copyrights

(cherry picked from commit 5e1cedb130)

CHANGES

@@ -1,6 +1,369 @@
-	--- 9.10.4-P2 released ---
+	--- 9.10.5-P1 released ---
 
-4406.	[bug]		getrrsetbyname with a non absolute name could
+4632.	[security]	The BIND installer on Windows used an unquoted
+			service path, which can enable privilege escalation.
+			(CVE-2017-3141) [RT #45229]
+
+4631.	[security]	Some RPZ configurations could go into an infinite
+			query loop when encountering responses with TTL=0.
+			(CVE-2017-3140) [RT #45181]
+
+	--- 9.10.5 released ---
+
+	--- 9.10.5rc3 released ---
+
+4582.	[security]	'rndc ""' could trigger a assertion failure in named.
+			(CVE-2017-3138) [RT #44924]
+
+4581.	[port]		Linux: Add getpid and getrandom to the list of system
+			calls named uses for seccomp. [RT #44883]
+
+4580.	[bug]		4578 introduced a regression when handling CNAME to
+			referral below the current domain. [RT #44850]
+
+	--- 9.10.5rc2 released ---
+
+4578.	[security]	Some chaining (CNAME or DNAME) responses to upstream
+			queries could trigger assertion failures.
+			(CVE-2017-3137) [RT #44734]
+
+4575.	[security]	DNS64 with "break-dnssec yes;" can result in an
+			assertion failure. (CVE-2017-3136) [RT #44653]
+
+	--- 9.10.5rc1 released ---
+
+4571.	[bug]		Out-of-tree builds of backtrace_test failed.
+
+4570.	[cleanup]	named did not correctly fall back to the built-in
+			initializing keys if the bind.keys file was present
+			but empty. [RT #44531]
+
+4568.	[contrib]	Added a --with-bind option to the dnsperf configure
+			script to specify BIND prefix path.
+
+4567.	[port]		Call getprotobyname and getservbyname prior to calling
+			chroot so that shared libraries get loaded. [RT #44537]
+
+4564.	[maint]		Update the built in managed keys to include the
+			upcoming root KSK. [RT #44579]
+
+4563.	[bug]		Modified zones would occasionally fail to reload.
+			[RT #39424]
+
+4561.	[port]		Silence a warning in strict C99 compilers. [RT #44414]
+
+4560.	[bug]		mdig: add -m option to enable memory debugging rather
+			than having it on all the time. [RT #44509]
+
+4559.	[bug]		openssl_link.c didn't compile if ISC_MEM_TRACKLINES
+			was turned off.  [RT #44509]
+
+4558.	[bug]		Synthesised CNAME before matching DNAME was still
+			being cached when it should not have been.  [RT #44318]
+
+4557.	[security]	Combining dns64 and rpz can result in dereferencing
+			a NULL pointer (read).  (CVE-2017-3135) [RT#44434]
+
+4554.	[bug]		Remove double unlock in dns_dispatchmgr_setudp.
+			[RT #44336]
+
+4553.	[bug]		Named could deadlock there were multiple changes to
+			NSEC/NSEC3 parameters for a zone being processed at
+			the same time. [RT #42770]
+
+4552.	[bug]		Named could trigger a assertion when sending notify
+			messages. [RT #44019]
+
+4551.	[test]		Add system tests for integrity checks of MX and
+			SRV records. [RT #43953]
+
+4550.	[cleanup]	Increased the number of available master file
+			output style flags from 32 to 64. [RT #44043]
+
+4547.	[port]		Add support for --enable-native-pkcs11 on the AEP
+			Keyper HSM. [RT #42463]
+
+	--- 9.10.5b1 released ---
+
+4543.	[bug]		dns_client_startupdate now delays sending the update
+			request until isc_app_ctxrun has been called.
+			[RT #43976]
+
+4541.	[bug]		rndc addzone should properly reject non master/slave
+			zones. [RT #43665]
+
+4539.	[bug]		Referencing a nonexistent zone with RPZ could lead
+			to a assertion failure when configuring. [RT #43787]
+
+4538.	[bug]		Call dns_client_startresolve from client->task.
+			[RT #43896]
+
+4537.	[bug]		Handle timeouts better in dig/host/nslookup. [RT #43576]
+
+4536.	[bug]		ISC_SOCKEVENTATTR_USEMINMTU was not being cleared
+			when reusing the event structure. [RT #43885]
+
+4535.	[bug]		Address race condition in setting / testing of
+			DNS_REQUEST_F_SENDING. [RT #43889]
+
+4534.	[bug]		Only set RD, RA and CD in QUERY responses. [RT #43879]
+
+4533.	[bug]		dns_client_update should terminate on prerequisite
+			failures (NXDOMAIN, YXDOMAIN, NXRRSET, YXRRSET)
+			and also on BADZONE.  [RT #43865]
+
+4532.	[contrib]	Make gen-data-queryperf.py python 3 compatible.
+			[RT #43836]
+
+4530.	[bug]		Change 4489 broke the handling of CNAME -> DNAME
+			in responses resulting in SERVFAIL being returned.
+			[RT #43779]
+
+4529.	[cleanup]	Silence noisy log warning when DSCP probe fails
+			due to firewall rules. [RT #43847]
+
+4528.	[bug]		Only set the flag bits for the i/o we are waiting
+			for on EPOLLERR or EPOLLHUP. [RT #43617]
+
+4527.	[doc]		Support DocBook XSL Stylesheets v1.79.1. [RT #43831]
+
+4526.	[doc]		Corrected errors and improved formatting of
+			grammar definitions in the ARM. [RT #43739]
+
+4525.	[doc]		Fixed outdated documentation on managed-keys.
+			[RT #43810]
+
+4524.	[bug]		The net zero test was broken causing IPv4 servers
+			with addresses ending in .0 to be rejected. [RT #43776]
+
+4523.	[doc]		Expand config doc for <querysource4> and
+			<querysource6>. [RT #43768]
+
+4522.	[bug]		Handle big gaps in log file version numbers better.
+			[RT #38688]
+
+4521.	[cleanup]	Log it as an error if an entropy source is not
+			found and there is no fallback available. [RT #43659]
+
+4520.	[cleanup]	Alphabetize more of the grammar when printing it
+			out. [RT #43755]
+
+4519.	[port]		win32: handle ERROR_MORE_DATA. [RT #43534]
+
+4517.	[security]	Named could mishandle authority sections that were
+			missing RRSIGs triggering an assertion failure.
+			(CVE-2016-9444) [RT # 43632]
+
+4516.	[bug]		isc_socketmgr_renderjson was missing from the
+			windows build. [RT #43602]
+
+4515.	[port]		FreeBSD: Find readline headers when they are in
+			edit/readline/ instead of readline/. [RT #43658]
+
+4513.	[cleanup]	Minimum Python versions are now 2.7 and 3.2.
+			[RT #43566]
+
+4512.	[bug]		win32: @GEOIP_INC@ missing from delv.vcxproj.in.
+			[RT #43556]
+
+4510.	[security]	Named mishandled some responses where covering RRSIG
+			records are returned without the requested data
+			resulting in a assertion failure. (CVE-2016-9147)
+			[RT #43548]
+
+4509.	[test]		Make the rrl system test more reliable on slower
+			machines by using mdig instead of dig. [RT #43280]
+
+4508.	[security]	Named incorrectly tried to cache TKEY records which
+			could trigger a assertion failure when there was
+			a class mismatch. (CVE-2016-9131) [RT #43522]
+
+4507.	[bug]		Named could incorrectly log 'allows updates by IP
+			address, which is insecure' [RT #43432]
+
+4505.	[port]		Use IP_PMTUDISC_OMIT if available. [RT #35494]
+
+4504.	[security]	Allow the maximum number of records in a zone to
+			be specified.  This provides a control for issues
+			raised in CVE-2016-6170. [RT #42143]
+
+4503.	[cleanup]	"make uninstall" now removes files installed by
+			BIND. (This currently excludes Python files
+			due to lack of support in setup.py.) [RT #42912]
+
+4502.	[func]		Report multiple and experimental options when printing
+			grammar. [RT #43134]
+
+4500.	[bug]		Support modifier I64 in isc__print_printf. [RT #43526]
+
+4499.	[port]		MacOSX: silence deprecated function warning
+			by using arc4random_stir() when available
+			instead of arc4random_addrandom(). [RT #43503]
+
+4498.	[test]		Simplify prerequisite checks in system tests.
+			[RT #43516]
+
+4497.	[port]		Add support for OpenSSL 1.1.0. [RT #41284]
+
+4496.	[func]		dig: add +idnout to control whether labels are
+			display in punycode or not.  Requires idn support
+			to be enabled at compile time. [RT #43398]
+
+4494.	[bug]		Look for <editline/readline.h>. [RT #43429]
+
+4492.	[bug]		irs_resconf_load failed to initialize sortlistnxt
+			causing bad writes if resolv.conf contained a
+			sortlist directive. [RT #43459]
+
+4491.	[bug]		Improve message emitted when testing whether sendmsg
+			works with TOS/TCLASS fails. [RT #43483]
+
+4490.	[maint]		Added AAAA (2001:500:12::d0d) for G.ROOT-SERVERS.NET.
+
+4489.	[security]	It was possible to trigger assertions when processing
+			a response containing a DNAME answer. (CVE-2016-8864)
+			[RT #43465]
+
+4488.	[port]		Darwin: use -framework for Kerberos. [RT #43418]
+
+4487.	[test]		Make system tests work on Windows. [RT #42931]
+
+4486.	[bug]		Look in $prefix/lib/pythonX.Y/site-packages for
+			the python modules we install. [RT #43330]
+
+4485.	[bug]		Failure to find readline when requested should be
+			fatal to configure. [RT #43328]
+
+4484.	[func]		Check prefixes in acls to make sure the address and
+			prefix lengths are consistent.  Warn only in
+			BIND 9.11 and earlier. [RT #43367]
+
+4483.	[bug]		Address use before require check and remove extraneous
+			dns_message_gettsigkey call in dns_tsig_sign.
+			[RT #43374]
+
+4476.	[test]		Fix reclimit test on slower machines. [RT #43283]
+
+4475.	[doc]		Update named-checkconf documentation. [RT #43153]
+
+4474.	[bug]		win32: call WSAStartup in fromtext_in_wks so that
+			getprotobyname and getservbyname work.  [RT #43197]
+
+4473.	[bug]		Only call fsync / _commit on regular files. [RT #43196]
+
+4472.	[bug]		Named could fail to find the correct NSEC3 records when
+			a zone was updated between looking for the answer and
+			looking for the NSEC3 records proving nonexistence
+			of the answer. [RT #43247]
+
+4471.	[cleanup]	Revert a query logging change inadvertently
+			backported from 9.11. [RT #43238]
+
+4468.	[bug]		Address ECS option handling issues. [RT #43191]
+
+4467.	[security]	It was possible to trigger an assertion when
+			rendering a message. (CVE-2016-2776) [RT #43139]
+
+4466.	[bug]		Interface scanning didn't work on a Windows system
+			without a non local IPv6 addresses. [RT #43130]
+
+4464.	[bug]		Fix windows python support. [RT #43173]
+
+4461.	[bug]		win32: not all external data was properly marked
+			as external data for windows dll. [RT #43161]
+
+4458.	[cleanup]	Update assertions to be more correct, and also remove
+			use of a reserved word. [RT #43090]
+
+4457.	[maint]		Added AAAA (2001:500:a8::e) for E.ROOT-SERVERS.NET.
+
+4456.	[doc]		Add DOCTYPE and lang attribute to <html> tags.
+			[RT #42587]
+
+4453.	[bug]		Prefetching of DS records failed to update their
+			RRSIGs. [RT #42865]
+
+4451.	[cleanup]	Log more useful information if a PKCS#11 provider
+			library cannot be loaded. [RT #43076]
+
+4450.	[port]		Provide more nuanced HSM support which better matches
+			the specific PKCS11 providers capabilities. [RT #42458]
+
+4448.	[bug]		win32: ::1 was not being found when iterating
+			interfaces. [RT #42993]
+
+4446.	[bug]		The cache_find() and _findrdataset() functions
+			could find rdatasets that had been marked stale.
+			[RT #42853]
+
+4445.	[cleanup]	isc_errno_toresult() can now be used to call the
+			formerly private function isc__errno2result().
+			[RT #43050]
+
+4443.	[func]		Set TCP_MAXSEG in addition to IPV6_USE_MIN_MTU on
+			TCP sockets. [RT #42864]
+
+4442.	[bug]		Fix RPZ CIDR tree insertion bug that corrupted
+			tree data structure with overlapping networks
+			(longest prefix match was ineffective).
+			[RT #43035]
+
+4441.	[cleanup]	Alphabetize host's help output. [RT #43031]
+
+4435.	[tuning]	Only set IPV6_USE_MIN_MTU for UDP when the message
+			will not fit into a single IPv4 encapsulated IPv6
+			UDP packet when transmitted over a Ethernet link.
+			[RT #42871]
+
+4434.	[protocol]	Return EDNS EXPIRE option for master zones in addition
+			to slave zones. [RT #43008]
+
+4433.	[cleanup]	Report an error when passing an invalid option or
+			view name to "rndc dumpdb". [RT #42958]
+
+4432.	[test]		Hide rndc output on expected failures in logfileconfig
+			system test. [RT #27996]
+
+4431.	[bug]		named-checkconf now checks the rate-limit clause.
+			[RT #42970]
+
+4430.	[bug]		Lwresd died if a search list was not defined.
+			Found by 0x710DDDD At Alibaba Security. [RT #42895]
+
+4425.	[bug]		arpaname and named-rrchecker were not being installed
+			into ${prefix}/bin.  [RT #42910]
+
+4424.	[experimental]	Named now sends _ta-XXXX.<trust-anchor>/NULL queries
+			to provide feedback to the trust-anchor administrators
+			about how key rollovers are progressing as per
+			draft-ietf-dnsop-edns-key-tag-02.  This can be
+			disabled using 'trust-anchor-telemetry no;'.
+			[RT #40583]
+
+4423.	[maint]		Added missing IPv6 address 2001:500:84::b for
+			B.ROOT-SERVERS.NET. [RT #42898]
+
+4422.	[port]		Silence clang warnings in dig.c and dighost.c.
+			[RT #42451]
+
+4418.	[bug]		Fix a compiler warning in GSSAPI code. [RT #42879]
+
+4414.	[bug]		Corrected a bug in the MIPS implementation of
+			isc_atomic_xadd(). [RT #41965]
+
+4413.	[bug]		GSSAPI negotiation could fail if GSS_S_CONTINUE_NEEDED
+			was returned. [RT #42733]
+
+4412.	[cleanup]	Make fixes for GCC 6. ISC_OFFSET_MAXIMUM macro was
+			removed. [RT #42721]
+
+4409.	[bug]		DNS64 should exclude mapped addresses by default when
+			an exclude acl is not defined. [RT #42810]
+
+4407.	[performance]	Use GCC builtin for clz in RPZ lookup code.
+			[RT #42818]
+
+4406.	[security]	getrrsetbyname with a non absolute name could
 			trigger an infinite recursion bug in lwresd
 			and named with lwres configured if when combined
 			with a search list entry the resulting name is
@@ -10,22 +373,96 @@
 			not remove a delegation in a NSEC3 signed zone using
 			OPTOUT via nsupdate. [RT #42702]
 
+4404.	[misc]		Allow krb5-config to be used when configuring gssapi.
+			[RT #42580]
+
+4403.	[bug]		Rename variables and arguments that shadow: basename,
+			clone and gai_error.
+
+4397.	[bug]		Update Windows python support. [RT #42538]
+
+4395.	[bug]		Improve out-of-tree installation of python modules.
+			[RT #42586]
+
 4387.	[bug]		Change 4336 was not complete leading to SERVFAIL
 			being return as NS records expired. [RT #42683]
 
-	--- 9.10.4-P1 released ---
+4384.	[bug]		Change 4256 accidentally disabled logging of the
+			rndc command. [RT #42654]
+
+4379.	[bug]		An INSIST could be triggered if a zone contains
+			RRSIG records with expiry fields that loop
+			using serial number arithmetic. [RT #40571]
+
+4378.	[contrib]	#include <isc/string.h> for strlcat in zone2ldap.c.
+			[RT #42525]
+
+4377.	[bug]		Don't reuse zero TTL responses beyond the current
+			client set (excludes ANY/SIG/RRSIG queries).
+			[RT #42142]
+
+4374.	[bug]		Use SAVE/RESTORE macros in query.c to reduce the
+			probability of reference counting errors as seen
+			in 4365. [RT #42405]
+
+4373.	[bug]		Address undefined behavior in getaddrinfo. [RT #42479]
+
+4372.	[bug]		Address undefined behavior in libt_api. [RT #42480]
+
+4369.	[bug]		Fix 'make' and 'make install' out-of-tree python
+			support. [RT #42484]
 
 4368.	[bug]		Fix a crash when calling "rndc stats" on some
 			Windows builds because some Visual Studio compilers
 			generated crashing code for the "%z" printf()
 			format specifier. [RT #42380]
 
+4367.	[bug]		Remove unnecessary assignment of loadtime in
+			zone_touched. [RT #42440]
+
 4366.	[bug]		Address race condition when updating rbtnode bit
 			fields. [RT #42379]
 
 4363.	[port]		win32: Disable explicit triggering UAC when running
 			BINDInstall.
 
+4361.	[cleanup]	Where supported, file modification times returned
+			by isc_file_getmodtime() are now accurate to the
+			nanosecond. [RT #41968]
+
+4360.	[bug]		Silence spurious 'bad key type' message when there is
+			a existing TSIG key. [RT #42195]
+
+4359.	[bug]		Inherited 'also-notify' lists were not being checked
+			by named-checkconf. [RT #42174]
+
+4354.	[bug]		Check that the received HMAC length matches the
+			expected length prior to check the contents on the
+			control channel.  This prevents a OOB read error.
+			This was reported by Lian Yihan, <lianyihan@360.cn>.
+			[RT #42215]
+
+4353.	[cleanup]	Update PKCS#11 header files. [RT #42175]
+
+4352.	[cleanup]	The ISC DNSSEC Lookaside Validation (DLV) service
+			is scheduled to be disabled in 2017.  A warning is
+			now logged when named is configured to use it,
+			either explicitly or via "dnssec-lookaside auto;"
+			[RT #42207]
+
+4351.	[bug]		'dig +noignore' didn't work. [RT #42273]
+
+4350.	[contrib]	Declare result in  dlz_filesystem_dynamic.c.
+
+4348.	[cleanup]	Refactor dnssec-coverage and dnssec-checkds
+			functionality into an "isc" python module. [RT #39211]
+
+4013.	[func]		Add a new tcp-only option to server (config) /
+			peer (struct) to use TCP transport to send
+			queries (in place of UDP transport with a
+			TCP fallback on truncated (TC set) response).
+			[RT #37800]
+
 	--- 9.10.4 released ---
 
 	--- 9.10.4rc1 released ---
@@ -380,7 +817,7 @@
 4207.	[bug]		Handle class mismatches with raw zone files.
 			[RT #40746]
 
-4206.   [bug]		contrib: fixed a possible NULL dereference in
+4206.	[bug]		contrib: fixed a possible NULL dereference in
 			DLZ wildcard module. [RT #40745]
 
 4205.	[bug]		'named-checkconf -p' could include unwanted spaces
@@ -591,7 +1028,7 @@
 
 4136.	[bug]		Stale statistics counters with the leading
 			'#' prefix (such as #NXDOMAIN) were not being
-			updated correctly. This	has been fixed. [RT #39141]
+			updated correctly. This has been fixed. [RT #39141]
 
 4134.	[cleanup]	Include client-ip rules when logging the number
 			of RPZ rules of each type. [RT #39670]
@@ -1033,7 +1470,7 @@
 3995.	[bug]		receive_secure_serial holds the zone lock for too
 			long. [RT #37626]
 
-3990.	[testing]	Add tests for unknown DNSSEC algorithm handling.
+3990.	[test]		Add tests for unknown DNSSEC algorithm handling.
 			[RT #37541]
 
 3989.	[cleanup]	Remove redundant dns_db_resigned calls. [RT #35748]

COPYRIGHT

@@ -1,4 +1,4 @@
-Copyright (C) 2004-2016  Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 2004-2017  Internet Systems Consortium, Inc. ("ISC")
 Copyright (C) 1996-2003  Internet Software Consortium.
 
 Permission to use, copy, modify, and/or distribute this software for any

FAQ

@@ -1,8 +1,6 @@
-Copyright ? 2004-2010, 2013, 2014 Internet Systems Consortium, Inc.
+Copyright ? 2000-2010, 2013-2016 Internet Systems Consortium, Inc.
 ("ISC")
 
-Copyright ? 2000-2003 Internet Software Consortium.
-
 -----------------------------------------------------------------------
 
 1. Compilation and Installation Questions

FAQ.xml

@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004-2010, 2013-2015  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2010, 2013-2017  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
 <!-- Converted by db4-upgrade version 1.0 -->
 <article xmlns="http://docbook.org/ns/docbook" version="5.0" class="faq">
 
-  <info>
+  <articleinfo>
     <copyright>
       <year>2004</year>
       <year>2005</year>
@@ -29,6 +29,9 @@
       <year>2010</year>
       <year>2013</year>
       <year>2014</year>
+      <year>2015</year>
+      <year>2016</year>
+      <year>2017</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -38,7 +41,7 @@
       <year>2003</year>
       <holder>Internet Software Consortium.</holder>
     </copyright>
-  </info>
+  </articleinfo>
   <qandaset defaultlabel="qanda">
 
     <qandadiv><title>Compilation and Installation Questions</title>

Makefile.in

@@ -1,4 +1,4 @@
-# Copyright (C) 2004-2009, 2011-2015  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2009, 2011-2016  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -69,6 +69,13 @@ install:: isc-config.sh installdirs
 	@LN@ ${DESTDIR}${mandir}/man1/isc-config.sh.1 ${DESTDIR}${mandir}/man1/bind9-config.1
 	${INSTALL_DATA} ${top_srcdir}/bind.keys ${DESTDIR}${sysconfdir}
 
+uninstall::
+	rm -f ${DESTDIR}${sysconfdir}/bind.keys
+	rm -f ${DESTDIR}${mandir}/man1/bind9-config.1
+	rm -f ${DESTDIR}${mandir}/man1/isc-config.sh.1
+	rm -f ${DESTDIR}${bindir}/bind9-config
+	rm -f ${DESTDIR}${bindir}/isc-config.sh
+
 tags:
 	rm -f TAGS
 	find lib bin -name "*.[ch]" -print | @ETAGS@ -

README

@@ -51,26 +51,25 @@ BIND 9
 	For up-to-date release notes and errata, see
 	http://www.isc.org/software/bind9/releasenotes
 
-BIND 9.10.4-P2
+BIND 9.10.5-P1
 
-	This version contains a fix for CVE-2016-2775 and addresses
-	two regressions introduced with BIND 9.10.4.
+        This version contains a fix for the security flaws
+        disclosed in CVE-2017-3140 and CVE-2017-3141.
 
-BIND 9.10.4-P1
-
-	This version contains three urgent fixes to BIND 9.10.4:
-	1) Windows installation was failing without manual updating
-	   of BINDinstall's attributes.
-	2) Windows doesn't support the %z printf modifier.
-	3) A race condition was causing instability in the RBT
-	   tree state.
+BIND 9.10.5
+	
+	BIND 9.10.5 is a maintenance release and addresses the security
+	flaws disclosed in CVE-2016-2775, CVE-2016-2776, CVE-2016-6170,
+	CVE-2016-8864, CVE-2016-9131, CVE-2016-9147, CVE-2016-9444,
+	CVE-2017-3135, CVE-2017-3136, CVE-2017-3137, and CVE-2017-3138.
 
 BIND 9.10.4
 
 	BIND 9.10.4 is a maintenance release and addresses bugs
 	found in BIND 9.10.3 and earlier, as well as the security
 	flaws described in CVE-2015-8000, CVE-2015-8461, CVE-2015-8704,
-	CVE-2015-8705, CVE-2016-1285, CVE-2016-1286, and CVE-2016-2088.
+	CVE-2015-8705, CVE-2016-1285, CVE-2016-1286, CVE-2016-2088,
+	CVE-2016-2775 and CVE-2016-2776.
 
 BIND 9.10.3
 
@@ -365,6 +364,7 @@ Building
 		Change the default syslog facility of named/lwresd.
 		  -DISC_FACILITY=LOG_LOCAL0
 		Enable DNSSEC signature chasing support in dig.
+		  (This feature is deprecated. Use `delv` instead.)
 		  -DDIG_SIGCHASE=1 (sets -DDIG_SIGCHASE_TD=1 and
 				    -DDIG_SIGCHASE_BU=1)
 		Disable dropping queries from particular well known ports.
@@ -419,7 +419,7 @@ Building
 	systems.
 
 	For the server to support DNSSEC, you need to build it
-	with crypto support.  You must have OpenSSL 0.9.5a
+	with crypto support.  You must have OpenSSL 1.0.1t
 	or newer installed and specify "--with-openssl" on the
 	configure command line.  If OpenSSL is installed under
 	a nonstandard prefix, you can tell configure where to
@@ -431,6 +431,9 @@ Building
 	If these are installed at a nonstandard prefix, use
 	"--with-libxml2=/prefix" or "--with-libjson=/prefix".
 
+	Python requires 'argparse' to be available.  'argparse' is
+	a standard module as of Python 2.7 and Python 3.2.
+
 	On some platforms it is necessary to explicitly request large
 	file support to handle files bigger than 2GB.  This can be
 	done by "--enable-largefile" on the configure command line.

acconfig.h

@@ -70,12 +70,6 @@
 /** define if gai_strerror() exists */
 #undef HAVE_GAISTRERROR
 
-/** define if arc4random() exists */
-#undef HAVE_ARC4RANDOM
-
-/** define if arc4random_addrandom() exists */
-#undef HAVE_ARC4RANDOM_ADDRANDOM
-
 /**
  * define if pthread_setconcurrency() should be called to tell the
  * OS how many threads we might want to run.

bin/check/Makefile.in

@@ -1,4 +1,4 @@
-# Copyright (C) 2004-2007, 2009, 2012, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2007, 2009, 2012, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000-2003  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -24,9 +24,9 @@ VERSION=@BIND9_VERSION@
 @BIND9_MAKE_INCLUDES@
 
 CINCLUDES =	${BIND9_INCLUDES} ${DNS_INCLUDES} ${ISCCFG_INCLUDES} \
-		${ISC_INCLUDES}
+		${ISC_INCLUDES} @DST_OPENSSL_INC@
 
-CDEFINES = 	-DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
+CDEFINES = 	@CRYPTO@ -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
 CWARNINGS =
 
 DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
@@ -96,5 +96,12 @@ install:: named-checkconf@EXEEXT@ named-checkzone@EXEEXT@ installdirs
 	for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done
 	(cd ${DESTDIR}${mandir}/man8; rm -f named-compilezone.8; ${LINK_PROGRAM} named-checkzone.8 named-compilezone.8)
 
+uninstall::
+	rm -f ${DESTDIR}${mandir}/man8/named-compilezone.8
+	for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m ; done
+	rm -f ${DESTDIR}${sbindir}/named-compilezone@EXEEXT@
+	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-checkconf@EXEEXT@
+	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-checkzone@EXEEXT@
+
 clean distclean::
 	rm -f ${TARGETS} r1.htm

bin/check/named-checkconf.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007, 2009, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007, 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000-2002 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
@@ -48,7 +48,7 @@
 named-checkconf \- named configuration file syntax checking tool
 .SH "SYNOPSIS"
 .HP \w'\fBnamed\-checkconf\fR\ 'u
-\fBnamed\-checkconf\fR [\fB\-h\fR] [\fB\-v\fR] [\fB\-j\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] {filename} [\fB\-p\fR] [\fB\-x\fR] [\fB\-z\fR]
+\fBnamed\-checkconf\fR [\fB\-hjvz\fR] [\fB\-p\fR\ [\fB\-x\fR\ ]] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] {filename}
 .SH "DESCRIPTION"
 .PP
 \fBnamed\-checkconf\fR
@@ -78,11 +78,26 @@ can be run on these files explicitly, however\&.
 Print the usage summary and exit\&.
 .RE
 .PP
+\-j
+.RS 4
+When loading a zonefile read the journal if it exists\&.
+.RE
+.PP
+\-p
+.RS 4
+Print out the
+named\&.conf
+and included files in canonical form if no errors were detected\&. See also the
+\fB\-x\fR
+option\&.
+.RE
+.PP
 \-t \fIdirectory\fR
 .RS 4
 Chroot to
 directory
-so that include directives in the configuration file are processed as if run by a similarly chrooted named\&.
+so that include directives in the configuration file are processed as if run by a similarly chrooted
+\fBnamed\fR\&.
 .RE
 .PP
 \-v
@@ -92,13 +107,6 @@ Print the version of the
 program and exit\&.
 .RE
 .PP
-\-p
-.RS 4
-Print out the
-named\&.conf
-and included files in canonical form if no errors were detected\&.
-.RE
-.PP
 \-x
 .RS 4
 When printing the configuration files in canonical form, obscure shared secrets by replacing them with strings of question marks (\*(Aq?\*(Aq)\&. This allows the contents of
@@ -113,11 +121,6 @@ Perform a test load of all master zones found in
 named\&.conf\&.
 .RE
 .PP
-\-j
-.RS 4
-When loading a zonefile read the journal if it exists\&.
-.RE
-.PP
 filename
 .RS 4
 The name of the configuration file to be checked\&. If not specified, it defaults to
@@ -137,7 +140,7 @@ BIND 9 Administrator Reference Manual\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2004, 2005, 2007, 2009, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007, 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
 .br
 Copyright \(co 2000-2002 Internet Software Consortium.
 .br

bin/check/named-checkconf.c

@@ -68,7 +68,7 @@ usage(void) ISC_PLATFORM_NORETURN_POST;
 
 static void
 usage(void) {
-	fprintf(stderr, "usage: %s [-h] [-j] [-p] [-v] [-z] [-t directory] "
+	fprintf(stderr, "usage: %s [-hjvz] [-p [-x]] [-t directory] "
 		"[named.conf]\n", program);
 	exit(1);
 }

bin/check/named-checkconf.docbook

@@ -1,7 +1,7 @@
 <!DOCTYPE book [
 <!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004, 2005, 2007, 2009, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007, 2009, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2002  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named-checkconf">
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named-checkconf">
   <info>
     <date>2014-01-10</date>
   </info>
@@ -41,6 +41,7 @@
       <year>2009</year>
       <year>2014</year>
       <year>2015</year>
+      <year>2016</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -59,14 +60,12 @@
   <refsynopsisdiv>
     <cmdsynopsis sepchar=" ">
       <command>named-checkconf</command>
-      <arg choice="opt" rep="norepeat"><option>-h</option></arg>
-      <arg choice="opt" rep="norepeat"><option>-v</option></arg>
-      <arg choice="opt" rep="norepeat"><option>-j</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-hjvz</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-p</option>
+	<arg choice="opt" rep="norepeat"><option>-x</option>
+      </arg></arg>
       <arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
       <arg choice="req" rep="norepeat">filename</arg>
-      <arg choice="opt" rep="norepeat"><option>-p</option></arg>
-      <arg choice="opt" rep="norepeat"><option>-x</option></arg>
-      <arg choice="opt" rep="norepeat"><option>-z</option></arg>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -93,7 +92,6 @@
 
   <refsection><info><title>OPTIONS</title></info>
 
-
     <variablelist>
       <varlistentry>
         <term>-h</term>
@@ -105,22 +103,10 @@
       </varlistentry>
 
       <varlistentry>
-        <term>-t <replaceable class="parameter">directory</replaceable></term>
+        <term>-j</term>
         <listitem>
           <para>
-            Chroot to <filename>directory</filename> so that include
-            directives in the configuration file are processed as if
-            run by a similarly chrooted named.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-v</term>
-        <listitem>
-          <para>
-            Print the version of the <command>named-checkconf</command>
-            program and exit.
+            When loading a zonefile read the journal if it exists.
           </para>
         </listitem>
       </varlistentry>
@@ -131,6 +117,28 @@
           <para>
 	    Print out the <filename>named.conf</filename> and included files
 	    in canonical form if no errors were detected.
+            See also the <option>-x</option> option.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-t <replaceable class="parameter">directory</replaceable></term>
+        <listitem>
+          <para>
+            Chroot to <filename>directory</filename> so that include
+            directives in the configuration file are processed as if
+            run by a similarly chrooted <command>named</command>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-v</term>
+        <listitem>
+          <para>
+            Print the version of the <command>named-checkconf</command>
+            program and exit.
           </para>
         </listitem>
       </varlistentry>
@@ -160,15 +168,6 @@
         </listitem>
       </varlistentry>
 
-      <varlistentry>
-        <term>-j</term>
-        <listitem>
-          <para>
-            When loading a zonefile read the journal if it exists.
-          </para>
-        </listitem>
-      </varlistentry>
-
       <varlistentry>
         <term>filename</term>
         <listitem>

bin/check/named-checkconf.html

@@ -1,5 +1,6 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2004, 2005, 2007, 2009, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007, 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2002 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
@@ -14,7 +15,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<html>
+<html lang="en">
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>named-checkconf</title>
@@ -22,24 +23,45 @@
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.named-checkconf"></a><div class="titlepage"></div>
-<div class="refnamediv">
+  
+  
+
+  
+
+  
+
+  <div class="refnamediv">
 <h2>Name</h2>
-<p><span class="application">named-checkconf</span> &#8212; named configuration file syntax checking tool</p>
+<p>
+    <span class="application">named-checkconf</span>
+     &#8212; named configuration file syntax checking tool
+  </p>
 </div>
-<div class="refsynopsisdiv">
+
+  <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">named-checkconf</code>  [<code class="option">-h</code>] [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] {filename} [<code class="option">-p</code>] [<code class="option">-x</code>] [<code class="option">-z</code>]</p></div>
-</div>
-<div class="refsection">
+    <div class="cmdsynopsis"><p>
+      <code class="command">named-checkconf</code> 
+       [<code class="option">-hjvz</code>]
+       [<code class="option">-p</code>
+	 [<code class="option">-x</code>
+      ]]
+       [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>]
+       {filename}
+    </p></div>
+  </div>
+
+  <div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-<p><span class="command"><strong>named-checkconf</strong></span>
+
+    <p><span class="command"><strong>named-checkconf</strong></span>
       checks the syntax, but not the semantics, of a
       <span class="command"><strong>named</strong></span> configuration file.  The file is parsed
       and checked for syntax errors, along with all files included by it.
       If no file is specified, <code class="filename">/etc/named.conf</code> is read
       by default.
     </p>
-<p>
+    <p>
       Note: files that <span class="command"><strong>named</strong></span> reads in separate
       parser contexts, such as <code class="filename">rndc.key</code> and
       <code class="filename">bind.keys</code>, are not automatically read
@@ -49,32 +71,50 @@
       successful.  <span class="command"><strong>named-checkconf</strong></span> can be run
       on these files explicitly, however.
     </p>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.8"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl class="variablelist">
+
+    <div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-h</span></dt>
-<dd><p>
+<dd>
+          <p>
             Print the usage summary and exit.
-          </p></dd>
-<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
-<dd><p>
-            Chroot to <code class="filename">directory</code> so that include
-            directives in the configuration file are processed as if
-            run by a similarly chrooted named.
-          </p></dd>
-<dt><span class="term">-v</span></dt>
-<dd><p>
-            Print the version of the <span class="command"><strong>named-checkconf</strong></span>
-            program and exit.
-          </p></dd>
+          </p>
+        </dd>
+<dt><span class="term">-j</span></dt>
+<dd>
+          <p>
+            When loading a zonefile read the journal if it exists.
+          </p>
+        </dd>
 <dt><span class="term">-p</span></dt>
-<dd><p>
+<dd>
+          <p>
 	    Print out the <code class="filename">named.conf</code> and included files
 	    in canonical form if no errors were detected.
-          </p></dd>
+            See also the <code class="option">-x</code> option.
+          </p>
+        </dd>
+<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
+<dd>
+          <p>
+            Chroot to <code class="filename">directory</code> so that include
+            directives in the configuration file are processed as if
+            run by a similarly chrooted <span class="command"><strong>named</strong></span>.
+          </p>
+        </dd>
+<dt><span class="term">-v</span></dt>
+<dd>
+          <p>
+            Print the version of the <span class="command"><strong>named-checkconf</strong></span>
+            program and exit.
+          </p>
+        </dd>
 <dt><span class="term">-x</span></dt>
-<dd><p>
+<dd>
+          <p>
 	    When printing the configuration files in canonical
             form, obscure shared secrets by replacing them with
             strings of question marks ('?'). This allows the
@@ -82,36 +122,46 @@
             files to be shared &#8212; for example, when submitting
             bug reports &#8212; without compromising private data.
             This option cannot be used without <code class="option">-p</code>.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-z</span></dt>
-<dd><p>
+<dd>
+          <p>
 	    Perform a test load of all master zones found in
 	    <code class="filename">named.conf</code>.
-          </p></dd>
-<dt><span class="term">-j</span></dt>
-<dd><p>
-            When loading a zonefile read the journal if it exists.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">filename</span></dt>
-<dd><p>
+<dd>
+          <p>
             The name of the configuration file to be checked.  If not
             specified, it defaults to <code class="filename">/etc/named.conf</code>.
-          </p></dd>
+          </p>
+        </dd>
 </dl></div>
-</div>
-<div class="refsection">
+
+  </div>
+
+  <div class="refsection">
 <a name="id-1.9"></a><h2>RETURN VALUES</h2>
-<p><span class="command"><strong>named-checkconf</strong></span>
+
+    <p><span class="command"><strong>named-checkconf</strong></span>
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     </p>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.10"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">named-checkzone</span>(8)</span>,
+
+    <p><span class="citerefentry">
+        <span class="refentrytitle">named</span>(8)
+      </span>,
+      <span class="citerefentry">
+        <span class="refentrytitle">named-checkzone</span>(8)
+      </span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
-</div>
+  </div>
 </div></body>
 </html>

bin/check/named-checkzone.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004-2007, 2009-2015 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2007, 2009-2016 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000-2002 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
@@ -333,7 +333,7 @@ BIND 9 Administrator Reference Manual\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2004-2007, 2009-2015 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004-2007, 2009-2016 Internet Systems Consortium, Inc. ("ISC")
 .br
 Copyright \(co 2000-2002 Internet Software Consortium.
 .br

bin/check/named-checkzone.docbook

@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004-2007, 2009-2015  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007, 2009-2016  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2002  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and/or distribute this software for any
@@ -16,7 +16,7 @@
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named-checkzone">
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named-checkzone">
   <info>
     <date>2014-02-19</date>
   </info>
@@ -44,6 +44,7 @@
       <year>2013</year>
       <year>2014</year>
       <year>2015</year>
+      <year>2016</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>

bin/check/named-checkzone.html

@@ -1,5 +1,6 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2004-2007, 2009-2015 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007, 2009-2016 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2002 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
@@ -14,7 +15,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<html>
+<html lang="en">
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>named-checkzone</title>
@@ -22,24 +23,94 @@
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.named-checkzone"></a><div class="titlepage"></div>
-<div class="refnamediv">
+  
+  
+
+  
+
+  
+
+  <div class="refnamediv">
 <h2>Name</h2>
-<p><span class="application">named-checkzone</span>, <span class="application">named-compilezone</span> &#8212; zone file validity checking or converting tool</p>
+<p>
+    <span class="application">named-checkzone</span>, 
+    <span class="application">named-compilezone</span>
+     &#8212; zone file validity checking or converting tool
+  </p>
 </div>
-<div class="refsynopsisdiv">
+
+  <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">named-checkzone</code>  [<code class="option">-d</code>] [<code class="option">-h</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-J <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-l <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-T <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} {filename}</p></div>
-<div class="cmdsynopsis"><p><code class="command">named-compilezone</code>  [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-J <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-l <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-T <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {<code class="option">-o <em class="replaceable"><code>filename</code></em></code>} {zonename} {filename}</p></div>
-</div>
-<div class="refsection">
+    <div class="cmdsynopsis"><p>
+      <code class="command">named-checkzone</code> 
+       [<code class="option">-d</code>]
+       [<code class="option">-h</code>]
+       [<code class="option">-j</code>]
+       [<code class="option">-q</code>]
+       [<code class="option">-v</code>]
+       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
+       [<code class="option">-f <em class="replaceable"><code>format</code></em></code>]
+       [<code class="option">-F <em class="replaceable"><code>format</code></em></code>]
+       [<code class="option">-J <em class="replaceable"><code>filename</code></em></code>]
+       [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>]
+       [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>]
+       [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>]
+       [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>]
+       [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>]
+       [<code class="option">-l <em class="replaceable"><code>ttl</code></em></code>]
+       [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>]
+       [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>]
+       [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>]
+       [<code class="option">-s <em class="replaceable"><code>style</code></em></code>]
+       [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>]
+       [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>]
+       [<code class="option">-T <em class="replaceable"><code>mode</code></em></code>]
+       [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>]
+       [<code class="option">-D</code>]
+       [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>]
+       {zonename}
+       {filename}
+    </p></div>
+    <div class="cmdsynopsis"><p>
+      <code class="command">named-compilezone</code> 
+       [<code class="option">-d</code>]
+       [<code class="option">-j</code>]
+       [<code class="option">-q</code>]
+       [<code class="option">-v</code>]
+       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
+       [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>]
+       [<code class="option">-f <em class="replaceable"><code>format</code></em></code>]
+       [<code class="option">-F <em class="replaceable"><code>format</code></em></code>]
+       [<code class="option">-J <em class="replaceable"><code>filename</code></em></code>]
+       [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>]
+       [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>]
+       [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>]
+       [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>]
+       [<code class="option">-l <em class="replaceable"><code>ttl</code></em></code>]
+       [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>]
+       [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>]
+       [<code class="option">-s <em class="replaceable"><code>style</code></em></code>]
+       [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>]
+       [<code class="option">-T <em class="replaceable"><code>mode</code></em></code>]
+       [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>]
+       [<code class="option">-D</code>]
+       [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>]
+       {<code class="option">-o <em class="replaceable"><code>filename</code></em></code>}
+       {zonename}
+       {filename}
+    </p></div>
+  </div>
+
+  <div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-<p><span class="command"><strong>named-checkzone</strong></span>
+
+    <p><span class="command"><strong>named-checkzone</strong></span>
       checks the syntax and integrity of a zone file.  It performs the
       same checks as <span class="command"><strong>named</strong></span> does when loading a
       zone.  This makes <span class="command"><strong>named-checkzone</strong></span> useful for
       checking zone files before configuring them into a name server.
     </p>
-<p>
+    <p>
         <span class="command"><strong>named-compilezone</strong></span> is similar to
 	<span class="command"><strong>named-checkzone</strong></span>, but it always dumps the
         zone contents to a specified file in a specified format.
@@ -50,45 +121,62 @@
         least be as strict as those specified in the
 	<span class="command"><strong>named</strong></span> configuration file.
      </p>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.8"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl class="variablelist">
+
+
+    <div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-d</span></dt>
-<dd><p>
+<dd>
+          <p>
             Enable debugging.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-h</span></dt>
-<dd><p>
+<dd>
+          <p>
             Print the usage summary and exit.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-q</span></dt>
-<dd><p>
+<dd>
+          <p>
             Quiet mode - exit code only.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-v</span></dt>
-<dd><p>
+<dd>
+          <p>
             Print the version of the <span class="command"><strong>named-checkzone</strong></span>
             program and exit.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-j</span></dt>
-<dd><p>
+<dd>
+          <p>
             When loading a zone file, read the journal if it exists.
             The journal file name is assumed to be the zone file name
 	    appended with the string <code class="filename">.jnl</code>.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-J <em class="replaceable"><code>filename</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             When loading the zone file read the journal from the given
             file, if it exists. (Implies -j.)
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Specify the class of the zone.  If not specified, "IN" is assumed.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-i <em class="replaceable"><code>mode</code></em></span></dt>
 <dd>
-<p>
+	  <p>
 	      Perform post-load zone integrity checks.  Possible modes are
 	      <span class="command"><strong>"full"</strong></span> (default),
 	      <span class="command"><strong>"full-sibling"</strong></span>,
@@ -96,19 +184,19 @@
 	      <span class="command"><strong>"local-sibling"</strong></span> and
 	      <span class="command"><strong>"none"</strong></span>.
 	  </p>
-<p>
+	  <p>
 	      Mode <span class="command"><strong>"full"</strong></span> checks that MX records
 	      refer to A or AAAA record (both in-zone and out-of-zone
 	      hostnames).  Mode <span class="command"><strong>"local"</strong></span> only
 	      checks MX records which refer to in-zone hostnames.
 	  </p>
-<p>
+	  <p>
 	      Mode <span class="command"><strong>"full"</strong></span> checks that SRV records
 	      refer to A or AAAA record (both in-zone and out-of-zone
 	      hostnames).  Mode <span class="command"><strong>"local"</strong></span> only
 	      checks SRV records which refer to in-zone hostnames.
 	  </p>
-<p>
+	  <p>
 	      Mode <span class="command"><strong>"full"</strong></span> checks that delegation NS
 	      records refer to A or AAAA record (both in-zone and out-of-zone
 	      hostnames).  It also checks that glue address records
@@ -117,31 +205,33 @@
 	      refer to in-zone hostnames or that some required glue exists,
 	      that is when the nameserver is in a child zone.
 	  </p>
-<p>
+	  <p>
 	      Mode <span class="command"><strong>"full-sibling"</strong></span> and
 	      <span class="command"><strong>"local-sibling"</strong></span> disable sibling glue
 	      checks but are otherwise the same as <span class="command"><strong>"full"</strong></span>
 	      and <span class="command"><strong>"local"</strong></span> respectively.
 	  </p>
-<p>
+	  <p>
 	      Mode <span class="command"><strong>"none"</strong></span> disables the checks.
 	  </p>
-</dd>
+	</dd>
 <dt><span class="term">-f <em class="replaceable"><code>format</code></em></span></dt>
-<dd><p>
+<dd>
+	  <p>
 	    Specify the format of the zone file.
 	    Possible formats are <span class="command"><strong>"text"</strong></span> (default),
 	    <span class="command"><strong>"raw"</strong></span>, and <span class="command"><strong>"map"</strong></span>.
-	  </p></dd>
+	  </p>
+	</dd>
 <dt><span class="term">-F <em class="replaceable"><code>format</code></em></span></dt>
 <dd>
-<p>
+	  <p>
 	    Specify the format of the output file specified.
 	    For <span class="command"><strong>named-checkzone</strong></span>,
 	    this does not cause any effects unless it dumps the zone
 	    contents.
 	  </p>
-<p>
+	  <p>
 	    Possible formats are <span class="command"><strong>"text"</strong></span> (default),
 	    which is the standard textual representation of the zone,
 	    and <span class="command"><strong>"map"</strong></span>, <span class="command"><strong>"raw"</strong></span>,
@@ -152,9 +242,10 @@
             any version of <span class="command"><strong>named</strong></span>; if N is 1, the file
             can be read by release 9.9.0 or higher; the default is 1.
 	  </p>
-</dd>
+	</dd>
 <dt><span class="term">-k <em class="replaceable"><code>mode</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Perform <span class="command"><strong>"check-names"</strong></span> checks with the
 	    specified failure mode.
             Possible modes are <span class="command"><strong>"fail"</strong></span>
@@ -162,38 +253,48 @@
             <span class="command"><strong>"warn"</strong></span>
 	    (default for <span class="command"><strong>named-checkzone</strong></span>) and
             <span class="command"><strong>"ignore"</strong></span>.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-l <em class="replaceable"><code>ttl</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Sets a maximum permissible TTL for the input file.
             Any record with a TTL higher than this value will cause
             the zone to be rejected.  This is similar to using the
             <span class="command"><strong>max-zone-ttl</strong></span> option in
             <code class="filename">named.conf</code>.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             When compiling a zone to "raw" or "map" format, set the
             "source serial" value in the header to the specified serial
             number.  (This is expected to be used primarily for testing
             purposes.)
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-m <em class="replaceable"><code>mode</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Specify whether MX records should be checked to see if they
             are addresses.  Possible modes are <span class="command"><strong>"fail"</strong></span>,
             <span class="command"><strong>"warn"</strong></span> (default) and
             <span class="command"><strong>"ignore"</strong></span>.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-M <em class="replaceable"><code>mode</code></em></span></dt>
-<dd><p>
+<dd>
+	  <p>
 	    Check if a MX record refers to a CNAME.
             Possible modes are <span class="command"><strong>"fail"</strong></span>,
             <span class="command"><strong>"warn"</strong></span> (default) and
             <span class="command"><strong>"ignore"</strong></span>.
-	  </p></dd>
+	  </p>
+        </dd>
 <dt><span class="term">-n <em class="replaceable"><code>mode</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Specify whether NS records should be checked to see if they
             are addresses.
 	    Possible modes are <span class="command"><strong>"fail"</strong></span>
@@ -201,24 +302,30 @@
             <span class="command"><strong>"warn"</strong></span>
 	    (default for <span class="command"><strong>named-checkzone</strong></span>) and
             <span class="command"><strong>"ignore"</strong></span>.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-o <em class="replaceable"><code>filename</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Write zone output to <code class="filename">filename</code>.
 	    If <code class="filename">filename</code> is <code class="filename">-</code> then
 	    write to standard out.
 	    This is mandatory for <span class="command"><strong>named-compilezone</strong></span>.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-r <em class="replaceable"><code>mode</code></em></span></dt>
-<dd><p>
+<dd>
+	  <p>
             Check for records that are treated as different by DNSSEC but
 	    are semantically equal in plain DNS.
             Possible modes are <span class="command"><strong>"fail"</strong></span>,
             <span class="command"><strong>"warn"</strong></span> (default) and
             <span class="command"><strong>"ignore"</strong></span>.
-	  </p></dd>
+	  </p>
+        </dd>
 <dt><span class="term">-s <em class="replaceable"><code>style</code></em></span></dt>
-<dd><p>
+<dd>
+	  <p>
 	    Specify the style of the dumped zone file.
 	    Possible styles are <span class="command"><strong>"full"</strong></span> (default)
 	    and <span class="command"><strong>"relative"</strong></span>.
@@ -231,74 +338,101 @@
 	    contents.
 	    It also does not have any meaning if the output format
 	    is not text.
-	  </p></dd>
+	  </p>
+	</dd>
 <dt><span class="term">-S <em class="replaceable"><code>mode</code></em></span></dt>
-<dd><p>
+<dd>
+	  <p>
 	    Check if a SRV record refers to a CNAME.
             Possible modes are <span class="command"><strong>"fail"</strong></span>,
             <span class="command"><strong>"warn"</strong></span> (default) and
             <span class="command"><strong>"ignore"</strong></span>.
-	  </p></dd>
+	  </p>
+        </dd>
 <dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Chroot to <code class="filename">directory</code> so that
             include
             directives in the configuration file are processed as if
             run by a similarly chrooted named.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-T <em class="replaceable"><code>mode</code></em></span></dt>
-<dd><p>
+<dd>
+	  <p>
 	    Check if Sender Policy Framework (SPF) records exist
 	    and issues a warning if an SPF-formatted TXT record is
 	    not also present.  Possible modes are <span class="command"><strong>"warn"</strong></span>
 	    (default), <span class="command"><strong>"ignore"</strong></span>.
-	  </p></dd>
+	  </p>
+	</dd>
 <dt><span class="term">-w <em class="replaceable"><code>directory</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             chdir to <code class="filename">directory</code> so that
             relative
             filenames in master file $INCLUDE directives work.  This
             is similar to the directory clause in
             <code class="filename">named.conf</code>.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-D</span></dt>
-<dd><p>
+<dd>
+          <p>
             Dump zone file in canonical format.
 	    This is always enabled for <span class="command"><strong>named-compilezone</strong></span>.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-W <em class="replaceable"><code>mode</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Specify whether to check for non-terminal wildcards.
             Non-terminal wildcards are almost always the result of a
             failure to understand the wildcard matching algorithm (RFC 1034).
             Possible modes are <span class="command"><strong>"warn"</strong></span> (default)
             and
             <span class="command"><strong>"ignore"</strong></span>.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">zonename</span></dt>
-<dd><p>
+<dd>
+          <p>
             The domain name of the zone being checked.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">filename</span></dt>
-<dd><p>
+<dd>
+          <p>
             The name of the zone file.
-          </p></dd>
+          </p>
+        </dd>
 </dl></div>
-</div>
-<div class="refsection">
+
+  </div>
+
+  <div class="refsection">
 <a name="id-1.9"></a><h2>RETURN VALUES</h2>
-<p><span class="command"><strong>named-checkzone</strong></span>
+
+    <p><span class="command"><strong>named-checkzone</strong></span>
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     </p>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.10"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
+
+    <p><span class="citerefentry">
+        <span class="refentrytitle">named</span>(8)
+      </span>,
+      <span class="citerefentry">
+        <span class="refentrytitle">named-checkconf</span>(8)
+      </span>,
       <em class="citetitle">RFC 1035</em>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
-</div>
+  </div>
+
 </div></body>
 </html>

bin/check/win32/checkconf.dsp.in

@@ -42,7 +42,7 @@ RSC=rc.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
-# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/isccfg/include" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" /FR @COPTY@ /FD /c
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/isccfg/include" @CRYPTO@ /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" /FR @COPTY@ /FD /c
 # ADD BASE RSC /l 0x409 /d "NDEBUG"
 # ADD RSC /l 0x409 /d "NDEBUG"
 BSC32=bscmake.exe
@@ -66,7 +66,7 @@ LINK32=link.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /GZ /c
-# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/isccfg/include" /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/isccfg/include" @CRYPTO@ /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
 # SUBTRACT CPP /X @COPTY@
 # ADD BASE RSC /l 0x409 /d "_DEBUG"
 # ADD RSC /l 0x409 /d "_DEBUG"

bin/check/win32/checkconf.mak.in

@@ -138,7 +138,7 @@ CLEAN :
 "$(OUTDIR)" :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
-CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/isccfg/include" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\checkconf.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/isccfg/include" @CRYPTO@ /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\checkconf.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
 BSC32=bscmake.exe
 BSC32_FLAGS=/nologo /o"$(OUTDIR)\checkconf.bsc" 
 BSC32_SBRS= \
@@ -203,7 +203,7 @@ CLEAN :
 "$(OUTDIR)" :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
-CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/isccfg/include" /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/isccfg/include" @CRYPTO@ /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
 BSC32=bscmake.exe
 BSC32_FLAGS=/nologo /o"$(OUTDIR)\checkconf.bsc" 
 BSC32_SBRS= \

bin/check/win32/checkconf.vcxproj.in

@@ -55,7 +55,7 @@
       </PrecompiledHeader>
       <WarningLevel>Level3</WarningLevel>
       <Optimization>Disabled</Optimization>
-      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>WIN32;@CRYPTO@_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
       <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
@@ -80,7 +80,7 @@
       <Optimization>MaxSpeed</Optimization>
       <FunctionLevelLinking>true</FunctionLevelLinking>
       <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
-      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>WIN32;@CRYPTO@NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
       <WholeProgramOptimization>false</WholeProgramOptimization>
       <StringPooling>true</StringPooling>

bin/check/win32/checktool.dsp.in

@@ -43,7 +43,7 @@ RSC=rc.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /MT /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" @COPTY@ /FD /c
-# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" @COPTY@ /FD /c /Fdchecktool
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" @CRYPTO@ /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" @COPTY@ /FD /c /Fdchecktool
 # SUBTRACT CPP /X
 # ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
 # ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
@@ -70,7 +70,7 @@ LINK32=link.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /MTd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" @COPTY@ /FD /GZ /c
-# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /FR @COPTY@ /FD /GZ /c /Fdchecktool
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" @CRYPTO@ /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /FR @COPTY@ /FD /GZ /c /Fdchecktool
 # SUBTRACT CPP /X
 # ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
 # ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32

bin/check/win32/checktool.vcxproj.in

@@ -58,7 +58,7 @@
       </PrecompiledHeader>
       <WarningLevel>Level3</WarningLevel>
       <Optimization>Disabled</Optimization>
-      <PreprocessorDefinitions>WIN32;_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>WIN32;@CRYPTO@_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
       <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
@@ -79,7 +79,7 @@
       <Optimization>MaxSpeed</Optimization>
       <FunctionLevelLinking>true</FunctionLevelLinking>
       <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
-      <PreprocessorDefinitions>WIN32;NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>WIN32;@CRYPTO@NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
       <WholeProgramOptimization>false</WholeProgramOptimization>
       <StringPooling>true</StringPooling>

bin/check/win32/checkzone.dsp.in

@@ -42,7 +42,7 @@ RSC=rc.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
-# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" @COPTY@ /FD /c
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" @CRYPTO@ /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" @COPTY@ /FD /c
 # SUBTRACT CPP /Fr
 # ADD BASE RSC /l 0x409 /d "NDEBUG"
 # ADD RSC /l 0x409 /d "NDEBUG"
@@ -67,7 +67,7 @@ LINK32=link.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /GZ /c
-# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" @CRYPTO@ /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
 # SUBTRACT CPP /X @COPTY@
 # ADD BASE RSC /l 0x409 /d "_DEBUG"
 # ADD RSC /l 0x409 /d "_DEBUG"

bin/check/win32/checkzone.mak.in

@@ -130,7 +130,7 @@ CLEAN :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
 CPP=cl.exe
-CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" /Fp"$(INTDIR)\checkzone.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" @CRYPTO@ /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" /Fp"$(INTDIR)\checkzone.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
 
 .c{$(INTDIR)}.obj::
    $(CPP) @<<
@@ -221,7 +221,7 @@ CLEAN :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
 CPP=cl.exe
-CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" @CRYPTO@ /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
 
 .c{$(INTDIR)}.obj::
    $(CPP) @<<

bin/check/win32/checkzone.vcxproj.in

@@ -55,7 +55,7 @@
       </PrecompiledHeader>
       <WarningLevel>Level3</WarningLevel>
       <Optimization>Disabled</Optimization>
-      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>WIN32;@CRYPTO@_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
       <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
@@ -86,7 +86,7 @@ copy /Y named-checkzone.ilk named-compilezone.ilk
       <Optimization>MaxSpeed</Optimization>
       <FunctionLevelLinking>true</FunctionLevelLinking>
       <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
-      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>WIN32;@CRYPTO@NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
       <WholeProgramOptimization>false</WholeProgramOptimization>
       <StringPooling>true</StringPooling>

bin/confgen/Makefile.in

@@ -1,4 +1,4 @@
-# Copyright (C) 2009, 2012, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2009, 2012, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -104,5 +104,13 @@ install:: rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@ installdirs
 	(cd ${DESTDIR}${sbindir}; rm -f tsig-keygen@EXEEXT@; ${LINK_PROGRAM} ddns-confgen@EXEEXT@ tsig-keygen@EXEEXT@)
 	(cd ${DESTDIR}${mandir}/man8; rm -f tsig-keygen.8; ${LINK_PROGRAM} ddns-confgen.8 tsig-keygen.8)
 
+uninstall::
+	rm -f ${DESTDIR}${mandir}/man8/tsig-keygen.8
+	rm -f ${DESTDIR}${sbindir}/tsig-keygen@EXEEXT@
+	rm -f ${DESTDIR}${mandir}/man8/ddns-confgen.8
+	rm -f ${DESTDIR}${mandir}/man8/rndc-confgen.8
+	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/ddns-confgen@EXEEXT@
+	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/rndc-confgen@EXEEXT@
+
 clean distclean maintainer-clean::
 	rm -f ${TARGETS}

bin/confgen/ddns-confgen.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2009, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -163,5 +163,5 @@ BIND 9 Administrator Reference Manual\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2009, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/confgen/ddns-confgen.docbook

@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2009, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.ddns-confgen">
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.ddns-confgen">
   <info>
     <date>2014-03-06</date>
   </info>
@@ -40,6 +40,7 @@
       <year>2009</year>
       <year>2014</year>
       <year>2015</year>
+      <year>2016</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>

bin/confgen/ddns-confgen.html

@@ -1,5 +1,6 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2009, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<html>
+<html lang="en">
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>ddns-confgen</title>
@@ -21,31 +22,63 @@
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.ddns-confgen"></a><div class="titlepage"></div>
-<div class="refnamediv">
+  
+  
+
+  
+
+  <div class="refnamediv">
 <h2>Name</h2>
-<p><span class="application">ddns-confgen</span> &#8212; ddns key generation tool</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">tsig-keygen</code>  [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-h</code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [name]</p></div>
-<div class="cmdsynopsis"><p><code class="command">ddns-confgen</code>  [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-q</code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [ -s <em class="replaceable"><code>name</code></em>  |   -z <em class="replaceable"><code>zone</code></em> ]</p></div>
-</div>
-<div class="refsection">
-<a name="id-1.7"></a><h2>DESCRIPTION</h2>
 <p>
+    <span class="application">ddns-confgen</span>
+     &#8212; ddns key generation tool
+  </p>
+</div>
+
+  
+
+  <div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+    <div class="cmdsynopsis"><p>
+      <code class="command">tsig-keygen</code> 
+       [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
+       [<code class="option">-h</code>]
+       [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>]
+       [name]
+    </p></div>
+    <div class="cmdsynopsis"><p>
+      <code class="command">ddns-confgen</code> 
+       [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
+       [<code class="option">-h</code>]
+       [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>]
+       [<code class="option">-q</code>]
+       [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>]
+       [
+         -s <em class="replaceable"><code>name</code></em> 
+         |   -z <em class="replaceable"><code>zone</code></em> 
+      ]
+    </p></div>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.7"></a><h2>DESCRIPTION</h2>
+
+    <p>
       <span class="command"><strong>tsig-keygen</strong></span> and <span class="command"><strong>ddns-confgen</strong></span>
       are invocation methods for a utility that generates keys for use
       in TSIG signing.  The resulting keys can be used, for example,
       to secure dynamic DNS updates to a zone or for the
       <span class="command"><strong>rndc</strong></span> command channel.
     </p>
-<p>
+
+    <p>
       When run as <span class="command"><strong>tsig-keygen</strong></span>, a domain name
       can be specified on the command line which will be used as
       the name of the generated key.  If no name is specified,
       the default is <code class="constant">tsig-key</code>.
     </p>
-<p>
+
+    <p>
       When run as <span class="command"><strong>ddns-confgen</strong></span>, the generated
       key is accompanied by configuration text and instructions
       that can be used with <span class="command"><strong>nsupdate</strong></span> and
@@ -55,7 +88,8 @@
       <span class="command"><strong>rndc-confgen</strong></span> command for setting
       up command channel security.)
     </p>
-<p>
+
+    <p>
       Note that <span class="command"><strong>named</strong></span> itself can configure a
       local DDNS key for use with <span class="command"><strong>nsupdate -l</strong></span>:
       it does this when a zone is configured with
@@ -65,24 +99,32 @@
       if <span class="command"><strong>nsupdate</strong></span> is to be used from a remote
       system.
     </p>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.8"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl class="variablelist">
+
+
+    <div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
-<dd><p>
+<dd>
+	  <p>
             Specifies the algorithm to use for the TSIG key.  Available
             choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
             hmac-sha384 and hmac-sha512.  The default is hmac-sha256.
             Options are case-insensitive, and the "hmac-" prefix
             may be omitted.
-	  </p></dd>
+	  </p>
+	</dd>
 <dt><span class="term">-h</span></dt>
-<dd><p>
+<dd>
+	  <p>
 	    Prints a short summary of options and arguments.
-	  </p></dd>
+	  </p>
+	</dd>
 <dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt>
-<dd><p>
+<dd>
+	  <p>
 	    Specifies the key name of the DDNS authentication key.
 	    The default is <code class="constant">ddns-key</code> when neither
 	    the <code class="option">-s</code> nor <code class="option">-z</code> option is
@@ -92,15 +134,19 @@
 	    <code class="constant">ddns-key.example.com.</code>
 	    The key name must have the format of a valid domain name,
 	    consisting of letters, digits, hyphens and periods.
-	  </p></dd>
+	  </p>
+	</dd>
 <dt><span class="term">-q</span></dt>
-<dd><p>
+<dd>
+	  <p>
 	    (<span class="command"><strong>ddns-confgen</strong></span> only.) Quiet mode:  Print
             only the key, with no explanatory text or usage examples;
             This is essentially identical to <span class="command"><strong>tsig-keygen</strong></span>.
-	  </p></dd>
+	  </p>
+	</dd>
 <dt><span class="term">-r <em class="replaceable"><code>randomfile</code></em></span></dt>
-<dd><p>
+<dd>
+	  <p>
             Specifies a source of random data for generating the
             authorization.  If the operating system does not provide a
             <code class="filename">/dev/random</code> or equivalent device, the
@@ -110,9 +156,11 @@
             instead of the default.  The special value
             <code class="filename">keyboard</code> indicates that keyboard input
             should be used.
-	  </p></dd>
+	  </p>
+	</dd>
 <dt><span class="term">-s <em class="replaceable"><code>name</code></em></span></dt>
-<dd><p>
+<dd>
+	  <p>
             (<span class="command"><strong>ddns-confgen</strong></span> only.)
 	    Generate configuration example to allow dynamic updates
             of a single hostname.  The example <span class="command"><strong>named.conf</strong></span>
@@ -123,9 +171,11 @@
 	    Note that the "self" nametype cannot be used, since
 	    the name to be updated may differ from the key name.
 	    This option cannot be used with the <code class="option">-z</code> option.
-	  </p></dd>
+	  </p>
+	</dd>
 <dt><span class="term">-z <em class="replaceable"><code>zone</code></em></span></dt>
-<dd><p>
+<dd>
+	  <p>
             (<span class="command"><strong>ddns-confgen</strong></span> only.)
 	    Generate configuration example to allow dynamic updates
             of a zone:  The example <span class="command"><strong>named.conf</strong></span> text
@@ -135,16 +185,26 @@
             all subdomain names within that
             <em class="replaceable"><code>zone</code></em>.
 	    This option cannot be used with the <code class="option">-s</code> option.
-	  </p></dd>
+	  </p>
+	</dd>
 </dl></div>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.9"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">nsupdate</span>(1)</span>,
-      <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
-      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+
+    <p><span class="citerefentry">
+	<span class="refentrytitle">nsupdate</span>(1)
+      </span>,
+      <span class="citerefentry">
+	<span class="refentrytitle">named.conf</span>(5)
+      </span>,
+      <span class="citerefentry">
+	<span class="refentrytitle">named</span>(8)
+      </span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
-</div>
+  </div>
+
 </div></body>
 </html>

bin/confgen/keygen.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009, 2012-2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009, 2012-2016  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -33,6 +33,8 @@
 #include <isc/result.h>
 #include <isc/string.h>
 
+#include <pk11/site.h>
+
 #include <dns/keyvalues.h>
 #include <dns/name.h>
 
@@ -48,8 +50,10 @@
 const char *
 alg_totext(dns_secalg_t alg) {
 	switch (alg) {
+#ifndef PK11_MD5_DISABLE
 	    case DST_ALG_HMACMD5:
 		return "hmac-md5";
+#endif
 	    case DST_ALG_HMACSHA1:
 		return "hmac-sha1";
 	    case DST_ALG_HMACSHA224:
@@ -74,8 +78,10 @@ alg_fromtext(const char *name) {
 	if (strncasecmp(p, "hmac-", 5) == 0)
 		p = &name[5];
 
+#ifndef PK11_MD5_DISABLE
 	if (strcasecmp(p, "md5") == 0)
 		return DST_ALG_HMACMD5;
+#endif
 	if (strcasecmp(p, "sha1") == 0)
 		return DST_ALG_HMACSHA1;
 	if (strcasecmp(p, "sha224") == 0)
@@ -130,7 +136,9 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
 	dst_key_t *key = NULL;
 
 	switch (alg) {
+#ifndef PK11_MD5_DISABLE
 	    case DST_ALG_HMACMD5:
+#endif
 	    case DST_ALG_HMACSHA1:
 	    case DST_ALG_HMACSHA224:
 	    case DST_ALG_HMACSHA256:

bin/confgen/rndc-confgen.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007, 2009, 2013-2015 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007, 2009, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2001, 2003 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
@@ -120,7 +120,7 @@ as directed\&.
 .PP
 \-A \fIalgorithm\fR
 .RS 4
-Specifies the algorithm to use for the TSIG key\&. Available choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384 and hmac\-sha512\&. The default is hmac\-md5\&.
+Specifies the algorithm to use for the TSIG key\&. Available choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384 and hmac\-sha512\&. The default is hmac\-md5 or if MD5 was disabled hmac\-sha256\&.
 .RE
 .PP
 \-b \fIkeysize\fR
@@ -226,7 +226,7 @@ BIND 9 Administrator Reference Manual\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2004, 2005, 2007, 2009, 2013-2015 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007, 2009, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
 .br
 Copyright \(co 2001, 2003 Internet Software Consortium.
 .br

bin/confgen/rndc-confgen.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007-2009, 2011, 2013, 2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2009, 2011, 2013, 2014, 2016  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -48,6 +48,8 @@
 #include <isc/time.h>
 #include <isc/util.h>
 
+#include <pk11/site.h>
+
 #include <dns/keyvalues.h>
 #include <dns/name.h>
 
@@ -74,6 +76,7 @@ usage(int status) ISC_PLATFORM_NORETURN_POST;
 static void
 usage(int status) {
 
+#ifndef PK11_MD5_DISABLE
 	fprintf(stderr, "\
 Usage:\n\
  %s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \
@@ -89,6 +92,23 @@ Usage:\n\
   -t chrootdir:	 write a keyfile in chrootdir as well (requires -a)\n\
   -u user:	 set the keyfile owner to \"user\" (requires -a)\n",
 		 progname, keydef);
+#else
+	fprintf(stderr, "\
+Usage:\n\
+ %s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \
+[-s addr] [-t chrootdir] [-u user]\n\
+  -a:		 generate just the key clause and write it to keyfile (%s)\n\
+  -A alg:	 algorithm (default hmac-sha256)\n\
+  -b bits:	 from 1 through 512, default 256; total length of the secret\n\
+  -c keyfile:	 specify an alternate key file (requires -a)\n\
+  -k keyname:	 the name as it will be used  in named.conf and rndc.conf\n\
+  -p port:	 the port named will listen on and rndc will connect to\n\
+  -r randomfile: source of random data (use \"keyboard\" for key timing)\n\
+  -s addr:	 the address to which rndc should connect\n\
+  -t chrootdir:	 write a keyfile in chrootdir as well (requires -a)\n\
+  -u user:	 set the keyfile owner to \"user\" (requires -a)\n",
+		 progname, keydef);
+#endif
 
 	exit (status);
 }
@@ -124,7 +144,11 @@ main(int argc, char **argv) {
 	progname = program;
 
 	keyname = DEFAULT_KEYNAME;
+#ifndef PK11_MD5_DISABLE
 	alg = DST_ALG_HMACMD5;
+#else
+	alg = DST_ALG_HMACSHA256;
+#endif
 	serveraddr = DEFAULT_SERVER;
 	port = DEFAULT_PORT;
 

bin/confgen/rndc-confgen.docbook

@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005, 2007, 2009, 2013-2015  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007, 2009, 2013-2016  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2001, 2003  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and/or distribute this software for any
@@ -16,7 +16,7 @@
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.rndc-confgen">
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.rndc-confgen">
   <info>
     <date>2013-03-14</date>
   </info>
@@ -45,6 +45,7 @@
       <year>2013</year>
       <year>2014</year>
       <year>2015</year>
+      <year>2016</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -139,7 +140,8 @@
           <para>
             Specifies the algorithm to use for the TSIG key.  Available
             choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
-            hmac-sha384 and hmac-sha512.  The default is hmac-md5.
+            hmac-sha384 and hmac-sha512.  The default is hmac-md5 or
+            if MD5 was disabled hmac-sha256.
           </para>
         </listitem>
       </varlistentry>

bin/confgen/rndc-confgen.html

@@ -1,5 +1,6 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2004, 2005, 2007, 2009, 2013-2015 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007, 2009, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2001, 2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
@@ -14,7 +15,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<html>
+<html lang="en">
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>rndc-confgen</title>
@@ -22,17 +23,43 @@
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.rndc-confgen"></a><div class="titlepage"></div>
-<div class="refnamediv">
+  
+  
+
+  
+
+  <div class="refnamediv">
 <h2>Name</h2>
-<p><span class="application">rndc-confgen</span> &#8212; rndc key generation tool</p>
+<p>
+    <span class="application">rndc-confgen</span>
+     &#8212; rndc key generation tool
+  </p>
 </div>
-<div class="refsynopsisdiv">
+
+  
+
+  <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">rndc-confgen</code>  [<code class="option">-a</code>] [<code class="option">-A <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [<code class="option">-s <em class="replaceable"><code>address</code></em></code>] [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]</p></div>
-</div>
-<div class="refsection">
+    <div class="cmdsynopsis"><p>
+      <code class="command">rndc-confgen</code> 
+       [<code class="option">-a</code>]
+       [<code class="option">-A <em class="replaceable"><code>algorithm</code></em></code>]
+       [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
+       [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>]
+       [<code class="option">-h</code>]
+       [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>]
+       [<code class="option">-p <em class="replaceable"><code>port</code></em></code>]
+       [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>]
+       [<code class="option">-s <em class="replaceable"><code>address</code></em></code>]
+       [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>]
+       [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]
+    </p></div>
+  </div>
+
+  <div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-<p><span class="command"><strong>rndc-confgen</strong></span>
+
+    <p><span class="command"><strong>rndc-confgen</strong></span>
       generates configuration files
       for <span class="command"><strong>rndc</strong></span>.  It can be used as a
       convenient alternative to writing the
@@ -45,13 +72,17 @@
       avoid the need for a <code class="filename">rndc.conf</code> file
       and a <span class="command"><strong>controls</strong></span> statement altogether.
     </p>
-</div>
-<div class="refsection">
+
+  </div>
+
+  <div class="refsection">
 <a name="id-1.8"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl class="variablelist">
+
+
+    <div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-a</span></dt>
 <dd>
-<p>
+          <p>
             Do automatic <span class="command"><strong>rndc</strong></span> configuration.
             This creates a file <code class="filename">rndc.key</code>
             in <code class="filename">/etc</code> (or whatever
@@ -66,7 +97,7 @@
             <span class="command"><strong>named</strong></span> on the local host
             with no further configuration.
           </p>
-<p>
+          <p>
             Running <span class="command"><strong>rndc-confgen -a</strong></span> allows
             BIND 9 and <span class="command"><strong>rndc</strong></span> to be used as
             drop-in
@@ -74,7 +105,7 @@
             with no changes to the existing BIND 8
             <code class="filename">named.conf</code> file.
           </p>
-<p>
+          <p>
             If a more elaborate configuration than that
             generated by <span class="command"><strong>rndc-confgen -a</strong></span>
             is required, for example if rndc is to be used remotely,
@@ -85,43 +116,57 @@
             <code class="filename">named.conf</code>
             as directed.
           </p>
-</dd>
+        </dd>
 <dt><span class="term">-A <em class="replaceable"><code>algorithm</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Specifies the algorithm to use for the TSIG key.  Available
             choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
-            hmac-sha384 and hmac-sha512.  The default is hmac-md5.
-          </p></dd>
+            hmac-sha384 and hmac-sha512.  The default is hmac-md5 or
+            if MD5 was disabled hmac-sha256.
+          </p>
+        </dd>
 <dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Specifies the size of the authentication key in bits.
             Must be between 1 and 512 bits; the default is the
             hash size.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-c <em class="replaceable"><code>keyfile</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Used with the <span class="command"><strong>-a</strong></span> option to specify
             an alternate location for <code class="filename">rndc.key</code>.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-h</span></dt>
-<dd><p>
+<dd>
+          <p>
             Prints a short summary of the options and arguments to
             <span class="command"><strong>rndc-confgen</strong></span>.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Specifies the key name of the rndc authentication key.
             This must be a valid domain name.
             The default is <code class="constant">rndc-key</code>.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Specifies the command channel port where <span class="command"><strong>named</strong></span>
             listens for connections from <span class="command"><strong>rndc</strong></span>.
             The default is 953.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-r <em class="replaceable"><code>randomfile</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Specifies a source of random data for generating the
             authorization.  If the operating
             system does not provide a <code class="filename">/dev/random</code>
@@ -132,24 +177,30 @@
             data to be used instead of the default.  The special value
             <code class="filename">keyboard</code> indicates that keyboard
             input should be used.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-s <em class="replaceable"><code>address</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Specifies the IP address where <span class="command"><strong>named</strong></span>
             listens for command channel connections from
             <span class="command"><strong>rndc</strong></span>.  The default is the loopback
             address 127.0.0.1.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-t <em class="replaceable"><code>chrootdir</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Used with the <span class="command"><strong>-a</strong></span> option to specify
             a directory where <span class="command"><strong>named</strong></span> will run
             chrooted.  An additional copy of the <code class="filename">rndc.key</code>
             will be written relative to this directory so that
             it will be found by the chrooted <span class="command"><strong>named</strong></span>.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Used with the <span class="command"><strong>-a</strong></span> option to set the
             owner
             of the <code class="filename">rndc.key</code> file generated.
@@ -157,33 +208,45 @@
             <span class="command"><strong>-t</strong></span> is also specified only the file
             in
             the chroot area has its owner changed.
-          </p></dd>
+          </p>
+        </dd>
 </dl></div>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.9"></a><h2>EXAMPLES</h2>
-<p>
+
+    <p>
       To allow <span class="command"><strong>rndc</strong></span> to be used with
       no manual configuration, run
     </p>
-<p><strong class="userinput"><code>rndc-confgen -a</code></strong>
+    <p><strong class="userinput"><code>rndc-confgen -a</code></strong>
     </p>
-<p>
+    <p>
       To print a sample <code class="filename">rndc.conf</code> file and
       corresponding <span class="command"><strong>controls</strong></span> and <span class="command"><strong>key</strong></span>
       statements to be manually inserted into <code class="filename">named.conf</code>,
       run
     </p>
-<p><strong class="userinput"><code>rndc-confgen</code></strong>
+    <p><strong class="userinput"><code>rndc-confgen</code></strong>
     </p>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.10"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
-      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+
+    <p><span class="citerefentry">
+        <span class="refentrytitle">rndc</span>(8)
+      </span>,
+      <span class="citerefentry">
+        <span class="refentrytitle">rndc.conf</span>(5)
+      </span>,
+      <span class="citerefentry">
+        <span class="refentrytitle">named</span>(8)
+      </span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
-</div>
+  </div>
+
 </div></body>
 </html>

bin/delv/Makefile.in

@@ -1,4 +1,4 @@
-# Copyright (C) 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2014-2016  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -21,9 +21,10 @@ VERSION=@BIND9_VERSION@
 @BIND9_MAKE_INCLUDES@
 
 CINCLUDES =	-I${srcdir}/include ${DNS_INCLUDES} ${ISC_INCLUDES} \
-		${IRS_INCLUDES} ${ISCCFG_INCLUDES}
+		@DST_OPENSSL_INC@ ${IRS_INCLUDES} ${ISCCFG_INCLUDES}
 
-CDEFINES =	-DVERSION=\"${VERSION}\" -DSYSCONFDIR=\"${sysconfdir}\"
+CDEFINES =	@CRYPTO@ -DVERSION=\"${VERSION}\" \
+		-DSYSCONFDIR=\"${sysconfdir}\"
 CWARNINGS =
 
 ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
@@ -72,6 +73,10 @@ install:: delv@EXEEXT@ installdirs
 		delv@EXEEXT@ ${DESTDIR}${bindir}
 	${INSTALL_DATA} ${srcdir}/delv.1 ${DESTDIR}${mandir}/man1
 
+uninstall::
+	rm -f ${DESTDIR}${mandir}/man1/delv.1
+	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${bindir}/delv@EXEEXT@
+
 doc man:: ${MANOBJS}
 
 docclean manclean maintainer-clean::

bin/delv/delv.1

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2014-2016 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -435,5 +435,5 @@ RFC5155\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2014-2016 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/delv/delv.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2014-2016  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -774,7 +774,7 @@ setup_dnsseckeys(dns_client_t *client) {
 static isc_result_t
 addserver(dns_client_t *client) {
 	struct addrinfo hints, *res, *cur;
-	int gai_error;
+	int gaierror;
 	struct in_addr in4;
 	struct in6_addr in6;
 	isc_sockaddr_t *sa;
@@ -813,11 +813,11 @@ addserver(dns_client_t *client) {
 			hints.ai_family = AF_UNSPEC;
 		hints.ai_socktype = SOCK_DGRAM;
 		hints.ai_protocol = IPPROTO_UDP;
-		gai_error = getaddrinfo(server, port, &hints, &res);
-		if (gai_error != 0) {
+		gaierror = getaddrinfo(server, port, &hints, &res);
+		if (gaierror != 0) {
 			delv_log(ISC_LOG_ERROR,
 				  "getaddrinfo failed: %s",
-				  gai_strerror(gai_error));
+				  gai_strerror(gaierror));
 			return (ISC_R_FAILURE);
 		}
 

bin/delv/delv.docbook

@@ -1,7 +1,7 @@
 <!DOCTYPE book [
 <!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2014-2016  Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -17,7 +17,7 @@
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.delv">
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.delv">
   <info>
     <date>2014-04-23</date>
   </info>
@@ -41,6 +41,7 @@
     <copyright>
       <year>2014</year>
       <year>2015</year>
+      <year>2016</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>

bin/delv/delv.html

@@ -1,5 +1,6 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2014-2016 Internet Systems Consortium, Inc. ("ISC")
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<html>
+<html lang="en">
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>delv</title>
@@ -21,25 +22,70 @@
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.delv"></a><div class="titlepage"></div>
-<div class="refnamediv">
+  
+  
+
+  
+
+  <div class="refnamediv">
 <h2>Name</h2>
-<p>delv &#8212; DNS lookup and validation utility</p>
+<p>
+    delv
+     &#8212; DNS lookup and validation utility
+  </p>
 </div>
-<div class="refsynopsisdiv">
+
+  
+
+  <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">delv</code>  [@server] [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-a <em class="replaceable"><code>anchor-file</code></em></code>] [<code class="option">-b <em class="replaceable"><code>address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>level</code></em></code>] [<code class="option">-i</code>] [<code class="option">-m</code>] [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>] [<code class="option">-q <em class="replaceable"><code>name</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>] [name] [type] [class] [queryopt...]</p></div>
-<div class="cmdsynopsis"><p><code class="command">delv</code>  [<code class="option">-h</code>]</p></div>
-<div class="cmdsynopsis"><p><code class="command">delv</code>  [<code class="option">-v</code>]</p></div>
-<div class="cmdsynopsis"><p><code class="command">delv</code>  [queryopt...] [query...]</p></div>
-</div>
-<div class="refsection">
+    <div class="cmdsynopsis"><p>
+      <code class="command">delv</code> 
+       [@server]
+       [<code class="option">-4</code>]
+       [<code class="option">-6</code>]
+       [<code class="option">-a <em class="replaceable"><code>anchor-file</code></em></code>]
+       [<code class="option">-b <em class="replaceable"><code>address</code></em></code>]
+       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
+       [<code class="option">-d <em class="replaceable"><code>level</code></em></code>]
+       [<code class="option">-i</code>]
+       [<code class="option">-m</code>]
+       [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>]
+       [<code class="option">-q <em class="replaceable"><code>name</code></em></code>]
+       [<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
+       [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>]
+       [name]
+       [type]
+       [class]
+       [queryopt...]
+    </p></div>
+
+    <div class="cmdsynopsis"><p>
+      <code class="command">delv</code> 
+       [<code class="option">-h</code>]
+    </p></div>
+
+    <div class="cmdsynopsis"><p>
+      <code class="command">delv</code> 
+       [<code class="option">-v</code>]
+    </p></div>
+
+    <div class="cmdsynopsis"><p>
+      <code class="command">delv</code> 
+       [queryopt...]
+       [query...]
+    </p></div>
+  </div>
+
+  <div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-<p><span class="command"><strong>delv</strong></span>
+
+    <p><span class="command"><strong>delv</strong></span>
       (Domain Entity Lookup &amp; Validation) is a tool for sending
       DNS queries and validating the results, using the the same internal
       resolver and validator logic as <span class="command"><strong>named</strong></span>.
     </p>
-<p>
+    <p>
       <span class="command"><strong>delv</strong></span> will send to a specified name server all
       queries needed to fetch and validate the requested data; this
       includes the original requested query, subsequent queries to follow
@@ -49,7 +95,7 @@
       behavior of a name server configured for DNSSEC validating and
       forwarding.
     </p>
-<p>
+    <p>
       By default, responses are validated using built-in DNSSEC trust
       anchors for the root zone (".") and for the ISC DNSSEC lookaside
       validation zone ("dlv.isc.org").  Records returned by
@@ -61,7 +107,7 @@
       be used to check the validity of DNS responses in environments
       where local name servers may not be trustworthy.
     </p>
-<p>
+    <p>
       Unless it is told to query a specific name server,
       <span class="command"><strong>delv</strong></span> will try each of the servers listed in
       <code class="filename">/etc/resolv.conf</code>. If no usable server
@@ -69,15 +115,18 @@
       queries to the localhost addresses (127.0.0.1 for IPv4, ::1
       for IPv6).
     </p>
-<p>
+    <p>
       When no command line arguments or options are given,
       <span class="command"><strong>delv</strong></span> will perform an NS query for "."
       (the root zone).
     </p>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.8"></a><h2>SIMPLE USAGE</h2>
-<p>
+
+
+    <p>
       A typical invocation of <span class="command"><strong>delv</strong></span> looks like:
       </p>
 <pre class="programlisting"> delv @server name type </pre>
@@ -88,7 +137,7 @@
 <div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><code class="constant">server</code></span></dt>
 <dd>
-<p>
+	    <p>
 	      is the name or IP address of the name server to query.  This
 	      can be an IPv4 address in dotted-decimal notation or an IPv6
 	      address in colon-delimited notation.  When the supplied
@@ -98,7 +147,7 @@
 	      initial lookup is <span class="emphasis"><em>not</em></span> validated
 	      by DNSSEC).
 	    </p>
-<p>
+	    <p>
 	      If no <em class="parameter"><code>server</code></em> argument is
 	      provided, <span class="command"><strong>delv</strong></span> consults
 	      <code class="filename">/etc/resolv.conf</code>; if an
@@ -111,13 +160,16 @@
 	      the localhost addresses (127.0.0.1 for IPv4,
 	      ::1 for IPv6).
 	    </p>
-</dd>
+	  </dd>
 <dt><span class="term"><code class="constant">name</code></span></dt>
-<dd><p>
+<dd>
+	    <p>
 	      is the domain name to be looked up.
-	    </p></dd>
+	    </p>
+	  </dd>
 <dt><span class="term"><code class="constant">type</code></span></dt>
-<dd><p>
+<dd>
+	    <p>
 	      indicates what type of query is required &#8212;
 	      ANY, A, MX, etc.
 	      <em class="parameter"><code>type</code></em> can be any valid query
@@ -125,30 +177,34 @@
 	      <em class="parameter"><code>type</code></em> argument is supplied,
 	      <span class="command"><strong>delv</strong></span> will perform a lookup for an
 	      A record.
-	    </p></dd>
+	    </p>
+	  </dd>
 </dl></div>
 <p>
     </p>
-</div>
-<div class="refsection">
+
+  </div>
+
+  <div class="refsection">
 <a name="id-1.9"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl class="variablelist">
+
+    <div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-a <em class="replaceable"><code>anchor-file</code></em></span></dt>
 <dd>
-<p>
+	  <p>
 	    Specifies a file from which to read DNSSEC trust anchors.
 	    The default is <code class="filename">/etc/bind.keys</code>, which
 	    is included with <acronym class="acronym">BIND</acronym> 9 and contains
 	    trust anchors for the root zone (".") and for the ISC
 	    DNSSEC lookaside validation zone ("dlv.isc.org").
 	  </p>
-<p>
+	  <p>
 	    Keys that do not match the root or DLV trust-anchor
 	    names are ignored; these key names can be overridden
 	    using the <code class="option">+dlv=NAME</code> or
 	    <code class="option">+root=NAME</code> options.
 	  </p>
-<p>
+	  <p>
 	    Note: When reading the trust anchor file,
 	    <span class="command"><strong>delv</strong></span> treats <code class="option">managed-keys</code>
 	    statements and <code class="option">trusted-keys</code> statements
@@ -162,23 +218,28 @@
 	    <code class="filename">/etc/bind.keys</code> to use DNSSEC
 	    validation in <span class="command"><strong>delv</strong></span>.
 	  </p>
-</dd>
+	</dd>
 <dt><span class="term">-b  <em class="replaceable"><code>address</code></em></span></dt>
-<dd><p>
+<dd>
+	  <p>
 	    Sets the source IP address of the query to
 	    <em class="parameter"><code>address</code></em>.  This must be a valid address
 	    on one of the host's network interfaces or "0.0.0.0" or "::".
 	    An optional source port may be specified by appending
 	    "#&lt;port&gt;"
-	  </p></dd>
+	  </p>
+	</dd>
 <dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd><p>
+<dd>
+	  <p>
 	    Sets the query class for the requested data. Currently,
 	    only class "IN" is supported in <span class="command"><strong>delv</strong></span>
 	    and any other value is ignored.
-	  </p></dd>
+	  </p>
+	</dd>
 <dt><span class="term">-d <em class="replaceable"><code>level</code></em></span></dt>
-<dd><p>
+<dd>
+	  <p>
 	    Set the systemwide debug level to <code class="option">level</code>.
 	    The allowed range is from 0 to 99.
 	    The default is 0 (no debugging).
@@ -187,13 +248,17 @@
 	    See the <code class="option">+mtrace</code>, <code class="option">+rtrace</code>,
 	    and <code class="option">+vtrace</code> options below for additional
 	    debugging details.
-	  </p></dd>
+	  </p>
+	</dd>
 <dt><span class="term">-h</span></dt>
-<dd><p>
+<dd>
+	  <p>
 	    Display the <span class="command"><strong>delv</strong></span> help usage output and exit.
-	  </p></dd>
+	  </p>
+	</dd>
 <dt><span class="term">-i</span></dt>
-<dd><p>
+<dd>
+	  <p>
 	    Insecure mode. This disables internal DNSSEC validation.
 	    (Note, however, this does not set the CD bit on upstream
 	    queries. If the server being queried is performing DNSSEC
@@ -201,30 +266,37 @@
 	    can cause <span class="command"><strong>delv</strong></span> to time out. When it
 	    is necessary to examine invalid data to debug a DNSSEC
 	    problem, use <span class="command"><strong>dig +cd</strong></span>.)
-	  </p></dd>
+	  </p>
+	</dd>
 <dt><span class="term">-m</span></dt>
-<dd><p>
+<dd>
+	  <p>
 	    Enables memory usage debugging.
-	  </p></dd>
+	  </p>
+	</dd>
 <dt><span class="term">-p <em class="replaceable"><code>port#</code></em></span></dt>
-<dd><p>
+<dd>
+	  <p>
 	    Specifies a destination port to use for queries instead of
 	    the standard DNS port number 53.  This option would be used
 	    with a name server that has been configured to listen
 	    for queries on a non-standard port number.
-	  </p></dd>
+	  </p>
+	</dd>
 <dt><span class="term">-q <em class="replaceable"><code>name</code></em></span></dt>
-<dd><p>
+<dd>
+	  <p>
 	    Sets the query name to <em class="parameter"><code>name</code></em>.
 	    While the query name can be specified without using the
 	    <code class="option">-q</code>, it is sometimes necessary to disambiguate
 	    names from types or classes (for example, when looking up the
 	    name "ns", which could be misinterpreted as the type NS,
 	    or "ch", which could be misinterpreted as class CH).
-	  </p></dd>
+	  </p>
+	</dd>
 <dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
 <dd>
-<p>
+	  <p>
 	    Sets the query type to <em class="parameter"><code>type</code></em>, which
 	    can be any valid query type supported in BIND 9 except
 	    for zone transfer types AXFR and IXFR. As with
@@ -232,18 +304,21 @@
 	    query name type or class when they are ambiguous.
 	    it is sometimes necessary to disambiguate names from types.
 	  </p>
-<p>
+	  <p>
 	    The default query type is "A", unless the <code class="option">-x</code>
 	    option is supplied to indicate a reverse lookup, in which case
 	    it is "PTR".
 	  </p>
-</dd>
+	</dd>
 <dt><span class="term">-v</span></dt>
-<dd><p>
+<dd>
+	  <p>
 	    Print the <span class="command"><strong>delv</strong></span> version and exit.
-	  </p></dd>
+	  </p>
+	</dd>
 <dt><span class="term">-x <em class="replaceable"><code>addr</code></em></span></dt>
-<dd><p>
+<dd>
+	  <p>
 	    Performs a reverse lookup, mapping an addresses to
 	    a name.  <em class="parameter"><code>addr</code></em> is an IPv4 address in
 	    dotted-decimal notation, or a colon-delimited IPv6 address.
@@ -253,24 +328,33 @@
 	    lookup for a name like <code class="literal">11.12.13.10.in-addr.arpa</code>
 	    and sets the query type to PTR.  IPv6 addresses are looked up
 	    using nibble format under the IP6.ARPA domain.
-	  </p></dd>
+	  </p>
+	</dd>
 <dt><span class="term">-4</span></dt>
-<dd><p>
+<dd>
+	  <p>
 	    Forces <span class="command"><strong>delv</strong></span> to only use IPv4.
-	  </p></dd>
+	  </p>
+	</dd>
 <dt><span class="term">-6</span></dt>
-<dd><p>
+<dd>
+	  <p>
 	    Forces <span class="command"><strong>delv</strong></span> to only use IPv6.
-	  </p></dd>
+	  </p>
+	</dd>
 </dl></div>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.10"></a><h2>QUERY OPTIONS</h2>
-<p><span class="command"><strong>delv</strong></span>
+
+
+    <p><span class="command"><strong>delv</strong></span>
       provides a number of query options which affect the way results are
       displayed, and in some cases the way lookups are performed.
     </p>
-<p>
+
+    <p>
       Each query option is identified by a keyword preceded by a plus sign
       (<code class="literal">+</code>).  Some keywords set or reset an
       option.  These may be preceded by the string
@@ -282,7 +366,8 @@
       </p>
 <div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><code class="option">+[no]cdflag</code></span></dt>
-<dd><p>
+<dd>
+	    <p>
 	      Controls whether to set the CD (checking disabled) bit in
 	      queries sent by <span class="command"><strong>delv</strong></span>. This may be useful
 	      when troubleshooting DNSSEC problems from behind a validating
@@ -291,20 +376,25 @@
 	      the CD flag on queries will cause the resolver to return
 	      invalid responses, which <span class="command"><strong>delv</strong></span> can then
 	      validate internally and report the errors in detail.
-	    </p></dd>
+	    </p>
+	  </dd>
 <dt><span class="term"><code class="option">+[no]class</code></span></dt>
-<dd><p>
+<dd>
+	    <p>
 	      Controls whether to display the CLASS when printing
 	      a record. The default is to display the CLASS.
-	    </p></dd>
+	    </p>
+	  </dd>
 <dt><span class="term"><code class="option">+[no]ttl</code></span></dt>
-<dd><p>
+<dd>
+	    <p>
 	      Controls whether to display the TTL when printing
 	      a record. The default is to display the TTL.
-	    </p></dd>
+	    </p>
+	  </dd>
 <dt><span class="term"><code class="option">+[no]rtrace</code></span></dt>
 <dd>
-<p>
+	    <p>
 	      Toggle resolver fetch logging. This reports the
 	      name and type of each query sent by <span class="command"><strong>delv</strong></span>
 	      in the process of carrying out the resolution and validation
@@ -312,62 +402,69 @@
 	      all subsequent queries to follow CNAMEs and to establish a
 	      chain of trust for DNSSEC validation.
 	    </p>
-<p>
+	    <p>
 	      This is equivalent to setting the debug level to 1 in
 	      the "resolver" logging category. Setting the systemwide
 	      debug level to 1 using the <code class="option">-d</code> option will
 	      product the same output (but will affect other logging
 	      categories as well).
 	    </p>
-</dd>
+	  </dd>
 <dt><span class="term"><code class="option">+[no]mtrace</code></span></dt>
 <dd>
-<p>
+	    <p>
 	      Toggle message logging. This produces a detailed dump of
 	      the responses received by <span class="command"><strong>delv</strong></span> in the
 	      process of carrying out the resolution and validation process.
 	    </p>
-<p>
+	    <p>
 	      This is equivalent to setting the debug level to 10
 	      for the the "packets" module of the "resolver" logging
 	      category. Setting the systemwide debug level to 10 using
 	      the <code class="option">-d</code> option will produce the same output
 	      (but will affect other logging categories as well).
 	    </p>
-</dd>
+	  </dd>
 <dt><span class="term"><code class="option">+[no]vtrace</code></span></dt>
 <dd>
-<p>
+	    <p>
 	      Toggle validation logging. This shows the internal
 	      process of the validator as it determines whether an
 	      answer is validly signed, unsigned, or invalid.
 	    </p>
-<p>
+	    <p>
 	      This is equivalent to setting the debug level to 3
 	      for the the "validator" module of the "dnssec" logging
 	      category. Setting the systemwide debug level to 3 using
 	      the <code class="option">-d</code> option will produce the same output
 	      (but will affect other logging categories as well).
 	    </p>
-</dd>
+	  </dd>
 <dt><span class="term"><code class="option">+[no]short</code></span></dt>
-<dd><p>
+<dd>
+	    <p>
 	      Provide a terse answer.  The default is to print the answer in a
 	      verbose form.
-	    </p></dd>
+	    </p>
+	  </dd>
 <dt><span class="term"><code class="option">+[no]comments</code></span></dt>
-<dd><p>
+<dd>
+	    <p>
 	      Toggle the display of comment lines in the output.  The default
 	      is to print comments.
-	    </p></dd>
+	    </p>
+	  </dd>
 <dt><span class="term"><code class="option">+[no]rrcomments</code></span></dt>
-<dd><p>
+<dd>
+	    <p>
 	      Toggle the display of per-record comments in the output (for
 	      example, human-readable key information about DNSKEY records).
 	      The default is to print per-record comments.
-	    </p></dd>
+	    </p>
+	  </dd>
 <dt><span class="term"><code class="option">+[no]crypto</code></span></dt>
-<dd><p>
+<dd>
+	    <p>
 	      Toggle the display of cryptographic fields in DNSSEC records.
 	      The contents of these field are unnecessary to debug most DNSSEC
 	      validation failures and removing them makes it easier to see
@@ -375,14 +472,18 @@
 	      When omitted they are replaced by the string "[omitted]" or
 	      in the DNSKEY case the key id is displayed as the replacement,
 	      e.g. "[ key id = value ]".
-	    </p></dd>
+	    </p>
+	  </dd>
 <dt><span class="term"><code class="option">+[no]trust</code></span></dt>
-<dd><p>
+<dd>
+	    <p>
 	      Controls whether to display the trust level when printing
 	      a record. The default is to display the trust level.
-	    </p></dd>
+	    </p>
+	  </dd>
 <dt><span class="term"><code class="option">+[no]split[=W]</code></span></dt>
-<dd><p>
+<dd>
+	    <p>
 	      Split long hex- or base64-formatted fields in resource
 	      records into chunks of <em class="parameter"><code>W</code></em> characters
 	      (where <em class="parameter"><code>W</code></em> is rounded up to the nearest
@@ -391,24 +492,30 @@
 	      <em class="parameter"><code>+split=0</code></em> causes fields not to be
 	      split at all.  The default is 56 characters, or 44 characters
 	      when multiline mode is active.
-	    </p></dd>
+	    </p>
+	  </dd>
 <dt><span class="term"><code class="option">+[no]all</code></span></dt>
-<dd><p>
+<dd>
+	    <p>
 	      Set or clear the display options
 	      <code class="option">+[no]comments</code>,
 	      <code class="option">+[no]rrcomments</code>, and
 	      <code class="option">+[no]trust</code> as a group.
-	    </p></dd>
+	    </p>
+	  </dd>
 <dt><span class="term"><code class="option">+[no]multiline</code></span></dt>
-<dd><p>
+<dd>
+	    <p>
 	      Print long records (such as RRSIG, DNSKEY, and SOA records)
 	      in a verbose multi-line format with human-readable comments.
 	      The default is to print each record on a single line, to
 	      facilitate machine parsing of the <span class="command"><strong>delv</strong></span>
 	      output.
-	    </p></dd>
+	    </p>
+	  </dd>
 <dt><span class="term"><code class="option">+[no]dnssec</code></span></dt>
-<dd><p>
+<dd>
+	    <p>
 	      Indicates whether to display RRSIG records in the
 	      <span class="command"><strong>delv</strong></span> output.  The default is to
 	      do so.  Note that (unlike in <span class="command"><strong>dig</strong></span>)
@@ -418,9 +525,11 @@
 	      will always occur unless suppressed by the use of
 	      <code class="option">-i</code> or <code class="option">+noroot</code> and
 	      <code class="option">+nodlv</code>.
-	    </p></dd>
+	    </p>
+	  </dd>
 <dt><span class="term"><code class="option">+[no]root[=ROOT]</code></span></dt>
-<dd><p>
+<dd>
+	    <p>
 	      Indicates whether to perform conventional (non-lookaside)
 	      DNSSEC validation, and if so, specifies the
 	      name of a trust anchor.  The default is to validate using
@@ -428,9 +537,11 @@
 	      a built-in key.  If specifying a different trust anchor,
 	      then <code class="option">-a</code> must be used to specify a file
 	      containing the key.
-	    </p></dd>
+	    </p>
+	  </dd>
 <dt><span class="term"><code class="option">+[no]dlv[=DLV]</code></span></dt>
-<dd><p>
+<dd>
+	    <p>
 	      Indicates whether to perform DNSSEC lookaside validation,
 	      and if so, specifies the name of the DLV trust anchor.
 	      The default is to perform lookaside validation using
@@ -438,27 +549,37 @@
 	      built-in key.  If specifying a different name, then
 	      <code class="option">-a</code> must be used to specify a file
 	      containing the DLV key.
-	    </p></dd>
+	    </p>
+	  </dd>
 </dl></div>
 <p>
 
     </p>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.11"></a><h2>FILES</h2>
-<p><code class="filename">/etc/bind.keys</code></p>
-<p><code class="filename">/etc/resolv.conf</code></p>
-</div>
-<div class="refsection">
+
+    <p><code class="filename">/etc/bind.keys</code></p>
+    <p><code class="filename">/etc/resolv.conf</code></p>
+  </div>
+
+  <div class="refsection">
 <a name="id-1.12"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
-      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+
+    <p><span class="citerefentry">
+	<span class="refentrytitle">dig</span>(1)
+      </span>,
+      <span class="citerefentry">
+	<span class="refentrytitle">named</span>(8)
+      </span>,
       <em class="citetitle">RFC4034</em>,
       <em class="citetitle">RFC4035</em>,
       <em class="citetitle">RFC4431</em>,
       <em class="citetitle">RFC5074</em>,
       <em class="citetitle">RFC5155</em>.
     </p>
-</div>
+  </div>
+
 </div></body>
 </html>

bin/delv/win32/delv.dsp.in

@@ -42,7 +42,7 @@ RSC=rc.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
-# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/irs/win32/include" /I "../../../lib/irs/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/irs/win32/include" /I "../../../lib/irs/include" @CRYPTO@ /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
 # ADD BASE RSC /l 0x409 /d "NDEBUG"
 # ADD RSC /l 0x409 /d "NDEBUG"
 BSC32=bscmake.exe
@@ -66,7 +66,7 @@ LINK32=link.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /GZ /c
-# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/irs/win32/include" /I "../../../lib/irs/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/irs/win32/include" /I "../../../lib/irs/include" @CRYPTO@ /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
 # SUBTRACT CPP /X @COPTY@
 # ADD BASE RSC /l 0x409 /d "_DEBUG"
 # ADD RSC /l 0x409 /d "_DEBUG"

bin/delv/win32/delv.mak.in

@@ -118,7 +118,7 @@ CLEAN :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
 CPP=cl.exe
-CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/irs/win32/include" /I "../../../lib/irs/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\delv.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/irs/win32/include" /I "../../../lib/irs/include" @CRYPTO@ /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\delv.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
 
 .c{$(INTDIR)}.obj::
    $(CPP) @<<
@@ -192,7 +192,7 @@ CLEAN :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
 CPP=cl.exe
-CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/irs/win32/include" /I "../../../lib/irs/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/irs/win32/include" /I "../../../lib/irs/include" @CRYPTO@ /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
 
 .c{$(INTDIR)}.obj::
    $(CPP) @<<

bin/delv/win32/delv.vcxproj.in

@@ -53,14 +53,14 @@
       </PrecompiledHeader>
       <WarningLevel>Level3</WarningLevel>
       <Optimization>Disabled</Optimization>
-      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>WIN32;@CRYPTO@_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
       <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <BrowseInformation>true</BrowseInformation>
-      <AdditionalIncludeDirectories>..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\win32\include;..\..\..\lib\dns\include;..\..\..\lib\irs\win32\include;..\..\..\lib\irs\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@GEOIP_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\win32\include;..\..\..\lib\dns\include;..\..\..\lib\irs\win32\include;..\..\..\lib\irs\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
     </ClCompile>
     <Link>
       <SubSystem>Console</SubSystem>
@@ -78,7 +78,7 @@
       <Optimization>MaxSpeed</Optimization>
       <FunctionLevelLinking>true</FunctionLevelLinking>
       <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
-      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>WIN32;@CRYPTO@NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
       <WholeProgramOptimization>false</WholeProgramOptimization>
       <StringPooling>true</StringPooling>
@@ -86,7 +86,7 @@
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
-      <AdditionalIncludeDirectories>..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\win32\include;..\..\..\lib\dns\include;..\..\..\lib\irs\win32\include;..\..\..\lib\irs\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@GEOIP_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\win32\include;..\..\..\lib\dns\include;..\..\..\lib\irs\win32\include;..\..\..\lib\irs\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
     </ClCompile>
     <Link>
       <SubSystem>Console</SubSystem>

bin/dig/Makefile.in

@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2005, 2007, 2009, 2012-2015  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2005, 2007, 2009, 2012-2016  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -26,7 +26,8 @@ VERSION=@BIND9_VERSION@
 READLINE_LIB = @READLINE_LIB@
 
 CINCLUDES =	-I${srcdir}/include ${DNS_INCLUDES} ${BIND9_INCLUDES} \
-		${ISC_INCLUDES} ${LWRES_INCLUDES} ${ISCCFG_INCLUDES}
+		${ISC_INCLUDES} @DST_OPENSSL_INC@ \
+		${LWRES_INCLUDES} ${ISCCFG_INCLUDES}
 
 CDEFINES =	-DVERSION=\"${VERSION}\" @CRYPTO@
 CWARNINGS =
@@ -108,3 +109,11 @@ install:: dig@EXEEXT@ host@EXEEXT@ nslookup@EXEEXT@ installdirs
 	for m in ${MANPAGES}; do \
 		${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man1; \
 		done
+
+uninstall::
+	for m in ${MANPAGES}; do \
+		rm -f ${DESTDIR}${mandir}/man1/$$m ; \
+	done
+	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${bindir}/nslookup@EXEEXT@
+	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${bindir}/host@EXEEXT@
+	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${bindir}/dig@EXEEXT@

bin/dig/dig.1

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004-2011, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2011, 2013-2017 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000-2003 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
@@ -270,7 +270,9 @@ hmac\-sha384, or
 hmac\-sha512\&. If
 \fIhmac\fR
 is not specified, the default is
-hmac\-md5\&.
+hmac\-md5
+or if MD5 was disabled
+hmac\-sha256\&.
 .sp
 NOTE: You should use the
 \fB\-k\fR
@@ -437,6 +439,11 @@ Show [or do not show] the IP address and port number that supplied the answer wh
 option is enabled\&. If short form answers are requested, the default is not to show the source address and port number of the server that provided the answer\&.
 .RE
 .PP
+\fB+[no]idnout\fR
+.RS 4
+Convert [do not convert] puny code on output\&. This requires IDN SUPPORT to have been enabled at compile time\&. The default is to convert output\&.
+.RE
+.PP
 \fB+[no]ignore\fR
 .RS 4
 Ignore truncation in UDP responses instead of retrying with TCP\&. By default, TCP retries are performed\&.
@@ -560,7 +567,9 @@ Perform [do not perform] a search showing intermediate results\&.
 .PP
 \fB+[no]sigchase\fR
 .RS 4
-Chase DNSSEC signature chains\&. Requires dig be compiled with \-DDIG_SIGCHASE\&.
+Chase DNSSEC signature chains\&. Requires dig be compiled with \-DDIG_SIGCHASE\&. This feature is deprecated\&. Use
+\fBdelv\fR
+instead\&.
 .RE
 .PP
 \fB+[no]sit\fR\fB[=####]\fR
@@ -593,7 +602,7 @@ Send (don\*(Aqt send) an EDNS Client Subnet option with the specified IP address
 .sp
 \fBdig +subnet=0\&.0\&.0\&.0/0\fR, or simply
 \fBdig +subnet=0\fR
-for short, sends an EDNS client\-subnet option with an empty address and a source prefix\-length of zero, which signals a resolver that the client\*(Aqs address information must
+for short, sends an EDNS CLIENT\-SUBNET option with an empty address and a source prefix\-length of zero, which signals a resolver that the client\*(Aqs address information must
 \fInot\fR
 be used when resolving this query\&.
 .RE
@@ -616,7 +625,9 @@ to less than 1 will result in a query timeout of 1 second being applied\&.
 .PP
 \fB+[no]topdown\fR
 .RS 4
-When chasing DNSSEC signature chains perform a top\-down validation\&. Requires dig be compiled with \-DDIG_SIGCHASE\&.
+When chasing DNSSEC signature chains perform a top\-down validation\&. Requires dig be compiled with \-DDIG_SIGCHASE\&. This feature is deprecated\&. Use
+\fBdelv\fR
+instead\&.
 .RE
 .PP
 \fB+[no]trace\fR
@@ -653,7 +664,9 @@ then
 trusted\-key\&.key
 in the current directory\&.
 .sp
-Requires dig be compiled with \-DDIG_SIGCHASE\&.
+Requires dig be compiled with \-DDIG_SIGCHASE\&. This feature is deprecated\&. Use
+\fBdelv\fR
+instead\&.
 .RE
 .PP
 \fB+[no]ttlid\fR
@@ -725,6 +738,7 @@ runs\&.
 ${HOME}/\&.digrc
 .SH "SEE ALSO"
 .PP
+\fBdelv\fR(1),
 \fBhost\fR(1),
 \fBnamed\fR(8),
 \fBdnssec-keygen\fR(8),
@@ -737,7 +751,7 @@ There are probably too many query options\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2004-2011, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004-2011, 2013-2017 Internet Systems Consortium, Inc. ("ISC")
 .br
 Copyright \(co 2000-2003 Internet Software Consortium.
 .br

bin/dig/dig.c

@@ -32,6 +32,8 @@
 #include <isc/task.h>
 #include <isc/util.h>
 
+#include <pk11/site.h>
+
 #include <dns/byaddr.h>
 #include <dns/fixedname.h>
 #include <dns/masterdump.h>
@@ -208,6 +210,7 @@ help(void) {
 "                 +[no]expire         (Request time to expire)\n"
 "                 +[no]fail           (Don't try next server on SERVFAIL)\n"
 "                 +[no]identify       (ID responders in short answers)\n"
+"                 +[no]idnout         (convert IDN response)\n"
 "                 +[no]ignore         (Don't revert to TCP for TC responses.)"
 "\n"
 "                 +[no]keepopen       (Keep the TCP socket open between queries)\n"
@@ -714,7 +717,7 @@ cleanup:
 static void
 printgreeting(int argc, char **argv, dig_lookup_t *lookup) {
 	int i;
-	int remaining;
+	size_t remaining;
 	static isc_boolean_t first = ISC_TRUE;
 	char append[MXNAME];
 
@@ -1022,13 +1025,29 @@ plus_option(const char *option, isc_boolean_t is_batchfile,
 	case 'i':
 		switch (cmd[1]) {
 		case 'd': /* identify */
-			FULLCHECK("identify");
-			lookup->identify = state;
+			switch (cmd[2]) {
+			case 'e':
+				FULLCHECK("identify");
+				lookup->identify = state;
+				break;
+			case 'n':
+				FULLCHECK("idnout");
+#ifndef WITH_IDN
+				fprintf(stderr, ";; IDN support not enabled\n");
+#else
+				lookup->idnout = state;
+#endif
+				break;
+			default:
+				goto invalid_option;
+			}
 			break;
 		case 'g': /* ignore */
-		default: /* Inherits default for compatibility */
+		default: /*
+			  * Inherits default for compatibility (+[no]i*).
+			  */
 			FULLCHECK("ignore");
-			lookup->ignore = ISC_TRUE;
+			lookup->ignore = state;
 		}
 		break;
 	case 'k':
@@ -1529,7 +1548,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 		}
 		*open_type_class = ISC_FALSE;
 		tr.base = value;
-		tr.length = strlen(value);
+		tr.length = (unsigned int) strlen(value);
 		result = dns_rdataclass_fromtext(&rdclass,
 						 (isc_textregion_t *)&tr);
 		if (result == ISC_R_SUCCESS) {
@@ -1580,7 +1599,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 			result = ISC_R_SUCCESS;
 		} else {
 			tr.base = value;
-			tr.length = strlen(value);
+			tr.length = (unsigned int) strlen(value);
 			result = dns_rdatatype_fromtext(&rdtype,
 						(isc_textregion_t *)&tr);
 			if (result == ISC_R_SUCCESS &&
@@ -1635,7 +1654,11 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 			ptr = ptr2;
 			ptr2 = ptr3;
 		} else  {
+#ifndef PK11_MD5_DISABLE
 			hmacname = DNS_TSIG_HMACMD5_NAME;
+#else
+			hmacname = DNS_TSIG_HMACSHA256_NAME;
+#endif
 			digestbits = 0;
 		}
 		strncpy(keynametext, ptr, sizeof(keynametext));
@@ -1859,7 +1882,8 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
 					result = ISC_R_SUCCESS;
 				} else {
 					tr.base = rv[0];
-					tr.length = strlen(rv[0]);
+					tr.length =
+						(unsigned int) strlen(rv[0]);
 					result = dns_rdatatype_fromtext(&rdtype,
 						(isc_textregion_t *)&tr);
 					if (result == ISC_R_SUCCESS &&

bin/dig/dig.docbook

@@ -1,7 +1,7 @@
 <!DOCTYPE book [
 <!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004-2011, 2013-2016  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2011, 2013-2017  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dig">
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dig">
   <info>
     <date>2014-02-19</date>
   </info>
@@ -52,6 +52,7 @@
       <year>2014</year>
       <year>2015</year>
       <year>2016</year>
+      <year>2017</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -402,7 +403,8 @@
 	    <literal>hmac-sha1</literal>, <literal>hmac-sha224</literal>,
 	    <literal>hmac-sha256</literal>, <literal>hmac-sha384</literal>, or
 	    <literal>hmac-sha512</literal>.  If <parameter>hmac</parameter>
-	    is not specified, the default is <literal>hmac-md5</literal>.
+	    is not specified, the default is <literal>hmac-md5</literal>
+	    or if MD5 was disabled <literal>hmac-sha256</literal>.
 	  </para>
 	  <para>
 	    NOTE: You should use the <option>-k</option> option and
@@ -721,6 +723,17 @@
 	  </listitem>
 	</varlistentry>
 
+	<varlistentry>
+	  <term><option>+[no]idnout</option></term>
+	  <listitem>
+	    <para>
+	      Convert [do not convert] puny code on output.
+	      This requires IDN SUPPORT to have been enabled at
+	      compile time.  The default is to convert output.
+	    </para>
+	  </listitem>
+	</varlistentry>
+
 	<varlistentry>
 	  <term><option>+[no]ignore</option></term>
 	  <listitem>
@@ -929,8 +942,9 @@
 	  <term><option>+[no]sigchase</option></term>
 	  <listitem>
 	    <para>
-	      Chase DNSSEC signature chains.  Requires dig be
-	      compiled with -DDIG_SIGCHASE.
+	      Chase DNSSEC signature chains. Requires dig be compiled
+	      with -DDIG_SIGCHASE. This feature is deprecated.
+	      Use <command>delv</command> instead.
 	    </para>
 	  </listitem>
 	</varlistentry>
@@ -986,7 +1000,7 @@
 	    <para>
               <command>dig +subnet=0.0.0.0/0</command>, or simply
               <command>dig +subnet=0</command> for short, sends an EDNS
-              client-subnet option with an empty address and a source
+              CLIENT-SUBNET option with an empty address and a source
               prefix-length of zero, which signals a resolver that
               the client's address information must
               <emphasis>not</emphasis> be used when resolving
@@ -1029,6 +1043,7 @@
 	    <para>
 	      When chasing DNSSEC signature chains perform a top-down
 	      validation.  Requires dig be compiled with -DDIG_SIGCHASE.
+	      This feature is deprecated. Use <command>delv</command> instead.
 	    </para>
 	  </listitem>
 	</varlistentry>
@@ -1082,6 +1097,7 @@
 	      directory.
 	    </para> <para>
 	      Requires dig be compiled with -DDIG_SIGCHASE.
+	      This feature is deprecated. Use <command>delv</command> instead.
 	    </para>
 	  </listitem>
 	</varlistentry>
@@ -1188,6 +1204,9 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
   <refsection><info><title>SEE ALSO</title></info>
 
     <para><citerefentry>
+	<refentrytitle>delv</refentrytitle><manvolnum>1</manvolnum>
+      </citerefentry>,
+      <citerefentry>
 	<refentrytitle>host</refentrytitle><manvolnum>1</manvolnum>
       </citerefentry>,
       <citerefentry>

bin/dig/dighost.c

@@ -93,6 +93,8 @@
 #include <isc/types.h>
 #include <isc/util.h>
 
+#include <pk11/site.h>
+
 #include <isccfg/namedconf.h>
 
 #include <lwres/lwres.h>
@@ -476,9 +478,9 @@ reverse_octets(const char *in, char **p, char *end) {
 		result = append(".", 1, p, end);
 		if (result != ISC_R_SUCCESS)
 			return (result);
-		len = (int)(dot - in);
+		len = (int) (dot - in);
 	} else {
-		len = strlen(in);
+		len = (int) strlen(in);
 	}
 	return (append(in, len, p, end));
 }
@@ -770,7 +772,6 @@ make_empty_lookup(void) {
 	looknew->sendmsg = NULL;
 	looknew->name = NULL;
 	looknew->oname = NULL;
-	looknew->timer = NULL;
 	looknew->xfr_q = NULL;
 	looknew->current_query = NULL;
 	looknew->doing_xfr = ISC_FALSE;
@@ -787,6 +788,11 @@ make_empty_lookup(void) {
 	looknew->opcode = dns_opcode_query;
 	looknew->expire = ISC_FALSE;
 	looknew->nsid = ISC_FALSE;
+#ifdef WITH_IDN
+	looknew->idnout = ISC_TRUE;
+#else
+	looknew->idnout = ISC_FALSE;
+#endif
 #ifdef ISC_PLATFORM_USESIT
 	looknew->sit = ISC_FALSE;
 #endif
@@ -890,6 +896,7 @@ clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers) {
 	looknew->ednsopts = lookold->ednsopts;
 	looknew->ednsoptscnt = lookold->ednsoptscnt;
 	looknew->ednsneg = lookold->ednsneg;
+	looknew->idnout = lookold->idnout;
 #ifdef DIG_SIGCHASE
 	looknew->sigchase = lookold->sigchase;
 #if DIG_SIGCHASE_TD
@@ -974,7 +981,7 @@ setup_text_key(void) {
 	isc_result_t result;
 	dns_name_t keyname;
 	isc_buffer_t secretbuf;
-	int secretsize;
+	unsigned int secretsize;
 	unsigned char *secretstore;
 
 	debug("setup_text_key()");
@@ -983,7 +990,7 @@ setup_text_key(void) {
 	dns_name_init(&keyname, NULL);
 	check_result(result, "dns_name_init");
 	isc_buffer_putstr(namebuf, keynametext);
-	secretsize = strlen(keysecret) * 3 / 4;
+	secretsize = (unsigned int) strlen(keysecret) * 3 / 4;
 	secretstore = isc_mem_allocate(mctx, secretsize);
 	if (secretstore == NULL)
 		fatal("memory allocation failure in %s:%d",
@@ -1005,8 +1012,8 @@ setup_text_key(void) {
 		goto failure;
 
 	result = dns_tsigkey_create(&keyname, hmacname, secretstore,
-				    secretsize, ISC_FALSE, NULL, 0, 0, mctx,
-				    NULL, &key);
+				    (int)secretsize, ISC_FALSE, NULL, 0, 0,
+				    mctx, NULL, &key);
  failure:
 	if (result != ISC_R_SUCCESS)
 		printf(";; Couldn't create key %s: %s\n",
@@ -1068,11 +1075,24 @@ parse_netprefix(isc_sockaddr_t **sap, const char *value) {
 	isc_uint32_t prefix_length = 0xffffffff;
 	char *slash = NULL;
 	isc_boolean_t parsed = ISC_FALSE;
+	isc_boolean_t prefix_parsed = ISC_FALSE;
 	char buf[sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:XXX.XXX.XXX.XXX/128")];
 
 	if (strlcpy(buf, value, sizeof(buf)) >= sizeof(buf))
 		fatal("invalid prefix '%s'\n", value);
 
+	sa = isc_mem_allocate(mctx, sizeof(*sa));
+	if (sa == NULL)
+		fatal("out of memory");
+	memset(sa, 0, sizeof(*sa));
+
+	if (strcmp(buf, "0") == 0) {
+		sa->type.sa.sa_family = AF_UNSPEC;
+		parsed = ISC_TRUE;
+		prefix_length = 0;
+		goto done;
+	}
+
 	slash = strchr(buf, '/');
 	if (slash != NULL) {
 		*slash = '\0';
@@ -1081,16 +1101,9 @@ parse_netprefix(isc_sockaddr_t **sap, const char *value) {
 			fatal("invalid prefix length in '%s': %s\n",
 			      value, isc_result_totext(result));
 		}
+		prefix_parsed = ISC_TRUE;
 	}
 
-	if (strcmp(buf, "0") == 0) {
-		parsed = ISC_TRUE;
-		prefix_length = 0;
-	}
-
-	sa = isc_mem_allocate(mctx, sizeof(*sa));
-	if (sa == NULL)
-		fatal("out of memory");
 	if (inet_pton(AF_INET6, buf, &in6) == 1) {
 		parsed = ISC_TRUE;
 		isc_sockaddr_fromin6(sa, &in6, 0);
@@ -1101,7 +1114,7 @@ parse_netprefix(isc_sockaddr_t **sap, const char *value) {
 		isc_sockaddr_fromin(sa, &in4, 0);
 		if (prefix_length > 32)
 			prefix_length = 32;
-	} else if (prefix_length != 0xffffffff && prefix_length != 0) {
+	} else if (prefix_parsed) {
 		int i;
 
 		for (i = 0; i < 3 && strlen(buf) < sizeof(buf) - 2; i++) {
@@ -1120,10 +1133,8 @@ parse_netprefix(isc_sockaddr_t **sap, const char *value) {
 	if (!parsed)
 		fatal("invalid address '%s'", value);
 
+done:
 	sa->length = prefix_length;
-	if (prefix_length == 0)
-		sa->type.sa.sa_family = AF_UNSPEC;
-
 	*sap = sa;
 
 	return (ISC_R_SUCCESS);
@@ -1135,23 +1146,26 @@ parse_netprefix(isc_sockaddr_t **sap, const char *value) {
 void
 parse_hmac(const char *hmac) {
 	char buf[20];
-	int len;
+	size_t len;
 
 	REQUIRE(hmac != NULL);
 
 	len = strlen(hmac);
-	if (len >= (int) sizeof(buf))
-		fatal("unknown key type '%.*s'", len, hmac);
+	if (len >= sizeof(buf))
+		fatal("unknown key type '%.*s'", (int)len, hmac);
 	strlcpy(buf, hmac, sizeof(buf));
 
 	digestbits = 0;
 
+#ifndef PK11_MD5_DISABLE
 	if (strcasecmp(buf, "hmac-md5") == 0) {
 		hmacname = DNS_TSIG_HMACMD5_NAME;
 	} else if (strncasecmp(buf, "hmac-md5-", 9) == 0) {
 		hmacname = DNS_TSIG_HMACMD5_NAME;
 		digestbits = parse_bits(&buf[9], "digest-bits [0..128]", 128);
-	} else if (strcasecmp(buf, "hmac-sha1") == 0) {
+	} else
+#endif
+	if (strcasecmp(buf, "hmac-sha1") == 0) {
 		hmacname = DNS_TSIG_HMACSHA1_NAME;
 		digestbits = 0;
 	} else if (strncasecmp(buf, "hmac-sha1-", 10) == 0) {
@@ -1264,9 +1278,11 @@ setup_file_key(void) {
 	}
 
 	switch (dst_key_alg(dstkey)) {
+#ifndef PK11_MD5_DISABLE
 	case DST_ALG_HMACMD5:
 		hmacname = DNS_TSIG_HMACMD5_NAME;
 		break;
+#endif
 	case DST_ALG_HMACSHA1:
 		hmacname = DNS_TSIG_HMACSHA1_NAME;
 		break;
@@ -1543,7 +1559,7 @@ save_opt(dig_lookup_t *lookup, char *code, char *value) {
 		buf = isc_mem_allocate(mctx, strlen(value)/2 + 1);
 		if (buf == NULL)
 			fatal("out of memory");
-		isc_buffer_init(&b, buf, strlen(value)/2 + 1);
+		isc_buffer_init(&b, buf, (unsigned int) strlen(value)/2 + 1);
 		result = isc_hex_decodestring(value, &b);
 		check_result(result, "isc_hex_decodestring");
 		ednsopts[ednsoptscnt].value = isc_buffer_base(&b);
@@ -1628,6 +1644,8 @@ clear_query(dig_query_t *query) {
 
 	debug("clear_query(%p)", query);
 
+	if (query->timer != NULL)
+		isc_timer_detach(&query->timer);
 	lookup = query->lookup;
 
 	if (lookup->current_query == query)
@@ -1721,8 +1739,6 @@ destroy_lookup(dig_lookup_t *lookup) {
 		debug("freeing buffer %p", lookup->querysig);
 		isc_buffer_free(&lookup->querysig);
 	}
-	if (lookup->timer != NULL)
-		isc_timer_detach(&lookup->timer);
 	if (lookup->sendspace != NULL)
 		isc_mempool_put(commctx, lookup->sendspace);
 
@@ -2177,7 +2193,7 @@ isc_boolean_t
 setup_lookup(dig_lookup_t *lookup) {
 	isc_result_t result;
 	isc_uint32_t id;
-	int len;
+	unsigned int len;
 	dig_server_t *serv;
 	dig_query_t *query;
 	isc_buffer_t b;
@@ -2193,7 +2209,8 @@ setup_lookup(dig_lookup_t *lookup) {
 #endif
 
 #ifdef WITH_IDN
-	result = dns_name_settotextfilter(output_filter);
+	result = dns_name_settotextfilter(lookup->idnout ?
+					  output_filter : NULL);
 	check_result(result, "dns_name_settotextfilter");
 #endif
 
@@ -2286,7 +2303,7 @@ setup_lookup(dig_lookup_t *lookup) {
 		check_result(result, "dns_message_gettempname");
 		dns_name_init(lookup->oname, NULL);
 		/* XXX Helper funct to conv char* to name? */
-		len = strlen(lookup->origin->origin);
+		len = (unsigned int) strlen(lookup->origin->origin);
 		isc_buffer_init(&b, lookup->origin->origin, len);
 		isc_buffer_add(&b, len);
 		result = dns_name_fromtext(lookup->oname, &b, dns_rootname,
@@ -2308,7 +2325,7 @@ setup_lookup(dig_lookup_t *lookup) {
 
 			dns_fixedname_init(&fixed);
 			name = dns_fixedname_name(&fixed);
-			len = strlen(lookup->textname);
+			len = (unsigned int) strlen(lookup->textname);
 			isc_buffer_init(&b, lookup->textname, len);
 			isc_buffer_add(&b, len);
 			result = dns_name_fromtext(name, &b, NULL, 0, NULL);
@@ -2342,14 +2359,14 @@ setup_lookup(dig_lookup_t *lookup) {
 			dns_name_clone(dns_rootname, lookup->name);
 		else {
 #ifdef WITH_IDN
-			len = strlen(idn_textname);
+			len = (unsigned int) strlen(idn_textname);
 			isc_buffer_init(&b, idn_textname, len);
 			isc_buffer_add(&b, len);
 			result = dns_name_fromtext(lookup->name, &b,
 						   dns_rootname, 0,
 						   &lookup->namebuf);
 #else
-			len = strlen(lookup->textname);
+			len = (unsigned int) strlen(lookup->textname);
 			isc_buffer_init(&b, lookup->textname, len);
 			isc_buffer_add(&b, len);
 			result = dns_name_fromtext(lookup->name, &b,
@@ -2473,7 +2490,8 @@ setup_lookup(dig_lookup_t *lookup) {
 		}
 
 		if (lookup->ecs_addr != NULL) {
-			isc_uint8_t addr[16], family, proto;
+			isc_uint8_t addr[16];
+			isc_uint16_t family;
 			isc_uint32_t plen;
 			struct sockaddr *sa;
 			struct sockaddr_in *sin;
@@ -2490,46 +2508,65 @@ setup_lookup(dig_lookup_t *lookup) {
 			opts[i].code = DNS_OPT_CLIENT_SUBNET;
 			opts[i].length = (isc_uint16_t) addrl + 4;
 			check_result(result, "isc_buffer_allocate");
-			isc_buffer_init(&b, ecsbuf, sizeof(ecsbuf));
 
-			/* If prefix length is zero, don't set family */
-			proto = sa->sa_family;
-			if (plen == 0)
-				proto = AF_UNSPEC;
-
-			switch (proto) {
+			/*
+			 * XXXMUKS: According to RFC7871, "If there is
+			 * no ADDRESS set, i.e., SOURCE PREFIX-LENGTH is
+			 * set to 0, then FAMILY SHOULD be set to the
+			 * transport over which the query is sent."
+			 *
+			 * However, at this point we don't know what
+			 * transport(s) we'll be using, so we can't
+			 * set the value now. For now, we're using
+			 * IPv4 as the default the +subnet option
+			 * used an IPv4 prefix, or for +subnet=0,
+			 * and IPv6 if the +subnet option used an
+			 * IPv6 prefix.
+			 *
+			 * (For future work: preserve the offset into
+			 * the buffer where the family field is;
+			 * that way we can update it in send_udp()
+			 * or send_tcp_connect() once we know
+			 * what it outght to be.)
+			 */
+			switch (sa->sa_family) {
 			case AF_UNSPEC:
 				INSIST(plen == 0);
-				family = 0;
+				family = 1;
 				break;
 			case AF_INET:
+				INSIST(plen <= 32);
 				family = 1;
 				sin = (struct sockaddr_in *) sa;
-				memmove(addr, &sin->sin_addr, 4);
+				memmove(addr, &sin->sin_addr, addrl);
 				break;
 			case AF_INET6:
+				INSIST(plen <= 128);
 				family = 2;
 				sin6 = (struct sockaddr_in6 *) sa;
-				memmove(addr, &sin6->sin6_addr, 16);
+				memmove(addr, &sin6->sin6_addr, addrl);
 				break;
 			default:
 				INSIST(0);
 			}
 
-			/* Mask off last address byte */
-			if (addrl > 0 && (plen % 8) != 0)
-				addr[addrl - 1] &= ~0 << (8 - (plen % 8));
-
+			isc_buffer_init(&b, ecsbuf, sizeof(ecsbuf));
 			/* family */
 			isc_buffer_putuint16(&b, family);
 			/* source prefix-length */
 			isc_buffer_putuint8(&b, plen);
 			/* scope prefix-length */
 			isc_buffer_putuint8(&b, 0);
+
 			/* address */
-			if (addrl > 0)
+			if (addrl > 0) {
+				/* Mask off last address byte */
+				if ((plen % 8) != 0)
+					addr[addrl - 1] &=
+						~0U << (8 - (plen % 8));
 				isc_buffer_putmem(&b, addr,
 						  (unsigned)addrl);
+			}
 
 			opts[i].value = (isc_uint8_t *) ecsbuf;
 			i++;
@@ -2607,6 +2644,7 @@ setup_lookup(dig_lookup_t *lookup) {
 		debug("create query %p linked to lookup %p",
 		       query, lookup);
 		query->lookup = lookup;
+		query->timer = NULL;
 		query->waiting_connect = ISC_FALSE;
 		query->waiting_senddone = ISC_FALSE;
 		query->pending_free = ISC_FALSE;
@@ -2616,6 +2654,7 @@ setup_lookup(dig_lookup_t *lookup) {
 		query->second_rr_rcvd = ISC_FALSE;
 		query->first_repeat_rcvd = ISC_FALSE;
 		query->warn_id = ISC_TRUE;
+		query->timedout = ISC_FALSE;
 		query->first_rr_serial = 0;
 		query->second_rr_serial = 0;
 		query->servname = serv->servername;
@@ -2721,8 +2760,6 @@ cancel_lookup(dig_lookup_t *lookup) {
 		}
 		query = next;
 	}
-	if (lookup->timer != NULL)
-		isc_timer_detach(&lookup->timer);
 	lookup->pending = ISC_FALSE;
 	lookup->retries = 0;
 }
@@ -2740,7 +2777,7 @@ bringup_timer(dig_query_t *query, unsigned int default_timeout) {
 	 * just reset it.
 	 */
 	l = query->lookup;
-	if (ISC_LIST_NEXT(query, link) != NULL)
+	if (ISC_LINK_LINKED(query, link) && ISC_LIST_NEXT(query, link) != NULL)
 		local_timeout = SERVER_TIMEOUT;
 	else {
 		if (timeout == 0)
@@ -2750,21 +2787,21 @@ bringup_timer(dig_query_t *query, unsigned int default_timeout) {
 	}
 	debug("have local timeout of %d", local_timeout);
 	isc_interval_set(&l->interval, local_timeout, 0);
-	if (l->timer != NULL)
-		isc_timer_detach(&l->timer);
+	if (query->timer != NULL)
+		isc_timer_detach(&query->timer);
 	result = isc_timer_create(timermgr, isc_timertype_once, NULL,
 				  &l->interval, global_task, connect_timeout,
-				  l, &l->timer);
+				  query, &query->timer);
 	check_result(result, "isc_timer_create");
 }
 
 static void
-force_timeout(dig_lookup_t *l, dig_query_t *query) {
+force_timeout(dig_query_t *query) {
 	isc_event_t *event;
 
 	debug("force_timeout ()");
 	event = isc_event_allocate(mctx, query, ISC_TIMEREVENT_IDLE,
-				   connect_timeout, l,
+				   connect_timeout, query,
 				   sizeof(isc_event_t));
 	if (event == NULL) {
 		fatal("isc_event_allocate: %s",
@@ -2778,8 +2815,8 @@ force_timeout(dig_lookup_t *l, dig_query_t *query) {
 	 * We need to cancel the possible timeout event not to confuse
 	 * ourselves due to the duplicate events.
 	 */
-	if (l->timer != NULL)
-		isc_timer_detach(&l->timer);
+	if (query->timer != NULL)
+		isc_timer_detach(&query->timer);
 }
 
 
@@ -2809,7 +2846,7 @@ send_tcp_connect(dig_query_t *query) {
 		 * by triggering an immediate 'timeout' (we lie, but the effect
 		 * is the same).
 		 */
-		force_timeout(l, query);
+		force_timeout(query);
 		return;
 	}
 
@@ -2819,7 +2856,10 @@ send_tcp_connect(dig_query_t *query) {
 		printf(";; Skipping server %s, incompatible "
 		       "address family\n", query->servname);
 		query->waiting_connect = ISC_FALSE;
-		next = ISC_LIST_NEXT(query, link);
+		if (ISC_LINK_LINKED(query, link))
+			next = ISC_LIST_NEXT(query, link);
+		else
+			next = NULL;
 		l = query->lookup;
 		clear_query(query);
 		if (next == NULL) {
@@ -2870,9 +2910,11 @@ send_tcp_connect(dig_query_t *query) {
 	 */
 	if (l->ns_search_only && !l->trace_root) {
 		debug("sending next, since searching");
-		next = ISC_LIST_NEXT(query, link);
-		if (ISC_LINK_LINKED(query, link))
+		if (ISC_LINK_LINKED(query, link)) {
+			next = ISC_LIST_NEXT(query, link);
 			ISC_LIST_DEQUEUE(l->q, query, link);
+		} else
+			next = NULL;
 		ISC_LIST_ENQUEUE(l->connecting, query, clink);
 		if (next != NULL)
 			send_tcp_connect(next);
@@ -2913,7 +2955,7 @@ send_udp(dig_query_t *query) {
 		result = get_address(query->servname, port, &query->sockaddr);
 		if (result != ISC_R_SUCCESS) {
 			/* This servname doesn't have an address. */
-			force_timeout(l, query);
+			force_timeout(query);
 			return;
 		}
 
@@ -2968,7 +3010,7 @@ send_udp(dig_query_t *query) {
 static void
 connect_timeout(isc_task_t *task, isc_event_t *event) {
 	dig_lookup_t *l = NULL;
-	dig_query_t *query = NULL, *next, *cq;
+	dig_query_t *query = NULL, *cq;
 
 	UNUSED(task);
 	REQUIRE(event->ev_type == ISC_TIMEREVENT_IDLE);
@@ -2976,13 +3018,14 @@ connect_timeout(isc_task_t *task, isc_event_t *event) {
 	debug("connect_timeout()");
 
 	LOCK_LOOKUP;
-	l = event->ev_arg;
-	query = l->current_query;
+	query = event->ev_arg;
+	l = query->lookup;
 	isc_event_free(&event);
 
 	INSIST(!free_now);
 
 	if ((query != NULL) && (query->lookup->current_query != NULL) &&
+	    ISC_LINK_LINKED(query->lookup->current_query, link) &&
 	    (ISC_LIST_NEXT(query->lookup->current_query, link) != NULL)) {
 		debug("trying next server...");
 		cq = query->lookup->current_query;
@@ -2992,14 +3035,17 @@ connect_timeout(isc_task_t *task, isc_event_t *event) {
 			if (query->sock != NULL)
 				isc_socket_cancel(query->sock, NULL,
 						  ISC_SOCKCANCEL_ALL);
-			next = ISC_LIST_NEXT(cq, link);
-			if (next != NULL)
-				send_tcp_connect(next);
+			send_tcp_connect(ISC_LIST_NEXT(cq, link));
 		}
 		UNLOCK_LOOKUP;
 		return;
 	}
 
+	if (l->tcp_mode && query->sock != NULL) {
+		query->timedout = ISC_TRUE;
+		isc_socket_cancel(query->sock, NULL, ISC_SOCKCANCEL_ALL);
+	}
+
 	if (l->retries > 1) {
 		if (!l->tcp_mode) {
 			l->retries--;
@@ -3014,9 +3060,11 @@ connect_timeout(isc_task_t *task, isc_event_t *event) {
 			check_next_lookup(l);
 		}
 	} else {
-		fputs(l->cmdline, stdout);
-		printf(";; connection timed out; no servers could be "
-		       "reached\n");
+		if (!l->ns_search_only) {
+			fputs(l->cmdline, stdout);
+			printf(";; connection timed out; no servers could be "
+			       "reached\n");
+		}
 		cancel_lookup(l);
 		check_next_lookup(l);
 		if (exitcode < 9)
@@ -3182,6 +3230,7 @@ launch_next_query(dig_query_t *query, isc_boolean_t include_question) {
  */
 static void
 connect_done(isc_task_t *task, isc_event_t *event) {
+	char sockstr[ISC_SOCKADDR_FORMATSIZE];
 	isc_socketevent_t *sevent = NULL;
 	dig_query_t *query = NULL, *next;
 	dig_lookup_t *l;
@@ -3203,6 +3252,12 @@ connect_done(isc_task_t *task, isc_event_t *event) {
 
 	if (sevent->result == ISC_R_CANCELED) {
 		debug("in cancel handler");
+		isc_sockaddr_format(&query->sockaddr, sockstr, sizeof(sockstr));
+		if (query->timedout)
+			printf(";; Connection to %s(%s) for %s failed: %s.\n",
+			       sockstr, query->servname,
+			       query->lookup->textname,
+			       isc_result_totext(ISC_R_TIMEDOUT));
 		isc_socket_detach(&query->sock);
 		INSIST(sockcount > 0);
 		sockcount--;
@@ -3216,7 +3271,6 @@ connect_done(isc_task_t *task, isc_event_t *event) {
 		return;
 	}
 	if (sevent->result != ISC_R_SUCCESS) {
-		char sockstr[ISC_SOCKADDR_FORMATSIZE];
 
 		debug("unsuccessful connection: %s",
 		      isc_result_totext(sevent->result));
@@ -3227,8 +3281,8 @@ connect_done(isc_task_t *task, isc_event_t *event) {
 			       query->servname, query->lookup->textname,
 			       isc_result_totext(sevent->result));
 		isc_socket_detach(&query->sock);
+		INSIST(sockcount > 0);
 		sockcount--;
-		INSIST(sockcount >= 0);
 		/* XXX Clean up exitcodes */
 		if (exitcode < 9)
 			exitcode = 9;
@@ -3557,8 +3611,8 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 	INSIST(b == &query->recvbuf);
 	ISC_LIST_DEQUEUE(sevent->bufferlist, &query->recvbuf, link);
 
-	if ((l->tcp_mode) && (l->timer != NULL))
-		isc_timer_touch(l->timer);
+	if ((l->tcp_mode) && (query->timer != NULL))
+		isc_timer_touch(query->timer);
 	if ((!l->pending && !l->ns_search_only) || cancel_now) {
 		debug("no longer pending.  Got %s",
 			isc_result_totext(sevent->result));
@@ -3869,7 +3923,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 		 * the timeout to much longer, so brief network
 		 * outages won't cause the XFR to abort
 		 */
-		if (timeout != INT_MAX && l->timer != NULL) {
+		if (timeout != INT_MAX && query->timer != NULL) {
 			unsigned int local_timeout;
 
 			if (timeout == 0) {
@@ -3885,7 +3939,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 			}
 			debug("have local timeout of %d", local_timeout);
 			isc_interval_set(&l->interval, local_timeout, 0);
-			result = isc_timer_reset(l->timer,
+			result = isc_timer_reset(query->timer,
 						 isc_timertype_once,
 						 NULL,
 						 &l->interval,
@@ -4178,8 +4232,6 @@ cancel_all(void) {
 	}
 	cancel_now = ISC_TRUE;
 	if (current_lookup != NULL) {
-		if (current_lookup->timer != NULL)
-			isc_timer_detach(&current_lookup->timer);
 		for (q = ISC_LIST_HEAD(current_lookup->q);
 		     q != NULL;
 		     q = nq)
@@ -4587,27 +4639,33 @@ chase_scanname(dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers)
 	     msg = ISC_LIST_NEXT(msg, link)) {
 		if (dns_message_firstname(msg->msg, DNS_SECTION_ANSWER)
 		    == ISC_R_SUCCESS)
+		{
 			rdataset = chase_scanname_section(msg->msg, name,
 							  type, covers,
 							  DNS_SECTION_ANSWER);
 			if (rdataset != NULL)
 				return (rdataset);
+		}
 		if (dns_message_firstname(msg->msg, DNS_SECTION_AUTHORITY)
 		    == ISC_R_SUCCESS)
+		{
 			rdataset =
 				chase_scanname_section(msg->msg, name,
 						       type, covers,
 						       DNS_SECTION_AUTHORITY);
 			if (rdataset != NULL)
 				return (rdataset);
+		}
 		if (dns_message_firstname(msg->msg, DNS_SECTION_ADDITIONAL)
 		    == ISC_R_SUCCESS)
+		{
 			rdataset =
 				chase_scanname_section(msg->msg, name, type,
 						       covers,
 						       DNS_SECTION_ADDITIONAL);
 			if (rdataset != NULL)
 				return (rdataset);
+		}
 	}
 
 	return (NULL);

bin/dig/host.1

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007-2009, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007-2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000-2002 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
@@ -65,56 +65,74 @@ is an optional argument which is either the name or IP address of the name serve
 \fBhost\fR
 should query instead of the server or servers listed in
 /etc/resolv\&.conf\&.
+.SH "OPTIONS"
 .PP
-The
+\-4
+.RS 4
+Use IPv4 only for query transport\&. See also the
+\fB\-6\fR
+option\&.
+.RE
+.PP
+\-6
+.RS 4
+Use IPv6 only for query transport\&. See also the
+\fB\-4\fR
+option\&.
+.RE
+.PP
+\-a
+.RS 4
+"All"\&. The
 \fB\-a\fR
-(all) option is equivalent to setting the
-\fB\-v\fR
-option and asking
-\fBhost\fR
-to make a query of type ANY\&.
+option is normally equivalent to
+\fB\-v \-t \fR\fBANY\fR\&. It also affects the behaviour of the
+\fB\-l\fR
+list zone option\&.
+.RE
 .PP
-When the
-\fB\-C\fR
-option is used,
+\-c \fIclass\fR
+.RS 4
+Query class: This can be used to lookup HS (Hesiod) or CH (Chaosnet) class resource records\&. The default class is IN (Internet)\&.
+.RE
+.PP
+\-C
+.RS 4
+Check consistency:
 \fBhost\fR
-will attempt to display the SOA records for zone
+will query the SOA records for zone
 \fIname\fR
 from all the listed authoritative name servers for that zone\&. The list of name servers is defined by the NS records that are found for the zone\&.
+.RE
 .PP
-The
-\fB\-c\fR
-option instructs to make a DNS query of class
-\fIclass\fR\&. This can be used to lookup Hesiod or Chaosnet class resource records\&. The default class is IN (Internet)\&.
-.PP
-Verbose output is generated by
-\fBhost\fR
-when the
-\fB\-d\fR
-or
+\-d
+.RS 4
+Print debugging traces\&. Equivalent to the
 \fB\-v\fR
-option is used\&. The two options are equivalent\&. They have been provided for backwards compatibility\&. In previous versions, the
-\fB\-d\fR
-option switched on debugging traces and
-\fB\-v\fR
-enabled verbose output\&.
+verbose option\&.
+.RE
 .PP
-List mode is selected by the
-\fB\-l\fR
-option\&. This makes
+\-i
+.RS 4
+Obsolete\&. Use the IP6\&.INT domain for reverse lookups of IPv6 addresses as defined in RFC1886 and deprecated in RFC4159\&. The default is to use IP6\&.ARPA as specified in RFC3596\&.
+.RE
+.PP
+\-l
+.RS 4
+List zone: The
 \fBhost\fR
-perform a zone transfer for zone
-\fIname\fR\&. Transfer the zone printing out the NS, PTR and address records (A/AAAA)\&. If combined with
-\fB\-a\fR
-all records will be printed\&.
+command performs a zone transfer of zone
+\fIname\fR
+and prints out the NS, PTR and address records (A/AAAA)\&.
+.sp
+Together, the
+\fB\-l \-a\fR
+options print all records in the zone\&.
+.RE
 .PP
-The
-\fB\-i\fR
-option specifies that reverse lookups of IPv6 addresses should use the IP6\&.INT domain as defined in RFC1886\&. The default is to use IP6\&.ARPA\&.
-.PP
-The
-\fB\-N\fR
-option sets the number of dots that have to be in
+\-N \fIndots\fR
+.RS 4
+The number of dots that have to be in
 \fIname\fR
 for it to be considered absolute\&. The default value is that defined using the ndots statement in
 /etc/resolv\&.conf, or 1 if no ndots statement is present\&. Names with fewer dots are interpreted as relative names and will be searched for in the domains listed in the
@@ -123,97 +141,106 @@ or
 \fBdomain\fR
 directive in
 /etc/resolv\&.conf\&.
+.RE
 .PP
-The number of UDP retries for a lookup can be changed with the
-\fB\-R\fR
-option\&.
-\fInumber\fR
-indicates how many times
-\fBhost\fR
-will repeat a query that does not get answered\&. The default number of retries is 1\&. If
-\fInumber\fR
-is negative or zero, the number of retries will default to 1\&.
-.PP
-Non\-recursive queries can be made via the
-\fB\-r\fR
-option\&. Setting this option clears the
-\fBRD\fR
-\(em recursion desired \(em bit in the query which
-\fBhost\fR
-makes\&. This should mean that the name server receiving the query will not attempt to resolve
+\-r
+.RS 4
+Non\-recursive query: Setting this option clears the RD (recursion desired) bit in the query\&. This should mean that the name server receiving the query will not attempt to resolve
 \fIname\fR\&. The
 \fB\-r\fR
 option enables
 \fBhost\fR
-to mimic the behavior of a name server by making non\-recursive queries and expecting to receive answers to those queries that are usually referrals to other name servers\&.
+to mimic the behavior of a name server by making non\-recursive queries and expecting to receive answers to those queries that can be referrals to other name servers\&.
+.RE
 .PP
-By default,
+\-R \fInumber\fR
+.RS 4
+Number of retries for UDP queries: If
+\fInumber\fR
+is negative or zero, the number of retries will default to 1\&. The default value is 1\&.
+.RE
+.PP
+\-s
+.RS 4
+Do
+\fInot\fR
+send the query to the next nameserver if any server responds with a SERVFAIL response, which is the reverse of normal stub resolver behavior\&.
+.RE
+.PP
+\-t \fItype\fR
+.RS 4
+Query type: The
+\fItype\fR
+argument can be any recognized query type: CNAME, NS, SOA, TXT, DNSKEY, AXFR, etc\&.
+.sp
+When no query type is specified,
+\fBhost\fR
+automatically selects an appropriate query type\&. By default, it looks for A, AAAA, and MX records\&. If the
+\fB\-C\fR
+option is given, queries will be made for SOA records\&. If
+\fIname\fR
+is a dotted\-decimal IPv4 address or colon\-delimited IPv6 address,
+\fBhost\fR
+will query for PTR records\&.
+.sp
+If a query type of IXFR is chosen the starting serial number can be specified by appending an equal followed by the starting serial number (like
+\fB\-t \fR\fBIXFR=12345678\fR)\&.
+.RE
+.PP
+\-T
+.RS 4
+TCP: By default,
 \fBhost\fR
 uses UDP when making queries\&. The
 \fB\-T\fR
 option makes it use a TCP connection when querying the name server\&. TCP will be automatically selected for queries that require it, such as zone transfer (AXFR) requests\&.
+.RE
 .PP
-The
-\fB\-4\fR
-option forces
-\fBhost\fR
-to only use IPv4 query transport\&. The
-\fB\-6\fR
-option forces
-\fBhost\fR
-to only use IPv6 query transport\&.
-.PP
-The
-\fB\-t\fR
-option is used to select the query type\&.
-\fItype\fR
-can be any recognized query type: CNAME, NS, SOA, SIG, KEY, AXFR, etc\&. When no query type is specified,
-\fBhost\fR
-automatically selects an appropriate query type\&. By default, it looks for A, AAAA, and MX records, but if the
-\fB\-C\fR
-option was given, queries will be made for SOA records, and if
-\fIname\fR
-is a dotted\-decimal IPv4 address or colon\-delimited IPv6 address,
-\fBhost\fR
-will query for PTR records\&. If a query type of IXFR is chosen the starting serial number can be specified by appending an equal followed by the starting serial number (e\&.g\&. \-t IXFR=12345678)\&.
-.PP
-The time to wait for a reply can be controlled through the
-\fB\-W\fR
-and
-\fB\-w\fR
-options\&. The
-\fB\-W\fR
-option makes
-\fBhost\fR
-wait for
-\fIwait\fR
-seconds\&. If
-\fIwait\fR
-is less than one, the wait interval is set to one second\&. When the
-\fB\-w\fR
-option is used,
-\fBhost\fR
-will effectively wait forever for a reply\&. The time to wait for a response will be set to the number of seconds given by the hardware\*(Aqs maximum value for an integer quantity\&.
-.PP
-The
-\fB\-s\fR
-option tells
-\fBhost\fR\fInot\fR
-to send the query to the next nameserver if any server responds with a SERVFAIL response, which is the reverse of normal stub resolver behavior\&.
-.PP
-The
-\fB\-m\fR
-can be used to set the memory usage debugging flags
+\-m \fIflag\fR
+.RS 4
+Memory usage debugging: the flag can be
 \fIrecord\fR,
-\fIusage\fR
-and
-\fItrace\fR\&.
+\fIusage\fR, or
+\fItrace\fR\&. You can specify the
+\fB\-m\fR
+option more than once to set multiple flags\&.
+.RE
 .PP
-The
-\fB\-V\fR
-option causes
+\-v
+.RS 4
+Verbose output\&. Equivalent to the
+\fB\-d\fR
+debug option\&.
+.RE
+.PP
+\-V
+.RS 4
+Print the version number and exit\&.
+.RE
+.PP
+\-w
+.RS 4
+Wait forever: The query timeout is set to the maximum possible\&. See also the
+\fB\-W\fR
+option\&.
+.RE
+.PP
+\-W \fIwait\fR
+.RS 4
+Timeout: Wait for up to
+\fIwait\fR
+seconds for a reply\&. If
+\fIwait\fR
+is less than one, the wait interval is set to one second\&.
+.sp
+By default,
 \fBhost\fR
-to print the version number and exit\&.
+will wait for 5 seconds for UDP responses and 10 seconds for TCP connections\&.
+.sp
+See also the
+\fB\-w\fR
+option\&.
+.RE
 .SH "IDN SUPPORT"
 .PP
 If
@@ -237,7 +264,7 @@ runs\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2004, 2005, 2007-2009, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007-2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
 .br
 Copyright \(co 2000-2002 Internet Software Consortium.
 .br

bin/dig/host.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009-2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009-2016  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -145,14 +145,15 @@ show_usage(void) ISC_PLATFORM_NORETURN_POST;
 static void
 show_usage(void) {
 	fputs(
-"Usage: host [-aCdlriTwv] [-c class] [-N ndots] [-t type] [-W time]\n"
+"Usage: host [-aCdilrTvVw] [-c class] [-N ndots] [-t type] [-W time]\n"
 "            [-R number] [-m flag] hostname [server]\n"
 "       -a is equivalent to -v -t ANY\n"
 "       -c specifies query class for non-IN data\n"
 "       -C compares SOA records on authoritative nameservers\n"
 "       -d is equivalent to -v\n"
-"       -l lists all hosts in a domain, using AXFR\n"
 "       -i IP6.INT reverse lookups\n"
+"       -l lists all hosts in a domain, using AXFR\n"
+"       -m set memory debugging flag (trace|record|usage)\n"
 "       -N changes the number of dots allowed before root lookup is done\n"
 "       -r disables recursive processing\n"
 "       -R specifies number of retries for UDP packets\n"
@@ -160,12 +161,11 @@ show_usage(void) {
 "       -t specifies the query type\n"
 "       -T enables TCP/IP mode\n"
 "       -v enables verbose output\n"
+"       -V print version number and exit\n"
 "       -w specifies to wait forever for a reply\n"
 "       -W specifies how long to wait for a reply\n"
 "       -4 use IPv4 query transport only\n"
-"       -6 use IPv6 query transport only\n"
-"       -m set memory debugging flag (trace|record|usage)\n"
-"       -V print version number and exit\n", stderr);
+"       -6 use IPv6 query transport only\n", stderr);
 	exit(1);
 }
 
@@ -620,8 +620,8 @@ pre_parse_args(int argc, char **argv) {
 			memdebugging = ISC_TRUE;
 			if (strcasecmp("trace", isc_commandline_argument) == 0)
 				isc_mem_debugging |= ISC_MEM_DEBUGTRACE;
-			else if (!strcasecmp("record",
-					     isc_commandline_argument) == 0)
+			else if (strcasecmp("record",
+					    isc_commandline_argument) == 0)
 				isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
 			else if (strcasecmp("usage",
 					    isc_commandline_argument) == 0)

bin/dig/host.docbook

@@ -1,7 +1,7 @@
 <!DOCTYPE book [
 <!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004, 2005, 2007-2009, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007-2009, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2002  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.host">
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.host">
   <info>
     <date>2009-01-20</date>
   </info>
@@ -47,6 +47,7 @@
       <year>2009</year>
       <year>2014</year>
       <year>2015</year>
+      <year>2016</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -100,155 +101,269 @@
       <filename>/etc/resolv.conf</filename>.
     </para>
 
-    <para>
-      The <option>-a</option> (all) option is equivalent to setting the
-      <option>-v</option> option and asking <command>host</command> to make
-      a query of type ANY.
-    </para>
+  </refsection>
 
-    <para>
-      When the <option>-C</option> option is used, <command>host</command>
-      will attempt to display the SOA records for zone
-      <parameter>name</parameter> from all the listed
-      authoritative name
-      servers for that zone.  The list of name servers is defined by the NS
-      records that are found for the zone.
-    </para>
+  <refsection><info><title>OPTIONS</title></info>
 
-    <para>
-      The <option>-c</option> option instructs to make a DNS query of class
-      <parameter>class</parameter>.  This can be used to lookup
-      Hesiod or
-      Chaosnet class resource records.  The default class is IN (Internet).
-    </para>
+    <variablelist>
 
-    <para>
-      Verbose output is generated by <command>host</command> when
-      the
-      <option>-d</option> or <option>-v</option> option is used.  The two
-      options are equivalent.  They have been provided for backwards
-      compatibility.  In previous versions, the <option>-d</option> option
-      switched on debugging traces and <option>-v</option> enabled verbose
-      output.
-    </para>
+      <varlistentry>
+	<term>-4</term>
+	<listitem>
+	  <para>
+	    Use IPv4 only for query transport.
+	    See also the <option>-6</option> option.
+	  </para>
+	</listitem>
+      </varlistentry>
 
-    <para>
-      List mode is selected by the <option>-l</option> option.  This makes
-      <command>host</command> perform a zone transfer for zone
-      <parameter>name</parameter>.  Transfer the zone printing out
-      the NS, PTR
-      and address records (A/AAAA).  If combined with <option>-a</option>
-      all records will be printed.
-    </para>
+      <varlistentry>
+	<term>-6</term>
+	<listitem>
+	  <para>
+	    Use IPv6 only for query transport.
+	    See also the <option>-4</option> option.
+	  </para>
+	</listitem>
+      </varlistentry>
 
-    <para>
-      The <option>-i</option>
-      option specifies that reverse lookups of IPv6 addresses should
-      use the IP6.INT domain as defined in RFC1886.
-      The default is to use IP6.ARPA.
-    </para>
+      <varlistentry>
+	<term>-a</term>
+	<listitem>
+	  <para>
+	    "All". The <option>-a</option> option is normally equivalent
+	    to <option>-v -t <literal>ANY</literal></option>.
+	    It also affects the behaviour of the <option>-l</option>
+	    list zone option.
+	  </para>
+	</listitem>
+      </varlistentry>
 
-    <para>
-      The <option>-N</option> option sets the number of dots that have to be
-      in <parameter>name</parameter> for it to be considered
-      absolute.  The
-      default value is that defined using the ndots statement in
-      <filename>/etc/resolv.conf</filename>, or 1 if no ndots
-      statement is
-      present.  Names with fewer dots are interpreted as relative names and
-      will be searched for in the domains listed in the <type>search</type>
-      or <type>domain</type> directive in
-      <filename>/etc/resolv.conf</filename>.
-    </para>
+      <varlistentry>
+	<term>-c <replaceable class="parameter">class</replaceable></term>
+	<listitem>
+	  <para>
+	    Query class: This can be used to lookup HS (Hesiod) or CH
+	    (Chaosnet) class resource records. The default class is IN
+	    (Internet).
+	  </para>
+	</listitem>
+      </varlistentry>
 
-    <para>
-      The number of UDP retries for a lookup can be changed with the
-      <option>-R</option> option.  <parameter>number</parameter>
-      indicates
-      how many times <command>host</command> will repeat a query
-      that does
-      not get answered.  The default number of retries is 1.  If
-      <parameter>number</parameter> is negative or zero, the
-      number of
-      retries will default to 1.
-    </para>
+      <varlistentry>
+	<term>-C</term>
+	<listitem>
+	  <para>
+	    Check consistency: <command>host</command> will query the
+	    SOA records for zone <parameter>name</parameter> from all
+	    the listed authoritative name servers for that zone. The
+	    list of name servers is defined by the NS records that are
+	    found for the zone.
+	  </para>
+	</listitem>
+      </varlistentry>
 
-    <para>
-      Non-recursive queries can be made via the <option>-r</option> option.
-      Setting this option clears the <type>RD</type> &mdash; recursion
-      desired &mdash; bit in the query which <command>host</command> makes.
-      This should mean that the name server receiving the query will not
-      attempt to resolve <parameter>name</parameter>.  The
-      <option>-r</option> option enables <command>host</command>
-      to mimic
-      the behavior of a name server by making non-recursive queries and
-      expecting to receive answers to those queries that are usually
-      referrals to other name servers.
-    </para>
+      <varlistentry>
+	<term>-d</term>
+	<listitem>
+	  <para>
+	    Print debugging traces.
+	    Equivalent to the <option>-v</option> verbose option.
+	  </para>
+	</listitem>
+      </varlistentry>
 
-    <para>
-      By default, <command>host</command> uses UDP when making
-      queries.  The
-      <option>-T</option> option makes it use a TCP connection when querying
-      the name server.  TCP will be automatically selected for queries that
-      require it, such as zone transfer (AXFR) requests.
-    </para>
+      <varlistentry>
+	<term>-i</term>
+	<listitem>
+	  <para>
+	    Obsolete.
+	    Use the IP6.INT domain for reverse lookups of IPv6
+	    addresses as defined in RFC1886 and deprecated in RFC4159.
+	    The default is to use IP6.ARPA as specified in RFC3596.
+	  </para>
+	</listitem>
+      </varlistentry>
 
-    <para>
-      The <option>-4</option> option forces <command>host</command> to only
-      use IPv4 query transport.  The <option>-6</option> option forces
-      <command>host</command> to only use IPv6 query transport.
-    </para>
+      <varlistentry>
+	<term>-l</term>
+	<listitem>
+	  <para>
+	    List zone:
+	    The <command>host</command> command performs a zone transfer of
+	    zone <parameter>name</parameter> and prints out the NS,
+	    PTR and address records (A/AAAA).
+	  </para>
+	  <para>
+	    Together, the <option>-l -a</option>
+	    options print all records in the zone.
+	  </para>
+	</listitem>
+      </varlistentry>
 
-    <para>
-      The <option>-t</option> option is used to select the query type.
-      <parameter>type</parameter> can be any recognized query
-      type: CNAME,
-      NS, SOA, SIG, KEY, AXFR, etc.  When no query type is specified,
-      <command>host</command> automatically selects an appropriate
-      query
-      type.  By default, it looks for A, AAAA, and MX records, but if the
-      <option>-C</option> option was given, queries will be made for SOA
-      records, and if <parameter>name</parameter> is a
-      dotted-decimal IPv4
-      address or colon-delimited IPv6 address, <command>host</command> will
-      query for PTR records.  If a query type of IXFR is chosen the starting
-      serial number can be specified by appending an equal followed by the
-      starting serial number (e.g. -t IXFR=12345678).
-    </para>
+      <varlistentry>
+	<term>-N <replaceable class="parameter">ndots</replaceable></term>
+	<listitem>
+	  <para>
+	    The number of dots that have to be
+	    in <parameter>name</parameter> for it to be considered
+	    absolute. The default value is that defined using the
+	    ndots statement in <filename>/etc/resolv.conf</filename>,
+	    or 1 if no ndots statement is present. Names with fewer
+	    dots are interpreted as relative names and will be
+	    searched for in the domains listed in
+	    the <type>search</type> or <type>domain</type> directive
+	    in <filename>/etc/resolv.conf</filename>.
+	  </para>
+	</listitem>
+      </varlistentry>
 
-    <para>
-      The time to wait for a reply can be controlled through the
-      <option>-W</option> and <option>-w</option> options.  The
-      <option>-W</option> option makes <command>host</command>
-      wait for
-      <parameter>wait</parameter> seconds.  If <parameter>wait</parameter>
-      is less than one, the wait interval is set to one second.  When the
-      <option>-w</option> option is used, <command>host</command>
-      will
-      effectively wait forever for a reply.  The time to wait for a response
-      will be set to the number of seconds given by the hardware's maximum
-      value for an integer quantity.
-    </para>
+      <varlistentry>
+	<term>-r</term>
+	<listitem>
+	  <para>
+	    Non-recursive query:
+	    Setting this option clears the RD (recursion desired) bit
+	    in the query. This should mean that the name server
+	    receiving the query will not attempt to
+	    resolve <parameter>name</parameter>.
+	    The <option>-r</option> option
+	    enables <command>host</command> to mimic the behavior of a
+	    name server by making non-recursive queries and expecting
+	    to receive answers to those queries that can be
+	    referrals to other name servers.
+	  </para>
+	</listitem>
+      </varlistentry>
 
-    <para>
-      The <option>-s</option> option tells <command>host</command>
-      <emphasis>not</emphasis> to send the query to the next nameserver
-      if any server responds with a SERVFAIL response, which is the
-      reverse of normal stub resolver behavior.
-    </para>
+      <varlistentry>
+	<term>-R <replaceable class="parameter">number</replaceable></term>
+	<listitem>
+	  <para>
+	    Number of retries for UDP queries:
+	    If <parameter>number</parameter> is negative or zero, the
+	    number of retries will default to 1. The default value is 1.
+	  </para>
+	</listitem>
+      </varlistentry>
 
-    <para>
-      The <option>-m</option> can be used to set the memory usage debugging
-      flags
-      <parameter>record</parameter>, <parameter>usage</parameter> and
-      <parameter>trace</parameter>.
-    </para>
+      <varlistentry>
+	<term>-s</term>
+	<listitem>
+	  <para>
+	    Do <emphasis>not</emphasis> send the query to the next
+	    nameserver if any server responds with a SERVFAIL
+	    response, which is the reverse of normal stub resolver
+	    behavior.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-t <replaceable class="parameter">type</replaceable></term>
+	<listitem>
+	  <para>
+	    Query type:
+	    The <parameter>type</parameter> argument can be any
+	    recognized query type: CNAME, NS, SOA, TXT, DNSKEY, AXFR, etc.
+	  </para>
+	  <para>
+	    When no query type is specified, <command>host</command>
+	    automatically selects an appropriate query type. By default, it
+	    looks for A, AAAA, and MX records.
+	    If the <option>-C</option> option is given, queries will
+	    be made for SOA records.
+	    If <parameter>name</parameter> is a dotted-decimal IPv4
+	    address or colon-delimited IPv6
+	    address, <command>host</command> will query for PTR
+	    records.
+	  </para>
+	  <para>
+	    If a query type of IXFR is chosen the starting serial
+	    number can be specified by appending an equal followed by
+	    the starting serial number
+	    (like <option>-t <literal>IXFR=12345678</literal></option>).
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-T</term>
+	<listitem>
+	  <para>
+	    TCP:
+	    By default, <command>host</command> uses UDP when making
+	    queries. The <option>-T</option> option makes it use a TCP
+	    connection when querying the name server. TCP will be
+	    automatically selected for queries that require it, such
+	    as zone transfer (AXFR) requests.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-m <replaceable class="parameter">flag</replaceable></term>
+	<listitem>
+	  <para>
+	    Memory usage debugging: the flag can
+	    be <parameter>record</parameter>, <parameter>usage</parameter>,
+	    or <parameter>trace</parameter>. You can specify
+	    the <option>-m</option> option more than once to set
+	    multiple flags.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-v</term>
+	<listitem>
+	  <para>
+	    Verbose output.
+	    Equivalent to the <option>-d</option> debug option.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-V</term>
+	<listitem>
+	  <para>
+	    Print the version number and exit.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-w</term>
+	<listitem>
+	  <para>
+	    Wait forever: The query timeout is set to the maximum possible.
+	    See also the <option>-W</option> option.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-W <replaceable class="parameter">wait</replaceable></term>
+	<listitem>
+	  <para>
+	    Timeout: Wait for up to <parameter>wait</parameter>
+	    seconds for a reply. If <parameter>wait</parameter> is
+	    less than one, the wait interval is set to one second.
+	  </para>
+	  <para>
+	    By default, <command>host</command> will wait for 5
+	    seconds for UDP responses and 10 seconds for TCP
+	    connections.
+	  </para>
+	  <para>
+	    See also the <option>-w</option> option.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+    </variablelist>
 
-    <para>
-      The <option>-V</option> option causes <command>host</command>
-      to print the version number and exit.
-    </para>
   </refsection>
 
   <refsection><info><title>IDN SUPPORT</title></info>

bin/dig/host.html

@@ -1,5 +1,6 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2004, 2005, 2007-2009, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007-2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2002 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
@@ -14,7 +15,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<html>
+<html lang="en">
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>host</title>
@@ -22,24 +23,54 @@
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.host"></a><div class="titlepage"></div>
-<div class="refnamediv">
+  
+  
+
+  
+
+  <div class="refnamediv">
 <h2>Name</h2>
-<p>host &#8212; DNS lookup utility</p>
+<p>
+    host
+     &#8212; DNS lookup utility
+  </p>
 </div>
-<div class="refsynopsisdiv">
+
+  
+
+  <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">host</code>  [<code class="option">-aCdlnrsTwv</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>] [<code class="option">-R <em class="replaceable"><code>number</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-v</code>] [<code class="option">-V</code>] {name} [server]</p></div>
-</div>
-<div class="refsection">
+    <div class="cmdsynopsis"><p>
+      <code class="command">host</code> 
+       [<code class="option">-aCdlnrsTwv</code>]
+       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
+       [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>]
+       [<code class="option">-R <em class="replaceable"><code>number</code></em></code>]
+       [<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
+       [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>]
+       [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>]
+       [<code class="option">-4</code>]
+       [<code class="option">-6</code>]
+       [<code class="option">-v</code>]
+       [<code class="option">-V</code>]
+       {name}
+       [server]
+    </p></div>
+  </div>
+
+  <div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-<p><span class="command"><strong>host</strong></span>
+
+
+    <p><span class="command"><strong>host</strong></span>
       is a simple utility for performing DNS lookups.
       It is normally used to convert names to IP addresses and vice versa.
       When no arguments or options are given,
       <span class="command"><strong>host</strong></span>
       prints a short summary of its command line arguments and options.
     </p>
-<p><em class="parameter"><code>name</code></em> is the domain name that is to be
+
+    <p><em class="parameter"><code>name</code></em> is the domain name that is to be
       looked
       up.  It can also be a dotted-decimal IPv4 address or a colon-delimited
       IPv6 address, in which case <span class="command"><strong>host</strong></span> will by
@@ -51,144 +82,219 @@
       should query instead of the server or servers listed in
       <code class="filename">/etc/resolv.conf</code>.
     </p>
-<p>
-      The <code class="option">-a</code> (all) option is equivalent to setting the
-      <code class="option">-v</code> option and asking <span class="command"><strong>host</strong></span> to make
-      a query of type ANY.
-    </p>
-<p>
-      When the <code class="option">-C</code> option is used, <span class="command"><strong>host</strong></span>
-      will attempt to display the SOA records for zone
-      <em class="parameter"><code>name</code></em> from all the listed
-      authoritative name
-      servers for that zone.  The list of name servers is defined by the NS
-      records that are found for the zone.
-    </p>
-<p>
-      The <code class="option">-c</code> option instructs to make a DNS query of class
-      <em class="parameter"><code>class</code></em>.  This can be used to lookup
-      Hesiod or
-      Chaosnet class resource records.  The default class is IN (Internet).
-    </p>
-<p>
-      Verbose output is generated by <span class="command"><strong>host</strong></span> when
-      the
-      <code class="option">-d</code> or <code class="option">-v</code> option is used.  The two
-      options are equivalent.  They have been provided for backwards
-      compatibility.  In previous versions, the <code class="option">-d</code> option
-      switched on debugging traces and <code class="option">-v</code> enabled verbose
-      output.
-    </p>
-<p>
-      List mode is selected by the <code class="option">-l</code> option.  This makes
-      <span class="command"><strong>host</strong></span> perform a zone transfer for zone
-      <em class="parameter"><code>name</code></em>.  Transfer the zone printing out
-      the NS, PTR
-      and address records (A/AAAA).  If combined with <code class="option">-a</code>
-      all records will be printed.
-    </p>
-<p>
-      The <code class="option">-i</code>
-      option specifies that reverse lookups of IPv6 addresses should
-      use the IP6.INT domain as defined in RFC1886.
-      The default is to use IP6.ARPA.
-    </p>
-<p>
-      The <code class="option">-N</code> option sets the number of dots that have to be
-      in <em class="parameter"><code>name</code></em> for it to be considered
-      absolute.  The
-      default value is that defined using the ndots statement in
-      <code class="filename">/etc/resolv.conf</code>, or 1 if no ndots
-      statement is
-      present.  Names with fewer dots are interpreted as relative names and
-      will be searched for in the domains listed in the <span class="type">search</span>
-      or <span class="type">domain</span> directive in
-      <code class="filename">/etc/resolv.conf</code>.
-    </p>
-<p>
-      The number of UDP retries for a lookup can be changed with the
-      <code class="option">-R</code> option.  <em class="parameter"><code>number</code></em>
-      indicates
-      how many times <span class="command"><strong>host</strong></span> will repeat a query
-      that does
-      not get answered.  The default number of retries is 1.  If
-      <em class="parameter"><code>number</code></em> is negative or zero, the
-      number of
-      retries will default to 1.
-    </p>
-<p>
-      Non-recursive queries can be made via the <code class="option">-r</code> option.
-      Setting this option clears the <span class="type">RD</span> &#8212; recursion
-      desired &#8212; bit in the query which <span class="command"><strong>host</strong></span> makes.
-      This should mean that the name server receiving the query will not
-      attempt to resolve <em class="parameter"><code>name</code></em>.  The
-      <code class="option">-r</code> option enables <span class="command"><strong>host</strong></span>
-      to mimic
-      the behavior of a name server by making non-recursive queries and
-      expecting to receive answers to those queries that are usually
-      referrals to other name servers.
-    </p>
-<p>
-      By default, <span class="command"><strong>host</strong></span> uses UDP when making
-      queries.  The
-      <code class="option">-T</code> option makes it use a TCP connection when querying
-      the name server.  TCP will be automatically selected for queries that
-      require it, such as zone transfer (AXFR) requests.
-    </p>
-<p>
-      The <code class="option">-4</code> option forces <span class="command"><strong>host</strong></span> to only
-      use IPv4 query transport.  The <code class="option">-6</code> option forces
-      <span class="command"><strong>host</strong></span> to only use IPv6 query transport.
-    </p>
-<p>
-      The <code class="option">-t</code> option is used to select the query type.
-      <em class="parameter"><code>type</code></em> can be any recognized query
-      type: CNAME,
-      NS, SOA, SIG, KEY, AXFR, etc.  When no query type is specified,
-      <span class="command"><strong>host</strong></span> automatically selects an appropriate
-      query
-      type.  By default, it looks for A, AAAA, and MX records, but if the
-      <code class="option">-C</code> option was given, queries will be made for SOA
-      records, and if <em class="parameter"><code>name</code></em> is a
-      dotted-decimal IPv4
-      address or colon-delimited IPv6 address, <span class="command"><strong>host</strong></span> will
-      query for PTR records.  If a query type of IXFR is chosen the starting
-      serial number can be specified by appending an equal followed by the
-      starting serial number (e.g. -t IXFR=12345678).
-    </p>
-<p>
-      The time to wait for a reply can be controlled through the
-      <code class="option">-W</code> and <code class="option">-w</code> options.  The
-      <code class="option">-W</code> option makes <span class="command"><strong>host</strong></span>
-      wait for
-      <em class="parameter"><code>wait</code></em> seconds.  If <em class="parameter"><code>wait</code></em>
-      is less than one, the wait interval is set to one second.  When the
-      <code class="option">-w</code> option is used, <span class="command"><strong>host</strong></span>
-      will
-      effectively wait forever for a reply.  The time to wait for a response
-      will be set to the number of seconds given by the hardware's maximum
-      value for an integer quantity.
-    </p>
-<p>
-      The <code class="option">-s</code> option tells <span class="command"><strong>host</strong></span>
-      <span class="emphasis"><em>not</em></span> to send the query to the next nameserver
-      if any server responds with a SERVFAIL response, which is the
-      reverse of normal stub resolver behavior.
-    </p>
-<p>
-      The <code class="option">-m</code> can be used to set the memory usage debugging
-      flags
-      <em class="parameter"><code>record</code></em>, <em class="parameter"><code>usage</code></em> and
-      <em class="parameter"><code>trace</code></em>.
-    </p>
-<p>
-      The <code class="option">-V</code> option causes <span class="command"><strong>host</strong></span>
-      to print the version number and exit.
-    </p>
-</div>
-<div class="refsection">
-<a name="id-1.8"></a><h2>IDN SUPPORT</h2>
-<p>
+
+  </div>
+
+  <div class="refsection">
+<a name="id-1.8"></a><h2>OPTIONS</h2>
+
+    <div class="variablelist"><dl class="variablelist">
+<dt><span class="term">-4</span></dt>
+<dd>
+	  <p>
+	    Use IPv4 only for query transport.
+	    See also the <code class="option">-6</code> option.
+	  </p>
+	</dd>
+<dt><span class="term">-6</span></dt>
+<dd>
+	  <p>
+	    Use IPv6 only for query transport.
+	    See also the <code class="option">-4</code> option.
+	  </p>
+	</dd>
+<dt><span class="term">-a</span></dt>
+<dd>
+	  <p>
+	    "All". The <code class="option">-a</code> option is normally equivalent
+	    to <code class="option">-v -t <code class="literal">ANY</code></code>.
+	    It also affects the behaviour of the <code class="option">-l</code>
+	    list zone option.
+	  </p>
+	</dd>
+<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
+<dd>
+	  <p>
+	    Query class: This can be used to lookup HS (Hesiod) or CH
+	    (Chaosnet) class resource records. The default class is IN
+	    (Internet).
+	  </p>
+	</dd>
+<dt><span class="term">-C</span></dt>
+<dd>
+	  <p>
+	    Check consistency: <span class="command"><strong>host</strong></span> will query the
+	    SOA records for zone <em class="parameter"><code>name</code></em> from all
+	    the listed authoritative name servers for that zone. The
+	    list of name servers is defined by the NS records that are
+	    found for the zone.
+	  </p>
+	</dd>
+<dt><span class="term">-d</span></dt>
+<dd>
+	  <p>
+	    Print debugging traces.
+	    Equivalent to the <code class="option">-v</code> verbose option.
+	  </p>
+	</dd>
+<dt><span class="term">-i</span></dt>
+<dd>
+	  <p>
+	    Obsolete.
+	    Use the IP6.INT domain for reverse lookups of IPv6
+	    addresses as defined in RFC1886 and deprecated in RFC4159.
+	    The default is to use IP6.ARPA as specified in RFC3596.
+	  </p>
+	</dd>
+<dt><span class="term">-l</span></dt>
+<dd>
+	  <p>
+	    List zone:
+	    The <span class="command"><strong>host</strong></span> command performs a zone transfer of
+	    zone <em class="parameter"><code>name</code></em> and prints out the NS,
+	    PTR and address records (A/AAAA).
+	  </p>
+	  <p>
+	    Together, the <code class="option">-l -a</code>
+	    options print all records in the zone.
+	  </p>
+	</dd>
+<dt><span class="term">-N <em class="replaceable"><code>ndots</code></em></span></dt>
+<dd>
+	  <p>
+	    The number of dots that have to be
+	    in <em class="parameter"><code>name</code></em> for it to be considered
+	    absolute. The default value is that defined using the
+	    ndots statement in <code class="filename">/etc/resolv.conf</code>,
+	    or 1 if no ndots statement is present. Names with fewer
+	    dots are interpreted as relative names and will be
+	    searched for in the domains listed in
+	    the <span class="type">search</span> or <span class="type">domain</span> directive
+	    in <code class="filename">/etc/resolv.conf</code>.
+	  </p>
+	</dd>
+<dt><span class="term">-r</span></dt>
+<dd>
+	  <p>
+	    Non-recursive query:
+	    Setting this option clears the RD (recursion desired) bit
+	    in the query. This should mean that the name server
+	    receiving the query will not attempt to
+	    resolve <em class="parameter"><code>name</code></em>.
+	    The <code class="option">-r</code> option
+	    enables <span class="command"><strong>host</strong></span> to mimic the behavior of a
+	    name server by making non-recursive queries and expecting
+	    to receive answers to those queries that can be
+	    referrals to other name servers.
+	  </p>
+	</dd>
+<dt><span class="term">-R <em class="replaceable"><code>number</code></em></span></dt>
+<dd>
+	  <p>
+	    Number of retries for UDP queries:
+	    If <em class="parameter"><code>number</code></em> is negative or zero, the
+	    number of retries will default to 1. The default value is 1.
+	  </p>
+	</dd>
+<dt><span class="term">-s</span></dt>
+<dd>
+	  <p>
+	    Do <span class="emphasis"><em>not</em></span> send the query to the next
+	    nameserver if any server responds with a SERVFAIL
+	    response, which is the reverse of normal stub resolver
+	    behavior.
+	  </p>
+	</dd>
+<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
+<dd>
+	  <p>
+	    Query type:
+	    The <em class="parameter"><code>type</code></em> argument can be any
+	    recognized query type: CNAME, NS, SOA, TXT, DNSKEY, AXFR, etc.
+	  </p>
+	  <p>
+	    When no query type is specified, <span class="command"><strong>host</strong></span>
+	    automatically selects an appropriate query type. By default, it
+	    looks for A, AAAA, and MX records.
+	    If the <code class="option">-C</code> option is given, queries will
+	    be made for SOA records.
+	    If <em class="parameter"><code>name</code></em> is a dotted-decimal IPv4
+	    address or colon-delimited IPv6
+	    address, <span class="command"><strong>host</strong></span> will query for PTR
+	    records.
+	  </p>
+	  <p>
+	    If a query type of IXFR is chosen the starting serial
+	    number can be specified by appending an equal followed by
+	    the starting serial number
+	    (like <code class="option">-t <code class="literal">IXFR=12345678</code></code>).
+	  </p>
+	</dd>
+<dt><span class="term">-T</span></dt>
+<dd>
+	  <p>
+	    TCP:
+	    By default, <span class="command"><strong>host</strong></span> uses UDP when making
+	    queries. The <code class="option">-T</code> option makes it use a TCP
+	    connection when querying the name server. TCP will be
+	    automatically selected for queries that require it, such
+	    as zone transfer (AXFR) requests.
+	  </p>
+	</dd>
+<dt><span class="term">-m <em class="replaceable"><code>flag</code></em></span></dt>
+<dd>
+	  <p>
+	    Memory usage debugging: the flag can
+	    be <em class="parameter"><code>record</code></em>, <em class="parameter"><code>usage</code></em>,
+	    or <em class="parameter"><code>trace</code></em>. You can specify
+	    the <code class="option">-m</code> option more than once to set
+	    multiple flags.
+	  </p>
+	</dd>
+<dt><span class="term">-v</span></dt>
+<dd>
+	  <p>
+	    Verbose output.
+	    Equivalent to the <code class="option">-d</code> debug option.
+	  </p>
+	</dd>
+<dt><span class="term">-V</span></dt>
+<dd>
+	  <p>
+	    Print the version number and exit.
+	  </p>
+	</dd>
+<dt><span class="term">-w</span></dt>
+<dd>
+	  <p>
+	    Wait forever: The query timeout is set to the maximum possible.
+	    See also the <code class="option">-W</code> option.
+	  </p>
+	</dd>
+<dt><span class="term">-W <em class="replaceable"><code>wait</code></em></span></dt>
+<dd>
+	  <p>
+	    Timeout: Wait for up to <em class="parameter"><code>wait</code></em>
+	    seconds for a reply. If <em class="parameter"><code>wait</code></em> is
+	    less than one, the wait interval is set to one second.
+	  </p>
+	  <p>
+	    By default, <span class="command"><strong>host</strong></span> will wait for 5
+	    seconds for UDP responses and 10 seconds for TCP
+	    connections.
+	  </p>
+	  <p>
+	    See also the <code class="option">-w</code> option.
+	  </p>
+	</dd>
+</dl></div>
+
+  </div>
+
+  <div class="refsection">
+<a name="id-1.9"></a><h2>IDN SUPPORT</h2>
+
+    <p>
       If <span class="command"><strong>host</strong></span> has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names.
       <span class="command"><strong>host</strong></span> appropriately converts character encoding of
@@ -199,17 +305,26 @@
       The IDN support is disabled if the variable is set when
       <span class="command"><strong>host</strong></span> runs.
     </p>
-</div>
-<div class="refsection">
-<a name="id-1.9"></a><h2>FILES</h2>
-<p><code class="filename">/etc/resolv.conf</code>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.10"></a><h2>FILES</h2>
+
+    <p><code class="filename">/etc/resolv.conf</code>
     </p>
-</div>
-<div class="refsection">
-<a name="id-1.10"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
-      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
+  </div>
+
+  <div class="refsection">
+<a name="id-1.11"></a><h2>SEE ALSO</h2>
+
+    <p><span class="citerefentry">
+        <span class="refentrytitle">dig</span>(1)
+      </span>,
+      <span class="citerefentry">
+        <span class="refentrytitle">named</span>(8)
+      </span>.
     </p>
-</div>
+  </div>
+
 </div></body>
 </html>

bin/dig/include/dig/dig.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2009, 2011-2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009, 2011-2016  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -134,7 +134,9 @@ struct dig_lookup {
 		sit,
 #endif
 		nsid,   /*% Name Server ID (RFC 5001) */
-		ednsneg;
+		ednsneg,
+		mapped,
+		idnout;
 #ifdef DIG_SIGCHASE
 isc_boolean_t	sigchase;
 #if DIG_SIGCHASE_TD
@@ -166,7 +168,6 @@ isc_boolean_t	sigchase;
 	isc_buffer_t renderbuf;
 	char *sendspace;
 	dns_name_t *name;
-	isc_timer_t *timer;
 	isc_interval_t interval;
 	dns_message_t *sendmsg;
 	dns_name_t *oname;
@@ -209,7 +210,8 @@ struct dig_query {
 		second_rr_rcvd,
 		first_repeat_rcvd,
 		recv_made,
-		warn_id;
+		warn_id,
+		timedout;
 	isc_uint32_t first_rr_serial;
 	isc_uint32_t second_rr_serial;
 	isc_uint32_t msg_count;
@@ -234,6 +236,7 @@ struct dig_query {
 	isc_time_t time_recv;
 	isc_uint64_t byte_count;
 	isc_buffer_t sendbuf;
+	isc_timer_t *timer;
 };
 
 struct dig_server {

bin/dig/nslookup.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2016  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -27,7 +27,6 @@
 #include <isc/parseint.h>
 #include <isc/print.h>
 #include <isc/string.h>
-#include <isc/timer.h>
 #include <isc/util.h>
 #include <isc/task.h>
 #include <isc/netaddr.h>
@@ -45,9 +44,20 @@
 #include <dig/dig.h>
 
 #if defined(HAVE_READLINE)
+#if defined(HAVE_EDIT_READLINE_READLINE_H)
+#include <edit/readline/readline.h>
+#if defined(HAVE_EDIT_READLINE_HISTORY_H)
+#include <edit/readline/history.h>
+#endif
+#elif defined(HAVE_EDITLINE_READLINE_H)
+#include <editline/readline.h>
+#elif defined(HAVE_READLINE_READLINE_H)
 #include <readline/readline.h>
+#if defined (HAVE_READLINE_HISTORY_H)
 #include <readline/history.h>
 #endif
+#endif
+#endif
 
 static isc_boolean_t short_form = ISC_TRUE,
 	tcpmode = ISC_FALSE,
@@ -866,8 +876,6 @@ flush_lookup_list(void) {
 		}
 		if (l->sendmsg != NULL)
 			dns_message_destroy(&l->sendmsg);
-		if (l->timer != NULL)
-			isc_timer_detach(&l->timer);
 		lp = l;
 		l = ISC_LIST_NEXT(l, link);
 		ISC_LIST_DEQUEUE(lookup_list, lp, link);

bin/dig/nslookup.docbook

@@ -43,7 +43,7 @@
  - SUCH DAMAGE.
 -->
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns="http://docbook.org/ns/docbook" version="5.0">
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.nslookup">
   <info>
     <date>2014-01-24</date>
   </info>

bin/dig/nslookup.html

@@ -1,3 +1,4 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
  - Copyright (C) 2004-2007, 2010, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
  - 
@@ -13,25 +14,43 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<html>
+<html lang="en">
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>nslookup</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
-<a name="id-1"></a><div class="titlepage"></div>
-<div class="refnamediv">
+<a name="man.nslookup"></a><div class="titlepage"></div>
+  
+  
+
+  
+
+  <div class="refnamediv">
 <h2>Name</h2>
-<p>nslookup &#8212; query Internet name servers interactively</p>
+<p>
+    nslookup
+     &#8212; query Internet name servers interactively
+  </p>
 </div>
-<div class="refsynopsisdiv">
+
+  
+
+  <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">nslookup</code>  [<code class="option">-option</code>] [name | -] [server]</p></div>
-</div>
-<div class="refsection">
+    <div class="cmdsynopsis"><p>
+      <code class="command">nslookup</code> 
+       [<code class="option">-option</code>]
+       [name | -]
+       [server]
+    </p></div>
+  </div>
+
+  <div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-<p><span class="command"><strong>Nslookup</strong></span>
+
+    <p><span class="command"><strong>Nslookup</strong></span>
       is a program to query Internet domain name servers.  <span class="command"><strong>Nslookup</strong></span>
       has two modes: interactive and non-interactive.  Interactive mode allows
       the user to query name servers for information about various hosts and
@@ -40,29 +59,37 @@
       used to print just the name and requested information for a host or
       domain.
     </p>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.8"></a><h2>ARGUMENTS</h2>
-<p>
+
+    <p>
       Interactive mode is entered in the following cases:
       </p>
 <div class="orderedlist"><ol class="orderedlist" type="a">
-<li class="listitem"><p>
+<li class="listitem">
+          <p>
             when no arguments are given (the default name server will be used)
-          </p></li>
-<li class="listitem"><p>
+          </p>
+        </li>
+<li class="listitem">
+          <p>
             when the first argument is a hyphen (-) and the second argument is
             the host name or Internet address of a name server.
-          </p></li>
+          </p>
+        </li>
 </ol></div>
 <p>
     </p>
-<p>
+
+    <p>
       Non-interactive mode is used when the name or Internet address of the
       host to be looked up is given as the first argument. The optional second
       argument specifies the host name or address of a name server.
     </p>
-<p>
+
+    <p>
       Options can also be specified on the command line if they precede the
       arguments and are prefixed with a hyphen.  For example, to
       change the default query type to host information, and the initial
@@ -75,246 +102,299 @@ nslookup -query=hinfo  -timeout=10
 <p>
       
     </p>
-<p>
+    <p>
       The <code class="option">-version</code> option causes
       <span class="command"><strong>nslookup</strong></span> to print the version
       number and immediately exits.
     </p>
-</div>
-<div class="refsection">
+
+  </div>
+
+  <div class="refsection">
 <a name="id-1.9"></a><h2>INTERACTIVE COMMANDS</h2>
-<div class="variablelist"><dl class="variablelist">
+
+    <div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><code class="constant">host</code> [<span class="optional">server</span>]</span></dt>
 <dd>
-<p>
+          <p>
             Look up information for host using the current default server or
             using server, if specified.  If host is an Internet address and
             the query type is A or PTR, the name of the host is returned.
             If host is a name and does not have a trailing period, the
             search list is used to qualify the name.
           </p>
-<p>
+
+          <p>
             To look up a host not in the current domain, append a period to
             the name.
           </p>
-</dd>
+        </dd>
 <dt><span class="term"><code class="constant">server</code> <em class="replaceable"><code>domain</code></em></span></dt>
-<dd><p></p></dd>
+<dd>
+          <p></p>
+        </dd>
 <dt><span class="term"><code class="constant">lserver</code> <em class="replaceable"><code>domain</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Change the default server to <em class="replaceable"><code>domain</code></em>; <code class="constant">lserver</code> uses the initial
             server to look up information about <em class="replaceable"><code>domain</code></em>, while <code class="constant">server</code> uses
             the current default server.  If an authoritative answer can't be
             found, the names of servers that might have the answer are
             returned.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term"><code class="constant">root</code></span></dt>
-<dd><p>
+<dd>
+          <p>
             not implemented
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term"><code class="constant">finger</code></span></dt>
-<dd><p>
+<dd>
+          <p>
             not implemented
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term"><code class="constant">ls</code></span></dt>
-<dd><p>
+<dd>
+          <p>
             not implemented
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term"><code class="constant">view</code></span></dt>
-<dd><p>
+<dd>
+          <p>
             not implemented
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term"><code class="constant">help</code></span></dt>
-<dd><p>
+<dd>
+          <p>
             not implemented
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term"><code class="constant">?</code></span></dt>
-<dd><p>
+<dd>
+          <p>
             not implemented
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term"><code class="constant">exit</code></span></dt>
-<dd><p>
+<dd>
+          <p>
             Exits the program.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term"><code class="constant">set</code>
           <em class="replaceable"><code>keyword[<span class="optional">=value</span>]</code></em></span></dt>
 <dd>
-<p>
+          <p>
             This command is used to change state information that affects
             the lookups.  Valid keywords are:
             </p>
 <div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><code class="constant">all</code></span></dt>
-<dd><p>
+<dd>
+                  <p>
                     Prints the current values of the frequently used
                     options to <span class="command"><strong>set</strong></span>.
                     Information about the  current default
                     server and host is also printed.
-                  </p></dd>
+                  </p>
+                </dd>
 <dt><span class="term"><code class="constant">class=</code><em class="replaceable"><code>value</code></em></span></dt>
 <dd>
-<p>
+                  <p>
                     Change the query class to one of:
                     </p>
 <div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><code class="constant">IN</code></span></dt>
-<dd><p>
+<dd>
+                          <p>
                             the Internet class
-                          </p></dd>
+                          </p>
+                        </dd>
 <dt><span class="term"><code class="constant">CH</code></span></dt>
-<dd><p>
+<dd>
+                          <p>
                             the Chaos class
-                          </p></dd>
+                          </p>
+                        </dd>
 <dt><span class="term"><code class="constant">HS</code></span></dt>
-<dd><p>
+<dd>
+                          <p>
                             the Hesiod class
-                          </p></dd>
+                          </p>
+                        </dd>
 <dt><span class="term"><code class="constant">ANY</code></span></dt>
-<dd><p>
+<dd>
+                          <p>
                             wildcard
-                          </p></dd>
+                          </p>
+                        </dd>
 </dl></div>
 <p>
                     The class specifies the protocol group of the information.
 
                   </p>
-<p>
+		  <p>
                     (Default = IN; abbreviation = cl)
                   </p>
-</dd>
+                </dd>
 <dt><span class="term"><code class="constant">
                     <em class="replaceable"><code>[<span class="optional">no</span>]</code></em>debug</code></span></dt>
 <dd>
-<p>
+                  <p>
 		    Turn on or off the display of the full response packet and
 		    any intermediate response packets when searching.
                   </p>
-<p>
+		  <p>
                     (Default = nodebug; abbreviation = [<span class="optional">no</span>]deb)
                   </p>
-</dd>
+                </dd>
 <dt><span class="term"><code class="constant">
                     <em class="replaceable"><code>[<span class="optional">no</span>]</code></em>d2</code></span></dt>
 <dd>
-<p>
+                  <p>
                     Turn debugging mode on or off.  This displays more about
 	            what nslookup is doing.
                   </p>
-<p>
+		  <p>
                     (Default = nod2)
                   </p>
-</dd>
+                </dd>
 <dt><span class="term"><code class="constant">domain=</code><em class="replaceable"><code>name</code></em></span></dt>
-<dd><p>
+<dd>
+                  <p>
                     Sets the search list to <em class="replaceable"><code>name</code></em>.
-                  </p></dd>
+                  </p>
+                </dd>
 <dt><span class="term"><code class="constant">
                     <em class="replaceable"><code>[<span class="optional">no</span>]</code></em>search</code></span></dt>
 <dd>
-<p>
+                  <p>
                     If the lookup request contains at least one period but
                     doesn't end with a trailing period, append the domain
                     names in the domain search list to the request until an
                     answer is received.
                   </p>
-<p>
+		  <p>
                     (Default = search)
                   </p>
-</dd>
+                </dd>
 <dt><span class="term"><code class="constant">port=</code><em class="replaceable"><code>value</code></em></span></dt>
 <dd>
-<p>
+                  <p>
                     Change the default TCP/UDP name server port to <em class="replaceable"><code>value</code></em>.
                   </p>
-<p>
+		  <p>
                     (Default = 53; abbreviation = po)
                   </p>
-</dd>
+                </dd>
 <dt><span class="term"><code class="constant">querytype=</code><em class="replaceable"><code>value</code></em></span></dt>
-<dd><p></p></dd>
+<dd>
+                  <p></p>
+                </dd>
 <dt><span class="term"><code class="constant">type=</code><em class="replaceable"><code>value</code></em></span></dt>
 <dd>
-<p>
+                  <p>
                     Change the type of the information query.
                   </p>
-<p>
+		  <p>
                     (Default = A; abbreviations = q, ty)
                   </p>
-</dd>
+                </dd>
 <dt><span class="term"><code class="constant">
                     <em class="replaceable"><code>[<span class="optional">no</span>]</code></em>recurse</code></span></dt>
 <dd>
-<p>
+                  <p>
                     Tell the name server to query other servers if it does not
                     have the
                     information.
                   </p>
-<p>
+		  <p>
                     (Default = recurse; abbreviation = [no]rec)
                   </p>
-</dd>
+                </dd>
 <dt><span class="term"><code class="constant">ndots=</code><em class="replaceable"><code>number</code></em></span></dt>
-<dd><p>
+<dd>
+                  <p>
 		    Set the number of dots (label separators) in a domain
 		    that will disable searching.  Absolute names always
 		    stop searching.
-                  </p></dd>
+                  </p>
+                </dd>
 <dt><span class="term"><code class="constant">retry=</code><em class="replaceable"><code>number</code></em></span></dt>
-<dd><p>
+<dd>
+                  <p>
                     Set the number of retries to number.
-                  </p></dd>
+                  </p>
+                </dd>
 <dt><span class="term"><code class="constant">timeout=</code><em class="replaceable"><code>number</code></em></span></dt>
-<dd><p>
+<dd>
+                  <p>
                     Change the initial timeout interval for waiting for a
                     reply to number seconds.
-                  </p></dd>
+                  </p>
+                </dd>
 <dt><span class="term"><code class="constant">
                     <em class="replaceable"><code>[<span class="optional">no</span>]</code></em>vc</code></span></dt>
 <dd>
-<p>
+                  <p>
                     Always use a virtual circuit when sending requests to the
                     server.
                   </p>
-<p>
+		  <p>
                     (Default = novc)
                   </p>
-</dd>
+                </dd>
 <dt><span class="term"><code class="constant">
                     <em class="replaceable"><code>[<span class="optional">no</span>]</code></em>fail</code></span></dt>
 <dd>
-<p>
+                  <p>
 		    Try the next nameserver if a nameserver responds with
 		    SERVFAIL or a referral (nofail) or terminate query
 		    (fail) on such a response.
 		  </p>
-<p>
+		  <p>
                     (Default = nofail)
                   </p>
-</dd>
+	        </dd>
 </dl></div>
 <p>
           </p>
-</dd>
+        </dd>
 </dl></div>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.10"></a><h2>RETURN VALUES</h2>
-<p>
+    <p>
       <span class="command"><strong>nslookup</strong></span> returns with an exit status of 1
       if any query failed, and 0 otherwise.
     </p>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.11"></a><h2>FILES</h2>
-<p><code class="filename">/etc/resolv.conf</code>
+
+    <p><code class="filename">/etc/resolv.conf</code>
     </p>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.12"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
-      <span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
-      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
+
+    <p><span class="citerefentry">
+        <span class="refentrytitle">dig</span>(1)
+      </span>,
+      <span class="citerefentry">
+        <span class="refentrytitle">host</span>(1)
+      </span>,
+      <span class="citerefentry">
+        <span class="refentrytitle">named</span>(8)
+      </span>.
     </p>
-</div>
+  </div>
 </div></body>
 </html>

bin/dig/win32/dig.dsp.in

@@ -42,7 +42,7 @@ RSC=rc.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
-# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../include" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @IDN_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../include" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @IDN_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" @CRYPTO@ /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
 # ADD BASE RSC /l 0x409 /d "NDEBUG"
 # ADD RSC /l 0x409 /d "NDEBUG"
 BSC32=bscmake.exe
@@ -66,7 +66,7 @@ LINK32=link.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /GZ /c
-# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../include" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @IDN_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../include" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @IDN_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" @CRYPTO@ /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
 # SUBTRACT CPP /X /u @COPTY@
 # ADD BASE RSC /l 0x409 /d "_DEBUG"
 # ADD RSC /l 0x409 /d "_DEBUG"

bin/dig/win32/dig.mak.in

@@ -132,7 +132,7 @@ CLEAN :
 "$(OUTDIR)" :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
-CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../include" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @IDN_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\dig.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../include" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @IDN_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" @CRYPTO@ /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\dig.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
 BSC32=bscmake.exe
 BSC32_FLAGS=/nologo /o"$(OUTDIR)\dig.bsc" 
 BSC32_SBRS= \
@@ -192,7 +192,7 @@ CLEAN :
 "$(OUTDIR)" :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
-CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../include" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @IDN_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../include" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @IDN_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" @CRYPTO@ /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
 BSC32=bscmake.exe
 BSC32_FLAGS=/nologo /o"$(OUTDIR)\dig.bsc" 
 BSC32_SBRS= \

bin/dig/win32/dig.vcxproj.in

@@ -53,7 +53,7 @@
       </PrecompiledHeader>
       <WarningLevel>Level3</WarningLevel>
       <Optimization>Disabled</Optimization>
-      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>WIN32;@CRYPTO@_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
       <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
@@ -78,7 +78,7 @@
       <Optimization>MaxSpeed</Optimization>
       <FunctionLevelLinking>true</FunctionLevelLinking>
       <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
-      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>WIN32;@CRYPTO@NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
       <WholeProgramOptimization>false</WholeProgramOptimization>
       <StringPooling>true</StringPooling>

bin/dig/win32/dighost.dsp.in

@@ -43,7 +43,7 @@ RSC=rc.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /MT /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" @COPTY@ /FD /c
-# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @IDN_INC@ /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" @COPTY@ /FD /c /Fddighost
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @IDN_INC@ /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /D "NDEBUG" @CRYPTO@ /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" @COPTY@ /FD /c /Fddighost
 # SUBTRACT CPP /X
 # ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
 # ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
@@ -70,7 +70,7 @@ LINK32=link.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /MTd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" @COPTY@ /FD /GZ /c
-# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @IDN_INC@ /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /FR @COPTY@ /FD /GZ /c /Fddighost
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @IDN_INC@ /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" @CRYPTO@ /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /FR @COPTY@ /FD /GZ /c /Fddighost
 # SUBTRACT CPP /X
 # ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
 # ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32

bin/dig/win32/dighost.vcxproj.in

@@ -53,7 +53,7 @@
       </PrecompiledHeader>
       <WarningLevel>Level3</WarningLevel>
       <Optimization>Disabled</Optimization>
-      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>WIN32;@CRYPTO@_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
       <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
@@ -76,7 +76,7 @@
       <Optimization>MaxSpeed</Optimization>
       <FunctionLevelLinking>true</FunctionLevelLinking>
       <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
-      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>WIN32;@CRYPTO@NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
       <WholeProgramOptimization>false</WholeProgramOptimization>
       <StringPooling>true</StringPooling>

bin/dig/win32/host.dsp.in

@@ -42,7 +42,7 @@ RSC=rc.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
-# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../include" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @IDN_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../include" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @IDN_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" @CRYPTO@ /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
 # ADD BASE RSC /l 0x409 /d "NDEBUG"
 # ADD RSC /l 0x409 /d "NDEBUG"
 BSC32=bscmake.exe
@@ -66,7 +66,7 @@ LINK32=link.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /GZ /c
-# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../include" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @IDN_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../include" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @IDN_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" @CRYPTO@ /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
 # SUBTRACT CPP /X /u @COPTY@
 # ADD BASE RSC /l 0x409 /d "_DEBUG"
 # ADD RSC /l 0x409 /d "_DEBUG"

bin/dig/win32/host.mak.in

@@ -132,7 +132,7 @@ CLEAN :
 "$(OUTDIR)" :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
-CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../include" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @IDN_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\host.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../include" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @IDN_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" @CRYPTO@ /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\host.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
 BSC32=bscmake.exe
 BSC32_FLAGS=/nologo /o"$(OUTDIR)\host.bsc" 
 BSC32_SBRS= \
@@ -192,7 +192,7 @@ CLEAN :
 "$(OUTDIR)" :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
-CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../include" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @IDN_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../include" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @IDN_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" @CRYPTO@ /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
 BSC32=bscmake.exe
 BSC32_FLAGS=/nologo /o"$(OUTDIR)\host.bsc" 
 BSC32_SBRS= \

bin/dig/win32/host.vcxproj.in

@@ -53,7 +53,7 @@
       </PrecompiledHeader>
       <WarningLevel>Level3</WarningLevel>
       <Optimization>Disabled</Optimization>
-      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>WIN32;@CRYPTO@_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
       <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
@@ -78,7 +78,7 @@
       <Optimization>MaxSpeed</Optimization>
       <FunctionLevelLinking>true</FunctionLevelLinking>
       <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
-      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>WIN32;@CRYPTO@NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
       <WholeProgramOptimization>false</WholeProgramOptimization>
       <StringPooling>true</StringPooling>

bin/dig/win32/nslookup.dsp.in

@@ -42,7 +42,7 @@ RSC=rc.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
-# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../include" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @READLINE_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "USE_READLINE_STATIC" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../include" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @READLINE_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" @CRYPTO@ /D "WIN32" /D "USE_READLINE_STATIC" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
 # ADD BASE RSC /l 0x409 /d "NDEBUG"
 # ADD RSC /l 0x409 /d "NDEBUG"
 BSC32=bscmake.exe
@@ -66,7 +66,7 @@ LINK32=link.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /GZ /c
-# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../include" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @READLINE_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "USE_READLINE_STATIC" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../include" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @READLINE_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" @CRYPTO@ /D "WIN32" /D "USE_READLINE_STATIC" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
 # SUBTRACT CPP /X /u @COPTY@
 # ADD BASE RSC /l 0x409 /d "_DEBUG"
 # ADD RSC /l 0x409 /d "_DEBUG"

bin/dig/win32/nslookup.mak.in

@@ -132,7 +132,7 @@ CLEAN :
 "$(OUTDIR)" :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
-CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../include" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @READLINE_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "USE_READLINE_STATIC" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\nslookup.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../include" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @READLINE_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" @CRYPTO@ /D "WIN32" /D "USE_READLINE_STATIC" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\nslookup.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
 BSC32=bscmake.exe
 BSC32_FLAGS=/nologo /o"$(OUTDIR)\nslookup.bsc" 
 BSC32_SBRS= \
@@ -192,7 +192,7 @@ CLEAN :
 "$(OUTDIR)" :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
-CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../include" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @READLINE_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "USE_READLINE_STATIC" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../include" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @READLINE_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" @CRYPTO@ /D "WIN32" /D "USE_READLINE_STATIC" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
 BSC32=bscmake.exe
 BSC32_FLAGS=/nologo /o"$(OUTDIR)\nslookup.bsc" 
 BSC32_SBRS= \

bin/dig/win32/nslookup.vcxproj.in

@@ -53,7 +53,7 @@
       </PrecompiledHeader>
       <WarningLevel>Level3</WarningLevel>
       <Optimization>Disabled</Optimization>
-      <PreprocessorDefinitions>WIN32;USE_READLINE_STATIC;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>WIN32;@CRYPTO@USE_READLINE_STATIC;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
       <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
@@ -78,7 +78,7 @@
       <Optimization>MaxSpeed</Optimization>
       <FunctionLevelLinking>true</FunctionLevelLinking>
       <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
-      <PreprocessorDefinitions>WIN32;USE_READLINE_STATIC;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>WIN32;@CRYPTO@USE_READLINE_STATIC;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
       <WholeProgramOptimization>false</WholeProgramOptimization>
       <StringPooling>true</StringPooling>

bin/dnssec/Makefile.in

@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2005, 2007-2009, 2012-2015  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2005, 2007-2009, 2012-2016  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -23,7 +23,7 @@ VERSION=@BIND9_VERSION@
 
 @BIND9_MAKE_INCLUDES@
 
-CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES}
+CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@
 
 CDEFINES =	-DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \
 		@CRYPTO@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\"
@@ -120,6 +120,10 @@ install:: ${TARGETS} installdirs
 	for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir}; done
 	for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done
 
+uninstall::
+	for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m ; done
+	for t in ${TARGETS}; do ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/$$t ; done
+
 clean distclean::
 	rm -f ${TARGETS}
 

bin/dnssec/dnssec-dsfromkey.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2008-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2008-2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -186,5 +186,5 @@ RFC 4509\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2008-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2008-2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dnssec/dnssec-dsfromkey.docbook

@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2008-2012, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2008-2012, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-dsfromkey">
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-dsfromkey">
   <info>
     <date>2012-05-02</date>
   </info>
@@ -44,6 +44,7 @@
       <year>2012</year>
       <year>2014</year>
       <year>2015</year>
+      <year>2016</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>

bin/dnssec/dnssec-dsfromkey.html

@@ -1,5 +1,6 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2008-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2008-2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<html>
+<html lang="en">
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dnssec-dsfromkey</title>
@@ -21,158 +22,242 @@
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.dnssec-dsfromkey"></a><div class="titlepage"></div>
-<div class="refnamediv">
+  
+  
+
+  
+
+  <div class="refnamediv">
 <h2>Name</h2>
-<p><span class="application">dnssec-dsfromkey</span> &#8212; DNSSEC DS RR generation tool</p>
+<p>
+    <span class="application">dnssec-dsfromkey</span>
+     &#8212; DNSSEC DS RR generation tool
+  </p>
 </div>
-<div class="refsynopsisdiv">
+
+  
+
+  <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code>  [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-C</code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] {keyfile}</p></div>
-<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code>  {-s} [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-s</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-A</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {dnsname}</p></div>
-<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code>  [<code class="option">-h</code>] [<code class="option">-V</code>]</p></div>
-</div>
-<div class="refsection">
+    <div class="cmdsynopsis"><p>
+      <code class="command">dnssec-dsfromkey</code> 
+       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
+       [<code class="option">-1</code>]
+       [<code class="option">-2</code>]
+       [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>]
+       [<code class="option">-C</code>]
+       [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>]
+       [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
+       {keyfile}
+    </p></div>
+    <div class="cmdsynopsis"><p>
+      <code class="command">dnssec-dsfromkey</code> 
+       {-s}
+       [<code class="option">-1</code>]
+       [<code class="option">-2</code>]
+       [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>]
+       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
+       [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>]
+       [<code class="option">-s</code>]
+       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
+       [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
+       [<code class="option">-f <em class="replaceable"><code>file</code></em></code>]
+       [<code class="option">-A</code>]
+       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
+       {dnsname}
+   </p></div>
+    <div class="cmdsynopsis"><p>
+      <code class="command">dnssec-dsfromkey</code> 
+       [<code class="option">-h</code>]
+       [<code class="option">-V</code>]
+   </p></div>
+  </div>
+
+  <div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-<p><span class="command"><strong>dnssec-dsfromkey</strong></span>
+
+    <p><span class="command"><strong>dnssec-dsfromkey</strong></span>
       outputs the Delegation Signer (DS) resource record (RR), as defined in
       RFC 3658 and RFC 4509, for the given key(s).
     </p>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.8"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl class="variablelist">
+
+
+    <div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-1</span></dt>
-<dd><p>
+<dd>
+          <p>
             Use SHA-1 as the digest algorithm (the default is to use
             both SHA-1 and SHA-256).
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-2</span></dt>
-<dd><p>
+<dd>
+          <p>
             Use SHA-256 as the digest algorithm.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Select the digest algorithm. The value of
             <code class="option">algorithm</code> must be one of SHA-1 (SHA1),
             SHA-256 (SHA256), GOST or SHA-384 (SHA384).
             These values are case insensitive.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-C</span></dt>
-<dd><p>
+<dd>
+          <p>
             Generate CDS records rather than DS records.  This is mutually
 	    exclusive with generating lookaside records.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Specifies the TTL of the DS records.
-          </p></dd>
+          </p>
+	  </dd>
 <dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Look for key files (or, in keyset mode,
             <code class="filename">keyset-</code> files) in
             <code class="option">directory</code>.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
 <dd>
-<p>
+          <p>
             Zone file mode: in place of the keyfile name, the argument is
             the DNS domain name of a zone master file, which can be read
             from <code class="option">file</code>.  If the zone name is the same as
             <code class="option">file</code>, then it may be omitted.
           </p>
-<p>
+          <p>
             If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
             the zone data is read from the standard input.  This makes it
             possible to use the output of the <span class="command"><strong>dig</strong></span>
             command as input, as in:
           </p>
-<p>
+          <p>
             <strong class="userinput"><code>dig dnskey example.com | dnssec-dsfromkey -f - example.com</code></strong>
           </p>
-</dd>
+        </dd>
 <dt><span class="term">-A</span></dt>
-<dd><p>
+<dd>
+          <p>
             Include ZSK's when generating DS records.  Without this option,
             only keys which have the KSK flag set will be converted to DS
             records and printed.  Useful only in zone file mode.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Generate a DLV set instead of a DS set.  The specified
             <code class="option">domain</code> is appended to the name for each
             record in the set.
             The DNSSEC Lookaside Validation (DLV) RR is described
             in RFC 4431.  This is mutually exclusive with generating
 	    CDS records.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-s</span></dt>
-<dd><p>
+<dd>
+          <p>
             Keyset mode: in place of the keyfile name, the argument is
             the DNS domain name of a keyset file.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Specifies the DNS class (default is IN).  Useful only
             in keyset or zone file mode.
-          </p></dd>
+          </p>
+	  </dd>
 <dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Sets the debugging level.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-h</span></dt>
-<dd><p>
+<dd>
+          <p>
             Prints usage information.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-V</span></dt>
-<dd><p>
+<dd>
+          <p>
             Prints version information.
-          </p></dd>
+          </p>
+        </dd>
 </dl></div>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.9"></a><h2>EXAMPLE</h2>
-<p>
+
+    <p>
       To build the SHA-256 DS RR from the
       <strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
       keyfile name, the following command would be issued:
     </p>
-<p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong>
+    <p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong>
     </p>
-<p>
+    <p>
       The command would print something like:
     </p>
-<p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</code></strong>
+    <p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</code></strong>
     </p>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.10"></a><h2>FILES</h2>
-<p>
+
+    <p>
       The keyfile can be designed by the key identification
       <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
       <code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
       <span class="refentrytitle">dnssec-keygen</span>(8).
     </p>
-<p>
+    <p>
       The keyset file name is built from the <code class="option">directory</code>,
       the string <code class="filename">keyset-</code> and the
       <code class="option">dnsname</code>.
     </p>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.11"></a><h2>CAVEAT</h2>
-<p>
+
+    <p>
       A keyfile error can give a "file not found" even if the file exists.
     </p>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.12"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
+
+    <p><span class="citerefentry">
+        <span class="refentrytitle">dnssec-keygen</span>(8)
+      </span>,
+      <span class="citerefentry">
+        <span class="refentrytitle">dnssec-signzone</span>(8)
+      </span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 3658</em>,
       <em class="citetitle">RFC 4431</em>.
       <em class="citetitle">RFC 4509</em>.
     </p>
-</div>
+  </div>
+
 </div></body>
 </html>

bin/dnssec/dnssec-importkey.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2013-2015 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2013-2016 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -132,5 +132,5 @@ RFC 5011\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2013-2015 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2013-2016 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dnssec/dnssec-importkey.docbook

@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2013-2015  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2013-2016  Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-importkey">
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-importkey">
   <info>
     <date>2014-02-20</date>
   </info>
@@ -40,6 +40,7 @@
       <year>2013</year>
       <year>2014</year>
       <year>2015</year>
+      <year>2016</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>

bin/dnssec/dnssec-importkey.html

@@ -1,5 +1,6 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2013-2015 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2013-2016 Internet Systems Consortium, Inc. ("ISC")
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<html>
+<html lang="en">
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dnssec-importkey</title>
@@ -21,18 +22,52 @@
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.dnssec-importkey"></a><div class="titlepage"></div>
-<div class="refnamediv">
+  
+  
+
+  
+
+  <div class="refnamediv">
 <h2>Name</h2>
-<p><span class="application">dnssec-importkey</span> &#8212; import DNSKEY records from external systems so they can be managed</p>
+<p>
+    <span class="application">dnssec-importkey</span>
+     &#8212; import DNSKEY records from external systems so they can be managed
+  </p>
 </div>
-<div class="refsynopsisdiv">
+
+  
+
+  <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-importkey</code>  [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] {<code class="option">keyfile</code>}</p></div>
-<div class="cmdsynopsis"><p><code class="command">dnssec-importkey</code>  {<code class="option">-f <em class="replaceable"><code>filename</code></em></code>} [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">dnsname</code>]</p></div>
-</div>
-<div class="refsection">
+    <div class="cmdsynopsis"><p>
+      <code class="command">dnssec-importkey</code> 
+       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
+       [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
+       [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
+       [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
+       [<code class="option">-h</code>]
+       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
+       [<code class="option">-V</code>]
+       {<code class="option">keyfile</code>}
+    </p></div>
+    <div class="cmdsynopsis"><p>
+      <code class="command">dnssec-importkey</code> 
+       {<code class="option">-f <em class="replaceable"><code>filename</code></em></code>}
+       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
+       [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
+       [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
+       [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
+       [<code class="option">-h</code>]
+       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
+       [<code class="option">-V</code>]
+       [<code class="option">dnsname</code>]
+    </p></div>
+  </div>
+
+  <div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-<p><span class="command"><strong>dnssec-importkey</strong></span>
+
+    <p><span class="command"><strong>dnssec-importkey</strong></span>
       reads a public DNSKEY record and generates a pair of
       .key/.private files.  The DNSKEY record may be read from an
       existing .key file, in which case a corresponding .private file
@@ -40,7 +75,7 @@
       from the standard input, in which case both .key and .private
       files will be generated.
     </p>
-<p>
+    <p>
       The newly-created .private file does <span class="emphasis"><em>not</em></span>
       contain private key data, and cannot be used for signing.
       However, having a .private file makes it possible to set
@@ -49,53 +84,68 @@
       public key can be added to and removed from the DNSKEY RRset
       on schedule even if the true private key is stored offline.
     </p>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.8"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl class="variablelist">
+
+
+    <div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-f <em class="replaceable"><code>filename</code></em></span></dt>
 <dd>
-<p>
+          <p>
             Zone file mode: instead of a public keyfile name, the argument
 	    is the DNS domain name of a zone master file, which can be read
             from <code class="option">file</code>.  If the domain name is the same as
             <code class="option">file</code>, then it may be omitted.
           </p>
-<p>
+          <p>
             If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
             the zone data is read from the standard input.
           </p>
-</dd>
+        </dd>
 <dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Sets the directory in which the key files are to reside.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Sets the default TTL to use for this key when it is converted
             into a DNSKEY RR.  If the key is imported into a zone,
             this is the TTL that will be used for it, unless there was
             already a DNSKEY RRset in place, in which case the existing TTL
             would take precedence.  Setting the default TTL to
             <code class="literal">0</code> or <code class="literal">none</code> removes it.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-h</span></dt>
-<dd><p>
+<dd>
+	  <p>
 	    Emit usage message and exit.
-	  </p></dd>
+	  </p>
+        </dd>
 <dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Sets the debugging level.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-V</span></dt>
-<dd><p>
+<dd>
+	  <p>
 	    Prints version information.
-	  </p></dd>
+	  </p>
+        </dd>
 </dl></div>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.9"></a><h2>TIMING OPTIONS</h2>
-<p>
+
+    <p>
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
       an offset from the present time.  For convenience, if such an offset
@@ -106,37 +156,51 @@
       is computed in seconds.  To explicitly prevent a date from being
       set, use 'none' or 'never'.
     </p>
-<div class="variablelist"><dl class="variablelist">
+
+    <div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Sets the date on which a key is to be published to the zone.
             After that date, the key will be included in the zone but will
             not be used to sign it.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Sets the date on which the key is to be deleted.  After that
             date, the key will no longer be included in the zone.  (It
             may remain in the key repository, however.)
-          </p></dd>
+          </p>
+        </dd>
 </dl></div>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.10"></a><h2>FILES</h2>
-<p>
+
+    <p>
       A keyfile can be designed by the key identification
       <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
       <code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
       <span class="refentrytitle">dnssec-keygen</span>(8).
     </p>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.11"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
+
+    <p><span class="citerefentry">
+        <span class="refentrytitle">dnssec-keygen</span>(8)
+      </span>,
+      <span class="citerefentry">
+        <span class="refentrytitle">dnssec-signzone</span>(8)
+      </span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 5011</em>.
     </p>
-</div>
+  </div>
+
 </div></body>
 </html>

bin/dnssec/dnssec-keyfromlabel.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2008-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2008-2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -299,5 +299,5 @@ The PKCS#11 URI Scheme (draft\-pechanec\-pkcs11uri\-13)\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2008-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2008-2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dnssec/dnssec-keyfromlabel.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2012, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2007-2012, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -30,6 +30,8 @@
 #include <isc/string.h>
 #include <isc/util.h>
 
+#include <pk11/site.h>
+
 #include <dns/dnssec.h>
 #include <dns/fixedname.h>
 #include <dns/keyvalues.h>
@@ -379,10 +381,20 @@ main(int argc, char **argv) {
 		}
 
 		if (strcasecmp(algname, "RSA") == 0) {
+#ifndef PK11_MD5_DISABLE
 			fprintf(stderr, "The use of RSA (RSAMD5) is not "
 					"recommended.\nIf you still wish to "
 					"use RSA (RSAMD5) please specify "
 					"\"-a RSAMD5\"\n");
+#else
+			fprintf(stderr,
+				"The use of RSA (RSAMD5) was disabled\n");
+			if (freeit != NULL)
+				free(freeit);
+			return (1);
+		} else if (strcasecmp(algname, "RSAMD5") == 0) {
+			fprintf(stderr, "The use of RSAMD5 was disabled\n");
+#endif
 			if (freeit != NULL)
 				free(freeit);
 			return (1);
@@ -479,6 +491,11 @@ main(int argc, char **argv) {
 		alg = dst_key_alg(prevkey);
 		flags = dst_key_flags(prevkey);
 
+#ifdef PK11_MD5_DISABLE
+		if (alg == DST_ALG_RSAMD5)
+			fatal("Key %s uses disabled RSAMD5", predecessor);
+#endif
+
 		dst_key_format(prevkey, keystr, sizeof(keystr));
 		dst_key_getprivateformat(prevkey, &major, &minor);
 		if (major != DST_MAJOR_VERSION || minor < DST_MINOR_VERSION)

bin/dnssec/dnssec-keyfromlabel.docbook

@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2008-2012, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2008-2012, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-keyfromlabel">
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-keyfromlabel">
   <info>
     <date>2014-02-27</date>
   </info>
@@ -44,6 +44,7 @@
       <year>2012</year>
       <year>2014</year>
       <year>2015</year>
+      <year>2016</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>

bin/dnssec/dnssec-keyfromlabel.html

@@ -1,5 +1,6 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2008-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2008-2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<html>
+<html lang="en">
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dnssec-keyfromlabel</title>
@@ -21,17 +22,56 @@
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
-<div class="refnamediv">
+  
+  
+
+  
+
+  <div class="refnamediv">
 <h2>Name</h2>
-<p><span class="application">dnssec-keyfromlabel</span> &#8212; DNSSEC key generation tool</p>
+<p>
+    <span class="application">dnssec-keyfromlabel</span>
+     &#8212; DNSSEC key generation tool
+  </p>
 </div>
-<div class="refsynopsisdiv">
+
+  
+
+  <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code>  {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y</code>] {name}</p></div>
-</div>
-<div class="refsection">
+    <div class="cmdsynopsis"><p>
+      <code class="command">dnssec-keyfromlabel</code> 
+       {-l <em class="replaceable"><code>label</code></em>}
+       [<code class="option">-3</code>]
+       [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
+       [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
+       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
+       [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
+       [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
+       [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>]
+       [<code class="option">-G</code>]
+       [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>]
+       [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
+       [<code class="option">-k</code>]
+       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
+       [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
+       [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
+       [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
+       [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>]
+       [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>]
+       [<code class="option">-S <em class="replaceable"><code>key</code></em></code>]
+       [<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
+       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
+       [<code class="option">-V</code>]
+       [<code class="option">-y</code>]
+       {name}
+    </p></div>
+  </div>
+
+  <div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-<p><span class="command"><strong>dnssec-keyfromlabel</strong></span>
+
+    <p><span class="command"><strong>dnssec-keyfromlabel</strong></span>
       generates a key pair of files that referencing a key object stored
       in a cryptographic hardware service module (HSM).  The private key
       file can be used for DNSSEC signing of zone data as if it were a
@@ -39,52 +79,57 @@
       but the key material is stored within the HSM, and the actual signing
       takes place there.
     </p>
-<p>
+    <p>
       The <code class="option">name</code> of the key is specified on the command
       line.  This must match the name of the zone for which the key is
       being generated.
     </p>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.8"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl class="variablelist">
+
+
+    <div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 <dd>
-<p>
+	  <p>
 	    Selects the cryptographic algorithm.  The value of
             <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
 	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
 	    ECDSAP256SHA256 or ECDSAP384SHA384.
 	    These values are case insensitive.
 	  </p>
-<p>
+          <p>
             If no algorithm is specified, then RSASHA1 will be used by
             default, unless the <code class="option">-3</code> option is specified,
             in which case NSEC3RSASHA1 will be used instead.  (If
             <code class="option">-3</code> is used and an algorithm is specified,
             that algorithm will be checked for compatibility with NSEC3.)
           </p>
-<p>
+          <p>
             Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
             algorithm, and DSA is recommended.
           </p>
-<p>
+          <p>
             Note 2: DH automatically sets the -k flag.
           </p>
-</dd>
+        </dd>
 <dt><span class="term">-3</span></dt>
-<dd><p>
+<dd>
+          <p>
 	    Use an NSEC3-capable algorithm to generate a DNSSEC key.
             If this option is used and no algorithm is explicitly
             set on the command line, NSEC3RSASHA1 will be used by
             default.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
 <dd>
-<p>
+          <p>
             Specifies the cryptographic hardware to use.
           </p>
-<p>
+          <p>
             When BIND is built with OpenSSL PKCS#11 support, this defaults
             to the string "pkcs11", which identifies an OpenSSL engine
             that can drive a cryptographic accelerator or hardware service
@@ -92,20 +137,20 @@
             (--enable-native-pkcs11), it defaults to the path of the PKCS#11
             provider library specified via "--with-pkcs11".
           </p>
-</dd>
+        </dd>
 <dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
 <dd>
-<p>
+          <p>
             Specifies the label for a key pair in the crypto hardware.
           </p>
-<p>
+          <p>
             When <acronym class="acronym">BIND</acronym> 9 is built with OpenSSL-based
             PKCS#11 support, the label is an arbitrary string that
             identifies a particular key.  It may be preceded by an
             optional OpenSSL engine name, followed by a colon, as in
             "pkcs11:<em class="replaceable"><code>keylabel</code></em>".
           </p>
-<p>
+          <p>
             When <acronym class="acronym">BIND</acronym> 9 is built with native PKCS#11
             support, the label is a PKCS#11 URI string in the format
             "pkcs11:<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>[<span class="optional">;<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>;...</span>]"
@@ -114,7 +159,7 @@
             which the HSM's PIN code can be obtained.  The label will be
             stored in the on-disk "private" file.
           </p>
-<p>
+          <p>
             If the label contains a
             <code class="option">pin-source</code> field, tools using the generated
             key files will be able to use the HSM for signing and other
@@ -123,18 +168,21 @@
             may reduce the security advantage of using an HSM; be sure
             this is what you want to do before making use of this feature.
           </p>
-</dd>
+        </dd>
 <dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Specifies the owner type of the key.  The value of
             <code class="option">nametype</code> must either be ZONE (for a DNSSEC
             zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
             a host (KEY)),
             USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
             These values are case insensitive.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-C</span></dt>
-<dd><p>
+<dd>
+          <p>
 	    Compatibility mode:  generates an old-style key, without
 	    any metadata.  By default, <span class="command"><strong>dnssec-keyfromlabel</strong></span>
 	    will include the key's creation date in the metadata stored
@@ -142,53 +190,71 @@
 	    (publication date, activation date, etc).  Keys that include
 	    this data may be incompatible with older versions of BIND; the
 	    <code class="option">-C</code> option suppresses them.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Indicates that the DNS record containing the key should have
             the specified class.  If not specified, class IN is used.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Set the specified flag in the flag field of the KEY/DNSKEY record.
             The only recognized flags are KSK (Key Signing Key) and REVOKE.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-G</span></dt>
-<dd><p>
+<dd>
+          <p>
             Generate a key, but do not publish it or sign with it.  This
             option is incompatible with -P and -A.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-h</span></dt>
-<dd><p>
+<dd>
+          <p>
             Prints a short summary of the options and arguments to
             <span class="command"><strong>dnssec-keyfromlabel</strong></span>.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Sets the directory in which the key files are to be written.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-k</span></dt>
-<dd><p>
+<dd>
+          <p>
             Generate KEY records rather than DNSKEY records.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Sets the default TTL to use for this key when it is converted
             into a DNSKEY RR.  If the key is imported into a zone,
             this is the TTL that will be used for it, unless there was
             already a DNSKEY RRset in place, in which case the existing TTL
             would take precedence.  Setting the default TTL to
             <code class="literal">0</code> or <code class="literal">none</code> removes it.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Sets the protocol value for the key.  The protocol
             is a number between 0 and 255.  The default is 3 (DNSSEC).
             Other possible values for this argument are listed in
             RFC 2535 and its successors.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Generate a key as an explicit successor to an existing key.
 	    The name, algorithm, size, and type of the key will be set
 	    to match the predecessor. The activation date of the new
@@ -196,35 +262,47 @@
 	    one. The publication date will be set to the activation
 	    date minus the prepublication interval, which defaults to
 	    30 days.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Indicates the use of the key.  <code class="option">type</code> must be
             one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF.  The default
             is AUTHCONF.  AUTH refers to the ability to authenticate
             data, and CONF the ability to encrypt data.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Sets the debugging level.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-V</span></dt>
-<dd><p>
+<dd>
+	  <p>
 	    Prints version information.
-	  </p></dd>
+	  </p>
+        </dd>
 <dt><span class="term">-y</span></dt>
-<dd><p>
+<dd>
+          <p>
             Allows DNSSEC key files to be generated even if the key ID
 	    would collide with that of an existing key, in the event of
 	    either key being revoked.  (This is only safe to use if you
             are sure you won't be using RFC 5011 trust anchor maintenance
             with either of the keys involved.)
-          </p></dd>
+          </p>
+        </dd>
 </dl></div>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.9"></a><h2>TIMING OPTIONS</h2>
-<p>
+
+
+    <p>
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
       an offset from the present time.  For convenience, if such an offset
@@ -235,42 +313,53 @@
       is computed in seconds.  To explicitly prevent a date from being
       set, use 'none' or 'never'.
     </p>
-<div class="variablelist"><dl class="variablelist">
+
+    <div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Sets the date on which a key is to be published to the zone.
             After that date, the key will be included in the zone but will
             not be used to sign it.  If not set, and if the -G option has
             not been used, the default is "now".
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Sets the date on which the key is to be activated.  After that
             date, the key will be included in the zone and used to sign
             it.  If not set, and if the -G option has not been used, the
             default is "now".
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Sets the date on which the key is to be revoked.  After that
             date, the key will be flagged as revoked.  It will be included
             in the zone and will be used to sign it.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Sets the date on which the key is to be retired.  After that
             date, the key will still be included in the zone, but it
             will not be used to sign it.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Sets the date on which the key is to be deleted.  After that
             date, the key will no longer be included in the zone.  (It
             may remain in the key repository, however.)
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
 <dd>
-<p>
+          <p>
             Sets the prepublication interval for a key.  If set, then
             the publication and activation dates must be separated by at least
             this much time.  If the activation date is specified but the
@@ -279,68 +368,83 @@
             the publication date is specified but activation date isn't,
             then activation will be set to this much time after publication.
           </p>
-<p>
+          <p>
             If the key is being created as an explicit successor to another
             key, then the default prepublication interval is 30 days;
             otherwise it is zero.
           </p>
-<p>
+          <p>
             As with date offsets, if the argument is followed by one of
             the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
             interval is measured in years, months, weeks, days, hours,
             or minutes, respectively.  Without a suffix, the interval is
             measured in seconds.
           </p>
-</dd>
+        </dd>
 </dl></div>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.10"></a><h2>GENERATED KEY FILES</h2>
-<p>
+
+    <p>
       When <span class="command"><strong>dnssec-keyfromlabel</strong></span> completes
       successfully,
       it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
       to the standard output.  This is an identification string for
       the key files it has generated.
     </p>
-<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem"><p><code class="filename">nnnn</code> is the key name.
-        </p></li>
-<li class="listitem"><p><code class="filename">aaa</code> is the numeric representation
+    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+        <p><code class="filename">nnnn</code> is the key name.
+        </p>
+      </li>
+<li class="listitem">
+        <p><code class="filename">aaa</code> is the numeric representation
           of the algorithm.
-        </p></li>
-<li class="listitem"><p><code class="filename">iiiii</code> is the key identifier (or
+        </p>
+      </li>
+<li class="listitem">
+        <p><code class="filename">iiiii</code> is the key identifier (or
           footprint).
-        </p></li>
+        </p>
+      </li>
 </ul></div>
-<p><span class="command"><strong>dnssec-keyfromlabel</strong></span>
+    <p><span class="command"><strong>dnssec-keyfromlabel</strong></span>
       creates two files, with names based
       on the printed string.  <code class="filename">Knnnn.+aaa+iiiii.key</code>
       contains the public key, and
       <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
       private key.
     </p>
-<p>
+    <p>
       The <code class="filename">.key</code> file contains a DNS KEY record
       that
       can be inserted into a zone file (directly or with a $INCLUDE
       statement).
     </p>
-<p>
+    <p>
       The <code class="filename">.private</code> file contains
       algorithm-specific
       fields.  For obvious security reasons, this file does not have
       general read permission.
     </p>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.11"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
+
+    <p><span class="citerefentry">
+        <span class="refentrytitle">dnssec-keygen</span>(8)
+      </span>,
+      <span class="citerefentry">
+        <span class="refentrytitle">dnssec-signzone</span>(8)
+      </span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 4034</em>,
       <em class="citetitle">The PKCS#11 URI Scheme (draft-pechanec-pkcs11uri-13)</em>.
     </p>
-</div>
+  </div>
+
 </div></body>
 </html>

bin/dnssec/dnssec-keygen.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007-2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000-2003 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
@@ -319,7 +319,7 @@ Both
 \&.key
 and
 \&.private
-files are generated for symmetric encryption algorithms such as HMAC\-MD5, even though the public and private key are equivalent\&.
+files are generated for symmetric cryptography algorithms such as HMAC\-MD5, even though the public and private key are equivalent\&.
 .SH "EXAMPLE"
 .PP
 To generate a 768\-bit DSA key for the domain
@@ -349,7 +349,7 @@ RFC 4034\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2004, 2005, 2007-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007-2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
 .br
 Copyright \(co 2000-2003 Internet Software Consortium.
 .br

bin/dnssec/dnssec-keygen.c

@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004-2015  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2016  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -46,6 +46,8 @@
 #include <isc/string.h>
 #include <isc/util.h>
 
+#include <pk11/site.h>
+
 #include <dns/dnssec.h>
 #include <dns/fixedname.h>
 #include <dns/keyvalues.h>
@@ -525,15 +527,30 @@ main(int argc, char **argv) {
 		}
 
 		if (strcasecmp(algname, "RSA") == 0) {
+#ifndef PK11_MD5_DISABLE
 			fprintf(stderr, "The use of RSA (RSAMD5) is not "
 					"recommended.\nIf you still wish to "
 					"use RSA (RSAMD5) please specify "
 					"\"-a RSAMD5\"\n");
 			INSIST(freeit == NULL);
 			return (1);
-		} else if (strcasecmp(algname, "HMAC-MD5") == 0)
+		} else if (strcasecmp(algname, "HMAC-MD5") == 0) {
 			alg = DST_ALG_HMACMD5;
-		else if (strcasecmp(algname, "HMAC-SHA1") == 0)
+#else
+			fprintf(stderr,
+				"The use of RSA (RSAMD5) was disabled\n");
+			INSIST(freeit == NULL);
+			return (1);
+		} else if (strcasecmp(algname, "RSAMD5") == 0) {
+			fprintf(stderr, "The use of RSAMD5 was disabled\n");
+			INSIST(freeit == NULL);
+			return (1);
+		} else if (strcasecmp(algname, "HMAC-MD5") == 0) {
+			fprintf(stderr,
+				"The use of HMAC-MD5 was disabled\n");
+			return (1);
+#endif
+		} else if (strcasecmp(algname, "HMAC-SHA1") == 0)
 			alg = DST_ALG_HMACSHA1;
 		else if (strcasecmp(algname, "HMAC-SHA224") == 0)
 			alg = DST_ALG_HMACSHA224;
@@ -553,6 +570,10 @@ main(int argc, char **argv) {
 				options |= DST_TYPE_KEY;
 		}
 
+#ifdef PK11_MD5_DISABLE
+		INSIST((alg != DNS_KEYALG_RSAMD5) && (alg != DST_ALG_HMACMD5));
+#endif
+
 		if (!dst_algorithm_supported(alg))
 			fatal("unsupported algorithm: %d", alg);
 

bin/dnssec/dnssec-keygen.docbook

@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005, 2007-2012, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007-2012, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and/or distribute this software for any
@@ -16,7 +16,7 @@
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-keygen">
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-keygen">
   <info>
     <date>2014-02-06</date>
   </info>
@@ -48,6 +48,7 @@
       <year>2012</year>
       <year>2014</year>
       <year>2015</year>
+      <year>2016</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -594,7 +595,7 @@
     </para>
     <para>
       Both <filename>.key</filename> and <filename>.private</filename>
-      files are generated for symmetric encryption algorithms such as
+      files are generated for symmetric cryptography algorithms such as
       HMAC-MD5, even though the public and private key are equivalent.
     </para>
   </refsection>

bin/dnssec/dnssec-keygen.html

@@ -1,5 +1,6 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2004, 2005, 2007-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007-2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
@@ -14,7 +15,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<html>
+<html lang="en">
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dnssec-keygen</title>
@@ -22,34 +23,82 @@
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.dnssec-keygen"></a><div class="titlepage"></div>
-<div class="refnamediv">
+  
+  
+
+  
+
+  <div class="refnamediv">
 <h2>Name</h2>
-<p><span class="application">dnssec-keygen</span> &#8212; DNSSEC key generation tool</p>
+<p>
+    <span class="application">dnssec-keygen</span>
+     &#8212; DNSSEC key generation tool
+  </p>
 </div>
-<div class="refsynopsisdiv">
+
+  
+
+  <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code>  [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-z</code>] {name}</p></div>
-</div>
-<div class="refsection">
+    <div class="cmdsynopsis"><p>
+      <code class="command">dnssec-keygen</code> 
+       [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
+       [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
+       [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
+       [<code class="option">-3</code>]
+       [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
+       [<code class="option">-C</code>]
+       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
+       [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
+       [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
+       [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>]
+       [<code class="option">-G</code>]
+       [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>]
+       [<code class="option">-h</code>]
+       [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>]
+       [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
+       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
+       [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
+       [<code class="option">-k</code>]
+       [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
+       [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>]
+       [<code class="option">-q</code>]
+       [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>]
+       [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>]
+       [<code class="option">-S <em class="replaceable"><code>key</code></em></code>]
+       [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>]
+       [<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
+       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
+       [<code class="option">-V</code>]
+       [<code class="option">-z</code>]
+       {name}
+    </p></div>
+  </div>
+
+  <div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-<p><span class="command"><strong>dnssec-keygen</strong></span>
+
+    <p><span class="command"><strong>dnssec-keygen</strong></span>
       generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC 4034.  It can also generate keys for use with
       TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
       (Transaction Key) as defined in RFC 2930.
     </p>
-<p>
+    <p>
       The <code class="option">name</code> of the key is specified on the command
       line.  For DNSSEC keys, this must match the name of the zone for
       which the key is being generated.
     </p>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.8"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl class="variablelist">
+
+
+    <div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 <dd>
-<p>
+          <p>
             Selects the cryptographic algorithm.  For DNSSEC keys, the value
             of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
 	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
@@ -59,26 +108,26 @@
             HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512.  These values are
             case insensitive.
           </p>
-<p>
+          <p>
             If no algorithm is specified, then RSASHA1 will be used by
             default, unless the <code class="option">-3</code> option is specified,
             in which case NSEC3RSASHA1 will be used instead.  (If
             <code class="option">-3</code> is used and an algorithm is specified,
             that algorithm will be checked for compatibility with NSEC3.)
           </p>
-<p>
+          <p>
             Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
             algorithm, and DSA is recommended.  For TSIG, HMAC-MD5 is
 	    mandatory.
           </p>
-<p>
+          <p>
             Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
             automatically set the -T KEY option.
           </p>
-</dd>
+        </dd>
 <dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
 <dd>
-<p>
+          <p>
             Specifies the number of bits in the key.  The choice of key
             size depends on the algorithm used.  RSA keys must be
             between 512 and 2048 bits.  Diffie Hellman keys must be between
@@ -87,7 +136,7 @@
             between 1 and 512 bits. Elliptic curve algorithms don't need
             this parameter.
           </p>
-<p>
+          <p>
             The key size does not need to be specified if using a default
             algorithm.  The default key size is 1024 bits for zone signing
             keys (ZSK's) and 2048 bits for key signing keys (KSK's,
@@ -96,9 +145,10 @@
             then there is no default key size, and the <code class="option">-b</code>
             must be used.
           </p>
-</dd>
+        </dd>
 <dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Specifies the owner type of the key.  The value of
             <code class="option">nametype</code> must either be ZONE (for a DNSSEC
             zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
@@ -106,18 +156,22 @@
             USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
             These values are case insensitive.  Defaults to ZONE for DNSKEY
 	    generation.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-3</span></dt>
-<dd><p>
+<dd>
+          <p>
 	    Use an NSEC3-capable algorithm to generate a DNSSEC key.
             If this option is used and no algorithm is explicitly
             set on the command line, NSEC3RSASHA1 will be used by
             default. Note that RSASHA256, RSASHA512, ECCGOST,
 	    ECDSAP256SHA256 and ECDSAP384SHA384 algorithms
 	    are NSEC3-capable.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-C</span></dt>
-<dd><p>
+<dd>
+          <p>
 	    Compatibility mode:  generates an old-style key, without
 	    any metadata.  By default, <span class="command"><strong>dnssec-keygen</strong></span>
 	    will include the key's creation date in the metadata stored
@@ -125,18 +179,21 @@
 	    (publication date, activation date, etc).  Keys that include
 	    this data may be incompatible with older versions of BIND; the
 	    <code class="option">-C</code> option suppresses them.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Indicates that the DNS record containing the key should have
             the specified class.  If not specified, class IN is used.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
 <dd>
-<p>
+          <p>
             Specifies the cryptographic hardware to use, when applicable.
           </p>
-<p>
+          <p>
             When BIND is built with OpenSSL PKCS#11 support, this defaults
             to the string "pkcs11", which identifies an OpenSSL engine
             that can drive a cryptographic accelerator or hardware service
@@ -144,39 +201,52 @@
             (--enable-native-pkcs11), it defaults to the path of the PKCS#11
             provider library specified via "--with-pkcs11".
           </p>
-</dd>
+        </dd>
 <dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Set the specified flag in the flag field of the KEY/DNSKEY record.
             The only recognized flags are KSK (Key Signing Key) and REVOKE.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-G</span></dt>
-<dd><p>
+<dd>
+          <p>
             Generate a key, but do not publish it or sign with it.  This
             option is incompatible with -P and -A.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             If generating a Diffie Hellman key, use this generator.
             Allowed values are 2 and 5.  If no generator
             is specified, a known prime from RFC 2539 will be used
             if possible; otherwise the default is 2.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-h</span></dt>
-<dd><p>
+<dd>
+          <p>
             Prints a short summary of the options and arguments to
             <span class="command"><strong>dnssec-keygen</strong></span>.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Sets the directory in which the key files are to be written.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-k</span></dt>
-<dd><p>
+<dd>
+          <p>
             Deprecated in favor of -T KEY.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Sets the default TTL to use for this key when it is converted
             into a DNSKEY RR.  If the key is imported into a zone,
             this is the TTL that will be used for it, unless there was
@@ -185,16 +255,20 @@
             is no existing DNSKEY RRset, the TTL will default to the
             SOA TTL. Setting the default TTL to <code class="literal">0</code>
             or <code class="literal">none</code> is the same as leaving it unset.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Sets the protocol value for the generated key.  The protocol
             is a number between 0 and 255.  The default is 3 (DNSSEC).
             Other possible values for this argument are listed in
             RFC 2535 and its successors.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-q</span></dt>
-<dd><p>
+<dd>
+          <p>
             Quiet mode: Suppresses unnecessary output, including
             progress indication.  Without this option, when
             <span class="command"><strong>dnssec-keygen</strong></span> is run interactively
@@ -206,9 +280,11 @@
             round of the Miller-Rabin primality test; a space
             means that the number has passed all the tests and is
             a satisfactory key.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Specifies the source of randomness.  If the operating
             system does not provide a <code class="filename">/dev/random</code>
             or equivalent device, the default source of randomness
@@ -218,9 +294,11 @@
             data to be used instead of the default.  The special value
             <code class="filename">keyboard</code> indicates that keyboard
             input should be used.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Create a new key which is an explicit successor to an
             existing key.  The name, algorithm, size, and type of the
             key will be set to match the existing key.  The activation
@@ -228,16 +306,19 @@
             the existing one.  The publication date will be set to the
             activation date minus the prepublication interval, which
             defaults to 30 days.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Specifies the strength value of the key.  The strength is
             a number between 0 and 15, and currently has no defined
             purpose in DNSSEC.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-T <em class="replaceable"><code>rrtype</code></em></span></dt>
 <dd>
-<p>
+          <p>
             Specifies the resource record type to use for the key.
             <code class="option">rrtype</code> must be either DNSKEY or KEY.  The
             default is DNSKEY when using a DNSSEC algorithm, but it can be
@@ -249,27 +330,36 @@
             Using any TSIG algorithm (HMAC-* or DH) forces this option
             to KEY.
           </p>
-</dd>
+        </dd>
 <dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Indicates the use of the key.  <code class="option">type</code> must be
             one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF.  The default
             is AUTHCONF.  AUTH refers to the ability to authenticate
             data, and CONF the ability to encrypt data.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Sets the debugging level.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-V</span></dt>
-<dd><p>
+<dd>
+	  <p>
 	    Prints version information.
-	  </p></dd>
+	  </p>
+        </dd>
 </dl></div>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.9"></a><h2>TIMING OPTIONS</h2>
-<p>
+
+
+    <p>
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
       an offset from the present time.  For convenience, if such an offset
@@ -280,44 +370,55 @@
       is computed in seconds.  To explicitly prevent a date from being
       set, use 'none' or 'never'.
     </p>
-<div class="variablelist"><dl class="variablelist">
+
+    <div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Sets the date on which a key is to be published to the zone.
             After that date, the key will be included in the zone but will
             not be used to sign it.  If not set, and if the -G option has
             not been used, the default is "now".
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Sets the date on which the key is to be activated.  After that
             date, the key will be included in the zone and used to sign
             it.  If not set, and if the -G option has not been used, the
             default is "now".  If set, if and -P is not set, then
             the publication date will be set to the activation date
             minus the prepublication interval.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Sets the date on which the key is to be revoked.  After that
             date, the key will be flagged as revoked.  It will be included
             in the zone and will be used to sign it.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Sets the date on which the key is to be retired.  After that
             date, the key will still be included in the zone, but it
             will not be used to sign it.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Sets the date on which the key is to be deleted.  After that
             date, the key will no longer be included in the zone.  (It
             may remain in the key repository, however.)
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
 <dd>
-<p>
+          <p>
             Sets the prepublication interval for a key.  If set, then
             the publication and activation dates must be separated by at least
             this much time.  If the activation date is specified but the
@@ -326,42 +427,51 @@
             the publication date is specified but activation date isn't,
             then activation will be set to this much time after publication.
           </p>
-<p>
+          <p>
             If the key is being created as an explicit successor to another
             key, then the default prepublication interval is 30 days;
             otherwise it is zero.
           </p>
-<p>
+          <p>
             As with date offsets, if the argument is followed by one of
             the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
             interval is measured in years, months, weeks, days, hours,
             or minutes, respectively.  Without a suffix, the interval is
             measured in seconds.
           </p>
-</dd>
+        </dd>
 </dl></div>
-</div>
-<div class="refsection">
+  </div>
+
+
+  <div class="refsection">
 <a name="id-1.10"></a><h2>GENERATED KEYS</h2>
-<p>
+
+    <p>
       When <span class="command"><strong>dnssec-keygen</strong></span> completes
       successfully,
       it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
       to the standard output.  This is an identification string for
       the key it has generated.
     </p>
-<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem"><p><code class="filename">nnnn</code> is the key name.
-        </p></li>
-<li class="listitem"><p><code class="filename">aaa</code> is the numeric representation
+    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+        <p><code class="filename">nnnn</code> is the key name.
+        </p>
+      </li>
+<li class="listitem">
+        <p><code class="filename">aaa</code> is the numeric representation
           of the
           algorithm.
-        </p></li>
-<li class="listitem"><p><code class="filename">iiiii</code> is the key identifier (or
+        </p>
+      </li>
+<li class="listitem">
+        <p><code class="filename">iiiii</code> is the key identifier (or
           footprint).
-        </p></li>
+        </p>
+      </li>
 </ul></div>
-<p><span class="command"><strong>dnssec-keygen</strong></span>
+    <p><span class="command"><strong>dnssec-keygen</strong></span>
       creates two files, with names based
       on the printed string.  <code class="filename">Knnnn.+aaa+iiiii.key</code>
       contains the public key, and
@@ -369,53 +479,60 @@
       private
       key.
     </p>
-<p>
+    <p>
       The <code class="filename">.key</code> file contains a DNS KEY record
       that
       can be inserted into a zone file (directly or with a $INCLUDE
       statement).
     </p>
-<p>
+    <p>
       The <code class="filename">.private</code> file contains
       algorithm-specific
       fields.  For obvious security reasons, this file does not have
       general read permission.
     </p>
-<p>
+    <p>
       Both <code class="filename">.key</code> and <code class="filename">.private</code>
-      files are generated for symmetric encryption algorithms such as
+      files are generated for symmetric cryptography algorithms such as
       HMAC-MD5, even though the public and private key are equivalent.
     </p>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.11"></a><h2>EXAMPLE</h2>
-<p>
+
+    <p>
       To generate a 768-bit DSA key for the domain
       <strong class="userinput"><code>example.com</code></strong>, the following command would be
       issued:
     </p>
-<p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
+    <p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
     </p>
-<p>
+    <p>
       The command would print a string of the form:
     </p>
-<p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
+    <p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
     </p>
-<p>
+    <p>
       In this example, <span class="command"><strong>dnssec-keygen</strong></span> creates
       the files <code class="filename">Kexample.com.+003+26160.key</code>
       and
       <code class="filename">Kexample.com.+003+26160.private</code>.
     </p>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.12"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
+
+    <p><span class="citerefentry">
+        <span class="refentrytitle">dnssec-signzone</span>(8)
+      </span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 2539</em>,
       <em class="citetitle">RFC 2845</em>,
       <em class="citetitle">RFC 4034</em>.
     </p>
-</div>
+  </div>
+
 </div></body>
 </html>

bin/dnssec/dnssec-revoke.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2009, 2011, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009, 2011, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -107,5 +107,5 @@ RFC 5011\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2009, 2011, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009, 2011, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dnssec/dnssec-revoke.docbook

@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2009, 2011, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2011, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-revoke">
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-revoke">
   <info>
     <date>2014-01-15</date>
   </info>
@@ -41,6 +41,7 @@
       <year>2011</year>
       <year>2014</year>
       <year>2015</year>
+      <year>2016</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>

bin/dnssec/dnssec-revoke.html

@@ -1,5 +1,6 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2009, 2011, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2011, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<html>
+<html lang="en">
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dnssec-revoke</title>
@@ -21,52 +22,88 @@
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.dnssec-revoke"></a><div class="titlepage"></div>
-<div class="refnamediv">
+  
+  
+
+  
+
+  <div class="refnamediv">
 <h2>Name</h2>
-<p><span class="application">dnssec-revoke</span> &#8212; set the REVOKED bit on a DNSSEC key</p>
+<p>
+    <span class="application">dnssec-revoke</span>
+     &#8212; set the REVOKED bit on a DNSSEC key
+  </p>
 </div>
-<div class="refsynopsisdiv">
+
+  
+
+  <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-revoke</code>  [<code class="option">-hr</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f</code>] [<code class="option">-R</code>] {keyfile}</p></div>
-</div>
-<div class="refsection">
+    <div class="cmdsynopsis"><p>
+      <code class="command">dnssec-revoke</code> 
+       [<code class="option">-hr</code>]
+       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
+       [<code class="option">-V</code>]
+       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
+       [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
+       [<code class="option">-f</code>]
+       [<code class="option">-R</code>]
+       {keyfile}
+    </p></div>
+  </div>
+
+  <div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-<p><span class="command"><strong>dnssec-revoke</strong></span>
+
+    <p><span class="command"><strong>dnssec-revoke</strong></span>
       reads a DNSSEC key file, sets the REVOKED bit on the key as defined
       in RFC 5011, and creates a new pair of key files containing the
       now-revoked key.
     </p>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.8"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl class="variablelist">
+
+
+    <div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-h</span></dt>
-<dd><p>
+<dd>
+	  <p>
 	    Emit usage message and exit.
-	  </p></dd>
+	  </p>
+        </dd>
 <dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Sets the directory in which the key files are to reside.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-r</span></dt>
-<dd><p>
+<dd>
+	  <p>
 	    After writing the new keyset files remove the original keyset
 	    files.
-	  </p></dd>
+	  </p>
+        </dd>
 <dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Sets the debugging level.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-V</span></dt>
-<dd><p>
+<dd>
+	  <p>
 	    Prints version information.
-	  </p></dd>
+	  </p>
+        </dd>
 <dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
 <dd>
-<p>
+          <p>
             Specifies the cryptographic hardware to use, when applicable.
           </p>
-<p>
+          <p>
             When BIND is built with OpenSSL PKCS#11 support, this defaults
             to the string "pkcs11", which identifies an OpenSSL engine
             that can drive a cryptographic accelerator or hardware service
@@ -74,26 +111,35 @@
             (--enable-native-pkcs11), it defaults to the path of the PKCS#11
             provider library specified via "--with-pkcs11".
           </p>
-</dd>
+        </dd>
 <dt><span class="term">-f</span></dt>
-<dd><p>
+<dd>
+          <p>
             Force overwrite: Causes <span class="command"><strong>dnssec-revoke</strong></span> to
             write the new key pair even if a file already exists matching
             the algorithm and key ID of the revoked key.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-R</span></dt>
-<dd><p>
+<dd>
+          <p>
 	    Print the key tag of the key with the REVOKE bit set but do
 	    not revoke the key.
-          </p></dd>
+          </p>
+        </dd>
 </dl></div>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.9"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
+
+    <p><span class="citerefentry">
+        <span class="refentrytitle">dnssec-keygen</span>(8)
+      </span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 5011</em>.
     </p>
-</div>
+  </div>
+
 </div></body>
 </html>

bin/dnssec/dnssec-settime.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2009-2011, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009-2011, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -194,5 +194,5 @@ RFC 5011\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2009-2011, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009-2011, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dnssec/dnssec-settime.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009-2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009-2016  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -472,11 +472,12 @@ main(int argc, char **argv) {
 	if ((setdel && setinact && del < inact) ||
 	    (dst_key_gettime(key, DST_TIME_INACTIVE,
 			     &previnact) == ISC_R_SUCCESS &&
-	     setdel && !setinact && del < previnact) ||
+	     setdel && !setinact && !unsetinact && del < previnact) ||
 	    (dst_key_gettime(key, DST_TIME_DELETE,
 			     &prevdel) == ISC_R_SUCCESS &&
-	     setinact && !setdel && prevdel < inact) ||
-	    (!setdel && !setinact && prevdel < previnact))
+	     setinact && !setdel && !unsetdel && prevdel < inact) ||
+	    (!setdel && !unsetdel && !setinact && !unsetinact &&
+	     prevdel < previnact))
 		fprintf(stderr, "%s: warning: Key is scheduled to "
 				"be deleted before it is\n\t"
 				"scheduled to be inactive.\n",

bin/dnssec/dnssec-settime.docbook

@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2009-2011, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009-2011, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-settime">
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-settime">
   <info>
     <date>2014-02-06</date>
   </info>
@@ -42,6 +42,7 @@
       <year>2011</year>
       <year>2014</year>
       <year>2015</year>
+      <year>2016</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>

bin/dnssec/dnssec-settime.html

@@ -1,5 +1,6 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2009-2011, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009-2011, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<html>
+<html lang="en">
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dnssec-settime</title>
@@ -21,17 +22,45 @@
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.dnssec-settime"></a><div class="titlepage"></div>
-<div class="refnamediv">
+  
+  
+
+  
+
+  <div class="refnamediv">
 <h2>Name</h2>
-<p><span class="application">dnssec-settime</span> &#8212; set the key timing metadata for a DNSSEC key</p>
+<p>
+    <span class="application">dnssec-settime</span>
+     &#8212; set the key timing metadata for a DNSSEC key
+  </p>
 </div>
-<div class="refsynopsisdiv">
+
+  
+
+  <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-settime</code>  [<code class="option">-f</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-V</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] {keyfile}</p></div>
-</div>
-<div class="refsection">
+    <div class="cmdsynopsis"><p>
+      <code class="command">dnssec-settime</code> 
+       [<code class="option">-f</code>]
+       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
+       [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
+       [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
+       [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
+       [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>]
+       [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>]
+       [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
+       [<code class="option">-h</code>]
+       [<code class="option">-V</code>]
+       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
+       [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
+       {keyfile}
+    </p></div>
+  </div>
+
+  <div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-<p><span class="command"><strong>dnssec-settime</strong></span>
+
+    <p><span class="command"><strong>dnssec-settime</strong></span>
       reads a DNSSEC private key file and sets the key timing metadata
       as specified by the <code class="option">-P</code>, <code class="option">-A</code>,
       <code class="option">-R</code>, <code class="option">-I</code>, and <code class="option">-D</code>
@@ -40,12 +69,12 @@
       determine when a key is to be published, whether it should be
       used for signing a zone, etc.
     </p>
-<p>
+    <p>
       If none of these options is set on the command line,
       then <span class="command"><strong>dnssec-settime</strong></span> simply prints the key timing
       metadata already stored in the key.
     </p>
-<p>
+    <p>
       When key metadata fields are changed, both files of a key
       pair (<code class="filename">Knnnn.+aaa+iiiii.key</code> and
       <code class="filename">Knnnn.+aaa+iiiii.private</code>) are regenerated.
@@ -54,12 +83,16 @@
       file.  The private file's permissions are always set to be
       inaccessible to anyone other than the owner (mode 0600).
     </p>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.8"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl class="variablelist">
+
+
+    <div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-f</span></dt>
-<dd><p>
+<dd>
+	  <p>
 	    Force an update of an old-format key with no metadata fields.
             Without this option, <span class="command"><strong>dnssec-settime</strong></span> will
             fail when attempting to update a legacy key.  With this option,
@@ -68,13 +101,17 @@
             set to the present time.  If no other values are specified,
             then the key's publication and activation dates will also
             be set to the present time.
-	  </p></dd>
+	  </p>
+        </dd>
 <dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Sets the directory in which the key files are to reside.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Sets the default TTL to use for this key when it is converted
             into a DNSKEY RR.  If the key is imported into a zone,
             this is the TTL that will be used for it, unless there was
@@ -83,25 +120,32 @@
             is no existing DNSKEY RRset, the TTL will default to the
             SOA TTL. Setting the default TTL to <code class="literal">0</code>
             or <code class="literal">none</code> removes it from the key.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-h</span></dt>
-<dd><p>
+<dd>
+	  <p>
 	    Emit usage message and exit.
-	  </p></dd>
+	  </p>
+        </dd>
 <dt><span class="term">-V</span></dt>
-<dd><p>
+<dd>
+	  <p>
 	    Prints version information.
-	  </p></dd>
+	  </p>
+        </dd>
 <dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Sets the debugging level.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
 <dd>
-<p>
+          <p>
             Specifies the cryptographic hardware to use, when applicable.
           </p>
-<p>
+          <p>
             When BIND is built with OpenSSL PKCS#11 support, this defaults
             to the string "pkcs11", which identifies an OpenSSL engine
             that can drive a cryptographic accelerator or hardware service
@@ -109,12 +153,14 @@
             (--enable-native-pkcs11), it defaults to the path of the PKCS#11
             provider library specified via "--with-pkcs11".
           </p>
-</dd>
+        </dd>
 </dl></div>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.9"></a><h2>TIMING OPTIONS</h2>
-<p>
+
+    <p>
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
       an offset from the present time.  For convenience, if such an offset
@@ -124,39 +170,51 @@
       days, hours, or minutes, respectively.  Without a suffix, the offset
       is computed in seconds.  To unset a date, use 'none' or 'never'.
     </p>
-<div class="variablelist"><dl class="variablelist">
+
+    <div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Sets the date on which a key is to be published to the zone.
             After that date, the key will be included in the zone but will
             not be used to sign it.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Sets the date on which the key is to be activated.  After that
             date, the key will be included in the zone and used to sign
             it.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Sets the date on which the key is to be revoked.  After that
             date, the key will be flagged as revoked.  It will be included
             in the zone and will be used to sign it.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Sets the date on which the key is to be retired.  After that
             date, the key will still be included in the zone, but it
             will not be used to sign it.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Sets the date on which the key is to be deleted.  After that
             date, the key will no longer be included in the zone.  (It
             may remain in the key repository, however.)
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-S <em class="replaceable"><code>predecessor key</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Select a key for which the key being modified will be an
             explicit successor.  The name, algorithm, size, and type of the
             predecessor key must exactly match those of the key being
@@ -164,10 +222,11 @@
             to the inactivation date of the predecessor.  The publication
             date will be set to the activation date minus the prepublication
             interval, which defaults to 30 days.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
 <dd>
-<p>
+          <p>
             Sets the prepublication interval for a key.  If set, then
             the publication and activation dates must be separated by at least
             this much time.  If the activation date is specified but the
@@ -176,34 +235,40 @@
             the publication date is specified but activation date isn't,
             then activation will be set to this much time after publication.
           </p>
-<p>
+          <p>
             If the key is being set to be an explicit successor to another
             key, then the default prepublication interval is 30 days;
             otherwise it is zero.
           </p>
-<p>
+          <p>
             As with date offsets, if the argument is followed by one of
             the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
             interval is measured in years, months, weeks, days, hours,
             or minutes, respectively.  Without a suffix, the interval is
             measured in seconds.
           </p>
-</dd>
+        </dd>
 </dl></div>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.10"></a><h2>PRINTING OPTIONS</h2>
-<p>
+
+    <p>
       <span class="command"><strong>dnssec-settime</strong></span> can also be used to print the
       timing metadata associated with a key.
     </p>
-<div class="variablelist"><dl class="variablelist">
+
+    <div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-u</span></dt>
-<dd><p>
+<dd>
+	  <p>
 	    Print times in UNIX epoch format.
-	  </p></dd>
+	  </p>
+        </dd>
 <dt><span class="term">-p <em class="replaceable"><code>C/P/A/R/I/D/all</code></em></span></dt>
-<dd><p>
+<dd>
+	  <p>
 	    Print a specific metadata value or set of metadata values.
             The <code class="option">-p</code> option may be followed by one or more
             of the following letters to indicate which value or values to print:
@@ -214,16 +279,24 @@
             <code class="option">I</code> for the inactivation date, or
             <code class="option">D</code> for the deletion date.
             To print all of the metadata, use <code class="option">-p all</code>.
-	  </p></dd>
+	  </p>
+        </dd>
 </dl></div>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.11"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
+
+    <p><span class="citerefentry">
+        <span class="refentrytitle">dnssec-keygen</span>(8)
+      </span>,
+      <span class="citerefentry">
+        <span class="refentrytitle">dnssec-signzone</span>(8)
+      </span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 5011</em>.
     </p>
-</div>
+  </div>
+
 </div></body>
 </html>

bin/dnssec/dnssec-signzone.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004-2009, 2011-2015 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2009, 2011-2017 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000-2003 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
@@ -48,7 +48,7 @@
 dnssec-signzone \- DNSSEC zone signing tool
 .SH "SYNOPSIS"
 .HP \w'\fBdnssec\-signzone\fR\ 'u
-\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-f\ \fR\fB\fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\ \fR\fB\fIkey\fR\fR] [\fB\-L\ \fR\fB\fIserial\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-M\ \fR\fB\fIdomain\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-j\ \fR\fB\fIjitter\fR\fR] [\fB\-N\ \fR\fB\fIsoa\-serial\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-O\ \fR\fB\fIoutput\-format\fR\fR] [\fB\-P\fR] [\fB\-p\fR] [\fB\-R\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-S\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-T\ \fR\fB\fIttl\fR\fR] [\fB\-t\fR] [\fB\-u\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fB\-X\ \fR\fB\fIextended\ end\-time\fR\fR] [\fB\-x\fR] [\fB\-z\fR] [\fB\-3\ \fR\fB\fIsalt\fR\fR] [\fB\-H\ \fR\fB\fIiterations\fR\fR] [\fB\-A\fR] {zonefile} [key...]
+\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-f\ \fR\fB\fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-j\ \fR\fB\fIjitter\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\ \fR\fB\fIkey\fR\fR] [\fB\-L\ \fR\fB\fIserial\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-M\ \fR\fB\fImaxttl\fR\fR] [\fB\-N\ \fR\fB\fIsoa\-serial\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-O\ \fR\fB\fIoutput\-format\fR\fR] [\fB\-P\fR] [\fB\-p\fR] [\fB\-R\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-S\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-T\ \fR\fB\fIttl\fR\fR] [\fB\-t\fR] [\fB\-u\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fB\-X\ \fR\fB\fIextended\ end\-time\fR\fR] [\fB\-x\fR] [\fB\-z\fR] [\fB\-3\ \fR\fB\fIsalt\fR\fR] [\fB\-H\ \fR\fB\fIiterations\fR\fR] [\fB\-A\fR] {zonefile} [key...]
 .SH "DESCRIPTION"
 .PP
 \fBdnssec\-signzone\fR
@@ -480,7 +480,7 @@ RFC 4641\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2004-2009, 2011-2015 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004-2009, 2011-2017 Internet Systems Consortium, Inc. ("ISC")
 .br
 Copyright \(co 2000-2003 Internet Software Consortium.
 .br

bin/dnssec/dnssec-signzone.c

@@ -3152,6 +3152,10 @@ main(int argc, char *argv[]) {
 	}
 	isc_commandline_reset = ISC_TRUE;
 
+#ifdef _WIN32
+	InitSockets();
+#endif
+
 	masterstyle = &dns_master_style_explicitttl;
 
 	check_result(isc_app_start(), "isc_app_start");
@@ -3856,5 +3860,8 @@ main(int argc, char *argv[]) {
 			    &sign_start, &sign_finish);
 	}
 
+#ifdef _WIN32
+	DestroySockets();
+#endif
 	return (0);
 }

bin/dnssec/dnssec-signzone.docbook

@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004-2009, 2011-2015  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009, 2011-2017  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and/or distribute this software for any
@@ -16,7 +16,7 @@
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-signzone">
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-signzone">
   <info>
     <date>2014-02-18</date>
   </info>
@@ -49,6 +49,8 @@
       <year>2013</year>
       <year>2014</year>
       <year>2015</year>
+      <year>2016</year>
+      <year>2017</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -72,14 +74,14 @@
       <arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">output-file</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-g</option></arg>
       <arg choice="opt" rep="norepeat"><option>-h</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-I <replaceable class="parameter">input-format</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-j <replaceable class="parameter">jitter</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">key</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">serial</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-M <replaceable class="parameter">domain</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-I <replaceable class="parameter">input-format</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-j <replaceable class="parameter">jitter</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-M <replaceable class="parameter">maxttl</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-N <replaceable class="parameter">soa-serial-format</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-O <replaceable class="parameter">output-format</replaceable></option></arg>

bin/dnssec/dnssec-signzone.html

@@ -1,5 +1,6 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2004-2009, 2011-2015 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009, 2011-2017 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
@@ -14,7 +15,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<html>
+<html lang="en">
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dnssec-signzone</title>
@@ -22,17 +23,71 @@
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.dnssec-signzone"></a><div class="titlepage"></div>
-<div class="refnamediv">
+  
+  
+
+  
+
+  <div class="refnamediv">
 <h2>Name</h2>
-<p><span class="application">dnssec-signzone</span> &#8212; DNSSEC zone signing tool</p>
+<p>
+    <span class="application">dnssec-signzone</span>
+     &#8212; DNSSEC zone signing tool
+  </p>
 </div>
-<div class="refsynopsisdiv">
+
+  
+
+  <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code>  [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-M <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-P</code>] [<code class="option">-p</code>] [<code class="option">-R</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-X <em class="replaceable"><code>extended end-time</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
-</div>
-<div class="refsection">
+    <div class="cmdsynopsis"><p>
+      <code class="command">dnssec-signzone</code> 
+       [<code class="option">-a</code>]
+       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
+       [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>]
+       [<code class="option">-D</code>]
+       [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
+       [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>]
+       [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>]
+       [<code class="option">-g</code>]
+       [<code class="option">-h</code>]
+       [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
+       [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>]
+       [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>]
+       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
+       [<code class="option">-k <em class="replaceable"><code>key</code></em></code>]
+       [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>]
+       [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>]
+       [<code class="option">-M <em class="replaceable"><code>maxttl</code></em></code>]
+       [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>]
+       [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>]
+       [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>]
+       [<code class="option">-P</code>]
+       [<code class="option">-p</code>]
+       [<code class="option">-R</code>]
+       [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>]
+       [<code class="option">-S</code>]
+       [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>]
+       [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>]
+       [<code class="option">-t</code>]
+       [<code class="option">-u</code>]
+       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
+       [<code class="option">-V</code>]
+       [<code class="option">-X <em class="replaceable"><code>extended end-time</code></em></code>]
+       [<code class="option">-x</code>]
+       [<code class="option">-z</code>]
+       [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>]
+       [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>]
+       [<code class="option">-A</code>]
+       {zonefile}
+       [key...]
+    </p></div>
+  </div>
+
+  <div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-<p><span class="command"><strong>dnssec-signzone</strong></span>
+
+    <p><span class="command"><strong>dnssec-signzone</strong></span>
       signs a zone.  It generates
       NSEC and RRSIG records and produces a signed version of the
       zone. The security status of delegations from the signed zone
@@ -40,34 +95,46 @@
       determined by the presence or absence of a
       <code class="filename">keyset</code> file for each child zone.
     </p>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.8"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl class="variablelist">
+
+
+    <div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-a</span></dt>
-<dd><p>
+<dd>
+          <p>
             Verify all generated signatures.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Specifies the DNS class of the zone.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-C</span></dt>
-<dd><p>
+<dd>
+          <p>
             Compatibility mode: Generate a
             <code class="filename">keyset-<em class="replaceable"><code>zonename</code></em></code>
             file in addition to
             <code class="filename">dsset-<em class="replaceable"><code>zonename</code></em></code>
             when signing a zone, for use by older versions of
             <span class="command"><strong>dnssec-signzone</strong></span>.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Look for <code class="filename">dsset-</code> or
             <code class="filename">keyset-</code> files in <code class="option">directory</code>.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-D</span></dt>
-<dd><p>
+<dd>
+          <p>
 	    Output only those record types automatically managed by
 	    <span class="command"><strong>dnssec-signzone</strong></span>, i.e. RRSIG, NSEC,
 	    NSEC3 and NSEC3PARAM records. If smart signing
@@ -76,15 +143,16 @@
 	    zone file with <span class="command"><strong>$INCLUDE</strong></span>. This option
 	    cannot be combined with <code class="option">-O raw</code>,
             <code class="option">-O map</code>, or serial number updating.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
 <dd>
-<p>
+          <p>
             When applicable, specifies the hardware to use for
             cryptographic operations, such as a secure key store used
             for signing.
           </p>
-<p>
+          <p>
             When BIND is built with OpenSSL PKCS#11 support, this defaults
             to the string "pkcs11", which identifies an OpenSSL engine
             that can drive a cryptographic accelerator or hardware service
@@ -92,30 +160,39 @@
             (--enable-native-pkcs11), it defaults to the path of the PKCS#11
             provider library specified via "--with-pkcs11".
           </p>
-</dd>
+        </dd>
 <dt><span class="term">-g</span></dt>
-<dd><p>
+<dd>
+          <p>
             Generate DS records for child zones from
             <code class="filename">dsset-</code> or <code class="filename">keyset-</code>
             file.  Existing DS records will be removed.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Key repository: Specify a directory to search for DNSSEC keys.
             If not specified, defaults to the current directory.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Treat specified key as a key signing key ignoring any
             key flags.  This option may be specified multiple times.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Generate a DLV set in addition to the key (DNSKEY) and DS sets.
             The domain is appended to the name of the records.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-M <em class="replaceable"><code>maxttl</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Sets the maximum TTL for the signed zone.
             Any TTL higher than <em class="replaceable"><code>maxttl</code></em> in the
             input zone will be reduced to <em class="replaceable"><code>maxttl</code></em>
@@ -128,9 +205,11 @@
             <code class="option">max-zone-ttl</code> in <code class="filename">named.conf</code>.
             (Note: This option is incompatible with <code class="option">-D</code>,
             because it modifies non-DNSSEC data in the output zone.)
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Specify the date and time when the generated RRSIG records
             become valid.  This can be either an absolute or relative
             time.  An absolute start time is indicated by a number
@@ -139,9 +218,11 @@
             indicated by +N, which is N seconds from the current time.
             If no <code class="option">start-time</code> is specified, the current
             time minus 1 hour (to allow for clock skew) is used.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Specify the date and time when the generated RRSIG records
             expire.  As with <code class="option">start-time</code>, an absolute
             time is indicated in YYYYMMDDHHMMSS notation.  A time relative
@@ -151,10 +232,11 @@
             specified, 30 days from the start time is used as a default.
             <code class="option">end-time</code> must be later than
             <code class="option">start-time</code>.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-X <em class="replaceable"><code>extended end-time</code></em></span></dt>
 <dd>
-<p>
+          <p>
             Specify the date and time when the generated RRSIG records
             for the DNSKEY RRset will expire.  This is to be used in cases
             when the DNSKEY signatures need to persist longer than
@@ -162,7 +244,7 @@
             of the KSK is kept offline and the KSK signature is to be
             refreshed manually.
           </p>
-<p>
+          <p>
             As with <code class="option">start-time</code>, an absolute
             time is indicated in YYYYMMDDHHMMSS notation.  A time relative
             to the start time is indicated with +N, which is N seconds from
@@ -173,28 +255,34 @@
             30 days from the start time.) <code class="option">extended end-time</code>
             must be later than <code class="option">start-time</code>.
           </p>
-</dd>
+        </dd>
 <dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             The name of the output file containing the signed zone.  The
             default is to append <code class="filename">.signed</code> to
             the input filename.  If <code class="option">output-file</code> is
             set to <code class="literal">"-"</code>, then the signed zone is
             written to the standard output, with a default output
             format of "full".
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-h</span></dt>
-<dd><p>
+<dd>
+          <p>
             Prints a short summary of the options and arguments to
             <span class="command"><strong>dnssec-signzone</strong></span>.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-V</span></dt>
-<dd><p>
+<dd>
+	  <p>
 	    Prints version information.
-	  </p></dd>
+	  </p>
+        </dd>
 <dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
 <dd>
-<p>
+          <p>
             When a previously-signed zone is passed as input, records
             may be resigned.  The <code class="option">interval</code> option
             specifies the cycle interval as an offset from the current
@@ -202,7 +290,7 @@
             cycle interval, it is retained.  Otherwise, it is considered
             to be expiring soon, and it will be replaced.
           </p>
-<p>
+          <p>
             The default cycle interval is one quarter of the difference
             between the signature end and start times.  So if neither
             <code class="option">end-time</code> or <code class="option">start-time</code>
@@ -213,9 +301,10 @@
             are due to expire in less than 7.5 days, they would be
             replaced.
           </p>
-</dd>
+        </dd>
 <dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             The format of the input zone file.
 	    Possible formats are <span class="command"><strong>"text"</strong></span> (default),
 	    <span class="command"><strong>"raw"</strong></span>, and <span class="command"><strong>"map"</strong></span>.
@@ -224,10 +313,11 @@
             format containing updates can be signed directly.
 	    The use of this option does not make much sense for
 	    non-dynamic zones.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
 <dd>
-<p>
+          <p>
             When signing a zone with a fixed signature lifetime, all
             RRSIG records issued at the time of signing expires
             simultaneously.  If the zone is incrementally signed, i.e.
@@ -238,52 +328,67 @@
             expire time, thus spreading incremental signature
             regeneration over time.
           </p>
-<p>
+          <p>
             Signature lifetime jitter also to some extent benefits
             validators and servers by spreading out cache expiration,
             i.e. if large numbers of RRSIGs don't expire at the same time
             from all caches there will be less congestion than if all
             validators need to refetch at mostly the same time.
           </p>
-</dd>
+        </dd>
 <dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             When writing a signed zone to "raw" or "map" format, set the
             "source serial" value in the header to the specified serial
             number.  (This is expected to be used primarily for testing
             purposes.)
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Specifies the number of threads to use.  By default, one
             thread is started for each detected CPU.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
 <dd>
-<p>
+          <p>
             The SOA serial number format of the signed zone.
 	    Possible formats are <span class="command"><strong>"keep"</strong></span> (default),
             <span class="command"><strong>"increment"</strong></span> and
 	    <span class="command"><strong>"unixtime"</strong></span>.
           </p>
-<div class="variablelist"><dl class="variablelist">
+
+          <div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><span class="command"><strong>"keep"</strong></span></span></dt>
-<dd><p>Do not modify the SOA serial number.</p></dd>
+<dd>
+                <p>Do not modify the SOA serial number.</p>
+	      </dd>
 <dt><span class="term"><span class="command"><strong>"increment"</strong></span></span></dt>
-<dd><p>Increment the SOA serial number using RFC 1982
-                      arithmetics.</p></dd>
+<dd>
+                <p>Increment the SOA serial number using RFC 1982
+                      arithmetics.</p>
+	      </dd>
 <dt><span class="term"><span class="command"><strong>"unixtime"</strong></span></span></dt>
-<dd><p>Set the SOA serial number to the number of seconds
-	        since epoch.</p></dd>
+<dd>
+                <p>Set the SOA serial number to the number of seconds
+	        since epoch.</p>
+	      </dd>
 </dl></div>
-</dd>
+
+        </dd>
 <dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             The zone origin.  If not specified, the name of the zone file
             is assumed to be the origin.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             The format of the output file containing the signed zone.
 	    Possible formats are <span class="command"><strong>"text"</strong></span> (default),
             which is the standard textual representation of the zone;
@@ -296,33 +401,36 @@
             the raw zone file: if N is 0, the raw file can be read by
             any version of <span class="command"><strong>named</strong></span>; if N is 1, the file
             can be read by release 9.9.0 or higher; the default is 1.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-p</span></dt>
-<dd><p>
+<dd>
+          <p>
             Use pseudo-random data when signing the zone.  This is faster,
             but less secure, than using real random data.  This option
             may be useful when signing large zones or when the entropy
             source is limited.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-P</span></dt>
 <dd>
-<p>
+          <p>
 	    Disable post sign verification tests.
           </p>
-<p>
+          <p>
 	    The post sign verification test ensures that for each algorithm
 	    in use there is at least one non revoked self signed KSK key,
 	    that all revoked KSK keys are self signed, and that all records
 	    in the zone are signed by the algorithm.
 	    This option skips these tests.
           </p>
-</dd>
+        </dd>
 <dt><span class="term">-Q</span></dt>
 <dd>
-<p>
+          <p>
 	    Remove signatures from keys that are no longer active.
           </p>
-<p>
+          <p>
             Normally, when a previously-signed zone is passed as input
             to the signer, and a DNSKEY record has been removed and
             replaced with a new one, signatures from the old key
@@ -334,22 +442,23 @@
             enables ZSK rollover using the procedure described in
             RFC 4641, section 4.2.1.1 ("Pre-Publish Key Rollover").
           </p>
-</dd>
+        </dd>
 <dt><span class="term">-R</span></dt>
 <dd>
-<p>
+          <p>
 	    Remove signatures from keys that are no longer published.
           </p>
-<p>
+          <p>
             This option is similar to <code class="option">-Q</code>, except it
             forces <span class="command"><strong>dnssec-signzone</strong></span> to signatures from
             keys that are no longer published. This enables ZSK rollover
             using the procedure described in RFC 4641, section 4.2.1.2
             ("Double Signature Zone Signing Key Rollover").
           </p>
-</dd>
+        </dd>
 <dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Specifies the source of randomness.  If the operating
             system does not provide a <code class="filename">/dev/random</code>
             or equivalent device, the default source of randomness
@@ -359,53 +468,65 @@
             data to be used instead of the default.  The special value
             <code class="filename">keyboard</code> indicates that keyboard
             input should be used.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-S</span></dt>
 <dd>
-<p>
+          <p>
             Smart signing: Instructs <span class="command"><strong>dnssec-signzone</strong></span> to
             search the key repository for keys that match the zone being
             signed, and to include them in the zone if appropriate.
           </p>
-<p>
+          <p>
             When a key is found, its timing metadata is examined to
             determine how it should be used, according to the following
             rules.  Each successive rule takes priority over the prior
             ones:
           </p>
-<div class="variablelist"><dl class="variablelist">
+          <div class="variablelist"><dl class="variablelist">
 <dt></dt>
-<dd><p>
+<dd>
+                <p>
                   If no timing metadata has been set for the key, the key is
                   published in the zone and used to sign the zone.
-                </p></dd>
+                </p>
+	      </dd>
 <dt></dt>
-<dd><p>
+<dd>
+                <p>
                   If the key's publication date is set and is in the past, the
                   key is published in the zone.
-                </p></dd>
+                </p>
+	      </dd>
 <dt></dt>
-<dd><p>
+<dd>
+                <p>
                   If the key's activation date is set and in the past, the
                   key is published (regardless of publication date) and
                   used to sign the zone.
-                </p></dd>
+                </p>
+	      </dd>
 <dt></dt>
-<dd><p>
+<dd>
+                <p>
                   If the key's revocation date is set and in the past, and the
                   key is published, then the key is revoked, and the revoked key
                   is used to sign the zone.
-                </p></dd>
+                </p>
+	      </dd>
 <dt></dt>
-<dd><p>
+<dd>
+                <p>
                   If either of the key's unpublication or deletion dates are set
                   and in the past, the key is NOT published or used to sign the
                   zone, regardless of any other metadata.
-                </p></dd>
+                </p>
+	      </dd>
 </dl></div>
-</dd>
+        </dd>
 <dt><span class="term">-T <em class="replaceable"><code>ttl</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Specifies a TTL to be used for new DNSKEY records imported
             into the zone from the key repository.  If not
             specified, the default is the TTL value from the zone's SOA
@@ -417,81 +538,102 @@
             them, or if any of the imported DNSKEY records had a default
             TTL value.  In the event of a a conflict between TTL values in
             imported keys, the shortest one is used.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-t</span></dt>
-<dd><p>
+<dd>
+          <p>
             Print statistics at completion.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-u</span></dt>
-<dd><p>
+<dd>
+          <p>
             Update NSEC/NSEC3 chain when re-signing a previously signed
             zone.  With this option, a zone signed with NSEC can be
             switched to NSEC3, or a zone signed with NSEC3 can
             be switch to NSEC or to NSEC3 with different parameters.
             Without this option, <span class="command"><strong>dnssec-signzone</strong></span> will
             retain the existing chain when re-signing.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Sets the debugging level.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-x</span></dt>
-<dd><p>
+<dd>
+          <p>
             Only sign the DNSKEY RRset with key-signing keys, and omit
             signatures from zone-signing keys.  (This is similar to the
             <span class="command"><strong>dnssec-dnskey-kskonly yes;</strong></span> zone option in
             <span class="command"><strong>named</strong></span>.)
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-z</span></dt>
-<dd><p>
+<dd>
+          <p>
             Ignore KSK flag on key when determining what to sign.  This
             causes KSK-flagged keys to sign all records, not just the
             DNSKEY RRset.  (This is similar to the
             <span class="command"><strong>update-check-ksk no;</strong></span> zone option in
             <span class="command"><strong>named</strong></span>.)
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Generate an NSEC3 chain with the given hex encoded salt.
 	    A dash (<em class="replaceable"><code>salt</code></em>) can
 	    be used to indicate that no salt is to be used when generating		    the NSEC3 chain.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
 	    When generating an NSEC3 chain, use this many iterations.  The
 	    default is 10.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-A</span></dt>
 <dd>
-<p>
+          <p>
 	    When generating an NSEC3 chain set the OPTOUT flag on all
 	    NSEC3 records and do not generate NSEC3 records for insecure
 	    delegations.
           </p>
-<p>
+          <p>
 	    Using this option twice (i.e., <code class="option">-AA</code>)
 	    turns the OPTOUT flag off for all records.  This is useful
 	    when using the <code class="option">-u</code> option to modify an NSEC3
 	    chain which previously had OPTOUT set.
           </p>
-</dd>
+        </dd>
 <dt><span class="term">zonefile</span></dt>
-<dd><p>
+<dd>
+          <p>
             The file containing the zone to be signed.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">key</span></dt>
-<dd><p>
+<dd>
+          <p>
 	    Specify which keys should be used to sign the zone.  If
 	    no keys are specified, then the zone will be examined
 	    for DNSKEY records at the zone apex.  If these are found and
 	    there are matching private keys, in the current directory,
 	    then these will be used for signing.
-          </p></dd>
+          </p>
+        </dd>
 </dl></div>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.9"></a><h2>EXAMPLE</h2>
-<p>
+
+    <p>
       The following command signs the <strong class="userinput"><code>example.com</code></strong>
       zone with the DSA key generated by <span class="command"><strong>dnssec-keygen</strong></span>
       (Kexample.com.+003+17247).  Because the <span class="command"><strong>-S</strong></span> option
@@ -504,13 +646,13 @@
 Kexample.com.+003+17247
 db.example.com.signed
 %</pre>
-<p>
+    <p>
       In the above example, <span class="command"><strong>dnssec-signzone</strong></span> creates
       the file <code class="filename">db.example.com.signed</code>.  This
       file should be referenced in a zone statement in a
       <code class="filename">named.conf</code> file.
     </p>
-<p>
+    <p>
       This example re-signs a previously signed zone with default parameters.
       The private keys are assumed to be in the current directory.
     </p>
@@ -518,13 +660,18 @@ db.example.com.signed
 % dnssec-signzone -o example.com db.example.com
 db.example.com.signed
 %</pre>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.10"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
+
+    <p><span class="citerefentry">
+        <span class="refentrytitle">dnssec-keygen</span>(8)
+      </span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 4033</em>, <em class="citetitle">RFC 4641</em>.
     </p>
-</div>
+  </div>
+
 </div></body>
 </html>

bin/dnssec/dnssec-verify.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -121,5 +121,5 @@ RFC 4033\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dnssec/dnssec-verify.docbook

@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2012, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2012, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-verify">
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-verify">
   <info>
     <date>2014-01-15</date>
   </info>
@@ -40,6 +40,7 @@
       <year>2012</year>
       <year>2014</year>
       <year>2015</year>
+      <year>2016</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>

bin/dnssec/dnssec-verify.html

@@ -1,5 +1,6 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<html>
+<html lang="en">
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dnssec-verify</title>
@@ -21,35 +22,64 @@
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.dnssec-verify"></a><div class="titlepage"></div>
-<div class="refnamediv">
+  
+  
+
+  
+
+  <div class="refnamediv">
 <h2>Name</h2>
-<p><span class="application">dnssec-verify</span> &#8212; DNSSEC zone verification tool</p>
+<p>
+    <span class="application">dnssec-verify</span>
+     &#8212; DNSSEC zone verification tool
+  </p>
 </div>
-<div class="refsynopsisdiv">
+
+  
+
+  <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-verify</code>  [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-x</code>] [<code class="option">-z</code>] {zonefile}</p></div>
-</div>
-<div class="refsection">
+    <div class="cmdsynopsis"><p>
+      <code class="command">dnssec-verify</code> 
+       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
+       [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
+       [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>]
+       [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>]
+       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
+       [<code class="option">-V</code>]
+       [<code class="option">-x</code>]
+       [<code class="option">-z</code>]
+       {zonefile}
+    </p></div>
+  </div>
+
+  <div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-<p><span class="command"><strong>dnssec-verify</strong></span>
+
+    <p><span class="command"><strong>dnssec-verify</strong></span>
       verifies that a zone is fully signed for each algorithm found
       in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
       chains are complete.
     </p>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.8"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl class="variablelist">
+
+
+    <div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Specifies the DNS class of the zone.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
 <dd>
-<p>
+          <p>
             Specifies the cryptographic hardware to use, when applicable.
           </p>
-<p>
+          <p>
             When BIND is built with OpenSSL PKCS#11 support, this defaults
             to the string "pkcs11", which identifies an OpenSSL engine
             that can drive a cryptographic accelerator or hardware service
@@ -57,9 +87,10 @@
             (--enable-native-pkcs11), it defaults to the path of the PKCS#11
             provider library specified via "--with-pkcs11".
           </p>
-</dd>
+        </dd>
 <dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             The format of the input zone file.
 	    Possible formats are <span class="command"><strong>"text"</strong></span> (default)
 	    and <span class="command"><strong>"raw"</strong></span>.
@@ -68,32 +99,41 @@
             format containing updates can be verified independently.
 	    The use of this option does not make much sense for
 	    non-dynamic zones.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             The zone origin.  If not specified, the name of the zone file
             is assumed to be the origin.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd><p>
+<dd>
+          <p>
             Sets the debugging level.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-V</span></dt>
-<dd><p>
+<dd>
+	  <p>
 	    Prints version information.
-	  </p></dd>
+	  </p>
+        </dd>
 <dt><span class="term">-x</span></dt>
-<dd><p>
+<dd>
+          <p>
             Only verify that the DNSKEY RRset is signed with key-signing
             keys.  Without this flag, it is assumed that the DNSKEY RRset
             will be signed by all active keys.  When this flag is set,
             it will not be an error if the DNSKEY RRset is not signed
             by zone-signing keys.  This corresponds to the <code class="option">-x</code>
             option in <span class="command"><strong>dnssec-signzone</strong></span>.
-          </p></dd>
+          </p>
+        </dd>
 <dt><span class="term">-z</span></dt>
 <dd>
-<p>
+	  <p>
 	    Ignore the KSK flag on the keys when determining whether
             the zone if correctly signed.  Without this flag it is
 	    assumed that there will be a non-revoked, self-signed
@@ -101,7 +141,7 @@
 	    that RRsets other than DNSKEY RRset will be signed with
             a different DNSKEY without the KSK flag set.
 	  </p>
-<p>
+	  <p>
 	    With this flag set, we only require that for each algorithm,
             there will be at least one non-revoked, self-signed DNSKEY,
             regardless of the KSK flag state, and that other RRsets
@@ -110,20 +150,27 @@
             for both purposes.  This corresponds to the <code class="option">-z</code>
             option in <span class="command"><strong>dnssec-signzone</strong></span>.
 	  </p>
-</dd>
+	</dd>
 <dt><span class="term">zonefile</span></dt>
-<dd><p>
+<dd>
+          <p>
             The file containing the zone to be signed.
-          </p></dd>
+          </p>
+        </dd>
 </dl></div>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.9"></a><h2>SEE ALSO</h2>
-<p>
-      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
+
+    <p>
+      <span class="citerefentry">
+        <span class="refentrytitle">dnssec-signzone</span>(8)
+      </span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 4033</em>.
     </p>
-</div>
+  </div>
+
 </div></body>
 </html>

bin/dnssec/dnssectool.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009-2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009-2016  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -25,10 +25,15 @@
 
 #include <stdlib.h>
 
+#ifdef _WIN32
+#include <Winsock2.h>
+#endif
+
 #include <isc/base32.h>
 #include <isc/buffer.h>
 #include <isc/dir.h>
 #include <isc/entropy.h>
+#include <isc/file.h>
 #include <isc/heap.h>
 #include <isc/list.h>
 #include <isc/mem.h>
@@ -472,6 +477,8 @@ key_collision(dst_key_t *dstkey, dns_name_t *name, const char *dir,
 	isc_uint16_t id, oldid;
 	isc_uint32_t rid, roldid;
 	dns_secalg_t alg;
+	char filename[ISC_DIR_NAMEMAX];
+	isc_buffer_t fileb;
 
 	if (exact != NULL)
 		*exact = ISC_FALSE;
@@ -480,6 +487,28 @@ key_collision(dst_key_t *dstkey, dns_name_t *name, const char *dir,
 	rid = dst_key_rid(dstkey);
 	alg = dst_key_alg(dstkey);
 
+	/*
+	 * For HMAC and Diffie Hellman just check if there is a
+	 * direct collision as they can't be revoked.  Additionally
+	 * dns_dnssec_findmatchingkeys only handles DNSKEY which is
+	 * not used for HMAC.
+	 */
+	switch (alg) {
+	case DST_ALG_HMACMD5:
+	case DST_ALG_HMACSHA1:
+	case DST_ALG_HMACSHA224:
+	case DST_ALG_HMACSHA256:
+	case DST_ALG_HMACSHA384:
+	case DST_ALG_HMACSHA512:
+	case DST_ALG_DH:
+		isc_buffer_init(&fileb, filename, sizeof(filename));
+		result = dst_key_buildfilename(dstkey, DST_TYPE_PRIVATE,
+					       dir, &fileb);
+		if (result != ISC_R_SUCCESS)
+			return (ISC_TRUE);
+		return (isc_file_exists(filename));
+	}
+
 	ISC_LIST_INIT(matchkeys);
 	result = dns_dnssec_findmatchingkeys(name, dir, mctx, &matchkeys);
 	if (result == ISC_R_NOTFOUND)
@@ -1834,3 +1863,25 @@ verifyzone(dns_db_t *db, dns_dbversion_t *ver,
 		}
 	}
 }
+
+#ifdef _WIN32
+void
+InitSockets(void) {
+	WORD wVersionRequested;
+	WSADATA wsaData;
+	int err;
+
+	wVersionRequested = MAKEWORD(2, 0);
+
+	err = WSAStartup( wVersionRequested, &wsaData );
+	if (err != 0) {
+		fprintf(stderr, "WSAStartup() failed: %d\n", err);
+		exit(1);
+	}
+}
+
+void
+DestroySockets(void) {
+	WSACleanup();
+}
+#endif

bin/dnssec/dnssectool.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2007-2012, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007-2012, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -98,4 +98,10 @@ void
 verifyzone(dns_db_t *db, dns_dbversion_t *ver,
 		   dns_name_t *origin, isc_mem_t *mctx,
 		   isc_boolean_t ignore_kskflag, isc_boolean_t keyset_kskonly);
+
+#ifdef _WIN32
+void InitSockets(void);
+void DestroySockets(void);
+#endif
+
 #endif /* DNSSEC_DNSSECTOOL_H */

bin/dnssec/win32/dnssectool.dsp.in

@@ -43,7 +43,7 @@ RSC=rc.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /MT /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" @COPTY@ /FD /c
-# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" @COPTY@ /FD /c /Fddnssectool
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" @CRYPTO@ /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" @COPTY@ /FD /c /Fddnssectool
 # SUBTRACT CPP /X
 # ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
 # ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
@@ -70,7 +70,7 @@ LINK32=link.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /MTd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" @COPTY@ /FD /GZ /c
-# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /FR @COPTY@ /FD /GZ /c /Fddnssectool
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" @CRYPTO@ /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /FR @COPTY@ /FD /GZ /c /Fddnssectool
 # SUBTRACT CPP /X
 # ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
 # ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32

bin/dnssec/win32/dnssectool.vcxproj.in

@@ -61,7 +61,7 @@
       </PrecompiledHeader>
       <WarningLevel>Level3</WarningLevel>
       <Optimization>Disabled</Optimization>
-      <PreprocessorDefinitions>WIN32;_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>WIN32;@CRYPTO@_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
       <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
@@ -83,7 +83,7 @@
       <Optimization>MaxSpeed</Optimization>
       <FunctionLevelLinking>true</FunctionLevelLinking>
       <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
-      <PreprocessorDefinitions>WIN32;NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>WIN32;@CRYPTO@NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
       <WholeProgramOptimization>false</WholeProgramOptimization>
       <StringPooling>true</StringPooling>

bin/dnssec/win32/dsfromkey.dsp.in

@@ -42,7 +42,7 @@ RSC=rc.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
-# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" @CRYPTO@ /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
 # ADD BASE RSC /l 0x409 /d "NDEBUG"
 # ADD RSC /l 0x409 /d "NDEBUG"
 BSC32=bscmake.exe
@@ -50,7 +50,7 @@ BSC32=bscmake.exe
 # ADD BSC32 /nologo
 LINK32=link.exe
 # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console @MACHINE@
-# ADD LINK32 user32.lib advapi32.lib Release/dnssectool.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console @MACHINE@ /out:"../../../Build/Release/dnssec-dsfromkey.exe"
+# ADD LINK32 user32.lib advapi32.lib Release/dnssectool.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ws2_32.lib /nologo /subsystem:console @MACHINE@ /out:"../../../Build/Release/dnssec-dsfromkey.exe"
 
 !ELSEIF  "$(CFG)" == "dsfromkey - @PLATFORM@ Debug"
 
@@ -66,7 +66,7 @@ LINK32=link.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /GZ /c
-# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" @CRYPTO@ /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
 # SUBTRACT CPP /X @COPTY@
 # ADD BASE RSC /l 0x409 /d "_DEBUG"
 # ADD RSC /l 0x409 /d "_DEBUG"
@@ -75,7 +75,7 @@ BSC32=bscmake.exe
 # ADD BSC32 /nologo
 LINK32=link.exe
 # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug @MACHINE@ /pdbtype:sept
-# ADD LINK32 user32.lib advapi32.lib Debug/dnssectool.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /debug @MACHINE@ /out:"../../../Build/Debug/dnssec-dsfromkey.exe" /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib Debug/dnssectool.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ws2_32.lib /nologo /subsystem:console /debug @MACHINE@ /out:"../../../Build/Debug/dnssec-dsfromkey.exe" /pdbtype:sept
 
 !ENDIF 
 

bin/dnssec/win32/dsfromkey.mak.in

@@ -119,7 +119,7 @@ CLEAN :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
 CPP=cl.exe
-CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\dsfromkey.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" @CRYPTO@ /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\dsfromkey.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
 
 .c{$(INTDIR)}.obj::
    $(CPP) @<<
@@ -157,7 +157,7 @@ BSC32_FLAGS=/nologo /o"$(OUTDIR)\dsfromkey.bsc"
 BSC32_SBRS= \
 	
 LINK32=link.exe
-LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\dnssec-dsfromkey.pdb" @MACHINE@ /out:"../../../Build/Release/dnssec-dsfromkey.exe" 
+LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ws2_32.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\dnssec-dsfromkey.pdb" @MACHINE@ /out:"../../../Build/Release/dnssec-dsfromkey.exe" 
 LINK32_OBJS= \
 	"$(INTDIR)\dnssec-dsfromkey.obj" \
 	"$(INTDIR)\dnssectool.obj"
@@ -196,7 +196,7 @@ CLEAN :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
 CPP=cl.exe
-CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" @CRYPTO@ /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
 
 .c{$(INTDIR)}.obj::
    $(CPP) @<<
@@ -241,7 +241,7 @@ BSC32_SBRS= \
 <<
 
 LINK32=link.exe
-LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\dnssec-dsfromkey.pdb" /debug @MACHINE@ /out:"../../../Build/Debug/dnssec-dsfromkey.exe" /pdbtype:sept 
+LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ws2_32.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\dnssec-dsfromkey.pdb" /debug @MACHINE@ /out:"../../../Build/Debug/dnssec-dsfromkey.exe" /pdbtype:sept 
 LINK32_OBJS= \
 	"$(INTDIR)\dnssec-dsfromkey.obj" \
 	"$(INTDIR)\dnssectool.obj"