Rewrite isc_refcount API after stdatomics and use release-acquire memory barriers

* Re-introduce ISC_STATS_LOCKCOUNTERS so that it is an optional feature (it adds lock contention)
* Fix desired rwlock type in lock calls (they were opposite of what should be used)
* Add locking to isc_stats_set()
* Inline create_stats()

.dir-locals.el

@@ -1,64 +0,0 @@
-;;; Directory Local Variables
-;;; For more information see (info "(emacs) Directory Variables")
-
-((c-mode .
-  ((eval .
-	 (set (make-local-variable 'directory-of-current-dir-locals-file)
-	      (file-name-directory (locate-dominating-file default-directory ".dir-locals.el"))
-	      )
-	 )
-   (eval .
-	 (set (make-local-variable 'include-directories)
-	      (list
-
-	       ;; top directory
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "./"))
-
-	       ;; current directory
-	       (expand-file-name (concat default-directory "./"))
-
-	       ;; libisc
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/isc/unix/include"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/isc/pthreads/include"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/isc/include"))
-
-	       ;; libdns
-
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/dns/include"))
-
-	       ;; libisccc
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/isccc/include"))
-
-	       ;; libisccfg
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/isccfg/include"))
-
-	       ;; libns
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/ns/include"))
-
-	       ;; libirs
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/irs/include"))
-
-	       ;; libbind9
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/bind9/include"))
-
-	       (expand-file-name "/usr/local/opt/openssl@1.1/include")
-	       (expand-file-name "/usr/local/opt/libxml2/include/libxml2")
-	       (expand-file-name "/usr/local/include")
-	       )
-	      )
-	 )
-
-   (eval setq flycheck-clang-include-path include-directories)
-   (eval setq flycheck-cppcheck-include-path include-directories)
-   )
-  ))

.gitignore

@@ -1,58 +1,62 @@
-*-symtbl.c
-*.a
-*.gcda
-*.gcno
-*.la
-*.lo
+Makefile
+config.log
+config.h
+config.cache
+config.status
+libtool
+/isc-config.sh
+/configure.lineno
+autom4te.cache/
 *.o
-*.orig
-*.plist/ # ccc-analyzer store its results in .plist directories
-*.rej
+*.lo
 *.so
+*.a
+*.la
+*.gcno
+*.gcda
 *_test
-*~
+*-symtbl.c
+timestamp
+ans.run
+named.run
+named.memstats
+gen.dSYM/
 .ccache/
-.cproject
 .deps/
 .dirstamp
 .libs/
+unit/atf-src/atf-c++/atf-c++.pc
+unit/atf-src/atf-c/atf-c.pc
+unit/atf-src/atf-c/defs.h
+unit/atf-src/atf-c/detail/process_helpers
+unit/atf-src/atf-config/atf-config
+unit/atf-src/atf-report/atf-report
+unit/atf-src/atf-report/fail_helper
+unit/atf-src/atf-report/misc_helpers
+unit/atf-src/atf-report/pass_helper
+unit/atf-src/atf-run/atf-run
+unit/atf-src/atf-run/bad_metadata_helper
+unit/atf-src/atf-run/expect_helpers
+unit/atf-src/atf-run/misc_helpers
+unit/atf-src/atf-run/pass_helper
+unit/atf-src/atf-run/several_tcs_helper
+unit/atf-src/atf-run/zero_tcs_helper
+unit/atf-src/atf-sh/atf-check
+unit/atf-src/atf-sh/atf-sh
+unit/atf-src/atf-sh/misc_helpers
+unit/atf-src/atf-version/atf-version
+unit/atf-src/atf-version/revision.h
+unit/atf-src/atf-version/revision.h.stamp
+unit/atf-src/bconfig.h
+unit/atf-src/bootstrap/atconfig
+unit/atf-src/doc/atf.7
+unit/atf-src/stamp-h1
+unit/atf-src/test-programs/c_helpers
+unit/atf-src/test-programs/cpp_helpers
+unit/atf-src/test-programs/sh_helpers
+# ccc-analyzer store its results in .plist directories
+*.plist/
+*~
 .project
+.cproject
 .settings
-/aclocal.m4
-/ar-lib
-/autom4te.cache/
-/bind.keys.h
-/compile
-/config.cache
-/config.guess
-/config.h
-/config.h.in
-/config.log
-/config.status
-/config.sub
-/configure
-/configure.lineno
-/depcomp
-/install-sh
-/isc-config.sh
-/libltdl/*
-/libtool
-/ltmain.sh
-/m4/libtool.m4
-/m4/ltargz.m4
-/m4/ltdl.m4
-/m4/ltoptions.m4
-/m4/ltsugar.m4
-/m4/ltversion.m4
-/m4/lt~obsolete.m4
-/missing
-/py-compile
-/stamp-h1
-/test-driver
-Makefile
-ans.run
-gen.dSYM/
-kyua.log
-named.memstats
-named.run
-timestamp

.gitlab-ci.yml

@@ -1,526 +1,233 @@
 variables:
-  # Not normally needed, but may be if some script uses `apt-get install`.
   DEBIAN_FRONTEND: noninteractive
-  # Locale settings do not affect the build, but might affect tests.
   LC_ALL: C
-
-  CI_REGISTRY_IMAGE: registry.gitlab.isc.org/isc-projects/images/bind9
+  DOCKER_DRIVER: overlay2
+  CI_REGISTRY_IMAGE: oerdnj/bind9
   CCACHE_DIR: "/ccache"
-  SOFTHSM2_CONF: "/var/tmp/softhsm2/softhsm2.conf"
-
-  # VirtualBox driver needs to set build_dir to "/builds" in gitlab-runner.toml
-  KYUA_RESULT: "$CI_PROJECT_DIR/kyua.results"
-
-  BUILD_PARALLEL_JOBS: 6
-  TEST_PARALLEL_JOBS: 6
 
 stages:
   - precheck
   - build
   - test
-  - push
-
-### Runner Tag Templates
-
-.linux-amd64: &linux_amd64
-  tags:
-    - linux
-    - amd64
-
-.linux-i386: &linux_i386
-  tags:
-    - linux
-    - i386
-
-### Docker Image Templates
-
-# CentOS
-
-.centos-centos6-amd64: &centos_centos6_amd64_image
-  image: "$CI_REGISTRY_IMAGE:centos-centos6-amd64"
-  <<: *linux_amd64
-
-.centos-centos7-amd64: &centos_centos7_amd64_image
-  image: "$CI_REGISTRY_IMAGE:centos-centos7-amd64"
-  <<: *linux_amd64
-
-# Debian
 
 .debian-jessie-amd64: &debian_jessie_amd64_image
   image: "$CI_REGISTRY_IMAGE:debian-jessie-amd64"
-  <<: *linux_amd64
+  tags:
+    - linux
+    - docker
+    - amd64
 
 .debian-jessie-i386: &debian_jessie_i386_image
   image: "$CI_REGISTRY_IMAGE:debian-jessie-i386"
-  <<: *linux_i386
+  tags:
+    - linux
+    - docker
+    - i386
 
 .debian-stretch-amd64: &debian_stretch_amd64_image
   image: "$CI_REGISTRY_IMAGE:debian-stretch-amd64"
-  <<: *linux_amd64
+  tags:
+    - linux
+    - docker
+    - amd64
 
-.debian-stretch-i386: &debian_stretch_i386_image
+.debian-stretch-i386:: &debian_stretch_i386_image
   image: "$CI_REGISTRY_IMAGE:debian-stretch-i386"
-  <<: *linux_i386
+  tags:
+    - linux
+    - docker
+    - i386
+
+.debian-buster-amd64: &debian_buster_amd64_image
+  image: "$CI_REGISTRY_IMAGE:debian-buster-amd64"
+  tags:
+    - linux
+    - docker
+    - amd64
+
+.debian-buster-i386:: &debian_buster_i386_image
+  image: "$CI_REGISTRY_IMAGE:debian-buster-i386"
+  tags:
+    - linux
+    - docker
+    - i386
 
 .debian-sid-amd64: &debian_sid_amd64_image
   image: "$CI_REGISTRY_IMAGE:debian-sid-amd64"
-  <<: *linux_amd64
+  tags:
+    - linux
+    - docker
+    - amd64
 
 .debian-sid-i386: &debian_sid_i386_image
   image: "$CI_REGISTRY_IMAGE:debian-sid-i386"
-  <<: *linux_i386
+  tags:
+    - linux
+    - docker
+    - i386
 
-# Fedora
+.ubuntu-trusty-amd64: &ubuntu_trusty_amd64_image
+  image: "$CI_REGISTRY_IMAGE:ubuntu-trusty-amd64"
+  tags:
+    - linux
+    - docker
+    - amd64
 
-.fedora-29-amd64: &fedora_29_amd64_image
-  image: "$CI_REGISTRY_IMAGE:fedora-29-amd64"
-  <<: *linux_amd64
-
-# Ubuntu
+.ubuntu-trusty-i386: &ubuntu_trusty_i386_image
+  image: "$CI_REGISTRY_IMAGE:ubuntu-trusty-i386"
+  tags:
+    - linux
+    - docker
+    - i386
 
 .ubuntu-xenial-amd64: &ubuntu_xenial_amd64_image
   image: "$CI_REGISTRY_IMAGE:ubuntu-xenial-amd64"
-  <<: *linux_amd64
+  tags:
+    - linux
+    - docker
+    - amd64
 
 .ubuntu-xenial-i386: &ubuntu_xenial_i386_image
   image: "$CI_REGISTRY_IMAGE:ubuntu-xenial-i386"
-  <<: *linux_i386
-
-.ubuntu-bionic-amd64: &ubuntu_bionic_amd64_image
-  image: "$CI_REGISTRY_IMAGE:ubuntu-bionic-amd64"
-  <<: *linux_amd64
-
-.ubuntu-bionic-i386: &ubuntu_bionic_i386_image
-  image: "$CI_REGISTRY_IMAGE:ubuntu-bionic-i386"
-  <<: *linux_i386
-
-# FreeBSD
-
-.freebsd-12-amd64: &freebsd_12_amd64_image
   tags:
-    - freebsd12
-    - amd64
-  allow_failure: true
-
-### Job Templates
-
-.default-triggering-rules: &default_triggering_rules
-  only:
-    - merge_requests
-    - tags
-    - web
-
-.precheck: &precheck_job
-  <<: *default_triggering_rules
-  <<: *debian_sid_amd64_image
-  stage: precheck
+    - linux
+    - docker
+    - i386
 
 .build: &build_job
-  <<: *default_triggering_rules
   stage: build
   before_script:
     - test -w "${CCACHE_DIR}" && export PATH="/usr/lib/ccache:${PATH}"
+    - ./autogen.sh
   script:
-    - ./configure --enable-developer --with-libtool --with-geoip2=auto --disable-static --with-cmocka --prefix=$HOME/.local --without-make-clean $EXTRA_CONFIGURE || cat config.log
-    - make -j${BUILD_PARALLEL_JOBS:-1} -k all V=1
-    - test -z "${RUN_MAKE_INSTALL}" || make install
+    - ./configure --enable-developer --with-libtool --disable-static --with-atf=/usr/local --with-libidn2
+    - make -j${PARALLEL_JOBS_BUILD:-1} -k all V=1
   artifacts:
+    expire_in: '1 hour'
     untracked: true
-    expire_in: "1 hour"
-
-.setup_interfaces: &setup_interfaces |
-    if [ "$(id -u)" -eq "0" ]; then
-      bash -x bin/tests/system/ifconfig.sh up;
-    else
-      sudo bash -x bin/tests/system/ifconfig.sh up;
-    fi
-
-.setup_softhsm: &setup_softhsm |
-    bash -x util/prepare-softhsm2.sh
 
 .system_test: &system_test_job
-  <<: *default_triggering_rules
   stage: test
-  retry: 2
   before_script:
-    - *setup_interfaces
-    - *setup_softhsm
+    - rm -rf .ccache
+    - bash -x bin/tests/system/ifconfig.sh up
   script:
     - ( cd bin/tests && make -j${TEST_PARALLEL_JOBS:-1} -k test V=1 )
     - test -s bin/tests/system/systests.output
   artifacts:
     untracked: true
-    expire_in: "1 week"
+    expire_in: '1 week'
     when: on_failure
 
-.kyua_report: &kyua_report_html |
-  kyua report-html \
-       --force \
-       --results-file "$KYUA_RESULT" \
-       --results-filter "" \
-       --output kyua_html
-
 .unit_test: &unit_test_job
-  <<: *default_triggering_rules
   stage: test
   before_script:
-    - *setup_softhsm
+    - export KYUA_RESULT="$CI_PROJECT_DIR/kyua.results"
   script:
     - make unit
   after_script:
-    - *kyua_report_html
+    - kyua report-html --force --results-file kyua.results --results-filter "" --output kyua_html
   artifacts:
     paths:
-      - kyua.log
-      - kyua.results
-      - kyua_html/
-    expire_in: "1 week"
+    - atf.out
+    - kyua.log
+    - kyua.results
+    - kyua_html/
+    expire_in: '1 week'
     when: on_failure
 
-### Job Definitions
-
-# Jobs in the precheck stage
-
-misc:sid:amd64:
-  <<: *precheck_job
+precheck:debian:sid:amd64:
+  <<: *debian_sid_amd64_image
+  stage: precheck
   script:
-    - sh util/check-ans-prereq.sh
-    - sh util/checklibs.sh > checklibs.out
-    - sh util/tabify-changes < CHANGES > CHANGES.tmp
-    - diff -urNap CHANGES CHANGES.tmp
-    - rm CHANGES.tmp
     - perl util/check-changes CHANGES
     - perl -w util/merge_copyrights
     - diff -urNap util/copyrights util/newcopyrights
     - rm util/newcopyrights
-    - perl -w util/update_copyrights < util/copyrights
-    - if test "$(git status --porcelain | grep -Ev '\?\?' | wc -l)" -gt "0"; then git status --short; exit 1; fi
-    - xmllint --noout --nonet `git ls-files '*.xml' '*.docbook'`
-    - xmllint --noout --nonet --html `git ls-files '*.html'`
-    - sh util/check-win32util-configure
   artifacts:
     paths:
-      - util/newcopyrights
-      - checklibs.out
-    expire_in: "1 week"
+    - util/newcopyrights
+    expire_in: '1 week'
     when: on_failure
 
-🐞:sid:amd64:
-  <<: *precheck_job
-  script: util/check-cocci
+#build:debian:jessie:amd64:
+#  <<: *debian_jessie_amd64_image
+#  <<: *build_job
+#
+#build:debian:jessie:i386:
+#  <<: *debian_jessie_i386_image
+#  <<: *build_job
+#
+#build:debian:stretch:amd64:
+#  <<: *debian_stretch_amd64_image
+#  <<: *build_job
+#
+#build:debian:buster:i386:
+#  <<: *debian_buster_i386_image
+#  <<: *build_job
+#
+#build:ubuntu:trusty:amd64:
+#  <<: *ubuntu_trusty_amd64_image
+#  <<: *build_job
+#
+#build:ubuntu:xenial:i386:
+#  <<: *ubuntu_xenial_i386_image
+#  <<: *build_job
 
-# Jobs for doc builds on Debian Sid (amd64)
-
-docs:sid:amd64:
-  <<: *debian_sid_amd64_image
-  stage: build
-  script:
-    - ./configure || cat config.log
-    - make -C doc/misc docbook
-    - make -C doc/arm Bv9ARM.html
-  artifacts:
-    paths:
-      - doc/arm/
-    expire_in: "1 month"
-  only:
-    - merge_requests
-    - tags
-    - web
-    - master@isc-projects/bind9
-    - /^v9_[1-9][0-9]$/@isc-projects/bind9
-
-push:docs:sid:amd64:
-  <<: *debian_sid_amd64_image
-  stage: push
-  dependencies: []
-  script:
-    - curl -X POST -F token=$GITLAB_PAGES_DOCS_TRIGGER_TOKEN -F ref=master $GITLAB_PAGES_DOCS_TRIGGER_URL
-  only:
-    - master@isc-projects/bind9
-    - /^v9_[1-9][0-9]$/@isc-projects/bind9
-
-# Jobs for regular GCC builds on CentOS 6 (amd64)
-
-gcc:centos6:amd64:
+build:clang:debian:sid:amd64:
   variables:
-    CC: gcc
-    CFLAGS: "-Wall -Wextra -O2 -g"
-    EXTRA_CONFIGURE: "--with-libidn2 --disable-warn-error"
-  <<: *centos_centos6_amd64_image
-  <<: *build_job
-
-system:gcc:centos6:amd64:
-  <<: *centos_centos6_amd64_image
-  <<: *system_test_job
-  dependencies:
-    - gcc:centos6:amd64
-
-unit:gcc:centos6:amd64:
-  <<: *centos_centos6_amd64_image
-  <<: *unit_test_job
-  dependencies:
-    - gcc:centos6:amd64
-
-# Jobs for regular GCC builds on CentOS 7 (amd64)
-
-gcc:centos7:amd64:
-  variables:
-    CC: gcc
-    CFLAGS: "-Wall -Wextra -O2 -g"
-    EXTRA_CONFIGURE: "--with-libidn2"
-  <<: *centos_centos7_amd64_image
-  <<: *build_job
-
-system:gcc:centos7:amd64:
-  <<: *centos_centos7_amd64_image
-  <<: *system_test_job
-  dependencies:
-    - gcc:centos7:amd64
-
-unit:gcc:centos7:amd64:
-  <<: *centos_centos7_amd64_image
-  <<: *unit_test_job
-  dependencies:
-    - gcc:centos7:amd64
-
-# Jobs for regular GCC builds on Debian 8 Jessie (amd64)
-
-gcc:jessie:amd64:
-  variables:
-    CC: gcc
-    CFLAGS: "-Wall -Wextra -O2 -g"
-    EXTRA_CONFIGURE: "--without-cmocka --with-python"
-  <<: *debian_jessie_amd64_image
-  <<: *build_job
-
-system:gcc:jessie:amd64:
-  <<: *debian_jessie_amd64_image
-  <<: *system_test_job
-  dependencies:
-    - gcc:jessie:amd64
-
-unit:gcc:jessie:amd64:
-  <<: *debian_jessie_amd64_image
-  <<: *unit_test_job
-  dependencies:
-    - gcc:jessie:amd64
-
-# Jobs for regular GCC builds on Debian 9 Stretch (amd64)
-
-gcc:stretch:amd64:
-  variables:
-    CC: gcc
-    CFLAGS: "-Wall -Wextra -O2 -g"
-  <<: *debian_stretch_amd64_image
-  <<: *build_job
-
-system:gcc:stretch:amd64:
-  <<: *debian_stretch_amd64_image
-  <<: *system_test_job
-  dependencies:
-    - gcc:stretch:amd64
-
-unit:gcc:stretch:amd64:
-  <<: *debian_stretch_amd64_image
-  <<: *unit_test_job
-  dependencies:
-    - gcc:stretch:amd64
-
-# Jobs for regular GCC builds on Debian Sid (amd64)
-
-gcc:sid:amd64:
-  variables:
-    CC: gcc
-    CFLAGS: "-Wall -Wextra -O3 -g"
-    EXTRA_CONFIGURE: "--with-libidn2"
-    RUN_MAKE_INSTALL: 1
-  <<: *debian_sid_amd64_image
-  <<: *build_job
-
-system:gcc:sid:amd64:
-  <<: *debian_sid_amd64_image
-  <<: *system_test_job
-  dependencies:
-    - gcc:sid:amd64
-
-unit:gcc:sid:amd64:
-  <<: *debian_sid_amd64_image
-  <<: *unit_test_job
-  dependencies:
-    - gcc:sid:amd64
-
-# Jobs for regular GCC builds on Debian Sid (i386)
-
-gcc:sid:i386:
-  variables:
-    CC: gcc
-    CFLAGS: "-Wall -Wextra -O3 -g"
-    EXTRA_CONFIGURE: "--with-libidn2 --without-python"
-  <<: *debian_sid_i386_image
-  <<: *build_job
-
-system:gcc:sid:i386:
-  <<: *debian_sid_i386_image
-  <<: *system_test_job
-  dependencies:
-    - gcc:sid:i386
-
-unit:gcc:sid:i386:
-  <<: *debian_sid_i386_image
-  <<: *unit_test_job
-  dependencies:
-    - gcc:sid:i386
-
-# Jobs for regular GCC builds on Fedora 29 (amd64)
-
-gcc:fedora29:amd64:
-  variables:
-    CC: gcc
-    CFLAGS: "-Wall -Wextra -O2 -g"
-    EXTRA_CONFIGURE: "--with-libidn2"
-  <<: *fedora_29_amd64_image
-  <<: *build_job
-
-system:gcc:fedora29:amd64:
-  <<: *fedora_29_amd64_image
-  <<: *system_test_job
-  dependencies:
-    - gcc:fedora29:amd64
-
-unit:gcc:fedora29:amd64:
-  <<: *fedora_29_amd64_image
-  <<: *unit_test_job
-  dependencies:
-    - gcc:fedora29:amd64
-
-# Jobs for regular GCC builds on Ubuntu 16.04 Xenial Xerus (amd64)
-
-gcc:xenial:amd64:
-  variables:
-    CC: gcc
-    CFLAGS: "-Wall -Wextra -O2 -g"
-  <<: *ubuntu_xenial_amd64_image
-  <<: *build_job
-
-system:gcc:xenial:amd64:
-  <<: *ubuntu_xenial_amd64_image
-  <<: *system_test_job
-  dependencies:
-    - gcc:xenial:amd64
-
-unit:gcc:xenial:amd64:
-  <<: *ubuntu_xenial_amd64_image
-  <<: *unit_test_job
-  dependencies:
-    - gcc:xenial:amd64
-
-# Jobs for regular GCC builds on Ubuntu 18.04 Bionic Beaver (amd64)
-
-gcc:bionic:amd64:
-  variables:
-    CC: gcc
-    CFLAGS: "-Wall -Wextra -O2 -g"
-    EXTRA_CONFIGURE: "--with-libidn2"
-  <<: *ubuntu_bionic_amd64_image
-  <<: *build_job
-
-system:gcc:bionic:amd64:
-  <<: *ubuntu_bionic_amd64_image
-  <<: *system_test_job
-  dependencies:
-    - gcc:bionic:amd64
-
-unit:gcc:bionic:amd64:
-  <<: *ubuntu_bionic_amd64_image
-  <<: *unit_test_job
-  dependencies:
-    - gcc:bionic:amd64
-
-# Jobs for default CC builds on FreeBSD 12 (amd64)
-
-clang:freebsd12:amd64:
-  <<: *freebsd_12_amd64_image
-  <<: *build_job
-
-system:clang:freebsd12:amd64:
-  <<: *freebsd_12_amd64_image
-  <<: *system_test_job
-  dependencies:
-    - clang:freebsd12:amd64
-
-unit:clang:freebsd12:amd64:
-  <<: *freebsd_12_amd64_image
-  <<: *unit_test_job
-  dependencies:
-    - clang:freebsd12:amd64
-
-# Jobs for GCC builds with ASAN enabled on Debian Sid (amd64)
-
-asan:sid:amd64:
-  variables:
-    CC: gcc
-    CFLAGS: "-Wall -Wextra -O2 -g -fsanitize=address,undefined -DISC_MEM_USE_INTERNAL_MALLOC=0"
-    LDFLAGS: "-fsanitize=address,undefined"
-    EXTRA_CONFIGURE: "--with-libidn2"
-  <<: *debian_sid_amd64_image
-  <<: *build_job
-
-system:asan:sid:amd64:
-  <<: *debian_sid_amd64_image
-  <<: *system_test_job
-  dependencies:
-    - asan:sid:amd64
-
-unit:asan:sid:amd64:
-  <<: *debian_sid_amd64_image
-  <<: *unit_test_job
-  dependencies:
-    - asan:sid:amd64
-
-# Jobs for Clang builds on Debian Stretch (amd64)
-
-clang:stretch:amd64:
-  variables:
-    CC: clang
+    CC: clang-6.0
     CFLAGS: "-Wall -Wextra -Wenum-conversion -O2 -g"
-    EXTRA_CONFIGURE: "--with-python=python3"
-  <<: *debian_stretch_amd64_image
+  <<: *debian_sid_amd64_image
   <<: *build_job
 
-unit:clang:stretch:amd64:
-  <<: *debian_stretch_amd64_image
-  <<: *unit_test_job
-  dependencies:
-    - clang:stretch:amd64
-
-# Jobs for Clang builds on Debian Stretch (i386)
-
-clang:stretch:i386:
-  variables:
-    CC: clang
-    CFLAGS: "-Wall -Wextra -Wenum-conversion -O2 -g"
-    EXTRA_CONFIGURE: "--with-python=python2"
-  <<: *debian_stretch_i386_image
-  <<: *build_job
-
-# Jobs for PKCS#11-enabled GCC builds on Debian Sid (amd64)
-
-pkcs11:sid:amd64:
+build:debian:sid:amd64:
   variables:
     CC: gcc
     CFLAGS: "-Wall -Wextra -O2 -g"
-    EXTRA_CONFIGURE: "--enable-native-pkcs11 --with-pkcs11=/usr/lib/softhsm/libsofthsm2.so"
   <<: *debian_sid_amd64_image
   <<: *build_job
 
-system:pkcs11:sid:amd64:
-  <<: *debian_sid_amd64_image
-  <<: *system_test_job
-  dependencies:
-    - pkcs11:sid:amd64
+build:clang:debian:sid:i386:
+  variables:
+    CC: clang-6.0
+    CFLAGS: "-Wall -Wextra -Wenum-conversion -O2 -g"
+  <<: *debian_sid_i386_image
+  <<: *build_job
 
-unit:pkcs11:sid:amd64:
+build:debian:sid:i386:
+  variables:
+    CC: gcc
+    CFLAGS: "-Wall -Wextra -O2 -g"
+  <<: *debian_sid_i386_image
+  <<: *build_job
+
+unittest:debian:sid:amd64:
   <<: *debian_sid_amd64_image
   <<: *unit_test_job
   dependencies:
-    - pkcs11:sid:amd64
+    - build:debian:sid:amd64
+
+unittest:clang:debian:sid:amd64:
+  <<: *debian_sid_amd64_image
+  <<: *unit_test_job
+  dependencies:
+    - build:clang:debian:sid:amd64
+
+unittest:debian:sid:i386:
+  <<: *debian_sid_i386_image
+  <<: *unit_test_job
+  dependencies:
+    - build:debian:sid:i386
+
+systemtest:debian:sid:amd64:
+  <<: *debian_sid_amd64_image
+  <<: *system_test_job
+  dependencies:
+    - build:debian:sid:amd64
+
+systemtest:debian:sid:i386:
+  <<: *debian_sid_i386_image
+  <<: *system_test_job
+  dependencies:
+    - build:debian:sid:i386

.gitlab/issue_templates/Bug.md

@@ -9,10 +9,6 @@ email to [security-officer@isc.org](security-officer@isc.org).
 
 (Summarize the bug encountered concisely.)
 
-### BIND version used
-
-(Paste the output of `named -V`.)
-
 ### Steps to reproduce
 
 (How one can reproduce the issue - this is very important.)

.gitlab/issue_templates/release.md

@@ -1,44 +0,0 @@
-## Release Checklist
-
- - [ ] (Manager) Check for the presence of a milestone for the release:
-    - If there is a milestone, are all the issues for the milestone resolved? (other than this checklist).
- - [ ] (Manager) Inform Support/Marketing of impending release (and give estimated release dates).
- - (SwEng) Prepare the sources for tarball generation:
-   - [ ] Check perflab to ensure there has been no unexplained drop in performance for the version being released.
-   - [ ] Ensure that there are no outstanding merge requests in the private repository (subscription version only).
-   - [ ] Update API files for libraries with new version information.
-   - [ ] Change software version and library versions in configure.in (new major release only).
-   - [ ] Rebuild configure using autoconf on docs.isc.org.
-   - [ ] Update CHANGES.
-   - [ ] Update CHANGES.SE (subscription branch only).
-   - [ ] Update "version".
-   - [ ] Update "readme.md".
-   - Check the release notes are correct:
-     - [ ] Compare content with merge requests for the release.
-     - [ ] Check formatting.
-   - [ ] Build documentation on docs.isc.org.
-   - [ ] Commit changes and make sure the gitlab-ci tests are passing.
-   - [ ] Push the changes and tag ("alphatag" is an optional string such as "b1", "rc1" etc.). (```git tag -u <DEVELOPER_KEYID> -a -s -m "BIND 9.X.Y[alphatag]" v9_X_Y[alphatag]```)
-   - [ ] If this is the first tag for a release (e.g. beta), create a release branch named `release_v9_X_Y` (this allows development to continue on the release branch whilst release engineering continues).
- - [ ] (SwEng) Run the "make release" Jenkins job to produce the tarballs and zips.
- - [ ] (SwEng) Ask QA to sanity check the tarball and zips (passing to them the number of the Jenkins job).
- - [ ] (QA) Sanity check the tarballs.
- - [ ] (QA) Request the signature on the tarballs.
- - [ ] (QA) Check signatures on tarballs.
- - [ ] (QA) Tell Support to handle notification of release.
- - [ ] (Manager) Inform Marketing of the release
- - [ ] (Manager) Update the internal [BIND release dates wiki page](https://wiki.isc.org/bin/view/Main/BindReleaseDates) when public announcement has been made.
-
- - [ ] (SwEng) Update DEB and RPM packages
- - [ ] (SwEng) Merge the automatically prepared `prep 9.X.Y` commit which updates `version` and documentation on the release branch into the relevant maintenance branch (`v9_X`)
-
-## Support
- - [ ] Make tarballs and signatures available to download.
- - [ ] Write release email to bind9-announce.
- - [ ] Write email to bind9-users (if a major release).
- - [ ] Update tickets in case of waiting support customers.
-
-## Marketing
- - [ ] Post short note to Twitter.
- - [ ] Update [Wikipedia entry for BIND](http://en.wikipedia.org/wiki/BIND).
- - [ ] Write blog article (if a major release).

Atffile

@@ -0,0 +1,5 @@
+Content-Type: application/X-atf-atffile; version="1"
+
+prop: test-suite = bind9
+
+tp: lib

CONTRIBUTING

@@ -1,5 +1,3 @@
-CONTRIBUTING
-
 BIND Source Access and Contributor Guidelines
 
 Feb 22, 2018

COPYRIGHT

@@ -1,4 +1,4 @@
-Copyright (C) 1996-2019  Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 1996-2018  Internet Systems Consortium, Inc. ("ISC")
 
 This Source Code Form is subject to the terms of the Mozilla Public
 License, v. 2.0. If a copy of the MPL was not distributed with this

HISTORY

@@ -1,5 +1,3 @@
-HISTORY
-
 Functional enhancements from prior major releases of BIND 9
 
 BIND 9.11
@@ -433,11 +431,11 @@ BIND 9.4.0
   * Detect duplicates of UDP queries we are recursing on and drop them.
     New stats category "duplicates".
   * "USE INTERNAL MALLOC" is now runtime selectable.
-  * The lame cache is now done on a <qname,qclass,qtype> basis as some
-    servers only appear to be lame for certain query types.
+  * The lame cache is now done on a basis as some servers only appear to
+    be lame for certain query types.
   * Limit the number of recursive clients that can be waiting for a single
-    query (<qname,qtype,qclass>) to resolve. New options clients-per-query
-    and max-clients-per-query.
+    query () to resolve. New options clients-per-query and
+    max-clients-per-query.
   * dig: report the number of extra bytes still left in the packet after
     processing all the records.
   * Support for IPSECKEY rdata type.

Makefile.in

@@ -14,7 +14,7 @@ top_builddir =  @top_builddir@
 
 VERSION=@BIND9_VERSION@
 
-SUBDIRS =	make lib fuzz bin doc
+SUBDIRS =	make unit lib bin doc
 TARGETS =
 PREREQS =	bind.keys.h
 
@@ -22,8 +22,7 @@ MANPAGES =	isc-config.sh.1
 
 HTMLPAGES =	isc-config.sh.html
 
-MANOBJS =	README HISTORY OPTIONS CONTRIBUTING PLATFORMS \
-		${MANPAGES} ${HTMLPAGES}
+MANOBJS =	README HISTORY OPTIONS CONTRIBUTING ${MANPAGES} ${HTMLPAGES}
 
 @BIND9_MAKE_RULES@
 
@@ -90,34 +89,28 @@ force-test: test-force
 
 test-force:
 	status=0; \
-	(cd fuzz && ${MAKE} check) || status=1; \
 	(cd bin/tests && ${MAKE} ${MAKEDEFS} test) || status=1; \
 	(test -f ${top_builddir}/unit/unittest.sh && \
 		$(SHELL) ${top_builddir}/unit/unittest.sh) || status=1; \
 	exit $$status
 
 README: README.md
-	${PANDOC} --email-obfuscation=none -s --metadata title="README" -f markdown-smart -t html README.md | \
+	${PANDOC} --email-obfuscation=none -s -t html README.md | \
 		${W3M} -dump -cols 75 -O ascii -T text/html | \
 		sed -e '$${/^$$/d;}' > $@
 
 HISTORY: HISTORY.md
-	${PANDOC} --email-obfuscation=none -s --metadata title="HISTORY" -f markdown-smart -t html HISTORY.md | \
+	${PANDOC} --email-obfuscation=none -s -t html HISTORY.md | \
 		${W3M} -dump -cols 75 -O ascii -T text/html | \
 		sed -e '$${/^$$/d;}' > $@
 
 OPTIONS: OPTIONS.md
-	${PANDOC} --email-obfuscation=none -s --metadata title="OPTIONS" -f markdown-smart -t html OPTIONS.md | \
+	${PANDOC} --email-obfuscation=none -s -t html OPTIONS.md | \
 		${W3M} -dump -cols 75 -O ascii -T text/html | \
 		sed -e '$${/^$$/d;}' > $@
 
 CONTRIBUTING: CONTRIBUTING.md
-	${PANDOC} --email-obfuscation=none -s --metadata title="CONTRIBUTING" -f markdown-smart -t html CONTRIBUTING.md | \
-		${W3M} -dump -cols 75 -O ascii -T text/html | \
-		sed -e '$${/^$$/d;}' > $@
-
-PLATFORMS: PLATFORMS.md
-	${PANDOC} --email-obfuscation=none -s --metadata title="PLATFORMS" -f markdown-smart -t html PLATFORMS.md | \
+	${PANDOC} --email-obfuscation=none -s -t html CONTRIBUTING.md | \
 		${W3M} -dump -cols 75 -O ascii -T text/html | \
 		sed -e '$${/^$$/d;}' > $@
 

OPTIONS

@@ -1,12 +1,10 @@
-OPTIONS
-
 Setting the STD_CDEFINES environment variable before running configure can
 be used to enable certain compile-time options that are not explicitly
 defined in configure.
 
 Some of these settings are:
 
-         Setting                            Description
+Setting                   Description
                           Overwrite memory with tag values when allocating
 -DISC_MEM_DEFAULTFILL=1   or freeing it; this impairs performance but
                           makes debugging of memory problems easier.

PLATFORMS

@@ -1,75 +0,0 @@
-PLATFORMS
-
-Supported platforms
-
-In general, this version of BIND will build and run on any POSIX-compliant
-system with a C99-compliant C compiler, BSD-style sockets with
-RFC-compliant IPv6 support, POSIX-compliant threads, and the OpenSSL
-cryptography library. Atomic operations support from the compiler is
-needed, either in the form of builtin operations, C11 atomics or the
-Interlocked family of functions on Windows.
-
-ISC regularly tests BIND on many operating systems and architectures, but
-lacks the resources to test all of them. Consequently, ISC is only able to
-offer support on a "best effort" basis for some.
-
-Regularly tested platforms
-
-As of Feb 2019, BIND 9.14 is fully supported and regularly tested on the
-following systems:
-
-  * Debian 8, 9, 10
-  * Ubuntu 16.04, 18.04
-  * Fedora 28, 29
-  * Red Hat Enterprise Linux / CentOS 6, 7
-  * FreeBSD 11.x
-  * OpenBSD 6.2, 6.3
-
-The amd64, i386, armhf and arm64 CPU architectures are all fully
-supported.
-
-Best effort
-
-The following are platforms on which BIND is known to build and run. ISC
-makes every effort to fix bugs on these platforms, but may be unable to do
-so quickly due to lack of hardware, less familiarity on the part of
-engineering staff, and other constraints. With the exception of Windows
-Server 2012 R2, none of these are tested regularly by ISC.
-
-  * Windows Server 2012 R2, 2016 / x64
-  * Windows 10 / x64
-  * macOS 10.12+
-  * Solaris 11
-  * FreeBSD 10.x, 12.0+
-  * OpenBSD 6.4+
-  * NetBSD
-  * Other Linux distributions still supported by their vendors, such as:
-      + Ubuntu 14.04, 18.10+
-      + Gentoo
-      + Arch Linux
-      + Alpine Linux
-  * OpenWRT/LEDE 17.01+
-  * Other CPU architectures (mips, mipsel, sparc, ...)
-
-Unsupported platforms
-
-These are platforms on which BIND 9.14 is known not to build or run:
-
-  * Platforms without at least OpenSSL 1.0.2
-  * Windows 10 / x86
-  * Windows Server 2012 and older
-  * Solaris 10 and older
-  * Platforms that don't support IPv6 Advanced Socket API (RFC 3542)
-  * Platforms that don't support atomic operations (via compiler or
-    library)
-  * Linux without NPTL (Native POSIX Thread Library)
-
-Platform quirks
-
-NetBSD 6 i386
-
-The i386 build of NetBSD requires the libatomic library, available from
-the gcc5-libs package. Because this library is in a non-standard path, its
-location must be specified in the configure command line:
-
-LDFLAGS="-L/usr/pkg/gcc5/i486--netbsdelf/lib/ -Wl,-R/usr/pkg/gcc5/i486--netbsdelf/lib/" ./configure

PLATFORMS.md

@@ -1,83 +0,0 @@
-<!--
- - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
- -
- - See the COPYRIGHT file distributed with this work for additional
- - information regarding copyright ownership.
--->
-## Supported platforms
-
-In general, this version of BIND will build and run on any POSIX-compliant
-system with a C99-compliant C compiler, BSD-style sockets with RFC-compliant
-IPv6 support, POSIX-compliant threads, and the OpenSSL cryptography library.
-Atomic operations support from the compiler is needed, either in the form of
-builtin operations, C11 atomics or the Interlocked family of functions on
-Windows.
-
-ISC regularly tests BIND on many operating systems and architectures, but
-lacks the resources to test all of them. Consequently, ISC is only able to
-offer support on a "best effort" basis for some.
-
-### Regularly tested platforms
-
-As of Feb 2019, BIND 9.14 is fully supported and regularly tested on the
-following systems:
-
-* Debian 8, 9, 10
-* Ubuntu 16.04, 18.04
-* Fedora 28, 29
-* Red Hat Enterprise Linux / CentOS 6, 7
-* FreeBSD 11.x
-* OpenBSD 6.2, 6.3
-
-The amd64, i386, armhf and arm64 CPU architectures are all fully supported.
-
-### Best effort
-
-The following are platforms on which BIND is known to build and run.
-ISC makes every effort to fix bugs on these platforms, but may be unable to
-do so quickly due to lack of hardware, less familiarity on the part of
-engineering staff, and other constraints. With the exception of Windows
-Server 2012 R2, none of these are tested regularly by ISC.
-
-* Windows Server 2012 R2, 2016 / x64
-* Windows 10 / x64
-* macOS 10.12+
-* Solaris 11
-* FreeBSD 10.x, 12.0+
-* OpenBSD 6.4+
-* NetBSD
-* Other Linux distributions still supported by their vendors, such as:
-    * Ubuntu 14.04, 18.10+
-    * Gentoo
-    * Arch Linux
-    * Alpine Linux
-* OpenWRT/LEDE 17.01+
-* Other CPU architectures (mips, mipsel, sparc, ...)
-
-## Unsupported platforms
-
-These are platforms on which BIND 9.14 is known *not* to build or run:
-
-* Platforms without at least OpenSSL 1.0.2
-* Windows 10 / x86
-* Windows Server 2012 and older
-* Solaris 10 and older
-* Platforms that don't support IPv6 Advanced Socket API (RFC 3542)
-* Platforms that don't support atomic operations (via compiler or library)
-* Linux without NPTL (Native POSIX Thread Library)
-
-## Platform quirks
-
-### NetBSD 6 i386
-
-The i386 build of NetBSD requires the `libatomic` library, available from
-the `gcc5-libs` package.  Because this library is in a non-standard path,
-its location must be specified in the `configure` command line:
-
-```
-LDFLAGS="-L/usr/pkg/gcc5/i486--netbsdelf/lib/ -Wl,-R/usr/pkg/gcc5/i486--netbsdelf/lib/" ./configure
-```

README

@@ -1,5 +1,3 @@
-README
-
 BIND 9
 
 Contents
@@ -7,15 +5,14 @@ Contents
  1. Introduction
  2. Reporting bugs and getting help
  3. Contributing to BIND
- 4. BIND 9.14 features
+ 4. BIND 9.13 features
  5. Building BIND
  6. macOS
- 7. Dependencies
- 8. Compile-time options
- 9. Automated testing
-10. Documentation
-11. Change log
-12. Acknowledgments
+ 7. Compile-time options
+ 8. Automated testing
+ 9. Documentation
+10. Change log
+11. Acknowledgments
 
 Introduction
 
@@ -34,12 +31,12 @@ administrative tools, including the dig and delv DNS lookup tools,
 nsupdate for dynamic DNS zone updates, rndc for remote name server
 administration, and more.
 
-BIND 9 began as a complete re-write of the BIND architecture that was used
-in versions 4 and 8. Internet Systems Consortium (https://www.isc.org), a
-501(c)(3) public benefit corporation dedicated to providing software and
+BIND 9 is a complete re-write of the BIND architecture that was used in
+versions 4 and 8. Internet Systems Consortium (https://www.isc.org), a 501
+(c)(3) public benefit corporation dedicated to providing software and
 services in support of the Internet infrastructure, developed BIND 9 and
 is responsible for its ongoing maintenance and improvement. BIND is open
-source software licensed under the terms of the Mozilla Public License,
+source software licenced under the terms of the Mozilla Public License,
 version 2.0.
 
 For a summary of features introduced in past major releases of BIND, see
@@ -51,8 +48,6 @@ the file CHANGES. See below for details on the CHANGES file format.
 For up-to-date release notes and errata, see http://www.isc.org/software/
 bind9/releasenotes
 
-For information about supported platforms, see PLATFORMS.
-
 Reporting bugs and getting help
 
 To report non-security-sensitive bugs or request new features, you may
@@ -102,82 +97,21 @@ If you prefer, you may also submit code by opening a GitLab Issue and
 including your patch as an attachment, preferably generated by git
 format-patch.
 
-BIND 9.14 features
+BIND 9.13 features
 
-BIND 9.14.0 is the first release from a new stable branch of BIND 9,
-incorporating all changes from the 9.13 development branch, updating the
-most recent stable branch, 9.12. These changes include:
+BIND 9.13.0 is the newest development branch of BIND 9. It includes a
+number of changes from BIND 9.12 and earlier releases. New features
+include:
 
-  * A new "plugin" mechanism has been added to allow query functionality
-    to be extended using dynamically loadable libraries. The "filter-aaaa"
-    feature has been removed from named and is now implemented as a
-    plugin.
-  * QNAME minimization, as described in RFC 7816, is now supported.
-  * Socket and task code has been refactored to improve performance on
-    most modern machines.
-  * "Root key sentinel" support, enabling validating resolvers to indicate
-    via a special query which trust anchors are configured for the root
-    zone.
-  * Secondary zones can now be configured as "mirror" zones; their
-    contents are transferred in as with traditional slave zones, but are
-    subject to DNSSEC validation and are not treated as authoritative data
-    when answering. This makes it easier to configure a local copy of the
-    root zone as described in RFC 7706.
-  * The "validate-except" option allows configuration of domains below
-    which DNSSEC validation should not be performed.
-  * The default value of "dnssec-validation" is now "auto".
-  * IDNA2008 is now supported when linking with libidn2.
-  * "named -V" now outputs the default paths for files used by named and
-    other tools.
-
-In addition, workarounds that were formerly in place to enable resolution
-of domains whose authoritative servers did not respond to EDNS queries
-have been removed. See https://dnsflagday.net for more details.
-
-Cryptographic support has been modernized. BIND now uses the best
-available pseudo-random number generator for the platform on which it's
-built. Very old versions of OpenSSL are no longer supported. Cryptography
-is now mandatory: building BIND without DNSSEC is no longer supported.
-
-Special code to support certain legacy operating systems has also been
-removed; see the file PLATFORMS.md for details of supported platforms. In
-addition to OpenSSL, BIND now requires support for IPv6, threads, and
-standard atomic operations provided by the C compiler. Non-threaded builds
-are no longer supported.
-
-BIND 9.14.1
-
-BIND 9.14.1 is a maintenance release, and addresses security
-vulnerabilities disclosed in CVE-2018-5743 and CVE-2019-6467.
-
-BIND 9.14.2
-
-BIND 9.14.2 is a maintenance release.
-
-BIND 9.14.3
-
-BIND 9.14.3 is a maintenance release, and addresses the security
-vulnerability disclosed in CVE-2019-6471.
-
-BIND 9.14.4
-
-BIND 9.14.4 is a maintenance release, and also adds support for the new
-MaxMind GeoIP2 geolocation API when built with configure --with-geoip2.
+  * TBD
 
 Building BIND
 
-Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
-basic POSIX support, and a 64-bit integer type. Successful builds have
-been observed on many versions of Linux and UNIX, including RedHat,
-Fedora, Debian, Ubuntu, SuSE, Slackware, FreeBSD, NetBSD, OpenBSD, Mac OS
-X, Solaris, HP-UX, and OpenWRT.
-
-BIND requires a cryptography provider library such as OpenSSL or a
-hardware service module supporting PKCS#11. On Linux, BIND requires the
-libcap library to set process privileges, though this requirement can be
-overridden by disabling capability support at compile time. See
-Compile-time options below for details on other libraries that may be
-required to support optional features.
+BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX
+support, and a 64-bit integer type. Successful builds have been observed
+on many versions of Linux and UNIX, including RedHat, Fedora, Debian,
+Ubuntu, SuSE, Slackware, FreeBSD, NetBSD, OpenBSD, Mac OS X, Solaris,
+HP-UX, AIX, SCO OpenServer, and OpenWRT.
 
 BIND is also available for Windows 2008 and higher. See win32utils/
 readme1st.txt for details on building for Windows systems.
@@ -193,7 +127,7 @@ make depend. If you're using Emacs, you might find make tags helpful.
 Several environment variables that can be set before running configure
 will affect compilation:
 
-   Variable                            Description
+Variable       Description
 CC             The C compiler to use. configure tries to figure out the
                right one for supported systems.
                C compiler flags. Defaults to include -g and/or -O2 as
@@ -221,28 +155,38 @@ if you have Xcode already installed you can run "xcode-select --install".
 This will add /usr/include to the system and install the compiler and
 other tools so that they can be easily found.
 
-Dependencies
-
-Portions of BIND that are written in Python, including dnssec-keymgr,
-dnssec-coverage, dnssec-checkds, and some of the system tests, require the
-'argparse' and 'ply' modules to be available. 'argparse' is a standard
-module as of Python 2.7 and Python 3.2. 'ply' is available from https://
-pypi.python.org/pypi/ply.
-
 Compile-time options
 
 To see a full list of configuration options, run configure --help.
 
+On most platforms, BIND 9 is built with multithreading support, allowing
+it to take advantage of multiple CPUs. You can configure this by
+specifying --enable-threads or --disable-threads on the configure command
+line. The default is to enable threads, except on some older operating
+systems on which threads are known to have had problems in the past.
+(Note: Prior to BIND 9.10, the default was to disable threads on Linux
+systems; this has now been reversed. On Linux systems, the threaded build
+is known to change BIND's behavior with respect to file permissions; it
+may be necessary to specify a user with the -u option when running named.)
+
 To build shared libraries, specify --with-libtool on the configure command
 line.
 
+Certain compiled-in constants and default settings can be increased to
+values better suited to large servers with abundant memory resources (e.g,
+64-bit servers with 12G or more of memory) by specifying --with-tuning=
+large on the configure command line. This can improve performance on big
+servers, but will consume more memory and may degrade performance on
+smaller systems.
+
 For the server to support DNSSEC, you need to build it with crypto
 support. To use OpenSSL, you should have OpenSSL 1.0.2e or newer
 installed. If the OpenSSL library is installed in a nonstandard location,
-specify the prefix using --with-openssl=<PREFIX> on the configure command
-line. To use a PKCS#11 hardware service module for cryptographic
+specify the prefix using "--with-openssl=<PREFIX>" on the configure
+command line. To use a PKCS#11 hardware service module for cryptographic
 operations, specify the path to the PKCS#11 provider library using
---with-pkcs11=<PREFIX>, and configure BIND with --enable-native-pkcs11.
+"--with-pkcs11=<PREFIX>", and configure BIND with
+"--enable-native-pkcs11".
 
 To support the HTTP statistics channel, the server must be linked with at
 least one of the following: libxml2 http://xmlsoft.org or json-c https://
@@ -255,29 +199,23 @@ specify the prefix using --with-zlib=/prefix.
 
 To support storing configuration data for runtime-added zones in an LMDB
 database, the server must be linked with liblmdb. If this is installed in
-a nonstandard location, specify the prefix using with-lmdb=/prefix.
+a nonstandard location, specify the prefix using "with-lmdb=/prefix".
 
 To support GeoIP location-based ACLs, the server must be linked with
 libGeoIP. This is not turned on by default; BIND must be configured with
---with-geoip. If the library is installed in a nonstandard location,
-specify the prefix using --with-geoip=/prefix.
+"--with-geoip". If the library is installed in a nonstandard location, use
+specify the prefix using "--with-geoip=/prefix".
 
 For DNSTAP packet logging, you must have installed libfstrm https://
 github.com/farsightsec/fstrm and libprotobuf-c https://
 developers.google.com/protocol-buffers, and BIND must be configured with
---enable-dnstap.
+"--enable-dnstap".
 
-Certain compiled-in constants and default settings can be increased to
-values better suited to large servers with abundant memory resources (e.g,
-64-bit servers with 12G or more of memory) by specifying --with-tuning=
-large on the configure command line. This can improve performance on big
-servers, but will consume more memory and may degrade performance on
-smaller systems.
-
-On Linux, process capabilities are managed in user space using the libcap
-library, which can be installed on most Linux systems via the libcap-dev
-or libcap-devel module. Process capability support can also be disabled by
-configuring with --disable-linux-caps.
+Portions of BIND that are written in Python, including dnssec-keymgr,
+dnssec-coverage, dnssec-checkds, and some of the system tests, require the
+'argparse' and 'ply' modules to be available. 'argparse' is a standard
+module as of Python 2.7 and Python 3.2. 'ply' is available from https://
+pypi.python.org/pypi/ply.
 
 On some platforms it is necessary to explicitly request large file support
 to handle files bigger than 2GB. This can be done by using
@@ -288,9 +226,9 @@ specifying --enable-fixed-rrset or --disable-fixed-rrset on the configure
 command line. By default, fixed rrset-order is disabled to reduce memory
 footprint.
 
-The --enable-querytrace option causes named to log every step of
-processing every query. This should only be enabled when debugging,
-because it has a significant negative impact on query performance.
+If your operating system has integrated support for IPv6, it will be used
+automatically. If you have installed KAME IPv6 separately, use --with-kame
+[=PATH] to specify its location.
 
 make install will install named and the various BIND 9 libraries. By
 default, installation is into /usr/local, but this can be changed with the
@@ -317,10 +255,8 @@ and will be skipped if these are not available. Some tests require Python
 and the 'dnspython' module and will be skipped if these are not available.
 See bin/tests/system/README for further details.
 
-Unit tests are implemented using the CMocka unit testing framework. To
-build them, use configure --with-cmocka. Execution of tests is done by the
-Kyua test execution engine; if the kyua command is available, then unit
-tests can be run via make test or make unit.
+Unit tests are implemented using Automated Testing Framework (ATF). To run
+them, use configure --with-atf, then run make test or make unit.
 
 Documentation
 
@@ -345,7 +281,7 @@ development BIND 9 is included in the file CHANGES, with the most recent
 changes listed first. Change notes include tags indicating the category of
 the change that was made; these categories are:
 
-   Category                            Description
+Category       Description
 [func]         New feature
 [bug]          General bug fix
 [security]     Fix for a significant security flaw
@@ -373,46 +309,26 @@ releases (i.e., those with version numbers ending in zero). Some new
 functionality may be backported to older releases on a case-by-case basis.
 All other change types may be applied to all currently-supported releases.
 
-Bug report identifiers
-
-Most notes in the CHANGES file include a reference to a bug report or
-issue number. Prior to 2018, these were usually of the form [RT #NNN] and
-referred to entries in the "bind9-bugs" RT database, which was not open to
-the public. More recent entries use the form [GL #NNN] or, less often, [GL
-!NNN], which, respectively, refer to issues or merge requests in the
-Gitlab database. Most of these are publically readable, unless they
-include information which is confidential or security senstive.
-
-To look up a Gitlab issue by its number, use the URL https://
-gitlab.isc.org/isc-projects/bind9/issues/NNN. To look up a merge request,
-use https://gitlab.isc.org/isc-projects/bind9/merge_requests/NNN.
-
-In rare cases, an issue or merge request number may be followed with the
-letter "P". This indicates that the information is in the private ISC
-Gitlab instance, which is not visible to the public.
-
 Acknowledgments
 
   * The original development of BIND 9 was underwritten by the following
     organizations:
 
-      Sun Microsystems, Inc.
-      Hewlett Packard
-      Compaq Computer Corporation
-      IBM
-      Process Software Corporation
-      Silicon Graphics, Inc.
-      Network Associates, Inc.
-      U.S. Defense Information Systems Agency
-      USENIX Association
-      Stichting NLnet - NLnet Foundation
-      Nominum, Inc.
+    Sun Microsystems, Inc.
+    Hewlett Packard
+    Compaq Computer Corporation
+    IBM
+    Process Software Corporation
+    Silicon Graphics, Inc.
+    Network Associates, Inc.
+    U.S. Defense Information Systems Agency
+    USENIX Association
+    Stichting NLnet - NLnet Foundation
+    Nominum, Inc.
 
   * This product includes software developed by the OpenSSL Project for
     use in the OpenSSL Toolkit. http://www.OpenSSL.org/
-
   * This product includes cryptographic software written by Eric Young
     (eay@cryptsoft.com)
-
   * This product includes software written by Tim Hudson
     (tjh@cryptsoft.com)

README.md

@@ -15,10 +15,9 @@
 1. [Introduction](#intro)
 1. [Reporting bugs and getting help](#help)
 1. [Contributing to BIND](#contrib)
-1. [BIND 9.14 features](#features)
+1. [BIND 9.13 features](#features)
 1. [Building BIND](#build)
 1. [macOS](#macos)
-1. [Dependencies](#dependencies)
 1. [Compile-time options](#opts)
 1. [Automated testing](#testing)
 1. [Documentation](#doc)
@@ -42,13 +41,13 @@ administrative tools, including the `dig` and `delv` DNS lookup tools,
 `nsupdate` for dynamic DNS zone updates, `rndc` for remote name server
 administration, and more.
 
-BIND 9 began as a complete re-write of the BIND architecture that was
-used in versions 4 and 8.  Internet Systems Consortium
+BIND 9 is a complete re-write of the BIND architecture that was used in
+versions 4 and 8.  Internet Systems Consortium
 ([https://www.isc.org](https://www.isc.org)), a 501(c)(3) public benefit
 corporation dedicated to providing software and services in support of the
 Internet infrastructure, developed BIND 9 and is responsible for its
 ongoing maintenance and improvement.  BIND is open source software
-licensed under the terms of the Mozilla Public License, version 2.0.
+licenced under the terms of the Mozilla Public License, version 2.0.
 
 For a summary of features introduced in past major releases of BIND,
 see the file [HISTORY](HISTORY.md).
@@ -60,8 +59,6 @@ CHANGES file format.
 For up-to-date release notes and errata, see
 [http://www.isc.org/software/bind9/releasenotes](http://www.isc.org/software/bind9/releasenotes)
 
-For information about supported platforms, see [PLATFORMS](PLATFORMS.md).
-
 ### <a name="help"/> Reporting bugs and getting help
 
 To report non-security-sensitive bugs or request new features, you may
@@ -117,83 +114,21 @@ If you prefer, you may also submit code by opening a
 including your patch as an attachment, preferably generated by
 `git format-patch`.
 
-### <a name="features"/> BIND 9.14 features
+### <a name="features"/> BIND 9.13 features
 
-BIND 9.14.0 is the first release from a new stable branch of BIND 9,
-incorporating all changes from the 9.13 development branch, updating
-the most recent stable branch, 9.12.  These changes include:
+BIND 9.13.0 is the newest development branch of BIND 9. It includes a
+number of changes from BIND 9.12 and earlier releases.  New features
+include:
 
-* A new "plugin" mechanism has been added to allow query functionality
-  to be extended using dynamically loadable libraries. The "filter-aaaa"
-  feature has been removed from named and is now implemented as a plugin.
-* QNAME minimization, as described in RFC 7816, is now supported.
-* Socket and task code has been refactored to improve performance on most
-  modern machines.
-* "Root key sentinel" support, enabling validating resolvers to indicate
-  via a special query which trust anchors are configured for the root zone.
-* Secondary zones can now be configured as "mirror" zones; their contents
-  are transferred in as with traditional slave zones, but are subject to
-  DNSSEC validation and are not treated as authoritative data when
-  answering. This makes it easier to configure a local copy of the root
-  zone as described in RFC 7706.
-* The "validate-except" option allows configuration of domains below which
-  DNSSEC validation should not be performed.
-* The default value of "dnssec-validation" is now "auto".
-* IDNA2008 is now supported when linking with `libidn2`.
-* "named -V" now outputs the default paths for files used by named
-  and other tools.
-
-In addition, workarounds that were formerly in place to enable resolution
-of domains whose authoritative servers did not respond to EDNS queries
-have been removed. See [https://dnsflagday.net](https://dnsflagday.net)
-for more details.
-
-Cryptographic support has been modernized. BIND now uses the
-best available pseudo-random number generator for the platform on which
-it's built. Very old versions of OpenSSL are no longer supported.
-Cryptography is now mandatory: building BIND without DNSSEC is no
-longer supported.
-
-Special code to support certain legacy operating systems has also
-been removed; see the file [PLATFORMS.md](PLATFORMS.md) for details
-of supported platforms. In addition to OpenSSL, BIND now requires
-support for IPv6, threads, and standard atomic operations provided
-by the C compiler. Non-threaded builds are no longer supported.
-
-#### BIND 9.14.1
-
-BIND 9.14.1 is a maintenance release, and addresses security
-vulnerabilities disclosed in CVE-2018-5743 and CVE-2019-6467.
-
-#### BIND 9.14.2
-
-BIND 9.14.2 is a maintenance release.
-
-#### BIND 9.14.3
-
-BIND 9.14.3 is a maintenance release, and addresses the security
-vulnerability disclosed in CVE-2019-6471.
-
-#### BIND 9.14.4
-
-BIND 9.14.4 is a maintenance release, and also adds support for
-the new MaxMind GeoIP2 geolocation API when built with
-`configure --with-geoip2`.
+* TBD
 
 ### <a name="build"/> Building BIND
 
-Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
-basic POSIX support, and a 64-bit integer type. Successful builds have been
-observed on many versions of Linux and UNIX, including RedHat, Fedora,
-Debian, Ubuntu, SuSE, Slackware, FreeBSD, NetBSD, OpenBSD, Mac OS X,
-Solaris, HP-UX, and OpenWRT.
-
-BIND requires a cryptography provider library such as OpenSSL or a
-hardware service module supporting PKCS#11. On Linux, BIND requires
-the `libcap` library to set process privileges, though this requirement
-can be overridden by disabling capability support at compile time.
-See [Compile-time options](#opts) below for details on other libraries
-that may be required to support optional features.
+BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX
+support, and a 64-bit integer type. Successful builds have been observed on
+many versions of Linux and UNIX, including RedHat, Fedora, Debian, Ubuntu,
+SuSE, Slackware, FreeBSD, NetBSD, OpenBSD, Mac OS X, Solaris, HP-UX, AIX,
+SCO OpenServer, and OpenWRT. 
 
 BIND is also available for Windows 2008 and higher.  See
 `win32utils/readme1st.txt` for details on building for Windows
@@ -231,28 +166,38 @@ or if you have Xcode already installed you can run "xcode-select --install".
 This will add /usr/include to the system and install the compiler and other
 tools so that they can be easily found.
 
-### <a name="dependencies"/> Dependencies
-
-Portions of BIND that are written in Python, including
-`dnssec-keymgr`, `dnssec-coverage`, `dnssec-checkds`, and some of the
-system tests, require the 'argparse' and 'ply' modules to be available.
-'argparse' is a standard module as of Python 2.7 and Python 3.2.
-'ply' is available from [https://pypi.python.org/pypi/ply](https://pypi.python.org/pypi/ply).
 
 #### <a name="opts"/> Compile-time options
 
 To see a full list of configuration options, run `configure --help`.
 
+On most platforms, BIND 9 is built with multithreading support, allowing it
+to take advantage of multiple CPUs.  You can configure this by specifying
+`--enable-threads` or `--disable-threads` on the `configure` command line.
+The default is to enable threads, except on some older operating systems on
+which threads are known to have had problems in the past.  (Note: Prior to
+BIND 9.10, the default was to disable threads on Linux systems; this has
+now been reversed.  On Linux systems, the threaded build is known to change
+BIND's behavior with respect to file permissions; it may be necessary to
+specify a user with the -u option when running `named`.)
+
 To build shared libraries, specify `--with-libtool` on the `configure`
 command line.
 
+Certain compiled-in constants and default settings can be increased to
+values better suited to large servers with abundant memory resources (e.g,
+64-bit servers with 12G or more of memory) by specifying
+`--with-tuning=large` on the `configure` command line. This can improve
+performance on big servers, but will consume more memory and may degrade
+performance on smaller systems.
+
 For the server to support DNSSEC, you need to build it with crypto support.
 To use OpenSSL, you should have OpenSSL 1.0.2e or newer installed.  If the
 OpenSSL library is installed in a nonstandard location, specify the prefix
-using `--with-openssl=<PREFIX>` on the configure command line. To use a
+using "--with-openssl=&lt;PREFIX&gt;" on the configure command line. To use a
 PKCS#11 hardware service module for cryptographic operations, specify the
-path to the PKCS#11 provider library using `--with-pkcs11=<PREFIX>`, and
-configure BIND with `--enable-native-pkcs11`.
+path to the PKCS#11 provider library using "--with-pkcs11=&lt;PREFIX&gt;", and
+configure BIND with "--enable-native-pkcs11".
 
 To support the HTTP statistics channel, the server must be linked with at
 least one of the following: libxml2
@@ -267,30 +212,24 @@ specify the prefix using `--with-zlib=/prefix`.
 
 To support storing configuration data for runtime-added zones in an LMDB
 database, the server must be linked with liblmdb. If this is installed in a
-nonstandard location, specify the prefix using `with-lmdb=/prefix`.
+nonstandard location, specify the prefix using "with-lmdb=/prefix".
 
 To support GeoIP location-based ACLs, the server must be linked with
 libGeoIP. This is not turned on by default; BIND must be configured with
-`--with-geoip`. If the library is installed in a nonstandard location,
-specify the prefix using `--with-geoip=/prefix`.
+"--with-geoip". If the library is installed in a nonstandard location, use
+specify the prefix using "--with-geoip=/prefix".
 
 For DNSTAP packet logging, you must have installed libfstrm
 [https://github.com/farsightsec/fstrm](https://github.com/farsightsec/fstrm)
 and libprotobuf-c
 [https://developers.google.com/protocol-buffers](https://developers.google.com/protocol-buffers),
-and BIND must be configured with `--enable-dnstap`.
+and BIND must be configured with "--enable-dnstap".
 
-Certain compiled-in constants and default settings can be increased to
-values better suited to large servers with abundant memory resources (e.g,
-64-bit servers with 12G or more of memory) by specifying
-`--with-tuning=large` on the `configure` command line. This can improve
-performance on big servers, but will consume more memory and may degrade
-performance on smaller systems.
-
-On Linux, process capabilities are managed in user space using
-the `libcap` library, which can be installed on most Linux systems via
-the `libcap-dev` or `libcap-devel` module. Process capability support can
-also be disabled by configuring with `--disable-linux-caps`.
+Portions of BIND that are written in Python, including
+`dnssec-keymgr`, `dnssec-coverage`, `dnssec-checkds`, and some of the
+system tests, require the 'argparse' and 'ply' modules to be available.
+'argparse' is a standard module as of Python 2.7 and Python 3.2.
+'ply' is available from [https://pypi.python.org/pypi/ply](https://pypi.python.org/pypi/ply).
 
 On some platforms it is necessary to explicitly request large file support
 to handle files bigger than 2GB.  This can be done by using
@@ -301,9 +240,9 @@ specifying `--enable-fixed-rrset` or `--disable-fixed-rrset` on the
 configure command line.  By default, fixed rrset-order is disabled to
 reduce memory footprint.
 
-The `--enable-querytrace` option causes `named` to log every step of
-processing every query. This should only be enabled when debugging, because
-it has a significant negative impact on query performance.
+If your operating system has integrated support for IPv6, it will be used
+automatically.  If you have installed KAME IPv6 separately, use
+`--with-kame[=PATH]` to specify its location.
 
 `make install` will install `named` and the various BIND 9 libraries.  By
 default, installation is into /usr/local, but this can be changed with the
@@ -330,10 +269,9 @@ and will be skipped if these are not available. Some tests require Python
 and the 'dnspython' module and will be skipped if these are not available.
 See bin/tests/system/README for further details.
 
-Unit tests are implemented using the CMocka unit testing framework.
-To build them, use `configure --with-cmocka`. Execution of tests is done
-by the Kyua test execution engine; if the `kyua` command is available,
-then unit tests can be run via `make test` or `make unit`.
+Unit tests are implemented using Automated Testing Framework (ATF).
+To run them, use `configure --with-atf`, then run `make test` or
+`make unit`.
 
 ### <a name="doc"/> Documentation
 
@@ -381,25 +319,6 @@ releases (i.e., those with version numbers ending in zero).  Some new
 functionality may be backported to older releases on a case-by-case basis.
 All other change types may be applied to all currently-supported releases.
 
-#### Bug report identifiers
-
-Most notes in the CHANGES file include a reference to a bug report or
-issue number. Prior to 2018, these were usually of the form `[RT #NNN]`
-and referred to entries in the "bind9-bugs" RT database, which was not open
-to the public. More recent entries use the form `[GL #NNN]` or, less often,
-`[GL !NNN]`, which, respectively, refer to issues or merge requests in the
-Gitlab database. Most of these are publically readable, unless they include
-information which is confidential or security senstive.
-
-To look up a Gitlab issue by its number, use the URL
-[https://gitlab.isc.org/isc-projects/bind9/issues/NNN](https://gitlab.isc.org/isc-projects/bind9/issues).
-To look up a merge request, use
-[https://gitlab.isc.org/isc-projects/bind9/merge_requests/NNN](https://gitlab.isc.org/isc-projects/bind9/merge_requests).
-
-In rare cases, an issue or merge request number may be followed with the
-letter "P". This indicates that the information is in the private ISC
-Gitlab instance, which is not visible to the public.
-
 ### <a name="ack"/> Acknowledgments
 
 * The original development of BIND 9 was underwritten by the

acconfig.h

@@ -0,0 +1,137 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+/***
+ *** This file is not to be included by any public header files, because
+ *** it does not get installed.
+ ***/
+@TOP@
+
+/** define on DEC OSF to enable 4.4BSD style sa_len support */
+#undef _SOCKADDR_LEN
+
+/** define if your system needs pthread_init() before using pthreads */
+#undef NEED_PTHREAD_INIT
+
+/** define if your system has sigwait() */
+#undef HAVE_SIGWAIT
+
+/** define if sigwait() is the UnixWare flavor */
+#undef HAVE_UNIXWARE_SIGWAIT
+
+/** define on Solaris to get sigwait() to work using pthreads semantics */
+#undef _POSIX_PTHREAD_SEMANTICS
+
+/** define if LinuxThreads is in use */
+#undef HAVE_LINUXTHREADS
+
+/** define if sysconf() is available */
+#undef HAVE_SYSCONF
+
+/** define if sysctlbyname() is available */
+#undef HAVE_SYSCTLBYNAME
+
+/** define if catgets() is available */
+#undef HAVE_CATGETS
+
+/** define if getifaddrs() exists */
+#undef HAVE_GETIFADDRS
+
+/** define if you have the NET_RT_IFLIST sysctl variable and sys/sysctl.h */
+#undef HAVE_IFLIST_SYSCTL
+
+/** define if tzset() is available */
+#undef HAVE_TZSET
+
+/** define if struct addrinfo exists */
+#undef HAVE_ADDRINFO
+
+/** define if getaddrinfo() exists */
+#undef HAVE_GETADDRINFO
+
+/** define if gai_strerror() exists */
+#undef HAVE_GAISTRERROR
+
+/**
+ * define if pthread_setconcurrency() should be called to tell the
+ * OS how many threads we might want to run.
+ */
+#undef CALL_PTHREAD_SETCONCURRENCY
+
+/** define if IPv6 is not disabled */
+#undef WANT_IPV6
+
+/** define if flockfile() is available */
+#undef HAVE_FLOCKFILE
+
+/** define if getc_unlocked() is available */
+#undef HAVE_GETCUNLOCKED
+
+/** Shut up warnings about sputaux in stdio.h on BSD/OS pre-4.1 */
+#undef SHUTUP_SPUTAUX
+#ifdef SHUTUP_SPUTAUX
+struct __sFILE;
+extern __inline int __sputaux(int _c, struct __sFILE *_p);
+#endif
+
+/** Shut up warnings about missing sigwait prototype on BSD/OS 4.0* */
+#undef SHUTUP_SIGWAIT
+#ifdef SHUTUP_SIGWAIT
+int sigwait(const unsigned int *set, int *sig);
+#endif
+
+/** Shut up warnings from gcc -Wcast-qual on BSD/OS 4.1. */
+#undef SHUTUP_STDARG_CAST
+#if defined(SHUTUP_STDARG_CAST) && defined(__GNUC__)
+#include <stdarg.h>		/** Grr.  Must be included *every time*. */
+/**
+ * The silly continuation line is to keep configure from
+ * commenting out the #undef.
+ */
+
+#undef \
+	va_start
+#define	va_start(ap, last) \
+	do { \
+		union { const void *konst; long *var; } _u; \
+		_u.konst = &(last); \
+		ap = (va_list)(_u.var + __va_words(__typeof(last))); \
+	} while (0)
+#endif /** SHUTUP_STDARG_CAST && __GNUC__ */
+
+/** define if the system has a random number generating device */
+#undef PATH_RANDOMDEV
+
+/** define if pthread_attr_getstacksize() is available */
+#undef HAVE_PTHREAD_ATTR_GETSTACKSIZE
+
+/** define if pthread_attr_setstacksize() is available */
+#undef HAVE_PTHREAD_ATTR_SETSTACKSIZE
+
+/** define if you have strerror in the C library. */
+#undef HAVE_STRERROR
+
+/* Define if OpenSSL includes DSA support */
+#undef HAVE_OPENSSL_DSA
+
+/* Define if you have getpassphrase in the C library. */
+#undef HAVE_GETPASSPHRASE
+
+/* Define to the length type used by the socket API (socklen_t, size_t, int). */
+#undef ISC_SOCKADDR_LEN_T
+
+/* Define if threads need PTHREAD_SCOPE_SYSTEM */
+#undef NEED_PTHREAD_SCOPE_SYSTEM
+
+/* Define to 1 if you have the uname library function. */
+#undef HAVE_UNAME

aclocal.m4

@@ -1,300 +1,17 @@
-# generated automatically by aclocal 1.16.1 -*- Autoconf -*-
+sinclude(libtool.m4/libtool.m4)dnl
+sinclude(libtool.m4/ltoptions.m4)dnl
+sinclude(libtool.m4/ltsugar.m4)dnl
+sinclude(libtool.m4/ltversion.m4)dnl
+sinclude(libtool.m4/lt~obsolete.m4)dnl
 
-# Copyright (C) 1996-2018 Free Software Foundation, Inc.
+m4_divert_text(HELP_CANON, [[
+  NOTE: If PREFIX is not set, then the default values for --sysconfdir
+  and --localstatedir are /etc and /var, respectively.]])
+m4_divert_text(HELP_END, [[
+Professional support for BIND is provided by Internet Systems Consortium,
+Inc.  Information about paid support and training options is available at
+https://www.isc.org/support.
 
-# This file is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-m4_ifndef([AC_CONFIG_MACRO_DIRS], [m4_defun([_AM_CONFIG_MACRO_DIRS], [])m4_defun([AC_CONFIG_MACRO_DIRS], [_AM_CONFIG_MACRO_DIRS($@)])])
-# pkg.m4 - Macros to locate and utilise pkg-config.   -*- Autoconf -*-
-# serial 12 (pkg-config-0.29.2)
-
-dnl Copyright © 2004 Scott James Remnant <scott@netsplit.com>.
-dnl Copyright © 2012-2015 Dan Nicholson <dbn.lists@gmail.com>
-dnl
-dnl This program is free software; you can redistribute it and/or modify
-dnl it under the terms of the GNU General Public License as published by
-dnl the Free Software Foundation; either version 2 of the License, or
-dnl (at your option) any later version.
-dnl
-dnl This program is distributed in the hope that it will be useful, but
-dnl WITHOUT ANY WARRANTY; without even the implied warranty of
-dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-dnl General Public License for more details.
-dnl
-dnl You should have received a copy of the GNU General Public License
-dnl along with this program; if not, write to the Free Software
-dnl Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
-dnl 02111-1307, USA.
-dnl
-dnl As a special exception to the GNU General Public License, if you
-dnl distribute this file as part of a program that contains a
-dnl configuration script generated by Autoconf, you may include it under
-dnl the same distribution terms that you use for the rest of that
-dnl program.
-
-dnl PKG_PREREQ(MIN-VERSION)
-dnl -----------------------
-dnl Since: 0.29
-dnl
-dnl Verify that the version of the pkg-config macros are at least
-dnl MIN-VERSION. Unlike PKG_PROG_PKG_CONFIG, which checks the user's
-dnl installed version of pkg-config, this checks the developer's version
-dnl of pkg.m4 when generating configure.
-dnl
-dnl To ensure that this macro is defined, also add:
-dnl m4_ifndef([PKG_PREREQ],
-dnl     [m4_fatal([must install pkg-config 0.29 or later before running autoconf/autogen])])
-dnl
-dnl See the "Since" comment for each macro you use to see what version
-dnl of the macros you require.
-m4_defun([PKG_PREREQ],
-[m4_define([PKG_MACROS_VERSION], [0.29.2])
-m4_if(m4_version_compare(PKG_MACROS_VERSION, [$1]), -1,
-    [m4_fatal([pkg.m4 version $1 or higher is required but ]PKG_MACROS_VERSION[ found])])
-])dnl PKG_PREREQ
-
-dnl PKG_PROG_PKG_CONFIG([MIN-VERSION])
-dnl ----------------------------------
-dnl Since: 0.16
-dnl
-dnl Search for the pkg-config tool and set the PKG_CONFIG variable to
-dnl first found in the path. Checks that the version of pkg-config found
-dnl is at least MIN-VERSION. If MIN-VERSION is not specified, 0.9.0 is
-dnl used since that's the first version where most current features of
-dnl pkg-config existed.
-AC_DEFUN([PKG_PROG_PKG_CONFIG],
-[m4_pattern_forbid([^_?PKG_[A-Z_]+$])
-m4_pattern_allow([^PKG_CONFIG(_(PATH|LIBDIR|SYSROOT_DIR|ALLOW_SYSTEM_(CFLAGS|LIBS)))?$])
-m4_pattern_allow([^PKG_CONFIG_(DISABLE_UNINSTALLED|TOP_BUILD_DIR|DEBUG_SPEW)$])
-AC_ARG_VAR([PKG_CONFIG], [path to pkg-config utility])
-AC_ARG_VAR([PKG_CONFIG_PATH], [directories to add to pkg-config's search path])
-AC_ARG_VAR([PKG_CONFIG_LIBDIR], [path overriding pkg-config's built-in search path])
-
-if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then
-	AC_PATH_TOOL([PKG_CONFIG], [pkg-config])
-fi
-if test -n "$PKG_CONFIG"; then
-	_pkg_min_version=m4_default([$1], [0.9.0])
-	AC_MSG_CHECKING([pkg-config is at least version $_pkg_min_version])
-	if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then
-		AC_MSG_RESULT([yes])
-	else
-		AC_MSG_RESULT([no])
-		PKG_CONFIG=""
-	fi
-fi[]dnl
-])dnl PKG_PROG_PKG_CONFIG
-
-dnl PKG_CHECK_EXISTS(MODULES, [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND])
-dnl -------------------------------------------------------------------
-dnl Since: 0.18
-dnl
-dnl Check to see whether a particular set of modules exists. Similar to
-dnl PKG_CHECK_MODULES(), but does not set variables or print errors.
-dnl
-dnl Please remember that m4 expands AC_REQUIRE([PKG_PROG_PKG_CONFIG])
-dnl only at the first occurence in configure.ac, so if the first place
-dnl it's called might be skipped (such as if it is within an "if", you
-dnl have to call PKG_CHECK_EXISTS manually
-AC_DEFUN([PKG_CHECK_EXISTS],
-[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
-if test -n "$PKG_CONFIG" && \
-    AC_RUN_LOG([$PKG_CONFIG --exists --print-errors "$1"]); then
-  m4_default([$2], [:])
-m4_ifvaln([$3], [else
-  $3])dnl
-fi])
-
-dnl _PKG_CONFIG([VARIABLE], [COMMAND], [MODULES])
-dnl ---------------------------------------------
-dnl Internal wrapper calling pkg-config via PKG_CONFIG and setting
-dnl pkg_failed based on the result.
-m4_define([_PKG_CONFIG],
-[if test -n "$$1"; then
-    pkg_cv_[]$1="$$1"
- elif test -n "$PKG_CONFIG"; then
-    PKG_CHECK_EXISTS([$3],
-                     [pkg_cv_[]$1=`$PKG_CONFIG --[]$2 "$3" 2>/dev/null`
-		      test "x$?" != "x0" && pkg_failed=yes ],
-		     [pkg_failed=yes])
- else
-    pkg_failed=untried
-fi[]dnl
-])dnl _PKG_CONFIG
-
-dnl _PKG_SHORT_ERRORS_SUPPORTED
-dnl ---------------------------
-dnl Internal check to see if pkg-config supports short errors.
-AC_DEFUN([_PKG_SHORT_ERRORS_SUPPORTED],
-[AC_REQUIRE([PKG_PROG_PKG_CONFIG])
-if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
-        _pkg_short_errors_supported=yes
-else
-        _pkg_short_errors_supported=no
-fi[]dnl
-])dnl _PKG_SHORT_ERRORS_SUPPORTED
-
-
-dnl PKG_CHECK_MODULES(VARIABLE-PREFIX, MODULES, [ACTION-IF-FOUND],
-dnl   [ACTION-IF-NOT-FOUND])
-dnl --------------------------------------------------------------
-dnl Since: 0.4.0
-dnl
-dnl Note that if there is a possibility the first call to
-dnl PKG_CHECK_MODULES might not happen, you should be sure to include an
-dnl explicit call to PKG_PROG_PKG_CONFIG in your configure.ac
-AC_DEFUN([PKG_CHECK_MODULES],
-[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
-AC_ARG_VAR([$1][_CFLAGS], [C compiler flags for $1, overriding pkg-config])dnl
-AC_ARG_VAR([$1][_LIBS], [linker flags for $1, overriding pkg-config])dnl
-
-pkg_failed=no
-AC_MSG_CHECKING([for $2])
-
-_PKG_CONFIG([$1][_CFLAGS], [cflags], [$2])
-_PKG_CONFIG([$1][_LIBS], [libs], [$2])
-
-m4_define([_PKG_TEXT], [Alternatively, you may set the environment variables $1[]_CFLAGS
-and $1[]_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.])
-
-if test $pkg_failed = yes; then
-        AC_MSG_RESULT([no])
-        _PKG_SHORT_ERRORS_SUPPORTED
-        if test $_pkg_short_errors_supported = yes; then
-	        $1[]_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "$2" 2>&1`
-        else
-	        $1[]_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "$2" 2>&1`
-        fi
-	# Put the nasty error message in config.log where it belongs
-	echo "$$1[]_PKG_ERRORS" >&AS_MESSAGE_LOG_FD
-
-	m4_default([$4], [AC_MSG_ERROR(
-[Package requirements ($2) were not met:
-
-$$1_PKG_ERRORS
-
-Consider adjusting the PKG_CONFIG_PATH environment variable if you
-installed software in a non-standard prefix.
-
-_PKG_TEXT])[]dnl
-        ])
-elif test $pkg_failed = untried; then
-        AC_MSG_RESULT([no])
-	m4_default([$4], [AC_MSG_FAILURE(
-[The pkg-config script could not be found or is too old.  Make sure it
-is in your PATH or set the PKG_CONFIG environment variable to the full
-path to pkg-config.
-
-_PKG_TEXT
-
-To get pkg-config, see <http://pkg-config.freedesktop.org/>.])[]dnl
-        ])
-else
-	$1[]_CFLAGS=$pkg_cv_[]$1[]_CFLAGS
-	$1[]_LIBS=$pkg_cv_[]$1[]_LIBS
-        AC_MSG_RESULT([yes])
-	$3
-fi[]dnl
-])dnl PKG_CHECK_MODULES
-
-
-dnl PKG_CHECK_MODULES_STATIC(VARIABLE-PREFIX, MODULES, [ACTION-IF-FOUND],
-dnl   [ACTION-IF-NOT-FOUND])
-dnl ---------------------------------------------------------------------
-dnl Since: 0.29
-dnl
-dnl Checks for existence of MODULES and gathers its build flags with
-dnl static libraries enabled. Sets VARIABLE-PREFIX_CFLAGS from --cflags
-dnl and VARIABLE-PREFIX_LIBS from --libs.
-dnl
-dnl Note that if there is a possibility the first call to
-dnl PKG_CHECK_MODULES_STATIC might not happen, you should be sure to
-dnl include an explicit call to PKG_PROG_PKG_CONFIG in your
-dnl configure.ac.
-AC_DEFUN([PKG_CHECK_MODULES_STATIC],
-[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
-_save_PKG_CONFIG=$PKG_CONFIG
-PKG_CONFIG="$PKG_CONFIG --static"
-PKG_CHECK_MODULES($@)
-PKG_CONFIG=$_save_PKG_CONFIG[]dnl
-])dnl PKG_CHECK_MODULES_STATIC
-
-
-dnl PKG_INSTALLDIR([DIRECTORY])
-dnl -------------------------
-dnl Since: 0.27
-dnl
-dnl Substitutes the variable pkgconfigdir as the location where a module
-dnl should install pkg-config .pc files. By default the directory is
-dnl $libdir/pkgconfig, but the default can be changed by passing
-dnl DIRECTORY. The user can override through the --with-pkgconfigdir
-dnl parameter.
-AC_DEFUN([PKG_INSTALLDIR],
-[m4_pushdef([pkg_default], [m4_default([$1], ['${libdir}/pkgconfig'])])
-m4_pushdef([pkg_description],
-    [pkg-config installation directory @<:@]pkg_default[@:>@])
-AC_ARG_WITH([pkgconfigdir],
-    [AS_HELP_STRING([--with-pkgconfigdir], pkg_description)],,
-    [with_pkgconfigdir=]pkg_default)
-AC_SUBST([pkgconfigdir], [$with_pkgconfigdir])
-m4_popdef([pkg_default])
-m4_popdef([pkg_description])
-])dnl PKG_INSTALLDIR
-
-
-dnl PKG_NOARCH_INSTALLDIR([DIRECTORY])
-dnl --------------------------------
-dnl Since: 0.27
-dnl
-dnl Substitutes the variable noarch_pkgconfigdir as the location where a
-dnl module should install arch-independent pkg-config .pc files. By
-dnl default the directory is $datadir/pkgconfig, but the default can be
-dnl changed by passing DIRECTORY. The user can override through the
-dnl --with-noarch-pkgconfigdir parameter.
-AC_DEFUN([PKG_NOARCH_INSTALLDIR],
-[m4_pushdef([pkg_default], [m4_default([$1], ['${datadir}/pkgconfig'])])
-m4_pushdef([pkg_description],
-    [pkg-config arch-independent installation directory @<:@]pkg_default[@:>@])
-AC_ARG_WITH([noarch-pkgconfigdir],
-    [AS_HELP_STRING([--with-noarch-pkgconfigdir], pkg_description)],,
-    [with_noarch_pkgconfigdir=]pkg_default)
-AC_SUBST([noarch_pkgconfigdir], [$with_noarch_pkgconfigdir])
-m4_popdef([pkg_default])
-m4_popdef([pkg_description])
-])dnl PKG_NOARCH_INSTALLDIR
-
-
-dnl PKG_CHECK_VAR(VARIABLE, MODULE, CONFIG-VARIABLE,
-dnl [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND])
-dnl -------------------------------------------
-dnl Since: 0.28
-dnl
-dnl Retrieves the value of the pkg-config variable for the given module.
-AC_DEFUN([PKG_CHECK_VAR],
-[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
-AC_ARG_VAR([$1], [value of $3 for $2, overriding pkg-config])dnl
-
-_PKG_CONFIG([$1], [variable="][$3]["], [$2])
-AS_VAR_COPY([$1], [pkg_cv_][$1])
-
-AS_VAR_IF([$1], [""], [$5], [$4])dnl
-])dnl PKG_CHECK_VAR
-
-m4_include([m4/ax_check_openssl.m4])
-m4_include([m4/ax_posix_shell.m4])
-m4_include([m4/ax_pthread.m4])
-m4_include([m4/ax_restore_flags.m4])
-m4_include([m4/ax_save_flags.m4])
-m4_include([m4/libtool.m4])
-m4_include([m4/ltoptions.m4])
-m4_include([m4/ltsugar.m4])
-m4_include([m4/ltversion.m4])
-m4_include([m4/lt~obsolete.m4])
+Help can also often be found on the BIND Users mailing list
+(https://lists.isc.org/mailman/listinfo/bind-users) or in the #bind
+channel of the Freenode IRC service.]])

autogen.sh

@@ -10,4 +10,4 @@
 # information regarding copyright ownership.
 
 # Run this script after modifying configure.in to generate configure
-autoreconf -f -i
+autoreconf -i

bin/Makefile.in

@@ -12,7 +12,7 @@ VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
 
 SUBDIRS =	named rndc dig delv dnssec tools nsupdate check confgen \
-		@NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ plugins tests
+		@NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ tests
 TARGETS =
 
 @BIND9_MAKE_RULES@

bin/check/Makefile.in

@@ -16,15 +16,15 @@ VERSION=@BIND9_VERSION@
 @BIND9_MAKE_INCLUDES@
 
 CINCLUDES =	${NS_INCLUDES} ${BIND9_INCLUDES} ${DNS_INCLUDES} ${ISCCFG_INCLUDES} \
-		${ISC_INCLUDES} @OPENSSL_INCLUDES@
+		${ISC_INCLUDES} @DST_OPENSSL_INC@
 
 CDEFINES = 	-DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
 CWARNINGS =
 
-DNSLIBS =	../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
+DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
 ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
-ISCLIBS =	../../lib/isc/libisc.@A@ @OPENSSL_LIBS@
-ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LIBS@
+ISCLIBS =	../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @ISC_OPENSSL_LIBS@
 BIND9LIBS =	../../lib/bind9/libbind9.@A@
 NSLIBS =	../../lib/ns/libns.@A@
 
@@ -66,7 +66,7 @@ named-checkzone.@O@: named-checkzone.c
 named-checkconf@EXEEXT@: named-checkconf.@O@ check-tool.@O@ ${ISCDEPLIBS} \
 		${NSDEPENDLIBS} ${DNSDEPLIBS} ${ISCCFGDEPLIBS} ${BIND9DEPLIBS}
 	export BASEOBJS="named-checkconf.@O@ check-tool.@O@"; \
-	export LIBS0="${BIND9LIBS} ${NSLIBS} ${ISCCFGLIBS} ${DNSLIBS}"; \
+	export LIBS0="${NSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} ${DNSLIBS}"; \
 	${FINALBUILDCMD}
 
 named-checkzone@EXEEXT@: named-checkzone.@O@ check-tool.@O@ ${ISCDEPLIBS} \
@@ -88,12 +88,12 @@ install:: named-checkconf@EXEEXT@ named-checkzone@EXEEXT@ installdirs
 	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkconf@EXEEXT@ ${DESTDIR}${sbindir}
 	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkzone@EXEEXT@ ${DESTDIR}${sbindir}
 	(cd ${DESTDIR}${sbindir}; rm -f named-compilezone@EXEEXT@; ${LINK_PROGRAM} named-checkzone@EXEEXT@ named-compilezone@EXEEXT@)
-	for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8 || exit 1; done
+	for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done
 	(cd ${DESTDIR}${mandir}/man8; rm -f named-compilezone.8; ${LINK_PROGRAM} named-checkzone.8 named-compilezone.8)
 
 uninstall::
 	rm -f ${DESTDIR}${mandir}/man8/named-compilezone.8
-	for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m || exit 1; done
+	for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m ; done
 	rm -f ${DESTDIR}${sbindir}/named-compilezone@EXEEXT@
 	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-checkconf@EXEEXT@
 	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-checkzone@EXEEXT@

bin/check/check-tool.c

@@ -14,9 +14,7 @@
 
 #include <config.h>
 
-#include <stdbool.h>
 #include <stdio.h>
-#include <inttypes.h>
 
 #ifdef _WIN32
 #include <Winsock2.h>
@@ -62,6 +60,14 @@
 #define CHECK_LOCAL 1
 #endif
 
+#ifdef HAVE_ADDRINFO
+#ifdef HAVE_GETADDRINFO
+#ifdef HAVE_GAISTRERROR
+#define USE_GETADDRINFO
+#endif
+#endif
+#endif
+
 #define CHECK(r) \
 	do { \
 		result = (r); \
@@ -82,15 +88,15 @@ static const char *dbtype[] = { "rbt" };
 
 int debug = 0;
 const char *journal = NULL;
-bool nomerge = true;
+isc_boolean_t nomerge = ISC_TRUE;
 #if CHECK_LOCAL
-bool docheckmx = true;
-bool dochecksrv = true;
-bool docheckns = true;
+isc_boolean_t docheckmx = ISC_TRUE;
+isc_boolean_t dochecksrv = ISC_TRUE;
+isc_boolean_t docheckns = ISC_TRUE;
 #else
-bool docheckmx = false;
-bool dochecksrv = false;
-bool docheckns = false;
+isc_boolean_t docheckmx = ISC_FALSE;
+isc_boolean_t dochecksrv = ISC_FALSE;
+isc_boolean_t docheckns = ISC_FALSE;
 #endif
 dns_zoneopt_t zone_options = DNS_ZONEOPT_CHECKNS |
 			     DNS_ZONEOPT_CHECKMX |
@@ -136,7 +142,7 @@ add(char *key, int value) {
 
 	if (symtab == NULL) {
 		result = isc_symtab_create(sym_mctx, 100, freekey, sym_mctx,
-					   false, &symtab);
+					   ISC_FALSE, &symtab);
 		if (result != ISC_R_SUCCESS)
 			return;
 	}
@@ -152,31 +158,32 @@ add(char *key, int value) {
 		isc_mem_free(sym_mctx, key);
 }
 
-static bool
+static isc_boolean_t
 logged(char *key, int value) {
 	isc_result_t result;
 
 	if (symtab == NULL)
-		return (false);
+		return (ISC_FALSE);
 
 	result = isc_symtab_lookup(symtab, key, value, NULL);
 	if (result == ISC_R_SUCCESS)
-		return (true);
-	return (false);
+		return (ISC_TRUE);
+	return (ISC_FALSE);
 }
 
-static bool
+static isc_boolean_t
 checkns(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner,
 	dns_rdataset_t *a, dns_rdataset_t *aaaa)
 {
+#ifdef USE_GETADDRINFO
 	dns_rdataset_t *rdataset;
 	dns_rdata_t rdata = DNS_RDATA_INIT;
 	struct addrinfo hints, *ai, *cur;
 	char namebuf[DNS_NAME_FORMATSIZE + 1];
 	char ownerbuf[DNS_NAME_FORMATSIZE];
 	char addrbuf[sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:123.123.123.123")];
-	bool answer = true;
-	bool match;
+	isc_boolean_t answer = ISC_TRUE;
+	isc_boolean_t match;
 	const char *type;
 	void *ptr = NULL;
 	int result;
@@ -225,7 +232,7 @@ checkns(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner,
 				     ownerbuf, namebuf,
 				     cur->ai_canonname);
 			/* XXX950 make fatal for 9.5.0 */
-			/* answer = false; */
+			/* answer = ISC_FALSE; */
 			add(namebuf, ERR_IS_CNAME);
 		}
 		break;
@@ -241,7 +248,7 @@ checkns(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner,
 			add(namebuf, ERR_NO_ADDRESSES);
 		}
 		/* XXX950 make fatal for 9.5.0 */
-		return (true);
+		return (ISC_TRUE);
 
 	default:
 		if (!logged(namebuf, ERR_LOOKUP_FAILURE)) {
@@ -250,7 +257,7 @@ checkns(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner,
 				     namebuf, gai_strerror(result));
 			add(namebuf, ERR_LOOKUP_FAILURE);
 		}
-		return (true);
+		return (ISC_TRUE);
 	}
 
 	/*
@@ -261,13 +268,13 @@ checkns(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner,
 	result = dns_rdataset_first(a);
 	while (result == ISC_R_SUCCESS) {
 		dns_rdataset_current(a, &rdata);
-		match = false;
+		match = ISC_FALSE;
 		for (cur = ai; cur != NULL; cur = cur->ai_next) {
 			if (cur->ai_family != AF_INET)
 				continue;
 			ptr = &((struct sockaddr_in *)(cur->ai_addr))->sin_addr;
 			if (memcmp(ptr, rdata.data, rdata.length) == 0) {
-				match = true;
+				match = ISC_TRUE;
 				break;
 			}
 		}
@@ -279,7 +286,7 @@ checkns(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner,
 					       addrbuf, sizeof(addrbuf)));
 			add(namebuf, ERR_EXTRA_A);
 			/* XXX950 make fatal for 9.5.0 */
-			/* answer = false; */
+			/* answer = ISC_FALSE; */
 		}
 		dns_rdata_reset(&rdata);
 		result = dns_rdataset_next(a);
@@ -291,13 +298,13 @@ checkns(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner,
 	result = dns_rdataset_first(aaaa);
 	while (result == ISC_R_SUCCESS) {
 		dns_rdataset_current(aaaa, &rdata);
-		match = false;
+		match = ISC_FALSE;
 		for (cur = ai; cur != NULL; cur = cur->ai_next) {
 			if (cur->ai_family != AF_INET6)
 				continue;
 			ptr = &((struct sockaddr_in6 *)(cur->ai_addr))->sin6_addr;
 			if (memcmp(ptr, rdata.data, rdata.length) == 0) {
-				match = true;
+				match = ISC_TRUE;
 				break;
 			}
 		}
@@ -309,7 +316,7 @@ checkns(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner,
 					       addrbuf, sizeof(addrbuf)));
 			add(namebuf, ERR_EXTRA_AAAA);
 			/* XXX950 make fatal for 9.5.0. */
-			/* answer = false; */
+			/* answer = ISC_FALSE; */
 		}
 		dns_rdata_reset(&rdata);
 		result = dns_rdataset_next(aaaa);
@@ -320,7 +327,7 @@ checkns(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner,
 	 * Check that all addresses appear in the glue.
 	 */
 	if (!logged(namebuf, ERR_MISSING_GLUE)) {
-		bool missing_glue = false;
+		isc_boolean_t missing_glue = ISC_FALSE;
 		for (cur = ai; cur != NULL; cur = cur->ai_next) {
 			switch (cur->ai_family) {
 			case AF_INET:
@@ -336,7 +343,7 @@ checkns(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner,
 			default:
 				 continue;
 			}
-			match = false;
+			match = ISC_FALSE;
 			if (dns_rdataset_isassociated(rdataset))
 				result = dns_rdataset_first(rdataset);
 			else
@@ -344,7 +351,7 @@ checkns(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner,
 			while (result == ISC_R_SUCCESS && !match) {
 				dns_rdataset_current(rdataset, &rdata);
 				if (memcmp(ptr, rdata.data, rdata.length) == 0)
-					match = true;
+					match = ISC_TRUE;
 				dns_rdata_reset(&rdata);
 				result = dns_rdataset_next(rdataset);
 			}
@@ -355,8 +362,8 @@ checkns(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner,
 					     inet_ntop(cur->ai_family, ptr,
 						       addrbuf, sizeof(addrbuf)));
 				/* XXX950 make fatal for 9.5.0. */
-				/* answer = false; */
-				missing_glue = true;
+				/* answer = ISC_FALSE; */
+				missing_glue = ISC_TRUE;
 			}
 		}
 		if (missing_glue)
@@ -364,16 +371,20 @@ checkns(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner,
 	}
 	freeaddrinfo(ai);
 	return (answer);
+#else
+	return (ISC_TRUE);
+#endif
 }
 
-static bool
+static isc_boolean_t
 checkmx(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner) {
+#ifdef USE_GETADDRINFO
 	struct addrinfo hints, *ai, *cur;
 	char namebuf[DNS_NAME_FORMATSIZE + 1];
 	char ownerbuf[DNS_NAME_FORMATSIZE];
 	int result;
 	int level = ISC_LOG_ERROR;
-	bool answer = true;
+	isc_boolean_t answer = ISC_TRUE;
 
 	memset(&hints, 0, sizeof(hints));
 	hints.ai_flags = AI_CANONNAME;
@@ -417,7 +428,7 @@ checkmx(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner) {
 					add(namebuf, ERR_IS_MXCNAME);
 				}
 				if (level == ISC_LOG_ERROR)
-					answer = false;
+					answer = ISC_FALSE;
 			}
 		}
 		freeaddrinfo(ai);
@@ -435,7 +446,7 @@ checkmx(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner) {
 			add(namebuf, ERR_NO_ADDRESSES);
 		}
 		/* XXX950 make fatal for 9.5.0. */
-		return (true);
+		return (ISC_TRUE);
 
 	default:
 		if (!logged(namebuf, ERR_LOOKUP_FAILURE)) {
@@ -444,18 +455,22 @@ checkmx(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner) {
 			     namebuf, gai_strerror(result));
 			add(namebuf, ERR_LOOKUP_FAILURE);
 		}
-		return (true);
+		return (ISC_TRUE);
 	}
+#else
+	return (ISC_TRUE);
+#endif
 }
 
-static bool
+static isc_boolean_t
 checksrv(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner) {
+#ifdef USE_GETADDRINFO
 	struct addrinfo hints, *ai, *cur;
 	char namebuf[DNS_NAME_FORMATSIZE + 1];
 	char ownerbuf[DNS_NAME_FORMATSIZE];
 	int result;
 	int level = ISC_LOG_ERROR;
-	bool answer = true;
+	isc_boolean_t answer = ISC_TRUE;
 
 	memset(&hints, 0, sizeof(hints));
 	hints.ai_flags = AI_CANONNAME;
@@ -498,7 +513,7 @@ checksrv(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner) {
 					add(namebuf, ERR_IS_SRVCNAME);
 				}
 				if (level == ISC_LOG_ERROR)
-					answer = false;
+					answer = ISC_FALSE;
 			}
 		}
 		freeaddrinfo(ai);
@@ -516,7 +531,7 @@ checksrv(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner) {
 			add(namebuf, ERR_NO_ADDRESSES);
 		}
 		/* XXX950 make fatal for 9.5.0. */
-		return (true);
+		return (ISC_TRUE);
 
 	default:
 		if (!logged(namebuf, ERR_LOOKUP_FAILURE)) {
@@ -525,8 +540,11 @@ checksrv(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner) {
 				     namebuf, gai_strerror(result));
 			add(namebuf, ERR_LOOKUP_FAILURE);
 		}
-		return (true);
+		return (ISC_TRUE);
 	}
+#else
+	return (ISC_TRUE);
+#endif
 }
 
 isc_result_t
@@ -632,7 +650,7 @@ check_ttls(dns_zone_t *zone, dns_ttl_t maxttl) {
 	if (dbiter != NULL)
 		dns_dbiterator_destroy(&dbiter);
 	if (version != NULL)
-		dns_db_closeversion(db, &version, false);
+		dns_db_closeversion(db, &version, ISC_FALSE);
 	if (db != NULL)
 		dns_db_detach(&db);
 
@@ -679,7 +697,7 @@ load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
 	CHECK(dns_rdataclass_fromtext(&rdclass, &region));
 
 	dns_zone_setclass(zone, rdclass);
-	dns_zone_setoption(zone, zone_options, true);
+	dns_zone_setoption(zone, zone_options, ISC_TRUE);
 	dns_zone_setoption(zone, DNS_ZONEOPT_NOMERGE, nomerge);
 
 	dns_zone_setmaxttl(zone, maxttl);
@@ -691,7 +709,7 @@ load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
 	if (dochecksrv)
 		dns_zone_setchecksrv(zone, checksrv);
 
-	CHECK(dns_zone_load(zone, false));
+	CHECK(dns_zone_load(zone));
 
 	/*
 	 * When loading map files we can't catch oversize TTLs during
@@ -716,7 +734,7 @@ load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
 isc_result_t
 dump_zone(const char *zonename, dns_zone_t *zone, const char *filename,
 	  dns_masterformat_t fileformat, const dns_master_style_t *style,
-	  const uint32_t rawversion)
+	  const isc_uint32_t rawversion)
 {
 	isc_result_t result;
 	FILE *output = stdout;
@@ -771,3 +789,4 @@ DestroySockets(void) {
 	WSACleanup();
 }
 #endif
+

bin/check/check-tool.h

@@ -15,9 +15,6 @@
 
 /*! \file */
 
-#include <inttypes.h>
-#include <stdbool.h>
-
 #include <isc/lang.h>
 #include <isc/stdio.h>
 #include <isc/types.h>
@@ -39,7 +36,7 @@ load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
 isc_result_t
 dump_zone(const char *zonename, dns_zone_t *zone, const char *filename,
 	  dns_masterformat_t fileformat, const dns_master_style_t *style,
-	  const uint32_t rawversion);
+	  const isc_uint32_t rawversion);
 
 #ifdef _WIN32
 void InitSockets(void);
@@ -48,10 +45,10 @@ void DestroySockets(void);
 
 extern int debug;
 extern const char *journal;
-extern bool nomerge;
-extern bool docheckmx;
-extern bool docheckns;
-extern bool dochecksrv;
+extern isc_boolean_t nomerge;
+extern isc_boolean_t docheckmx;
+extern isc_boolean_t docheckns;
+extern isc_boolean_t dochecksrv;
 extern dns_zoneopt_t zone_options;
 
 ISC_LANG_ENDDECLS

bin/check/named-checkconf.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -39,7 +39,7 @@
 named-checkconf \- named configuration file syntax checking tool
 .SH "SYNOPSIS"
 .HP \w'\fBnamed\-checkconf\fR\ 'u
-\fBnamed\-checkconf\fR [\fB\-chjlvz\fR] [\fB\-p\fR\ [\fB\-x\fR\ ]] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] {filename}
+\fBnamed\-checkconf\fR [\fB\-hjlvz\fR] [\fB\-p\fR\ [\fB\-x\fR\ ]] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] {filename}
 .SH "DESCRIPTION"
 .PP
 \fBnamed\-checkconf\fR
@@ -79,13 +79,6 @@ When loading a zonefile read the journal if it exists\&.
 List all the configured zones\&. Each line of output contains the zone name, class (e\&.g\&. IN), view, and type (e\&.g\&. master or slave)\&.
 .RE
 .PP
-\-c
-.RS 4
-Check "core" configuration only\&. This suppresses the loading of plugin modules, and causes all parameters to
-\fBplugin\fR
-statements to be ignored\&.
-.RE
-.PP
 \-p
 .RS 4
 Print out the
@@ -143,5 +136,5 @@ BIND 9 Administrator Reference Manual\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/check/named-checkconf.c

@@ -15,7 +15,6 @@
 #include <config.h>
 
 #include <errno.h>
-#include <stdbool.h>
 #include <stdlib.h>
 #include <stdio.h>
 
@@ -46,8 +45,6 @@
 
 static const char *program = "named-checkconf";
 
-static bool loadplugins = true;
-
 isc_log_t *logc = NULL;
 
 #define CHECK(r)\
@@ -63,7 +60,7 @@ usage(void) ISC_PLATFORM_NORETURN_POST;
 
 static void
 usage(void) {
-	fprintf(stderr, "usage: %s [-chjlvz] [-p [-x]] [-t directory] "
+	fprintf(stderr, "usage: %s [-hjlvz] [-p [-x]] [-t directory] "
 		"[named.conf]\n", program);
 	exit(1);
 }
@@ -94,18 +91,18 @@ directory_callback(const char *clausename, const cfg_obj_t *obj, void *arg) {
 	return (ISC_R_SUCCESS);
 }
 
-static bool
+static isc_boolean_t
 get_maps(const cfg_obj_t **maps, const char *name, const cfg_obj_t **obj) {
 	int i;
 	for (i = 0;; i++) {
 		if (maps[i] == NULL)
-			return (false);
+			return (ISC_FALSE);
 		if (cfg_map_get(maps[i], name, obj) == ISC_R_SUCCESS)
-			return (true);
+			return (ISC_TRUE);
 	}
 }
 
-static bool
+static isc_boolean_t
 get_checknames(const cfg_obj_t **maps, const cfg_obj_t **obj) {
 	const cfg_listelt_t *element;
 	const cfg_obj_t *checknames;
@@ -116,14 +113,14 @@ get_checknames(const cfg_obj_t **maps, const cfg_obj_t **obj) {
 
 	for (i = 0;; i++) {
 		if (maps[i] == NULL)
-			return (false);
+			return (ISC_FALSE);
 		checknames = NULL;
 		result = cfg_map_get(maps[i], "check-names", &checknames);
 		if (result != ISC_R_SUCCESS)
 			continue;
 		if (checknames != NULL && !cfg_obj_islist(checknames)) {
 			*obj = checknames;
-			return (true);
+			return (ISC_TRUE);
 		}
 		for (element = cfg_list_first(checknames);
 		     element != NULL;
@@ -138,7 +135,7 @@ get_checknames(const cfg_obj_t **maps, const cfg_obj_t **obj) {
 				continue;
 			}
 			*obj = cfg_tuple_get(value, "mode");
-			return (true);
+			return (ISC_TRUE);
 		}
 	}
 }
@@ -171,7 +168,7 @@ configure_hint(const char *zfile, const char *zclass, isc_mem_t *mctx) {
 static isc_result_t
 configure_zone(const char *vclass, const char *view,
 	       const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
-	       const cfg_obj_t *config, isc_mem_t *mctx, bool list)
+	       const cfg_obj_t *config, isc_mem_t *mctx, isc_boolean_t list)
 {
 	int i = 0;
 	isc_result_t result;
@@ -284,10 +281,8 @@ configure_zone(const char *vclass, const char *view,
 		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
 			zone_options &= ~DNS_ZONEOPT_CHECKDUPRR;
 			zone_options &= ~DNS_ZONEOPT_CHECKDUPRRFAIL;
-		} else {
+		} else
 			INSIST(0);
-			ISC_UNREACHABLE();
-		}
 	} else {
 		zone_options |= DNS_ZONEOPT_CHECKDUPRR;
 		zone_options &= ~DNS_ZONEOPT_CHECKDUPRRFAIL;
@@ -304,10 +299,8 @@ configure_zone(const char *vclass, const char *view,
 		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
 			zone_options &= ~DNS_ZONEOPT_CHECKMX;
 			zone_options &= ~DNS_ZONEOPT_CHECKMXFAIL;
-		} else {
+		} else
 			INSIST(0);
-			ISC_UNREACHABLE();
-		}
 	} else {
 		zone_options |= DNS_ZONEOPT_CHECKMX;
 		zone_options &= ~DNS_ZONEOPT_CHECKMXFAIL;
@@ -333,10 +326,8 @@ configure_zone(const char *vclass, const char *view,
 		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
 			zone_options |= DNS_ZONEOPT_WARNMXCNAME;
 			zone_options |= DNS_ZONEOPT_IGNOREMXCNAME;
-		} else {
+		} else
 			INSIST(0);
-			ISC_UNREACHABLE();
-		}
 	} else {
 		zone_options |= DNS_ZONEOPT_WARNMXCNAME;
 		zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME;
@@ -353,10 +344,8 @@ configure_zone(const char *vclass, const char *view,
 		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
 			zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
 			zone_options |= DNS_ZONEOPT_IGNORESRVCNAME;
-		} else {
+		} else
 			INSIST(0);
-			ISC_UNREACHABLE();
-		}
 	} else {
 		zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
 		zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME;
@@ -376,10 +365,8 @@ configure_zone(const char *vclass, const char *view,
 			zone_options |= DNS_ZONEOPT_CHECKSPF;
 		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
 			zone_options &= ~DNS_ZONEOPT_CHECKSPF;
-		} else {
+		} else
 			INSIST(0);
-			ISC_UNREACHABLE();
-		}
 	} else {
 		zone_options |= DNS_ZONEOPT_CHECKSPF;
 	}
@@ -395,10 +382,8 @@ configure_zone(const char *vclass, const char *view,
 		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
 			zone_options &= ~DNS_ZONEOPT_CHECKNAMES;
 			zone_options &= ~DNS_ZONEOPT_CHECKNAMESFAIL;
-		} else {
+		} else
 			INSIST(0);
-			ISC_UNREACHABLE();
-		}
 	} else {
 	       zone_options |= DNS_ZONEOPT_CHECKNAMES;
 	       zone_options |= DNS_ZONEOPT_CHECKNAMESFAIL;
@@ -408,16 +393,14 @@ configure_zone(const char *vclass, const char *view,
 	fmtobj = NULL;
 	if (get_maps(maps, "masterfile-format", &fmtobj)) {
 		const char *masterformatstr = cfg_obj_asstring(fmtobj);
-		if (strcasecmp(masterformatstr, "text") == 0) {
+		if (strcasecmp(masterformatstr, "text") == 0)
 			masterformat = dns_masterformat_text;
-		} else if (strcasecmp(masterformatstr, "raw") == 0) {
+		else if (strcasecmp(masterformatstr, "raw") == 0)
 			masterformat = dns_masterformat_raw;
-		} else if (strcasecmp(masterformatstr, "map") == 0) {
+		else if (strcasecmp(masterformatstr, "map") == 0)
 			masterformat = dns_masterformat_map;
-		} else {
+		else
 			INSIST(0);
-			ISC_UNREACHABLE();
-		}
 	}
 
 	obj = NULL;
@@ -437,7 +420,7 @@ configure_zone(const char *vclass, const char *view,
 /*% configure a view */
 static isc_result_t
 configure_view(const char *vclass, const char *view, const cfg_obj_t *config,
-	       const cfg_obj_t *vconfig, isc_mem_t *mctx, bool list)
+	       const cfg_obj_t *vconfig, isc_mem_t *mctx, isc_boolean_t list)
 {
 	const cfg_listelt_t *element;
 	const cfg_obj_t *voptions;
@@ -486,7 +469,7 @@ config_getclass(const cfg_obj_t *classobj, dns_rdataclass_t defclass,
 /*% load zones from the configuration */
 static isc_result_t
 load_zones_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx,
-		      bool list_zones)
+		      isc_boolean_t list_zones)
 {
 	const cfg_listelt_t *element;
 	const cfg_obj_t *views;
@@ -554,17 +537,17 @@ main(int argc, char **argv) {
 	isc_mem_t *mctx = NULL;
 	isc_result_t result;
 	int exit_status = 0;
-	bool load_zones = false;
-	bool list_zones = false;
-	bool print = false;
+	isc_boolean_t load_zones = ISC_FALSE;
+	isc_boolean_t list_zones = ISC_FALSE;
+	isc_boolean_t print = ISC_FALSE;
 	unsigned int flags = 0;
 
-	isc_commandline_errprint = false;
+	isc_commandline_errprint = ISC_FALSE;
 
 	/*
 	 * Process memory debugging argument first.
 	 */
-#define CMDLINE_FLAGS "cdhjlm:t:pvxz"
+#define CMDLINE_FLAGS "dhjlm:t:pvxz"
 	while ((c = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
 		switch (c) {
 		case 'm':
@@ -583,26 +566,22 @@ main(int argc, char **argv) {
 			break;
 		}
 	}
-	isc_commandline_reset = true;
+	isc_commandline_reset = ISC_TRUE;
 
 	RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
 
 	while ((c = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != EOF) {
 		switch (c) {
-		case 'c':
-			loadplugins = false;
-			break;
-
 		case 'd':
 			debug++;
 			break;
 
 		case 'j':
-			nomerge = false;
+			nomerge = ISC_FALSE;
 			break;
 
 		case 'l':
-			list_zones = true;
+			list_zones = ISC_TRUE;
 			break;
 
 		case 'm':
@@ -618,7 +597,7 @@ main(int argc, char **argv) {
 			break;
 
 		case 'p':
-			print = true;
+			print = ISC_TRUE;
 			break;
 
 		case 'v':
@@ -630,10 +609,10 @@ main(int argc, char **argv) {
 			break;
 
 		case 'z':
-			load_zones = true;
-			docheckmx = false;
-			docheckns = false;
-			dochecksrv = false;
+			load_zones = ISC_TRUE;
+			docheckmx = ISC_FALSE;
+			docheckns = ISC_FALSE;
+			dochecksrv = ISC_FALSE;
 			break;
 
 		case '?':
@@ -683,10 +662,9 @@ main(int argc, char **argv) {
 	    ISC_R_SUCCESS)
 		exit(1);
 
-	result = bind9_check_namedconf(config, loadplugins, logc, mctx);
-	if (result != ISC_R_SUCCESS) {
+	result = bind9_check_namedconf(config, logc, mctx);
+	if (result != ISC_R_SUCCESS)
 		exit_status = 1;
-	}
 
 	if (result == ISC_R_SUCCESS && (load_zones || list_zones)) {
 		result = load_zones_fromconfig(config, mctx, list_zones);

bin/check/named-checkconf.docbook

@@ -40,7 +40,6 @@
       <year>2015</year>
       <year>2016</year>
       <year>2018</year>
-      <year>2019</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
@@ -53,7 +52,7 @@
   <refsynopsisdiv>
     <cmdsynopsis sepchar=" ">
       <command>named-checkconf</command>
-      <arg choice="opt" rep="norepeat"><option>-chjlvz</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-hjlvz</option></arg>
       <arg choice="opt" rep="norepeat"><option>-p</option>
 	<arg choice="opt" rep="norepeat"><option>-x</option>
       </arg></arg>
@@ -115,17 +114,6 @@
         </listitem>
       </varlistentry>
 
-      <varlistentry>
-        <term>-c</term>
-        <listitem>
-          <para>
-	    Check "core" configuration only. This suppresses the loading
-	    of plugin modules, and causes all parameters to
-	    <command>plugin</command> statements to be ignored.
-          </para>
-        </listitem>
-      </varlistentry>
-
       <varlistentry>
         <term>-p</term>
         <listitem>

bin/check/named-checkconf.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -33,7 +33,7 @@
 <h2>Synopsis</h2>
     <div class="cmdsynopsis"><p>
       <code class="command">named-checkconf</code> 
-       [<code class="option">-chjlvz</code>]
+       [<code class="option">-hjlvz</code>]
        [<code class="option">-p</code>
 	 [<code class="option">-x</code>
       ]]
@@ -88,14 +88,6 @@
             (e.g. master or slave).
           </p>
         </dd>
-<dt><span class="term">-c</span></dt>
-<dd>
-          <p>
-	    Check "core" configuration only. This suppresses the loading
-	    of plugin modules, and causes all parameters to
-	    <span class="command"><strong>plugin</strong></span> statements to be ignored.
-          </p>
-        </dd>
 <dt><span class="term">-p</span></dt>
 <dd>
           <p>

bin/check/named-checkzone.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2000-2002, 2004-2007, 2009-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2002, 2004-2007, 2009-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -325,5 +325,5 @@ BIND 9 Administrator Reference Manual\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2000-2002, 2004-2007, 2009-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000-2002, 2004-2007, 2009-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/check/named-checkzone.c

@@ -14,9 +14,7 @@
 
 #include <config.h>
 
-#include <stdbool.h>
 #include <stdlib.h>
-#include <inttypes.h>
 
 #include <isc/app.h>
 #include <isc/commandline.h>
@@ -108,10 +106,10 @@ main(int argc, char **argv) {
 	dns_masterformat_t inputformat = dns_masterformat_text;
 	dns_masterformat_t outputformat = dns_masterformat_text;
 	dns_masterrawheader_t header;
-	uint32_t rawversion = 1, serialnum = 0;
+	isc_uint32_t rawversion = 1, serialnum = 0;
 	dns_ttl_t maxttl = 0;
-	bool snset = false;
-	bool logdump = false;
+	isc_boolean_t snset = ISC_FALSE;
+	isc_boolean_t logdump = ISC_FALSE;
 	FILE *errout = stdout;
 	char *endp;
 
@@ -139,14 +137,12 @@ main(int argc, char **argv) {
 #define PROGCMP(X) \
 	(strcasecmp(prog_name, X) == 0 || strcasecmp(prog_name, X ".exe") == 0)
 
-	if (PROGCMP("named-checkzone")) {
+	if (PROGCMP("named-checkzone"))
 		progmode = progmode_check;
-	} else if (PROGCMP("named-compilezone")) {
+	else if (PROGCMP("named-compilezone"))
 		progmode = progmode_compile;
-	} else {
+	else
 		INSIST(0);
-		ISC_UNREACHABLE();
-	}
 
 	/* Compilation specific defaults */
 	if (progmode == progmode_compile) {
@@ -163,7 +159,7 @@ main(int argc, char **argv) {
 
 #define ARGCMP(X) (strcmp(isc_commandline_argument, X) == 0)
 
-	isc_commandline_errprint = false;
+	isc_commandline_errprint = ISC_FALSE;
 
 	while ((c = isc_commandline_parse(argc, argv,
 			       "c:df:hi:jJ:k:L:l:m:n:qr:s:t:o:vw:DF:M:S:T:W:"))
@@ -181,33 +177,33 @@ main(int argc, char **argv) {
 			if (ARGCMP("full")) {
 				zone_options |= DNS_ZONEOPT_CHECKINTEGRITY |
 						DNS_ZONEOPT_CHECKSIBLING;
-				docheckmx = true;
-				docheckns = true;
-				dochecksrv = true;
+				docheckmx = ISC_TRUE;
+				docheckns = ISC_TRUE;
+				dochecksrv = ISC_TRUE;
 			} else if (ARGCMP("full-sibling")) {
 				zone_options |= DNS_ZONEOPT_CHECKINTEGRITY;
 				zone_options &= ~DNS_ZONEOPT_CHECKSIBLING;
-				docheckmx = true;
-				docheckns = true;
-				dochecksrv = true;
+				docheckmx = ISC_TRUE;
+				docheckns = ISC_TRUE;
+				dochecksrv = ISC_TRUE;
 			} else if (ARGCMP("local")) {
 				zone_options |= DNS_ZONEOPT_CHECKINTEGRITY;
 				zone_options |= DNS_ZONEOPT_CHECKSIBLING;
-				docheckmx = false;
-				docheckns = false;
-				dochecksrv = false;
+				docheckmx = ISC_FALSE;
+				docheckns = ISC_FALSE;
+				dochecksrv = ISC_FALSE;
 			} else if (ARGCMP("local-sibling")) {
 				zone_options |= DNS_ZONEOPT_CHECKINTEGRITY;
 				zone_options &= ~DNS_ZONEOPT_CHECKSIBLING;
-				docheckmx = false;
-				docheckns = false;
-				dochecksrv = false;
+				docheckmx = ISC_FALSE;
+				docheckns = ISC_FALSE;
+				dochecksrv = ISC_FALSE;
 			} else if (ARGCMP("none")) {
 				zone_options &= ~DNS_ZONEOPT_CHECKINTEGRITY;
 				zone_options &= ~DNS_ZONEOPT_CHECKSIBLING;
-				docheckmx = false;
-				docheckns = false;
-				dochecksrv = false;
+				docheckmx = ISC_FALSE;
+				docheckns = ISC_FALSE;
+				dochecksrv = ISC_FALSE;
 			} else {
 				fprintf(stderr, "invalid argument to -i: %s\n",
 					isc_commandline_argument);
@@ -224,12 +220,12 @@ main(int argc, char **argv) {
 			break;
 
 		case 'j':
-			nomerge = false;
+			nomerge = ISC_FALSE;
 			break;
 
 		case 'J':
 			journal = isc_commandline_argument;
-			nomerge = false;
+			nomerge = ISC_FALSE;
 			break;
 
 		case 'k':
@@ -250,7 +246,7 @@ main(int argc, char **argv) {
 			break;
 
 		case 'L':
-			snset = true;
+			snset = ISC_TRUE;
 			endp = NULL;
 			serialnum = strtol(isc_commandline_argument, &endp, 0);
 			if (*endp != '\0') {
@@ -509,7 +505,7 @@ main(int argc, char **argv) {
 	     strcmp(output_filename, "/dev/fd/1") == 0 ||
 	     strcmp(output_filename, "/dev/stdout") == 0)) {
 		errout = stderr;
-		logdump = false;
+		logdump = ISC_FALSE;
 	}
 
 	if (isc_commandline_index + 2 != argc)

bin/check/named-checkzone.docbook

@@ -43,7 +43,6 @@
       <year>2015</year>
       <year>2016</year>
       <year>2018</year>
-      <year>2019</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>

bin/check/named-checkzone.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2002, 2004-2007, 2009-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2002, 2004-2007, 2009-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this

bin/check/win32/checkconf.vcxproj.in

@@ -55,7 +55,7 @@
       </PrecompiledHeader>
       <WarningLevel>Level3</WarningLevel>
       <Optimization>Disabled</Optimization>
-      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>WIN32;@CRYPTO@_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
       <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
@@ -70,7 +70,7 @@
       <GenerateDebugInformation>true</GenerateDebugInformation>
       <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
       <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\isccc\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);..\..\..\lib\ns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
-      <AdditionalDependencies>@OPENSSL_LIB@checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;libbind9.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;libbind9.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
     </Link>
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
@@ -81,7 +81,7 @@
       <Optimization>MaxSpeed</Optimization>
       <FunctionLevelLinking>true</FunctionLevelLinking>
       <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
-      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>WIN32;@CRYPTO@NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
       <WholeProgramOptimization>false</WholeProgramOptimization>
       <StringPooling>true</StringPooling>
@@ -99,7 +99,7 @@
       <OptimizeReferences>true</OptimizeReferences>
       <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
       <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\isccc\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);..\..\..\lib\ns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
-      <AdditionalDependencies>@OPENSSL_LIB@checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;libbind9.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;libbind9.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
       <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
     </Link>
   </ItemDefinitionGroup>

bin/check/win32/checktool.vcxproj.in

@@ -58,7 +58,7 @@
       </PrecompiledHeader>
       <WarningLevel>Level3</WarningLevel>
       <Optimization>Disabled</Optimization>
-      <PreprocessorDefinitions>WIN32;_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>WIN32;@CRYPTO@_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
       <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
@@ -80,7 +80,7 @@
       <Optimization>MaxSpeed</Optimization>
       <FunctionLevelLinking>true</FunctionLevelLinking>
       <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
-      <PreprocessorDefinitions>WIN32;NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>WIN32;@CRYPTO@NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
       <WholeProgramOptimization>false</WholeProgramOptimization>
       <StringPooling>true</StringPooling>

bin/check/win32/checkzone.vcxproj.in

@@ -55,7 +55,7 @@
       </PrecompiledHeader>
       <WarningLevel>Level3</WarningLevel>
       <Optimization>Disabled</Optimization>
-      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>WIN32;@CRYPTO@_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
       <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
@@ -70,7 +70,7 @@
       <GenerateDebugInformation>true</GenerateDebugInformation>
       <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
       <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);..\..\..\lib\ns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
-      <AdditionalDependencies>@OPENSSL_LIB@checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libbind9.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libbind9.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
     </Link>
     <PostBuildEvent>
       <Command>cd ..\..\..\Build\$(Configuration)
@@ -87,7 +87,7 @@ copy /Y named-checkzone.ilk named-compilezone.ilk
       <Optimization>MaxSpeed</Optimization>
       <FunctionLevelLinking>true</FunctionLevelLinking>
       <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
-      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>WIN32;@CRYPTO@NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
       <WholeProgramOptimization>false</WholeProgramOptimization>
       <StringPooling>true</StringPooling>
@@ -105,7 +105,7 @@ copy /Y named-checkzone.ilk named-compilezone.ilk
       <OptimizeReferences>true</OptimizeReferences>
       <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
       <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);..\..\..\lib\ns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
-      <AdditionalDependencies>@OPENSSL_LIB@checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libbind9.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libbind9.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
       <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
     </Link>
     <PostBuildEvent>

bin/confgen/Makefile.in

@@ -27,9 +27,9 @@ CWARNINGS =
 
 ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
 ISCCCLIBS =	../../lib/isccc/libisccc.@A@
-ISCLIBS =	../../lib/isc/libisc.@A@ @OPENSSL_LIBS@
-ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LIBS@
-DNSLIBS =	../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
+ISCLIBS =	../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @ISC_OPENSSL_LIBS@
+DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
 BIND9LIBS =	../../lib/bind9/libbind9.@A@
 
 ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@

bin/confgen/ddns-confgen.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -144,5 +144,5 @@ BIND 9 Administrator Reference Manual\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/confgen/ddns-confgen.c

@@ -19,15 +19,15 @@
 
 #include <config.h>
 
-#include <stdarg.h>
-#include <stdbool.h>
 #include <stdlib.h>
+#include <stdarg.h>
 
 #include <isc/assertions.h>
 #include <isc/base64.h>
 #include <isc/buffer.h>
 #include <isc/commandline.h>
 #include <isc/file.h>
+#include <isc/keyboard.h>
 #include <isc/mem.h>
 #include <isc/net.h>
 #include <isc/print.h>
@@ -36,7 +36,7 @@
 #include <isc/time.h>
 #include <isc/util.h>
 
-#if USE_PKCS11
+#if HAVE_PKCS11
 #include <pk11/result.h>
 #endif
 
@@ -56,7 +56,7 @@
 static char program[256];
 const char *progname;
 static enum { progmode_keygen, progmode_confgen} progmode;
-bool verbose = false; /* needed by util.c but not used here */
+isc_boolean_t verbose = ISC_FALSE; /* needed by util.c but not used here */
 
 ISC_PLATFORM_NORETURN_PRE static void
 usage(int status) ISC_PLATFORM_NORETURN_POST;
@@ -87,8 +87,8 @@ Usage:\n\
 int
 main(int argc, char **argv) {
 	isc_result_t result = ISC_R_SUCCESS;
-	bool show_final_mem = false;
-	bool quiet = false;
+	isc_boolean_t show_final_mem = ISC_FALSE;
+	isc_boolean_t quiet = ISC_FALSE;
 	isc_buffer_t key_txtbuffer;
 	char key_txtsecret[256];
 	isc_mem_t *mctx = NULL;
@@ -102,7 +102,7 @@ main(int argc, char **argv) {
 	int len = 0;
 	int ch;
 
-#if USE_PKCS11
+#if HAVE_PKCS11
 	pk11_result_register();
 #endif
 	dns_result_register();
@@ -124,15 +124,13 @@ main(int argc, char **argv) {
 
 	if (PROGCMP("tsig-keygen")) {
 		progmode = progmode_keygen;
-		quiet = true;
-	} else if (PROGCMP("ddns-confgen")) {
+		quiet = ISC_TRUE;
+	} else if (PROGCMP("ddns-confgen"))
 		progmode = progmode_confgen;
-	} else {
+	else
 		INSIST(0);
-		ISC_UNREACHABLE();
-	}
 
-	isc_commandline_errprint = false;
+	isc_commandline_errprint = ISC_FALSE;
 
 	while ((ch = isc_commandline_parse(argc, argv,
 					   "a:hk:Mmr:qs:y:z:")) != -1) {
@@ -157,11 +155,11 @@ main(int argc, char **argv) {
 			isc_mem_debugging = ISC_MEM_DEBUGTRACE;
 			break;
 		case 'm':
-			show_final_mem = true;
+			show_final_mem = ISC_TRUE;
 			break;
 		case 'q':
 			if (progmode == progmode_confgen)
-				quiet = true;
+				quiet = ISC_TRUE;
 			else
 				usage(1);
 			break;

bin/confgen/ddns-confgen.docbook

@@ -37,7 +37,6 @@
       <year>2015</year>
       <year>2016</year>
       <year>2018</year>
-      <year>2019</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>

bin/confgen/ddns-confgen.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this

bin/confgen/keygen.c

@@ -20,6 +20,7 @@
 #include <isc/base64.h>
 #include <isc/buffer.h>
 #include <isc/file.h>
+#include <isc/keyboard.h>
 #include <isc/mem.h>
 #include <isc/print.h>
 #include <isc/result.h>
@@ -42,8 +43,10 @@
 const char *
 alg_totext(dns_secalg_t alg) {
 	switch (alg) {
+#ifndef PK11_MD5_DISABLE
 	    case DST_ALG_HMACMD5:
 		return "hmac-md5";
+#endif
 	    case DST_ALG_HMACSHA1:
 		return "hmac-sha1";
 	    case DST_ALG_HMACSHA224:
@@ -68,8 +71,10 @@ alg_fromtext(const char *name) {
 	if (strncasecmp(p, "hmac-", 5) == 0)
 		p = &name[5];
 
+#ifndef PK11_MD5_DISABLE
 	if (strcasecmp(p, "md5") == 0)
 		return DST_ALG_HMACMD5;
+#endif
 	if (strcasecmp(p, "sha1") == 0)
 		return DST_ALG_HMACSHA1;
 	if (strcasecmp(p, "sha224") == 0)
@@ -119,7 +124,9 @@ generate_key(isc_mem_t *mctx, dns_secalg_t alg, int keysize,
 	dst_key_t *key = NULL;
 
 	switch (alg) {
+#ifndef PK11_MD5_DISABLE
 	    case DST_ALG_HMACMD5:
+#endif
 	    case DST_ALG_HMACSHA1:
 	    case DST_ALG_HMACSHA224:
 	    case DST_ALG_HMACSHA256:
@@ -191,3 +198,4 @@ write_key_file(const char *keyfile, const char *user,
 		fatal("fclose(%s) failed\n", keyfile);
 	fprintf(stderr, "wrote key file \"%s\"\n", keyfile);
 }
+

bin/confgen/rndc-confgen.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -206,5 +206,5 @@ BIND 9 Administrator Reference Manual\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2001, 2003-2005, 2007, 2009, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2001, 2003-2005, 2007, 2009, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/confgen/rndc-confgen.c

@@ -22,15 +22,15 @@
 
 #include <config.h>
 
-#include <stdarg.h>
-#include <stdbool.h>
 #include <stdlib.h>
+#include <stdarg.h>
 
 #include <isc/assertions.h>
 #include <isc/base64.h>
 #include <isc/buffer.h>
 #include <isc/commandline.h>
 #include <isc/file.h>
+#include <isc/keyboard.h>
 #include <isc/mem.h>
 #include <isc/net.h>
 #include <isc/print.h>
@@ -57,7 +57,7 @@
 static char program[256];
 const char *progname;
 
-bool verbose = false;
+isc_boolean_t verbose = ISC_FALSE;
 
 const char *keyfile, *keydef;
 
@@ -87,7 +87,7 @@ Usage:\n\
 
 int
 main(int argc, char **argv) {
-	bool show_final_mem = false;
+	isc_boolean_t show_final_mem = ISC_FALSE;
 	isc_buffer_t key_txtbuffer;
 	char key_txtsecret[256];
 	isc_mem_t *mctx = NULL;
@@ -104,7 +104,7 @@ main(int argc, char **argv) {
 	struct in6_addr addr6_dummy;
 	char *chrootdir = NULL;
 	char *user = NULL;
-	bool keyonly = false;
+	isc_boolean_t keyonly = ISC_FALSE;
 	int len;
 
 	keydef = keyfile = RNDC_KEYFILE;
@@ -119,14 +119,14 @@ main(int argc, char **argv) {
 	serveraddr = DEFAULT_SERVER;
 	port = DEFAULT_PORT;
 
-	isc_commandline_errprint = false;
+	isc_commandline_errprint = ISC_FALSE;
 
 	while ((ch = isc_commandline_parse(argc, argv,
 					   "aA:b:c:hk:Mmp:r:s:t:u:Vy")) != -1)
 	{
 		switch (ch) {
 		case 'a':
-			keyonly = true;
+			keyonly = ISC_TRUE;
 			break;
 		case 'A':
 			algname = isc_commandline_argument;
@@ -153,7 +153,7 @@ main(int argc, char **argv) {
 			break;
 
 		case 'm':
-			show_final_mem = true;
+			show_final_mem = ISC_TRUE;
 			break;
 		case 'p':
 			port = strtol(isc_commandline_argument, &p, 10);
@@ -177,7 +177,7 @@ main(int argc, char **argv) {
 			user = isc_commandline_argument;
 			break;
 		case 'V':
-			verbose = true;
+			verbose = ISC_TRUE;
 			break;
 		case '?':
 			if (isc_commandline_option != '?') {

bin/confgen/rndc-confgen.docbook

@@ -44,7 +44,6 @@
       <year>2016</year>
       <year>2017</year>
       <year>2018</year>
-      <year>2019</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>

bin/confgen/rndc-confgen.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this

bin/confgen/util.c

@@ -15,15 +15,15 @@
 #include <config.h>
 
 #include <stdarg.h>
-#include <stdbool.h>
 #include <stdlib.h>
 #include <stdio.h>
 
+#include <isc/boolean.h>
 #include <isc/print.h>
 
 #include "util.h"
 
-extern bool verbose;
+extern isc_boolean_t verbose;
 extern const char *progname;
 
 void

bin/confgen/win32/ddnsconfgen.vcxproj.in

@@ -70,7 +70,7 @@
       <GenerateDebugInformation>true</GenerateDebugInformation>
       <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
       <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\isccc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
-      <AdditionalDependencies>@OPENSSL_LIB@confgentool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>confgentool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
     </Link>
     <PostBuildEvent>
       <Command>cd ..\..\..\Build\$(Configuration)
@@ -106,7 +106,7 @@ copy /Y ddns-confgen.ilk tsig-keygen.ilk
       <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
       <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
       <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\isccc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
-      <AdditionalDependencies>@OPENSSL_LIB@confgentool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>confgentool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
     </Link>
     <PostBuildEvent>
       <Command>cd ..\..\..\Build\$(Configuration)

bin/confgen/win32/rndcconfgen.vcxproj.in

@@ -70,7 +70,7 @@
       <GenerateDebugInformation>true</GenerateDebugInformation>
       <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
       <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\isccc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
-      <AdditionalDependencies>@OPENSSL_LIB@confgentool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>confgentool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
     </Link>
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
@@ -100,7 +100,7 @@
       <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
       <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
       <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\isccc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
-      <AdditionalDependencies>@OPENSSL_LIB@confgentool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>confgentool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
     </Link>
   </ItemDefinitionGroup>
   <ItemGroup>

bin/delv/Makefile.in

@@ -16,16 +16,16 @@ VERSION=@BIND9_VERSION@
 @BIND9_MAKE_INCLUDES@
 
 CINCLUDES =	-I${srcdir}/include ${DNS_INCLUDES} ${ISC_INCLUDES} \
-		${IRS_INCLUDES} ${ISCCFG_INCLUDES} @OPENSSL_INCLUDES@
+		${IRS_INCLUDES} ${ISCCFG_INCLUDES} @DST_OPENSSL_INC@
 
 CDEFINES =	-DVERSION=\"${VERSION}\" \
 		-DSYSCONFDIR=\"${sysconfdir}\"
 CWARNINGS =
 
 ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
-DNSLIBS =	../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
-ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LIBS@
-ISCLIBS =	../../lib/isc/libisc.@A@ @OPENSSL_LIBS@
+DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @ISC_OPENSSL_LIBS@
+ISCLIBS =	../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
 IRSLIBS =	../../lib/irs/libirs.@A@
 
 ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@

bin/delv/delv.1

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2014-2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2014-2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -437,5 +437,5 @@ RFC5155\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2014-2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2014-2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/delv/delv.c

@@ -24,9 +24,7 @@
 #include <netdb.h>
 #endif
 
-#include <stdbool.h>
 #include <stdio.h>
-#include <inttypes.h>
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
@@ -96,40 +94,40 @@ static const char *port = "53";
 static isc_sockaddr_t *srcaddr4 = NULL, *srcaddr6 = NULL;
 static isc_sockaddr_t a4, a6;
 static char *curqname = NULL, *qname = NULL;
-static bool classset = false;
+static isc_boolean_t classset = ISC_FALSE;
 static dns_rdatatype_t qtype = dns_rdatatype_none;
-static bool typeset = false;
+static isc_boolean_t typeset = ISC_FALSE;
 
 static unsigned int styleflags = 0;
-static uint32_t splitwidth = 0xffffffff;
-static bool
-	showcomments = true,
-	showdnssec = true,
-	showtrust = true,
-	rrcomments = true,
-	noclass = false,
-	nocrypto = false,
-	nottl = false,
-	multiline = false,
-	short_form = false,
-	print_unknown_format = false;
+static isc_uint32_t splitwidth = 0xffffffff;
+static isc_boolean_t
+	showcomments = ISC_TRUE,
+	showdnssec = ISC_TRUE,
+	showtrust = ISC_TRUE,
+	rrcomments = ISC_TRUE,
+	noclass = ISC_FALSE,
+	nocrypto = ISC_FALSE,
+	nottl = ISC_FALSE,
+	multiline = ISC_FALSE,
+	short_form = ISC_FALSE,
+	print_unknown_format = ISC_FALSE;
 
-static bool
-	resolve_trace = false,
-	validator_trace = false,
-	message_trace = false;
+static isc_boolean_t
+	resolve_trace = ISC_FALSE,
+	validator_trace = ISC_FALSE,
+	message_trace = ISC_FALSE;
 
-static bool
-	use_ipv4 = true,
-	use_ipv6 = true;
+static isc_boolean_t
+	use_ipv4 = ISC_TRUE,
+	use_ipv6 = ISC_TRUE;
 
-static bool
-	cdflag = false,
-	no_sigs = false,
-	root_validation = true,
-	dlv_validation = true;
+static isc_boolean_t
+	cdflag = ISC_FALSE,
+	no_sigs = ISC_FALSE,
+	root_validation = ISC_TRUE,
+	dlv_validation = ISC_TRUE;
 
-static bool use_tcp = false;
+static isc_boolean_t use_tcp = ISC_FALSE;
 
 static char *anchorfile = NULL;
 static char *trust_anchor = NULL;
@@ -146,10 +144,10 @@ static char anchortext[] = MANAGED_KEYS;
  * Static function prototypes
  */
 static isc_result_t
-get_reverse(char *reverse, size_t len, char *value, bool strict);
+get_reverse(char *reverse, size_t len, char *value, isc_boolean_t strict);
 
 static isc_result_t
-parse_uint(uint32_t *uip, const char *value, uint32_t max,
+parse_uint(isc_uint32_t *uip, const char *value, isc_uint32_t max,
 	   const char *desc);
 
 static void
@@ -410,7 +408,7 @@ printdata(dns_rdataset_t *rdataset, dns_name_t *owner,
 {
 	isc_result_t result = ISC_R_SUCCESS;
 	static dns_trust_t trust;
-	static bool first = true;
+	static isc_boolean_t first = ISC_TRUE;
 	isc_buffer_t target;
 	isc_region_t r;
 	char *t = NULL;
@@ -432,7 +430,7 @@ printdata(dns_rdataset_t *rdataset, dns_name_t *owner,
 			putchar('\n');
 		print_status(rdataset);
 		trust = rdataset->trust;
-		first = false;
+		first = ISC_FALSE;
 	}
 
 	do {
@@ -568,7 +566,7 @@ convert_name(dns_fixedname_t *fn, dns_name_t **name, const char *text) {
 static isc_result_t
 key_fromconfig(const cfg_obj_t *key, dns_client_t *client) {
 	dns_rdata_dnskey_t keystruct;
-	uint32_t flags, proto, alg;
+	isc_uint32_t flags, proto, alg;
 	const char *keystr, *keynamestr;
 	unsigned char keydata[4096];
 	isc_buffer_t keydatabuf;
@@ -578,7 +576,7 @@ key_fromconfig(const cfg_obj_t *key, dns_client_t *client) {
 	dns_fixedname_t fkeyname;
 	dns_name_t *keyname;
 	isc_result_t result;
-	bool match_root = false, match_dlv = false;
+	isc_boolean_t match_root = ISC_FALSE, match_dlv = ISC_FALSE;
 
 	keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
 	CHECK(convert_name(&fkeyname, &keyname, keynamestr));
@@ -623,9 +621,9 @@ key_fromconfig(const cfg_obj_t *key, dns_client_t *client) {
 	if (alg > 0xff)
 		CHECK(ISC_R_RANGE);
 
-	keystruct.flags = (uint16_t)flags;
-	keystruct.protocol = (uint8_t)proto;
-	keystruct.algorithm = (uint8_t)alg;
+	keystruct.flags = (isc_uint16_t)flags;
+	keystruct.protocol = (isc_uint8_t)proto;
+	keystruct.algorithm = (isc_uint8_t)alg;
 
 	isc_buffer_init(&keydatabuf, keydata, sizeof(keydata));
 	isc_buffer_init(&rrdatabuf, rrdata, sizeof(rrdata));
@@ -743,8 +741,8 @@ setup_dnsseckeys(dns_client_t *client) {
 
 		isc_buffer_init(&b, anchortext, sizeof(anchortext) - 1);
 		isc_buffer_add(&b, sizeof(anchortext) - 1);
-		result = cfg_parse_buffer(parser, &b, NULL, 0,
-					  &cfg_type_bindkeys, 0, &bindkeys);
+		result = cfg_parse_buffer(parser, &b, &cfg_type_bindkeys,
+					  &bindkeys);
 		if (result != ISC_R_SUCCESS)
 			fatal("Unable to parse built-in keys");
 	}
@@ -765,14 +763,7 @@ setup_dnsseckeys(dns_client_t *client) {
 	if (dlv_validation)
 		dns_client_setdlv(client, dns_rdataclass_in, dlv_anchor);
 
-
  cleanup:
-	if (bindkeys != NULL) {
-		cfg_obj_destroy(parser, &bindkeys);
-	}
-	if (parser != NULL) {
-		cfg_parser_destroy(&parser);
-	}
 	if (result != ISC_R_SUCCESS)
 		delv_log(ISC_LOG_ERROR, "setup_dnsseckeys: %s",
 			  isc_result_totext(result));
@@ -787,7 +778,7 @@ addserver(dns_client_t *client) {
 	struct in6_addr in6;
 	isc_sockaddr_t *sa;
 	isc_sockaddrlist_t servers;
-	uint32_t destport;
+	isc_uint32_t destport;
 	isc_result_t result;
 	dns_name_t *name = NULL;
 
@@ -878,7 +869,7 @@ findserver(dns_client_t *client) {
 	irs_resconf_t *resconf = NULL;
 	isc_sockaddrlist_t *nameservers;
 	isc_sockaddr_t *sa, *next;
-	uint32_t destport;
+	isc_uint32_t destport;
 
 	result = parse_uint(&destport, port, 0xffff, "port");
 	if (result != ISC_R_SUCCESS)
@@ -953,9 +944,9 @@ cleanup:
 }
 
 static isc_result_t
-parse_uint(uint32_t *uip, const char *value, uint32_t max,
+parse_uint(isc_uint32_t *uip, const char *value, isc_uint32_t max,
 	   const char *desc) {
-	uint32_t n;
+	isc_uint32_t n;
 	isc_result_t result = isc_parse_uint32(&n, value, 10);
 	if (result == ISC_R_SUCCESS && n > max)
 		result = ISC_R_RANGE;
@@ -972,7 +963,7 @@ static void
 plus_option(char *option) {
 	isc_result_t result;
 	char *cmd, *value, *last = NULL;
-	bool state = true;
+	isc_boolean_t state = ISC_TRUE;
 
 	INSIST(option != NULL);
 
@@ -983,7 +974,7 @@ plus_option(char *option) {
 	}
 	if (strncasecmp(cmd, "no", 2)==0) {
 		cmd += 2;
-		state = false;
+		state = ISC_FALSE;
 	}
 
 	value = strtok_r(NULL, "\0", &last);
@@ -1010,7 +1001,7 @@ plus_option(char *option) {
 			break;
 		case 'l': /* class */
 			FULLCHECK("class");
-			noclass = !state;
+			noclass = ISC_TF(!state);
 			break;
 		case 'o': /* comments */
 			FULLCHECK("comments");
@@ -1018,7 +1009,7 @@ plus_option(char *option) {
 			break;
 		case 'r': /* crypto */
 			FULLCHECK("crypto");
-			nocrypto = !state;
+			nocrypto = ISC_TF(!state);
 			break;
 		default:
 			goto invalid_option;
@@ -1091,10 +1082,10 @@ plus_option(char *option) {
 			FULLCHECK("short");
 			short_form = state;
 			if (short_form) {
-				multiline = false;
-				showcomments = false;
-				showtrust = false;
-				showdnssec = false;
+				multiline = ISC_FALSE;
+				showcomments = ISC_FALSE;
+				showtrust = ISC_FALSE;
+				showdnssec = ISC_FALSE;
 			}
 			break;
 		case 'p': /* split */
@@ -1146,7 +1137,7 @@ plus_option(char *option) {
 			break;
 		case 't': /* ttl */
 			FULLCHECK("ttl");
-			nottl = !state;
+			nottl = ISC_TF(!state);
 			break;
 		default:
 			goto invalid_option;
@@ -1174,13 +1165,11 @@ plus_option(char *option) {
  * options: "46a:b:c:d:himp:q:t:vx:";
  */
 static const char *single_dash_opts = "46himv";
-static const char *dash_opts = "46abcdhimpqtvx";
-
-static bool
-dash_option(char *option, char *next, bool *open_type_class) {
+static isc_boolean_t
+dash_option(char *option, char *next, isc_boolean_t *open_type_class) {
 	char opt, *value;
 	isc_result_t result;
-	bool value_from_next;
+	isc_boolean_t value_from_next;
 	isc_textregion_t tr;
 	dns_rdatatype_t rdtype;
 	dns_rdataclass_t rdclass;
@@ -1188,7 +1177,7 @@ dash_option(char *option, char *next, bool *open_type_class) {
 	struct in_addr in4;
 	struct in6_addr in6;
 	in_port_t srcport;
-	uint32_t num;
+	isc_uint32_t num;
 	char *hash;
 
 	while (strpbrk(option, single_dash_opts) == &option[0]) {
@@ -1204,7 +1193,7 @@ dash_option(char *option, char *next, bool *open_type_class) {
 				fatal("IPv4 networking not available");
 			if (use_ipv6) {
 				isc_net_disableipv6();
-				use_ipv6 = false;
+				use_ipv6 = ISC_FALSE;
 			}
 			break;
 		case '6':
@@ -1212,7 +1201,7 @@ dash_option(char *option, char *next, bool *open_type_class) {
 				fatal("IPv6 networking not available");
 			if (use_ipv4) {
 				isc_net_disableipv4();
-				use_ipv4 = false;
+				use_ipv4 = ISC_FALSE;
 			}
 			break;
 		case 'h':
@@ -1220,9 +1209,9 @@ dash_option(char *option, char *next, bool *open_type_class) {
 			exit(0);
 			/* NOTREACHED */
 		case 'i':
-			no_sigs = true;
-			dlv_validation = false;
-			root_validation = false;
+			no_sigs = ISC_TRUE;
+			dlv_validation = ISC_FALSE;
+			root_validation = ISC_FALSE;
 			break;
 		case 'm':
 			/* handled in preparse_args() */
@@ -1233,19 +1222,18 @@ dash_option(char *option, char *next, bool *open_type_class) {
 			/* NOTREACHED */
 		default:
 			INSIST(0);
-			ISC_UNREACHABLE();
 		}
 		if (strlen(option) > 1U)
 			option = &option[1];
 		else
-			return (false);
+			return (ISC_FALSE);
 	}
 	opt = option[0];
 	if (strlen(option) > 1U) {
-		value_from_next = false;
+		value_from_next = ISC_FALSE;
 		value = &option[1];
 	} else {
-		value_from_next = true;
+		value_from_next = ISC_TRUE;
 		value = next;
 	}
 	if (value == NULL)
@@ -1291,13 +1279,13 @@ dash_option(char *option, char *next, bool *open_type_class) {
 		if (classset)
 			warn("extra query class");
 
-		*open_type_class = false;
+		*open_type_class = ISC_FALSE;
 		tr.base = value;
 		tr.length = strlen(value);
 		result = dns_rdataclass_fromtext(&rdclass,
 						 (isc_textregion_t *)&tr);
 		if (result == ISC_R_SUCCESS)
-			classset = true;
+			classset = ISC_TRUE;
 		else if (rdclass != dns_rdataclass_in)
 			warn("ignoring non-IN query class");
 		else
@@ -1322,7 +1310,7 @@ dash_option(char *option, char *next, bool *open_type_class) {
 			fatal("out of memory");
 		return (value_from_next);
 	case 't':
-		*open_type_class = false;
+		*open_type_class = ISC_FALSE;
 		tr.base = value;
 		tr.length = strlen(value);
 		result = dns_rdatatype_fromtext(&rdtype,
@@ -1334,13 +1322,13 @@ dash_option(char *option, char *next, bool *open_type_class) {
 			    rdtype == dns_rdatatype_axfr)
 				fatal("Transfer not supported");
 			qtype = rdtype;
-			typeset = true;
+			typeset = ISC_TRUE;
 		} else
 			warn("ignoring invalid type");
 		return (value_from_next);
 	case 'x':
 		result = get_reverse(textname, sizeof(textname), value,
-				     false);
+				     ISC_FALSE);
 		if (result == ISC_R_SUCCESS) {
 			if (curqname != NULL) {
 				isc_mem_free(mctx, curqname);
@@ -1352,7 +1340,7 @@ dash_option(char *option, char *next, bool *open_type_class) {
 			if (typeset)
 				warn("extra query type");
 			qtype = dns_rdatatype_ptr;
-			typeset = true;
+			typeset = ISC_TRUE;
 		} else {
 			fprintf(stderr, "Invalid IP address %s\n", value);
 			exit(1);
@@ -1364,7 +1352,7 @@ dash_option(char *option, char *next, bool *open_type_class) {
 		usage();
 	}
 	/* NOTREACHED */
-	return (false);
+	return (ISC_FALSE);
 }
 
 /*
@@ -1373,14 +1361,12 @@ dash_option(char *option, char *next, bool *open_type_class) {
  */
 static void
 preparse_args(int argc, char **argv) {
-	bool ipv4only = false, ipv6only = false;
+	isc_boolean_t ipv4only = ISC_FALSE, ipv6only = ISC_FALSE;
 	char *option;
 
 	for (argc--, argv++; argc > 0; argc--, argv++) {
-		if (argv[0][0] != '-') {
+		if (argv[0][0] != '-')
 			continue;
-		}
-
 		option = &argv[0][1];
 		while (strpbrk(option, single_dash_opts) == &option[0]) {
 			switch (option[0]) {
@@ -1392,38 +1378,17 @@ preparse_args(int argc, char **argv) {
 				if (ipv6only) {
 					fatal("only one of -4 and -6 allowed");
 				}
-				ipv4only = true;
+				ipv4only = ISC_TRUE;
 				break;
 			case '6':
 				if (ipv4only) {
 					fatal("only one of -4 and -6 allowed");
 				}
-				ipv6only = true;
+				ipv6only = ISC_TRUE;
 				break;
 			}
 			option = &option[1];
 		}
-
-		if (strlen(option) == 0U) {
-			continue;
-		}
-
-		/* Look for dash value option. */
-		if (strpbrk(option, dash_opts) != &option[0] ||
-		    strlen(option) > 1U)
-		{
-			/* Error or value in option. */
-			continue;
-		}
-
-		/* Dash value is next argument so we need to skip it. */
-		argc--;
-		argv++;
-
-		/* Handle missing argument */
-		if (argc == 0) {
-			break;
-		}
 	}
 }
 
@@ -1439,7 +1404,7 @@ parse_args(int argc, char **argv) {
 	isc_textregion_t tr;
 	dns_rdatatype_t rdtype;
 	dns_rdataclass_t rdclass;
-	bool open_type_class = true;
+	isc_boolean_t open_type_class = ISC_TRUE;
 
 	for (; argc > 0; argc--, argv++) {
 		if (argv[0][0] == '@') {
@@ -1478,7 +1443,7 @@ parse_args(int argc, char **argv) {
 					    rdtype == dns_rdatatype_axfr)
 						fatal("Transfer not supported");
 					qtype = rdtype;
-					typeset = true;
+					typeset = ISC_TRUE;
 					continue;
 				}
 				result = dns_rdataclass_fromtext(&rdclass,
@@ -1547,7 +1512,7 @@ reverse_octets(const char *in, char **p, char *end) {
 }
 
 static isc_result_t
-get_reverse(char *reverse, size_t len, char *value, bool strict) {
+get_reverse(char *reverse, size_t len, char *value, isc_boolean_t strict) {
 	int r;
 	isc_result_t result;
 	isc_netaddr_t addr;

bin/delv/delv.docbook

@@ -39,7 +39,6 @@
       <year>2016</year>
       <year>2017</year>
       <year>2018</year>
-      <year>2019</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>

bin/delv/delv.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2014-2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2014-2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this

bin/delv/win32/delv.vcxproj.in

@@ -53,7 +53,7 @@
       </PrecompiledHeader>
       <WarningLevel>Level3</WarningLevel>
       <Optimization>Disabled</Optimization>
-      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>WIN32;@CRYPTO@_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
       <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
@@ -68,7 +68,7 @@
       <GenerateDebugInformation>true</GenerateDebugInformation>
       <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
       <AdditionalLibraryDirectories>..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\irs\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
-      <AdditionalDependencies>@OPENSSL_LIB@libisc.lib;libdns.lib;libisccfg.lib;libirs.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>libisc.lib;libdns.lib;libisccfg.lib;libirs.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
     </Link>
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
@@ -79,7 +79,7 @@
       <Optimization>MaxSpeed</Optimization>
       <FunctionLevelLinking>true</FunctionLevelLinking>
       <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
-      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>WIN32;@CRYPTO@NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
       <WholeProgramOptimization>false</WholeProgramOptimization>
       <StringPooling>true</StringPooling>
@@ -98,7 +98,7 @@
       <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
       <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
       <AdditionalLibraryDirectories>..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\irs\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
-      <AdditionalDependencies>@OPENSSL_LIB@libisc.lib;libdns.lib;libisccfg.lib;libirs.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>libisc.lib;libdns.lib;libisccfg.lib;libirs.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
     </Link>
   </ItemDefinitionGroup>
   <ItemGroup>

bin/dig/Makefile.in

@@ -19,16 +19,16 @@ READLINE_LIB = @READLINE_LIB@
 
 CINCLUDES =	-I${srcdir}/include ${DNS_INCLUDES} \
 		${BIND9_INCLUDES} ${ISC_INCLUDES} \
-		${IRS_INCLUDES} ${ISCCFG_INCLUDES} @LIBIDN2_CFLAGS@ @OPENSSL_INCLUDES@
+		${IRS_INCLUDES} ${ISCCFG_INCLUDES} @LIBIDN2_CFLAGS@ @DST_OPENSSL_INC@
 
 CDEFINES =	-DVERSION=\"${VERSION}\"
 CWARNINGS =
 
 ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
-DNSLIBS =	../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
+DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
 BIND9LIBS =	../../lib/bind9/libbind9.@A@
-ISCLIBS =	../../lib/isc/libisc.@A@ @OPENSSL_LIBS@
-ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LIBS@
+ISCLIBS =	../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @ISC_OPENSSL_LIBS@
 IRSLIBS =	../../lib/irs/libirs.@A@
 
 ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@
@@ -64,8 +64,6 @@ MANOBJS =	${MANPAGES} ${HTMLPAGES}
 
 @BIND9_MAKE_RULES@
 
-LDFLAGS =	@LDFLAGS@ @LIBIDN2_LDFLAGS@
-
 dig@EXEEXT@: dig.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
 	export BASEOBJS="dig.@O@ dighost.@O@ ${UOBJS}"; \
 	export LIBS0="${DNSLIBS} ${IRSLIBS}"; \
@@ -101,12 +99,12 @@ install:: dig@EXEEXT@ host@EXEEXT@ nslookup@EXEEXT@ installdirs
 	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
 		nslookup@EXEEXT@ ${DESTDIR}${bindir}
 	for m in ${MANPAGES}; do \
-		${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man1 || exit 1; \
-	done
+		${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man1; \
+		done
 
 uninstall::
 	for m in ${MANPAGES}; do \
-		rm -f ${DESTDIR}${mandir}/man1/$$m || exit 1; \
+		rm -f ${DESTDIR}${mandir}/man1/$$m ; \
 	done
 	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${bindir}/nslookup@EXEEXT@
 	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${bindir}/host@EXEEXT@

bin/dig/dig.1

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2000-2011, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2011, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -74,9 +74,7 @@ will perform an NS query for "\&." (the root)\&.
 It is possible to set per\-user defaults for
 \fBdig\fR
 via
-${HOME}/\&.digrc\&. This file is read and any options in it are applied before the command line arguments\&. The
-\fB\-r\fR
-option disables this feature, for scripts that need predictable behaviour\&.
+${HOME}/\&.digrc\&. This file is read and any options in it are applied before the command line arguments\&.
 .PP
 The IN and CH class names overlap with the IN and CH top level domain names\&. Either use the
 \fB\-t\fR
@@ -176,6 +174,11 @@ reads a list of lookup requests to process from the given
 using the command\-line interface\&.
 .RE
 .PP
+\-i
+.RS 4
+Do reverse IPv6 lookups using the obsolete RFC 1886 IP6\&.INT domain, which is no longer in use\&. Obsolete bit string label queries (RFC 2874) are not attempted\&.
+.RE
+.PP
 \-k \fIkeyfile\fR
 .RS 4
 Sign queries using TSIG using a key read from the given file\&. Key files can be generated using
@@ -205,12 +208,6 @@ The domain name to query\&. This is useful to distinguish the
 from other arguments\&.
 .RE
 .PP
-\-r
-.RS 4
-Do not read options from
-${HOME}/\&.digrc\&. This is useful for scripts that need predictable behaviour\&.
-.RE
-.PP
 \-t \fItype\fR
 .RS 4
 The resource record type to query\&. It can be any valid query type\&. If it is a resource record type supported in BIND 9, it can be given by the type mnemonic (such as "NS" or "AAAA")\&. The default query type is "A", unless the
@@ -249,7 +246,9 @@ arguments\&.
 \fBdig\fR
 automatically performs a lookup for a name like
 94\&.2\&.0\&.192\&.in\-addr\&.arpa
-and sets the query type and class to PTR and IN respectively\&. IPv6 addresses are looked up using nibble format under the IP6\&.ARPA domain\&.
+and sets the query type and class to PTR and IN respectively\&. IPv6 addresses are looked up using nibble format under the IP6\&.ARPA domain (but see also the
+\fB\-i\fR
+option)\&.
 .RE
 .PP
 \-y \fI[hmac:]\fR\fIkeyname:secret\fR
@@ -469,16 +468,12 @@ option is enabled\&. If short form answers are requested, the default is not to
 .PP
 \fB+[no]idnin\fR
 .RS 4
-Process [do not process] IDN domain names on input\&. This requires IDN SUPPORT to have been enabled at compile time\&.
-.sp
-The default is to process IDN input when standard output is a tty\&. The IDN processing on input is disabled when dig output is redirected to files, pipes, and other non\-tty file descriptors\&.
+Process [do not process] IDN domain names on input\&. This requires IDN SUPPORT to have been enabled at compile time\&. The default is to process IDN input\&.
 .RE
 .PP
 \fB+[no]idnout\fR
 .RS 4
-Convert [do not convert] puny code on output\&. This requires IDN SUPPORT to have been enabled at compile time\&.
-.sp
-The default is to process puny code on output when standard output is a tty\&. The puny code processing on output is disabled when dig output is redirected to files, pipes, and other non\-tty file descriptors\&.
+Convert [do not convert] puny code on output\&. This requires IDN SUPPORT to have been enabled at compile time\&. The default is to convert output\&.
 .RE
 .PP
 \fB+[no]ignore\fR
@@ -584,11 +579,11 @@ A synonym for
 .RS 4
 Toggle the setting of the RD (recursion desired) bit in the query\&. This bit is set by default, which means
 \fBdig\fR
-normally sends recursive queries\&. Recursion is automatically disabled when using the
+normally sends recursive queries\&. Recursion is automatically disabled when the
 \fI+nssearch\fR
-option, and when using
+or
 \fI+trace\fR
-except for an initial recursive query to get the list of root servers\&.
+query options are used\&.
 .RE
 .PP
 \fB+retry=T\fR
@@ -800,10 +795,7 @@ has been built with IDN (internationalized domain name) support, it can accept a
 appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server\&. If you\*(Aqd like to turn off the IDN support for some reason, use parameters
 \fI+noidnin\fR
 and
-\fI+noidnout\fR
-or define the
-\fBIDN_DISABLE\fR
-environment variable\&.
+\fI+noidnout\fR\&.
 .SH "FILES"
 .PP
 /etc/resolv\&.conf
@@ -824,5 +816,5 @@ There are probably too many query options\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2000-2011, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000-2011, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dig/dig.c

@@ -12,9 +12,6 @@
 /*! \file */
 
 #include <config.h>
-
-#include <inttypes.h>
-#include <stdbool.h>
 #include <stdlib.h>
 #include <time.h>
 #include <ctype.h>
@@ -64,10 +61,10 @@ static int addresscount = 0;
 static char domainopt[DNS_NAME_MAXTEXT];
 static char hexcookie[81];
 
-static bool short_form = false, printcmd = true,
-	plusquest = false, pluscomm = false,
-	ipv4only = false, ipv6only = false, digrc = true;
-static uint32_t splitwidth = 0xffffffff;
+static isc_boolean_t short_form = ISC_FALSE, printcmd = ISC_TRUE,
+	ip6_int = ISC_FALSE, plusquest = ISC_FALSE, pluscomm = ISC_FALSE,
+	ipv4only = ISC_FALSE, ipv6only = ISC_FALSE;
+static isc_uint32_t splitwidth = 0xffffffff;
 
 /*% opcode text */
 static const char * const opcodetext[] = {
@@ -153,11 +150,11 @@ help(void) {
 "                 -b address[#port]   (bind to source address/port)\n"
 "                 -c class            (specify query class)\n"
 "                 -f filename         (batch mode)\n"
+"                 -i                  (use IP6.INT for IPv6 reverse lookups)\n"
 "                 -k keyfile          (specify tsig key file)\n"
 "                 -m                  (enable memory usage debugging)\n"
 "                 -p port             (specify port number)\n"
 "                 -q name             (specify query name)\n"
-"                 -r                  (do not read ~/.digrc)\n"
 "                 -t type             (specify query type)\n"
 "                 -u                  (display times in usec instead of msec)\n"
 "                 -x dot-notation     (shortcut for reverse lookups)\n"
@@ -193,10 +190,8 @@ help(void) {
 "                 +[no]fail           (Don't try next server on SERVFAIL)\n"
 "                 +[no]header-only    (Send query without a question section)\n"
 "                 +[no]identify       (ID responders in short answers)\n"
-#ifdef HAVE_LIBIDN2
-"                 +[no]idnin          (Parse IDN names [default=on on tty])\n"
-"                 +[no]idnout         (Convert IDN response [default=on on tty])\n"
-#endif
+"                 +[no]idnin          (Parse IDN names)\n"
+"                 +[no]idnout         (Convert IDN response)\n"
 "                 +[no]ignore         (Don't revert to TCP for TC responses.)\n"
 "                 +[no]keepalive      (Request EDNS TCP keepalive)\n"
 "                 +[no]keepopen       (Keep the TCP socket open between queries)\n"
@@ -245,7 +240,7 @@ help(void) {
  */
 static void
 received(unsigned int bytes, isc_sockaddr_t *from, dig_query_t *query) {
-	uint64_t diff;
+	isc_uint64_t diff;
 	time_t tnow;
 	struct tm tmnow;
 #ifdef WIN32
@@ -265,7 +260,7 @@ received(unsigned int bytes, isc_sockaddr_t *from, dig_query_t *query) {
 			printf(";; Query time: %ld msec\n", (long) diff / 1000);
 		printf(";; SERVER: %s(%s)\n", fromtext, query->servname);
 		time(&tnow);
-#if !defined(WIN32)
+#if defined(ISC_PLATFORM_USETHREADS) && !defined(WIN32)
 		(void)localtime_r(&tnow, &tmnow);
 #else
 		tmnow  = *localtime(&tnow);
@@ -286,7 +281,7 @@ received(unsigned int bytes, isc_sockaddr_t *from, dig_query_t *query) {
 #endif
 		if (query->lookup->doing_xfr) {
 			printf(";; XFR size: %u records (messages %u, "
-			       "bytes %" PRIu64 ")\n",
+			       "bytes %" ISC_PRINT_QUADFORMAT "u)\n",
 			       query->rr_count, query->msg_count,
 			       query->byte_count);
 		} else {
@@ -304,18 +299,18 @@ received(unsigned int bytes, isc_sockaddr_t *from, dig_query_t *query) {
 	} else if (query->lookup->identify && !short_form) {
 		diff = isc_time_microdiff(&query->time_recv, &query->time_sent);
 		if (query->lookup->use_usec)
-			printf(";; Received %" PRIu64 " bytes "
+			printf(";; Received %" ISC_PRINT_QUADFORMAT "u bytes "
 			       "from %s(%s) in %ld us\n\n",
 			       query->lookup->doing_xfr
 				 ? query->byte_count
-				 : (uint64_t)bytes,
+				 : (isc_uint64_t)bytes,
 			       fromtext, query->userarg, (long) diff);
 		else
-			printf(";; Received %" PRIu64 " bytes "
+			printf(";; Received %" ISC_PRINT_QUADFORMAT "u bytes "
 			       "from %s(%s) in %ld ms\n\n",
 			       query->lookup->doing_xfr
 				 ?  query->byte_count
-				 : (uint64_t)bytes,
+				 : (isc_uint64_t)bytes,
 			       fromtext, query->userarg, (long) diff / 1000);
 	}
 }
@@ -337,7 +332,7 @@ trying(char *frm, dig_lookup_t *lookup) {
 static isc_result_t
 say_message(dns_rdata_t *rdata, dig_query_t *query, isc_buffer_t *buf) {
 	isc_result_t result;
-	uint64_t diff;
+	isc_uint64_t diff;
 	char store[sizeof(" in 18446744073709551616 us.")];
 	unsigned int styleflags = 0;
 
@@ -365,11 +360,10 @@ say_message(dns_rdata_t *rdata, dig_query_t *query, isc_buffer_t *buf) {
 		diff = isc_time_microdiff(&query->time_recv, &query->time_sent);
 		ADD_STRING(buf, " from server ");
 		ADD_STRING(buf, query->servname);
-		if (query->lookup->use_usec) {
-			snprintf(store, sizeof(store), " in %" PRIu64 " us.", diff);
-		} else {
-			snprintf(store, sizeof(store), " in %" PRIu64 " ms.", diff / 1000);
-		}
+		if (query->lookup->use_usec)
+			snprintf(store, sizeof(store), " in %" ISC_PLATFORM_QUADFORMAT "u us.", diff);
+		else
+			snprintf(store, sizeof(store), " in %" ISC_PLATFORM_QUADFORMAT "u ms.", diff / 1000);
 		ADD_STRING(buf, store);
 	}
 	ADD_STRING(buf, "\n");
@@ -427,7 +421,7 @@ short_answer(dns_message_t *msg, dns_messagetextflag_t flags,
 	return (ISC_R_SUCCESS);
 }
 
-static bool
+static isc_boolean_t
 isdotlocal(dns_message_t *msg) {
 	isc_result_t result;
 	static unsigned char local_ndata[] = { "\005local\0" };
@@ -442,16 +436,16 @@ isdotlocal(dns_message_t *msg) {
 		dns_name_t *name = NULL;
 		dns_message_currentname(msg, DNS_SECTION_QUESTION, &name);
 		if (dns_name_issubdomain(name, &local))
-			return (true);
+			return (ISC_TRUE);
 	}
-	return (false);
+	return (ISC_FALSE);
 }
 
 /*
  * Callback from dighost.c to print the reply from a server
  */
 static isc_result_t
-printmessage(dig_query_t *query, dns_message_t *msg, bool headers) {
+printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 	isc_result_t result;
 	dns_messagetextflag_t flags;
 	isc_buffer_t *buf = NULL;
@@ -695,7 +689,7 @@ cleanup:
 static void
 printgreeting(int argc, char **argv, dig_lookup_t *lookup) {
 	int i;
-	static bool first = true;
+	static isc_boolean_t first = ISC_TRUE;
 	char append[MXNAME];
 
 	if (printcmd) {
@@ -722,7 +716,7 @@ printgreeting(int argc, char **argv, dig_lookup_t *lookup) {
 				 ";; global options:%s%s\n",
 				 short_form ? " +short" : "",
 				 printcmd ? " +cmd" : "");
-			first = false;
+			first = ISC_FALSE;
 			strlcat(lookup->cmdline, append,
 				sizeof(lookup->cmdline));
 		}
@@ -737,13 +731,13 @@ printgreeting(int argc, char **argv, dig_lookup_t *lookup) {
  */
 
 static void
-plus_option(char *option, bool is_batchfile,
+plus_option(char *option, isc_boolean_t is_batchfile,
 	    dig_lookup_t *lookup)
 {
 	isc_result_t result;
 	char *cmd, *value, *last = NULL, *code, *extra;
-	uint32_t num;
-	bool state = true;
+	isc_uint32_t num;
+	isc_boolean_t state = ISC_TRUE;
 	size_t n;
 
 	INSIST(option != NULL);
@@ -754,7 +748,7 @@ plus_option(char *option, bool is_batchfile,
 	}
 	if (strncasecmp(cmd, "no", 2)==0) {
 		cmd += 2;
-		state = false;
+		state = ISC_FALSE;
 	}
 	/* parse the rest of the string */
 	value = strtok_r(NULL, "", &last);
@@ -861,7 +855,7 @@ plus_option(char *option, bool is_batchfile,
 		case 'l': /* class */
 			/* keep +cl for backwards compatibility */
 			FULLCHECK2("cl", "class");
-			lookup->noclass = !state;
+			lookup->noclass = ISC_TF(!state);
 			break;
 		case 'm': /* cmd */
 			FULLCHECK("cmd");
@@ -897,7 +891,7 @@ plus_option(char *option, bool is_batchfile,
 			break;
 		case 'r':
 			FULLCHECK("crypto");
-			lookup->nocrypto = !state;
+			lookup->nocrypto = ISC_TF(!state);
 			break;
 		default:
 			goto invalid_option;
@@ -1007,20 +1001,14 @@ plus_option(char *option, bool is_batchfile,
 							lookup->ednsoptscnt = 0;
 							break;
 						}
-						code = NULL;
-						if (value != NULL) {
-							code = strtok_r(value,
-									":",
-									&last);
-						}
-						if (code == NULL) {
+						if (value == NULL) {
 							warn("ednsopt no "
 							     "code point "
 							     "specified");
 							goto exit_or_usage;
 						}
-						extra = strtok_r(NULL, "\0",
-								 &last);
+						code = strtok_r(value, ":", &last);
+						extra = strtok_r(NULL, "\0", &last);
 						save_opt(lookup, code, extra);
 						break;
 					default:
@@ -1063,7 +1051,7 @@ plus_option(char *option, bool is_batchfile,
 				switch (cmd[3]) {
 				case 'i':
 					FULLCHECK("idnin");
-#ifndef HAVE_LIBIDN2
+#ifndef WITH_IDN_SUPPORT
 					fprintf(stderr, ";; IDN input support"
 						" not enabled\n");
 #else
@@ -1072,7 +1060,7 @@ plus_option(char *option, bool is_batchfile,
 				break;
 				case 'o':
 					FULLCHECK("idnout");
-#ifndef HAVE_LIBIDN2
+#ifndef WITH_IDN_OUT_SUPPORT
 					fprintf(stderr, ";; IDN output support"
 						" not enabled\n");
 #else
@@ -1168,17 +1156,17 @@ plus_option(char *option, bool is_batchfile,
 				FULLCHECK("nssearch");
 				lookup->ns_search_only = state;
 				if (state) {
-					lookup->trace_root = true;
-					lookup->recurse = true;
-					lookup->identify = true;
-					lookup->stats = false;
-					lookup->comments = false;
-					lookup->section_additional = false;
-					lookup->section_authority = false;
-					lookup->section_question = false;
+					lookup->trace_root = ISC_TRUE;
+					lookup->recurse = ISC_TRUE;
+					lookup->identify = ISC_TRUE;
+					lookup->stats = ISC_FALSE;
+					lookup->comments = ISC_FALSE;
+					lookup->section_additional = ISC_FALSE;
+					lookup->section_authority = ISC_FALSE;
+					lookup->section_question = ISC_FALSE;
 					lookup->rdtype = dns_rdatatype_ns;
-					lookup->rdtypeset = true;
-					short_form = true;
+					lookup->rdtypeset = ISC_TRUE;
+					short_form = ISC_TRUE;
 					lookup->rrcomments = 0;
 				}
 				break;
@@ -1236,7 +1224,7 @@ plus_option(char *option, bool is_batchfile,
 			warn("Couldn't parse padding");
 			goto exit_or_usage;
 		}
-		lookup->padding = (uint16_t)num;
+		lookup->padding = (isc_uint16_t)num;
 		break;
 	case 'q':
 		switch (cmd[1]) {
@@ -1312,13 +1300,13 @@ plus_option(char *option, bool is_batchfile,
 				FULLCHECK("short");
 				short_form = state;
 				if (state) {
-					printcmd = false;
-					lookup->section_additional = false;
-					lookup->section_answer = true;
-					lookup->section_authority = false;
-					lookup->section_question = false;
-					lookup->comments = false;
-					lookup->stats = false;
+					printcmd = ISC_FALSE;
+					lookup->section_additional = ISC_FALSE;
+					lookup->section_answer = ISC_TRUE;
+					lookup->section_authority = ISC_FALSE;
+					lookup->section_question = ISC_FALSE;
+					lookup->comments = ISC_FALSE;
+					lookup->stats = ISC_FALSE;
 					lookup->rrcomments = -1;
 				}
 				break;
@@ -1412,7 +1400,7 @@ plus_option(char *option, bool is_batchfile,
 				FULLCHECK("tcp");
 				if (!is_batchfile) {
 					lookup->tcp_mode = state;
-					lookup->tcp_mode_set = true;
+					lookup->tcp_mode_set = ISC_TRUE;
 				}
 				break;
 			default:
@@ -1445,17 +1433,17 @@ plus_option(char *option, bool is_batchfile,
 				lookup->trace = state;
 				lookup->trace_root = state;
 				if (state) {
-					lookup->recurse = true;
-					lookup->identify = true;
-					lookup->comments = false;
+					lookup->recurse = ISC_FALSE;
+					lookup->identify = ISC_TRUE;
+					lookup->comments = ISC_FALSE;
 					lookup->rrcomments = 0;
-					lookup->stats = false;
-					lookup->section_additional = false;
-					lookup->section_authority = true;
-					lookup->section_question = false;
-					lookup->dnssec = true;
-					lookup->sendcookie = true;
-					usesearch = false;
+					lookup->stats = ISC_FALSE;
+					lookup->section_additional = ISC_FALSE;
+					lookup->section_authority = ISC_TRUE;
+					lookup->section_question = ISC_FALSE;
+					lookup->dnssec = ISC_TRUE;
+					lookup->sendcookie = ISC_TRUE;
+					usesearch = ISC_FALSE;
 				}
 				break;
 			case 'i': /* tries */
@@ -1489,12 +1477,12 @@ plus_option(char *option, bool is_batchfile,
 				case 0:
 				case 'i': /* ttlid */
 					FULLCHECK2("ttl", "ttlid");
-					lookup->nottl = !state;
+					lookup->nottl = ISC_TF(!state);
 					break;
 				case 'u': /* ttlunits */
 					FULLCHECK("ttlunits");
-					lookup->nottl = false;
-					lookup->ttlunits = state;
+					lookup->nottl = ISC_FALSE;
+					lookup->ttlunits = ISC_TF(state);
 					break;
 				default:
 					goto invalid_option;
@@ -1516,7 +1504,7 @@ plus_option(char *option, bool is_batchfile,
 		FULLCHECK("vc");
 		if (!is_batchfile) {
 			lookup->tcp_mode = state;
-			lookup->tcp_mode_set = true;
+			lookup->tcp_mode_set = ISC_TRUE;
 		}
 		break;
 	case 'z': /* zflag */
@@ -1542,19 +1530,19 @@ plus_option(char *option, bool is_batchfile,
 }
 
 /*%
- * #true returned if value was used
+ * #ISC_TRUE returned if value was used
  */
-static const char *single_dash_opts = "46dhimnruv";
-static const char *dash_opts = "46bcdfhikmnpqrtvyx";
-static bool
+static const char *single_dash_opts = "46dhimnuv";
+static const char *dash_opts = "46bcdfhikmnptvyx";
+static isc_boolean_t
 dash_option(char *option, char *next, dig_lookup_t **lookup,
-	    bool *open_type_class, bool *need_clone,
-	    bool config_only, int argc, char **argv,
-	    bool *firstarg)
+	    isc_boolean_t *open_type_class, isc_boolean_t *need_clone,
+	    isc_boolean_t config_only, int argc, char **argv,
+	    isc_boolean_t *firstarg)
 {
 	char opt, *value, *ptr, *ptr2, *ptr3, *last;
 	isc_result_t result;
-	bool value_from_next;
+	isc_boolean_t value_from_next;
 	isc_textregion_t tr;
 	dns_rdatatype_t rdtype;
 	dns_rdataclass_t rdclass;
@@ -1563,7 +1551,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 	struct in6_addr in6;
 	in_port_t srcport;
 	char *hash, *cmd;
-	uint32_t num;
+	isc_uint32_t num;
 
 	while (strpbrk(option, single_dash_opts) == &option[0]) {
 		/*
@@ -1576,21 +1564,21 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 		case '4':
 			if (have_ipv4) {
 				isc_net_disableipv6();
-				have_ipv6 = false;
+				have_ipv6 = ISC_FALSE;
 			} else {
 				fatal("can't find IPv4 networking");
 				/* NOTREACHED */
-				return (false);
+				return (ISC_FALSE);
 			}
 			break;
 		case '6':
 			if (have_ipv6) {
 				isc_net_disableipv4();
-				have_ipv4 = false;
+				have_ipv4 = ISC_FALSE;
 			} else {
 				fatal("can't find IPv6 networking");
 				/* NOTREACHED */
-				return (false);
+				return (ISC_FALSE);
 			}
 			break;
 		case 'd':
@@ -1598,17 +1586,17 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 			if (ptr != &option[1]) {
 				cmd = option;
 				FULLCHECK("debug");
-				debugging = true;
-				return (false);
+				debugging = ISC_TRUE;
+				return (ISC_FALSE);
 			} else
-				debugging = true;
+				debugging = ISC_TRUE;
 			break;
 		case 'h':
 			help();
 			exit(0);
 			break;
 		case 'i':
-			/* deprecated */
+			ip6_int = ISC_TRUE;
 			break;
 		case 'm': /* memdebug */
 			/* memdebug is handled in preparse_args() */
@@ -1616,12 +1604,8 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 		case 'n':
 			/* deprecated */
 			break;
-		case 'r':
-			debug("digrc (late)");
-			digrc = false;
-			break;
 		case 'u':
-			(*lookup)->use_usec = true;
+			(*lookup)->use_usec = ISC_TRUE;
 			break;
 		case 'v':
 			version();
@@ -1631,14 +1615,14 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 		if (strlen(option) > 1U)
 			option = &option[1];
 		else
-			return (false);
+			return (ISC_FALSE);
 	}
 	opt = option[0];
 	if (strlen(option) > 1U) {
-		value_from_next = false;
+		value_from_next = ISC_FALSE;
 		value = &option[1];
 	} else {
-		value_from_next = true;
+		value_from_next = ISC_TRUE;
 		value = next;
 	}
 	if (value == NULL)
@@ -1668,20 +1652,20 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 		}
 		if (hash != NULL)
 			*hash = '#';
-		specified_source = true;
+		specified_source = ISC_TRUE;
 		return (value_from_next);
 	case 'c':
 		if ((*lookup)->rdclassset) {
 			fprintf(stderr, ";; Warning, extra class option\n");
 		}
-		*open_type_class = false;
+		*open_type_class = ISC_FALSE;
 		tr.base = value;
 		tr.length = (unsigned int) strlen(value);
 		result = dns_rdataclass_fromtext(&rdclass,
 						 (isc_textregion_t *)&tr);
 		if (result == ISC_R_SUCCESS) {
 			(*lookup)->rdclass = rdclass;
-			(*lookup)->rdclassset = true;
+			(*lookup)->rdclassset = ISC_TRUE;
 		} else
 			fprintf(stderr, ";; Warning, ignoring "
 				"invalid class %s\n",
@@ -1703,23 +1687,23 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 		if (!config_only) {
 			if (*need_clone)
 				(*lookup) = clone_lookup(default_lookup,
-							 true);
-			*need_clone = true;
+							 ISC_TRUE);
+			*need_clone = ISC_TRUE;
 			strlcpy((*lookup)->textname, value,
 				sizeof((*lookup)->textname));
-			(*lookup)->trace_root = ((*lookup)->trace  ||
-						 (*lookup)->ns_search_only);
-			(*lookup)->new_search = true;
+			(*lookup)->trace_root = ISC_TF((*lookup)->trace  ||
+						     (*lookup)->ns_search_only);
+			(*lookup)->new_search = ISC_TRUE;
 			if (*firstarg) {
 				printgreeting(argc, argv, *lookup);
-				*firstarg = false;
+				*firstarg = ISC_FALSE;
 			}
 			ISC_LIST_APPEND(lookup_list, (*lookup), link);
 			debug("looking up %s", (*lookup)->textname);
 		}
 		return (value_from_next);
 	case 't':
-		*open_type_class = false;
+		*open_type_class = ISC_FALSE;
 		if (strncasecmp(value, "ixfr=", 5) == 0) {
 			rdtype = dns_rdatatype_ixfr;
 			result = ISC_R_SUCCESS;
@@ -1739,9 +1723,9 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 						"extra type option\n");
 			}
 			if (rdtype == dns_rdatatype_ixfr) {
-				uint32_t serial;
+				isc_uint32_t serial;
 				(*lookup)->rdtype = dns_rdatatype_ixfr;
-				(*lookup)->rdtypeset = true;
+				(*lookup)->rdtypeset = ISC_TRUE;
 				result = parse_uint(&serial, &value[5],
 					   MAXSERIAL, "serial number");
 				if (result != ISC_R_SUCCESS)
@@ -1750,19 +1734,19 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 				(*lookup)->section_question = plusquest;
 				(*lookup)->comments = pluscomm;
 				if (!(*lookup)->tcp_mode_set)
-					(*lookup)->tcp_mode = true;
+					(*lookup)->tcp_mode = ISC_TRUE;
 			} else {
 				(*lookup)->rdtype = rdtype;
 				if (!config_only)
-					(*lookup)->rdtypeset = true;
+					(*lookup)->rdtypeset = ISC_TRUE;
 				if (rdtype == dns_rdatatype_axfr) {
 					(*lookup)->section_question = plusquest;
 					(*lookup)->comments = pluscomm;
 				} else if (rdtype == dns_rdatatype_any) {
 					if (!(*lookup)->tcp_mode_set)
-						(*lookup)->tcp_mode = true;
+						(*lookup)->tcp_mode = ISC_TRUE;
 				}
-				(*lookup)->ixfr_serial = false;
+				(*lookup)->ixfr_serial = ISC_FALSE;
 			}
 		} else
 			fprintf(stderr, ";; Warning, ignoring "
@@ -1781,7 +1765,11 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 			ptr = ptr2;
 			ptr2 = ptr3;
 		} else  {
+#ifndef PK11_MD5_DISABLE
 			hmacname = DNS_TSIG_HMACMD5_NAME;
+#else
+			hmacname = DNS_TSIG_HMACSHA256_NAME;
+#endif
 			digestbits = 0;
 		}
 		/* XXXONDREJ: FIXME */
@@ -1790,23 +1778,24 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 		return (value_from_next);
 	case 'x':
 		if (*need_clone)
-			*lookup = clone_lookup(default_lookup, true);
-		*need_clone = true;
+			*lookup = clone_lookup(default_lookup, ISC_TRUE);
+		*need_clone = ISC_TRUE;
 		if (get_reverse(textname, sizeof(textname), value,
-				false) == ISC_R_SUCCESS) {
+				ip6_int, ISC_FALSE) == ISC_R_SUCCESS) {
 			strlcpy((*lookup)->textname, textname,
 				sizeof((*lookup)->textname));
 			debug("looking up %s", (*lookup)->textname);
-			(*lookup)->trace_root = ((*lookup)->trace  ||
-						 (*lookup)->ns_search_only);
+			(*lookup)->trace_root = ISC_TF((*lookup)->trace  ||
+						(*lookup)->ns_search_only);
+			(*lookup)->ip6_int = ip6_int;
 			if (!(*lookup)->rdtypeset)
 				(*lookup)->rdtype = dns_rdatatype_ptr;
 			if (!(*lookup)->rdclassset)
 				(*lookup)->rdclass = dns_rdataclass_in;
-			(*lookup)->new_search = true;
+			(*lookup)->new_search = ISC_TRUE;
 			if (*firstarg) {
 				printgreeting(argc, argv, *lookup);
-				*firstarg = false;
+				*firstarg = ISC_FALSE;
 			}
 			ISC_LIST_APPEND(lookup_list, *lookup, link);
 		} else {
@@ -1820,7 +1809,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 		usage();
 	}
 	/* NOTREACHED */
-	return (false);
+	return (ISC_FALSE);
 }
 
 /*%
@@ -1846,50 +1835,24 @@ preparse_args(int argc, char **argv) {
 		option = &rv[0][1];
 		while (strpbrk(option, single_dash_opts) == &option[0]) {
 			switch (option[0]) {
-			case 'd':
-				/* For debugging early startup */
-				debugging = true;
-				break;
 			case 'm':
-				memdebugging = true;
+				memdebugging = ISC_TRUE;
 				isc_mem_debugging = ISC_MEM_DEBUGTRACE |
 					ISC_MEM_DEBUGRECORD;
 				break;
-			case 'r':
-				/*
-				 * Must be done early, because ~/.digrc
-				 * is read before command line parsing
-				 */
-				debug("digrc (early)");
-				digrc = false;
-				break;
 			case '4':
 				if (ipv6only)
 					fatal("only one of -4 and -6 allowed");
-				ipv4only = true;
+				ipv4only = ISC_TRUE;
 				break;
 			case '6':
 				if (ipv4only)
 					fatal("only one of -4 and -6 allowed");
-				ipv6only = true;
+				ipv6only = ISC_TRUE;
 				break;
 			}
 			option = &option[1];
 		}
-		if (strlen(option) == 0U) {
-			continue;
-		}
-		/* Look for dash value option. */
-		if (strpbrk(option, dash_opts) != &option[0] ||
-		    strlen(option) > 1U) {
-			/* Error or value in option. */
-			continue;
-		}
-		/* Dash value is next argument so we need to skip it. */
-		rc--, rv++;
-		/* Handle missing argument */
-		if (rc == 0)
-			break;
 	}
 }
 
@@ -1910,16 +1873,16 @@ split_batchline(char *batchline, char **bargv, int len, const char *msg) {
 }
 
 static void
-parse_args(bool is_batchfile, bool config_only,
+parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
 	   int argc, char **argv)
 {
 	isc_result_t result;
 	isc_textregion_t tr;
-	bool firstarg = true;
+	isc_boolean_t firstarg = ISC_TRUE;
 	dig_lookup_t *lookup = NULL;
 	dns_rdatatype_t rdtype;
 	dns_rdataclass_t rdclass;
-	bool open_type_class = true;
+	isc_boolean_t open_type_class = ISC_TRUE;
 	char batchline[MXNAME];
 	int bargc;
 	char *bargv[64];
@@ -1929,7 +1892,7 @@ parse_args(bool is_batchfile, bool config_only,
 	char *homedir;
 	char rcfile[PATH_MAX];
 #endif
-	bool need_clone = true;
+	isc_boolean_t need_clone = ISC_TRUE;
 
 	/*
 	 * The semantics for parsing the args is a bit complex; if
@@ -1946,9 +1909,9 @@ parse_args(bool is_batchfile, bool config_only,
 	if (!is_batchfile) {
 		debug("making new lookup");
 		default_lookup = make_empty_lookup();
-		default_lookup->adflag = true;
+		default_lookup->adflag = ISC_TRUE;
 		default_lookup->edns = 0;
-		default_lookup->sendcookie = true;
+		default_lookup->sendcookie = ISC_TRUE;
 
 #ifndef NOPOSIX
 		/*
@@ -1956,9 +1919,8 @@ parse_args(bool is_batchfile, bool config_only,
 		 */
 		INSIST(batchfp == NULL);
 		homedir = getenv("HOME");
-		if (homedir != NULL && digrc) {
+		if (homedir != NULL) {
 			unsigned int n;
-			debug("digrc (open)");
 			n = snprintf(rcfile, sizeof(rcfile), "%s/.digrc",
 				     homedir);
 			if (n < sizeof(rcfile)) {
@@ -1974,7 +1936,7 @@ parse_args(bool is_batchfile, bool config_only,
 							".digrc argv");
 				bargv[0] = argv[0];
 				argv0 = argv[0];
-				parse_args(true, true,
+				parse_args(ISC_TRUE, ISC_TRUE,
 					   bargc, (char **)bargv);
 			}
 			fclose(batchfp);
@@ -1984,8 +1946,8 @@ parse_args(bool is_batchfile, bool config_only,
 
 	if (is_batchfile && !config_only) {
 		/* Processing '-f batchfile'. */
-		lookup = clone_lookup(default_lookup, true);
-		need_clone = false;
+		lookup = clone_lookup(default_lookup, ISC_TRUE);
+		need_clone = ISC_FALSE;
 	} else {
 		lookup = default_lookup;
 	}
@@ -2068,10 +2030,10 @@ parse_args(bool is_batchfile, bool config_only,
 							"extra type option\n");
 					}
 					if (rdtype == dns_rdatatype_ixfr) {
-						uint32_t serial;
+						isc_uint32_t serial;
 						lookup->rdtype =
 							dns_rdatatype_ixfr;
-						lookup->rdtypeset = true;
+						lookup->rdtypeset = ISC_TRUE;
 						result = parse_uint(&serial,
 								    &rv[0][5],
 								    MAXSERIAL,
@@ -2084,10 +2046,10 @@ parse_args(bool is_batchfile, bool config_only,
 							plusquest;
 						lookup->comments = pluscomm;
 						if (!lookup->tcp_mode_set)
-							lookup->tcp_mode = true;
+							lookup->tcp_mode = ISC_TRUE;
 					} else {
 						lookup->rdtype = rdtype;
-						lookup->rdtypeset = true;
+						lookup->rdtypeset = ISC_TRUE;
 						if (rdtype ==
 						    dns_rdatatype_axfr) {
 						    lookup->section_question =
@@ -2097,8 +2059,8 @@ parse_args(bool is_batchfile, bool config_only,
 						if (rdtype ==
 						    dns_rdatatype_any &&
 						    !lookup->tcp_mode_set)
-							lookup->tcp_mode = true;
-						lookup->ixfr_serial = false;
+							lookup->tcp_mode = ISC_TRUE;
+						lookup->ixfr_serial = ISC_FALSE;
 					}
 					continue;
 				}
@@ -2110,7 +2072,7 @@ parse_args(bool is_batchfile, bool config_only,
 							"extra class option\n");
 					}
 					lookup->rdclass = rdclass;
-					lookup->rdclassset = true;
+					lookup->rdclassset = ISC_TRUE;
 					continue;
 				}
 			}
@@ -2118,16 +2080,16 @@ parse_args(bool is_batchfile, bool config_only,
 			if (!config_only) {
 				if (need_clone)
 					lookup = clone_lookup(default_lookup,
-								      true);
-				need_clone = true;
+								      ISC_TRUE);
+				need_clone = ISC_TRUE;
 				strlcpy(lookup->textname, rv[0],
 					sizeof(lookup->textname));
-				lookup->trace_root = (lookup->trace ||
-						      lookup->ns_search_only);
-				lookup->new_search = true;
+				lookup->trace_root = ISC_TF(lookup->trace  ||
+						     lookup->ns_search_only);
+				lookup->new_search = ISC_TRUE;
 				if (firstarg) {
 					printgreeting(argc, argv, lookup);
-					firstarg = false;
+					firstarg = ISC_FALSE;
 				}
 				ISC_LIST_APPEND(lookup_list, lookup, link);
 				debug("looking up %s", lookup->textname);
@@ -2163,7 +2125,7 @@ parse_args(bool is_batchfile, bool config_only,
 						"batch argv");
 			bargv[0] = argv[0];
 			argv0 = argv[0];
-			parse_args(true, false, bargc, (char **)bargv);
+			parse_args(ISC_TRUE, ISC_FALSE, bargc, (char **)bargv);
 			return;
 		}
 		return;
@@ -2173,17 +2135,17 @@ parse_args(bool is_batchfile, bool config_only,
 	 */
 	if ((lookup_list.head == NULL) && !config_only) {
 		if (need_clone)
-			lookup = clone_lookup(default_lookup, true);
-		need_clone = true;
-		lookup->trace_root = (lookup->trace ||
-				      lookup->ns_search_only);
-		lookup->new_search = true;
+			lookup = clone_lookup(default_lookup, ISC_TRUE);
+		need_clone = ISC_TRUE;
+		lookup->trace_root = ISC_TF(lookup->trace ||
+					    lookup->ns_search_only);
+		lookup->new_search = ISC_TRUE;
 		strlcpy(lookup->textname, ".", sizeof(lookup->textname));
 		lookup->rdtype = dns_rdatatype_ns;
-		lookup->rdtypeset = true;
+		lookup->rdtypeset = ISC_TRUE;
 		if (firstarg) {
 			printgreeting(argc, argv, lookup);
-			firstarg = false;
+			firstarg = ISC_FALSE;
 		}
 		ISC_LIST_APPEND(lookup_list, lookup, link);
 	}
@@ -2220,7 +2182,7 @@ query_finished(void) {
 		debug("batch line %s", batchline);
 		bargc = split_batchline(batchline, bargv, 14, "batch argv");
 		bargv[0] = argv0;
-		parse_args(true, false, bargc, (char **)bargv);
+		parse_args(ISC_TRUE, ISC_FALSE, bargc, (char **)bargv);
 		start_lookup();
 	} else {
 		batchname = NULL;
@@ -2257,7 +2219,7 @@ void dig_setup(int argc, char **argv)
 	setup_system(ipv4only, ipv6only);
 }
 
-void dig_query_setup(bool is_batchfile, bool config_only,
+void dig_query_setup(isc_boolean_t is_batchfile, isc_boolean_t config_only,
 		int argc, char **argv)
 {
 	debug("dig_query_setup");
@@ -2269,7 +2231,7 @@ void dig_query_setup(bool is_batchfile, bool config_only,
 		setup_text_key();
 	if (domainopt[0] != '\0') {
 		set_search_domain(domainopt);
-		usesearch = true;
+		usesearch = ISC_TRUE;
 	}
 }
 
@@ -2306,7 +2268,7 @@ int
 main(int argc, char **argv) {
 
 	dig_setup(argc, argv);
-	dig_query_setup(false, false, argc, argv);
+	dig_query_setup(ISC_FALSE, ISC_FALSE, argc, argv);
 	dig_startup();
 	dig_shutdown();
 

bin/dig/dig.docbook

@@ -52,7 +52,6 @@
       <year>2016</year>
       <year>2017</year>
       <year>2018</year>
-      <year>2019</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
@@ -132,10 +131,9 @@
 
     <para>
       It is possible to set per-user defaults for <command>dig</command> via
-      <filename>${HOME}/.digrc</filename>. This file is read and any
-      options in it are applied before the command line arguments.
-      The <option>-r</option> option disables this feature, for
-      scripts that need predictable behaviour.
+      <filename>${HOME}/.digrc</filename>.  This file is read and
+      any options in it
+      are applied before the command line arguments.
     </para>
 
     <para>
@@ -273,6 +271,17 @@
 	</listitem>
       </varlistentry>
 
+      <varlistentry>
+	<term>-i</term>
+	<listitem>
+	  <para>
+	    Do reverse IPv6 lookups using the obsolete RFC 1886 IP6.INT
+	    domain, which is no longer in use. Obsolete bit string
+	    label queries (RFC 2874) are not attempted.
+	  </para>
+	</listitem>
+      </varlistentry>
+
       <varlistentry>
 	<term>-k <replaceable class="parameter">keyfile</replaceable></term>
 	<listitem>
@@ -325,16 +334,6 @@
 	</listitem>
       </varlistentry>
 
-      <varlistentry>
-	<term>-r</term>
-	<listitem>
-	  <para>
-	    Do not read options from <filename>${HOME}/.digrc</filename>.
-	    This is useful for scripts that need predictable behaviour.
-	  </para>
-	</listitem>
-      </varlistentry>
-
       <varlistentry>
 	<term>-t <replaceable class="parameter">type</replaceable></term>
 	<listitem>
@@ -395,7 +394,8 @@
 	    <literal>94.2.0.192.in-addr.arpa</literal> and sets the
 	    query type and class to PTR and IN respectively. IPv6
 	    addresses are looked up using nibble format under the
-	    IP6.ARPA domain.
+	    IP6.ARPA domain (but see also the <option>-i</option>
+	    option).
 	  </para>
 	</listitem>
       </varlistentry>
@@ -789,13 +789,7 @@
 	    <para>
 	      Process [do not process] IDN domain names on input.
 	      This requires IDN SUPPORT to have been enabled at
-	      compile time.
-	    </para>
-	    <para>
-	      The default is to process IDN input when standard output
-	      is a tty.  The IDN processing on input is disabled when
-	      dig output is redirected to files, pipes, and other
-	      non-tty file descriptors.
+	      compile time.  The default is to process IDN input.
 	    </para>
 	  </listitem>
 	</varlistentry>
@@ -806,13 +800,7 @@
 	    <para>
 	      Convert [do not convert] puny code on output.
 	      This requires IDN SUPPORT to have been enabled at
-	      compile time.
-	    </para>
-	    <para>
-	      The default is to process puny code on output when
-	      standard output is a tty.  The puny code processing on
-	      output is disabled when dig output is redirected to
-	      files, pipes, and other non-tty file descriptors.
+	      compile time.  The default is to convert output.
 	    </para>
 	  </listitem>
 	</varlistentry>
@@ -1000,10 +988,8 @@
 	      in the query.  This bit is set by default, which means
 	      <command>dig</command> normally sends recursive
 	      queries.  Recursion is automatically disabled when
-	      using the <parameter>+nssearch</parameter> option, and
-	      when using <parameter>+trace</parameter> except for
-	      an initial recursive query to get the list of root
-	      servers.
+	      the <parameter>+nssearch</parameter> or
+	      <parameter>+trace</parameter> query options are used.
 	    </para>
 	  </listitem>
 	</varlistentry>
@@ -1344,9 +1330,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
       reply from the server.
       If you'd like to turn off the IDN support for some reason, use
       parameters <parameter>+noidnin</parameter> and
-      <parameter>+noidnout</parameter> or define
-      the <envar>IDN_DISABLE</envar> environment variable.
-
+      <parameter>+noidnout</parameter>.
     </para>
   </refsection>
 

bin/dig/dig.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2011, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2011, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -106,10 +106,9 @@
 
     <p>
       It is possible to set per-user defaults for <span class="command"><strong>dig</strong></span> via
-      <code class="filename">${HOME}/.digrc</code>. This file is read and any
-      options in it are applied before the command line arguments.
-      The <code class="option">-r</code> option disables this feature, for
-      scripts that need predictable behaviour.
+      <code class="filename">${HOME}/.digrc</code>.  This file is read and
+      any options in it
+      are applied before the command line arguments.
     </p>
 
     <p>
@@ -228,6 +227,14 @@
 	    <span class="command"><strong>dig</strong></span> using the command-line interface.
 	  </p>
 	</dd>
+<dt><span class="term">-i</span></dt>
+<dd>
+	  <p>
+	    Do reverse IPv6 lookups using the obsolete RFC 1886 IP6.INT
+	    domain, which is no longer in use. Obsolete bit string
+	    label queries (RFC 2874) are not attempted.
+	  </p>
+	</dd>
 <dt><span class="term">-k <em class="replaceable"><code>keyfile</code></em></span></dt>
 <dd>
 	  <p>
@@ -267,13 +274,6 @@
 	    the <em class="parameter"><code>name</code></em> from other arguments.
 	  </p>
 	</dd>
-<dt><span class="term">-r</span></dt>
-<dd>
-	  <p>
-	    Do not read options from <code class="filename">${HOME}/.digrc</code>.
-	    This is useful for scripts that need predictable behaviour.
-	  </p>
-	</dd>
 <dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
 <dd>
 	  <p>
@@ -324,7 +324,8 @@
 	    <code class="literal">94.2.0.192.in-addr.arpa</code> and sets the
 	    query type and class to PTR and IN respectively. IPv6
 	    addresses are looked up using nibble format under the
-	    IP6.ARPA domain.
+	    IP6.ARPA domain (but see also the <code class="option">-i</code>
+	    option).
 	  </p>
 	</dd>
 <dt><span class="term">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></span></dt>
@@ -630,13 +631,7 @@
 	    <p>
 	      Process [do not process] IDN domain names on input.
 	      This requires IDN SUPPORT to have been enabled at
-	      compile time.
-	    </p>
-	    <p>
-	      The default is to process IDN input when standard output
-	      is a tty.  The IDN processing on input is disabled when
-	      dig output is redirected to files, pipes, and other
-	      non-tty file descriptors.
+	      compile time.  The default is to process IDN input.
 	    </p>
 	  </dd>
 <dt><span class="term"><code class="option">+[no]idnout</code></span></dt>
@@ -644,13 +639,7 @@
 	    <p>
 	      Convert [do not convert] puny code on output.
 	      This requires IDN SUPPORT to have been enabled at
-	      compile time.
-	    </p>
-	    <p>
-	      The default is to process puny code on output when
-	      standard output is a tty.  The puny code processing on
-	      output is disabled when dig output is redirected to
-	      files, pipes, and other non-tty file descriptors.
+	      compile time.  The default is to convert output.
 	    </p>
 	  </dd>
 <dt><span class="term"><code class="option">+[no]ignore</code></span></dt>
@@ -790,10 +779,8 @@
 	      in the query.  This bit is set by default, which means
 	      <span class="command"><strong>dig</strong></span> normally sends recursive
 	      queries.  Recursion is automatically disabled when
-	      using the <em class="parameter"><code>+nssearch</code></em> option, and
-	      when using <em class="parameter"><code>+trace</code></em> except for
-	      an initial recursive query to get the list of root
-	      servers.
+	      the <em class="parameter"><code>+nssearch</code></em> or
+	      <em class="parameter"><code>+trace</code></em> query options are used.
 	    </p>
 	  </dd>
 <dt><span class="term"><code class="option">+retry=T</code></span></dt>
@@ -1074,9 +1061,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
       reply from the server.
       If you'd like to turn off the IDN support for some reason, use
       parameters <em class="parameter"><code>+noidnin</code></em> and
-      <em class="parameter"><code>+noidnout</code></em> or define
-      the <code class="envar">IDN_DISABLE</code> environment variable.
-
+      <em class="parameter"><code>+noidnout</code></em>.
     </p>
   </div>
 

bin/dig/host.1

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -112,6 +112,11 @@ Print debugging traces\&. Equivalent to the
 verbose option\&.
 .RE
 .PP
+\-i
+.RS 4
+Obsolete\&. Use the IP6\&.INT domain for reverse lookups of IPv6 addresses as defined in RFC1886 and deprecated in RFC4159\&. The default is to use IP6\&.ARPA as specified in RFC3596\&.
+.RE
+.PP
 \-l
 .RS 4
 List zone: The
@@ -252,7 +257,7 @@ If
 \fBhost\fR
 has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names\&.
 \fBhost\fR
-appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server\&. If you\*(Aqd like to turn off the IDN support for some reason, define the
+appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server\&. If you\*(Aqd like to turn off the IDN support for some reason, defines the
 \fBIDN_DISABLE\fR
 environment variable\&. The IDN support is disabled if the variable is set when
 \fBhost\fR
@@ -269,5 +274,5 @@ runs\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2000-2002, 2004, 2005, 2007-2009, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000-2002, 2004, 2005, 2007-2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dig/host.c

@@ -12,9 +12,6 @@
 /*! \file */
 
 #include <config.h>
-
-#include <inttypes.h>
-#include <stdbool.h>
 #include <stdlib.h>
 #include <limits.h>
 
@@ -29,6 +26,7 @@
 #include <isc/string.h>
 #include <isc/util.h>
 #include <isc/task.h>
+#include <isc/stdlib.h>
 
 #include <dns/byaddr.h>
 #include <dns/fixedname.h>
@@ -42,14 +40,14 @@
 
 #include <dig/dig.h>
 
-static bool short_form = true, listed_server = false;
-static bool default_lookups = true;
+static isc_boolean_t short_form = ISC_TRUE, listed_server = ISC_FALSE;
+static isc_boolean_t default_lookups = ISC_TRUE;
 static int seen_error = -1;
-static bool list_addresses = true;
-static bool list_almost_all = false;
+static isc_boolean_t list_addresses = ISC_TRUE;
+static isc_boolean_t list_almost_all = ISC_FALSE;
 static dns_rdatatype_t list_type = dns_rdatatype_a;
-static bool printed_server = false;
-static bool ipv4only = false, ipv6only = false;
+static isc_boolean_t printed_server = ISC_FALSE;
+static isc_boolean_t ipv4only = ISC_FALSE, ipv6only = ISC_FALSE;
 
 static const char *opcodetext[] = {
 	"QUERY",
@@ -143,6 +141,7 @@ show_usage(void) {
 "       -c specifies query class for non-IN data\n"
 "       -C compares SOA records on authoritative nameservers\n"
 "       -d is equivalent to -v\n"
+"       -i IP6.INT reverse lookups\n"
 "       -l lists all hosts in a domain, using AXFR\n"
 "       -m set memory debugging flag (trace|record|usage)\n"
 "       -N changes the number of dots allowed before root lookup is done\n"
@@ -151,7 +150,6 @@ show_usage(void) {
 "       -s a SERVFAIL response should stop query\n"
 "       -t specifies the query type\n"
 "       -T enables TCP/IP mode\n"
-"       -U enables UDP mode\n"
 "       -v enables verbose output\n"
 "       -V print version number and exit\n"
 "       -w specifies to wait forever for a reply\n"
@@ -226,7 +224,7 @@ say_message(dns_name_t *name, const char *msg, dns_rdata_t *rdata,
 
 static isc_result_t
 printsection(dns_message_t *msg, dns_section_t sectionid,
-	     const char *section_name, bool headers,
+	     const char *section_name, isc_boolean_t headers,
 	     dig_query_t *query)
 {
 	dns_name_t *name, *print_name;
@@ -237,13 +235,13 @@ printsection(dns_message_t *msg, dns_section_t sectionid,
 	isc_region_t r;
 	dns_name_t empty_name;
 	char tbuf[4096];
-	bool first;
-	bool no_rdata;
+	isc_boolean_t first;
+	isc_boolean_t no_rdata;
 
 	if (sectionid == DNS_SECTION_QUESTION)
-		no_rdata = true;
+		no_rdata = ISC_TRUE;
 	else
-		no_rdata = false;
+		no_rdata = ISC_FALSE;
 
 	if (headers)
 		printf(";; %s SECTION:\n", section_name);
@@ -261,7 +259,7 @@ printsection(dns_message_t *msg, dns_section_t sectionid,
 		dns_message_currentname(msg, sectionid, &name);
 
 		isc_buffer_init(&target, tbuf, sizeof(tbuf));
-		first = true;
+		first = ISC_TRUE;
 		print_name = name;
 
 		for (rdataset = ISC_LIST_HEAD(name->list);
@@ -285,7 +283,7 @@ printsection(dns_message_t *msg, dns_section_t sectionid,
 			if (!short_form) {
 				result = dns_rdataset_totext(rdataset,
 							     print_name,
-							     false,
+							     ISC_FALSE,
 							     no_rdata,
 							     &target);
 				if (result != ISC_R_SUCCESS)
@@ -293,7 +291,7 @@ printsection(dns_message_t *msg, dns_section_t sectionid,
 #ifdef USEINITALWS
 				if (first) {
 					print_name = &empty_name;
-					first = false;
+					first = ISC_FALSE;
 				}
 #else
 				UNUSED(first); /* Shut up compiler. */
@@ -352,7 +350,7 @@ printsection(dns_message_t *msg, dns_section_t sectionid,
 static isc_result_t
 printrdata(dns_message_t *msg, dns_rdataset_t *rdataset,
 	   const dns_name_t *owner, const char *set_name,
-	   bool headers)
+	   isc_boolean_t headers)
 {
 	isc_buffer_t target;
 	isc_result_t result;
@@ -365,7 +363,7 @@ printrdata(dns_message_t *msg, dns_rdataset_t *rdataset,
 
 	isc_buffer_init(&target, tbuf, sizeof(tbuf));
 
-	result = dns_rdataset_totext(rdataset, owner, false, false,
+	result = dns_rdataset_totext(rdataset, owner, ISC_FALSE, ISC_FALSE,
 				     &target);
 	if (result != ISC_R_SUCCESS)
 		return (result);
@@ -402,8 +400,8 @@ chase_cnamechain(dns_message_t *msg, dns_name_t *qname) {
 }
 
 static isc_result_t
-printmessage(dig_query_t *query, dns_message_t *msg, bool headers) {
-	bool did_flag = false;
+printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
+	isc_boolean_t did_flag = ISC_FALSE;
 	dns_rdataset_t *opt, *tsig = NULL;
 	const dns_name_t *tsigname;
 	isc_result_t result = ISC_R_SUCCESS;
@@ -426,7 +424,7 @@ printmessage(dig_query_t *query, dns_message_t *msg, bool headers) {
 				    sizeof(sockstr));
 		printf("Address: %s\n", sockstr);
 		printf("Aliases: \n\n");
-		printed_server = true;
+		printed_server = ISC_TRUE;
 	}
 
 	if (msg->rcode != 0) {
@@ -458,22 +456,22 @@ printmessage(dig_query_t *query, dns_message_t *msg, bool headers) {
 		dns_name_copy(query->lookup->name, name, NULL);
 		chase_cnamechain(msg, name);
 		dns_name_format(name, namestr, sizeof(namestr));
-		lookup = clone_lookup(query->lookup, false);
+		lookup = clone_lookup(query->lookup, ISC_FALSE);
 		if (lookup != NULL) {
 			strlcpy(lookup->textname, namestr,
 				sizeof(lookup->textname));
 			lookup->rdtype = dns_rdatatype_aaaa;
-			lookup->rdtypeset = true;
+			lookup->rdtypeset = ISC_TRUE;
 			lookup->origin = NULL;
 			lookup->retries = tries;
 			ISC_LIST_APPEND(lookup_list, lookup, link);
 		}
-		lookup = clone_lookup(query->lookup, false);
+		lookup = clone_lookup(query->lookup, ISC_FALSE);
 		if (lookup != NULL) {
 			strlcpy(lookup->textname, namestr,
 				sizeof(lookup->textname));
 			lookup->rdtype = dns_rdatatype_mx;
-			lookup->rdtypeset = true;
+			lookup->rdtypeset = ISC_TRUE;
 			lookup->origin = NULL;
 			lookup->retries = tries;
 			ISC_LIST_APPEND(lookup_list, lookup, link);
@@ -487,31 +485,31 @@ printmessage(dig_query_t *query, dns_message_t *msg, bool headers) {
 		printf(";; flags: ");
 		if ((msg->flags & DNS_MESSAGEFLAG_QR) != 0) {
 			printf("qr");
-			did_flag = true;
+			did_flag = ISC_TRUE;
 		}
 		if ((msg->flags & DNS_MESSAGEFLAG_AA) != 0) {
 			printf("%saa", did_flag ? " " : "");
-			did_flag = true;
+			did_flag = ISC_TRUE;
 		}
 		if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0) {
 			printf("%stc", did_flag ? " " : "");
-			did_flag = true;
+			did_flag = ISC_TRUE;
 		}
 		if ((msg->flags & DNS_MESSAGEFLAG_RD) != 0) {
 			printf("%srd", did_flag ? " " : "");
-			did_flag = true;
+			did_flag = ISC_TRUE;
 		}
 		if ((msg->flags & DNS_MESSAGEFLAG_RA) != 0) {
 			printf("%sra", did_flag ? " " : "");
-			did_flag = true;
+			did_flag = ISC_TRUE;
 		}
 		if ((msg->flags & DNS_MESSAGEFLAG_AD) != 0) {
 			printf("%sad", did_flag ? " " : "");
-			did_flag = true;
+			did_flag = ISC_TRUE;
 		}
 		if ((msg->flags & DNS_MESSAGEFLAG_CD) != 0) {
 			printf("%scd", did_flag ? " " : "");
-			did_flag = true;
+			did_flag = ISC_TRUE;
 			POST(did_flag);
 		}
 		printf("; QUERY: %u, ANSWER: %u, "
@@ -534,7 +532,7 @@ printmessage(dig_query_t *query, dns_message_t *msg, bool headers) {
 	    !short_form) {
 		printf("\n");
 		result = printsection(msg, DNS_SECTION_QUESTION, "QUESTION",
-				      true, query);
+				      ISC_TRUE, query);
 		if (result != ISC_R_SUCCESS)
 			return (result);
 	}
@@ -542,7 +540,7 @@ printmessage(dig_query_t *query, dns_message_t *msg, bool headers) {
 		if (!short_form)
 			printf("\n");
 		result = printsection(msg, DNS_SECTION_ANSWER, "ANSWER",
-				      !short_form, query);
+				      ISC_TF(!short_form), query);
 		if (result != ISC_R_SUCCESS)
 			return (result);
 	}
@@ -551,7 +549,7 @@ printmessage(dig_query_t *query, dns_message_t *msg, bool headers) {
 	    !short_form) {
 		printf("\n");
 		result = printsection(msg, DNS_SECTION_AUTHORITY, "AUTHORITY",
-				      true, query);
+				      ISC_TRUE, query);
 		if (result != ISC_R_SUCCESS)
 			return (result);
 	}
@@ -559,14 +557,14 @@ printmessage(dig_query_t *query, dns_message_t *msg, bool headers) {
 	    !short_form) {
 		printf("\n");
 		result = printsection(msg, DNS_SECTION_ADDITIONAL,
-				      "ADDITIONAL", true, query);
+				      "ADDITIONAL", ISC_TRUE, query);
 		if (result != ISC_R_SUCCESS)
 			return (result);
 	}
 	if ((tsig != NULL) && !short_form) {
 		printf("\n");
 		result = printrdata(msg, tsig, tsigname,
-				    "PSEUDOSECTION TSIG", true);
+				    "PSEUDOSECTION TSIG", ISC_TRUE);
 		if (result != ISC_R_SUCCESS)
 			return (result);
 	}
@@ -601,7 +599,7 @@ pre_parse_args(int argc, char **argv) {
 	while ((c = isc_commandline_parse(argc, argv, optstring)) != -1) {
 		switch (c) {
 		case 'm':
-			memdebugging = true;
+			memdebugging = ISC_TRUE;
 			if (strcasecmp("trace", isc_commandline_argument) == 0)
 				isc_mem_debugging |= ISC_MEM_DEBUGTRACE;
 			else if (strcasecmp("record",
@@ -615,50 +613,49 @@ pre_parse_args(int argc, char **argv) {
 		case '4':
 			if (ipv6only)
 				fatal("only one of -4 and -6 allowed");
-			ipv4only = true;
+			ipv4only = ISC_TRUE;
 			break;
 		case '6':
 			if (ipv4only)
 				fatal("only one of -4 and -6 allowed");
-			ipv6only = true;
+			ipv6only = ISC_TRUE;
 			break;
 		case 'a': break;
 		case 'A': break;
 		case 'c': break;
-		case 'C': break;
 		case 'd': break;
-		case 'D':
-			if (debugging)
-				debugtiming = true;
-			debugging = true;
-			break;
 		case 'i': break;
 		case 'l': break;
 		case 'n': break;
-		case 'N': break;
 		case 'r': break;
-		case 'R': break;
 		case 's': break;
 		case 't': break;
-		case 'T': break;
-		case 'U': break;
 		case 'v': break;
 		case 'V':
 			  version();
 			  exit(0);
 			  break;
 		case 'w': break;
+		case 'C': break;
+		case 'D':
+			if (debugging)
+				debugtiming = ISC_TRUE;
+			debugging = ISC_TRUE;
+			break;
+		case 'N': break;
+		case 'R': break;
+		case 'T': break;
 		case 'W': break;
 		default:
 			show_usage();
 		}
 	}
-	isc_commandline_reset = true;
+	isc_commandline_reset = ISC_TRUE;
 	isc_commandline_index = 1;
 }
 
 static void
-parse_args(bool is_batchfile, int argc, char **argv) {
+parse_args(isc_boolean_t is_batchfile, int argc, char **argv) {
 	char hostname[MXNAME];
 	dig_lookup_t *lookup;
 	int c;
@@ -667,30 +664,30 @@ parse_args(bool is_batchfile, int argc, char **argv) {
 	isc_result_t result = ISC_R_SUCCESS;
 	dns_rdatatype_t rdtype;
 	dns_rdataclass_t rdclass;
-	uint32_t serial = 0;
+	isc_uint32_t serial = 0;
 
 	UNUSED(is_batchfile);
 
 	lookup = make_empty_lookup();
 
-	lookup->servfail_stops = false;
-	lookup->comments = false;
+	lookup->servfail_stops = ISC_FALSE;
+	lookup->comments = ISC_FALSE;
 	short_form = !verbose;
 
 	while ((c = isc_commandline_parse(argc, argv, optstring)) != -1) {
 		switch (c) {
 		case 'l':
-			lookup->tcp_mode = true;
+			lookup->tcp_mode = ISC_TRUE;
 			lookup->rdtype = dns_rdatatype_axfr;
-			lookup->rdtypeset = true;
+			lookup->rdtypeset = ISC_TRUE;
 			fatalexit = 3;
 			break;
 		case 'v':
 		case 'd':
-			short_form = false;
+			short_form = ISC_FALSE;
 			break;
 		case 'r':
-			lookup->recurse = false;
+			lookup->recurse = ISC_FALSE;
 			break;
 		case 't':
 			if (strncasecmp(isc_commandline_argument,
@@ -715,23 +712,23 @@ parse_args(bool is_batchfile, int argc, char **argv) {
 			if (!lookup->rdtypeset ||
 			    lookup->rdtype != dns_rdatatype_axfr)
 				lookup->rdtype = rdtype;
-			lookup->rdtypeset = true;
+			lookup->rdtypeset = ISC_TRUE;
 			if (rdtype == dns_rdatatype_axfr) {
 				/* -l -t any -v */
 				list_type = dns_rdatatype_any;
-				short_form = false;
-				lookup->tcp_mode = true;
+				short_form = ISC_FALSE;
+				lookup->tcp_mode = ISC_TRUE;
 			} else if (rdtype == dns_rdatatype_ixfr) {
 				lookup->ixfr_serial = serial;
-				lookup->tcp_mode = true;
+				lookup->tcp_mode = ISC_TRUE;
 				list_type = rdtype;
 			} else if (rdtype == dns_rdatatype_any) {
 				if (!lookup->tcp_mode_set)
-					lookup->tcp_mode = true;
+					lookup->tcp_mode = ISC_TRUE;
 			} else
 				list_type = rdtype;
-			list_addresses = false;
-			default_lookups = false;
+			list_addresses = ISC_FALSE;
+			default_lookups = ISC_FALSE;
 			break;
 		case 'c':
 			tr.base = isc_commandline_argument;
@@ -745,25 +742,25 @@ parse_args(bool is_batchfile, int argc, char **argv) {
 				      isc_commandline_argument);
 			} else {
 				lookup->rdclass = rdclass;
-				lookup->rdclassset = true;
+				lookup->rdclassset = ISC_TRUE;
 			}
-			default_lookups = false;
+			default_lookups = ISC_FALSE;
 			break;
 		case 'A':
-			list_almost_all = true;
+			list_almost_all = ISC_TRUE;
 			/* FALL THROUGH */
 		case 'a':
 			if (!lookup->rdtypeset ||
 			    lookup->rdtype != dns_rdatatype_axfr)
 				lookup->rdtype = dns_rdatatype_any;
 			list_type = dns_rdatatype_any;
-			list_addresses = false;
-			lookup->rdtypeset = true;
-			short_form = false;
-			default_lookups = false;
+			list_addresses = ISC_FALSE;
+			lookup->rdtypeset = ISC_TRUE;
+			short_form = ISC_FALSE;
+			default_lookups = ISC_FALSE;
 			break;
 		case 'i':
-			/* deprecated */
+			lookup->ip6_int = ISC_TRUE;
 			break;
 		case 'n':
 			/* deprecated */
@@ -789,23 +786,23 @@ parse_args(bool is_batchfile, int argc, char **argv) {
 				tries = 2;
 			break;
 		case 'T':
-			lookup->tcp_mode = true;
-			lookup->tcp_mode_set = true;
+			lookup->tcp_mode = ISC_TRUE;
+			lookup->tcp_mode_set = ISC_TRUE;
 			break;
 		case 'U':
-			lookup->tcp_mode = false;
-			lookup->tcp_mode_set = true;
+			lookup->tcp_mode = ISC_FALSE;
+			lookup->tcp_mode_set = ISC_TRUE;
 			break;
 		case 'C':
 			debug("showing all SOAs");
 			lookup->rdtype = dns_rdatatype_ns;
-			lookup->rdtypeset = true;
+			lookup->rdtypeset = ISC_TRUE;
 			lookup->rdclass = dns_rdataclass_in;
-			lookup->rdclassset = true;
-			lookup->ns_search_only = true;
-			lookup->trace_root = true;
-			lookup->identify_previous_line = true;
-			default_lookups = false;
+			lookup->rdclassset = ISC_TRUE;
+			lookup->ns_search_only = ISC_TRUE;
+			lookup->trace_root = ISC_TRUE;
+			lookup->identify_previous_line = ISC_TRUE;
+			default_lookups = ISC_FALSE;
 			break;
 		case 'N':
 			debug("setting NDOTS to %s",
@@ -822,7 +819,7 @@ parse_args(bool is_batchfile, int argc, char **argv) {
 			/* Handled by pre_parse_args(). */
 			break;
 		case 's':
-			lookup->servfail_stops = true;
+			lookup->servfail_stops = ISC_TRUE;
 			break;
 		}
 	}
@@ -837,22 +834,22 @@ parse_args(bool is_batchfile, int argc, char **argv) {
 	if (argc > isc_commandline_index + 1) {
 		set_nameserver(argv[isc_commandline_index+1]);
 		debug("server is %s", argv[isc_commandline_index+1]);
-		listed_server = true;
+		listed_server = ISC_TRUE;
 	} else
-		check_ra = true;
+		check_ra = ISC_TRUE;
 
-	lookup->pending = false;
-	if (get_reverse(store, sizeof(store), hostname, true)
-	    == ISC_R_SUCCESS) {
+	lookup->pending = ISC_FALSE;
+	if (get_reverse(store, sizeof(store), hostname,
+			lookup->ip6_int, ISC_TRUE) == ISC_R_SUCCESS) {
 		strlcpy(lookup->textname, store, sizeof(lookup->textname));
 		lookup->rdtype = dns_rdatatype_ptr;
-		lookup->rdtypeset = true;
-		default_lookups = false;
+		lookup->rdtypeset = ISC_TRUE;
+		default_lookups = ISC_FALSE;
 	} else {
 		strlcpy(lookup->textname, hostname, sizeof(lookup->textname));
-		usesearch = true;
+		usesearch = ISC_TRUE;
 	}
-	lookup->new_search = true;
+	lookup->new_search = ISC_TRUE;
 	ISC_LIST_APPEND(lookup_list, lookup, link);
 }
 
@@ -881,7 +878,7 @@ main(int argc, char **argv) {
 	check_result(result, "isc_app_start");
 	setup_libs();
 	setup_system(ipv4only, ipv6only);
-	parse_args(false, argc, argv);
+	parse_args(ISC_FALSE, argc, argv);
 	if (keyfile[0] != 0)
 		setup_file_key();
 	else if (keysecret[0] != 0)

bin/dig/host.docbook

@@ -47,7 +47,6 @@
       <year>2016</year>
       <year>2017</year>
       <year>2018</year>
-      <year>2019</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
@@ -180,6 +179,18 @@
 	</listitem>
       </varlistentry>
 
+      <varlistentry>
+	<term>-i</term>
+	<listitem>
+	  <para>
+	    Obsolete.
+	    Use the IP6.INT domain for reverse lookups of IPv6
+	    addresses as defined in RFC1886 and deprecated in RFC4159.
+	    The default is to use IP6.ARPA as specified in RFC3596.
+	  </para>
+	</listitem>
+      </varlistentry>
+
       <varlistentry>
 	<term>-l</term>
 	<listitem>
@@ -378,7 +389,7 @@
       <command>host</command> appropriately converts character encoding of
       domain name before sending a request to DNS server or displaying a
       reply from the server.
-      If you'd like to turn off the IDN support for some reason, define
+      If you'd like to turn off the IDN support for some reason, defines
       the <envar>IDN_DISABLE</envar> environment variable.
       The IDN support is disabled if the variable is set when
       <command>host</command> runs.

bin/dig/host.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -138,6 +138,15 @@
 	    Equivalent to the <code class="option">-v</code> verbose option.
 	  </p>
 	</dd>
+<dt><span class="term">-i</span></dt>
+<dd>
+	  <p>
+	    Obsolete.
+	    Use the IP6.INT domain for reverse lookups of IPv6
+	    addresses as defined in RFC1886 and deprecated in RFC4159.
+	    The default is to use IP6.ARPA as specified in RFC3596.
+	  </p>
+	</dd>
 <dt><span class="term">-l</span></dt>
 <dd>
 	  <p>
@@ -302,7 +311,7 @@
       <span class="command"><strong>host</strong></span> appropriately converts character encoding of
       domain name before sending a request to DNS server or displaying a
       reply from the server.
-      If you'd like to turn off the IDN support for some reason, define
+      If you'd like to turn off the IDN support for some reason, defines
       the <code class="envar">IDN_DISABLE</code> environment variable.
       The IDN support is disabled if the variable is set when
       <span class="command"><strong>host</strong></span> runs.

bin/dig/include/dig/dig.h

@@ -14,19 +14,16 @@
 
 /*! \file */
 
-#include <inttypes.h>
-#include <stdbool.h>
-
 #include <dns/rdatalist.h>
 
 #include <dst/dst.h>
 
+#include <isc/boolean.h>
 #include <isc/buffer.h>
 #include <isc/bufferlist.h>
 #include <isc/formatcheck.h>
 #include <isc/lang.h>
 #include <isc/list.h>
-#include <isc/magic.h>
 #include <isc/mem.h>
 #include <isc/print.h>
 #include <isc/sockaddr.h>
@@ -82,14 +79,9 @@ typedef struct dig_server dig_server_t;
 typedef ISC_LIST(dig_server_t) dig_serverlist_t;
 typedef struct dig_searchlist dig_searchlist_t;
 
-#define DIG_QUERY_MAGIC		ISC_MAGIC('D','i','g','q')
-
-#define DIG_VALID_QUERY(x)	ISC_MAGIC_VALID((x), DIG_QUERY_MAGIC)
-
-
 /*% The dig_lookup structure */
 struct dig_lookup {
-	bool
+	isc_boolean_t
 		pending, /*%< Pending a successful answer */
 		waiting_connect,
 		doing_xfr,
@@ -109,6 +101,7 @@ struct dig_lookup {
 		trace_root, /*% initial query for either +trace or +nssearch */
 		tcp_mode,
 		tcp_mode_set,
+		ip6_int,
 		comments,
 		stats,
 		section_question,
@@ -146,8 +139,8 @@ struct dig_lookup {
 	dns_rdatatype_t rdtype;
 	dns_rdatatype_t qrdtype;
 	dns_rdataclass_t rdclass;
-	bool rdtypeset;
-	bool rdclassset;
+	isc_boolean_t rdtypeset;
+	isc_boolean_t rdclassset;
 	char name_space[BUFSIZE];
 	char oname_space[BUFSIZE];
 	isc_buffer_t namebuf;
@@ -165,17 +158,17 @@ struct dig_lookup {
 	dig_serverlist_t my_server_list;
 	dig_searchlist_t *origin;
 	dig_query_t *xfr_q;
-	uint32_t retries;
+	isc_uint32_t retries;
 	int nsfound;
-	uint16_t udpsize;
-	int16_t edns;
-	int16_t padding;
-	uint32_t ixfr_serial;
+	isc_uint16_t udpsize;
+	isc_int16_t edns;
+	isc_int16_t padding;
+	isc_uint32_t ixfr_serial;
 	isc_buffer_t rdatabuf;
 	char rdatastore[MXNAME];
 	dst_context_t *tsigctx;
 	isc_buffer_t *querysig;
-	uint32_t msgcounter;
+	isc_uint32_t msgcounter;
 	dns_fixedname_t fdomain;
 	isc_sockaddr_t *ecs_addr;
 	char *cookie;
@@ -190,9 +183,8 @@ struct dig_lookup {
 
 /*% The dig_query structure */
 struct dig_query {
-	unsigned int magic;
 	dig_lookup_t *lookup;
-	bool waiting_connect,
+	isc_boolean_t waiting_connect,
 		pending_free,
 		waiting_senddone,
 		first_pass,
@@ -202,26 +194,30 @@ struct dig_query {
 		recv_made,
 		warn_id,
 		timedout;
-	uint32_t first_rr_serial;
-	uint32_t second_rr_serial;
-	uint32_t msg_count;
-	uint32_t rr_count;
-	bool ixfr_axfr;
+	isc_uint32_t first_rr_serial;
+	isc_uint32_t second_rr_serial;
+	isc_uint32_t msg_count;
+	isc_uint32_t rr_count;
+	isc_boolean_t ixfr_axfr;
 	char *servname;
 	char *userarg;
+	isc_bufferlist_t sendlist,
+		recvlist,
+		lengthlist;
 	isc_buffer_t recvbuf,
 		lengthbuf,
-		tmpsendbuf,
-		sendbuf;
-	char *recvspace, *tmpsendspace,
-		lengthspace[4];
+		slbuf;
+	char *recvspace,
+		lengthspace[4],
+		slspace[4];
 	isc_socket_t *sock;
 	ISC_LINK(dig_query_t) link;
 	ISC_LINK(dig_query_t) clink;
 	isc_sockaddr_t sockaddr;
 	isc_time_t time_sent;
 	isc_time_t time_recv;
-	uint64_t byte_count;
+	isc_uint64_t byte_count;
+	isc_buffer_t sendbuf;
 	isc_timer_t *timer;
 };
 
@@ -248,7 +244,7 @@ extern dig_serverlist_t server_list;
 extern dig_searchlistlist_t search_list;
 extern unsigned int extrabytes;
 
-extern bool check_ra, have_ipv4, have_ipv6, specified_source,
+extern isc_boolean_t check_ra, have_ipv4, have_ipv6, specified_source,
 	usesearch, showsearch;
 extern in_port_t port;
 extern unsigned int timeout;
@@ -264,17 +260,17 @@ extern char keysecret[MXNAME];
 extern const dns_name_t *hmacname;
 extern unsigned int digestbits;
 extern dns_tsigkey_t *tsigkey;
-extern bool validated;
+extern isc_boolean_t validated;
 extern isc_taskmgr_t *taskmgr;
 extern isc_task_t *global_task;
-extern bool free_now;
-extern bool debugging, debugtiming, memdebugging;
-extern bool keep_open;
+extern isc_boolean_t free_now;
+extern isc_boolean_t debugging, debugtiming, memdebugging;
+extern isc_boolean_t keep_open;
 
 extern char *progname;
 extern int tries;
 extern int fatalexit;
-extern bool verbose;
+extern isc_boolean_t verbose;
 
 /*
  * Routines in dighost.c.
@@ -286,7 +282,8 @@ int
 getaddresses(dig_lookup_t *lookup, const char *host, isc_result_t *resultp);
 
 isc_result_t
-get_reverse(char *reverse, size_t len, char *value, bool strict);
+get_reverse(char *reverse, size_t len, char *value, isc_boolean_t ip6_int,
+	    isc_boolean_t strict);
 
 ISC_PLATFORM_NORETURN_PRE void
 fatal(const char *format, ...)
@@ -305,7 +302,7 @@ debug(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
 void
 check_result(isc_result_t result, const char *msg);
 
-bool
+isc_boolean_t
 setup_lookup(dig_lookup_t *lookup);
 
 void
@@ -327,14 +324,14 @@ void
 setup_libs(void);
 
 void
-setup_system(bool ipv4only, bool ipv6only);
+setup_system(isc_boolean_t ipv4only, isc_boolean_t ipv6only);
 
 isc_result_t
-parse_uint(uint32_t *uip, const char *value, uint32_t max,
+parse_uint(isc_uint32_t *uip, const char *value, isc_uint32_t max,
 	   const char *desc);
 
 isc_result_t
-parse_xint(uint32_t *uip, const char *value, uint32_t max,
+parse_xint(isc_uint32_t *uip, const char *value, isc_uint32_t max,
 	   const char *desc);
 
 isc_result_t
@@ -344,13 +341,13 @@ void
 parse_hmac(const char *hmacstr);
 
 dig_lookup_t *
-requeue_lookup(dig_lookup_t *lookold, bool servers);
+requeue_lookup(dig_lookup_t *lookold, isc_boolean_t servers);
 
 dig_lookup_t *
 make_empty_lookup(void);
 
 dig_lookup_t *
-clone_lookup(dig_lookup_t *lookold, bool servers);
+clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers);
 
 dig_server_t *
 make_server(const char *servname, const char *userarg);
@@ -379,7 +376,7 @@ set_search_domain(char *domain);
  * then assigned to the appropriate function pointer
  */
 extern isc_result_t
-(*dighost_printmessage)(dig_query_t *query, dns_message_t *msg, bool headers);
+(*dighost_printmessage)(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers);
 /*%<
  * Print the final result of the lookup.
  */
@@ -421,7 +418,7 @@ dig_setup(int argc, char **argv);
  * Call to supply new parameters for the next lookup
  */
 void
-dig_query_setup(bool, bool, int argc, char **argv);
+dig_query_setup(isc_boolean_t, isc_boolean_t, int argc, char **argv);
 
 /*%<
  * set the main application event cycle running

bin/dig/nslookup.1

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004-2007, 2010, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2007, 2010, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -277,17 +277,6 @@ Try the next nameserver if a nameserver responds with SERVFAIL or a referral (no
 .PP
 \fBnslookup\fR
 returns with an exit status of 1 if any query failed, and 0 otherwise\&.
-.SH "IDN SUPPORT"
-.PP
-If
-\fBnslookup\fR
-has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names\&.
-\fBnslookup\fR
-appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server\&. If you\*(Aqd like to turn off the IDN support for some reason, define the
-\fBIDN_DISABLE\fR
-environment variable\&. The IDN support is disabled if the variable is set when
-\fBnslookup\fR
-runs or when the standard output is not a tty\&.
 .SH "FILES"
 .PP
 /etc/resolv\&.conf
@@ -301,5 +290,5 @@ runs or when the standard output is not a tty\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2004-2007, 2010, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004-2007, 2010, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dig/nslookup.c

@@ -11,8 +11,6 @@
 
 #include <config.h>
 
-#include <inttypes.h>
-#include <stdbool.h>
 #include <stdlib.h>
 #include <unistd.h>
 
@@ -55,18 +53,18 @@
 #endif
 #endif
 
-static bool short_form = true,
-	tcpmode = false, tcpmode_set = false,
-	identify = false, stats = true,
-	comments = true, section_question = true,
-	section_answer = true, section_authority = true,
-	section_additional = true, recurse = true,
-	aaonly = false, nofail = true,
-	default_lookups = true, a_noanswer = false;
+static isc_boolean_t short_form = ISC_TRUE,
+	tcpmode = ISC_FALSE, tcpmode_set = ISC_FALSE,
+	identify = ISC_FALSE, stats = ISC_TRUE,
+	comments = ISC_TRUE, section_question = ISC_TRUE,
+	section_answer = ISC_TRUE, section_authority = ISC_TRUE,
+	section_additional = ISC_TRUE, recurse = ISC_TRUE,
+	aaonly = ISC_FALSE, nofail = ISC_TRUE,
+	default_lookups = ISC_TRUE, a_noanswer = ISC_FALSE;
 
-static bool interactive;
+static isc_boolean_t interactive;
 
-static bool in_use = false;
+static isc_boolean_t in_use = ISC_FALSE;
 static char defclass[MXRD] = "IN";
 static char deftype[MXRD] = "A";
 static isc_event_t *global_event = NULL;
@@ -215,7 +213,7 @@ printrdata(dns_rdata_t *rdata) {
 	isc_result_t result;
 	isc_buffer_t *b = NULL;
 	unsigned int size = 1024;
-	bool done = false;
+	isc_boolean_t done = ISC_FALSE;
 
 	if (rdata->type < N_KNOWN_RRTYPES)
 		printf("%s", rtypetext[rdata->type]);
@@ -230,7 +228,7 @@ printrdata(dns_rdata_t *rdata) {
 		if (result == ISC_R_SUCCESS) {
 			printf("%.*s\n", (int)isc_buffer_usedlength(b),
 			       (char *)isc_buffer_base(b));
-			done = true;
+			done = ISC_TRUE;
 		} else if (result != ISC_R_NOSPACE)
 			check_result(result, "dns_rdata_totext");
 		isc_buffer_free(&b);
@@ -239,7 +237,7 @@ printrdata(dns_rdata_t *rdata) {
 }
 
 static isc_result_t
-printsection(dig_query_t *query, dns_message_t *msg, bool headers,
+printsection(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers,
 	     dns_section_t section) {
 	isc_result_t result, loopresult;
 	dns_name_t *name;
@@ -306,7 +304,7 @@ printsection(dig_query_t *query, dns_message_t *msg, bool headers,
 }
 
 static isc_result_t
-detailsection(dig_query_t *query, dns_message_t *msg, bool headers,
+detailsection(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers,
 	     dns_section_t section) {
 	isc_result_t result, loopresult;
 	dns_name_t *name;
@@ -431,7 +429,7 @@ chase_cnamechain(dns_message_t *msg, dns_name_t *qname) {
 }
 
 static isc_result_t
-printmessage(dig_query_t *query, dns_message_t *msg, bool headers) {
+printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 	char servtext[ISC_SOCKADDR_FORMATSIZE];
 
 	/* I've we've gotten this far, we've reached a server. */
@@ -450,10 +448,10 @@ printmessage(dig_query_t *query, dns_message_t *msg, bool headers) {
 	if (!short_form) {
 		puts("------------");
 		/*		detailheader(query, msg);*/
-		detailsection(query, msg, true, DNS_SECTION_QUESTION);
-		detailsection(query, msg, true, DNS_SECTION_ANSWER);
-		detailsection(query, msg, true, DNS_SECTION_AUTHORITY);
-		detailsection(query, msg, true, DNS_SECTION_ADDITIONAL);
+		detailsection(query, msg, ISC_TRUE, DNS_SECTION_QUESTION);
+		detailsection(query, msg, ISC_TRUE, DNS_SECTION_ANSWER);
+		detailsection(query, msg, ISC_TRUE, DNS_SECTION_AUTHORITY);
+		detailsection(query, msg, ISC_TRUE, DNS_SECTION_ADDITIONAL);
 		puts("------------");
 	}
 
@@ -481,12 +479,12 @@ printmessage(dig_query_t *query, dns_message_t *msg, bool headers) {
 		dns_name_copy(query->lookup->name, name, NULL);
 		chase_cnamechain(msg, name);
 		dns_name_format(name, namestr, sizeof(namestr));
-		lookup = clone_lookup(query->lookup, false);
+		lookup = clone_lookup(query->lookup, ISC_FALSE);
 		if (lookup != NULL) {
 			strlcpy(lookup->textname, namestr,
 				sizeof(lookup->textname));
 			lookup->rdtype = dns_rdatatype_aaaa;
-			lookup->rdtypeset = true;
+			lookup->rdtypeset = ISC_TRUE;
 			lookup->origin = NULL;
 			lookup->retries = tries;
 			ISC_LIST_APPEND(lookup_list, lookup, link);
@@ -500,7 +498,7 @@ printmessage(dig_query_t *query, dns_message_t *msg, bool headers) {
 		printsection(query, msg, headers, DNS_SECTION_ANSWER);
 	else {
 		if (default_lookups && query->lookup->rdtype == dns_rdatatype_a)
-			a_noanswer = true;
+			a_noanswer = ISC_TRUE;
 
 		else if (!default_lookups ||
 			 (query->lookup->rdtype == dns_rdatatype_aaaa &&
@@ -522,7 +520,7 @@ printmessage(dig_query_t *query, dns_message_t *msg, bool headers) {
 }
 
 static void
-show_settings(bool full, bool serv_only) {
+show_settings(isc_boolean_t full, isc_boolean_t serv_only) {
 	dig_server_t *srv;
 	isc_sockaddr_t sockaddr;
 	dig_searchlist_t *listent;
@@ -567,7 +565,7 @@ show_settings(bool full, bool serv_only) {
 	printf("\n");
 }
 
-static bool
+static isc_boolean_t
 testtype(char *typetext) {
 	isc_result_t result;
 	isc_textregion_t tr;
@@ -577,14 +575,14 @@ testtype(char *typetext) {
 	tr.length = strlen(typetext);
 	result = dns_rdatatype_fromtext(&rdtype, &tr);
 	if (result == ISC_R_SUCCESS)
-		return (true);
+		return (ISC_TRUE);
 	else {
 		printf("unknown query type: %s\n", typetext);
-		return (false);
+		return (ISC_FALSE);
 	}
 }
 
-static bool
+static isc_boolean_t
 testclass(char *typetext) {
 	isc_result_t result;
 	isc_textregion_t tr;
@@ -594,24 +592,24 @@ testclass(char *typetext) {
 	tr.length = strlen(typetext);
 	result = dns_rdataclass_fromtext(&rdclass, &tr);
 	if (result == ISC_R_SUCCESS)
-		return (true);
+		return (ISC_TRUE);
 	else {
 		printf("unknown query class: %s\n", typetext);
-		return (false);
+		return (ISC_FALSE);
 	}
 }
 
 static void
 set_port(const char *value) {
-	uint32_t n;
+	isc_uint32_t n;
 	isc_result_t result = parse_uint(&n, value, 65535, "port");
 	if (result == ISC_R_SUCCESS)
-		port = (uint16_t) n;
+		port = (isc_uint16_t) n;
 }
 
 static void
 set_timeout(const char *value) {
-	uint32_t n;
+	isc_uint32_t n;
 	isc_result_t result = parse_uint(&n, value, UINT_MAX, "timeout");
 	if (result == ISC_R_SUCCESS)
 		timeout = n;
@@ -619,7 +617,7 @@ set_timeout(const char *value) {
 
 static void
 set_tries(const char *value) {
-	uint32_t n;
+	isc_uint32_t n;
 	isc_result_t result = parse_uint(&n, value, INT_MAX, "tries");
 	if (result == ISC_R_SUCCESS)
 		tries = n;
@@ -627,7 +625,7 @@ set_tries(const char *value) {
 
 static void
 set_ndots(const char *value) {
-	uint32_t n;
+	isc_uint32_t n;
 	isc_result_t result = parse_uint(&n, value, 128, "ndots");
 	if (result == ISC_R_SUCCESS)
 		ndots = n;
@@ -646,7 +644,7 @@ setoption(char *opt) {
 	((l >= N) && (l < sizeof(A)) && (strncasecmp(opt, A, l) == 0))
 
 	if (CHECKOPT("all", 3)) {
-		show_settings(true, false);
+		show_settings(ISC_TRUE, ISC_FALSE);
 	} else if (strncasecmp(opt, "class=", 6) == 0) {
 		if (testclass(&opt[6]))
 			strlcpy(defclass, &opt[6], sizeof(defclass));
@@ -656,41 +654,41 @@ setoption(char *opt) {
 	} else if (strncasecmp(opt, "type=", 5) == 0) {
 		if (testtype(&opt[5])) {
 			strlcpy(deftype, &opt[5], sizeof(deftype));
-			default_lookups = false;
+			default_lookups = ISC_FALSE;
 		}
 	} else if (strncasecmp(opt, "ty=", 3) == 0) {
 		if (testtype(&opt[3])) {
 			strlcpy(deftype, &opt[3], sizeof(deftype));
-			default_lookups = false;
+			default_lookups = ISC_FALSE;
 		}
 	} else if (strncasecmp(opt, "querytype=", 10) == 0) {
 		if (testtype(&opt[10])) {
 			strlcpy(deftype, &opt[10], sizeof(deftype));
-			default_lookups = false;
+			default_lookups = ISC_FALSE;
 		}
 	} else if (strncasecmp(opt, "query=", 6) == 0) {
 		if (testtype(&opt[6])) {
 			strlcpy(deftype, &opt[6], sizeof(deftype));
-			default_lookups = false;
+			default_lookups = ISC_FALSE;
 		}
 	} else if (strncasecmp(opt, "qu=", 3) == 0) {
 		if (testtype(&opt[3])) {
 			strlcpy(deftype, &opt[3], sizeof(deftype));
-			default_lookups = false;
+			default_lookups = ISC_FALSE;
 		}
 	} else if (strncasecmp(opt, "q=", 2) == 0) {
 		if (testtype(&opt[2])) {
 			strlcpy(deftype, &opt[2], sizeof(deftype));
-			default_lookups = false;
+			default_lookups = ISC_FALSE;
 		}
 	} else if (strncasecmp(opt, "domain=", 7) == 0) {
 		strlcpy(domainopt, &opt[7], sizeof(domainopt));
 		set_search_domain(domainopt);
-		usesearch = true;
+		usesearch = ISC_TRUE;
 	} else if (strncasecmp(opt, "do=", 3) == 0) {
 		strlcpy(domainopt, &opt[3], sizeof(domainopt));
 		set_search_domain(domainopt);
-		usesearch = true;
+		usesearch = ISC_TRUE;
 	} else if (strncasecmp(opt, "port=", 5) == 0) {
 		set_port(&opt[5]);
 	} else if (strncasecmp(opt, "po=", 3) == 0) {
@@ -700,43 +698,43 @@ setoption(char *opt) {
 	} else if (strncasecmp(opt, "t=", 2) == 0) {
 		set_timeout(&opt[2]);
 	} else if (CHECKOPT("recurse", 3)) {
-		recurse = true;
+		recurse = ISC_TRUE;
 	} else if (CHECKOPT("norecurse", 5)) {
-		recurse = false;
+		recurse = ISC_FALSE;
 	} else if (strncasecmp(opt, "retry=", 6) == 0) {
 		set_tries(&opt[6]);
 	} else if (strncasecmp(opt, "ret=", 4) == 0) {
 		set_tries(&opt[4]);
 	} else if (CHECKOPT("defname", 3)) {
-		usesearch = true;
+		usesearch = ISC_TRUE;
 	} else if (CHECKOPT("nodefname", 5)) {
-		usesearch = false;
+		usesearch = ISC_FALSE;
 	} else if (CHECKOPT("vc", 2)) {
-		tcpmode = true;
-		tcpmode_set = true;
+		tcpmode = ISC_TRUE;
+		tcpmode_set = ISC_TRUE;
 	} else if (CHECKOPT("novc", 4)) {
-		tcpmode = false;
-		tcpmode_set = true;
+		tcpmode = ISC_FALSE;
+		tcpmode_set = ISC_TRUE;
 	} else if (CHECKOPT("debug", 3)) {
-		short_form = false;
-		showsearch = true;
+		short_form = ISC_FALSE;
+		showsearch = ISC_TRUE;
 	} else if (CHECKOPT("nodebug", 5)) {
-		short_form = true;
-		showsearch = false;
+		short_form = ISC_TRUE;
+		showsearch = ISC_FALSE;
 	} else if (CHECKOPT("d2", 2)) {
-		debugging = true;
+		debugging = ISC_TRUE;
 	} else if (CHECKOPT("nod2", 4)) {
-		debugging = false;
+		debugging = ISC_FALSE;
 	} else if (CHECKOPT("search", 3)) {
-		usesearch = true;
+		usesearch = ISC_TRUE;
 	} else if (CHECKOPT("nosearch", 5)) {
-		usesearch = false;
+		usesearch = ISC_FALSE;
 	} else if (CHECKOPT("sil", 3)) {
-		/* deprecation_msg = false; */
+		/* deprecation_msg = ISC_FALSE; */
 	} else if (CHECKOPT("fail", 3)) {
-		nofail=false;
+		nofail=ISC_FALSE;
 	} else if (CHECKOPT("nofail", 5)) {
-		nofail=true;
+		nofail=ISC_TRUE;
 	} else if (strncasecmp(opt, "ndots=", 6) == 0) {
 		set_ndots(&opt[6]);
 	} else {
@@ -755,7 +753,7 @@ addlookup(char *opt) {
 
 	debug("addlookup()");
 
-	a_noanswer = false;
+	a_noanswer = ISC_FALSE;
 
 	tr.base = deftype;
 	tr.length = strlen(deftype);
@@ -772,21 +770,21 @@ addlookup(char *opt) {
 		rdclass = dns_rdataclass_in;
 	}
 	lookup = make_empty_lookup();
-	if (get_reverse(store, sizeof(store), opt, true)
+	if (get_reverse(store, sizeof(store), opt, lookup->ip6_int, ISC_TRUE)
 	    == ISC_R_SUCCESS) {
 		strlcpy(lookup->textname, store, sizeof(lookup->textname));
 		lookup->rdtype = dns_rdatatype_ptr;
-		lookup->rdtypeset = true;
+		lookup->rdtypeset = ISC_TRUE;
 	} else {
 		strlcpy(lookup->textname, opt, sizeof(lookup->textname));
 		lookup->rdtype = rdtype;
-		lookup->rdtypeset = true;
+		lookup->rdtypeset = ISC_TRUE;
 	}
 	lookup->rdclass = rdclass;
-	lookup->rdclassset = true;
-	lookup->trace = false;
+	lookup->rdclassset = ISC_TRUE;
+	lookup->trace = ISC_FALSE;
 	lookup->trace_root = lookup->trace;
-	lookup->ns_search_only = false;
+	lookup->ns_search_only = ISC_FALSE;
 	lookup->identify = identify;
 	lookup->recurse = recurse;
 	lookup->aaonly = aaonly;
@@ -794,7 +792,7 @@ addlookup(char *opt) {
 	lookup->udpsize = 0;
 	lookup->comments = comments;
 	if (lookup->rdtype == dns_rdatatype_any && !tcpmode_set)
-		lookup->tcp_mode = true;
+		lookup->tcp_mode = ISC_TRUE;
 	else
 		lookup->tcp_mode = tcpmode;
 	lookup->stats = stats;
@@ -802,9 +800,9 @@ addlookup(char *opt) {
 	lookup->section_answer = section_answer;
 	lookup->section_authority = section_authority;
 	lookup->section_additional = section_additional;
-	lookup->new_search = true;
+	lookup->new_search = ISC_TRUE;
 	if (nofail)
-		lookup->servfail_stops = false;
+		lookup->servfail_stops = ISC_FALSE;
 	ISC_LIST_INIT(lookup->q);
 	ISC_LINK_INIT(lookup, link);
 	ISC_LIST_APPEND(lookup_list, lookup, link);
@@ -828,11 +826,11 @@ do_next_command(char *input) {
 		 (strcasecmp(ptr, "lserver") == 0)) {
 		isc_app_block();
 		set_nameserver(arg);
-		check_ra = false;
+		check_ra = ISC_FALSE;
 		isc_app_unblock();
-		show_settings(true, true);
+		show_settings(ISC_TRUE, ISC_TRUE);
 	} else if (strcasecmp(ptr, "exit") == 0) {
-		in_use = false;
+		in_use = ISC_FALSE;
 	} else if (strcasecmp(ptr, "help") == 0 ||
 		   strcasecmp(ptr, "?") == 0) {
 		printf("The '%s' command is not yet implemented.\n", ptr);
@@ -869,7 +867,7 @@ get_next_command(void) {
 		ptr = fgets(buf, COMMSIZE, stdin);
 	isc_app_unblock();
 	if (ptr == NULL) {
-		in_use = false;
+		in_use = ISC_FALSE;
 	} else
 		do_next_command(ptr);
 #ifdef HAVE_READLINE
@@ -879,29 +877,12 @@ get_next_command(void) {
 	isc_mem_free(mctx, buf);
 }
 
-ISC_PLATFORM_NORETURN_PRE static void
-usage(void) ISC_PLATFORM_NORETURN_POST;
-
-static void
-usage(void) {
-    fprintf(stderr, "Usage:\n");
-    fprintf(stderr,
-"   nslookup [-opt ...]             # interactive mode using default server\n");
-    fprintf(stderr,
-"   nslookup [-opt ...] - server    # interactive mode using 'server'\n");
-    fprintf(stderr,
-"   nslookup [-opt ...] host        # just look up 'host' using default server\n");
-    fprintf(stderr,
-"   nslookup [-opt ...] host server # just look up 'host' using 'server'\n");
-    exit(1);
-}
-
 static void
 parse_args(int argc, char **argv) {
-	bool have_lookup = false;
+	isc_boolean_t have_lookup = ISC_FALSE;
 
-	usesearch = true;
-	for (argc--, argv++; argc > 0 && argv[0] != NULL; argc--, argv++) {
+	usesearch = ISC_TRUE;
+	for (argc--, argv++; argc > 0; argc--, argv++) {
 		debug("main parsing %s", argv[0]);
 		if (argv[0][0] == '-') {
 			if (strncasecmp(argv[0], "-ver", 4) == 0) {
@@ -910,18 +891,15 @@ parse_args(int argc, char **argv) {
 			} else if (argv[0][1] != 0) {
 				setoption(&argv[0][1]);
 			} else
-				have_lookup = true;
+				have_lookup = ISC_TRUE;
 		} else {
 			if (!have_lookup) {
-				have_lookup = true;
-				in_use = true;
+				have_lookup = ISC_TRUE;
+				in_use = ISC_TRUE;
 				addlookup(argv[0]);
 			} else {
-				if (argv[1] != NULL) {
-					usage();
-				}
 				set_nameserver(argv[0]);
-				check_ra = false;
+				check_ra = ISC_FALSE;
 			}
 		}
 	}
@@ -943,6 +921,12 @@ flush_lookup_list(void) {
 						  ISC_SOCKCANCEL_ALL);
 				isc_socket_detach(&q->sock);
 			}
+			if (ISC_LINK_LINKED(&q->recvbuf, link))
+				ISC_LIST_DEQUEUE(q->recvlist, &q->recvbuf,
+						 link);
+			if (ISC_LINK_LINKED(&q->lengthbuf, link))
+				ISC_LIST_DEQUEUE(q->lengthlist, &q->lengthbuf,
+						 link);
 			isc_buffer_invalidate(&q->recvbuf);
 			isc_buffer_invalidate(&q->lengthbuf);
 			qp = q;
@@ -986,13 +970,13 @@ int
 main(int argc, char **argv) {
 	isc_result_t result;
 
-	interactive = isatty(0);
+	interactive = ISC_TF(isatty(0));
 
 	ISC_LIST_INIT(lookup_list);
 	ISC_LIST_INIT(server_list);
 	ISC_LIST_INIT(search_list);
 
-	check_ra = true;
+	check_ra = ISC_TRUE;
 
 	/* setup dighost callbacks */
 	dighost_printmessage = printmessage;
@@ -1006,7 +990,7 @@ main(int argc, char **argv) {
 	setup_libs();
 	progname = argv[0];
 
-	setup_system(false, false);
+	setup_system(ISC_FALSE, ISC_FALSE);
 	parse_args(argc, argv);
 	if (keyfile[0] != 0)
 		setup_file_key();
@@ -1020,7 +1004,7 @@ main(int argc, char **argv) {
 	else
 		result = isc_app_onrun(mctx, global_task, getinput, NULL);
 	check_result(result, "isc_app_onrun");
-	in_use = !in_use;
+	in_use = ISC_TF(!in_use);
 
 	(void)isc_app_run();
 

bin/dig/nslookup.docbook

@@ -71,7 +71,6 @@
       <year>2016</year>
       <year>2017</year>
       <year>2018</year>
-      <year>2019</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
@@ -479,22 +478,6 @@ nslookup -query=hinfo  -timeout=10
     </para>
   </refsection>
 
-  <refsection><info><title>IDN SUPPORT</title></info>
-
-    <para>
-      If <command>nslookup</command> has been built with IDN (internationalized
-      domain name) support, it can accept and display non-ASCII domain names.
-      <command>nslookup</command> appropriately converts character encoding of
-      domain name before sending a request to DNS server or displaying a
-      reply from the server.
-      If you'd like to turn off the IDN support for some reason, define
-      the <envar>IDN_DISABLE</envar> environment variable.
-      The IDN support is disabled if the variable is set when
-      <command>nslookup</command> runs or when the standard output is not
-      a tty.
-    </para>
-  </refsection>
-
   <refsection><info><title>FILES</title></info>
 
     <para><filename>/etc/resolv.conf</filename>

bin/dig/nslookup.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2004-2007, 2010, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007, 2010, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -362,31 +362,14 @@ nslookup -query=hinfo  -timeout=10
   </div>
 
   <div class="refsection">
-<a name="id-1.11"></a><h2>IDN SUPPORT</h2>
-
-    <p>
-      If <span class="command"><strong>nslookup</strong></span> has been built with IDN (internationalized
-      domain name) support, it can accept and display non-ASCII domain names.
-      <span class="command"><strong>nslookup</strong></span> appropriately converts character encoding of
-      domain name before sending a request to DNS server or displaying a
-      reply from the server.
-      If you'd like to turn off the IDN support for some reason, define
-      the <code class="envar">IDN_DISABLE</code> environment variable.
-      The IDN support is disabled if the variable is set when
-      <span class="command"><strong>nslookup</strong></span> runs or when the standard output is not
-      a tty.
-    </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.12"></a><h2>FILES</h2>
+<a name="id-1.11"></a><h2>FILES</h2>
 
     <p><code class="filename">/etc/resolv.conf</code>
     </p>
   </div>
 
   <div class="refsection">
-<a name="id-1.13"></a><h2>SEE ALSO</h2>
+<a name="id-1.12"></a><h2>SEE ALSO</h2>
 
     <p><span class="citerefentry">
         <span class="refentrytitle">dig</span>(1)

bin/dig/win32/dig.vcxproj.in

@@ -53,7 +53,7 @@
       </PrecompiledHeader>
       <WarningLevel>Level3</WarningLevel>
       <Optimization>Disabled</Optimization>
-      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>WIN32;@CRYPTO@_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
       <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
@@ -68,7 +68,7 @@
       <GenerateDebugInformation>true</GenerateDebugInformation>
       <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
       <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\irs\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
-      <AdditionalDependencies>@OPENSSL_LIB@dighost.lib;libisc.lib;libisccfg.lib;libirs.lib;libdns.lib;libbind9.lib;@IDN_LIB@ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>dighost.lib;libisc.lib;libisccfg.lib;libirs.lib;libdns.lib;libbind9.lib;@IDN_LIB@ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
     </Link>
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
@@ -79,7 +79,7 @@
       <Optimization>MaxSpeed</Optimization>
       <FunctionLevelLinking>true</FunctionLevelLinking>
       <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
-      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>WIN32;@CRYPTO@NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
       <WholeProgramOptimization>false</WholeProgramOptimization>
       <StringPooling>true</StringPooling>
@@ -98,7 +98,7 @@
       <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
       <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
       <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\irs\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
-      <AdditionalDependencies>@OPENSSL_LIB@dighost.lib;libisc.lib;libisccfg.lib;libirs.lib;libdns.lib;libbind9.lib;@IDN_LIB@ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>dighost.lib;libisc.lib;libisccfg.lib;libirs.lib;libdns.lib;libbind9.lib;@IDN_LIB@ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
     </Link>
   </ItemDefinitionGroup>
   <ItemGroup>

bin/dig/win32/dighost.vcxproj.in

@@ -53,7 +53,7 @@
       </PrecompiledHeader>
       <WarningLevel>Level3</WarningLevel>
       <Optimization>Disabled</Optimization>
-      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>WIN32;@CRYPTO@_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
       <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
@@ -77,7 +77,7 @@
       <Optimization>MaxSpeed</Optimization>
       <FunctionLevelLinking>true</FunctionLevelLinking>
       <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
-      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>WIN32;@CRYPTO@NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
       <WholeProgramOptimization>false</WholeProgramOptimization>
       <StringPooling>true</StringPooling>

bin/dig/win32/host.vcxproj.in

@@ -53,7 +53,7 @@
       </PrecompiledHeader>
       <WarningLevel>Level3</WarningLevel>
       <Optimization>Disabled</Optimization>
-      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>WIN32;@CRYPTO@_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
       <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
@@ -68,7 +68,7 @@
       <GenerateDebugInformation>true</GenerateDebugInformation>
       <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
       <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\irs\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
-      <AdditionalDependencies>@OPENSSL_LIB@dighost.lib;@IDN_LIB@libisc.lib;libisccfg.lib;libirs.lib;libdns.lib;libbind9.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>dighost.lib;@IDN_LIB@libisc.lib;libisccfg.lib;libirs.lib;libdns.lib;libbind9.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
     </Link>
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
@@ -79,7 +79,7 @@
       <Optimization>MaxSpeed</Optimization>
       <FunctionLevelLinking>true</FunctionLevelLinking>
       <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
-      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>WIN32;@CRYPTO@NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
       <WholeProgramOptimization>false</WholeProgramOptimization>
       <StringPooling>true</StringPooling>
@@ -98,7 +98,7 @@
       <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
       <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
       <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\irs\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
-      <AdditionalDependencies>@OPENSSL_LIB@dighost.lib;@IDN_LIB@libisc.lib;libisccfg.lib;libirs.lib;libdns.lib;libbind9.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>dighost.lib;@IDN_LIB@libisc.lib;libisccfg.lib;libirs.lib;libdns.lib;libbind9.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
     </Link>
   </ItemDefinitionGroup>
   <ItemGroup>

bin/dig/win32/nslookup.vcxproj.in

@@ -53,7 +53,7 @@
       </PrecompiledHeader>
       <WarningLevel>Level3</WarningLevel>
       <Optimization>Disabled</Optimization>
-      <PreprocessorDefinitions>WIN32;USE_READLINE_STATIC;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>WIN32;@CRYPTO@USE_READLINE_STATIC;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
       <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
@@ -68,7 +68,7 @@
       <GenerateDebugInformation>true</GenerateDebugInformation>
       <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
       <AdditionalLibraryDirectories>..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\irs\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
-      <AdditionalDependencies>@OPENSSL_LIB@@READLINE_LIBD@@IDN_LIB@libisc.lib;libisccfg.lib;libirs.lib;libdns.lib;libbind9.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>@READLINE_LIBD@@IDN_LIB@libisc.lib;libisccfg.lib;libirs.lib;libdns.lib;libbind9.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
     </Link>
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
@@ -79,7 +79,7 @@
       <Optimization>MaxSpeed</Optimization>
       <FunctionLevelLinking>true</FunctionLevelLinking>
       <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
-      <PreprocessorDefinitions>WIN32;USE_READLINE_STATIC;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>WIN32;@CRYPTO@USE_READLINE_STATIC;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
       <WholeProgramOptimization>false</WholeProgramOptimization>
       <StringPooling>true</StringPooling>
@@ -98,7 +98,7 @@
       <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
       <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
       <AdditionalLibraryDirectories>..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\irs\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
-      <AdditionalDependencies>@OPENSSL_LIB@@READLINE_LIB@@IDN_LIB@libisc.lib;libisccfg.lib;libirs.lib;libdns.lib;libbind9.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>@READLINE_LIB@@IDN_LIB@libisc.lib;libisccfg.lib;libirs.lib;libdns.lib;libbind9.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
     </Link>
   </ItemDefinitionGroup>
   <ItemGroup>

bin/dnssec/Makefile.in

@@ -15,14 +15,15 @@ VERSION=@BIND9_VERSION@
 
 @BIND9_MAKE_INCLUDES@
 
-CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES} @OPENSSL_INCLUDES@
+CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@
 
-CDEFINES =	-DVERSION=\"${VERSION}\"
+CDEFINES =	-DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \
+		-DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\"
 CWARNINGS =
 
-DNSLIBS =	../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
-ISCLIBS =	../../lib/isc/libisc.@A@ @OPENSSL_LIBS@
-ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LIBS@
+DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
+ISCLIBS =	../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @ISC_OPENSSL_LIBS@
 
 DNSDEPLIBS =	../../lib/dns/libdns.@A@
 ISCDEPLIBS =	../../lib/isc/libisc.@A@
@@ -115,12 +116,12 @@ installdirs:
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
 
 install:: ${TARGETS} installdirs
-	for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir} || exit 1; done
-	for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8 || exit 1; done
+	for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir}; done
+	for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done
 
 uninstall::
-	for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m || exit 1; done
-	for t in ${TARGETS}; do ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/$$t || exit 1; done
+	for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m ; done
+	for t in ${TARGETS}; do ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/$$t ; done
 
 clean distclean::
 	rm -f ${TARGETS}

bin/dnssec/dnssec-cds.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2017-2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2017, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -102,7 +102,7 @@ Specify a digest algorithm to use when converting CDNSKEY records to DS records\
 .sp
 The
 \fIalgorithm\fR
-must be one of SHA\-1, SHA\-256, or SHA\-384\&. These values are case insensitive, and the hyphen may be omitted\&. If no algorithm is specified, the default is SHA\-256\&.
+must be one of SHA\-1 (SHA1), SHA\-256 (SHA256), GOST, or SHA\-384 (SHA384)\&. These values are case insensitive\&. If no algorithm is specified, the default is SHA\-256\&.
 .RE
 .PP
 \-c \fIclass\fR
@@ -293,5 +293,5 @@ RFC 7344\&.
 .RE
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2017-2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2017, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dnssec/dnssec-cds.c

@@ -19,8 +19,6 @@
 #include <config.h>
 
 #include <errno.h>
-#include <inttypes.h>
-#include <stdbool.h>
 #include <stdlib.h>
 
 #include <isc/buffer.h>
@@ -55,14 +53,14 @@
 
 #include <dst/dst.h>
 
-#if USE_PKCS11
+#if HAVE_PKCS11
 #include <pk11/result.h>
 #endif
 
 #include "dnssectool.h"
 
 #ifndef PATH_MAX
-#define PATH_MAX 1024   /* WIN32, and others don't define this. */
+#define PATH_MAX 1024   /* AIX, WIN32, and others don't define this. */
 #endif
 
 const char *program = "dnssec-cds";
@@ -86,7 +84,7 @@ static dns_rdataclass_t rdclass = dns_rdataclass_in;
  * List of digest types used by ds_from_cdnskey(), filled in by add_dtype()
  * from -a arguments. The size of the array is an arbitrary limit.
  */
-static dns_dsdigest_t dtype[8];
+static isc_uint8_t dtype[8];
 
 static const char *startstr  = NULL;	/* from which we derive notbefore */
 static isc_stdtime_t notbefore = 0;	/* restrict sig inception times */
@@ -129,7 +127,7 @@ static int nkey; /* number of child zone DNSKEY records */
 typedef struct keyinfo {
 	dns_rdata_t rdata;
 	dst_key_t *dst;
-	dns_secalg_t algo;
+	isc_uint8_t algo;
 	dns_keytag_t tag;
 } keyinfo_t;
 
@@ -163,8 +161,8 @@ verbose_time(int level, const char *msg, isc_stdtime_t time) {
 	if (verbose < 3) {
 		vbprintf(level, "%s %s\n", msg, timestr);
 	} else {
-		vbprintf(level, "%s %s (%" PRIu32 ")\n",
-			 msg, timestr, time);
+		vbprintf(level, "%s %s (%lld)\n",
+			 msg, timestr, (long long)time);
 	}
 }
 
@@ -260,7 +258,7 @@ load_db(const char *filename, dns_db_t **dbp, dns_dbnode_t **nodep) {
 		      isc_result_totext(result));
 	}
 
-	result = dns_db_findnode(*dbp, name, false, nodep);
+	result = dns_db_findnode(*dbp, name, ISC_FALSE, nodep);
 	if (result != ISC_R_SUCCESS) {
 		fatal("can't find %s node in %s", namestr, filename);
 	}
@@ -314,7 +312,7 @@ get_dsset_name(char *filename, size_t size,
 		}
 		isc_buffer_putstr(&buf, prefix);
 
-		result = dns_name_tofilenametext(name, false, &buf);
+		result = dns_name_tofilenametext(name, ISC_FALSE, &buf);
 		check_result(result, "dns_name_tofilenametext()");
 		if (isc_buffer_availablelength(&buf) == 0) {
 			fatal("%s: pathname too long", path);
@@ -402,7 +400,7 @@ formatset(dns_rdataset_t *rdataset) {
 
 static void
 write_parent_set(const char *path, const char *inplace,
-		 bool nsupdate, dns_rdataset_t *rdataset)
+		 isc_boolean_t nsupdate, dns_rdataset_t *rdataset)
 {
 	isc_result_t result;
 	isc_buffer_t *buf = NULL;
@@ -469,7 +467,7 @@ typedef enum { LOOSE, TIGHT } strictness_t;
 /*
  * Find out if any (C)DS record matches a particular (C)DNSKEY.
  */
-static bool
+static isc_boolean_t
 match_key_dsset(keyinfo_t *ki, dns_rdataset_t *dsset, strictness_t strictness)
 {
 	isc_result_t result;
@@ -482,7 +480,8 @@ match_key_dsset(keyinfo_t *ki, dns_rdataset_t *dsset, strictness_t strictness)
 		dns_rdata_ds_t ds;
 		dns_rdata_t dsrdata = DNS_RDATA_INIT;
 		dns_rdata_t newdsrdata = DNS_RDATA_INIT;
-		bool c;
+		dns_rdatatype_t keytype;
+		isc_boolean_t c;
 
 		dns_rdataset_current(dsset, &dsrdata);
 		result = dns_rdata_tostruct(&dsrdata, &ds, NULL);
@@ -492,8 +491,12 @@ match_key_dsset(keyinfo_t *ki, dns_rdataset_t *dsset, strictness_t strictness)
 			continue;
 		}
 
+		/* allow for both DNSKEY and CDNSKEY */
+		keytype = ki->rdata.type;
+		ki->rdata.type = dns_rdatatype_dnskey;
 		result = dns_ds_buildrdata(name, &ki->rdata, ds.digest_type,
 					   dsbuf, &newdsrdata);
+		ki->rdata.type = keytype;
 		if (result != ISC_R_SUCCESS) {
 			vbprintf(3, "dns_ds_buildrdata("
 				 "keytag=%d, algo=%d, digest=%d): %s\n",
@@ -508,13 +511,13 @@ match_key_dsset(keyinfo_t *ki, dns_rdataset_t *dsset, strictness_t strictness)
 			vbprintf(1, "found matching %s %d %d %d\n",
 				 c ? "CDS" : "DS",
 				 ds.key_tag, ds.algorithm, ds.digest_type);
-			return (true);
+			return (ISC_TRUE);
 		} else if (strictness == TIGHT) {
 			vbprintf(0, "key does not match %s %d %d %d "
 				"when it looks like it should\n",
 				 c ? "CDS" : "DS",
 				 ds.key_tag, ds.algorithm, ds.digest_type);
-			return (false);
+			return (ISC_FALSE);
 		}
 	}
 
@@ -525,7 +528,7 @@ match_key_dsset(keyinfo_t *ki, dns_rdataset_t *dsset, strictness_t strictness)
 		 ? "CDNSKEY" : "DNSKEY",
 		 ki->tag, ki->algo);
 
-	return (false);
+	return (ISC_FALSE);
 }
 
 /*
@@ -568,7 +571,7 @@ match_keyset_dsset(dns_rdataset_t *keyset, dns_rdataset_t *dsset,
 		ki->algo = dnskey.algorithm;
 
 		dns_rdata_toregion(keyrdata, &r);
-		ki->tag = dst_region_computeid(&r);
+		ki->tag = dst_region_computeid(&r, ki->algo);
 
 		ki->dst = NULL;
 		if (!match_key_dsset(ki, dsset, strictness)) {
@@ -614,12 +617,12 @@ free_keytable(keyinfo_t **keytable_p) {
  * otherwise the key algorithm. This is used by the signature coverage
  * check functions below.
  */
-static dns_secalg_t *
+static isc_uint8_t *
 matching_sigs(keyinfo_t *keytbl, dns_rdataset_t *rdataset,
 	      dns_rdataset_t *sigset)
 {
 	isc_result_t result;
-	dns_secalg_t *algo;
+	isc_uint8_t *algo;
 	int i;
 
 	algo = isc_mem_get(mctx, nkey);
@@ -665,7 +668,7 @@ matching_sigs(keyinfo_t *keytbl, dns_rdataset_t *rdataset,
 			}
 
 			result = dns_dnssec_verify(name, rdataset, ki->dst,
-						   false, 0, mctx,
+						   ISC_FALSE, 0, mctx,
 						   &sigrdata, NULL);
 
 			if (result != ISC_R_SUCCESS &&
@@ -701,13 +704,13 @@ matching_sigs(keyinfo_t *keytbl, dns_rdataset_t *rdataset,
  * Consume the result of matching_sigs(). When checking records
  * fetched from the child zone, any working signature is enough.
  */
-static bool
-signed_loose(dns_secalg_t *algo) {
-	bool ok = false;
+static isc_boolean_t
+signed_loose(isc_uint8_t *algo) {
+	isc_boolean_t ok = ISC_FALSE;
 	int i;
 	for (i = 0; i < nkey; i++) {
 		if (algo[i] != 0) {
-			ok = true;
+			ok = ISC_TRUE;
 		}
 	}
 	isc_mem_put(mctx, algo, nkey);
@@ -720,10 +723,10 @@ signed_loose(dns_secalg_t *algo) {
  * key algorithm in the DS RRset must have a signature in the DNSKEY
  * RRset.
  */
-static bool
-signed_strict(dns_rdataset_t *dsset, dns_secalg_t *algo) {
+static isc_boolean_t
+signed_strict(dns_rdataset_t *dsset, isc_uint8_t *algo) {
 	isc_result_t result;
-	bool all_ok = true;
+	isc_boolean_t all_ok = ISC_TRUE;
 
 	for (result = dns_rdataset_first(dsset);
 	     result == ISC_R_SUCCESS;
@@ -731,23 +734,23 @@ signed_strict(dns_rdataset_t *dsset, dns_secalg_t *algo) {
 	{
 		dns_rdata_t dsrdata = DNS_RDATA_INIT;
 		dns_rdata_ds_t ds;
-		bool ds_ok;
+		isc_boolean_t ds_ok;
 		int i;
 
 		dns_rdataset_current(dsset, &dsrdata);
 		result = dns_rdata_tostruct(&dsrdata, &ds, NULL);
 		check_result(result, "dns_rdata_tostruct(DS)");
 
-		ds_ok = false;
+		ds_ok = ISC_FALSE;
 		for (i = 0; i < nkey; i++) {
 			if (algo[i] == ds.algorithm) {
-				ds_ok = true;
+				ds_ok = ISC_TRUE;
 			}
 		}
 		if (!ds_ok) {
 			vbprintf(0, "missing signature for algorithm %d "
 				 "(key %d)\n", ds.algorithm, ds.key_tag);
-			all_ok = false;
+			all_ok = ISC_FALSE;
 		}
 	}
 
@@ -821,6 +824,7 @@ ds_from_cdnskey(dns_rdatalist_t *dslist, isc_buffer_t *buf,
 				return (ISC_R_NOSPACE);
 			}
 
+			cdnskey->type = dns_rdatatype_dnskey;
 			rdata = rdata_get();
 			result = dns_ds_buildrdata(name, cdnskey, dtype[i],
 						   r.base, rdata);
@@ -844,14 +848,14 @@ ds_from_cdnskey(dns_rdatalist_t *dslist, isc_buffer_t *buf,
  */
 static int
 cmp_dtype(const void *ap, const void *bp) {
-	int a = *(const dns_dsdigest_t *)ap;
-	int b = *(const dns_dsdigest_t *)bp;
+	int a = *(const isc_uint8_t *)ap;
+	int b = *(const isc_uint8_t *)bp;
 	return (a - b);
 }
 
 static void
 add_dtype(const char *dn) {
-	dns_dsdigest_t dt;
+	isc_uint8_t dt;
 	unsigned i, n;
 
 	dt = strtodsdigest(dn);
@@ -868,7 +872,7 @@ add_dtype(const char *dn) {
 
 static void
 make_new_ds_set(ds_maker_func_t *ds_from_rdata,
-		uint32_t ttl, dns_rdataset_t *rdset)
+		isc_uint32_t ttl, dns_rdataset_t *rdset)
 {
 	unsigned int size = 16;
 	for (;;) {
@@ -930,14 +934,14 @@ rdata_cmp(const void *rdata1, const void *rdata2) {
  * Ensure that every key identified by the DS RRset has the same set of
  * digest types.
  */
-static bool
+static isc_boolean_t
 consistent_digests(dns_rdataset_t *dsset) {
 	isc_result_t result;
 	dns_rdata_t *arrdata;
 	dns_rdata_ds_t *ds;
 	dns_keytag_t key_tag;
-	dns_secalg_t algorithm;
-	bool match;
+	isc_uint8_t algorithm;
+	isc_boolean_t match;
 	int i, j, n, d;
 
 	/*
@@ -991,7 +995,7 @@ consistent_digests(dns_rdataset_t *dsset) {
 	/*
 	 * Check subsequent keys match the first one
 	 */
-	match = true;
+	match = ISC_TRUE;
 	while (i < n) {
 		key_tag = ds[i].key_tag;
 		algorithm = ds[i].algorithm;
@@ -1000,7 +1004,7 @@ consistent_digests(dns_rdataset_t *dsset) {
 			    ds[i+j].algorithm != algorithm ||
 			    ds[i+j].digest_type != ds[j].digest_type)
 			{
-				match = false;
+				match = ISC_FALSE;
 			}
 		}
 		i += d;
@@ -1035,7 +1039,7 @@ print_diff(const char *cmd, dns_rdataset_t *rdataset) {
 }
 
 static void
-update_diff(const char *cmd, uint32_t ttl,
+update_diff(const char *cmd, isc_uint32_t ttl,
 	    dns_rdataset_t *addset, dns_rdataset_t *delset)
 {
 	isc_result_t result;
@@ -1043,7 +1047,7 @@ update_diff(const char *cmd, uint32_t ttl,
 	dns_dbnode_t *node;
 	dns_dbversion_t *ver;
 	dns_rdataset_t diffset;
-	uint32_t save;
+	isc_uint32_t save;
 
 	db = NULL;
 	result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone,
@@ -1055,7 +1059,7 @@ update_diff(const char *cmd, uint32_t ttl,
 	check_result(result, "dns_db_newversion()");
 
 	node = NULL;
-	result = dns_db_findnode(db, name, true, &node);
+	result = dns_db_findnode(db, name, ISC_TRUE, &node);
 	check_result(result, "dns_db_findnode()");
 
 	dns_rdataset_init(&diffset);
@@ -1079,12 +1083,12 @@ update_diff(const char *cmd, uint32_t ttl,
 	}
 
 	dns_db_detachnode(db, &node);
-	dns_db_closeversion(db, &ver, false);
+	dns_db_closeversion(db, &ver, ISC_FALSE);
 	dns_db_detach(&db);
 }
 
 static void
-nsdiff(uint32_t ttl, dns_rdataset_t *oldset, dns_rdataset_t *newset) {
+nsdiff(isc_uint32_t ttl, dns_rdataset_t *oldset, dns_rdataset_t *newset) {
 	if (ttl == 0) {
 		vbprintf(1, "warning: no TTL in nsupdate script\n");
 	}
@@ -1111,7 +1115,7 @@ usage(void) {
 		program);
 	fprintf(stderr, "Version: %s\n", VERSION);
 	fprintf(stderr, "Options:\n"
-"    -a <algorithm>     digest algorithm (SHA-1 / SHA-256 / SHA-384)\n"
+"    -a <algorithm>     digest algorithm (SHA-1 / SHA-256 / GOST / SHA-384)\n"
 "    -c <class>         of domain (default IN)\n"
 "    -D                 prefer CDNSKEY records instead of CDS\n"
 "    -d <file|dir>      where to find parent dsset- file\n"
@@ -1132,9 +1136,9 @@ main(int argc, char *argv[]) {
 	const char *ds_path = NULL;
 	const char *inplace = NULL;
 	isc_result_t result;
-	bool prefer_cdnskey = false;
-	bool nsupdate = false;
-	uint32_t ttl = 0;
+	isc_boolean_t prefer_cdnskey = ISC_FALSE;
+	isc_boolean_t nsupdate = ISC_FALSE;
+	isc_uint32_t ttl = 0;
 	int ch;
 	char *endp;
 
@@ -1143,12 +1147,12 @@ main(int argc, char *argv[]) {
 		fatal("out of memory");
 	}
 
-#if USE_PKCS11
+#if HAVE_PKCS11
 	pk11_result_register();
 #endif
 	dns_result_register();
 
-	isc_commandline_errprint = false;
+	isc_commandline_errprint = ISC_FALSE;
 
 #define OPTIONS "a:c:Dd:f:i:ms:T:uv:V"
 	while ((ch = isc_commandline_parse(argc, argv, OPTIONS)) != -1) {
@@ -1160,7 +1164,7 @@ main(int argc, char *argv[]) {
 			rdclass = strtoclass(isc_commandline_argument);
 			break;
 		case 'D':
-			prefer_cdnskey = true;
+			prefer_cdnskey = ISC_TRUE;
 			break;
 		case 'd':
 			ds_path = isc_commandline_argument;
@@ -1193,7 +1197,7 @@ main(int argc, char *argv[]) {
 			ttl = strtottl(isc_commandline_argument);
 			break;
 		case 'u':
-			nsupdate = true;
+			nsupdate = ISC_TRUE;
 			break;
 		case 'V':
 			/* Does not return. */

bin/dnssec/dnssec-cds.docbook

@@ -40,7 +40,6 @@
     <copyright>
       <year>2017</year>
       <year>2018</year>
-      <year>2019</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
@@ -144,9 +143,9 @@
 	    record. This option has no effect when using CDS records.
           </para>
           <para>
-	    The <replaceable>algorithm</replaceable> must be one of
-	    SHA-1, SHA-256, or SHA-384.  These values are case insensitive,
-	    and the hyphen may be omitted.  If no algorithm is specified,
+	    The <replaceable>algorithm</replaceable> must be one of SHA-1
+	    (SHA1), SHA-256 (SHA256), GOST, or SHA-384 (SHA384). These
+	    values are case insensitive. If no algorithm is specified,
 	    the default is SHA-256.
           </para>
         </listitem>

bin/dnssec/dnssec-cds.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2017-2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2017, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -129,9 +129,9 @@
 	    record. This option has no effect when using CDS records.
           </p>
           <p>
-	    The <em class="replaceable"><code>algorithm</code></em> must be one of
-	    SHA-1, SHA-256, or SHA-384.  These values are case insensitive,
-	    and the hyphen may be omitted.  If no algorithm is specified,
+	    The <em class="replaceable"><code>algorithm</code></em> must be one of SHA-1
+	    (SHA1), SHA-256 (SHA256), GOST, or SHA-384 (SHA384). These
+	    values are case insensitive. If no algorithm is specified,
 	    the default is SHA-256.
           </p>
         </dd>

bin/dnssec/dnssec-dsfromkey.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2008-2012, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2008-2012, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -39,103 +39,61 @@
 dnssec-dsfromkey \- DNSSEC DS RR generation tool
 .SH "SYNOPSIS"
 .HP \w'\fBdnssec\-dsfromkey\fR\ 'u
-\fBdnssec\-dsfromkey\fR [\fB\-1\fR | \fB\-2\fR | \fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR | \fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] {keyfile}
+\fBdnssec\-dsfromkey\fR [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] {keyfile}
 .HP \w'\fBdnssec\-dsfromkey\fR\ 'u
-\fBdnssec\-dsfromkey\fR [\fB\-1\fR | \fB\-2\fR | \fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR | \fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-A\fR] {\fB\-f\ \fR\fB\fIfile\fR\fR} [dnsname]
+\fBdnssec\-dsfromkey\fR {\-s} [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-s\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-f\ \fR\fB\fIfile\fR\fR] [\fB\-A\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {dnsname}
 .HP \w'\fBdnssec\-dsfromkey\fR\ 'u
-\fBdnssec\-dsfromkey\fR [\fB\-1\fR | \fB\-2\fR | \fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR | \fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] {\-s} {dnsname}
-.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
-\fBdnssec\-dsfromkey\fR [\fB\-h\fR | \fB\-V\fR]
+\fBdnssec\-dsfromkey\fR [\fB\-h\fR] [\fB\-V\fR]
 .SH "DESCRIPTION"
 .PP
-The
 \fBdnssec\-dsfromkey\fR
-command outputs DS (Delegation Signer) resource records (RRs) and other similarly\-constructed RRs: with the
-\fB\-l\fR
-option it outputs DLV (DNSSEC Lookaside Validation) RRs; or with the
-\fB\-C\fR
-it outputs CDS (Child DS) RRs\&.
-.PP
-The input keys can be specified in a number of ways:
-.PP
-By default,
-\fBdnssec\-dsfromkey\fR
-reads a key file named like
-Knnnn\&.+aaa+iiiii\&.key, as generated by
-\fBdnssec\-keygen\fR\&.
-.PP
-With the
-\fB\-f \fR\fB\fIfile\fR\fR
-option,
-\fBdnssec\-dsfromkey\fR
-reads keys from a zone file or partial zone file (which can contain just the DNSKEY records)\&.
-.PP
-With the
-\fB\-s\fR
-option,
-\fBdnssec\-dsfromkey\fR
-reads a
-keyset\-
-file, as generated by
-\fBdnssec\-keygen\fR\fB\-C\fR\&.
+outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s)\&.
 .SH "OPTIONS"
 .PP
 \-1
 .RS 4
-An abbreviation for
-\fB\-a SHA1\fR
+Use SHA\-1 as the digest algorithm (the default is to use both SHA\-1 and SHA\-256)\&.
 .RE
 .PP
 \-2
 .RS 4
-An abbreviation for
-\fB\-a SHA\-256\fR
+Use SHA\-256 as the digest algorithm\&.
 .RE
 .PP
 \-a \fIalgorithm\fR
 .RS 4
-Specify a digest algorithm to use when converting DNSKEY records to DS records\&. This option can be repeated, so that multiple DS records are created for each DNSKEY record\&.
-.sp
-The
-\fIalgorithm\fR
-must be one of SHA\-1, SHA\-256, or SHA\-384\&. These values are case insensitive, and the hyphen may be omitted\&. If no algorithm is specified, the default is SHA\-256\&.
-.RE
-.PP
-\-A
-.RS 4
-Include ZSKs when generating DS records\&. Without this option, only keys which have the KSK flag set will be converted to DS records and printed\&. Useful only in
-\fB\-f\fR
-zone file mode\&.
-.RE
-.PP
-\-c \fIclass\fR
-.RS 4
-Specifies the DNS class (default is IN)\&. Useful only in
-\fB\-s\fR
-keyset or
-\fB\-f\fR
-zone file mode\&.
+Select the digest algorithm\&. The value of
+\fBalgorithm\fR
+must be one of SHA\-1 (SHA1), SHA\-256 (SHA256), GOST or SHA\-384 (SHA384)\&. These values are case insensitive\&.
 .RE
 .PP
 \-C
 .RS 4
-Generate CDS records rather than DS records\&. This is mutually exclusive with the
-\fB\-l\fR
-option for generating DLV records\&.
+Generate CDS records rather than DS records\&. This is mutually exclusive with generating lookaside records\&.
+.RE
+.PP
+\-T \fITTL\fR
+.RS 4
+Specifies the TTL of the DS records\&.
+.RE
+.PP
+\-K \fIdirectory\fR
+.RS 4
+Look for key files (or, in keyset mode,
+keyset\-
+files) in
+\fBdirectory\fR\&.
 .RE
 .PP
 \-f \fIfile\fR
 .RS 4
-Zone file mode:
-\fBdnssec\-dsfromkey\fR\*(Aqs final
-\fIdnsname\fR
-argument is the DNS domain name of a zone whose master file can be read from
+Zone file mode: in place of the keyfile name, the argument is the DNS domain name of a zone master file, which can be read from
 \fBfile\fR\&. If the zone name is the same as
 \fBfile\fR, then it may be omitted\&.
 .sp
 If
-\fIfile\fR
-is
+\fBfile\fR
+is set to
 "\-", then the zone data is read from the standard input\&. This makes it possible to use the output of the
 \fBdig\fR
 command as input, as in:
@@ -143,41 +101,26 @@ command as input, as in:
 \fBdig dnskey example\&.com | dnssec\-dsfromkey \-f \- example\&.com\fR
 .RE
 .PP
-\-h
+\-A
 .RS 4
-Prints usage information\&.
-.RE
-.PP
-\-K \fIdirectory\fR
-.RS 4
-Look for key files or
-keyset\-
-files in
-\fBdirectory\fR\&.
+Include ZSKs when generating DS records\&. Without this option, only keys which have the KSK flag set will be converted to DS records and printed\&. Useful only in zone file mode\&.
 .RE
 .PP
 \-l \fIdomain\fR
 .RS 4
 Generate a DLV set instead of a DS set\&. The specified
-\fIdomain\fR
-is appended to the name for each record in the set\&. This is mutually exclusive with the
-\fB\-C\fR
-option for generating CDS records\&.
+\fBdomain\fR
+is appended to the name for each record in the set\&. The DNSSEC Lookaside Validation (DLV) RR is described in RFC 4431\&. This is mutually exclusive with generating CDS records\&.
 .RE
 .PP
 \-s
 .RS 4
-Keyset mode:
-\fBdnssec\-dsfromkey\fR\*(Aqs final
-\fIdnsname\fR
-argument is the DNS domain name used to locate a
-keyset\-
-file\&.
+Keyset mode: in place of the keyfile name, the argument is the DNS domain name of a keyset file\&.
 .RE
 .PP
-\-T \fITTL\fR
+\-c \fIclass\fR
 .RS 4
-Specifies the TTL of the DS records\&. By default the TTL is omitted\&.
+Specifies the DNS class (default is IN)\&. Useful only in keyset or zone file mode\&.
 .RE
 .PP
 \-v \fIlevel\fR
@@ -185,6 +128,11 @@ Specifies the TTL of the DS records\&. By default the TTL is omitted\&.
 Sets the debugging level\&.
 .RE
 .PP
+\-h
+.RS 4
+Prints usage information\&.
+.RE
+.PP
 \-V
 .RS 4
 Prints version information\&.
@@ -193,16 +141,16 @@ Prints version information\&.
 .PP
 To build the SHA\-256 DS RR from the
 \fBKexample\&.com\&.+003+26160\fR
-keyfile name, you can issue the following command:
+keyfile name, the following command would be issued:
 .PP
 \fBdnssec\-dsfromkey \-2 Kexample\&.com\&.+003+26160\fR
 .PP
 The command would print something like:
 .PP
-\fBexample\&.com\&. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94\fR
+\fBexample\&.com\&. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94\fR
 .SH "FILES"
 .PP
-The keyfile can be designated by the key identification
+The keyfile can be designed by the key identification
 Knnnn\&.+aaa+iiiii
 or the full file name
 Knnnn\&.+aaa+iiiii\&.key
@@ -222,20 +170,13 @@ A keyfile error can give a "file not found" even if the file exists\&.
 \fBdnssec-keygen\fR(8),
 \fBdnssec-signzone\fR(8),
 BIND 9 Administrator Reference Manual,
-RFC 3658
-(DS RRs),
-RFC 4431
-(DLV RRs),
-RFC 4509
-(SHA\-256 for DS RRs),
-RFC 6605
-(SHA\-384 for DS RRs),
-RFC 7344
-(CDS and CDNSKEY RRs)\&.
+RFC 3658,
+RFC 4431\&.
+RFC 4509\&.
 .SH "AUTHOR"
 .PP
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2008-2012, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2008-2012, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dnssec/dnssec-dsfromkey.c

@@ -13,8 +13,6 @@
 
 #include <config.h>
 
-#include <inttypes.h>
-#include <stdbool.h>
 #include <stdlib.h>
 
 #include <isc/buffer.h>
@@ -43,14 +41,14 @@
 
 #include <dst/dst.h>
 
-#if USE_PKCS11
+#if HAVE_PKCS11
 #include <pk11/result.h>
 #endif
 
 #include "dnssectool.h"
 
 #ifndef PATH_MAX
-#define PATH_MAX 1024   /* WIN32, and others don't define this. */
+#define PATH_MAX 1024   /* AIX, WIN32, and others don't define this. */
 #endif
 
 const char *program = "dnssec-dsfromkey";
@@ -60,8 +58,8 @@ static dns_rdataclass_t rdclass;
 static dns_fixedname_t	fixed;
 static dns_name_t	*name = NULL;
 static isc_mem_t	*mctx = NULL;
-static uint32_t	ttl;
-static bool	emitttl = false;
+static isc_uint32_t	ttl;
+static isc_boolean_t	emitttl = ISC_FALSE;
 
 static isc_result_t
 initname(char *setname) {
@@ -120,7 +118,7 @@ loadset(const char *filename, dns_rdataset_t *rdataset) {
 			      isc_result_totext(result));
 	}
 
-	result = dns_db_findnode(db, name, false, &node);
+	result = dns_db_findnode(db, name, ISC_FALSE, &node);
 	if (result != ISC_R_SUCCESS)
 		fatal("can't find %s node in %s", setname, filename);
 
@@ -161,7 +159,7 @@ loadkeyset(char *dirname, dns_rdataset_t *rdataset) {
 		return (ISC_R_NOSPACE);
 	isc_buffer_putstr(&buf, "keyset-");
 
-	result = dns_name_tofilenametext(name, false, &buf);
+	result = dns_name_tofilenametext(name, ISC_FALSE, &buf);
 	check_result(result, "dns_name_tofilenametext()");
 	if (isc_buffer_availablelength(&buf) == 0)
 		return (ISC_R_NOSPACE);
@@ -235,8 +233,8 @@ logkey(dns_rdata_t *rdata)
 }
 
 static void
-emit(dns_dsdigest_t dtype, bool showall, char *lookaside,
-     bool cds, dns_rdata_t *rdata)
+emit(unsigned int dtype, isc_boolean_t showall, char *lookaside,
+     isc_boolean_t cds, dns_rdata_t *rdata)
 {
 	isc_result_t result;
 	unsigned char buf[DNS_DS_BUFFERSIZE];
@@ -265,7 +263,7 @@ emit(dns_dsdigest_t dtype, bool showall, char *lookaside,
 	if (result != ISC_R_SUCCESS)
 		fatal("can't build record");
 
-	result = dns_name_totext(name, false, &nameb);
+	result = dns_name_totext(name, ISC_FALSE, &nameb);
 	if (result != ISC_R_SUCCESS)
 		fatal("can't print name");
 
@@ -318,27 +316,30 @@ usage(void) ISC_PLATFORM_NORETURN_POST;
 static void
 usage(void) {
 	fprintf(stderr, "Usage:\n");
-	fprintf(stderr,	"    %s [options] keyfile\n\n", program);
-	fprintf(stderr, "    %s [options] -f zonefile [zonename]\n\n", program);
-	fprintf(stderr, "    %s [options] -s dnsname\n\n", program);
-	fprintf(stderr, "    %s [-h|-V]\n\n", program);
+	fprintf(stderr,	"    %s options [-K dir] keyfile\n\n", program);
+	fprintf(stderr, "    %s options [-K dir] [-c class] -s dnsname\n\n",
+		program);
+	fprintf(stderr, "    %s options -f zonefile (as zone name)\n\n", program);
+	fprintf(stderr, "    %s options -f zonefile zonename\n\n", program);
 	fprintf(stderr, "Version: %s\n", VERSION);
-	fprintf(stderr, "Options:\n"
-"    -1: digest algorithm SHA-1\n"
-"    -2: digest algorithm SHA-256\n"
-"    -a algorithm: digest algorithm (SHA-1, SHA-256 or SHA-384)\n"
-"    -A: include all keys in DS set, not just KSKs (-f only)\n"
-"    -c class: rdata class for DS set (default IN) (-f or -s only)\n"
-"    -C: print CDS records\n"
-"    -f zonefile: read keys from a zone file\n"
-"    -h: print help information\n"
-"    -K directory: where to find key or keyset files\n"
-"    -l zone: print DLV records in the given lookaside zone\n"
-"    -s: read keys from keyset-<dnsname> file\n"
-"    -T: TTL of output records (omitted by default)\n"
-"    -v level: verbosity\n"
-"    -V: print version information\n");
-	fprintf(stderr, "Output: DS, DLV, or CDS RRs\n");
+	fprintf(stderr, "Options:\n");
+	fprintf(stderr, "    -v <verbose level>\n");
+	fprintf(stderr, "    -V: print version information\n");
+	fprintf(stderr, "    -K <directory>: directory in which to find "
+			"key file or keyset file\n");
+	fprintf(stderr, "    -a algorithm: digest algorithm "
+			"(SHA-1, SHA-256, GOST or SHA-384)\n");
+	fprintf(stderr, "    -1: use SHA-1\n");
+	fprintf(stderr, "    -2: use SHA-256\n");
+	fprintf(stderr, "    -C: print CDS record\n");
+	fprintf(stderr, "    -l: add lookaside zone and print DLV records\n");
+	fprintf(stderr, "    -s: read keyset from keyset-<dnsname> file\n");
+	fprintf(stderr, "    -c class: rdata class for DS set (default: IN)\n");
+	fprintf(stderr, "    -T TTL\n");
+	fprintf(stderr, "    -f file: read keyset from zone file\n");
+	fprintf(stderr, "    -A: when used with -f, "
+			"include all keys in DS set, not just KSKs\n");
+	fprintf(stderr, "Output: DS or DLV RRs\n");
 
 	exit (-1);
 }
@@ -350,11 +351,11 @@ main(int argc, char **argv) {
 	char		*lookaside = NULL;
 	char		*endp;
 	int		ch;
-	dns_dsdigest_t	dtype = DNS_DSDIGEST_SHA1;
-	bool	cds = false;
-	bool	both = true;
-	bool	usekeyset = false;
-	bool	showall = false;
+	unsigned int	dtype = DNS_DSDIGEST_SHA1;
+	isc_boolean_t	cds = ISC_FALSE;
+	isc_boolean_t	both = ISC_TRUE;
+	isc_boolean_t	usekeyset = ISC_FALSE;
+	isc_boolean_t	showall = ISC_FALSE;
 	isc_result_t	result;
 	isc_log_t	*log = NULL;
 	dns_rdataset_t	rdataset;
@@ -369,36 +370,36 @@ main(int argc, char **argv) {
 	if (result != ISC_R_SUCCESS)
 		fatal("out of memory");
 
-#if USE_PKCS11
+#if HAVE_PKCS11
 	pk11_result_register();
 #endif
 	dns_result_register();
 
-	isc_commandline_errprint = false;
+	isc_commandline_errprint = ISC_FALSE;
 
 #define OPTIONS "12Aa:Cc:d:Ff:K:l:sT:v:hV"
 	while ((ch = isc_commandline_parse(argc, argv, OPTIONS)) != -1) {
 		switch (ch) {
 		case '1':
 			dtype = DNS_DSDIGEST_SHA1;
-			both = false;
+			both = ISC_FALSE;
 			break;
 		case '2':
 			dtype = DNS_DSDIGEST_SHA256;
-			both = false;
+			both = ISC_FALSE;
 			break;
 		case 'A':
-			showall = true;
+			showall = ISC_TRUE;
 			break;
 		case 'a':
 			dtype = strtodsdigest(isc_commandline_argument);
-			both = false;
+			both = ISC_FALSE;
 			break;
 		case 'C':
 			if (lookaside != NULL)
 				fatal("lookaside and CDS are mutually"
 				      " exclusive");
-			cds = true;
+			cds = ISC_TRUE;
 			break;
 		case 'c':
 			classname = isc_commandline_argument;
@@ -424,10 +425,10 @@ main(int argc, char **argv) {
 				fatal("lookaside must be a non-empty string");
 			break;
 		case 's':
-			usekeyset = true;
+			usekeyset = ISC_TRUE;
 			break;
 		case 'T':
-			emitttl = true;
+			emitttl = ISC_TRUE;
 			ttl = strtottl(isc_commandline_argument);
 			break;
 		case 'v':
@@ -465,7 +466,7 @@ main(int argc, char **argv) {
 
 	/* When not using -f, -A is implicit */
 	if (filename == NULL)
-		showall = true;
+		showall = ISC_TRUE;
 
 	if (argc < isc_commandline_index + 1 && filename == NULL)
 		fatal("the key file name was not specified");

bin/dnssec/dnssec-dsfromkey.docbook

@@ -41,7 +41,6 @@
       <year>2015</year>
       <year>2016</year>
       <year>2018</year>
-      <year>2019</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
@@ -49,108 +48,56 @@
   <refsynopsisdiv>
     <cmdsynopsis sepchar=" ">
       <command>dnssec-dsfromkey</command>
-      <group choice="opt">
-	<arg choice="plain"><option>-1</option></arg>
-	<arg choice="plain"><option>-2</option></arg>
-	<arg choice="plain"><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
-      </group>
-      <group>
-	<arg choice="plain" rep="norepeat"><option>-C</option></arg>
-	<arg choice="plain" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
-      </group>
-      <arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-1</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-2</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-C</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
       <arg choice="req" rep="norepeat">keyfile</arg>
     </cmdsynopsis>
     <cmdsynopsis sepchar=" ">
       <command>dnssec-dsfromkey</command>
-      <group choice="opt">
-	<arg choice="plain"><option>-1</option></arg>
-	<arg choice="plain"><option>-2</option></arg>
-	<arg choice="plain"><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
-      </group>
-      <group>
-	<arg choice="plain" rep="norepeat"><option>-C</option></arg>
-	<arg choice="plain" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
-      </group>
-      <arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-A</option></arg>
-      <arg choice="req" rep="norepeat"><option>-f <replaceable class="parameter">file</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat">dnsname</arg>
-    </cmdsynopsis>
-    <cmdsynopsis sepchar=" ">
-      <command>dnssec-dsfromkey</command>
-      <group choice="opt">
-	<arg choice="plain"><option>-1</option></arg>
-	<arg choice="plain"><option>-2</option></arg>
-	<arg choice="plain"><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
-      </group>
-      <group>
-	<arg choice="plain" rep="norepeat"><option>-C</option></arg>
-	<arg choice="plain" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
-      </group>
-      <arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
       <arg choice="req" rep="norepeat">-s</arg>
+      <arg choice="opt" rep="norepeat"><option>-1</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-2</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-s</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">file</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-A</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
       <arg choice="req" rep="norepeat">dnsname</arg>
-    </cmdsynopsis>
+   </cmdsynopsis>
     <cmdsynopsis sepchar=" ">
       <command>dnssec-dsfromkey</command>
-      <group choice="opt">
-	<arg choice="plain" rep="norepeat"><option>-h</option></arg>
-	<arg choice="plain" rep="norepeat"><option>-V</option></arg>
-      </group>
-    </cmdsynopsis>
+      <arg choice="opt" rep="norepeat"><option>-h</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-V</option></arg>
+   </cmdsynopsis>
   </refsynopsisdiv>
 
   <refsection><info><title>DESCRIPTION</title></info>
 
-    <para>
-      The <command>dnssec-dsfromkey</command> command outputs DS (Delegation
-      Signer) resource records (RRs) and other similarly-constructed RRs:
-      with the <option>-l</option> option it outputs DLV (DNSSEC Lookaside
-      Validation) RRs; or with the <option>-C</option> it outputs CDS (Child
-      DS) RRs.
+    <para><command>dnssec-dsfromkey</command>
+      outputs the Delegation Signer (DS) resource record (RR), as defined in
+      RFC 3658 and RFC 4509, for the given key(s).
     </para>
-
-    <para>
-      The input keys can be specified in a number of ways:
-    </para>
-
-    <para>
-      By default, <command>dnssec-dsfromkey</command> reads a key file
-      named like <filename>Knnnn.+aaa+iiiii.key</filename>, as generated
-      by <command>dnssec-keygen</command>.
-    </para>
-
-    <para>
-      With the <option>-f <replaceable>file</replaceable></option>
-      option, <command>dnssec-dsfromkey</command> reads keys from a zone file
-      or partial zone file (which can contain just the DNSKEY records).
-    </para>
-
-    <para>
-      With the <option>-s</option>
-      option, <command>dnssec-dsfromkey</command> reads
-      a <filename>keyset-</filename> file, as generated
-      by <command>dnssec-keygen</command> <option>-C</option>.
-    </para>
-
   </refsection>
 
   <refsection><info><title>OPTIONS</title></info>
 
+
     <variablelist>
       <varlistentry>
 	<term>-1</term>
 	<listitem>
 	  <para>
-	    An abbreviation for <option>-a SHA1</option>
+	    Use SHA-1 as the digest algorithm (the default is to use
+	    both SHA-1 and SHA-256).
 	  </para>
 	</listitem>
       </varlistentry>
@@ -159,7 +106,7 @@
 	<term>-2</term>
 	<listitem>
 	  <para>
-	    An abbreviation for <option>-a SHA-256</option>
+	    Use SHA-256 as the digest algorithm.
 	  </para>
 	</listitem>
       </varlistentry>
@@ -168,49 +115,40 @@
 	<term>-a <replaceable class="parameter">algorithm</replaceable></term>
 	<listitem>
 	  <para>
-	    Specify a digest algorithm to use when converting DNSKEY
-	    records to DS records. This option can be repeated, so
-	    that multiple DS records are created for each DNSKEY
-	    record.
-          </para>
-          <para>
-	    The <replaceable>algorithm</replaceable> must be one of
-	    SHA-1, SHA-256, or SHA-384.  These values are case insensitive,
-	    and the hyphen may be omitted.  If no algorithm is specified,
-	    the default is SHA-256.
+	    Select the digest algorithm. The value of
+	    <option>algorithm</option> must be one of SHA-1 (SHA1),
+	    SHA-256 (SHA256), GOST or SHA-384 (SHA384).
+	    These values are case insensitive.
 	  </para>
 	</listitem>
       </varlistentry>
 
-      <varlistentry>
-        <term>-A</term>
-        <listitem>
-          <para>
-            Include ZSKs when generating DS records. Without this option, only
-            keys which have the KSK flag set will be converted to DS records
-            and printed. Useful only in <option>-f</option> zone file mode.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-c <replaceable class="parameter">class</replaceable></term>
-	<listitem>
-	  <para>
-	    Specifies the DNS class (default is IN). Useful only
-	    in <option>-s</option> keyset or <option>-f</option>
-	    zone file mode.
-	  </para>
-	  </listitem>
-      </varlistentry>
-
       <varlistentry>
 	<term>-C</term>
 	<listitem>
 	  <para>
-	    Generate CDS records rather than DS records. This is mutually
-	    exclusive with the <option>-l</option> option for generating DLV
-	    records.
+	    Generate CDS records rather than DS records.  This is mutually
+	    exclusive with generating lookaside records.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-T <replaceable class="parameter">TTL</replaceable></term>
+	<listitem>
+	  <para>
+	    Specifies the TTL of the DS records.
+	  </para>
+	  </listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-K <replaceable class="parameter">directory</replaceable></term>
+	<listitem>
+	  <para>
+	    Look for key files (or, in keyset mode,
+	    <filename>keyset-</filename> files) in
+	    <option>directory</option>.
 	  </para>
 	</listitem>
       </varlistentry>
@@ -219,14 +157,13 @@
 	<term>-f <replaceable class="parameter">file</replaceable></term>
 	<listitem>
 	  <para>
-	    Zone file mode: <command>dnssec-dsfromkey</command>'s
-	    final <replaceable>dnsname</replaceable> argument is
-	    the DNS domain name of a zone whose master file can be read
+	    Zone file mode: in place of the keyfile name, the argument is
+	    the DNS domain name of a zone master file, which can be read
 	    from <option>file</option>.  If the zone name is the same as
 	    <option>file</option>, then it may be omitted.
 	  </para>
 	  <para>
-	    If <replaceable>file</replaceable> is <literal>"-"</literal>, then
+	    If <option>file</option> is set to <literal>"-"</literal>, then
 	    the zone data is read from the standard input.  This makes it
 	    possible to use the output of the <command>dig</command>
 	    command as input, as in:
@@ -238,33 +175,26 @@
       </varlistentry>
 
       <varlistentry>
-	<term>-h</term>
-	<listitem>
-	  <para>
-	    Prints usage information.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-K <replaceable class="parameter">directory</replaceable></term>
-	<listitem>
-	  <para>
-	    Look for key files or <filename>keyset-</filename> files in
-	    <option>directory</option>.
-	  </para>
-	</listitem>
+        <term>-A</term>
+        <listitem>
+          <para>
+            Include ZSKs when generating DS records.  Without this option,
+            only keys which have the KSK flag set will be converted to DS
+            records and printed.  Useful only in zone file mode.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
 	<term>-l <replaceable class="parameter">domain</replaceable></term>
 	<listitem>
 	  <para>
-	    Generate a DLV set instead of a DS set. The specified
-	    <replaceable>domain</replaceable> is appended to the name for each
+	    Generate a DLV set instead of a DS set.  The specified
+	    <option>domain</option> is appended to the name for each
 	    record in the set.
-	    This is mutually exclusive with the <option>-C</option> option
-	    for generating CDS records.
+	    The DNSSEC Lookaside Validation (DLV) RR is described
+	    in RFC 4431.  This is mutually exclusive with generating
+	    CDS records.
 	  </para>
 	</listitem>
       </varlistentry>
@@ -273,18 +203,18 @@
 	<term>-s</term>
 	<listitem>
 	  <para>
-	    Keyset mode: <command>dnssec-dsfromkey</command>'s
-	    final <replaceable>dnsname</replaceable> argument is the DNS
-	    domain name used to locate a <filename>keyset-</filename> file.
+	    Keyset mode: in place of the keyfile name, the argument is
+	    the DNS domain name of a keyset file.
 	  </para>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
-	<term>-T <replaceable class="parameter">TTL</replaceable></term>
+	<term>-c <replaceable class="parameter">class</replaceable></term>
 	<listitem>
 	  <para>
-	    Specifies the TTL of the DS records. By default the TTL is omitted.
+	    Specifies the DNS class (default is IN).  Useful only
+	    in keyset or zone file mode.
 	  </para>
 	  </listitem>
       </varlistentry>
@@ -298,6 +228,15 @@
 	</listitem>
       </varlistentry>
 
+      <varlistentry>
+	<term>-h</term>
+	<listitem>
+	  <para>
+	    Prints usage information.
+	  </para>
+	</listitem>
+      </varlistentry>
+
       <varlistentry>
 	<term>-V</term>
 	<listitem>
@@ -314,22 +253,21 @@
     <para>
       To build the SHA-256 DS RR from the
       <userinput>Kexample.com.+003+26160</userinput>
-      keyfile name, you can issue the following command:
+      keyfile name, the following command would be issued:
     </para>
     <para><userinput>dnssec-dsfromkey -2 Kexample.com.+003+26160</userinput>
     </para>
     <para>
       The command would print something like:
     </para>
-    <para><userinput>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94</userinput>
+    <para><userinput>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</userinput>
     </para>
-
   </refsection>
 
   <refsection><info><title>FILES</title></info>
 
     <para>
-      The keyfile can be designated by the key identification
+      The keyfile can be designed by the key identification
       <filename>Knnnn.+aaa+iiiii</filename> or the full file name
       <filename>Knnnn.+aaa+iiiii.key</filename> as generated by
       <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>.
@@ -357,11 +295,9 @@
 	<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
       </citerefentry>,
       <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
-      <citetitle>RFC 3658</citetitle> (DS RRs),
-      <citetitle>RFC 4431</citetitle> (DLV RRs),
-      <citetitle>RFC 4509</citetitle> (SHA-256 for DS RRs),
-      <citetitle>RFC 6605</citetitle> (SHA-384 for DS RRs),
-      <citetitle>RFC 7344</citetitle> (CDS and CDNSKEY RRs).
+      <citetitle>RFC 3658</citetitle>,
+      <citetitle>RFC 4431</citetitle>.
+      <citetitle>RFC 4509</citetitle>.
     </para>
   </refsection>
 

bin/dnssec/dnssec-dsfromkey.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2008-2012, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2008-2012, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -33,167 +33,105 @@
 <h2>Synopsis</h2>
     <div class="cmdsynopsis"><p>
       <code class="command">dnssec-dsfromkey</code> 
-       [
-	 <code class="option">-1</code> 
-	 |   <code class="option">-2</code> 
-	 |   <code class="option">-a <em class="replaceable"><code>alg</code></em></code> 
-      ]
-       [
-	 <code class="option">-C</code> 
-	 |   <code class="option">-l <em class="replaceable"><code>domain</code></em></code> 
-      ]
-       [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
        [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
-       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
+       [<code class="option">-1</code>]
+       [<code class="option">-2</code>]
+       [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>]
+       [<code class="option">-C</code>]
+       [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>]
+       [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
        {keyfile}
     </p></div>
     <div class="cmdsynopsis"><p>
       <code class="command">dnssec-dsfromkey</code> 
-       [
-	 <code class="option">-1</code> 
-	 |   <code class="option">-2</code> 
-	 |   <code class="option">-a <em class="replaceable"><code>alg</code></em></code> 
-      ]
-       [
-	 <code class="option">-C</code> 
-	 |   <code class="option">-l <em class="replaceable"><code>domain</code></em></code> 
-      ]
-       [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
-       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
-       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
-       [<code class="option">-A</code>]
-       {<code class="option">-f <em class="replaceable"><code>file</code></em></code>}
-       [dnsname]
-    </p></div>
-    <div class="cmdsynopsis"><p>
-      <code class="command">dnssec-dsfromkey</code> 
-       [
-	 <code class="option">-1</code> 
-	 |   <code class="option">-2</code> 
-	 |   <code class="option">-a <em class="replaceable"><code>alg</code></em></code> 
-      ]
-       [
-	 <code class="option">-C</code> 
-	 |   <code class="option">-l <em class="replaceable"><code>domain</code></em></code> 
-      ]
-       [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
-       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
-       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
-       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
        {-s}
+       [<code class="option">-1</code>]
+       [<code class="option">-2</code>]
+       [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>]
+       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
+       [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>]
+       [<code class="option">-s</code>]
+       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
+       [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
+       [<code class="option">-f <em class="replaceable"><code>file</code></em></code>]
+       [<code class="option">-A</code>]
+       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
        {dnsname}
-    </p></div>
+   </p></div>
     <div class="cmdsynopsis"><p>
       <code class="command">dnssec-dsfromkey</code> 
-       [
-	 <code class="option">-h</code> 
-	 |   <code class="option">-V</code> 
-      ]
-    </p></div>
+       [<code class="option">-h</code>]
+       [<code class="option">-V</code>]
+   </p></div>
   </div>
 
   <div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
 
-    <p>
-      The <span class="command"><strong>dnssec-dsfromkey</strong></span> command outputs DS (Delegation
-      Signer) resource records (RRs) and other similarly-constructed RRs:
-      with the <code class="option">-l</code> option it outputs DLV (DNSSEC Lookaside
-      Validation) RRs; or with the <code class="option">-C</code> it outputs CDS (Child
-      DS) RRs.
+    <p><span class="command"><strong>dnssec-dsfromkey</strong></span>
+      outputs the Delegation Signer (DS) resource record (RR), as defined in
+      RFC 3658 and RFC 4509, for the given key(s).
     </p>
-
-    <p>
-      The input keys can be specified in a number of ways:
-    </p>
-
-    <p>
-      By default, <span class="command"><strong>dnssec-dsfromkey</strong></span> reads a key file
-      named like <code class="filename">Knnnn.+aaa+iiiii.key</code>, as generated
-      by <span class="command"><strong>dnssec-keygen</strong></span>.
-    </p>
-
-    <p>
-      With the <code class="option">-f <em class="replaceable"><code>file</code></em></code>
-      option, <span class="command"><strong>dnssec-dsfromkey</strong></span> reads keys from a zone file
-      or partial zone file (which can contain just the DNSKEY records).
-    </p>
-
-    <p>
-      With the <code class="option">-s</code>
-      option, <span class="command"><strong>dnssec-dsfromkey</strong></span> reads
-      a <code class="filename">keyset-</code> file, as generated
-      by <span class="command"><strong>dnssec-keygen</strong></span> <code class="option">-C</code>.
-    </p>
-
   </div>
 
   <div class="refsection">
 <a name="id-1.8"></a><h2>OPTIONS</h2>
 
+
     <div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-1</span></dt>
 <dd>
 	  <p>
-	    An abbreviation for <code class="option">-a SHA1</code>
+	    Use SHA-1 as the digest algorithm (the default is to use
+	    both SHA-1 and SHA-256).
 	  </p>
 	</dd>
 <dt><span class="term">-2</span></dt>
 <dd>
 	  <p>
-	    An abbreviation for <code class="option">-a SHA-256</code>
+	    Use SHA-256 as the digest algorithm.
 	  </p>
 	</dd>
 <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 <dd>
 	  <p>
-	    Specify a digest algorithm to use when converting DNSKEY
-	    records to DS records. This option can be repeated, so
-	    that multiple DS records are created for each DNSKEY
-	    record.
-          </p>
-          <p>
-	    The <em class="replaceable"><code>algorithm</code></em> must be one of
-	    SHA-1, SHA-256, or SHA-384.  These values are case insensitive,
-	    and the hyphen may be omitted.  If no algorithm is specified,
-	    the default is SHA-256.
+	    Select the digest algorithm. The value of
+	    <code class="option">algorithm</code> must be one of SHA-1 (SHA1),
+	    SHA-256 (SHA256), GOST or SHA-384 (SHA384).
+	    These values are case insensitive.
 	  </p>
 	</dd>
-<dt><span class="term">-A</span></dt>
-<dd>
-          <p>
-            Include ZSKs when generating DS records. Without this option, only
-            keys which have the KSK flag set will be converted to DS records
-            and printed. Useful only in <code class="option">-f</code> zone file mode.
-          </p>
-        </dd>
-<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd>
-	  <p>
-	    Specifies the DNS class (default is IN). Useful only
-	    in <code class="option">-s</code> keyset or <code class="option">-f</code>
-	    zone file mode.
-	  </p>
-	  </dd>
 <dt><span class="term">-C</span></dt>
 <dd>
 	  <p>
-	    Generate CDS records rather than DS records. This is mutually
-	    exclusive with the <code class="option">-l</code> option for generating DLV
-	    records.
+	    Generate CDS records rather than DS records.  This is mutually
+	    exclusive with generating lookaside records.
+	  </p>
+	</dd>
+<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
+<dd>
+	  <p>
+	    Specifies the TTL of the DS records.
+	  </p>
+	  </dd>
+<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
+<dd>
+	  <p>
+	    Look for key files (or, in keyset mode,
+	    <code class="filename">keyset-</code> files) in
+	    <code class="option">directory</code>.
 	  </p>
 	</dd>
 <dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
 <dd>
 	  <p>
-	    Zone file mode: <span class="command"><strong>dnssec-dsfromkey</strong></span>'s
-	    final <em class="replaceable"><code>dnsname</code></em> argument is
-	    the DNS domain name of a zone whose master file can be read
+	    Zone file mode: in place of the keyfile name, the argument is
+	    the DNS domain name of a zone master file, which can be read
 	    from <code class="option">file</code>.  If the zone name is the same as
 	    <code class="option">file</code>, then it may be omitted.
 	  </p>
 	  <p>
-	    If <em class="replaceable"><code>file</code></em> is <code class="literal">"-"</code>, then
+	    If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
 	    the zone data is read from the standard input.  This makes it
 	    possible to use the output of the <span class="command"><strong>dig</strong></span>
 	    command as input, as in:
@@ -202,41 +140,37 @@
 	    <strong class="userinput"><code>dig dnskey example.com | dnssec-dsfromkey -f - example.com</code></strong>
 	  </p>
 	</dd>
-<dt><span class="term">-h</span></dt>
+<dt><span class="term">-A</span></dt>
 <dd>
-	  <p>
-	    Prints usage information.
-	  </p>
-	</dd>
-<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
-	  <p>
-	    Look for key files or <code class="filename">keyset-</code> files in
-	    <code class="option">directory</code>.
-	  </p>
-	</dd>
+          <p>
+            Include ZSKs when generating DS records.  Without this option,
+            only keys which have the KSK flag set will be converted to DS
+            records and printed.  Useful only in zone file mode.
+          </p>
+        </dd>
 <dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
 <dd>
 	  <p>
-	    Generate a DLV set instead of a DS set. The specified
-	    <em class="replaceable"><code>domain</code></em> is appended to the name for each
+	    Generate a DLV set instead of a DS set.  The specified
+	    <code class="option">domain</code> is appended to the name for each
 	    record in the set.
-	    This is mutually exclusive with the <code class="option">-C</code> option
-	    for generating CDS records.
+	    The DNSSEC Lookaside Validation (DLV) RR is described
+	    in RFC 4431.  This is mutually exclusive with generating
+	    CDS records.
 	  </p>
 	</dd>
 <dt><span class="term">-s</span></dt>
 <dd>
 	  <p>
-	    Keyset mode: <span class="command"><strong>dnssec-dsfromkey</strong></span>'s
-	    final <em class="replaceable"><code>dnsname</code></em> argument is the DNS
-	    domain name used to locate a <code class="filename">keyset-</code> file.
+	    Keyset mode: in place of the keyfile name, the argument is
+	    the DNS domain name of a keyset file.
 	  </p>
 	</dd>
-<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
+<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
 <dd>
 	  <p>
-	    Specifies the TTL of the DS records. By default the TTL is omitted.
+	    Specifies the DNS class (default is IN).  Useful only
+	    in keyset or zone file mode.
 	  </p>
 	  </dd>
 <dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
@@ -245,6 +179,12 @@
 	    Sets the debugging level.
 	  </p>
 	</dd>
+<dt><span class="term">-h</span></dt>
+<dd>
+	  <p>
+	    Prints usage information.
+	  </p>
+	</dd>
 <dt><span class="term">-V</span></dt>
 <dd>
 	  <p>
@@ -260,23 +200,22 @@
     <p>
       To build the SHA-256 DS RR from the
       <strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
-      keyfile name, you can issue the following command:
+      keyfile name, the following command would be issued:
     </p>
     <p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong>
     </p>
     <p>
       The command would print something like:
     </p>
-    <p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94</code></strong>
+    <p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</code></strong>
     </p>
-
   </div>
 
   <div class="refsection">
 <a name="id-1.10"></a><h2>FILES</h2>
 
     <p>
-      The keyfile can be designated by the key identification
+      The keyfile can be designed by the key identification
       <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
       <code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
       <span class="refentrytitle">dnssec-keygen</span>(8).
@@ -306,11 +245,9 @@
 	<span class="refentrytitle">dnssec-signzone</span>(8)
       </span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
-      <em class="citetitle">RFC 3658</em> (DS RRs),
-      <em class="citetitle">RFC 4431</em> (DLV RRs),
-      <em class="citetitle">RFC 4509</em> (SHA-256 for DS RRs),
-      <em class="citetitle">RFC 6605</em> (SHA-384 for DS RRs),
-      <em class="citetitle">RFC 7344</em> (CDS and CDNSKEY RRs).
+      <em class="citetitle">RFC 3658</em>,
+      <em class="citetitle">RFC 4431</em>.
+      <em class="citetitle">RFC 4509</em>.
     </p>
   </div>
 

bin/dnssec/dnssec-importkey.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2013-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2013-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -134,5 +134,5 @@ RFC 5011\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2013-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2013-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dnssec/dnssec-importkey.c

@@ -13,7 +13,6 @@
 
 #include <config.h>
 
-#include <stdbool.h>
 #include <stdlib.h>
 
 #include <isc/buffer.h>
@@ -42,14 +41,14 @@
 
 #include <dst/dst.h>
 
-#if USE_PKCS11
+#if HAVE_PKCS11
 #include <pk11/result.h>
 #endif
 
 #include "dnssectool.h"
 
 #ifndef PATH_MAX
-#define PATH_MAX 1024   /* WIN32, and others don't define this. */
+#define PATH_MAX 1024   /* AIX, WIN32, and others don't define this. */
 #endif
 
 const char *program = "dnssec-importkey";
@@ -59,13 +58,13 @@ static dns_rdataclass_t rdclass;
 static dns_fixedname_t	fixed;
 static dns_name_t	*name = NULL;
 static isc_mem_t	*mctx = NULL;
-static bool	setpub = false, setdel = false;
-static bool	setttl = false;
+static isc_boolean_t	setpub = ISC_FALSE, setdel = ISC_FALSE;
+static isc_boolean_t	setttl = ISC_FALSE;
 static isc_stdtime_t	pub = 0, del = 0;
 static dns_ttl_t	ttl = 0;
 static isc_stdtime_t	syncadd = 0, syncdel = 0;
-static bool	setsyncadd = false;
-static bool	setsyncdel = false;
+static isc_boolean_t	setsyncadd = ISC_FALSE;
+static isc_boolean_t	setsyncdel = ISC_FALSE;
 
 static isc_result_t
 initname(char *setname) {
@@ -125,7 +124,7 @@ loadset(const char *filename, dns_rdataset_t *rdataset) {
 			      isc_result_totext(result));
 	}
 
-	result = dns_db_findnode(db, name, false, &node);
+	result = dns_db_findnode(db, name, ISC_FALSE, &node);
 	if (result != ISC_R_SUCCESS)
 		fatal("can't find %s node in %s", setname, filename);
 
@@ -227,7 +226,7 @@ emit(const char *dir, dns_rdata_t *rdata) {
 		dst_key_free(&tmp);
 	}
 
-	dst_key_setexternal(key, true);
+	dst_key_setexternal(key, ISC_TRUE);
 	if (setpub)
 		dst_key_settime(key, DST_TIME_PUBLISH, pub);
 	if (setdel)
@@ -311,12 +310,12 @@ main(int argc, char **argv) {
 	if (result != ISC_R_SUCCESS)
 		fatal("out of memory");
 
-#if USE_PKCS11
+#if HAVE_PKCS11
 	pk11_result_register();
 #endif
 	dns_result_register();
 
-	isc_commandline_errprint = false;
+	isc_commandline_errprint = ISC_FALSE;
 
 #define CMDLINE_FLAGS "D:f:hK:L:P:v:V"
 	while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
@@ -347,7 +346,7 @@ main(int argc, char **argv) {
 			break;
 		case 'L':
 			ttl = strtottl(isc_commandline_argument);
-			setttl = true;
+			setttl = ISC_TRUE;
 			break;
 		case 'P':
 			/* -Psync ? */

bin/dnssec/dnssec-importkey.docbook

@@ -38,7 +38,6 @@
       <year>2015</year>
       <year>2016</year>
       <year>2018</year>
-      <year>2019</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>

bin/dnssec/dnssec-importkey.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2013-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2013-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this

bin/dnssec/dnssec-keyfromlabel.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2008-2012, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2008-2012, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -55,7 +55,7 @@ of the key is specified on the command line\&. This must match the name of the z
 .RS 4
 Selects the cryptographic algorithm\&. The value of
 \fBalgorithm\fR
-must be one of RSASHA1, NSEC3RSASHA1, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&.
+must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&.
 .sp
 If no algorithm is specified, then RSASHA1 will be used by default, unless the
 \fB\-3\fR
@@ -63,9 +63,9 @@ option is specified, in which case NSEC3RSASHA1 will be used instead\&. (If
 \fB\-3\fR
 is used and an algorithm is specified, that algorithm will be checked for compatibility with NSEC3\&.)
 .sp
-These values are case insensitive\&. In some cases, abbreviations are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for ECDSAP384SHA384\&. If RSASHA1 is specified along with the
+These values are case insensitive\&. In some cases, abbreviations are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for ECDSAP384SHA384\&. If RSASHA1 or DSA is specified along with the
 \fB\-3\fR
-option, then NSEC3RSASHA1 will be used instead\&.
+option, then NSEC3RSASHA1 or NSEC3DSA will be used instead\&.
 .sp
 As of BIND 9\&.12\&.0, this option is mandatory except when using the
 \fB\-S\fR
@@ -307,5 +307,5 @@ The PKCS#11 URI Scheme (draft\-pechanec\-pkcs11uri\-13)\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2008-2012, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2008-2012, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dnssec/dnssec-keyfromlabel.c

@@ -14,8 +14,6 @@
 #include <config.h>
 
 #include <ctype.h>
-#include <inttypes.h>
-#include <stdbool.h>
 #include <stdlib.h>
 
 #include <isc/buffer.h>
@@ -39,7 +37,7 @@
 
 #include <dst/dst.h>
 
-#if USE_PKCS11
+#if HAVE_PKCS11
 #include <pk11/result.h>
 #endif
 
@@ -64,16 +62,19 @@ usage(void) {
 	fprintf(stderr, "    name: owner of the key\n");
 	fprintf(stderr, "Other options:\n");
 	fprintf(stderr, "    -a algorithm: \n"
-			"        DH | RSASHA1 |\n"
-			"        NSEC3RSASHA1 |\n"
-			"        RSASHA256 | RSASHA512 |\n"
+			"        RSA | RSAMD5 | DH | DSA | RSASHA1 |\n"
+			"        NSEC3DSA | NSEC3RSASHA1 |\n"
+			"        RSASHA256 | RSASHA512 | ECCGOST |\n"
 			"        ECDSAP256SHA256 | ECDSAP384SHA384\n");
 	fprintf(stderr, "    -3: use NSEC3-capable algorithm\n");
 	fprintf(stderr, "    -c class (default: IN)\n");
 	fprintf(stderr, "    -E <engine>:\n");
-#if USE_PKCS11
+#if HAVE_PKCS11
 	fprintf(stderr, "        path to PKCS#11 provider library "
 				"(default is %s)\n", PK11_LIB_LOCATION);
+#elif defined(USE_PKCS11)
+	fprintf(stderr, "        name of an OpenSSL engine to use "
+				"(default is \"pkcs11\")\n");
 #else
 	fprintf(stderr, "        name of an OpenSSL engine to use\n");
 #endif
@@ -123,15 +124,19 @@ main(int argc, char **argv) {
 	const char	*directory = NULL;
 	const char	*predecessor = NULL;
 	dst_key_t	*prevkey = NULL;
+#ifdef USE_PKCS11
+	const char	*engine = PKCS11_ENGINE;
+#else
 	const char	*engine = NULL;
+#endif
 	char		*classname = NULL;
 	char		*endp;
 	dst_key_t	*key = NULL;
 	dns_fixedname_t	fname;
 	dns_name_t	*name;
-	uint16_t	flags = 0, kskflag = 0, revflag = 0;
+	isc_uint16_t	flags = 0, kskflag = 0, revflag = 0;
 	dns_secalg_t	alg;
-	bool	oldstyle = false;
+	isc_boolean_t	oldstyle = ISC_FALSE;
 	isc_mem_t	*mctx = NULL;
 	int		ch;
 	int		protocol = -1, signatory = 0;
@@ -148,32 +153,32 @@ main(int argc, char **argv) {
 	isc_stdtime_t	inactive = 0, deltime = 0;
 	isc_stdtime_t	now;
 	int		prepub = -1;
-	bool	setpub = false, setact = false;
-	bool	setrev = false, setinact = false;
-	bool	setdel = false, setttl = false;
-	bool	unsetpub = false, unsetact = false;
-	bool	unsetrev = false, unsetinact = false;
-	bool	unsetdel = false;
-	bool	genonly = false;
-	bool	use_nsec3 = false;
-	bool   avoid_collisions = true;
-	bool	exact;
+	isc_boolean_t	setpub = ISC_FALSE, setact = ISC_FALSE;
+	isc_boolean_t	setrev = ISC_FALSE, setinact = ISC_FALSE;
+	isc_boolean_t	setdel = ISC_FALSE, setttl = ISC_FALSE;
+	isc_boolean_t	unsetpub = ISC_FALSE, unsetact = ISC_FALSE;
+	isc_boolean_t	unsetrev = ISC_FALSE, unsetinact = ISC_FALSE;
+	isc_boolean_t	unsetdel = ISC_FALSE;
+	isc_boolean_t	genonly = ISC_FALSE;
+	isc_boolean_t	use_nsec3 = ISC_FALSE;
+	isc_boolean_t   avoid_collisions = ISC_TRUE;
+	isc_boolean_t	exact;
 	unsigned char	c;
 	isc_stdtime_t	syncadd = 0, syncdel = 0;
-	bool	unsetsyncadd = false, setsyncadd = false;
-	bool	unsetsyncdel = false, setsyncdel = false;
+	isc_boolean_t	unsetsyncadd = ISC_FALSE, setsyncadd = ISC_FALSE;
+	isc_boolean_t	unsetsyncdel = ISC_FALSE, setsyncdel = ISC_FALSE;
 
 	if (argc == 1)
 		usage();
 
 	RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
 
-#if USE_PKCS11
+#if HAVE_PKCS11
 	pk11_result_register();
 #endif
 	dns_result_register();
 
-	isc_commandline_errprint = false;
+	isc_commandline_errprint = ISC_FALSE;
 
 	isc_stdtime_get(&now);
 
@@ -181,13 +186,13 @@ main(int argc, char **argv) {
 	while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
 	    switch (ch) {
 		case '3':
-			use_nsec3 = true;
+			use_nsec3 = ISC_TRUE;
 			break;
 		case 'a':
 			algname = isc_commandline_argument;
 			break;
 		case 'C':
-			oldstyle = true;
+			oldstyle = ISC_TRUE;
 			break;
 		case 'c':
 			classname = isc_commandline_argument;
@@ -217,7 +222,7 @@ main(int argc, char **argv) {
 			break;
 		case 'L':
 			ttl = strtottl(isc_commandline_argument);
-			setttl = true;
+			setttl = ISC_TRUE;
 			break;
 		case 'l':
 			label = isc_mem_strdup(mctx, isc_commandline_argument);
@@ -240,10 +245,10 @@ main(int argc, char **argv) {
 				fatal("-v must be followed by a number");
 			break;
 		case 'y':
-			avoid_collisions = false;
+			avoid_collisions = ISC_FALSE;
 			break;
 		case 'G':
-			genonly = true;
+			genonly = ISC_TRUE;
 			break;
 		case 'P':
 			/* -Psync ? */
@@ -382,24 +387,47 @@ main(int argc, char **argv) {
 			fatal("no algorithm specified");
 		}
 
-		r.base = algname;
-		r.length = strlen(algname);
-		ret = dns_secalg_fromtext(&alg, &r);
-		if (ret != ISC_R_SUCCESS) {
-			fatal("unknown algorithm %s", algname);
-		}
-		if (alg == DST_ALG_DH) {
-			options |= DST_TYPE_KEY;
+		if (strcasecmp(algname, "RSA") == 0) {
+#ifndef PK11_MD5_DISABLE
+			fprintf(stderr, "The use of RSA (RSAMD5) is not "
+					"recommended.\nIf you still wish to "
+					"use RSA (RSAMD5) please specify "
+					"\"-a RSAMD5\"\n");
+#else
+			fprintf(stderr,
+				"The use of RSA (RSAMD5) was disabled\n");
+			if (freeit != NULL)
+				free(freeit);
+			return (1);
+		} else if (strcasecmp(algname, "RSAMD5") == 0) {
+			fprintf(stderr, "The use of RSAMD5 was disabled\n");
+#endif
+			if (freeit != NULL)
+				free(freeit);
+			return (1);
+		} else {
+			r.base = algname;
+			r.length = strlen(algname);
+			ret = dns_secalg_fromtext(&alg, &r);
+			if (ret != ISC_R_SUCCESS)
+				fatal("unknown algorithm %s", algname);
+			if (alg == DST_ALG_DH)
+				options |= DST_TYPE_KEY;
 		}
 
 		if (use_nsec3) {
 			switch (alg) {
+			case DST_ALG_DSA:
+				alg = DST_ALG_NSEC3DSA;
+				break;
 			case DST_ALG_RSASHA1:
 				alg = DST_ALG_NSEC3RSASHA1;
 				break;
+			case DST_ALG_NSEC3DSA:
 			case DST_ALG_NSEC3RSASHA1:
 			case DST_ALG_RSASHA256:
 			case DST_ALG_RSASHA512:
+			case DST_ALG_ECCGOST:
 			case DST_ALG_ECDSA256:
 			case DST_ALG_ECDSA384:
 			case DST_ALG_ED25519:
@@ -432,14 +460,14 @@ main(int argc, char **argv) {
 				      "prepublication interval.");
 
 			if (!setpub && !setact) {
-				setpub = setact = true;
+				setpub = setact = ISC_TRUE;
 				publish = now;
 				activate = now + prepub;
 			} else if (setpub && !setact) {
-				setact = true;
+				setact = ISC_TRUE;
 				activate = publish + prepub;
 			} else if (setact && !setpub) {
-				setpub = true;
+				setpub = ISC_TRUE;
 				publish = activate - prepub;
 			}
 
@@ -485,6 +513,11 @@ main(int argc, char **argv) {
 		alg = dst_key_alg(prevkey);
 		flags = dst_key_flags(prevkey);
 
+#ifdef PK11_MD5_DISABLE
+		if (alg == DST_ALG_RSAMD5)
+			fatal("Key %s uses disabled RSAMD5", predecessor);
+#endif
+
 		dst_key_format(prevkey, keystr, sizeof(keystr));
 		dst_key_getprivateformat(prevkey, &major, &minor);
 		if (major != DST_MAJOR_VERSION || minor < DST_MINOR_VERSION)
@@ -522,7 +555,7 @@ main(int argc, char **argv) {
 					"You can use dnssec-settime -D to "
 					"change this.\n", program, keystr);
 
-		setpub = setact = true;
+		setpub = setact = ISC_TRUE;
 	}
 
 	if (nametype == NULL) {
@@ -574,7 +607,7 @@ main(int argc, char **argv) {
 
 	/* associate the key */
 	ret = dst_key_fromlabel(name, alg, flags, protocol, rdclass,
-#if USE_PKCS11
+#if HAVE_PKCS11
 				"pkcs11",
 #else
 				engine,
@@ -631,10 +664,10 @@ main(int argc, char **argv) {
 
 		if (setdel)
 			dst_key_settime(key, DST_TIME_DELETE, deltime);
-		if (setsyncadd)
-			dst_key_settime(key, DST_TIME_SYNCPUBLISH, syncadd);
-		if (setsyncdel)
-			dst_key_settime(key, DST_TIME_SYNCDELETE, syncdel);
+	if (setsyncadd)
+		dst_key_settime(key, DST_TIME_SYNCPUBLISH, syncadd);
+	if (setsyncdel)
+		dst_key_settime(key, DST_TIME_SYNCDELETE, syncdel);
 
 	} else {
 		if (setpub || setact || setrev || setinact ||

bin/dnssec/dnssec-keyfromlabel.docbook

@@ -43,7 +43,6 @@
       <year>2016</year>
       <year>2017</year>
       <year>2018</year>
-      <year>2019</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
@@ -106,8 +105,8 @@
 	<listitem>
 	  <para>
 	    Selects the cryptographic algorithm.  The value of
-	    <option>algorithm</option> must be one of RSASHA1,
-	    NSEC3RSASHA1, RSASHA256, RSASHA512,
+	    <option>algorithm</option> must be one of RSAMD5, RSASHA1,
+	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
 	    ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
 	  </para>
 	  <para>
@@ -120,9 +119,9 @@
 	  <para>
 	    These values are case insensitive. In some cases, abbreviations
 	    are supported, such as ECDSA256 for ECDSAP256SHA256 and
-	    ECDSA384 for ECDSAP384SHA384. If RSASHA1 is specified
+	    ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified
 	    along with the <option>-3</option> option, then NSEC3RSASHA1
-	    will be used instead.
+	    or NSEC3DSA will be used instead.
 	  </para>
 	  <para>
 	    As of BIND 9.12.0, this option is mandatory except when using

bin/dnssec/dnssec-keyfromlabel.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2008-2012, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2008-2012, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -89,8 +89,8 @@
 <dd>
 	  <p>
 	    Selects the cryptographic algorithm.  The value of
-	    <code class="option">algorithm</code> must be one of RSASHA1,
-	    NSEC3RSASHA1, RSASHA256, RSASHA512,
+	    <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
+	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
 	    ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
 	  </p>
 	  <p>
@@ -103,9 +103,9 @@
 	  <p>
 	    These values are case insensitive. In some cases, abbreviations
 	    are supported, such as ECDSA256 for ECDSAP256SHA256 and
-	    ECDSA384 for ECDSAP384SHA384. If RSASHA1 is specified
+	    ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified
 	    along with the <code class="option">-3</code> option, then NSEC3RSASHA1
-	    will be used instead.
+	    or NSEC3DSA will be used instead.
 	  </p>
 	  <p>
 	    As of BIND 9.12.0, this option is mandatory except when using

bin/dnssec/dnssec-keygen.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2000-2005, 2007-2012, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2005, 2007-2012, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -39,7 +39,7 @@
 dnssec-keygen \- DNSSEC key generation tool
 .SH "SYNOPSIS"
 .HP \w'\fBdnssec\-keygen\fR\ 'u
-\fBdnssec\-keygen\fR [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name}
+\fBdnssec\-keygen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] {name}
 .SH "DESCRIPTION"
 .PP
 \fBdnssec\-keygen\fR
@@ -58,24 +58,17 @@ may be preferable to direct use of
 \fBdnssec\-keygen\fR\&.
 .SH "OPTIONS"
 .PP
-\-3
-.RS 4
-Use an NSEC3\-capable algorithm to generate a DNSSEC key\&. If this option is used with an algorithm that has both NSEC and NSEC3 versions, then the NSEC3 version will be used; for example,
-\fBdnssec\-keygen \-3a RSASHA1\fR
-specifies the NSEC3RSASHA1 algorithm\&.
-.RE
-.PP
 \-a \fIalgorithm\fR
 .RS 4
 Selects the cryptographic algorithm\&. For DNSSEC keys, the value of
 \fBalgorithm\fR
-must be one of RSASHA1, NSEC3RSASHA1, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&. For TKEY, the value must be DH (Diffie Hellman); specifying his value will automatically set the
+must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&. For TKEY, the value must be DH (Diffie Hellman); specifying his value will automatically set the
 \fB\-T KEY\fR
 option as well\&.
 .sp
-These values are case insensitive\&. In some cases, abbreviations are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for ECDSAP384SHA384\&. If RSASHA1 is specified along with the
+These values are case insensitive\&. In some cases, abbreviations are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for ECDSAP384SHA384\&. If RSASHA1 or DSA is specified along with the
 \fB\-3\fR
-option, then NSEC3RSASHA1 will be used instead\&.
+option, then NSEC3RSASHA1 or NSEC3DSA will be used instead\&.
 .sp
 This parameter
 \fImust\fR
@@ -90,15 +83,29 @@ to generate TSIG keys\&.
 .PP
 \-b \fIkeysize\fR
 .RS 4
-Specifies the number of bits in the key\&. The choice of key size depends on the algorithm used\&. RSA keys must be between 1024 and 4096 bits\&. Diffie Hellman keys must be between 128 and 4096 bits\&. Elliptic curve algorithms don\*(Aqt need this parameter\&.
+Specifies the number of bits in the key\&. The choice of key size depends on the algorithm used\&. RSA keys must be between 1024 and 2048 bits\&. Diffie Hellman keys must be between 128 and 4096 bits\&. DSA keys must be between 512 and 1024 bits and an exact multiple of 64\&. HMAC keys must be between 1 and 512 bits\&. Elliptic curve algorithms don\*(Aqt need this parameter\&.
 .sp
 If the key size is not specified, some algorithms have pre\-defined defaults\&. For example, RSA keys for use as DNSSEC zone signing keys have a default size of 1024 bits; RSA keys for use as key signing keys (KSKs, generated with
 \fB\-f KSK\fR) default to 2048 bits\&.
 .RE
 .PP
+\-n \fInametype\fR
+.RS 4
+Specifies the owner type of the key\&. The value of
+\fBnametype\fR
+must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY)\&. These values are case insensitive\&. Defaults to ZONE for DNSKEY generation\&.
+.RE
+.PP
+\-3
+.RS 4
+Use an NSEC3\-capable algorithm to generate a DNSSEC key\&. If this option is used with an algorithm that has both NSEC and NSEC3 versions, then the NSEC3 version will be used; for example,
+\fBdnssec\-keygen \-3a RSASHA1\fR
+specifies the NSEC3RSASHA1 algorithm\&.
+.RE
+.PP
 \-C
 .RS 4
-Compatibility mode: generates an old\-style key, without any timing metadata\&. By default,
+Compatibility mode: generates an old\-style key, without any metadata\&. By default,
 \fBdnssec\-keygen\fR
 will include the key\*(Aqs creation date in the metadata stored with the private key, and other dates may be set there as well (publication date, activation date, etc)\&. Keys that include this data may be incompatible with older versions of BIND; the
 \fB\-C\fR
@@ -143,6 +150,11 @@ Prints a short summary of the options and arguments to
 Sets the directory in which the key files are to be written\&.
 .RE
 .PP
+\-k
+.RS 4
+Deprecated in favor of \-T KEY\&.
+.RE
+.PP
 \-L \fIttl\fR
 .RS 4
 Sets the default TTL to use for this key when it is converted into a DNSKEY RR\&. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence\&. If this value is not set and there is no existing DNSKEY RRset, the TTL will default to the SOA TTL\&. Setting the default TTL to
@@ -152,17 +164,9 @@ none
 is the same as leaving it unset\&.
 .RE
 .PP
-\-n \fInametype\fR
-.RS 4
-Specifies the owner type of the key\&. The value of
-\fBnametype\fR
-must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY)\&. These values are case insensitive\&. Defaults to ZONE for DNSKEY generation\&.
-.RE
-.PP
 \-p \fIprotocol\fR
 .RS 4
-Sets the protocol value for the generated key, for use with
-\fB\-T KEY\fR\&. The protocol is a number between 0 and 255\&. The default is 3 (DNSSEC)\&. Other possible values for this argument are listed in RFC 2535 and its successors\&.
+Sets the protocol value for the generated key\&. The protocol is a number between 0 and 255\&. The default is 3 (DNSSEC)\&. Other possible values for this argument are listed in RFC 2535 and its successors\&.
 .RE
 .PP
 \-q
@@ -189,25 +193,27 @@ Specifies the strength value of the key\&. The strength is a number between 0 an
 Specifies the resource record type to use for the key\&.
 \fBrrtype\fR
 must be either DNSKEY or KEY\&. The default is DNSKEY when using a DNSSEC algorithm, but it can be overridden to KEY for use with SIG(0)\&.
+Specifying any TSIG algorithm (HMAC\-* or DH) with
+\fB\-a\fR
+forces this option to KEY\&.
 .RE
 .PP
 \-t \fItype\fR
 .RS 4
-Indicates the use of the key, for use with
-\fB\-T KEY\fR\&.
+Indicates the use of the key\&.
 \fBtype\fR
 must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF\&. The default is AUTHCONF\&. AUTH refers to the ability to authenticate data, and CONF the ability to encrypt data\&.
 .RE
 .PP
-\-V
-.RS 4
-Prints version information\&.
-.RE
-.PP
 \-v \fIlevel\fR
 .RS 4
 Sets the debugging level\&.
 .RE
+.PP
+\-V
+.RS 4
+Prints version information\&.
+.RE
 .SH "TIMING OPTIONS"
 .PP
 Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS\&. If the argument begins with a \*(Aq+\*(Aq or \*(Aq\-\*(Aq, it is interpreted as an offset from the present time\&. For convenience, if such an offset is followed by one of the suffixes \*(Aqy\*(Aq, \*(Aqmo\*(Aq, \*(Aqw\*(Aq, \*(Aqd\*(Aq, \*(Aqh\*(Aq, or \*(Aqmi\*(Aq, then the offset is computed in years (defined as 365 24\-hour days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively\&. Without a suffix, the offset is computed in seconds\&. To explicitly prevent a date from being set, use \*(Aqnone\*(Aq or \*(Aqnever\*(Aq\&.
@@ -308,39 +314,34 @@ contains the private key\&.
 .PP
 The
 \&.key
-file contains a DNSKEY or KEY record\&. When a zone is being signed by
-\fBnamed\fR
-or
-\fBdnssec\-signzone\fR\fB\-S\fR, DNSKEY records are included automatically\&. In other cases, the
-\&.key
-file can be inserted into a zone file manually or with a
-\fB$INCLUDE\fR
-statement\&.
+file contains a DNS KEY record that can be inserted into a zone file (directly or with a $INCLUDE statement)\&.
 .PP
 The
 \&.private
 file contains algorithm\-specific fields\&. For obvious security reasons, this file does not have general read permission\&.
+.PP
+Both
+\&.key
+and
+\&.private
+files are generated for symmetric cryptography algorithms such as HMAC\-MD5, even though the public and private key are equivalent\&.
 .SH "EXAMPLE"
 .PP
-To generate an ECDSAP256SHA256 zone\-signing key for the zone
-\fBexample\&.com\fR, issue the command:
+To generate a 768\-bit DSA key for the domain
+\fBexample\&.com\fR, the following command would be issued:
 .PP
-\fBdnssec\-keygen \-a ECDSAP256SHA256 example\&.com\fR
+\fBdnssec\-keygen \-a DSA \-b 768 \-n ZONE example\&.com\fR
 .PP
 The command would print a string of the form:
 .PP
-\fBKexample\&.com\&.+013+26160\fR
+\fBKexample\&.com\&.+003+26160\fR
 .PP
 In this example,
 \fBdnssec\-keygen\fR
 creates the files
-Kexample\&.com\&.+013+26160\&.key
+Kexample\&.com\&.+003+26160\&.key
 and
-Kexample\&.com\&.+013+26160\&.private\&.
-.PP
-To generate a matching key\-signing key, issue the command:
-.PP
-\fBdnssec\-keygen \-a ECDSAP256SHA256 \-f KSK example\&.com\fR
+Kexample\&.com\&.+003+26160\&.private\&.
 .SH "SEE ALSO"
 .PP
 \fBdnssec-signzone\fR(8),
@@ -353,5 +354,5 @@ RFC 4034\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2000-2005, 2007-2012, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000-2005, 2007-2012, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dnssec/dnssec-keygen.c

@@ -28,8 +28,6 @@
 #include <config.h>
 
 #include <ctype.h>
-#include <inttypes.h>
-#include <stdbool.h>
 #include <stdlib.h>
 #include <unistd.h>
 
@@ -54,7 +52,7 @@
 
 #include <dst/dst.h>
 
-#if USE_PKCS11
+#if HAVE_PKCS11
 #include <pk11/result.h>
 #endif
 
@@ -79,17 +77,23 @@ usage(void) {
 	fprintf(stderr, "Options:\n");
 	fprintf(stderr, "    -K <directory>: write keys into directory\n");
 	fprintf(stderr, "    -a <algorithm>:\n");
-	fprintf(stderr, "        RSASHA1 | NSEC3RSASHA1 |\n");
-	fprintf(stderr, "        RSASHA256 | RSASHA512 |\n");
+	fprintf(stderr, "        RSA | RSAMD5 | DSA | RSASHA1 | NSEC3RSASHA1"
+				" | NSEC3DSA |\n");
+	fprintf(stderr, "        RSASHA256 | RSASHA512 | ECCGOST |\n");
 	fprintf(stderr, "        ECDSAP256SHA256 | ECDSAP384SHA384 |\n");
 	fprintf(stderr, "        ED25519 | ED448 | DH\n");
 	fprintf(stderr, "    -3: use NSEC3-capable algorithm\n");
 	fprintf(stderr, "    -b <key size in bits>:\n");
+	fprintf(stderr, "        RSAMD5:\t[1024..%d]\n", MAX_RSA);
 	fprintf(stderr, "        RSASHA1:\t[1024..%d]\n", MAX_RSA);
 	fprintf(stderr, "        NSEC3RSASHA1:\t[1024..%d]\n", MAX_RSA);
 	fprintf(stderr, "        RSASHA256:\t[1024..%d]\n", MAX_RSA);
 	fprintf(stderr, "        RSASHA512:\t[1024..%d]\n", MAX_RSA);
 	fprintf(stderr, "        DH:\t\t[128..4096]\n");
+	fprintf(stderr, "        DSA:\t\t[512..1024] and divisible by 64\n");
+	fprintf(stderr, "        NSEC3DSA:\t[512..1024] and divisible "
+				"by 64\n");
+	fprintf(stderr, "        ECCGOST:\tignored\n");
 	fprintf(stderr, "        ECDSAP256SHA256:\tignored\n");
 	fprintf(stderr, "        ECDSAP384SHA384:\tignored\n");
 	fprintf(stderr, "        ED25519:\tignored\n");
@@ -102,9 +106,12 @@ usage(void) {
 	fprintf(stderr, "    -c <class>: (default: IN)\n");
 	fprintf(stderr, "    -d <digest bits> (0 => max, default)\n");
 	fprintf(stderr, "    -E <engine>:\n");
-#if USE_PKCS11
+#if HAVE_PKCS11
 	fprintf(stderr, "        path to PKCS#11 provider library "
 				"(default is %s)\n", PK11_LIB_LOCATION);
+#elif defined(USE_PKCS11)
+	fprintf(stderr, "        name of an OpenSSL engine to use "
+				"(default is \"pkcs11\")\n");
 #else
 	fprintf(stderr, "        name of an OpenSSL engine to use\n");
 #endif
@@ -155,6 +162,11 @@ usage(void) {
 	exit (-1);
 }
 
+static isc_boolean_t
+dsa_size_ok(int size) {
+	return (ISC_TF(size >= 512 && size <= 1024 && size % 64 == 0));
+}
+
 static void
 progress(int p)
 {
@@ -189,10 +201,10 @@ main(int argc, char **argv) {
 	dst_key_t	*key = NULL;
 	dns_fixedname_t	fname;
 	dns_name_t	*name;
-	uint16_t	flags = 0, kskflag = 0, revflag = 0;
+	isc_uint16_t	flags = 0, kskflag = 0, revflag = 0;
 	dns_secalg_t	alg;
-	bool	conflict = false, null_key = false;
-	bool	oldstyle = false;
+	isc_boolean_t	conflict = ISC_FALSE, null_key = ISC_FALSE;
+	isc_boolean_t	oldstyle = ISC_FALSE;
 	isc_mem_t	*mctx = NULL;
 	int		ch, generator = 0, param = 0;
 	int		protocol = -1, size = -1, signatory = 0;
@@ -204,44 +216,48 @@ main(int argc, char **argv) {
 	dst_key_t	*prevkey = NULL;
 	isc_buffer_t	buf;
 	isc_log_t	*log = NULL;
+#ifdef USE_PKCS11
+	const char	*engine = PKCS11_ENGINE;
+#else
 	const char	*engine = NULL;
+#endif
 	dns_rdataclass_t rdclass;
 	int		options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
 	int		dbits = 0;
 	dns_ttl_t	ttl = 0;
-	bool	use_nsec3 = false;
+	isc_boolean_t	use_nsec3 = ISC_FALSE;
 	isc_stdtime_t	publish = 0, activate = 0, revokekey = 0;
 	isc_stdtime_t	inactive = 0, deltime = 0;
 	isc_stdtime_t	now;
 	int		prepub = -1;
-	bool	setpub = false, setact = false;
-	bool	setrev = false, setinact = false;
-	bool	setdel = false, setttl = false;
-	bool	unsetpub = false, unsetact = false;
-	bool	unsetrev = false, unsetinact = false;
-	bool	unsetdel = false;
-	bool	genonly = false;
-	bool	quiet = false;
-	bool	show_progress = false;
+	isc_boolean_t	setpub = ISC_FALSE, setact = ISC_FALSE;
+	isc_boolean_t	setrev = ISC_FALSE, setinact = ISC_FALSE;
+	isc_boolean_t	setdel = ISC_FALSE, setttl = ISC_FALSE;
+	isc_boolean_t	unsetpub = ISC_FALSE, unsetact = ISC_FALSE;
+	isc_boolean_t	unsetrev = ISC_FALSE, unsetinact = ISC_FALSE;
+	isc_boolean_t	unsetdel = ISC_FALSE;
+	isc_boolean_t	genonly = ISC_FALSE;
+	isc_boolean_t	quiet = ISC_FALSE;
+	isc_boolean_t	show_progress = ISC_FALSE;
 	unsigned char	c;
 	isc_stdtime_t	syncadd = 0, syncdel = 0;
-	bool	setsyncadd = false;
-	bool	setsyncdel = false;
+	isc_boolean_t	setsyncadd = ISC_FALSE;
+	isc_boolean_t	setsyncdel = ISC_FALSE;
 
 	if (argc == 1)
 		usage();
 
-#if USE_PKCS11
+#if HAVE_PKCS11
 	pk11_result_register();
 #endif
 	dns_result_register();
 
-	isc_commandline_errprint = false;
+	isc_commandline_errprint = ISC_FALSE;
 
 	/*
 	 * Process memory debugging argument first.
 	 */
-#define CMDLINE_FLAGS "3A:a:b:Cc:D:d:E:eFf:Gg:hI:i:K:L:m:n:P:p:qR:r:S:s:T:t:" \
+#define CMDLINE_FLAGS "3A:a:b:Cc:D:d:E:eFf:Gg:hI:i:K:kL:m:n:P:p:qR:r:S:s:T:t:" \
 		      "v:V"
 	while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
 		switch (ch) {
@@ -261,7 +277,7 @@ main(int argc, char **argv) {
 			break;
 		}
 	}
-	isc_commandline_reset = true;
+	isc_commandline_reset = ISC_TRUE;
 
 	RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
 
@@ -270,7 +286,7 @@ main(int argc, char **argv) {
 	while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
 	    switch (ch) {
 		case '3':
-			use_nsec3 = true;
+			use_nsec3 = ISC_TRUE;
 			break;
 		case 'a':
 			algname = isc_commandline_argument;
@@ -281,7 +297,7 @@ main(int argc, char **argv) {
 				fatal("-b requires a non-negative number");
 			break;
 		case 'C':
-			oldstyle = true;
+			oldstyle = ISC_TRUE;
 			break;
 		case 'c':
 			classname = isc_commandline_argument;
@@ -297,7 +313,7 @@ main(int argc, char **argv) {
 		case 'e':
 			fprintf(stderr,
 				"phased-out option -e "
-				"(was 'use (RSA) large exponent')\n");
+				"(was 'use (RSA) large exponent)\n");
 			break;
 		case 'f':
 			c = (unsigned char)(isc_commandline_argument[0]);
@@ -322,9 +338,14 @@ main(int argc, char **argv) {
 				fatal("cannot open directory %s: %s",
 				      directory, isc_result_totext(ret));
 			break;
+		case 'k':
+			fatal("The -k option has been deprecated.\n"
+			      "To generate a key-signing key, use -f KSK.\n"
+			      "To generate a key with TYPE=KEY, use -T KEY.\n");
+			break;
 		case 'L':
 			ttl = strtottl(isc_commandline_argument);
-			setttl = true;
+			setttl = ISC_TRUE;
 			break;
 		case 'n':
 			nametype = isc_commandline_argument;
@@ -338,7 +359,7 @@ main(int argc, char **argv) {
 				      "[0..255]");
 			break;
 		case 'q':
-			quiet = true;
+			quiet = ISC_TRUE;
 			break;
 		case 'r':
 			fatal("The -r option has been deprecated.\n"
@@ -375,7 +396,7 @@ main(int argc, char **argv) {
 			/* already the default */
 			break;
 		case 'G':
-			genonly = true;
+			genonly = ISC_TRUE;
 			break;
 		case 'P':
 			/* -Psync ? */
@@ -469,7 +490,7 @@ main(int argc, char **argv) {
 	}
 
 	if (!isatty(0))
-		quiet = true;
+		quiet = ISC_TRUE;
 
 	ret = dst_lib_init(mctx, engine);
 	if (ret != ISC_R_SUCCESS)
@@ -501,28 +522,57 @@ main(int argc, char **argv) {
 			fatal("no algorithm specified");
 		}
 
-		r.base = algname;
-		r.length = strlen(algname);
-		ret = dns_secalg_fromtext(&alg, &r);
-		if (ret != ISC_R_SUCCESS) {
-			fatal("unknown algorithm %s", algname);
-		}
-		if (alg == DST_ALG_DH) {
-			options |= DST_TYPE_KEY;
+		if (strcasecmp(algname, "RSA") == 0) {
+#ifndef PK11_MD5_DISABLE
+			fprintf(stderr, "The use of RSA (RSAMD5) is not "
+					"recommended.\nIf you still wish to "
+					"use RSA (RSAMD5) please specify "
+					"\"-a RSAMD5\"\n");
+			INSIST(freeit == NULL);
+			return (1);
+#else
+			fprintf(stderr,
+				"The use of RSA (RSAMD5) was disabled\n");
+			INSIST(freeit == NULL);
+			return (1);
+		} else if (strcasecmp(algname, "RSAMD5") == 0) {
+			fprintf(stderr, "The use of RSAMD5 was disabled\n");
+			INSIST(freeit == NULL);
+			return (1);
+#endif
+		} else {
+			r.base = algname;
+			r.length = strlen(algname);
+			ret = dns_secalg_fromtext(&alg, &r);
+			if (ret != ISC_R_SUCCESS) {
+				fatal("unknown algorithm %s", algname);
+			}
+			if (alg == DST_ALG_DH) {
+				options |= DST_TYPE_KEY;
+			}
 		}
 
+#ifdef PK11_MD5_DISABLE
+		INSIST((alg != DNS_KEYALG_RSAMD5));
+#endif
+
 		if (!dst_algorithm_supported(alg)) {
 			fatal("unsupported algorithm: %d", alg);
 		}
 
 		if (use_nsec3) {
 			switch (alg) {
+			case DST_ALG_DSA:
+				alg = DST_ALG_NSEC3DSA;
+				break;
 			case DST_ALG_RSASHA1:
 				alg = DST_ALG_NSEC3RSASHA1;
 				break;
+			case DST_ALG_NSEC3DSA:
 			case DST_ALG_NSEC3RSASHA1:
 			case DST_ALG_RSASHA256:
 			case DST_ALG_RSASHA512:
+			case DST_ALG_ECCGOST:
 			case DST_ALG_ECDSA256:
 			case DST_ALG_ECDSA384:
 			case DST_ALG_ED25519:
@@ -568,6 +618,7 @@ main(int argc, char **argv) {
 							" to %d\n", size);
 				}
 				break;
+			case DST_ALG_ECCGOST:
 			case DST_ALG_ECDSA256:
 			case DST_ALG_ECDSA384:
 			case DST_ALG_ED25519:
@@ -585,14 +636,14 @@ main(int argc, char **argv) {
 				      "prepublication interval.");
 
 			if (!setpub && !setact) {
-				setpub = setact = true;
+				setpub = setact = ISC_TRUE;
 				publish = now;
 				activate = now + prepub;
 			} else if (setpub && !setact) {
-				setact = true;
+				setact = ISC_TRUE;
 				activate = publish + prepub;
 			} else if (setact && !setpub) {
-				setpub = true;
+				setpub = ISC_TRUE;
 				publish = activate - prepub;
 			}
 
@@ -678,10 +729,11 @@ main(int argc, char **argv) {
 					"You can use dnssec-settime -D to "
 					"change this.\n", program, keystr);
 
-		setpub = setact = true;
+		setpub = setact = ISC_TRUE;
 	}
 
 	switch (alg) {
+	case DNS_KEYALG_RSAMD5:
 	case DNS_KEYALG_RSASHA1:
 	case DNS_KEYALG_NSEC3RSASHA1:
 	case DNS_KEYALG_RSASHA256:
@@ -696,6 +748,14 @@ main(int argc, char **argv) {
 		if (size != 0 && (size < 128 || size > 4096))
 			fatal("DH key size %d out of range", size);
 		break;
+	case DNS_KEYALG_DSA:
+	case DNS_KEYALG_NSEC3DSA:
+		if (size != 0 && !dsa_size_ok(size))
+			fatal("invalid DSS key size: %d", size);
+		break;
+	case DST_ALG_ECCGOST:
+		size = 256;
+		break;
 	case DST_ALG_ECDSA256:
 		size = 256;
 		break;
@@ -763,32 +823,36 @@ main(int argc, char **argv) {
 	}
 
 	switch(alg) {
+	case DNS_KEYALG_RSAMD5:
 	case DNS_KEYALG_RSASHA1:
 	case DNS_KEYALG_NSEC3RSASHA1:
 	case DNS_KEYALG_RSASHA256:
 	case DNS_KEYALG_RSASHA512:
-		show_progress = true;
+		show_progress = ISC_TRUE;
 		break;
 
 	case DNS_KEYALG_DH:
 		param = generator;
 		break;
 
+	case DNS_KEYALG_DSA:
+	case DNS_KEYALG_NSEC3DSA:
+	case DST_ALG_ECCGOST:
 	case DST_ALG_ECDSA256:
 	case DST_ALG_ECDSA384:
 	case DST_ALG_ED25519:
 	case DST_ALG_ED448:
-		show_progress = true;
+		show_progress = ISC_TRUE;
 		break;
 	}
 
 	if ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY)
-		null_key = true;
+		null_key = ISC_TRUE;
 
 	isc_buffer_init(&buf, filename, sizeof(filename) - 1);
 
 	do {
-		conflict = false;
+		conflict = ISC_FALSE;
 
 		if (!quiet && show_progress) {
 			fprintf(stderr, "Generating key pair.");
@@ -909,7 +973,7 @@ main(int argc, char **argv) {
 		 * or another key being revoked.
 		 */
 		if (key_collision(key, name, directory, mctx, NULL)) {
-			conflict = true;
+			conflict = ISC_TRUE;
 			if (null_key) {
 				dst_key_free(&key);
 				break;
@@ -930,7 +994,7 @@ main(int argc, char **argv) {
 
 			dst_key_free(&key);
 		}
-	} while (conflict == true);
+	} while (conflict == ISC_TRUE);
 
 	if (conflict)
 		fatal("cannot generate a null key due to possible key ID "

bin/dnssec/dnssec-keygen.docbook

@@ -50,7 +50,6 @@
       <year>2016</year>
       <year>2017</year>
       <year>2018</year>
-      <year>2019</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
@@ -58,10 +57,11 @@
   <refsynopsisdiv>
     <cmdsynopsis sepchar=" ">
       <command>dnssec-keygen</command>
-      <arg choice="opt" rep="norepeat"><option>-3</option></arg>
-      <arg choice="opt" rep="norepeat"><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
       <arg rep="norepeat"><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-3</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-C</option></arg>
       <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
@@ -76,7 +76,6 @@
       <arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-k</option></arg>
       <arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-P sync <replaceable class="parameter">date/offset</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
@@ -87,6 +86,7 @@
       <arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">type</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-V</option></arg>
       <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-z</option></arg>
       <arg choice="req" rep="norepeat">name</arg>
     </cmdsynopsis>
   </refsynopsisdiv>
@@ -117,27 +117,13 @@
 
 
     <variablelist>
-
-      <varlistentry>
-	<term>-3</term>
-	<listitem>
-	  <para>
-	    Use an NSEC3-capable algorithm to generate a DNSSEC key.
-	    If this option is used with an algorithm that has both
-	    NSEC and NSEC3 versions, then the NSEC3 version will be
-	    used; for example, <command>dnssec-keygen -3a RSASHA1</command>
-	    specifies the NSEC3RSASHA1 algorithm.
-	  </para>
-	</listitem>
-      </varlistentry>
-
       <varlistentry>
 	<term>-a <replaceable class="parameter">algorithm</replaceable></term>
 	<listitem>
 	  <para>
 	    Selects the cryptographic algorithm.  For DNSSEC keys, the value
-	    of <option>algorithm</option> must be one of RSASHA1,
-	    NSEC3RSASHA1, RSASHA256, RSASHA512,
+	    of <option>algorithm</option> must be one of RSAMD5, RSASHA1,
+	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
 	    ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.  For
 	    TKEY, the value must be DH (Diffie Hellman); specifying
 	    his value will automatically set the <option>-T KEY</option>
@@ -146,9 +132,9 @@
 	  <para>
 	    These values are case insensitive. In some cases, abbreviations
 	    are supported, such as ECDSA256 for ECDSAP256SHA256 and
-	    ECDSA384 for ECDSAP384SHA384. If RSASHA1 is specified
+	    ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified
 	    along with the <option>-3</option> option, then NSEC3RSASHA1
-	    will be used instead.
+	    or NSEC3DSA will be used instead.
 	  </para>
 	  <para>
 	    This parameter <emphasis>must</emphasis> be specified except
@@ -170,9 +156,11 @@
 	  <para>
 	    Specifies the number of bits in the key.  The choice of key
 	    size depends on the algorithm used.  RSA keys must be
-	    between 1024 and 4096 bits.  Diffie Hellman keys must be between
-	    128 and 4096 bits.  Elliptic curve algorithms don't need this
-	    parameter.
+	    between 1024 and 2048 bits.  Diffie Hellman keys must be between
+	    128 and 4096 bits.  DSA keys must be between 512 and 1024
+	    bits and an exact multiple of 64.  HMAC keys must be
+	    between 1 and 512 bits. Elliptic curve algorithms don't need
+	    this parameter.
 	  </para>
 	  <para>
 	    If the key size is not specified, some algorithms have
@@ -184,16 +172,43 @@
 	</listitem>
       </varlistentry>
 
+      <varlistentry>
+	<term>-n <replaceable class="parameter">nametype</replaceable></term>
+	<listitem>
+	  <para>
+	    Specifies the owner type of the key.  The value of
+	    <option>nametype</option> must either be ZONE (for a DNSSEC
+	    zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
+	    with a host (KEY)), USER (for a key associated with a
+	    user(KEY)) or OTHER (DNSKEY).  These values are case
+	    insensitive.  Defaults to ZONE for DNSKEY generation.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-3</term>
+	<listitem>
+	  <para>
+	    Use an NSEC3-capable algorithm to generate a DNSSEC key.
+	    If this option is used with an algorithm that has both
+	    NSEC and NSEC3 versions, then the NSEC3 version will be
+	    used; for example, <command>dnssec-keygen -3a RSASHA1</command>
+	    specifies the NSEC3RSASHA1 algorithm.
+	  </para>
+	</listitem>
+      </varlistentry>
+
       <varlistentry>
 	<term>-C</term>
 	<listitem>
 	  <para>
-	    Compatibility mode: generates an old-style key, without any
-	    timing metadata. By default, <command>dnssec-keygen</command>
-	    will include the key's creation date in the metadata stored with
-	    the private key, and other dates may be set there as well
-	    (publication date, activation date, etc). Keys that include this
-	    data may be incompatible with older versions of BIND; the
+	    Compatibility mode:  generates an old-style key, without
+	    any metadata.  By default, <command>dnssec-keygen</command>
+	    will include the key's creation date in the metadata stored
+	    with the private key, and other dates may be set there as well
+	    (publication date, activation date, etc).  Keys that include
+	    this data may be incompatible with older versions of BIND; the
 	    <option>-C</option> option suppresses them.
 	  </para>
 	</listitem>
@@ -277,6 +292,15 @@
 	</listitem>
       </varlistentry>
 
+      <varlistentry>
+	<term>-k</term>
+	<listitem>
+	  <para>
+	    Deprecated in favor of -T KEY.
+	  </para>
+	</listitem>
+      </varlistentry>
+
       <varlistentry>
 	<term>-L <replaceable class="parameter">ttl</replaceable></term>
 	<listitem>
@@ -293,28 +317,14 @@
 	</listitem>
       </varlistentry>
 
-      <varlistentry>
-	<term>-n <replaceable class="parameter">nametype</replaceable></term>
-	<listitem>
-	  <para>
-	    Specifies the owner type of the key.  The value of
-	    <option>nametype</option> must either be ZONE (for a DNSSEC
-	    zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
-	    with a host (KEY)), USER (for a key associated with a
-	    user(KEY)) or OTHER (DNSKEY).  These values are case
-	    insensitive.  Defaults to ZONE for DNSKEY generation.
-	  </para>
-	</listitem>
-      </varlistentry>
-
       <varlistentry>
 	<term>-p <replaceable class="parameter">protocol</replaceable></term>
 	<listitem>
 	  <para>
-	    Sets the protocol value for the generated key, for use
-	    with <option>-T KEY</option>. The protocol is a number between 0
-	    and 255. The default is 3 (DNSSEC). Other possible values for
-	    this argument are listed in RFC 2535 and its successors.
+	    Sets the protocol value for the generated key.  The protocol
+	    is a number between 0 and 255.  The default is 3 (DNSSEC).
+	    Other possible values for this argument are listed in
+	    RFC 2535 and its successors.
 	  </para>
 	</listitem>
       </varlistentry>
@@ -372,6 +382,10 @@
 	    <option>rrtype</option> must be either DNSKEY or KEY.  The
 	    default is DNSKEY when using a DNSSEC algorithm, but it can be
 	    overridden to KEY for use with SIG(0).
+	  <para>
+	  </para>
+	    Specifying any TSIG algorithm (HMAC-* or DH) with
+	    <option>-a</option> forces this option to KEY.
 	  </para>
 	</listitem>
       </varlistentry>
@@ -380,20 +394,10 @@
 	<term>-t <replaceable class="parameter">type</replaceable></term>
 	<listitem>
 	  <para>
-	    Indicates the use of the key, for use with <option>-T
-	    KEY</option>. <option>type</option> must be one of AUTHCONF,
-	    NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH
-	    refers to the ability to authenticate data, and CONF the ability
-	    to encrypt data.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-V</term>
-	<listitem>
-	  <para>
-	    Prints version information.
+	    Indicates the use of the key.  <option>type</option> must be
+	    one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF.  The default
+	    is AUTHCONF.  AUTH refers to the ability to authenticate
+	    data, and CONF the ability to encrypt data.
 	  </para>
 	</listitem>
       </varlistentry>
@@ -407,6 +411,15 @@
 	</listitem>
       </varlistentry>
 
+      <varlistentry>
+	<term>-V</term>
+	<listitem>
+	  <para>
+	    Prints version information.
+	  </para>
+	</listitem>
+      </varlistentry>
+
     </variablelist>
   </refsection>
 
@@ -571,12 +584,10 @@
       key.
     </para>
     <para>
-      The <filename>.key</filename> file contains a DNSKEY or KEY record.
-      When a zone is being signed by <command>named</command>
-      or <command>dnssec-signzone</command> <option>-S</option>, DNSKEY
-      records are included automatically. In other cases,
-      the <filename>.key</filename> file can be inserted into a zone file
-      manually or with a <userinput>$INCLUDE</userinput> statement.
+      The <filename>.key</filename> file contains a DNS KEY record
+      that
+      can be inserted into a zone file (directly or with a $INCLUDE
+      statement).
     </para>
     <para>
       The <filename>.private</filename> file contains
@@ -584,33 +595,32 @@
       fields.  For obvious security reasons, this file does not have
       general read permission.
     </para>
+    <para>
+      Both <filename>.key</filename> and <filename>.private</filename>
+      files are generated for symmetric cryptography algorithms such as
+      HMAC-MD5, even though the public and private key are equivalent.
+    </para>
   </refsection>
 
   <refsection><info><title>EXAMPLE</title></info>
 
     <para>
-      To generate an ECDSAP256SHA256 zone-signing key for the zone
-      <userinput>example.com</userinput>, issue the command:
+      To generate a 768-bit DSA key for the domain
+      <userinput>example.com</userinput>, the following command would be
+      issued:
     </para>
-    <para>
-      <userinput>dnssec-keygen -a ECDSAP256SHA256 example.com</userinput>
+    <para><userinput>dnssec-keygen -a DSA -b 768 -n ZONE example.com</userinput>
     </para>
     <para>
       The command would print a string of the form:
     </para>
-    <para><userinput>Kexample.com.+013+26160</userinput>
+    <para><userinput>Kexample.com.+003+26160</userinput>
     </para>
     <para>
       In this example, <command>dnssec-keygen</command> creates
-      the files <filename>Kexample.com.+013+26160.key</filename>
+      the files <filename>Kexample.com.+003+26160.key</filename>
       and
-      <filename>Kexample.com.+013+26160.private</filename>.
-    </para>
-    <para>
-      To generate a matching key-signing key, issue the command:
-    </para>
-    <para>
-      <userinput>dnssec-keygen -a ECDSAP256SHA256 -f KSK example.com</userinput>
+      <filename>Kexample.com.+003+26160.private</filename>.
     </para>
   </refsection>
 

bin/dnssec/dnssec-keygen.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2005, 2007-2012, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2005, 2007-2012, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -33,10 +33,11 @@
 <h2>Synopsis</h2>
     <div class="cmdsynopsis"><p>
       <code class="command">dnssec-keygen</code> 
-       [<code class="option">-3</code>]
-       [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
        [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
        [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
+       [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
+       [<code class="option">-3</code>]
+       [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
        [<code class="option">-C</code>]
        [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
        [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
@@ -51,7 +52,6 @@
        [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
        [<code class="option">-k</code>]
        [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
-       [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
        [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
        [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
        [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>]
@@ -62,6 +62,7 @@
        [<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
        [<code class="option">-V</code>]
        [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
+       [<code class="option">-z</code>]
        {name}
     </p></div>
   </div>
@@ -94,22 +95,12 @@
 
 
     <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">-3</span></dt>
-<dd>
-	  <p>
-	    Use an NSEC3-capable algorithm to generate a DNSSEC key.
-	    If this option is used with an algorithm that has both
-	    NSEC and NSEC3 versions, then the NSEC3 version will be
-	    used; for example, <span class="command"><strong>dnssec-keygen -3a RSASHA1</strong></span>
-	    specifies the NSEC3RSASHA1 algorithm.
-	  </p>
-	</dd>
 <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 <dd>
 	  <p>
 	    Selects the cryptographic algorithm.  For DNSSEC keys, the value
-	    of <code class="option">algorithm</code> must be one of RSASHA1,
-	    NSEC3RSASHA1, RSASHA256, RSASHA512,
+	    of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
+	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
 	    ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.  For
 	    TKEY, the value must be DH (Diffie Hellman); specifying
 	    his value will automatically set the <code class="option">-T KEY</code>
@@ -118,9 +109,9 @@
 	  <p>
 	    These values are case insensitive. In some cases, abbreviations
 	    are supported, such as ECDSA256 for ECDSAP256SHA256 and
-	    ECDSA384 for ECDSAP384SHA384. If RSASHA1 is specified
+	    ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified
 	    along with the <code class="option">-3</code> option, then NSEC3RSASHA1
-	    will be used instead.
+	    or NSEC3DSA will be used instead.
 	  </p>
 	  <p>
 	    This parameter <span class="emphasis"><em>must</em></span> be specified except
@@ -139,9 +130,11 @@
 	  <p>
 	    Specifies the number of bits in the key.  The choice of key
 	    size depends on the algorithm used.  RSA keys must be
-	    between 1024 and 4096 bits.  Diffie Hellman keys must be between
-	    128 and 4096 bits.  Elliptic curve algorithms don't need this
-	    parameter.
+	    between 1024 and 2048 bits.  Diffie Hellman keys must be between
+	    128 and 4096 bits.  DSA keys must be between 512 and 1024
+	    bits and an exact multiple of 64.  HMAC keys must be
+	    between 1 and 512 bits. Elliptic curve algorithms don't need
+	    this parameter.
 	  </p>
 	  <p>
 	    If the key size is not specified, some algorithms have
@@ -151,15 +144,36 @@
 	    <code class="option">-f KSK</code>) default to 2048 bits.
 	  </p>
 	</dd>
+<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
+<dd>
+	  <p>
+	    Specifies the owner type of the key.  The value of
+	    <code class="option">nametype</code> must either be ZONE (for a DNSSEC
+	    zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
+	    with a host (KEY)), USER (for a key associated with a
+	    user(KEY)) or OTHER (DNSKEY).  These values are case
+	    insensitive.  Defaults to ZONE for DNSKEY generation.
+	  </p>
+	</dd>
+<dt><span class="term">-3</span></dt>
+<dd>
+	  <p>
+	    Use an NSEC3-capable algorithm to generate a DNSSEC key.
+	    If this option is used with an algorithm that has both
+	    NSEC and NSEC3 versions, then the NSEC3 version will be
+	    used; for example, <span class="command"><strong>dnssec-keygen -3a RSASHA1</strong></span>
+	    specifies the NSEC3RSASHA1 algorithm.
+	  </p>
+	</dd>
 <dt><span class="term">-C</span></dt>
 <dd>
 	  <p>
-	    Compatibility mode: generates an old-style key, without any
-	    timing metadata. By default, <span class="command"><strong>dnssec-keygen</strong></span>
-	    will include the key's creation date in the metadata stored with
-	    the private key, and other dates may be set there as well
-	    (publication date, activation date, etc). Keys that include this
-	    data may be incompatible with older versions of BIND; the
+	    Compatibility mode:  generates an old-style key, without
+	    any metadata.  By default, <span class="command"><strong>dnssec-keygen</strong></span>
+	    will include the key's creation date in the metadata stored
+	    with the private key, and other dates may be set there as well
+	    (publication date, activation date, etc).  Keys that include
+	    this data may be incompatible with older versions of BIND; the
 	    <code class="option">-C</code> option suppresses them.
 	  </p>
 	</dd>
@@ -220,6 +234,12 @@
 	    Sets the directory in which the key files are to be written.
 	  </p>
 	</dd>
+<dt><span class="term">-k</span></dt>
+<dd>
+	  <p>
+	    Deprecated in favor of -T KEY.
+	  </p>
+	</dd>
 <dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
 <dd>
 	  <p>
@@ -233,24 +253,13 @@
 	    or <code class="literal">none</code> is the same as leaving it unset.
 	  </p>
 	</dd>
-<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
-<dd>
-	  <p>
-	    Specifies the owner type of the key.  The value of
-	    <code class="option">nametype</code> must either be ZONE (for a DNSSEC
-	    zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
-	    with a host (KEY)), USER (for a key associated with a
-	    user(KEY)) or OTHER (DNSKEY).  These values are case
-	    insensitive.  Defaults to ZONE for DNSKEY generation.
-	  </p>
-	</dd>
 <dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
 <dd>
 	  <p>
-	    Sets the protocol value for the generated key, for use
-	    with <code class="option">-T KEY</code>. The protocol is a number between 0
-	    and 255. The default is 3 (DNSSEC). Other possible values for
-	    this argument are listed in RFC 2535 and its successors.
+	    Sets the protocol value for the generated key.  The protocol
+	    is a number between 0 and 255.  The default is 3 (DNSSEC).
+	    Other possible values for this argument are listed in
+	    RFC 2535 and its successors.
 	  </p>
 	</dd>
 <dt><span class="term">-q</span></dt>
@@ -297,21 +306,20 @@
 	    default is DNSKEY when using a DNSSEC algorithm, but it can be
 	    overridden to KEY for use with SIG(0).
 	  </p>
+<p>
+	  </p>
+<p>
+	    Specifying any TSIG algorithm (HMAC-* or DH) with
+	    <code class="option">-a</code> forces this option to KEY.
+	  </p>
 	</dd>
 <dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
 <dd>
 	  <p>
-	    Indicates the use of the key, for use with <code class="option">-T
-	    KEY</code>. <code class="option">type</code> must be one of AUTHCONF,
-	    NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH
-	    refers to the ability to authenticate data, and CONF the ability
-	    to encrypt data.
-	  </p>
-	</dd>
-<dt><span class="term">-V</span></dt>
-<dd>
-	  <p>
-	    Prints version information.
+	    Indicates the use of the key.  <code class="option">type</code> must be
+	    one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF.  The default
+	    is AUTHCONF.  AUTH refers to the ability to authenticate
+	    data, and CONF the ability to encrypt data.
 	  </p>
 	</dd>
 <dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
@@ -320,6 +328,12 @@
 	    Sets the debugging level.
 	  </p>
 	</dd>
+<dt><span class="term">-V</span></dt>
+<dd>
+	  <p>
+	    Prints version information.
+	  </p>
+	</dd>
 </dl></div>
   </div>
 
@@ -462,12 +476,10 @@
       key.
     </p>
     <p>
-      The <code class="filename">.key</code> file contains a DNSKEY or KEY record.
-      When a zone is being signed by <span class="command"><strong>named</strong></span>
-      or <span class="command"><strong>dnssec-signzone</strong></span> <code class="option">-S</code>, DNSKEY
-      records are included automatically. In other cases,
-      the <code class="filename">.key</code> file can be inserted into a zone file
-      manually or with a <strong class="userinput"><code>$INCLUDE</code></strong> statement.
+      The <code class="filename">.key</code> file contains a DNS KEY record
+      that
+      can be inserted into a zone file (directly or with a $INCLUDE
+      statement).
     </p>
     <p>
       The <code class="filename">.private</code> file contains
@@ -475,34 +487,33 @@
       fields.  For obvious security reasons, this file does not have
       general read permission.
     </p>
+    <p>
+      Both <code class="filename">.key</code> and <code class="filename">.private</code>
+      files are generated for symmetric cryptography algorithms such as
+      HMAC-MD5, even though the public and private key are equivalent.
+    </p>
   </div>
 
   <div class="refsection">
 <a name="id-1.11"></a><h2>EXAMPLE</h2>
 
     <p>
-      To generate an ECDSAP256SHA256 zone-signing key for the zone
-      <strong class="userinput"><code>example.com</code></strong>, issue the command:
+      To generate a 768-bit DSA key for the domain
+      <strong class="userinput"><code>example.com</code></strong>, the following command would be
+      issued:
     </p>
-    <p>
-      <strong class="userinput"><code>dnssec-keygen -a ECDSAP256SHA256 example.com</code></strong>
+    <p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
     </p>
     <p>
       The command would print a string of the form:
     </p>
-    <p><strong class="userinput"><code>Kexample.com.+013+26160</code></strong>
+    <p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
     </p>
     <p>
       In this example, <span class="command"><strong>dnssec-keygen</strong></span> creates
-      the files <code class="filename">Kexample.com.+013+26160.key</code>
+      the files <code class="filename">Kexample.com.+003+26160.key</code>
       and
-      <code class="filename">Kexample.com.+013+26160.private</code>.
-    </p>
-    <p>
-      To generate a matching key-signing key, issue the command:
-    </p>
-    <p>
-      <strong class="userinput"><code>dnssec-keygen -a ECDSAP256SHA256 -f KSK example.com</code></strong>
+      <code class="filename">Kexample.com.+003+26160.private</code>.
     </p>
   </div>
 

bin/dnssec/dnssec-revoke.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2009, 2011, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009, 2011, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -99,5 +99,5 @@ RFC 5011\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2009, 2011, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009, 2011, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dnssec/dnssec-revoke.c

@@ -13,8 +13,6 @@
 
 #include <config.h>
 
-#include <inttypes.h>
-#include <stdbool.h>
 #include <stdlib.h>
 #include <unistd.h>
 
@@ -32,7 +30,7 @@
 
 #include <dst/dst.h>
 
-#if USE_PKCS11
+#if HAVE_PKCS11
 #include <pk11/result.h>
 #endif
 
@@ -51,19 +49,22 @@ usage(void) {
 	fprintf(stderr, "Usage:\n");
 	fprintf(stderr,	"    %s [options] keyfile\n\n", program);
 	fprintf(stderr, "Version: %s\n", VERSION);
-#if USE_PKCS11
+#if HAVE_PKCS11
 	fprintf(stderr, "    -E engine:    specify PKCS#11 provider "
 					"(default: %s)\n", PK11_LIB_LOCATION);
+#elif defined(USE_PKCS11)
+	fprintf(stderr, "    -E engine:    specify OpenSSL engine "
+					   "(default \"pkcs11\")\n");
 #else
 	fprintf(stderr, "    -E engine:    specify OpenSSL engine\n");
 #endif
-	fprintf(stderr, "    -f:           force overwrite\n");
-	fprintf(stderr, "    -h:           help\n");
+	fprintf(stderr, "    -f:	   force overwrite\n");
 	fprintf(stderr, "    -K directory: use directory for key files\n");
-	fprintf(stderr, "    -r:           remove old keyfiles after "
+	fprintf(stderr, "    -h:	   help\n");
+	fprintf(stderr, "    -r:	   remove old keyfiles after "
 					   "creating revoked version\n");
-	fprintf(stderr, "    -v level:     set level of verbosity\n");
-	fprintf(stderr, "    -V:           print version information\n");
+	fprintf(stderr, "    -v level:	   set level of verbosity\n");
+	fprintf(stderr, "    -V: print version information\n");
 	fprintf(stderr, "Output:\n");
 	fprintf(stderr, "     K<name>+<alg>+<new id>.key, "
 			     "K<name>+<alg>+<new id>.private\n");
@@ -74,7 +75,11 @@ usage(void) {
 int
 main(int argc, char **argv) {
 	isc_result_t result;
+#ifdef USE_PKCS11
+	const char *engine = PKCS11_ENGINE;
+#else
 	const char *engine = NULL;
+#endif
 	char const *filename = NULL;
 	char *dir = NULL;
 	char newname[1024], oldname[1024];
@@ -82,11 +87,11 @@ main(int argc, char **argv) {
 	char *endp;
 	int ch;
 	dst_key_t *key = NULL;
-	uint32_t flags;
+	isc_uint32_t flags;
 	isc_buffer_t buf;
-	bool force = false;
-	bool removefile = false;
-	bool id = false;
+	isc_boolean_t force = ISC_FALSE;
+	isc_boolean_t removefile = ISC_FALSE;
+	isc_boolean_t id = ISC_FALSE;
 
 	if (argc == 1)
 		usage();
@@ -100,7 +105,7 @@ main(int argc, char **argv) {
 #endif
 	dns_result_register();
 
-	isc_commandline_errprint = false;
+	isc_commandline_errprint = ISC_FALSE;
 
 	while ((ch = isc_commandline_parse(argc, argv, "E:fK:rRhv:V")) != -1) {
 		switch (ch) {
@@ -108,7 +113,7 @@ main(int argc, char **argv) {
 			engine = isc_commandline_argument;
 			break;
 		    case 'f':
-			force = true;
+			force = ISC_TRUE;
 			break;
 		    case 'K':
 			/*
@@ -122,10 +127,10 @@ main(int argc, char **argv) {
 			}
 			break;
 		    case 'r':
-			removefile = true;
+			removefile = ISC_TRUE;
 			break;
 		    case 'R':
-			id = true;
+			id = ISC_TRUE;
 			break;
 		    case 'v':
 			verbose = strtol(isc_commandline_argument, &endp, 0);
@@ -239,7 +244,7 @@ main(int argc, char **argv) {
 		 * Remove old key file, if told to (and if
 		 * it isn't the same as the new file)
 		 */
-		if (removefile) {
+		if (removefile && dst_key_alg(key) != DST_ALG_RSAMD5) {
 			isc_buffer_init(&buf, oldname, sizeof(oldname));
 			dst_key_setflags(key, flags & ~DNS_KEYFLAG_REVOKE);
 			dst_key_buildfilename(key, DST_TYPE_PRIVATE, dir, &buf);

bin/dnssec/dnssec-revoke.docbook

@@ -38,7 +38,6 @@
       <year>2015</year>
       <year>2016</year>
       <year>2018</year>
-      <year>2019</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>

bin/dnssec/dnssec-revoke.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2009, 2011, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2011, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this

bin/dnssec/dnssec-settime.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2009-2011, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009-2011, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -200,5 +200,5 @@ RFC 5011\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2009-2011, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009-2011, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dnssec/dnssec-settime.c

@@ -13,8 +13,6 @@
 
 #include <config.h>
 
-#include <inttypes.h>
-#include <stdbool.h>
 #include <stdlib.h>
 #include <unistd.h>
 #include <errno.h>
@@ -35,7 +33,7 @@
 
 #include <dst/dst.h>
 
-#if USE_PKCS11
+#if HAVE_PKCS11
 #include <pk11/result.h>
 #endif
 
@@ -55,7 +53,7 @@ usage(void) {
 	fprintf(stderr,	"    %s [options] keyfile\n\n", program);
 	fprintf(stderr, "Version: %s\n", VERSION);
 	fprintf(stderr, "General options:\n");
-#if USE_PKCS11
+#if HAVE_PKCS11
 	fprintf(stderr, "    -E engine:          specify PKCS#11 provider "
 					"(default: %s)\n", PK11_LIB_LOCATION);
 #elif defined(USE_PKCS11)
@@ -104,7 +102,7 @@ usage(void) {
 }
 
 static void
-printtime(dst_key_t *key, int type, const char *tag, bool epoch,
+printtime(dst_key_t *key, int type, const char *tag, isc_boolean_t epoch,
 	  FILE *stream)
 {
 	isc_result_t result;
@@ -129,7 +127,11 @@ printtime(dst_key_t *key, int type, const char *tag, bool epoch,
 int
 main(int argc, char **argv) {
 	isc_result_t	result;
+#ifdef USE_PKCS11
+	const char	*engine = PKCS11_ENGINE;
+#else
 	const char	*engine = NULL;
+#endif
 	const char 	*filename = NULL;
 	char		*directory = NULL;
 	char		newname[1024];
@@ -143,29 +145,29 @@ main(int argc, char **argv) {
 	dns_name_t	*name = NULL;
 	dns_secalg_t 	alg = 0;
 	unsigned int 	size = 0;
-	uint16_t	flags = 0;
+	isc_uint16_t	flags = 0;
 	int		prepub = -1;
 	dns_ttl_t	ttl = 0;
 	isc_stdtime_t	now;
 	isc_stdtime_t	pub = 0, act = 0, rev = 0, inact = 0, del = 0;
 	isc_stdtime_t	prevact = 0, previnact = 0, prevdel = 0;
-	bool	setpub = false, setact = false;
-	bool	setrev = false, setinact = false;
-	bool	setdel = false, setttl = false;
-	bool	unsetpub = false, unsetact = false;
-	bool	unsetrev = false, unsetinact = false;
-	bool	unsetdel = false;
-	bool	printcreate = false, printpub = false;
-	bool	printact = false,  printrev = false;
-	bool	printinact = false, printdel = false;
-	bool	force = false;
-	bool   epoch = false;
-	bool   changed = false;
+	isc_boolean_t	setpub = ISC_FALSE, setact = ISC_FALSE;
+	isc_boolean_t	setrev = ISC_FALSE, setinact = ISC_FALSE;
+	isc_boolean_t	setdel = ISC_FALSE, setttl = ISC_FALSE;
+	isc_boolean_t	unsetpub = ISC_FALSE, unsetact = ISC_FALSE;
+	isc_boolean_t	unsetrev = ISC_FALSE, unsetinact = ISC_FALSE;
+	isc_boolean_t	unsetdel = ISC_FALSE;
+	isc_boolean_t	printcreate = ISC_FALSE, printpub = ISC_FALSE;
+	isc_boolean_t	printact = ISC_FALSE,  printrev = ISC_FALSE;
+	isc_boolean_t	printinact = ISC_FALSE, printdel = ISC_FALSE;
+	isc_boolean_t	force = ISC_FALSE;
+	isc_boolean_t   epoch = ISC_FALSE;
+	isc_boolean_t   changed = ISC_FALSE;
 	isc_log_t       *log = NULL;
 	isc_stdtime_t	syncadd = 0, syncdel = 0;
-	bool	unsetsyncadd = false, setsyncadd = false;
-	bool	unsetsyncdel = false, setsyncdel = false;
-	bool	printsyncadd = false, printsyncdel = false;
+	isc_boolean_t	unsetsyncadd = ISC_FALSE, setsyncadd = ISC_FALSE;
+	isc_boolean_t	unsetsyncdel = ISC_FALSE, setsyncdel = ISC_FALSE;
+	isc_boolean_t	printsyncadd = ISC_FALSE, printsyncdel = ISC_FALSE;
 
 	if (argc == 1)
 		usage();
@@ -176,12 +178,12 @@ main(int argc, char **argv) {
 
 	setup_logging(mctx, &log);
 
-#if USE_PKCS11
+#if HAVE_PKCS11
 	pk11_result_register();
 #endif
 	dns_result_register();
 
-	isc_commandline_errprint = false;
+	isc_commandline_errprint = ISC_FALSE;
 
 	isc_stdtime_get(&now);
 
@@ -192,51 +194,51 @@ main(int argc, char **argv) {
 			engine = isc_commandline_argument;
 			break;
 		case 'f':
-			force = true;
+			force = ISC_TRUE;
 			break;
 		case 'p':
 			p = isc_commandline_argument;
 			if (!strcasecmp(p, "all")) {
-				printcreate = true;
-				printpub = true;
-				printact = true;
-				printrev = true;
-				printinact = true;
-				printdel = true;
-				printsyncadd = true;
-				printsyncdel = true;
+				printcreate = ISC_TRUE;
+				printpub = ISC_TRUE;
+				printact = ISC_TRUE;
+				printrev = ISC_TRUE;
+				printinact = ISC_TRUE;
+				printdel = ISC_TRUE;
+				printsyncadd = ISC_TRUE;
+				printsyncdel = ISC_TRUE;
 				break;
 			}
 
 			do {
 				switch (*p++) {
 				case 'C':
-					printcreate = true;
+					printcreate = ISC_TRUE;
 					break;
 				case 'P':
 					if (!strncmp(p, "sync", 4)) {
 						p += 4;
-						printsyncadd = true;
+						printsyncadd = ISC_TRUE;
 						break;
 					}
-					printpub = true;
+					printpub = ISC_TRUE;
 					break;
 				case 'A':
-					printact = true;
+					printact = ISC_TRUE;
 					break;
 				case 'R':
-					printrev = true;
+					printrev = ISC_TRUE;
 					break;
 				case 'I':
-					printinact = true;
+					printinact = ISC_TRUE;
 					break;
 				case 'D':
 					if (!strncmp(p, "sync", 4)) {
 						p += 4;
-						printsyncdel = true;
+						printsyncdel = ISC_TRUE;
 						break;
 					}
-					printdel = true;
+					printdel = ISC_TRUE;
 					break;
 				case ' ':
 					break;
@@ -247,7 +249,7 @@ main(int argc, char **argv) {
 			} while (*p != '\0');
 			break;
 		case 'u':
-			epoch = true;
+			epoch = ISC_TRUE;
 			break;
 		case 'K':
 			/*
@@ -263,7 +265,7 @@ main(int argc, char **argv) {
 			break;
 		case 'L':
 			ttl = strtottl(isc_commandline_argument);
-			setttl = true;
+			setttl = ISC_TRUE;
 			break;
 		case 'v':
 			verbose = strtol(isc_commandline_argument, &endp, 0);
@@ -277,7 +279,7 @@ main(int argc, char **argv) {
 					fatal("-P sync specified more than "
 					      "once");
 
-				changed = true;
+				changed = ISC_TRUE;
 				syncadd = strtotime(isc_commandline_argument,
 						   now, now, &setsyncadd);
 				unsetsyncadd = !setsyncadd;
@@ -287,7 +289,7 @@ main(int argc, char **argv) {
 			if (setpub || unsetpub)
 				fatal("-P specified more than once");
 
-			changed = true;
+			changed = ISC_TRUE;
 			pub = strtotime(isc_commandline_argument,
 					now, now, &setpub);
 			unsetpub = !setpub;
@@ -296,7 +298,7 @@ main(int argc, char **argv) {
 			if (setact || unsetact)
 				fatal("-A specified more than once");
 
-			changed = true;
+			changed = ISC_TRUE;
 			act = strtotime(isc_commandline_argument,
 					now, now, &setact);
 			unsetact = !setact;
@@ -305,7 +307,7 @@ main(int argc, char **argv) {
 			if (setrev || unsetrev)
 				fatal("-R specified more than once");
 
-			changed = true;
+			changed = ISC_TRUE;
 			rev = strtotime(isc_commandline_argument,
 					now, now, &setrev);
 			unsetrev = !setrev;
@@ -314,7 +316,7 @@ main(int argc, char **argv) {
 			if (setinact || unsetinact)
 				fatal("-I specified more than once");
 
-			changed = true;
+			changed = ISC_TRUE;
 			inact = strtotime(isc_commandline_argument,
 					now, now, &setinact);
 			unsetinact = !setinact;
@@ -326,7 +328,7 @@ main(int argc, char **argv) {
 					fatal("-D sync specified more than "
 					      "once");
 
-				changed = true;
+				changed = ISC_TRUE;
 				syncdel = strtotime(isc_commandline_argument,
 						   now, now, &setsyncdel);
 				unsetsyncdel = !setsyncdel;
@@ -337,7 +339,7 @@ main(int argc, char **argv) {
 			if (setdel || unsetdel)
 				fatal("-D specified more than once");
 
-			changed = true;
+			changed = ISC_TRUE;
 			del = strtotime(isc_commandline_argument,
 					now, now, &setdel);
 			unsetdel = !setdel;
@@ -448,7 +450,7 @@ main(int argc, char **argv) {
 					"before it is scheduled to be "
 					"inactive.\n", program);
 
-		changed = setpub = setact = true;
+		changed = setpub = setact = ISC_TRUE;
 	} else {
 		if (prepub < 0)
 			prepub = 0;
@@ -460,10 +462,10 @@ main(int argc, char **argv) {
 				      "prepublication interval.");
 
 			if (setpub && !setact) {
-				setact = true;
+				setact = ISC_TRUE;
 				act = pub + prepub;
 			} else if (setact && !setpub) {
-				setpub = true;
+				setpub = ISC_TRUE;
 				pub = act - prepub;
 			}
 
@@ -594,11 +596,11 @@ main(int argc, char **argv) {
 	if (force && !changed) {
 		dst_key_settime(key, DST_TIME_PUBLISH, now);
 		dst_key_settime(key, DST_TIME_ACTIVATE, now);
-		changed = true;
+		changed = ISC_TRUE;
 	}
 
 	if (!changed && setttl)
-		changed = true;
+		changed = ISC_TRUE;
 
 	/*
 	 * Print out time values, if -p was used.