``dnssec-cds`` performs all the necessary checking.
 
 ::
 
@@ -202,8 +194,8 @@ To fetch the child records required by :program:`dnssec-cds`, invoke
        dnssec-cds -i -f /dev/stdin -d $f $d
    done
 
-When the parent zone is automatically signed by :iscman:`named`,
-:program:`dnssec-cds` can be used with :iscman:`nsupdate` to maintain a delegation as follows.
+When the parent zone is automatically signed by ``named``,
+``dnssec-cds`` can be used with ``nsupdate`` to maintain a delegation as follows.
 The ``dsset-`` file allows the script to avoid having to fetch and
 validate the parent DS records, and it maintains the replay attack
 protection time.
@@ -217,5 +209,5 @@ protection time.
 See Also
 ~~~~~~~~
 
-:iscman:`dig(1) <dig>`, :iscman:`dnssec-settime(8) <dnssec-settime>`, :iscman:`dnssec-signzone(8) <dnssec-signzone>`, :iscman:`nsupdate(1) <nsupdate>`, BIND 9 Administrator
+:manpage:`dig(1)`, :manpage:`dnssec-settime(8)`, :manpage:`dnssec-signzone(8)`, :manpage:`nsupdate(1)`, BIND 9 Administrator
 Reference Manual, :rfc:`7344`.

bin/dnssec/dnssec-dsfromkey.c

@@ -1,8 +1,6 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
- * SPDX-License-Identifier: MPL-2.0
- *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, you can obtain one at https://mozilla.org/MPL/2.0/.
@@ -23,7 +21,7 @@
 #include <isc/dir.h>
 #include <isc/hash.h>
 #include <isc/mem.h>
-#include <isc/result.h>
+#include <isc/print.h>
 #include <isc/string.h>
 #include <isc/util.h>
 
@@ -41,9 +39,14 @@
 #include <dns/rdataset.h>
 #include <dns/rdatasetiter.h>
 #include <dns/rdatatype.h>
+#include <dns/result.h>
 
 #include <dst/dst.h>
 
+#if USE_PKCS11
+#include <pk11/result.h>
+#endif /* if USE_PKCS11 */
+
 #include "dnssectool.h"
 
 const char *program = "dnssec-dsfromkey";
@@ -54,7 +57,6 @@ static dns_name_t *name = NULL;
 static isc_mem_t *mctx = NULL;
 static uint32_t ttl;
 static bool emitttl = false;
-static unsigned int split_width = 0;
 
 static isc_result_t
 initname(char *setname) {
@@ -66,7 +68,7 @@ initname(char *setname) {
 	isc_buffer_init(&buf, setname, strlen(setname));
 	isc_buffer_add(&buf, strlen(setname));
 	result = dns_name_fromtext(name, &buf, dns_rootname, 0, NULL);
-	return result;
+	return (result);
 }
 
 static void
@@ -101,8 +103,8 @@ loadset(const char *filename, dns_rdataset_t *rdataset) {
 
 	dns_name_format(name, setname, sizeof(setname));
 
-	result = dns_db_create(mctx, ZONEDB_DEFAULT, name, dns_dbtype_zone,
-			       rdclass, 0, NULL, &db);
+	result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone, rdclass, 0,
+			       NULL, &db);
 	if (result != ISC_R_SUCCESS) {
 		fatal("can't create database");
 	}
@@ -138,7 +140,7 @@ loadset(const char *filename, dns_rdataset_t *rdataset) {
 	if (db != NULL) {
 		dns_db_detach(&db);
 	}
-	return result;
+	return (result);
 }
 
 static isc_result_t
@@ -153,7 +155,7 @@ loadkeyset(char *dirname, dns_rdataset_t *rdataset) {
 	if (dirname != NULL) {
 		/* allow room for a trailing slash */
 		if (strlen(dirname) >= isc_buffer_availablelength(&buf)) {
-			return ISC_R_NOSPACE;
+			return (ISC_R_NOSPACE);
 		}
 		isc_buffer_putstr(&buf, dirname);
 		if (dirname[strlen(dirname) - 1] != '/') {
@@ -162,18 +164,18 @@ loadkeyset(char *dirname, dns_rdataset_t *rdataset) {
 	}
 
 	if (isc_buffer_availablelength(&buf) < 7) {
-		return ISC_R_NOSPACE;
+		return (ISC_R_NOSPACE);
 	}
 	isc_buffer_putstr(&buf, "keyset-");
 
 	result = dns_name_tofilenametext(name, false, &buf);
 	check_result(result, "dns_name_tofilenametext()");
 	if (isc_buffer_availablelength(&buf) == 0) {
-		return ISC_R_NOSPACE;
+		return (ISC_R_NOSPACE);
 	}
 	isc_buffer_putuint8(&buf, 0);
 
-	return loadset(filename, rdataset);
+	return (loadset(filename, rdataset));
 }
 
 static void
@@ -262,10 +264,6 @@ emit(dns_dsdigest_t dt, bool showall, bool cds, dns_rdata_t *rdata) {
 		fatal("can't convert DNSKEY");
 	}
 
-	if ((dnskey.flags & DNS_KEYFLAG_REVOKE) != 0) {
-		return;
-	}
-
 	if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0 && !showall) {
 		return;
 	}
@@ -275,13 +273,13 @@ emit(dns_dsdigest_t dt, bool showall, bool cds, dns_rdata_t *rdata) {
 		fatal("can't build record");
 	}
 
-	result = dns_name_totext(name, 0, &nameb);
+	result = dns_name_totext(name, false, &nameb);
 	if (result != ISC_R_SUCCESS) {
 		fatal("can't print name");
 	}
 
-	result = dns_rdata_tofmttext(&ds, (dns_name_t *)NULL, 0, 0, split_width,
-				     "", &textb);
+	result = dns_rdata_tofmttext(&ds, (dns_name_t *)NULL, 0, 0, 0, "",
+				     &textb);
 
 	if (result != ISC_R_SUCCESS) {
 		fatal("can't print rdata");
@@ -314,7 +312,7 @@ emit(dns_dsdigest_t dt, bool showall, bool cds, dns_rdata_t *rdata) {
 
 static void
 emits(bool showall, bool cds, dns_rdata_t *rdata) {
-	unsigned int i, n;
+	unsigned i, n;
 
 	n = sizeof(dtype) / sizeof(dtype[0]);
 	for (i = 0; i < n; i++) {
@@ -324,7 +322,7 @@ emits(bool showall, bool cds, dns_rdata_t *rdata) {
 	}
 }
 
-noreturn static void
+ISC_NORETURN static void
 usage(void);
 
 static void
@@ -348,14 +346,13 @@ usage(void) {
 			"    -f zonefile: read keys from a zone file\n"
 			"    -h: print help information\n"
 			"    -K directory: where to find key or keyset files\n"
-			"    -w split base64 rdata text into chunks\n"
 			"    -s: read keys from keyset-<dnsname> file\n"
 			"    -T: TTL of output records (omitted by default)\n"
 			"    -v level: verbosity\n"
 			"    -V: print version information\n");
 	fprintf(stderr, "Output: DS or CDS RRs\n");
 
-	exit(EXIT_FAILURE);
+	exit(-1);
 }
 
 int
@@ -380,9 +377,14 @@ main(int argc, char **argv) {
 
 	isc_mem_create(&mctx);
 
+#if USE_PKCS11
+	pk11_result_register();
+#endif /* if USE_PKCS11 */
+	dns_result_register();
+
 	isc_commandline_errprint = false;
 
-#define OPTIONS "12Aa:Cc:d:Ff:K:l:sT:v:whV"
+#define OPTIONS "12Aa:Cc:d:Ff:K:l:sT:v:hV"
 	while ((ch = isc_commandline_parse(argc, argv, OPTIONS)) != -1) {
 		switch (ch) {
 		case '1':
@@ -434,18 +436,15 @@ main(int argc, char **argv) {
 				fatal("-v must be followed by a number");
 			}
 			break;
-		case 'w':
-			split_width = UINT_MAX;
-			break;
 		case 'F':
-			/* Reserved for FIPS mode */
-			FALLTHROUGH;
+		/* Reserved for FIPS mode */
+		/* FALLTHROUGH */
 		case '?':
 			if (isc_commandline_option != '?') {
 				fprintf(stderr, "%s: invalid argument -%c\n",
 					program, isc_commandline_option);
 			}
-			FALLTHROUGH;
+		/* FALLTHROUGH */
 		case 'h':
 			/* Does not return. */
 			usage();
@@ -457,7 +456,7 @@ main(int argc, char **argv) {
 		default:
 			fprintf(stderr, "%s: unhandled option -%c\n", program,
 				isc_commandline_option);
-			exit(EXIT_FAILURE);
+			exit(1);
 		}
 	}
 
@@ -558,8 +557,8 @@ main(int argc, char **argv) {
 	fflush(stdout);
 	if (ferror(stdout)) {
 		fprintf(stderr, "write error\n");
-		return 1;
+		return (1);
 	} else {
-		return 0;
+		return (0);
 	}
 }

bin/dnssec/dnssec-dsfromkey.rst

@@ -1,18 +1,26 @@
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+.. 
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+   
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, you can obtain one at https://mozilla.org/MPL/2.0/.
+   
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
 ..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0.  If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
 
 .. highlight: console
 
-.. iscman:: dnssec-dsfromkey
-.. program:: dnssec-dsfromkey
 .. _man_dnssec-dsfromkey:
 
 dnssec-dsfromkey - DNSSEC DS RR generation tool
@@ -32,37 +40,30 @@ Synopsis
 Description
 ~~~~~~~~~~~
 
-The :program:`dnssec-dsfromkey` command outputs DS (Delegation Signer) resource records
-(RRs), or CDS (Child DS) RRs with the :option:`-C` option.
-
-By default, only KSKs are converted (keys with flags = 257).  The
-:option:`-A` option includes ZSKs (flags = 256).  Revoked keys are never
-included.
+The ``dnssec-dsfromkey`` command outputs DS (Delegation Signer) resource records
+(RRs), or CDS (Child DS) RRs with the ``-C`` option.
 
 The input keys can be specified in a number of ways:
 
-By default, :program:`dnssec-dsfromkey` reads a key file named in the format
-``Knnnn.+aaa+iiiii.key``, as generated by :iscman:`dnssec-keygen`.
+By default, ``dnssec-dsfromkey`` reads a key file named in the format
+``Knnnn.+aaa+iiiii.key``, as generated by ``dnssec-keygen``.
 
-With the :option:`-f file <-f>` option, :program:`dnssec-dsfromkey` reads keys from a zone
+With the ``-f file`` option, ``dnssec-dsfromkey`` reads keys from a zone
 file or partial zone file (which can contain just the DNSKEY records).
 
-With the :option:`-s` option, :program:`dnssec-dsfromkey` reads a ``keyset-`` file,
-as generated by :iscman:`dnssec-keygen` :option:`-C`.
+With the ``-s`` option, ``dnssec-dsfromkey`` reads a ``keyset-`` file,
+as generated by ``dnssec-keygen`` ``-C``.
 
 Options
 ~~~~~~~
 
-.. option:: -1
+``-1``
+   This option is an abbreviation for ``-a SHA1``.
 
-   This option is an abbreviation for :option:`-a SHA1 <-a>`.
-
-.. option:: -2
-
-   This option is an abbreviation for :option:`-a SHA-256 <-a>`.
-
-.. option:: -a algorithm
+``-2``
+   This option is an abbreviation for ``-a SHA-256``.
 
+``-a algorithm``
    This option specifies a digest algorithm to use when converting DNSKEY records to
    DS records. This option can be repeated, so that multiple DS records
    are created for each DNSKEY record.
@@ -71,57 +72,47 @@ Options
    are case-insensitive, and the hyphen may be omitted. If no algorithm
    is specified, the default is SHA-256.
 
-.. option:: -A
-
+``-A``
    This option indicates that ZSKs are to be included when generating DS records. Without this option, only
    keys which have the KSK flag set are converted to DS records and
-   printed. This option is only useful in :option:`-f` zone file mode.
+   printed. This option is only useful in ``-f`` zone file mode.
 
-.. option:: -c class
-
-   This option specifies the DNS class; the default is IN. This option is only useful in :option:`-s` keyset
-   or :option:`-f` zone file mode.
-
-.. option:: -C
+``-c class``
+   This option specifies the DNS class; the default is IN. This option is only useful in ``-s`` keyset
+   or ``-f`` zone file mode.
 
+``-C``
    This option generates CDS records rather than DS records.
 
-.. option:: -f file
-
-   This option sets zone file mode, in which the final dnsname argument of :program:`dnssec-dsfromkey` is the
+``-f file``
+   This option sets zone file mode, in which the final dnsname argument of ``dnssec-dsfromkey`` is the
    DNS domain name of a zone whose master file can be read from
    ``file``. If the zone name is the same as ``file``, then it may be
    omitted.
 
    If ``file`` is ``-``, then the zone data is read from the standard
-   input. This makes it possible to use the output of the :iscman:`dig`
+   input. This makes it possible to use the output of the ``dig``
    command as input, as in:
 
    ``dig dnskey example.com | dnssec-dsfromkey -f - example.com``
 
-.. option:: -h
-
+``-h``
    This option prints usage information.
 
-.. option:: -K directory
-
+``-K directory``
    This option tells BIND 9 to look for key files or ``keyset-`` files in ``directory``.
 
-.. option:: -s
-
-   This option enables keyset mode, in which the final dnsname argument from :program:`dnssec-dsfromkey` is the DNS
+``-s``
+   This option enables keyset mode, in which the final dnsname argument from ``dnssec-dsfromkey`` is the DNS
    domain name used to locate a ``keyset-`` file.
 
-.. option:: -T TTL
-
+``-T TTL``
    This option specifies the TTL of the DS records. By default the TTL is omitted.
 
-.. option:: -v level
-
+``-v level``
    This option sets the debugging level.
 
-.. option:: -V
-
+``-V``
    This option prints version information.
 
 Example
@@ -141,7 +132,7 @@ Files
 
 The keyfile can be designated by the key identification
 ``Knnnn.+aaa+iiiii`` or the full file name ``Knnnn.+aaa+iiiii.key``, as
-generated by :iscman:`dnssec-keygen`.
+generated by ``dnssec-keygen``.
 
 The keyset file name is built from the ``directory``, the string
 ``keyset-``, and the ``dnsname``.
@@ -154,6 +145,6 @@ A keyfile error may return "file not found," even if the file exists.
 See Also
 ~~~~~~~~
 
-:iscman:`dnssec-keygen(8) <dnssec-keygen>`, :iscman:`dnssec-signzone(8) <dnssec-signzone>`, BIND 9 Administrator Reference Manual,
+:manpage:`dnssec-keygen(8)`, :manpage:`dnssec-signzone(8)`, BIND 9 Administrator Reference Manual,
 :rfc:`3658` (DS RRs), :rfc:`4509` (SHA-256 for DS RRs),
 :rfc:`6605` (SHA-384 for DS RRs), :rfc:`7344` (CDS and CDNSKEY RRs).

bin/dnssec/dnssec-importkey.c

@@ -1,8 +1,6 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
- * SPDX-License-Identifier: MPL-2.0
- *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, you can obtain one at https://mozilla.org/MPL/2.0/.
@@ -21,7 +19,7 @@
 #include <isc/commandline.h>
 #include <isc/hash.h>
 #include <isc/mem.h>
-#include <isc/result.h>
+#include <isc/print.h>
 #include <isc/string.h>
 #include <isc/util.h>
 
@@ -39,9 +37,14 @@
 #include <dns/rdataset.h>
 #include <dns/rdatasetiter.h>
 #include <dns/rdatatype.h>
+#include <dns/result.h>
 
 #include <dst/dst.h>
 
+#if USE_PKCS11
+#include <pk11/result.h>
+#endif /* if USE_PKCS11 */
+
 #include "dnssectool.h"
 
 const char *program = "dnssec-importkey";
@@ -68,7 +71,7 @@ initname(char *setname) {
 	isc_buffer_init(&buf, setname, strlen(setname));
 	isc_buffer_add(&buf, strlen(setname));
 	result = dns_name_fromtext(name, &buf, dns_rootname, 0, NULL);
-	return result;
+	return (result);
 }
 
 static void
@@ -103,8 +106,8 @@ loadset(const char *filename, dns_rdataset_t *rdataset) {
 
 	dns_name_format(name, setname, sizeof(setname));
 
-	result = dns_db_create(mctx, ZONEDB_DEFAULT, name, dns_dbtype_zone,
-			       rdclass, 0, NULL, &db);
+	result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone, rdclass, 0,
+			       NULL, &db);
 	if (result != ISC_R_SUCCESS) {
 		fatal("can't create database");
 	}
@@ -141,7 +144,7 @@ loadset(const char *filename, dns_rdataset_t *rdataset) {
 	if (db != NULL) {
 		dns_db_detach(&db);
 	}
-	return result;
+	return (result);
 }
 
 static void
@@ -262,7 +265,7 @@ emit(const char *dir, dns_rdata_t *rdata) {
 	dst_key_free(&key);
 }
 
-noreturn static void
+ISC_NORETURN static void
 usage(void);
 
 static void
@@ -289,7 +292,7 @@ usage(void) {
 	fprintf(stderr, "    -D sync date/[+-]offset/none: set/unset "
 			"CDS and CDNSKEY deletion date\n");
 
-	exit(EXIT_FAILURE);
+	exit(-1);
 }
 
 int
@@ -302,9 +305,10 @@ main(int argc, char **argv) {
 	isc_log_t *log = NULL;
 	dns_rdataset_t rdataset;
 	dns_rdata_t rdata;
-	isc_stdtime_t now = isc_stdtime_now();
+	isc_stdtime_t now;
 
 	dns_rdata_init(&rdata);
+	isc_stdtime_get(&now);
 
 	if (argc == 1) {
 		usage();
@@ -312,6 +316,11 @@ main(int argc, char **argv) {
 
 	isc_mem_create(&mctx);
 
+#if USE_PKCS11
+	pk11_result_register();
+#endif /* if USE_PKCS11 */
+	dns_result_register();
+
 	isc_commandline_errprint = false;
 
 #define CMDLINE_FLAGS "D:f:hK:L:P:v:V"
@@ -383,7 +392,7 @@ main(int argc, char **argv) {
 				fprintf(stderr, "%s: invalid argument -%c\n",
 					program, isc_commandline_option);
 			}
-			FALLTHROUGH;
+		/* FALLTHROUGH */
 		case 'h':
 			/* Does not return. */
 			usage();
@@ -395,7 +404,7 @@ main(int argc, char **argv) {
 		default:
 			fprintf(stderr, "%s: unhandled option -%c\n", program,
 				isc_commandline_option);
-			exit(EXIT_FAILURE);
+			exit(1);
 		}
 	}
 
@@ -468,8 +477,8 @@ main(int argc, char **argv) {
 	fflush(stdout);
 	if (ferror(stdout)) {
 		fprintf(stderr, "write error\n");
-		return 1;
+		return (1);
 	} else {
-		return 0;
+		return (0);
 	}
 }

bin/dnssec/dnssec-importkey.rst

@@ -1,18 +1,26 @@
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+.. 
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+   
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, you can obtain one at https://mozilla.org/MPL/2.0/.
+   
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
 ..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0.  If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
 
 .. highlight: console
 
-.. iscman:: dnssec-importkey
-.. program:: dnssec-importkey
 .. _man_dnssec-importkey:
 
 dnssec-importkey - import DNSKEY records from external systems so they can be managed
@@ -28,7 +36,7 @@ Synopsis
 Description
 ~~~~~~~~~~~
 
-:program:`dnssec-importkey` reads a public DNSKEY record and generates a pair
+``dnssec-importkey`` reads a public DNSKEY record and generates a pair
 of .key/.private files. The DNSKEY record may be read from an
 existing .key file, in which case a corresponding .private file is
 generated, or it may be read from any other file or from the standard
@@ -36,15 +44,14 @@ input, in which case both .key and .private files are generated.
 
 The newly created .private file does *not* contain private key data, and
 cannot be used for signing. However, having a .private file makes it
-possible to set publication (:option:`-P`) and deletion (:option:`-D`) times for the
+possible to set publication (``-P``) and deletion (``-D``) times for the
 key, which means the public key can be added to and removed from the
 DNSKEY RRset on schedule even if the true private key is stored offline.
 
 Options
 ~~~~~~~
 
-.. option:: -f filename
-
+``-f filename``
    This option indicates the zone file mode. Instead of a public keyfile name, the argument is the
    DNS domain name of a zone master file, which can be read from
    ``filename``. If the domain name is the same as ``filename``, then it may be
@@ -53,90 +60,64 @@ Options
    If ``filename`` is set to ``"-"``, then the zone data is read from the
    standard input.
 
-.. option:: -K directory
-
+``-K directory``
    This option sets the directory in which the key files are to reside.
 
-.. option:: -L ttl
-
+``-L ttl``
    This option sets the default TTL to use for this key when it is converted into a
    DNSKEY RR. This is the TTL used when the key is imported into a zone,
    unless there was already a DNSKEY RRset in
    place, in which case the existing TTL takes precedence. Setting the default TTL to ``0`` or ``none``
    removes it from the key.
 
-.. option:: -h
-
+``-h``
    This option emits a usage message and exits.
 
-.. option:: -v level
-
+``-v level``
    This option sets the debugging level.
 
-.. option:: -V
-
+``-V``
    This option prints version information.
 
 Timing Options
 ~~~~~~~~~~~~~~
 
-Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
-(which is the format used inside key files),
-or 'Day Mon DD HH:MM:SS YYYY' (as printed by ``dnssec-settime -p``),
-or UNIX epoch time (as printed by ``dnssec-settime -up``),
-or the literal ``now``.
-
-The argument can be followed by ``+`` or ``-`` and an offset from the
-given time. The literal ``now`` can be omitted before an offset. The
-offset can be followed by one of the suffixes ``y``, ``mo``, ``w``,
-``d``, ``h``, or ``mi``, so that it is computed in years (defined as
-365 24-hour days, ignoring leap years), months (defined as 30 24-hour
-days), weeks, days, hours, or minutes, respectively. Without a suffix,
-the offset is computed in seconds.
-
-To explicitly prevent a date from being set, use ``none``, ``never``,
-or ``unset``.
-
-All these formats are case-insensitive.
-
-.. option:: -P date/offset
+Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the
+argument begins with a ``+`` or ``-``, it is interpreted as an offset from
+the present time. For convenience, if such an offset is followed by one
+of the suffixes ``y``, ``mo``, ``w``, ``d``, ``h``, or ``mi``, then the offset is
+computed in years (defined as 365 24-hour days, ignoring leap years),
+months (defined as 30 24-hour days), weeks, days, hours, or minutes,
+respectively. Without a suffix, the offset is computed in seconds. To
+explicitly prevent a date from being set, use ``none`` or ``never``.
 
+``-P date/offset``
    This option sets the date on which a key is to be published to the zone. After
    that date, the key is included in the zone but is not used
    to sign it.
 
-   .. program:: dnssec-importkey -P
-   .. option:: sync date/offset
-
-      This option sets the date on which CDS and CDNSKEY records that match this key
-      are to be published to the zone.
-
-.. program:: dnssec-importkey
-
-.. option:: -D date/offset
+``-P sync date/offset``
+   This option sets the date on which CDS and CDNSKEY records that match this key
+   are to be published to the zone.
 
+``-D date/offset``
    This option sets the date on which the key is to be deleted. After that date, the
    key is no longer included in the zone. (However, it may remain in the key
    repository.)
 
-   .. program:: dnssec-importkey -D
-   .. option:: sync date/offset
-
-      This option sets the date on which the CDS and CDNSKEY records that match this
-      key are to be deleted.
-
-.. program:: dnssec-importkey
-
+``-D sync date/offset``
+   This option sets the date on which the CDS and CDNSKEY records that match this
+   key are to be deleted.
 
 Files
 ~~~~~
 
 A keyfile can be designed by the key identification ``Knnnn.+aaa+iiiii``
 or the full file name ``Knnnn.+aaa+iiiii.key``, as generated by
-:iscman:`dnssec-keygen`.
+``dnssec-keygen``.
 
 See Also
 ~~~~~~~~
 
-:iscman:`dnssec-keygen(8) <dnssec-keygen>`, :iscman:`dnssec-signzone(8) <dnssec-signzone>`, BIND 9 Administrator Reference Manual,
+:manpage:`dnssec-keygen(8)`, :manpage:`dnssec-signzone(8)`, BIND 9 Administrator Reference Manual,
 :rfc:`5011`.

bin/dnssec/dnssec-keyfromlabel.c

@@ -1,8 +1,6 @@
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
- * SPDX-License-Identifier: MPL-2.0
- *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, you can obtain one at https://mozilla.org/MPL/2.0/.
@@ -22,30 +20,35 @@
 #include <isc/buffer.h>
 #include <isc/commandline.h>
 #include <isc/mem.h>
+#include <isc/print.h>
 #include <isc/region.h>
-#include <isc/result.h>
 #include <isc/string.h>
 #include <isc/util.h>
 
+#include <pk11/site.h>
+
 #include <dns/dnssec.h>
 #include <dns/fixedname.h>
 #include <dns/keyvalues.h>
 #include <dns/log.h>
 #include <dns/name.h>
 #include <dns/rdataclass.h>
+#include <dns/result.h>
 #include <dns/secalg.h>
 
 #include <dst/dst.h>
 
+#if USE_PKCS11
+#include <pk11/result.h>
+#endif /* if USE_PKCS11 */
+
 #include "dnssectool.h"
 
 #define MAX_RSA 4096 /* should be long enough... */
 
 const char *program = "dnssec-keyfromlabel";
 
-static uint16_t tag_min = 0, tag_max = 0xffff;
-
-noreturn static void
+ISC_NORETURN static void
 usage(void);
 
 static void
@@ -58,7 +61,7 @@ usage(void) {
 	fprintf(stderr, "    name: owner of the key\n");
 	fprintf(stderr, "Other options:\n");
 	fprintf(stderr, "    -a algorithm: \n"
-			"        RSASHA1 |\n"
+			"        DH | RSASHA1 |\n"
 			"        NSEC3RSASHA1 |\n"
 			"        RSASHA256 | RSASHA512 |\n"
 			"        ECDSAP256SHA256 | ECDSAP384SHA384 |\n"
@@ -66,13 +69,19 @@ usage(void) {
 	fprintf(stderr, "    -3: use NSEC3-capable algorithm\n");
 	fprintf(stderr, "    -c class (default: IN)\n");
 	fprintf(stderr, "    -E <engine>:\n");
+#if USE_PKCS11
+	fprintf(stderr,
+		"        path to PKCS#11 provider library "
+		"(default is %s)\n",
+		PK11_LIB_LOCATION);
+#else  /* if USE_PKCS11 */
 	fprintf(stderr, "        name of an OpenSSL engine to use\n");
+#endif /* if USE_PKCS11 */
 	fprintf(stderr, "    -f keyflag: KSK | REVOKE\n");
 	fprintf(stderr, "    -K directory: directory in which to place "
 			"key files\n");
 	fprintf(stderr, "    -k: generate a TYPE=KEY key\n");
 	fprintf(stderr, "    -L ttl: default key TTL\n");
-	fprintf(stderr, "    -M <min>:<max>: allowed Key ID range\n");
 	fprintf(stderr, "    -n nametype: ZONE | HOST | ENTITY | USER | "
 			"OTHER\n");
 	fprintf(stderr, "        (DNSKEY generation defaults to ZONE\n");
@@ -105,7 +114,7 @@ usage(void) {
 	fprintf(stderr, "     K<name>+<alg>+<id>.key, "
 			"K<name>+<alg>+<id>.private\n");
 
-	exit(EXIT_FAILURE);
+	exit(-1);
 }
 
 int
@@ -138,6 +147,7 @@ main(int argc, char **argv) {
 	dns_ttl_t ttl = 0;
 	isc_stdtime_t publish = 0, activate = 0, revoke = 0;
 	isc_stdtime_t inactive = 0, deltime = 0;
+	isc_stdtime_t now;
 	int prepub = -1;
 	bool setpub = false, setact = false;
 	bool setrev = false, setinact = false;
@@ -153,7 +163,6 @@ main(int argc, char **argv) {
 	isc_stdtime_t syncadd = 0, syncdel = 0;
 	bool unsetsyncadd = false, setsyncadd = false;
 	bool unsetsyncdel = false, setsyncdel = false;
-	isc_stdtime_t now = isc_stdtime_now();
 
 	if (argc == 1) {
 		usage();
@@ -161,9 +170,16 @@ main(int argc, char **argv) {
 
 	isc_mem_create(&mctx);
 
+#if USE_PKCS11
+	pk11_result_register();
+#endif /* if USE_PKCS11 */
+	dns_result_register();
+
 	isc_commandline_errprint = false;
 
-#define CMDLINE_FLAGS "3A:a:Cc:D:E:Ff:GhI:i:kK:L:l:M:n:P:p:R:S:t:v:Vy"
+	isc_stdtime_get(&now);
+
+#define CMDLINE_FLAGS "3A:a:Cc:D:E:Ff:GhI:i:kK:L:l:n:P:p:R:S:t:v:Vy"
 	while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
 		switch (ch) {
 		case '3':
@@ -210,20 +226,6 @@ main(int argc, char **argv) {
 		case 'l':
 			label = isc_mem_strdup(mctx, isc_commandline_argument);
 			break;
-		case 'M': {
-			unsigned long ul;
-			tag_min = ul = strtoul(isc_commandline_argument, &endp,
-					       10);
-			if (*endp != ':' || ul > 0xffff) {
-				fatal("-M range invalid");
-			}
-			tag_max = ul = strtoul(endp + 1, &endp, 10);
-			if (*endp != '\0' || ul > 0xffff || tag_max <= tag_min)
-			{
-				fatal("-M range invalid");
-			}
-			break;
-		}
 		case 'n':
 			nametype = isc_commandline_argument;
 			break;
@@ -329,14 +331,14 @@ main(int argc, char **argv) {
 			prepub = strtottl(isc_commandline_argument);
 			break;
 		case 'F':
-			/* Reserved for FIPS mode */
-			FALLTHROUGH;
+		/* Reserved for FIPS mode */
+		/* FALLTHROUGH */
 		case '?':
 			if (isc_commandline_option != '?') {
 				fprintf(stderr, "%s: invalid argument -%c\n",
 					program, isc_commandline_option);
 			}
-			FALLTHROUGH;
+		/* FALLTHROUGH */
 		case 'h':
 			/* Does not return. */
 			usage();
@@ -348,7 +350,7 @@ main(int argc, char **argv) {
 		default:
 			fprintf(stderr, "%s: unhandled option -%c\n", program,
 				isc_commandline_option);
-			exit(EXIT_FAILURE);
+			exit(1);
 		}
 	}
 
@@ -402,6 +404,9 @@ main(int argc, char **argv) {
 		if (ret != ISC_R_SUCCESS) {
 			fatal("unknown algorithm %s", algname);
 		}
+		if (alg == DST_ALG_DH) {
+			options |= DST_TYPE_KEY;
+		}
 
 		if (use_nsec3) {
 			switch (alg) {
@@ -570,8 +575,7 @@ main(int argc, char **argv) {
 		flags |= DNS_KEYOWNER_ZONE;
 	} else if ((options & DST_TYPE_KEY) != 0) { /* KEY */
 		if (strcasecmp(nametype, "host") == 0 ||
-		    strcasecmp(nametype, "entity") == 0)
-		{
+		    strcasecmp(nametype, "entity") == 0) {
 			flags |= DNS_KEYOWNER_ENTITY;
 		} else if (strcasecmp(nametype, "user") == 0) {
 			flags |= DNS_KEYOWNER_USER;
@@ -598,8 +602,7 @@ main(int argc, char **argv) {
 	if (protocol == -1) {
 		protocol = DNS_KEYPROTO_DNSSEC;
 	} else if ((options & DST_TYPE_KEY) == 0 &&
-		   protocol != DNS_KEYPROTO_DNSSEC)
-	{
+		   protocol != DNS_KEYPROTO_DNSSEC) {
 		fatal("invalid DNSKEY protocol: %d", protocol);
 	}
 
@@ -609,10 +612,22 @@ main(int argc, char **argv) {
 		}
 	}
 
+	if ((flags & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE &&
+	    alg == DNS_KEYALG_DH)
+	{
+		fatal("a key with algorithm '%s' cannot be a zone key",
+		      algname);
+	}
+
 	isc_buffer_init(&buf, filename, sizeof(filename) - 1);
 
 	/* associate the key */
-	ret = dst_key_fromlabel(name, alg, flags, protocol, rdclass, engine,
+	ret = dst_key_fromlabel(name, alg, flags, protocol, rdclass,
+#if USE_PKCS11
+				"pkcs11",
+#else  /* if USE_PKCS11 */
+				engine,
+#endif /* if USE_PKCS11 */
 				label, NULL, mctx, &key);
 
 	if (ret != ISC_R_SUCCESS) {
@@ -622,8 +637,8 @@ main(int argc, char **argv) {
 		dns_secalg_format(alg, algstr, sizeof(algstr));
 		fatal("failed to get key %s/%s: %s", namestr, algstr,
 		      isc_result_totext(ret));
-		UNREACHABLE();
-		exit(EXIT_FAILURE);
+		/* NOTREACHED */
+		exit(-1);
 	}
 
 	/*
@@ -703,8 +718,7 @@ main(int argc, char **argv) {
 	 * is a risk of ID collision due to this key or another key
 	 * being revoked.
 	 */
-	if (key_collision(key, name, directory, mctx, tag_min, tag_max, &exact))
-	{
+	if (key_collision(key, name, directory, mctx, &exact)) {
 		isc_buffer_clear(&buf);
 		ret = dst_key_buildfilename(key, 0, directory, &buf);
 		if (ret != ISC_R_SUCCESS) {
@@ -761,5 +775,5 @@ main(int argc, char **argv) {
 		free(freeit);
 	}
 
-	return 0;
+	return (0);
 }

bin/dnssec/dnssec-keyfromlabel.rst

@@ -1,18 +1,26 @@
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+.. 
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+   
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, you can obtain one at https://mozilla.org/MPL/2.0/.
+   
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
 ..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0.  If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
 
 .. highlight: console
 
-.. iscman:: dnssec-keyfromlabel
-.. program:: dnssec-keyfromlabel
 .. _man_dnssec-keyfromlabel:
 
 dnssec-keyfromlabel - DNSSEC key generation tool
@@ -21,15 +29,15 @@ dnssec-keyfromlabel - DNSSEC key generation tool
 Synopsis
 ~~~~~~~~
 
-:program:`dnssec-keyfromlabel` {**-l** label} [**-3**] [**-a** algorithm] [**-A** date/offset] [**-c** class] [**-D** date/offset] [**-D** sync date/offset] [**-E** engine] [**-f** flag] [**-G**] [**-I** date/offset] [**-i** interval] [**-k**] [**-K** directory] [**-L** ttl] [**-M** tag_min:tag_max] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-R** date/offset] [**-S** key] [**-t** type] [**-v** level] [**-V**] [**-y**] {name}
+:program:`dnssec-keyfromlabel` {**-l** label} [**-3**] [**-a** algorithm] [**-A** date/offset] [**-c** class] [**-D** date/offset] [**-D** sync date/offset] [**-E** engine] [**-f** flag] [**-G**] [**-I** date/offset] [**-i** interval] [**-k**] [**-K** directory] [**-L** ttl] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-R** date/offset] [**-S** key] [**-t** type] [**-v** level] [**-V**] [**-y**] {name}
 
 Description
 ~~~~~~~~~~~
 
-:program:`dnssec-keyfromlabel` generates a pair of key files that reference a
+``dnssec-keyfromlabel`` generates a pair of key files that reference a
 key object stored in a cryptographic hardware service module (HSM). The
 private key file can be used for DNSSEC signing of zone data as if it
-were a conventional signing key created by :iscman:`dnssec-keygen`, but the
+were a conventional signing key created by ``dnssec-keygen``, but the
 key material is stored within the HSM and the actual signing takes
 place there.
 
@@ -39,40 +47,43 @@ match the name of the zone for which the key is being generated.
 Options
 ~~~~~~~
 
-.. option:: -a algorithm
-
+``-a algorithm``
    This option selects the cryptographic algorithm. The value of ``algorithm`` must
    be one of RSASHA1, NSEC3RSASHA1, RSASHA256, RSASHA512,
    ECDSAP256SHA256, ECDSAP384SHA384, ED25519, or ED448.
 
+   If no algorithm is specified, RSASHA1 is used by default
+   unless the ``-3`` option is specified, in which case NSEC3RSASHA1
+   is used instead. (If ``-3`` is used and an algorithm is
+   specified, that algorithm is checked for compatibility with
+   NSEC3.)
+
    These values are case-insensitive. In some cases, abbreviations are
    supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for
-   ECDSAP384SHA384. If RSASHA1 is specified along with the :option:`-3`
+   ECDSAP384SHA384. If RSASHA1 is specified along with the ``-3``
    option, then NSEC3RSASHA1 is used instead.
 
-   This option is mandatory except when using the
-   :option:`-S` option, which copies the algorithm from the predecessory key.
-
-   .. versionchanged:: 9.12.0
-      The default value RSASHA1 for newly generated keys was removed.
-
-.. option:: -3
+   Since BIND 9.12.0, this option is mandatory except when using the
+   ``-S`` option, which copies the algorithm from the predecessory key.
+   Previously, the default for newly generated keys was RSASHA1.
 
+``-3``
    This option uses an NSEC3-capable algorithm to generate a DNSSEC key. If this
    option is used with an algorithm that has both NSEC and NSEC3
    versions, then the NSEC3 version is used; for example,
    ``dnssec-keygen -3a RSASHA1`` specifies the NSEC3RSASHA1 algorithm.
 
-.. option:: -E engine
-
+``-E engine``
    This option specifies the cryptographic hardware to use.
 
    When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
    engine identifier that drives the cryptographic accelerator or
-   hardware service module (usually ``pkcs11``).
-
-.. option:: -l label
+   hardware service module (usually ``pkcs11``). When BIND is
+   built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it
+   defaults to the path of the PKCS#11 provider library specified via
+   ``--with-pkcs11``.
 
+``-l label``
    This option specifies the label for a key pair in the crypto hardware.
 
    When BIND 9 is built with OpenSSL-based PKCS#11 support, the label is
@@ -80,79 +91,71 @@ Options
    preceded by an optional OpenSSL engine name, followed by a colon, as
    in ``pkcs11:keylabel``.
 
-.. option:: -n nametype
+   When BIND 9 is built with native PKCS#11 support, the label is a
+   PKCS#11 URI string in the format
+   ``pkcs11:keyword\ =value[;\ keyword\ =value;...]``. Keywords
+   include ``token``, which identifies the HSM; ``object``, which identifies
+   the key; and ``pin-source``, which identifies a file from which the
+   HSM's PIN code can be obtained. The label is stored in the
+   on-disk ``private`` file.
 
+   If the label contains a ``pin-source`` field, tools using the
+   generated key files are able to use the HSM for signing and other
+   operations without any need for an operator to manually enter a PIN.
+   Note: Making the HSM's PIN accessible in this manner may reduce the
+   security advantage of using an HSM; use caution
+   with this feature.
+
+``-n nametype``
    This option specifies the owner type of the key. The value of ``nametype`` must
    either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY
    (for a key associated with a host (KEY)), USER (for a key associated
    with a user (KEY)), or OTHER (DNSKEY). These values are
    case-insensitive.
 
-.. option:: -C
-
+``-C``
    This option enables compatibility mode, which generates an old-style key, without any metadata.
-   By default, :program:`dnssec-keyfromlabel` includes the key's creation
+   By default, ``dnssec-keyfromlabel`` includes the key's creation
    date in the metadata stored with the private key; other dates may
    be set there as well, including publication date, activation date, etc. Keys
    that include this data may be incompatible with older versions of
-   BIND; the :option:`-C` option suppresses them.
-
-.. option:: -c class
+   BIND; the ``-C`` option suppresses them.
 
+``-c class``
    This option indicates that the DNS record containing the key should have the
    specified class. If not specified, class IN is used.
 
-.. option:: -f flag
-
+``-f flag``
    This option sets the specified flag in the ``flag`` field of the KEY/DNSKEY record.
    The only recognized flags are KSK (Key-Signing Key) and REVOKE.
 
-.. option:: -G
-
+``-G``
    This option generates a key, but does not publish it or sign with it. This option is
-   incompatible with :option:`-P` and :option:`-A`.
-
-.. option:: -h
+   incompatible with ``-P`` and ``-A``.
 
+``-h``
    This option prints a short summary of the options and arguments to
-   :program:`dnssec-keyfromlabel`.
-
-.. option:: -K directory
+   ``dnssec-keyfromlabel``.
 
+``-K directory``
    This option sets the directory in which the key files are to be written.
 
-.. option:: -k
-
+``-k``
    This option generates KEY records rather than DNSKEY records.
 
-.. option:: -L ttl
-
+``-L`` ttl
    This option sets the default TTL to use for this key when it is converted into a
    DNSKEY RR. This is the TTL used when the key is imported into a zone,
    unless there was already a DNSKEY RRset in
    place, in which case the existing TTL would take precedence. Setting
    the default TTL to ``0`` or ``none`` removes it.
 
-.. option:: -M tag_min:tag_max
-
-   This option sets the range of key tag values
-   that ``dnssec-keyfromlabel`` will accept. If the key tag of the new
-   key or the key tag of the revoked version of the new key is
-   outside this range, the new key will be rejected.  This is
-   designed to be used when generating keys in a multi-signer
-   scenario, where each operator is given a range of key tags to
-   prevent collisions among different operators.  The valid
-   values for ``tag_min`` and ``tag_max`` are [0..65535].  The
-   default allows all key tag values to be accepted.
-
-.. option:: -p protocol
-
+``-p protocol``
    This option sets the protocol value for the key. The protocol is a number between
    0 and 255. The default is 3 (DNSSEC). Other possible values for this
    argument are listed in :rfc:`2535` and its successors.
 
-.. option:: -S key
-
+``-S key``
    This option generates a key as an explicit successor to an existing key. The name,
    algorithm, size, and type of the key are set to match the
    predecessor. The activation date of the new key is set to the
@@ -160,23 +163,19 @@ Options
    set to the activation date minus the prepublication interval, which
    defaults to 30 days.
 
-.. option:: -t type
-
+``-t type``
    This option indicates the type of the key. ``type`` must be one of AUTHCONF,
    NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH refers
    to the ability to authenticate data, and CONF to the ability to encrypt
    data.
 
-.. option:: -v level
-
+``-v level``
    This option sets the debugging level.
 
-.. option:: -V
-
+``-V``
    This option prints version information.
 
-.. option:: -y
-
+``-y``
    This option allows DNSSEC key files to be generated even if the key ID would
    collide with that of an existing key, in the event of either key
    being revoked. (This is only safe to enable if
@@ -186,74 +185,50 @@ Options
 Timing Options
 ~~~~~~~~~~~~~~
 
-Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS
-(which is the format used inside key files),
-or 'Day Mon DD HH:MM:SS YYYY' (as printed by ``dnssec-settime -p``),
-or UNIX epoch time (as printed by ``dnssec-settime -up``),
-or the literal ``now``.
-
-The argument can be followed by ``+`` or ``-`` and an offset from the
-given time. The literal ``now`` can be omitted before an offset. The
-offset can be followed by one of the suffixes ``y``, ``mo``, ``w``,
-``d``, ``h``, or ``mi``, so that it is computed in years (defined as
-365 24-hour days, ignoring leap years), months (defined as 30 24-hour
-days), weeks, days, hours, or minutes, respectively. Without a suffix,
-the offset is computed in seconds.
-
-To explicitly prevent a date from being set, use ``none``, ``never``,
-or ``unset``.
-
-All these formats are case-insensitive.
-
-.. option:: -P date/offset
+Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the
+argument begins with a ``+`` or ``-``, it is interpreted as an offset from
+the present time. For convenience, if such an offset is followed by one
+of the suffixes ``y``, ``mo``, ``w``, ``d``, ``h``, or ``mi``, then the offset is
+computed in years (defined as 365 24-hour days, ignoring leap years),
+months (defined as 30 24-hour days), weeks, days, hours, or minutes,
+respectively. Without a suffix, the offset is computed in seconds. To
+explicitly prevent a date from being set, use ``none`` or ``never``.
 
+``-P date/offset``
    This option sets the date on which a key is to be published to the zone. After
    that date, the key is included in the zone but is not used
-   to sign it. If not set, and if the :option:`-G` option has not been used, the
+   to sign it. If not set, and if the ``-G`` option has not been used, the
    default is the current date.
 
-   .. program:: dnssec-keyfromlabel -P
-   .. option:: sync date/offset
-
-      This option sets the date on which CDS and CDNSKEY records that match this key
-      are to be published to the zone.
-
-.. program:: dnssec-keyfromlabel
-
-.. option:: -A date/offset
+``-P sync date/offset``
+   This option sets the date on which CDS and CDNSKEY records that match this key
+   are to be published to the zone.
 
+``-A date/offset``
    This option sets the date on which the key is to be activated. After that date,
    the key is included in the zone and used to sign it. If not set,
-   and if the :option:`-G` option has not been used, the default is the current date.
-
-.. option:: -R date/offset
+   and if the ``-G`` option has not been used, the default is the current date.
 
+``-R date/offset``
    This option sets the date on which the key is to be revoked. After that date, the
    key is flagged as revoked. It is included in the zone and
    is used to sign it.
 
-.. option:: -I date/offset
-
+``-I date/offset``
    This option sets the date on which the key is to be retired. After that date, the
    key is still included in the zone, but it is not used to
    sign it.
 
-.. option:: -D date/offset
-
+``-D date/offset``
    This option sets the date on which the key is to be deleted. After that date, the
    key is no longer included in the zone. (However, it may remain in the key
    repository.)
 
-   .. program:: dnssec-keyfromlabel -D
-   .. option:: sync date/offset
-
-      This option sets the date on which the CDS and CDNSKEY records that match this
-      key are to be deleted.
-
-.. program:: dnssec-keyfromlabel
-
-.. option:: -i interval
+``-D sync date/offset``
+   This option sets the date on which the CDS and CDNSKEY records that match this
+   key are to be deleted.
 
+``-i interval``
    This option sets the prepublication interval for a key. If set, then the
    publication and activation dates must be separated by at least this
    much time. If the activation date is specified but the publication
@@ -274,7 +249,7 @@ All these formats are case-insensitive.
 Generated Key Files
 ~~~~~~~~~~~~~~~~~~~
 
-When :program:`dnssec-keyfromlabel` completes successfully, it prints a string
+When ``dnssec-keyfromlabel`` completes successfully, it prints a string
 of the form ``Knnnn.+aaa+iiiii`` to the standard output. This is an
 identification string for the key files it has generated.
 
@@ -284,7 +259,7 @@ identification string for the key files it has generated.
 
 -  ``iiiii`` is the key identifier (or footprint).
 
-:program:`dnssec-keyfromlabel` creates two files, with names based on the
+``dnssec-keyfromlabel`` creates two files, with names based on the
 printed string. ``Knnnn.+aaa+iiiii.key`` contains the public key, and
 ``Knnnn.+aaa+iiiii.private`` contains the private key.
 
@@ -297,5 +272,5 @@ security reasons, this file does not have general read permission.
 See Also
 ~~~~~~~~
 
-:iscman:`dnssec-keygen(8) <dnssec-keygen>`, :iscman:`dnssec-signzone(8) <dnssec-signzone>`, BIND 9 Administrator Reference Manual,
+:manpage:`dnssec-keygen(8)`, :manpage:`dnssec-signzone(8)`, BIND 9 Administrator Reference Manual,
 :rfc:`4034`, :rfc:`7512`.

bin/dnssec/dnssec-keygen.c

@@ -1,8 +1,6 @@
 /*
  * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
- * SPDX-License-Identifier: MPL-2.0
- *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, you can obtain one at https://mozilla.org/MPL/2.0/.
@@ -33,18 +31,17 @@
 #include <stdlib.h>
 #include <unistd.h>
 
-#include <openssl/opensslv.h>
-
 #include <isc/attributes.h>
 #include <isc/buffer.h>
 #include <isc/commandline.h>
-#include <isc/fips.h>
 #include <isc/mem.h>
+#include <isc/print.h>
 #include <isc/region.h>
-#include <isc/result.h>
 #include <isc/string.h>
 #include <isc/util.h>
 
+#include <pk11/site.h>
+
 #include <dns/dnssec.h>
 #include <dns/fixedname.h>
 #include <dns/kasp.h>
@@ -52,29 +49,29 @@
 #include <dns/log.h>
 #include <dns/name.h>
 #include <dns/rdataclass.h>
+#include <dns/result.h>
 #include <dns/secalg.h>
 
 #include <dst/dst.h>
 
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
-#include <openssl/err.h>
-#include <openssl/provider.h>
-#endif
+#include <isccfg/cfg.h>
+#include <isccfg/grammar.h>
+#include <isccfg/kaspconf.h>
+#include <isccfg/namedconf.h>
+
+#if USE_PKCS11
+#include <pk11/result.h>
+#endif /* if USE_PKCS11 */
 
 #include "dnssectool.h"
 
-const char *program = "dnssec-keygen";
+#define MAX_RSA 4096 /* should be long enough... */
 
-/*
- * These are are set here for backwards compatibility.  They are
- * raised to 2048 in FIPS mode.
- */
-static int min_rsa = 1024;
-static int min_dh = 128;
+const char *program = "dnssec-keygen";
 
 isc_log_t *lctx = NULL;
 
-noreturn static void
+ISC_NORETURN static void
 usage(void);
 
 static void
@@ -85,22 +82,19 @@ struct keygen_ctx {
 	const char *policy;
 	const char *configfile;
 	const char *directory;
-	dns_keystore_t *keystore;
 	char *algname;
 	char *nametype;
 	char *type;
+	int generator;
 	int protocol;
 	int size;
-	uint16_t tag_min;
-	uint16_t tag_max;
 	int signatory;
 	dns_rdataclass_t rdclass;
 	int options;
 	int dbits;
 	dns_ttl_t ttl;
-	bool wantzsk;
-	bool wantksk;
-	bool wantrev;
+	uint16_t kskflag;
+	uint16_t revflag;
 	dns_secalg_t alg;
 	/* timing data */
 	int prepub;
@@ -151,22 +145,17 @@ usage(void) {
 	fprintf(stderr, "    -l <file>: configuration file with dnssec-policy "
 			"statement\n");
 	fprintf(stderr, "    -a <algorithm>:\n");
-	if (!isc_fips_mode()) {
-		fprintf(stderr, "        RSASHA1 | NSEC3RSASHA1 |\n");
-	}
+	fprintf(stderr, "        RSASHA1 | NSEC3RSASHA1 |\n");
 	fprintf(stderr, "        RSASHA256 | RSASHA512 |\n");
 	fprintf(stderr, "        ECDSAP256SHA256 | ECDSAP384SHA384 |\n");
-	fprintf(stderr, "        ED25519 | ED448\n");
+	fprintf(stderr, "        ED25519 | ED448 | DH\n");
 	fprintf(stderr, "    -3: use NSEC3-capable algorithm\n");
 	fprintf(stderr, "    -b <key size in bits>:\n");
-	if (!isc_fips_mode()) {
-		fprintf(stderr, "        RSASHA1:\t[%d..%d]\n", min_rsa,
-			MAX_RSA);
-		fprintf(stderr, "        NSEC3RSASHA1:\t[%d..%d]\n", min_rsa,
-			MAX_RSA);
-	}
-	fprintf(stderr, "        RSASHA256:\t[%d..%d]\n", min_rsa, MAX_RSA);
-	fprintf(stderr, "        RSASHA512:\t[%d..%d]\n", min_rsa, MAX_RSA);
+	fprintf(stderr, "        RSASHA1:\t[1024..%d]\n", MAX_RSA);
+	fprintf(stderr, "        NSEC3RSASHA1:\t[1024..%d]\n", MAX_RSA);
+	fprintf(stderr, "        RSASHA256:\t[1024..%d]\n", MAX_RSA);
+	fprintf(stderr, "        RSASHA512:\t[1024..%d]\n", MAX_RSA);
+	fprintf(stderr, "        DH:\t\t[128..4096]\n");
 	fprintf(stderr, "        ECDSAP256SHA256:\tignored\n");
 	fprintf(stderr, "        ECDSAP384SHA384:\tignored\n");
 	fprintf(stderr, "        ED25519:\tignored\n");
@@ -179,11 +168,18 @@ usage(void) {
 	fprintf(stderr, "    -c <class>: (default: IN)\n");
 	fprintf(stderr, "    -d <digest bits> (0 => max, default)\n");
 	fprintf(stderr, "    -E <engine>:\n");
+#if USE_PKCS11
+	fprintf(stderr,
+		"        path to PKCS#11 provider library "
+		"(default is %s)\n",
+		PK11_LIB_LOCATION);
+#else  /* if USE_PKCS11 */
 	fprintf(stderr, "        name of an OpenSSL engine to use\n");
-	fprintf(stderr, "    -f <keyflag>: ZSK | KSK | REVOKE\n");
-	fprintf(stderr, "    -F: FIPS mode\n");
+#endif /* if USE_PKCS11 */
+	fprintf(stderr, "    -f <keyflag>: KSK | REVOKE\n");
+	fprintf(stderr, "    -g <generator>: use specified generator "
+			"(DH only)\n");
 	fprintf(stderr, "    -L <ttl>: default key TTL\n");
-	fprintf(stderr, "    -M <min>:<max>: allowed Key ID range\n");
 	fprintf(stderr, "    -p <protocol>: (default: 3 [dnssec])\n");
 	fprintf(stderr, "    -s <strength>: strength value this key signs DNS "
 			"records with (default: 0)\n");
@@ -194,7 +190,7 @@ usage(void) {
 			"(default: AUTHCONF)\n");
 	fprintf(stderr, "    -h: print usage and exit\n");
 	fprintf(stderr, "    -m <memory debugging mode>:\n");
-	fprintf(stderr, "       usage | trace | record\n");
+	fprintf(stderr, "       usage | trace | record | size | mctx\n");
 	fprintf(stderr, "    -v <level>: set verbosity level (0 - 10)\n");
 	fprintf(stderr, "    -V: print version information\n");
 	fprintf(stderr, "Timing options:\n");
@@ -224,7 +220,7 @@ usage(void) {
 	fprintf(stderr, "     K<name>+<alg>+<id>.key, "
 			"K<name>+<alg>+<id>.private\n");
 
-	exit(EXIT_FAILURE);
+	exit(-1);
 }
 
 static void
@@ -251,6 +247,52 @@ progress(int p) {
 	(void)fflush(stderr);
 }
 
+static void
+kasp_from_conf(cfg_obj_t *config, isc_mem_t *mctx, const char *name,
+	       dns_kasp_t **kaspp) {
+	const cfg_listelt_t *element;
+	const cfg_obj_t *kasps = NULL;
+	dns_kasp_t *kasp = NULL, *kasp_next;
+	isc_result_t result = ISC_R_NOTFOUND;
+	dns_kasplist_t kasplist;
+
+	ISC_LIST_INIT(kasplist);
+
+	(void)cfg_map_get(config, "dnssec-policy", &kasps);
+	for (element = cfg_list_first(kasps); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		cfg_obj_t *kconfig = cfg_listelt_value(element);
+		kasp = NULL;
+		if (strcmp(cfg_obj_asstring(cfg_tuple_get(kconfig, "name")),
+			   name) != 0) {
+			continue;
+		}
+
+		result = cfg_kasp_fromconfig(kconfig, NULL, mctx, lctx,
+					     &kasplist, &kasp);
+		if (result != ISC_R_SUCCESS) {
+			fatal("failed to configure dnssec-policy '%s': %s",
+			      cfg_obj_asstring(cfg_tuple_get(kconfig, "name")),
+			      isc_result_totext(result));
+		}
+		INSIST(kasp != NULL);
+		dns_kasp_freeze(kasp);
+		break;
+	}
+
+	*kaspp = kasp;
+
+	/*
+	 * Cleanup kasp list.
+	 */
+	for (kasp = ISC_LIST_HEAD(kasplist); kasp != NULL; kasp = kasp_next) {
+		kasp_next = ISC_LIST_NEXT(kasp, link);
+		ISC_LIST_UNLINK(kasplist, kasp, link);
+		dns_kasp_detach(&kasp);
+	}
+}
+
 static void
 keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
 	char filename[255];
@@ -291,15 +333,8 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
 			fatal("unsupported algorithm: %s", algstr);
 		}
 
-		if (isc_fips_mode()) {
-			/* verify only in FIPS mode */
-			switch (ctx->alg) {
-			case DST_ALG_RSASHA1:
-			case DST_ALG_NSEC3RSASHA1:
-				fatal("unsupported algorithm: %s", algstr);
-			default:
-				break;
-			}
+		if (ctx->alg == DST_ALG_DH) {
+			ctx->options |= DST_TYPE_KEY;
 		}
 
 		if (ctx->use_nsec3) {
@@ -344,11 +379,6 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
 			switch (ctx->alg) {
 			case DST_ALG_RSASHA1:
 			case DST_ALG_NSEC3RSASHA1:
-				if (isc_fips_mode()) {
-					fatal("key size not specified (-b "
-					      "option)");
-				}
-				FALLTHROUGH;
 			case DST_ALG_RSASHA256:
 			case DST_ALG_RSASHA512:
 				ctx->size = 2048;
@@ -372,8 +402,7 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
 
 		if (!ctx->oldstyle && ctx->prepub > 0) {
 			if (ctx->setpub && ctx->setact &&
-			    (ctx->activate - ctx->prepub) < ctx->publish)
-			{
+			    (ctx->activate - ctx->prepub) < ctx->publish) {
 				fatal("Activation and publication dates "
 				      "are closer together than the\n\t"
 				      "prepublication interval.");
@@ -504,18 +533,23 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
 	switch (ctx->alg) {
 	case DNS_KEYALG_RSASHA1:
 	case DNS_KEYALG_NSEC3RSASHA1:
-		if (isc_fips_mode()) {
-			fatal("SHA1 based keys not supported in FIPS mode");
-		}
-		FALLTHROUGH;
 	case DNS_KEYALG_RSASHA256:
-	case DNS_KEYALG_RSASHA512:
-		if (ctx->size != 0 &&
-		    (ctx->size < min_rsa || ctx->size > MAX_RSA))
+		if (ctx->size != 0 && (ctx->size < 1024 || ctx->size > MAX_RSA))
 		{
 			fatal("RSA key size %d out of range", ctx->size);
 		}
 		break;
+	case DNS_KEYALG_RSASHA512:
+		if (ctx->size != 0 && (ctx->size < 1024 || ctx->size > MAX_RSA))
+		{
+			fatal("RSA key size %d out of range", ctx->size);
+		}
+		break;
+	case DNS_KEYALG_DH:
+		if (ctx->size != 0 && (ctx->size < 128 || ctx->size > 4096)) {
+			fatal("DH key size %d out of range", ctx->size);
+		}
+		break;
 	case DST_ALG_ECDSA256:
 		ctx->size = 256;
 		break;
@@ -530,6 +564,10 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
 		break;
 	}
 
+	if (ctx->alg != DNS_KEYALG_DH && ctx->generator != 0) {
+		fatal("specified DH generator for a non-DH key");
+	}
+
 	if (ctx->nametype == NULL) {
 		if ((ctx->options & DST_TYPE_KEY) != 0) { /* KEY */
 			fatal("no nametype specified");
@@ -558,12 +596,8 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
 	if ((ctx->options & DST_TYPE_KEY) != 0) { /* KEY */
 		flags |= ctx->signatory;
 	} else if ((flags & DNS_KEYOWNER_ZONE) != 0) { /* DNSKEY */
-		if (ctx->ksk || ctx->wantksk) {
-			flags |= DNS_KEYFLAG_KSK;
-		}
-		if (ctx->wantrev) {
-			flags |= DNS_KEYFLAG_REVOKE;
-		}
+		flags |= ctx->kskflag;
+		flags |= ctx->revflag;
 	}
 
 	if (ctx->protocol == -1) {
@@ -583,6 +617,12 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
 		}
 	}
 
+	if ((flags & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE &&
+	    ctx->alg == DNS_KEYALG_DH)
+	{
+		fatal("a key with algorithm %s cannot be a zone key", algstr);
+	}
+
 	switch (ctx->alg) {
 	case DNS_KEYALG_RSASHA1:
 	case DNS_KEYALG_NSEC3RSASHA1:
@@ -591,6 +631,10 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
 		show_progress = true;
 		break;
 
+	case DNS_KEYALG_DH:
+		param = ctx->generator;
+		break;
+
 	case DST_ALG_ECDSA256:
 	case DST_ALG_ECDSA384:
 	case DST_ALG_ED25519:
@@ -610,27 +654,16 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
 
 		if (!ctx->quiet && show_progress) {
 			fprintf(stderr, "Generating key pair.");
-		}
-
-		if (ctx->keystore != NULL && ctx->policy != NULL) {
-			ret = dns_keystore_keygen(
-				ctx->keystore, name, ctx->policy, ctx->rdclass,
-				mctx, ctx->alg, ctx->size, flags, &key);
-		} else if (!ctx->quiet && show_progress) {
 			ret = dst_key_generate(name, ctx->alg, ctx->size, param,
 					       flags, ctx->protocol,
-					       ctx->rdclass, NULL, mctx, &key,
+					       ctx->rdclass, mctx, &key,
 					       &progress);
+			putc('\n', stderr);
+			fflush(stderr);
 		} else {
 			ret = dst_key_generate(name, ctx->alg, ctx->size, param,
 					       flags, ctx->protocol,
-					       ctx->rdclass, NULL, mctx, &key,
-					       NULL);
-		}
-
-		if (!ctx->quiet && show_progress) {
-			putc('\n', stderr);
-			fflush(stderr);
+					       ctx->rdclass, mctx, &key, NULL);
 		}
 
 		if (ret != ISC_R_SUCCESS) {
@@ -686,7 +719,7 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
 			}
 
 			if (ctx->setrev) {
-				if (!ctx->wantksk) {
+				if (ctx->kskflag == 0) {
 					fprintf(stderr,
 						"%s: warning: Key is "
 						"not flagged as a KSK, but -R "
@@ -705,8 +738,7 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
 
 			if (ctx->setdel) {
 				if (ctx->setinact &&
-				    ctx->deltime < ctx->inactive)
-				{
+				    ctx->deltime < ctx->inactive) {
 					fprintf(stderr,
 						"%s: warning: Key is "
 						"scheduled to be deleted "
@@ -761,9 +793,7 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
 		 * if there is a risk of ID collision due to this key
 		 * or another key being revoked.
 		 */
-		if (key_collision(key, name, ctx->directory, mctx, ctx->tag_min,
-				  ctx->tag_max, NULL))
-		{
+		if (key_collision(key, name, ctx->directory, mctx, NULL)) {
 			conflict = true;
 			if (null_key) {
 				dst_key_free(&key);
@@ -828,18 +858,6 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
 	}
 }
 
-static void
-check_keystore_options(keygen_ctx_t *ctx) {
-	ctx->directory = dns_keystore_directory(ctx->keystore, NULL);
-	if (ctx->directory != NULL) {
-		isc_result_t ret = try_dir(ctx->directory);
-		if (ret != ISC_R_SUCCESS) {
-			fatal("cannot open directory %s: %s", ctx->directory,
-			      isc_result_totext(ret));
-		}
-	}
-}
-
 int
 main(int argc, char **argv) {
 	char *algname = NULL, *freeit = NULL;
@@ -851,30 +869,30 @@ main(int argc, char **argv) {
 	const char *engine = NULL;
 	unsigned char c;
 	int ch;
-	bool set_fips_mode = false;
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
-	OSSL_PROVIDER *fips = NULL, *base = NULL;
-#endif
 
 	keygen_ctx_t ctx = {
 		.options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC,
 		.prepub = -1,
 		.protocol = -1,
 		.size = -1,
-		.now = isc_stdtime_now(),
 	};
 
 	if (argc == 1) {
 		usage();
 	}
 
+#if USE_PKCS11
+	pk11_result_register();
+#endif /* if USE_PKCS11 */
+	dns_result_register();
+
 	isc_commandline_errprint = false;
 
 	/*
 	 * Process memory debugging argument first.
 	 */
-#define CMDLINE_FLAGS                                          \
-	"3A:a:b:Cc:D:d:E:Ff:GhI:i:K:k:L:l:M:m:n:P:p:qR:r:S:s:" \
+#define CMDLINE_FLAGS                                           \
+	"3A:a:b:Cc:D:d:E:eFf:Gg:hI:i:K:k:L:l:m:n:P:p:qR:r:S:s:" \
 	"T:t:v:V"
 	while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
 		switch (ch) {
@@ -899,6 +917,7 @@ main(int argc, char **argv) {
 	isc_commandline_reset = true;
 
 	isc_mem_create(&mctx);
+	isc_stdtime_get(&ctx.now);
 
 	while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
 		switch (ch) {
@@ -929,19 +948,28 @@ main(int argc, char **argv) {
 		case 'E':
 			engine = isc_commandline_argument;
 			break;
+		case 'e':
+			fprintf(stderr, "phased-out option -e "
+					"(was 'use (RSA) large exponent')\n");
+			break;
 		case 'f':
 			c = (unsigned char)(isc_commandline_argument[0]);
 			if (toupper(c) == 'K') {
-				ctx.wantksk = true;
-			} else if (toupper(c) == 'Z') {
-				ctx.wantzsk = true;
+				ctx.kskflag = DNS_KEYFLAG_KSK;
 			} else if (toupper(c) == 'R') {
-				ctx.wantrev = true;
+				ctx.revflag = DNS_KEYFLAG_REVOKE;
 			} else {
 				fatal("unknown flag '%s'",
 				      isc_commandline_argument);
 			}
 			break;
+		case 'g':
+			ctx.generator = strtol(isc_commandline_argument, &endp,
+					       10);
+			if (*endp != '\0' || ctx.generator <= 0) {
+				fatal("-g requires a positive number");
+			}
+			break;
 		case 'K':
 			ctx.directory = isc_commandline_argument;
 			ret = try_dir(ctx.directory);
@@ -963,29 +991,13 @@ main(int argc, char **argv) {
 		case 'n':
 			ctx.nametype = isc_commandline_argument;
 			break;
-		case 'M': {
-			unsigned long ul;
-			ctx.tag_min = ul = strtoul(isc_commandline_argument,
-						   &endp, 10);
-			if (*endp != ':' || ul > 0xffff) {
-				fatal("-M range invalid");
-			}
-			ctx.tag_max = ul = strtoul(endp + 1, &endp, 10);
-			if (*endp != '\0' || ul > 0xffff ||
-			    ctx.tag_max <= ctx.tag_min)
-			{
-				fatal("-M range invalid");
-			}
-			break;
-		}
 		case 'm':
 			break;
 		case 'p':
 			ctx.protocol = strtol(isc_commandline_argument, &endp,
 					      10);
 			if (*endp != '\0' || ctx.protocol < 0 ||
-			    ctx.protocol > 255)
-			{
+			    ctx.protocol > 255) {
 				fatal("-p must be followed by a number "
 				      "[0..255]");
 			}
@@ -1001,8 +1013,7 @@ main(int argc, char **argv) {
 			ctx.signatory = strtol(isc_commandline_argument, &endp,
 					       10);
 			if (*endp != '\0' || ctx.signatory < 0 ||
-			    ctx.signatory > 15)
-			{
+			    ctx.signatory > 15) {
 				fatal("-s must be followed by a number "
 				      "[0..15]");
 			}
@@ -1113,14 +1124,14 @@ main(int argc, char **argv) {
 			ctx.prepub = strtottl(isc_commandline_argument);
 			break;
 		case 'F':
-			set_fips_mode = true;
-			break;
+		/* Reserved for FIPS mode */
+		/* FALLTHROUGH */
 		case '?':
 			if (isc_commandline_option != '?') {
 				fprintf(stderr, "%s: invalid argument -%c\n",
 					program, isc_commandline_option);
 			}
-			FALLTHROUGH;
+		/* FALLTHROUGH */
 		case 'h':
 			/* Does not return. */
 			usage();
@@ -1132,7 +1143,7 @@ main(int argc, char **argv) {
 		default:
 			fprintf(stderr, "%s: unhandled option -%c\n", program,
 				isc_commandline_option);
-			exit(EXIT_FAILURE);
+			exit(1);
 		}
 	}
 
@@ -1140,40 +1151,11 @@ main(int argc, char **argv) {
 		ctx.quiet = true;
 	}
 
-	if (set_fips_mode) {
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
-		fips = OSSL_PROVIDER_load(NULL, "fips");
-		if (fips == NULL) {
-			ERR_clear_error();
-			fatal("Failed to load FIPS provider");
-		}
-		base = OSSL_PROVIDER_load(NULL, "base");
-		if (base == NULL) {
-			OSSL_PROVIDER_unload(fips);
-			ERR_clear_error();
-			fatal("Failed to load base provider");
-		}
-#endif
-		if (!isc_fips_mode()) {
-			if (isc_fips_set_mode(1) != ISC_R_SUCCESS) {
-				fatal("setting FIPS mode failed");
-			}
-		}
-	}
-
 	ret = dst_lib_init(mctx, engine);
 	if (ret != ISC_R_SUCCESS) {
 		fatal("could not initialize dst: %s", isc_result_totext(ret));
 	}
 
-	/*
-	 * After dst_lib_init which will set FIPS mode if requested
-	 * at build time.  The minumums are both raised to 2048.
-	 */
-	if (isc_fips_mode()) {
-		min_rsa = min_dh = 2048;
-	}
-
 	setup_logging(mctx, &lctx);
 
 	ctx.rdclass = strtoclass(classname);
@@ -1225,8 +1207,8 @@ main(int argc, char **argv) {
 		if (ctx.size != -1) {
 			fatal("-k and -b cannot be used together");
 		}
-		if (ctx.wantrev) {
-			fatal("-k and -fR cannot be used together");
+		if (ctx.kskflag || ctx.revflag) {
+			fatal("-k and -f cannot be used together");
 		}
 		if (ctx.options & DST_TYPE_KEY) {
 			fatal("-k and -T KEY cannot be used together");
@@ -1241,13 +1223,12 @@ main(int argc, char **argv) {
 			ctx.use_nsec3 = false;
 			ctx.alg = DST_ALG_ECDSA256;
 			ctx.size = 0;
+			ctx.kskflag = DNS_KEYFLAG_KSK;
 			ctx.ttl = 3600;
 			ctx.setttl = true;
 			ctx.ksk = true;
 			ctx.zsk = true;
 			ctx.lifetime = 0;
-			ctx.tag_min = 0;
-			ctx.tag_max = 0xffff;
 
 			keygen(&ctx, mctx, argc, argv);
 		} else {
@@ -1267,8 +1248,7 @@ main(int argc, char **argv) {
 				      ctx.policy, ctx.configfile);
 			}
 
-			kasp_from_conf(config, mctx, lctx, ctx.policy,
-				       ctx.directory, engine, &kasp);
+			kasp_from_conf(config, mctx, ctx.policy, &kasp);
 			if (kasp == NULL) {
 				fatal("failed to load dnssec-policy '%s'",
 				      ctx.policy);
@@ -1282,28 +1262,22 @@ main(int argc, char **argv) {
 			ctx.ttl = dns_kasp_dnskeyttl(kasp);
 			ctx.setttl = true;
 
-			for (kaspkey = ISC_LIST_HEAD(dns_kasp_keys(kasp));
-			     kaspkey != NULL;
-			     kaspkey = ISC_LIST_NEXT(kaspkey, link))
-			{
+			kaspkey = ISC_LIST_HEAD(dns_kasp_keys(kasp));
+
+			while (kaspkey != NULL) {
 				ctx.use_nsec3 = false;
 				ctx.alg = dns_kasp_key_algorithm(kaspkey);
 				ctx.size = dns_kasp_key_size(kaspkey);
+				ctx.kskflag = dns_kasp_key_ksk(kaspkey)
+						      ? DNS_KEYFLAG_KSK
+						      : 0;
 				ctx.ksk = dns_kasp_key_ksk(kaspkey);
 				ctx.zsk = dns_kasp_key_zsk(kaspkey);
 				ctx.lifetime = dns_kasp_key_lifetime(kaspkey);
-				ctx.keystore = dns_kasp_key_keystore(kaspkey);
-				if (ctx.keystore != NULL) {
-					check_keystore_options(&ctx);
-				}
-				ctx.tag_min = dns_kasp_key_tagmin(kaspkey);
-				ctx.tag_max = dns_kasp_key_tagmax(kaspkey);
-				if ((ctx.ksk && !ctx.wantksk && ctx.wantzsk) ||
-				    (ctx.zsk && !ctx.wantzsk && ctx.wantksk))
-				{
-					continue;
-				}
+
 				keygen(&ctx, mctx, argc, argv);
+
+				kaspkey = ISC_LIST_NEXT(kaspkey, link);
 			}
 
 			dns_kasp_detach(&kasp);
@@ -1321,17 +1295,9 @@ main(int argc, char **argv) {
 	}
 	isc_mem_destroy(&mctx);
 
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
-	if (base != NULL) {
-		OSSL_PROVIDER_unload(base);
-	}
-	if (fips != NULL) {
-		OSSL_PROVIDER_unload(fips);
-	}
-#endif
 	if (freeit != NULL) {
 		free(freeit);
 	}
 
-	return 0;
+	return (0);
 }

bin/dnssec/dnssec-keygen.rst

@@ -1,18 +1,26 @@
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+.. 
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+   
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, you can obtain one at https://mozilla.org/MPL/2.0/.
+   
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
 ..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0.  If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
 
 .. highlight: console
 
-.. iscman:: dnssec-keygen
-.. program:: dnssec-keygen
 .. _man_dnssec-keygen:
 
 dnssec-keygen: DNSSEC key generation tool
@@ -21,13 +29,15 @@ dnssec-keygen: DNSSEC key generation tool
 Synopsis
 ~~~~~~~~
 
-:program:`dnssec-keygen` [**-3**] [**-A** date/offset] [**-a** algorithm] [**-b** keysize] [**-C**] [**-c** class] [**-D** date/offset] [**-d** bits] [**-D** sync date/offset] [**-E** engine] [**-f** flag] [**-F**] [**-G**] [**-h**] [**-I** date/offset] [**-i** interval] [**-K** directory] [**-k** policy] [**-L** ttl] [**-l** file] [**-n** nametype] [**-M** tag_min:tag_max] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-q**] [**-R** date/offset] [**-S** key] [**-s** strength] [**-T** rrtype] [**-t** type] [**-V**] [**-v** level] {name}
+:program:`dnssec-keygen` [**-3**] [**-A** date/offset] [**-a** algorithm] [**-b** keysize] [**-C**] [**-c** class] [**-D** date/offset] [**-d** bits] [**-D** sync date/offset] [**-E** engine] [**-f** flag] [**-G**] [**-g** generator] [**-h**] [**-I** date/offset] [**-i** interval] [**-K** directory] [**-k** policy] [**-L** ttl] [**-l** file] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-q**] [**-R** date/offset] [**-S** key] [**-s** strength] [**-T** rrtype] [**-t** type] [**-V**] [**-v** level] {name}
 
 Description
 ~~~~~~~~~~~
 
-:program:`dnssec-keygen` generates keys for DNSSEC (Secure DNS), as defined in
-:rfc:`2535` and :rfc:`4034`.
+``dnssec-keygen`` generates keys for DNSSEC (Secure DNS), as defined in
+:rfc:`2535` and :rfc:`4034`. It can also generate keys for use with TSIG
+(Transaction Signatures) as defined in :rfc:`2845`, or TKEY (Transaction
+Key) as defined in :rfc:`2930`.
 
 The ``name`` of the key is specified on the command line. For DNSSEC
 keys, this must match the name of the zone for which the key is being
@@ -36,33 +46,32 @@ generated.
 Options
 ~~~~~~~
 
-.. option:: -3
-
+``-3``
    This option uses an NSEC3-capable algorithm to generate a DNSSEC key. If this
    option is used with an algorithm that has both NSEC and NSEC3
    versions, then the NSEC3 version is selected; for example,
-   ``dnssec-keygen -3 -a RSASHA1`` specifies the NSEC3RSASHA1 algorithm.
-
-.. option:: -a algorithm
+   ``dnssec-keygen -3a RSASHA1`` specifies the NSEC3RSASHA1 algorithm.
 
+``-a algorithm``
    This option selects the cryptographic algorithm. For DNSSEC keys, the value of
    ``algorithm`` must be one of RSASHA1, NSEC3RSASHA1, RSASHA256,
-   RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519, or ED448.
+   RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519, or ED448. For
+   TKEY, the value must be DH (Diffie-Hellman); specifying this value
+   automatically sets the ``-T KEY`` option as well.
 
    These values are case-insensitive. In some cases, abbreviations are
    supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for
-   ECDSAP384SHA384. If RSASHA1 is specified along with the :option:`-3`
+   ECDSAP384SHA384. If RSASHA1 is specified along with the ``-3``
    option, NSEC3RSASHA1 is used instead.
 
-   This parameter *must* be specified except when using the :option:`-S`
+   This parameter *must* be specified except when using the ``-S``
    option, which copies the algorithm from the predecessor key.
 
    In prior releases, HMAC algorithms could be generated for use as TSIG
    keys, but that feature was removed in BIND 9.13.0. Use
-   :iscman:`tsig-keygen` to generate TSIG keys.
-
-.. option:: -b keysize
+   ``tsig-keygen`` to generate TSIG keys.
 
+``-b keysize``
    This option specifies the number of bits in the key. The choice of key size
    depends on the algorithm used: RSA keys must be between 1024 and 4096
    bits; Diffie-Hellman keys must be between 128 and 4096 bits. Elliptic
@@ -71,80 +80,66 @@ Options
    If the key size is not specified, some algorithms have pre-defined
    defaults. For example, RSA keys for use as DNSSEC zone-signing keys
    have a default size of 1024 bits; RSA keys for use as key-signing
-   keys (KSKs, generated with :option:`-f KSK <-f>`) default to 2048 bits.
-
-.. option:: -C
+   keys (KSKs, generated with ``-f KSK``) default to 2048 bits.
 
+``-C``
    This option enables compatibility mode, which generates an old-style key, without any timing
-   metadata. By default, :program:`dnssec-keygen` includes the key's
+   metadata. By default, ``dnssec-keygen`` includes the key's
    creation date in the metadata stored with the private key; other
    dates may be set there as well, including publication date, activation date,
    etc. Keys that include this data may be incompatible with older
-   versions of BIND; the :option:`-C` option suppresses them.
-
-.. option:: -c class
+   versions of BIND; the ``-C`` option suppresses them.
 
+``-c class``
    This option indicates that the DNS record containing the key should have the
    specified class. If not specified, class IN is used.
 
-.. option:: -d bits
-
+``-d bits``
    This option specifies the key size in bits. For the algorithms RSASHA1, NSEC3RSASA1, RSASHA256, and
    RSASHA512 the key size must be between 1024 and 4096 bits; DH size is between 128
    and 4096 bits. This option is ignored for algorithms ECDSAP256SHA256,
    ECDSAP384SHA384, ED25519, and ED448.
 
-.. option:: -E engine
-
+``-E engine``
    This option specifies the cryptographic hardware to use, when applicable.
 
    When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
    engine identifier that drives the cryptographic accelerator or
-   hardware service module (usually ``pkcs11``).
-
-.. option:: -f flag
+   hardware service module (usually ``pkcs11``). When BIND is
+   built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it
+   defaults to the path of the PKCS#11 provider library specified via
+   ``--with-pkcs11``.
 
+``-f flag``
    This option sets the specified flag in the flag field of the KEY/DNSKEY record.
-   The only recognized flags are ZSK (Zone-Signing Key), KSK (Key-Signing Key)
-   and REVOKE.
-
-   Note that ZSK is not a physical flag in the DNSKEY record, it is merely used
-   to explicitly tell that you want to create a ZSK. Setting :option:`-f` in
-   conjunction with :option:`-k` will result in generating keys that only
-   match the given role set with this option.
-
-.. option:: -F
-
-   This options turns on FIPS (US Federal Information Processing Standards)
-   mode if the underlying crytographic library supports running in FIPS
-   mode.
-
-.. option:: -G
+   The only recognized flags are KSK (Key-Signing Key) and REVOKE.
 
+``-G``
    This option generates a key, but does not publish it or sign with it. This option is
-   incompatible with :option:`-P` and :option:`-A`.
+   incompatible with ``-P`` and ``-A``.
 
-.. option:: -h
+``-g generator``
+   This option indicates the generator to use if generating a Diffie-Hellman key. Allowed
+   values are 2 and 5. If no generator is specified, a known prime from
+   :rfc:`2539` is used if possible; otherwise the default is 2.
 
+``-h``
    This option prints a short summary of the options and arguments to
-   :program:`dnssec-keygen`.
-
-.. option:: -K directory
+   ``dnssec-keygen``.
 
+``-K directory``
    This option sets the directory in which the key files are to be written.
 
-.. option:: -k policy
-
+``-k policy``
    This option creates keys for a specific ``dnssec-policy``. If a policy uses multiple keys,
-   :program:`dnssec-keygen` generates multiple keys. This also
+   ``dnssec-keygen`` generates multiple keys. This also
    creates a ".state" file to keep track of the key state.
 
    This option creates keys according to the ``dnssec-policy`` configuration, hence
    it cannot be used at the same time as many of the other options that
-   :program:`dnssec-keygen` provides.
-
-.. option:: -L ttl
+   ``dnssec-keygen`` provides.
 
+``-L ttl``
    This option sets the default TTL to use for this key when it is converted into a
    DNSKEY RR. This is the TTL used when the key is imported into a zone,
    unless there was already a DNSKEY RRset in
@@ -153,43 +148,26 @@ Options
    defaults to the SOA TTL. Setting the default TTL to ``0`` or ``none``
    is the same as leaving it unset.
 
-.. option:: -l file
-
+``-l file``
    This option provides a configuration file that contains a ``dnssec-policy`` statement
-   (matching the policy set with :option:`-k`).
-
-.. option:: -M tag_min:tag_max
-
-   This option sets the range of acceptable key tag values that ``dnssec-keygen``
-   will produce. If the key tag of the new key or the key tag of
-   the revoked version of the new key is outside this range,
-   the new key will be rejected and another new key will be generated.
-   This is designed to be used when generating keys in a multi-signer
-   scenario, where each operator is given a range of key tags to
-   prevent collisions among different operators.  The valid values
-   for ``tag_min`` and ``tag_max`` are [0..65535].  The default allows all
-   key tag values to be produced.  This option is ignored when ``-k policy``
-   is specified.
-
-.. option:: -n nametype
+   (matching the policy set with ``-k``).
 
+``-n nametype``
    This option specifies the owner type of the key. The value of ``nametype`` must
    either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY
    (for a key associated with a host (KEY)), USER (for a key associated
    with a user (KEY)), or OTHER (DNSKEY). These values are
    case-insensitive. The default is ZONE for DNSKEY generation.
 
-.. option:: -p protocol
-
+``-p protocol``
    This option sets the protocol value for the generated key, for use with
-   :option:`-T KEY <-T>`. The protocol is a number between 0 and 255. The default
+   ``-T KEY``. The protocol is a number between 0 and 255. The default
    is 3 (DNSSEC). Other possible values for this argument are listed in
    :rfc:`2535` and its successors.
 
-.. option:: -q
-
+``-q``
    This option sets quiet mode, which suppresses unnecessary output, including progress
-   indication. Without this option, when :program:`dnssec-keygen` is run
+   indication. Without this option, when ``dnssec-keygen`` is run
    interactively to generate an RSA or DSA key pair, it prints a
    string of symbols to ``stderr`` indicating the progress of the key
    generation. A ``.`` indicates that a random number has been found which
@@ -197,8 +175,7 @@ Options
    round of the Miller-Rabin primality test; and a space ( ) means that the
    number has passed all the tests and is a satisfactory key.
 
-.. option:: -S key
-
+``-S key``
    This option creates a new key which is an explicit successor to an existing key.
    The name, algorithm, size, and type of the key are set to match
    the existing key. The activation date of the new key is set to
@@ -206,104 +183,77 @@ Options
    set to the activation date minus the prepublication interval,
    which defaults to 30 days.
 
-.. option:: -s strength
-
+``-s strength``
    This option specifies the strength value of the key. The strength is a number
    between 0 and 15, and currently has no defined purpose in DNSSEC.
 
-.. option:: -T rrtype
-
+``-T rrtype``
    This option specifies the resource record type to use for the key. ``rrtype``
    must be either DNSKEY or KEY. The default is DNSKEY when using a
    DNSSEC algorithm, but it can be overridden to KEY for use with
    SIG(0).
 
-.. option:: -t type
-
-   This option indicates the type of the key for use with :option:`-T KEY <-T>`. ``type``
+``-t type``
+   This option indicates the type of the key for use with ``-T KEY``. ``type``
    must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
    is AUTHCONF. AUTH refers to the ability to authenticate data, and
    CONF to the ability to encrypt data.
 
-.. option:: -V
-
+``-V``
    This option prints version information.
 
-.. option:: -v level
-
+``-v level``
    This option sets the debugging level.
 
 Timing Options
 ~~~~~~~~~~~~~~
 
-Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS
-(which is the format used inside key files),
-or 'Day Mon DD HH:MM:SS YYYY' (as printed by ``dnssec-settime -p``),
-or UNIX epoch time (as printed by ``dnssec-settime -up``),
-or the literal ``now``.
-
-The argument can be followed by ``+`` or ``-`` and an offset from the
-given time. The literal ``now`` can be omitted before an offset. The
-offset can be followed by one of the suffixes ``y``, ``mo``, ``w``,
-``d``, ``h``, or ``mi``, so that it is computed in years (defined as
-365 24-hour days, ignoring leap years), months (defined as 30 24-hour
-days), weeks, days, hours, or minutes, respectively. Without a suffix,
-the offset is computed in seconds.
-
-To unset a date, use ``none``, ``never``, or ``unset``.
-
-.. option:: -P date/offset
+Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the
+argument begins with a ``+`` or ``-``, it is interpreted as an offset from
+the present time. For convenience, if such an offset is followed by one
+of the suffixes ``y``, ``mo``, ``w``, ``d``, ``h``, or ``mi``, then the offset is
+computed in years (defined as 365 24-hour days, ignoring leap years),
+months (defined as 30 24-hour days), weeks, days, hours, or minutes,
+respectively. Without a suffix, the offset is computed in seconds. To
+explicitly prevent a date from being set, use ``none`` or ``never``.
 
+``-P date/offset``
    This option sets the date on which a key is to be published to the zone. After
    that date, the key is included in the zone but is not used
-   to sign it. If not set, and if the :option:`-G` option has not been used, the
+   to sign it. If not set, and if the ``-G`` option has not been used, the
    default is the current date.
 
-   .. program:: dnssec-keygen -P
-   .. option:: sync date/offset
-
-      This option sets the date on which CDS and CDNSKEY records that match this key
-      are to be published to the zone.
-
-.. program:: dnssec-keygen
-
-.. option:: -A date/offset
+``-P sync date/offset``
+   This option sets the date on which CDS and CDNSKEY records that match this key
+   are to be published to the zone.
 
+``-A date/offset``
    This option sets the date on which the key is to be activated. After that date,
    the key is included in the zone and used to sign it. If not set,
-   and if the :option:`-G` option has not been used, the default is the current date. If set,
-   and :option:`-P` is not set, the publication date is set to the
+   and if the ``-G`` option has not been used, the default is the current date. If set,
+   and ``-P`` is not set, the publication date is set to the
    activation date minus the prepublication interval.
 
-.. option:: -R date/offset
-
+``-R date/offset``
    This option sets the date on which the key is to be revoked. After that date, the
    key is flagged as revoked. It is included in the zone and
    is used to sign it.
 
-.. option:: -I date/offset
-
+``-I date/offset``
    This option sets the date on which the key is to be retired. After that date, the
    key is still included in the zone, but it is not used to
    sign it.
 
-
-.. option:: -D date/offset
-
+``-D date/offset``
    This option sets the date on which the key is to be deleted. After that date, the
    key is no longer included in the zone. (However, it may remain in the key
    repository.)
 
-   .. program:: dnssec-keygen -D
-   .. option:: sync date/offset
-
-      This option sets the date on which the CDS and CDNSKEY records that match this
-      key are to be deleted.
-
-.. program:: dnssec-keygen
-
-.. option:: -i interval
+``-D sync date/offset``
+   This option sets the date on which the CDS and CDNSKEY records that match this
+   key are to be deleted.
 
+``-i interval``
    This option sets the prepublication interval for a key. If set, then the
    publication and activation dates must be separated by at least this
    much time. If the activation date is specified but the publication
@@ -324,7 +274,7 @@ To unset a date, use ``none``, ``never``, or ``unset``.
 Generated Keys
 ~~~~~~~~~~~~~~
 
-When :program:`dnssec-keygen` completes successfully, it prints a string of the
+When ``dnssec-keygen`` completes successfully, it prints a string of the
 form ``Knnnn.+aaa+iiiii`` to the standard output. This is an
 identification string for the key it has generated.
 
@@ -334,12 +284,12 @@ identification string for the key it has generated.
 
 -  ``iiiii`` is the key identifier (or footprint).
 
-:program:`dnssec-keygen` creates two files, with names based on the printed
+``dnssec-keygen`` creates two files, with names based on the printed
 string. ``Knnnn.+aaa+iiiii.key`` contains the public key, and
 ``Knnnn.+aaa+iiiii.private`` contains the private key.
 
 The ``.key`` file contains a DNSKEY or KEY record. When a zone is being
-signed by :iscman:`named` or :option:`dnssec-signzone -S`, DNSKEY records are
+signed by ``named`` or ``dnssec-signzone -S``, DNSKEY records are
 included automatically. In other cases, the ``.key`` file can be
 inserted into a zone file manually or with an ``$INCLUDE`` statement.
 
@@ -358,7 +308,7 @@ The command prints a string of the form:
 
 ``Kexample.com.+013+26160``
 
-In this example, :program:`dnssec-keygen` creates the files
+In this example, ``dnssec-keygen`` creates the files
 ``Kexample.com.+013+26160.key`` and ``Kexample.com.+013+26160.private``.
 
 To generate a matching key-signing key, issue the command:
@@ -368,5 +318,5 @@ To generate a matching key-signing key, issue the command:
 See Also
 ~~~~~~~~
 
-:iscman:`dnssec-signzone(8) <dnssec-signzone>`, BIND 9 Administrator Reference Manual, :rfc:`2539`,
+:manpage:`dnssec-signzone(8)`, BIND 9 Administrator Reference Manual, :rfc:`2539`,
 :rfc:`2845`, :rfc:`4034`.