look for name that generated 0FEH552TRKV2I9QUNQ8KQ23MFH2IJGAK

.dir-locals.el

@@ -1,71 +0,0 @@
-;;; Directory Local Variables
-;;; For more information see (info "(emacs) Directory Variables")
-
-((c-mode .
-  ((eval .
-	 (set (make-local-variable 'directory-of-current-dir-locals-file)
-	      (file-name-directory (locate-dominating-file default-directory ".dir-locals.el"))
-	      )
-	 )
-   (eval .
-	 (set (make-local-variable 'include-directories)
-	      (list
-
-	       ;; top directory
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "./"))
-
-	       ;; current directory
-	       (expand-file-name (concat default-directory "./"))
-
-	       ;; libisc
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/isc/unix/include"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/isc/pthreads/include"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/isc/include"))
-
-	       ;; libdns
-
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/dns/include"))
-
-	       ;; libisccc
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/isccc/include"))
-
-	       ;; libisccfg
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/isccfg/include"))
-
-	       ;; libns
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/ns/include"))
-
-	       ;; libirs
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/irs/include"))
-
-	       ;; libbind9
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/bind9/include"))
-
-	       (expand-file-name "/usr/local/opt/openssl@1.1/include")
-	       (expand-file-name "/usr/local/opt/libxml2/include/libxml2")
-	       (expand-file-name "/usr/local/include")
-	       )
-	      )
-	 )
-
-   (eval setq flycheck-clang-include-path include-directories)
-   (eval setq flycheck-cppcheck-include-path include-directories)
-   (eval setq flycheck-clang-args
-	 (list
-	  "-include"
-	  (expand-file-name
-	   (concat directory-of-current-dir-locals-file "config.h"))
-	  )
-	 )
-   )
-  ))

.gitattributes

@@ -1,2 +1,3 @@
 *.sln.in eol=crlf
-*.vcxproj.* eol=crlf
+*.vcxproj.in eol=crlf
+*.vcxproj.filters.in eol=crlf

.gitignore

@@ -1,58 +1,36 @@
-*-symtbl.c
-*.a
-*.gcda
-*.gcno
-*.la
-*.lo
-*.o
-*.orig
-*.plist/ # ccc-analyzer store its results in .plist directories
+Makefile
+config.log
+config.h
+config.cache
+config.status
+libtool
+/isc-config.sh
+/configure.lineno
+autom4te.cache/
 *.rej
+*.orig
+*.o
+*.lo
 *.so
+*.a
+*.la
+*.gcno
+*.gcda
 *_test
-*~
+*-symtbl.c
+timestamp
+ans.run
+named.run
+named.memstats
+gen.dSYM/
 .ccache/
-.cproject
 .deps/
 .dirstamp
 .libs/
+# ccc-analyzer store its results in .plist directories
+*.plist/
+*~
 .project
+.cproject
 .settings
-/aclocal.m4
-/ar-lib
-/autom4te.cache/
-/bind.keys.h
-/compile
-/config.cache
-/config.guess
-/config.h
-/config.h.in
-/config.log
-/config.status
-/config.sub
-/configure
-/configure.lineno
-/depcomp
-/install-sh
-/isc-config.sh
-/libltdl/*
-/libtool
-/ltmain.sh
-/m4/libtool.m4
-/m4/ltargz.m4
-/m4/ltdl.m4
-/m4/ltoptions.m4
-/m4/ltsugar.m4
-/m4/ltversion.m4
-/m4/lt~obsolete.m4
-/missing
-/py-compile
-/stamp-h1
-/test-driver
-Makefile
-ans.run
-gen.dSYM/
-kyua.log
-named.memstats
-named.run
-timestamp
+kyua.log

.gitlab-ci.yml

@@ -1,9 +1,7 @@
 variables:
-  # Not normally needed, but may be if some script uses `apt-get install`.
   DEBIAN_FRONTEND: noninteractive
-  # Locale settings do not affect the build, but might affect tests.
   LC_ALL: C
-
+  DOCKER_DRIVER: overlay2
   CI_REGISTRY_IMAGE: registry.gitlab.isc.org/isc-projects/images/bind9
   CCACHE_DIR: "/ccache"
   SOFTHSM2_CONF: "/var/tmp/softhsm2/softhsm2.conf"
@@ -14,111 +12,129 @@ stages:
   - test
   - push
 
-### Runner Tag Templates
-
-.linux-amd64: &linux_amd64
-  tags:
-    - linux
-    - amd64
-
-.linux-i386: &linux_i386
-  tags:
-    - linux
-    - i386
-
-### Docker Image Templates
-
-# CentOS
-
 .centos-centos6-amd64: &centos_centos6_amd64_image
   image: "$CI_REGISTRY_IMAGE:centos-centos6-amd64"
-  <<: *linux_amd64
+  tags:
+    - linux
+    - docker
+    - amd64
 
 .centos-centos7-amd64: &centos_centos7_amd64_image
   image: "$CI_REGISTRY_IMAGE:centos-centos7-amd64"
-  <<: *linux_amd64
-
-# Debian
+  tags:
+    - linux
+    - docker
+    - amd64
 
 .debian-jessie-amd64: &debian_jessie_amd64_image
   image: "$CI_REGISTRY_IMAGE:debian-jessie-amd64"
-  <<: *linux_amd64
+  tags:
+    - linux
+    - docker
+    - amd64
 
 .debian-jessie-i386: &debian_jessie_i386_image
   image: "$CI_REGISTRY_IMAGE:debian-jessie-i386"
-  <<: *linux_i386
+  tags:
+    - linux
+    - docker
+    - i386
 
 .debian-stretch-amd64: &debian_stretch_amd64_image
   image: "$CI_REGISTRY_IMAGE:debian-stretch-amd64"
-  <<: *linux_amd64
+  tags:
+    - linux
+    - docker
+    - amd64
 
-.debian-stretch-i386: &debian_stretch_i386_image
+.debian-stretch-i386:: &debian_stretch_i386_image
   image: "$CI_REGISTRY_IMAGE:debian-stretch-i386"
-  <<: *linux_i386
+  tags:
+    - linux
+    - docker
+    - i386
+
+.debian-buster-amd64: &debian_buster_amd64_image
+  image: "$CI_REGISTRY_IMAGE:debian-buster-amd64"
+  tags:
+    - linux
+    - docker
+    - amd64
+
+.debian-buster-i386:: &debian_buster_i386_image
+  image: "$CI_REGISTRY_IMAGE:debian-buster-i386"
+  tags:
+    - linux
+    - docker
+    - i386
 
 .debian-sid-amd64: &debian_sid_amd64_image
   image: "$CI_REGISTRY_IMAGE:debian-sid-amd64"
-  <<: *linux_amd64
+  tags:
+    - linux
+    - docker
+    - amd64
 
 .debian-sid-i386: &debian_sid_i386_image
   image: "$CI_REGISTRY_IMAGE:debian-sid-i386"
-  <<: *linux_i386
+  tags:
+    - linux
+    - docker
+    - i386
 
-# Fedora
+.ubuntu-trusty-amd64: &ubuntu_trusty_amd64_image
+  image: "$CI_REGISTRY_IMAGE:ubuntu-trusty-amd64"
+  tags:
+    - linux
+    - docker
+    - amd64
 
-.fedora-29-amd64: &fedora_29_amd64_image
-  image: "$CI_REGISTRY_IMAGE:fedora-29-amd64"
-  <<: *linux_amd64
-
-# Ubuntu
+.ubuntu-trusty-i386: &ubuntu_trusty_i386_image
+  image: "$CI_REGISTRY_IMAGE:ubuntu-trusty-i386"
+  tags:
+    - linux
+    - docker
+    - i386
 
 .ubuntu-xenial-amd64: &ubuntu_xenial_amd64_image
   image: "$CI_REGISTRY_IMAGE:ubuntu-xenial-amd64"
-  <<: *linux_amd64
+  tags:
+    - linux
+    - docker
+    - amd64
 
 .ubuntu-xenial-i386: &ubuntu_xenial_i386_image
   image: "$CI_REGISTRY_IMAGE:ubuntu-xenial-i386"
-  <<: *linux_i386
-
-.ubuntu-bionic-amd64: &ubuntu_bionic_amd64_image
-  image: "$CI_REGISTRY_IMAGE:ubuntu-bionic-amd64"
-  <<: *linux_amd64
-
-.ubuntu-bionic-i386: &ubuntu_bionic_i386_image
-  image: "$CI_REGISTRY_IMAGE:ubuntu-bionic-i386"
-  <<: *linux_i386
-
-### Job Templates
-
-.default-triggering-rules: &default_triggering_rules
-  only:
-    - merge_requests
-    - tags
-    - web
-
-.precheck: &precheck_job
-  <<: *default_triggering_rules
-  <<: *debian_sid_amd64_image
-  stage: precheck
+  tags:
+    - linux
+    - docker
+    - i386
 
 .build: &build_job
-  <<: *default_triggering_rules
   stage: build
   before_script:
     - test -w "${CCACHE_DIR}" && export PATH="/usr/lib/ccache:${PATH}"
+#    - ./autogen.sh
   script:
     - ./configure --enable-developer --with-libtool --disable-static --with-cmocka --prefix=$HOME/.local --without-make-clean $EXTRA_CONFIGURE || cat config.log
-    - make -j${BUILD_PARALLEL_JOBS:-1} -k all V=1
-    - test -z "${RUN_MAKE_INSTALL}" || make install
+    - make -j${PARALLEL_JOBS_BUILD:-1} -k all V=1
   artifacts:
+    paths:
+    - doc/
+    expire_in: '1 hour'
     untracked: true
-    expire_in: "1 hour"
+
+.install_test: &install_test_job
+  stage: test
+  before_script:
+    - mkdir $HOME/.local
+  script:
+    - make install
 
 .system_test: &system_test_job
-  <<: *default_triggering_rules
   stage: test
-  retry: 2
   before_script:
+    - rm -rf .ccache
     - bash -x bin/tests/system/ifconfig.sh up
     - bash -x util/prepare-softhsm2.sh
   script:
@@ -126,11 +142,10 @@ stages:
     - test -s bin/tests/system/systests.output
   artifacts:
     untracked: true
-    expire_in: "1 week"
+    expire_in: '1 week'
     when: on_failure
 
 .unit_test: &unit_test_job
-  <<: *default_triggering_rules
   stage: test
   before_script:
     - export KYUA_RESULT="$CI_PROJECT_DIR/kyua.results"
@@ -141,24 +156,17 @@ stages:
     - kyua report-html --force --results-file kyua.results --results-filter "" --output kyua_html
   artifacts:
     paths:
-      - kyua.log
-      - kyua.results
-      - kyua_html/
-    expire_in: "1 week"
+    - kyua.log
+    - kyua.results
+    - kyua_html/
+    expire_in: '1 week'
     when: on_failure
 
-### Job Definitions
-
-# Jobs in the precheck stage
-
-misc:sid:amd64:
-  <<: *precheck_job
+precheck:debian:sid:amd64:
+  <<: *debian_sid_amd64_image
+  stage: precheck
   script:
-    - sh util/check-ans-prereq.sh
     - sh util/checklibs.sh > checklibs.out
-    - sh util/tabify-changes < CHANGES > CHANGES.tmp
-    - diff -urNap CHANGES CHANGES.tmp
-    - rm CHANGES.tmp
     - perl util/check-changes CHANGES
     - perl -w util/merge_copyrights
     - diff -urNap util/copyrights util/newcopyrights
@@ -167,39 +175,27 @@ misc:sid:amd64:
     - if test "$(git status --porcelain | grep -Ev '\?\?' | wc -l)" -gt "0"; then git status --short; exit 1; fi
     - xmllint --noout --nonet `git ls-files '*.xml' '*.docbook'`
     - xmllint --noout --nonet --html `git ls-files '*.html'`
-    - sh util/check-win32util-configure
   artifacts:
     paths:
-      - util/newcopyrights
-      - checklibs.out
-    expire_in: "1 week"
+    - util/newcopyrights
+    - checklibs.out
+    expire_in: '1 week'
     when: on_failure
 
-🐞:sid:amd64:
-  <<: *precheck_job
-  script: util/check-cocci
-
-# Jobs for doc builds on Debian Sid (amd64)
-
-docs:sid:amd64:
+docs:debian:sid:amd64:
   <<: *debian_sid_amd64_image
-  stage: build
+  stage: test
+  dependencies:
+    - build:debian:sid:amd64
   script:
-    - ./configure || cat config.log
     - make -C doc/misc docbook
     - make -C doc/arm Bv9ARM.html
   artifacts:
     paths:
-      - doc/arm/
-    expire_in: "1 month"
-  only:
-    - merge_requests
-    - tags
-    - web
-    - master@isc-projects/bind9
-    - /^v9_[1-9][0-9]$/@isc-projects/bind9
+    - doc/arm/
+    expire_in: '1 month'
 
-push:docs:sid:amd64:
+push:docs:
   <<: *debian_sid_amd64_image
   stage: push
   dependencies: []
@@ -207,11 +203,33 @@ push:docs:sid:amd64:
     - curl -X POST -F token=$GITLAB_PAGES_DOCS_TRIGGER_TOKEN -F ref=master $GITLAB_PAGES_DOCS_TRIGGER_URL
   only:
     - master@isc-projects/bind9
-    - /^v9_[1-9][0-9]$/@isc-projects/bind9
+    - /^v9_.*$/@isc-projects/bind9
 
-# Jobs for regular GCC builds on CentOS 6 (amd64)
+#build:debian:jessie:amd64:
+#  <<: *debian_jessie_amd64_image
+#  <<: *build_job
+#
+#build:debian:jessie:i386:
+#  <<: *debian_jessie_i386_image
+#  <<: *build_job
+#
+#build:debian:stretch:amd64:
+#  <<: *debian_stretch_amd64_image
+#  <<: *build_job
+#
+#build:debian:buster:i386:
+#  <<: *debian_buster_i386_image
+#  <<: *build_job
+#
+#build:ubuntu:trusty:amd64:
+#  <<: *ubuntu_trusty_amd64_image
+#  <<: *build_job
+#
+#build:ubuntu:xenial:i386:
+#  <<: *ubuntu_xenial_i386_image
+#  <<: *build_job
 
-gcc:centos6:amd64:
+build:centos:centos6:amd64:
   variables:
     CC: gcc
     CFLAGS: "-Wall -Wextra -O2 -g"
@@ -219,21 +237,7 @@ gcc:centos6:amd64:
   <<: *centos_centos6_amd64_image
   <<: *build_job
 
-system:gcc:centos6:amd64:
-  <<: *centos_centos6_amd64_image
-  <<: *system_test_job
-  dependencies:
-    - gcc:centos6:amd64
-
-unit:gcc:centos6:amd64:
-  <<: *centos_centos6_amd64_image
-  <<: *unit_test_job
-  dependencies:
-    - gcc:centos6:amd64
-
-# Jobs for regular GCC builds on CentOS 7 (amd64)
-
-gcc:centos7:amd64:
+build:centos:centos7:amd64:
   variables:
     CC: gcc
     CFLAGS: "-Wall -Wextra -O2 -g"
@@ -241,174 +245,37 @@ gcc:centos7:amd64:
   <<: *centos_centos7_amd64_image
   <<: *build_job
 
-system:gcc:centos7:amd64:
-  <<: *centos_centos7_amd64_image
-  <<: *system_test_job
-  dependencies:
-    - gcc:centos7:amd64
+build:clang:debian:stretch:amd64:
+  variables:
+    CC: clang
+    CFLAGS: "-Wall -Wextra -Wenum-conversion -O2 -g"
+  <<: *debian_stretch_amd64_image
+  <<: *build_job
 
-unit:gcc:centos7:amd64:
-  <<: *centos_centos7_amd64_image
-  <<: *unit_test_job
-  dependencies:
-    - gcc:centos7:amd64
-
-# Jobs for regular GCC builds on Debian 8 Jessie (amd64)
-
-gcc:jessie:amd64:
+build:debian:jessie:amd64:
   variables:
     CC: gcc
     CFLAGS: "-Wall -Wextra -O2 -g"
-    EXTRA_CONFIGURE: "--without-cmocka --with-python"
+    EXTRA_CONFIGURE: --without-cmocka
   <<: *debian_jessie_amd64_image
   <<: *build_job
 
-system:gcc:jessie:amd64:
-  <<: *debian_jessie_amd64_image
-  <<: *system_test_job
-  dependencies:
-    - gcc:jessie:amd64
-
-unit:gcc:jessie:amd64:
-  <<: *debian_jessie_amd64_image
-  <<: *unit_test_job
-  dependencies:
-    - gcc:jessie:amd64
-
-# Jobs for regular GCC builds on Debian 9 Stretch (amd64)
-
-gcc:stretch:amd64:
+build:debian:stretch:amd64:
   variables:
     CC: gcc
     CFLAGS: "-Wall -Wextra -O2 -g"
   <<: *debian_stretch_amd64_image
   <<: *build_job
 
-system:gcc:stretch:amd64:
-  <<: *debian_stretch_amd64_image
-  <<: *system_test_job
-  dependencies:
-    - gcc:stretch:amd64
-
-unit:gcc:stretch:amd64:
-  <<: *debian_stretch_amd64_image
-  <<: *unit_test_job
-  dependencies:
-    - gcc:stretch:amd64
-
-# Jobs for regular GCC builds on Debian Sid (amd64)
-
-gcc:sid:amd64:
+build:debian:sid:amd64:
   variables:
     CC: gcc
     CFLAGS: "-Wall -Wextra -O2 -g"
     EXTRA_CONFIGURE: "--with-libidn2"
-    RUN_MAKE_INSTALL: 1
   <<: *debian_sid_amd64_image
   <<: *build_job
 
-system:gcc:sid:amd64:
-  <<: *debian_sid_amd64_image
-  <<: *system_test_job
-  dependencies:
-    - gcc:sid:amd64
-
-unit:gcc:sid:amd64:
-  <<: *debian_sid_amd64_image
-  <<: *unit_test_job
-  dependencies:
-    - gcc:sid:amd64
-
-# Jobs for regular GCC builds on Debian Sid (i386)
-
-gcc:sid:i386:
-  variables:
-    CC: gcc
-    CFLAGS: "-Wall -Wextra -O2 -g"
-    EXTRA_CONFIGURE: "--with-libidn2 --without-python"
-  <<: *debian_sid_i386_image
-  <<: *build_job
-
-system:gcc:sid:i386:
-  <<: *debian_sid_i386_image
-  <<: *system_test_job
-  dependencies:
-    - gcc:sid:i386
-
-unit:gcc:sid:i386:
-  <<: *debian_sid_i386_image
-  <<: *unit_test_job
-  dependencies:
-    - gcc:sid:i386
-
-# Jobs for regular GCC builds on Fedora 29 (amd64)
-
-gcc:fedora29:amd64:
-  variables:
-    CC: gcc
-    CFLAGS: "-Wall -Wextra -O2 -g"
-    EXTRA_CONFIGURE: "--with-libidn2"
-  <<: *fedora_29_amd64_image
-  <<: *build_job
-
-system:gcc:fedora29:amd64:
-  <<: *fedora_29_amd64_image
-  <<: *system_test_job
-  dependencies:
-    - gcc:fedora29:amd64
-
-unit:gcc:fedora29:amd64:
-  <<: *fedora_29_amd64_image
-  <<: *unit_test_job
-  dependencies:
-    - gcc:fedora29:amd64
-
-# Jobs for regular GCC builds on Ubuntu 16.04 Xenial Xerus (amd64)
-
-gcc:xenial:amd64:
-  variables:
-    CC: gcc
-    CFLAGS: "-Wall -Wextra -O2 -g"
-  <<: *ubuntu_xenial_amd64_image
-  <<: *build_job
-
-system:gcc:xenial:amd64:
-  <<: *ubuntu_xenial_amd64_image
-  <<: *system_test_job
-  dependencies:
-    - gcc:xenial:amd64
-
-unit:gcc:xenial:amd64:
-  <<: *ubuntu_xenial_amd64_image
-  <<: *unit_test_job
-  dependencies:
-    - gcc:xenial:amd64
-
-# Jobs for regular GCC builds on Ubuntu 18.04 Bionic Beaver (amd64)
-
-gcc:bionic:amd64:
-  variables:
-    CC: gcc
-    CFLAGS: "-Wall -Wextra -O2 -g"
-    EXTRA_CONFIGURE: "--with-libidn2"
-  <<: *ubuntu_bionic_amd64_image
-  <<: *build_job
-
-system:gcc:bionic:amd64:
-  <<: *ubuntu_bionic_amd64_image
-  <<: *system_test_job
-  dependencies:
-    - gcc:bionic:amd64
-
-unit:gcc:bionic:amd64:
-  <<: *ubuntu_bionic_amd64_image
-  <<: *unit_test_job
-  dependencies:
-    - gcc:bionic:amd64
-
-# Jobs for GCC builds with ASAN enabled on Debian Sid (amd64)
-
-asan:sid:amd64:
+build:asan:debian:sid:amd64:
   variables:
     CC: gcc
     CFLAGS: "-Wall -Wextra -O2 -g -fsanitize=address,undefined -DISC_MEM_USE_INTERNAL_MALLOC=0"
@@ -417,47 +284,118 @@ asan:sid:amd64:
   <<: *debian_sid_amd64_image
   <<: *build_job
 
-system:asan:sid:amd64:
-  <<: *debian_sid_amd64_image
-  <<: *system_test_job
-  dependencies:
-    - asan:sid:amd64
-
-unit:asan:sid:amd64:
-  <<: *debian_sid_amd64_image
-  <<: *unit_test_job
-  dependencies:
-    - asan:sid:amd64
-
-# Jobs for Clang builds on Debian Stretch (amd64)
-
-clang:stretch:amd64:
+build:clang:debian:stretch:i386:
   variables:
     CC: clang
     CFLAGS: "-Wall -Wextra -Wenum-conversion -O2 -g"
-    EXTRA_CONFIGURE: "--with-python=python3"
-  <<: *debian_stretch_amd64_image
-  <<: *build_job
-
-unit:clang:stretch:amd64:
-  <<: *debian_stretch_amd64_image
-  <<: *unit_test_job
-  dependencies:
-    - clang:stretch:amd64
-
-# Jobs for Clang builds on Debian Stretch (i386)
-
-clang:stretch:i386:
-  variables:
-    CC: clang
-    CFLAGS: "-Wall -Wextra -Wenum-conversion -O2 -g"
-    EXTRA_CONFIGURE: "--with-python=python2"
   <<: *debian_stretch_i386_image
   <<: *build_job
 
-# Jobs for PKCS#11-enabled GCC builds on Debian Sid (amd64)
+build:debian:sid:i386:
+  variables:
+    CC: gcc
+    CFLAGS: "-Wall -Wextra -O2 -g"
+    EXTRA_CONFIGURE: "--with-libidn2"
+  <<: *debian_sid_i386_image
+  <<: *build_job
 
-pkcs11:sid:amd64:
+unittest:centos:centos6:amd64:
+  <<: *centos_centos6_amd64_image
+  <<: *unit_test_job
+  dependencies:
+    - build:centos:centos6:amd64
+
+unittest:centos:centos7:amd64:
+  <<: *centos_centos7_amd64_image
+  <<: *unit_test_job
+  dependencies:
+    - build:centos:centos7:amd64
+
+unittest:debian:jessie:amd64:
+  <<: *debian_jessie_amd64_image
+  <<: *unit_test_job
+  dependencies:
+    - build:debian:jessie:amd64
+
+unittest:debian:stretch:amd64:
+  <<: *debian_stretch_amd64_image
+  <<: *unit_test_job
+  dependencies:
+    - build:debian:stretch:amd64
+
+unittest:debian:sid:amd64:
+  <<: *debian_sid_amd64_image
+  <<: *unit_test_job
+  dependencies:
+    - build:debian:sid:amd64
+
+unittest:asan:debian:sid:amd64:
+  <<: *debian_sid_amd64_image
+  <<: *unit_test_job
+  dependencies:
+    - build:asan:debian:sid:amd64
+
+unittest:clang:debian:stretch:amd64:
+  <<: *debian_stretch_amd64_image
+  <<: *unit_test_job
+  dependencies:
+    - build:clang:debian:stretch:amd64
+
+unittest:debian:sid:i386:
+  <<: *debian_sid_i386_image
+  <<: *unit_test_job
+  dependencies:
+    - build:debian:sid:i386
+
+systemtest:centos:centos6:amd64:
+  <<: *centos_centos6_amd64_image
+  <<: *system_test_job
+  dependencies:
+    - build:centos:centos6:amd64
+
+systemtest:centos:centos7:amd64:
+  <<: *centos_centos7_amd64_image
+  <<: *system_test_job
+  dependencies:
+    - build:centos:centos7:amd64
+
+systemtest:debian:jessie:amd64:
+  <<: *debian_jessie_amd64_image
+  <<: *system_test_job
+  dependencies:
+    - build:debian:jessie:amd64
+
+systemtest:debian:stretch:amd64:
+  <<: *debian_stretch_amd64_image
+  <<: *system_test_job
+  dependencies:
+    - build:debian:stretch:amd64
+
+systemtest:debian:sid:amd64:
+  <<: *debian_sid_amd64_image
+  <<: *system_test_job
+  dependencies:
+    - build:debian:sid:amd64
+
+systemtest:asan:debian:sid:amd64:
+  <<: *debian_sid_amd64_image
+  <<: *system_test_job
+  dependencies:
+    - build:asan:debian:sid:amd64
+
+systemtest:debian:sid:i386:
+  <<: *debian_sid_i386_image
+  <<: *system_test_job
+  dependencies:
+    - build:debian:sid:i386
+
+install:debian:sid:amd64:
+  <<: *debian_sid_amd64_image
+  <<: *install_test_job
+  dependencies:
+    - build:debian:sid:amd64
+
+pkcs11:build:debian:sid:amd64:
   variables:
     CC: gcc
     CFLAGS: "-Wall -Wextra -O2 -g"
@@ -465,14 +403,34 @@ pkcs11:sid:amd64:
   <<: *debian_sid_amd64_image
   <<: *build_job
 
-system:pkcs11:sid:amd64:
-  <<: *debian_sid_amd64_image
-  <<: *system_test_job
-  dependencies:
-    - pkcs11:sid:amd64
-
-unit:pkcs11:sid:amd64:
+pkcs11:unittest:debian:sid:amd64:
   <<: *debian_sid_amd64_image
   <<: *unit_test_job
   dependencies:
-    - pkcs11:sid:amd64
+    - pkcs11:build:debian:sid:amd64
+
+pkcs11:systemtest:debian:sid:amd64:
+  <<: *debian_sid_amd64_image
+  <<: *system_test_job
+  dependencies:
+    - pkcs11:build:debian:sid:amd64
+
+noassert:build:debian:sid:amd64:
+  variables:
+    CC: gcc
+    CFLAGS: "-Wall -Wextra -O2 -g -DISC_CHECK_NONE=1"
+    EXTRA_CONFIGURE: "--with-libidn2"
+  <<: *debian_sid_amd64_image
+  <<: *build_job
+
+noassert:unittest:debian:sid:amd64:
+  <<: *debian_sid_amd64_image
+  <<: *unit_test_job
+  dependencies:
+    - noassert:build:debian:sid:amd64
+
+noassert:systemtest:debian:sid:amd64:
+  <<: *debian_sid_amd64_image
+  <<: *system_test_job
+  dependencies:
+    - noassert:build:debian:sid:amd64

.gitlab/issue_templates/release.md

@@ -1,21 +1,19 @@
 ## Release Checklist
 
- - [ ] (Manager) Check for the presence of a milestone for the release:
+ - [ ] (Manager) Check for the presence of a milestone for the release.
     - If there is a milestone, are all the issues for the milestone resolved? (other than this checklist).
  - [ ] (Manager) Inform Support/Marketing of impending release (and give estimated release dates).
- - (SwEng) Prepare the sources for tarball generation:
-   - [ ] Check perflab to ensure there has been no unexplained drop in performance for the version being released.
+ - (SwEng) Prepare the sources for tarball generation.
    - [ ] Ensure that there are no outstanding merge requests in the private repository (subscription version only).
    - [ ] Update API files for libraries with new version information.
    - [ ] Change software version and library versions in configure.in (new major release only).
+   - [ ] Ensure Kyua and ATF files are correct.
    - [ ] Rebuild configure using autoconf on docs.isc.org.
    - [ ] Update CHANGES.
    - [ ] Update CHANGES.SE (subscription branch only).
    - [ ] Update "version".
    - [ ] Update "readme.md".
-   - Check the release notes are correct:
-     - [ ] Compare content with merge requests for the release.
-     - [ ] Check formatting.
+   - [ ] Ensure the release notes are correct for this release (content, formatting, etc.).
    - [ ] Build documentation on docs.isc.org.
    - [ ] Commit changes and make sure the gitlab-ci tests are passing.
    - [ ] Push the changes and tag ("alphatag" is an optional string such as "b1", "rc1" etc.). (```git tag -u <DEVELOPER_KEYID> -a -s -m "BIND 9.X.Y[alphatag]" v9_X_Y[alphatag]```)
@@ -26,19 +24,9 @@
  - [ ] (QA) Request the signature on the tarballs.
  - [ ] (QA) Check signatures on tarballs.
  - [ ] (QA) Tell Support to handle notification of release.
- - [ ] (Manager) Inform Marketing of the release
- - [ ] (Manager) Update the internal [BIND release dates wiki page](https://wiki.isc.org/bin/view/Main/BindReleaseDates) when public announcement has been made.
+ - [ ] (Support) Make tarballs and signatures available to download.
+ - [ ] (Manager) Update [https://wiki.isc.org/bin/view/Main/BindReleaseDates](BIND release dates page) when public announcement has been made.
+ - [ ] (Manager) Inform marketing of the release
 
  - [ ] (SwEng) Update DEB and RPM packages
  - [ ] (SwEng) Merge the automatically prepared `prep 9.X.Y` commit which updates `version` and documentation on the release branch into the relevant maintenance branch (`v9_X`)
-
-## Support
- - [ ] Make tarballs and signatures available to download.
- - [ ] Write release email to bind9-announce.
- - [ ] Write email to bind9-users (if a major release).
- - [ ] Update tickets in case of waiting support customers.
-
-## Marketing
- - [ ] Post short note to Twitter.
- - [ ] Update [Wikipedia entry for BIND](http://en.wikipedia.org/wiki/BIND).
- - [ ] Write blog article (if a major release).

CHANGES

@@ -1,453 +1,3 @@
-	--- 9.15.0 released ---
-
-5233.	[bug]		Negative trust anchors did not work with "forward only;"
-			to validating resolvers. [GL #997]
-
-5232.	[placeholder]
-
-5231.	[protocol]	Add support for displaying CLIENT-TAG and SERVER-TAG.
-			[GL #960]
-
-5230.	[protocol]	The SHA-1 hash algorithm is no longer used when
-			generating DS and CDS records. [GL #1015]
-
-5229.	[protocol]	Enforce known SSHFP fingerprint lengths. [GL #852]
-
-5228.	[func]		If trusted-keys and managed-keys were configured
-			simultaneously for the same name, the key could
-			not be be rolled automatically. This is now
-			a fatal configuration error. [GL #868]
-
-5227.	[placeholder]
-
-5226.	[placeholder]
-
-5225.	[func]		Allow dig to print out AAAA record fully expanded.
-			with +[no]expandaaaa. [GL #765]
-
-5224.	[bug]		Only test provide-ixfr on TCP streams. [GL #991]
-
-5223.	[bug]		Fixed a race in the filter-aaaa plugin accessing
-			the hash table. [GL #1005]
-
-5222.	[bug]		'delv -t ANY' could leak memory. [GL #983]
-
-5221.	[test]		Enable parallel execution of system tests on
-			Windows. [GL !4101]
-
-5220.	[cleanup]	Refactor the isc_stat structure to take advantage
-			of stdatomic. [GL !1493]
-
-5219.	[bug]		Fixed a race in the filter-aaaa plugin that could
-			trigger a crash when returning an instance object
-			to the memory pool. [GL #982]
-
-5218.	[bug]		Conditionally include <dlfcn.h>. [GL #995]
-
-5217.	[bug]		Restore key id calculation for RSAMD5. [GL #996]
-
-5216.	[bug]		Fetches-per-zone counter wasn't updated correctly
-			when doing qname minimization. [GL #992]
-
-5215.	[bug]		Change #5124 was incomplete; named could still
-			return FORMERR instead of SERVFAIL in some cases.
-			[GL #990]
-
-5214.	[bug]		win32: named now removes its lock file upon shutdown.
-			[GL #979]
-
-5213.	[bug]		win32: Eliminated a race which allowed named.exe running
-			as a service to be killed prematurely during shutdown.
-			[GL #978]
-
-5212.	[placeholder]
-
-5211.	[bug]		Allow out-of-zone additional data to be included
-			in authoritative responses if recursion is allowed
-			and "minimal-responses" is disabled.  This behavior
-			was inadvertently removed in change #4605. [GL #817]
-
-5210.	[bug]		When dnstap is enabled and recursion is not
-			available, incoming queries are now logged
-			as "auth". Previously, this depended on whether
-			recursion was requested by the client, not on
-			whether recursion was available. [GL #963]
-
-5209.	[bug]		When update-check-ksk is true, add_sigs was not
-			considering offline keys, leaving record sets signed
-			with the incorrect type key. [GL #763]
-
-5208.	[test]		Run valid rdata wire encodings through totext+fromtext
-			and tofmttext+fromtext methods to check these methods.
-			[GL #899]
-
-5207.	[test]		Check delv and dig TTL values. [GL #965]
-
-5206.	[bug]		Delv could print out bad TTLs. [GL #965]
-
-5205.	[bug]		Enforce that a DS hash exists. [GL #899]
-
-5204.	[test]		Check that dns_rdata_fromtext() produces a record that
-			will be accepted by dns_rdata_fromwire(). [GL #852]
-
-5203.	[bug]		Enforce whether key rdata exists or not in KEY,
-			DNSKEY, CDNSKEY and RKEY. [GL #899]
-
-5202.	[bug]		<dns/ecs.h> was missing ISC_LANG_ENDDECLS. [GL #976]
-
-5201.	[bug]		Fix a possible deadlock in RPZ update code. [GL #973]
-
-5200.	[security]	tcp-clients settings could be exceeded in some cases,
-			which could lead to exhaustion of file descriptors.
-			(CVE-2018-5743) [GL #615]
-
-5199.	[security]	In certain configurations, named could crash
-			if nxdomain-redirect was in use and a redirected
-			query resulted in an NXDOMAIN from the cache.
-			(CVE-2019-6467) [GL #880]
-
-5198.	[bug]		If a fetch context was being shut down and, at the same
-			time, we returned from qname minimization, an INSIST
-			could be hit. [GL #966]
-
-5197.	[bug]		dig could die in best effort mode on multiple SIG(0)
-			records. Similarly on multiple OPT and multiple TSIG
-			records. [GL #920]
-
-5196.	[bug]		make install failed with --with-dlopen=no. [GL #955]
-
-5195.	[bug]		"allow-update" and "allow-update-forwarding" were
-			treated as configuration errors if used at the
-			options or view level. [GL #913]
-
-5194.	[bug]		Enforce non empty ZOMEMD hash. [GL #899]
-
-5193.	[bug]		EID and NIMLOC failed to do multi-line output
-			correctly. [GL #899]
-
-5192.	[placeholder]
-
-5191.	[placeholder]
-
-5190.	[bug]		Ignore trust anchors using disabled algorithms.
-			[GL #806]
-
-5189.	[cleanup]	Remove revoked root DNSKEY from bind.keys. [GL #945]
-
-5188.	[func]		The "dnssec-enable" option is deprecated and no
-			longer has any effect; DNSSEC responses are
-			always enabled. [GL #866]
-
-5187.	[test]		Set time zone before running any tests in dnstap_test.
-			[GL #940]
-
-5186.	[cleanup]	More dnssec-keygen manual tidying. [GL !1678]
-
-5185.	[placeholder]
-
-5184.	[bug]		Missing unlocks in sdlz.c. [GL #936]
-
-5183.	[bug]		Reinitialize ECS data before reusing client
-			structures. [GL #881]
-
-5182.	[bug]		Fix a high-load race/crash in handling of
-			isc_socket_close() in resolver. [GL #834]
-
-5181.	[func]		Add a mechanism for a DLZ module to signal that
-			the view's allow-transfer ACL should be used to
-			determine whether transfers are allowed. [GL #803]
-
-5180.	[bug]		delv now honors the operating system's preferred
-			ephemeral port range. [GL #925]
-
-5179.	[cleanup]	Replace some vague type declarations with the more
-			specific dns_secalg_t and dns_dsdigest_t.
-			Thanks to Tony Finch. [GL !1498]
-
-5178.	[bug]		Handle EDQUOT (disk quota) and ENOSPC (disk full)
-			errors when writing files. [GL #902]
-
-5177.	[func]		Add the ability to specify in named.conf whether a
-			response-policy zone's SOA record should be added
-			to the additional section (add-soa yes/no). [GL #865]
-
-5176.	[tests]		Remove a dependency on libxml in statschannel system
-			test. [GL #926]
-
-5175.	[bug]		Fixed a problem with file input in dnssec-keymgr,
-			dnssec-coverage and dnssec-checkds when using
-			python3. [GL #882]
-
-5174.	[doc]		Tidy dnssec-keygen manual. [GL !1557]
-
-5173.	[bug]		Fixed a race in socket code that could occur when
-			accept, send, or recv were called from an event
-			loop but the socket had been closed by another
-			thread. [RT #874]
-
-5172.	[bug]		nsupdate now honors the operating system's preferred
-			ephemeral port range. [GL #905]
-
-5171.	[func]		named plugins are now installed into a separate
-			directory.  Supplying a filename (a string without path
-			separators) in a "plugin" configuration stanza now
-			causes named to look for that plugin in that directory.
-			[GL #878]
-
-5170.	[test]		Added --with-dlz-filesystem to feature-test. [GL !1587]
-
-5169.	[bug]		The presence of certain types in an otherwise
-			empty node could cause a crash while processing a
-			type ANY query. [GL #901]
-
-5168.	[bug]		Do not crash on shutdown when RPZ fails to load.  Also,
-			keep previous version of the database if RPZ fails to
-			load. [GL #813]
-
-5167.	[bug]		nxdomain-redirect could sometimes lookup the wrong
-			redirect name. [GL #892]
-
-5166.	[placeholder]
-
-5165.	[contrib]	Removed SDB drivers from contrib; they're obsolete.
-			[GL #428]
-
-5164.	[bug]		Correct errno to result translation in dlz filesystem
-			modules. [GL #884]
-
-5163.	[cleanup]	Out-of-tree builds failed --enable-dnstap. [GL #836]
-
-5162.	[cleanup]	Improve dnssec-keymgr manual. Thanks to Tony Finch.
-			[GL !1518]
-
-5161.	[bug]		Do not require the SEP bit to be set for mirror zone
-			trust anchors. [GL #873]
-
-5160.	[contrib]	Added DNAME support to the DLZ LDAP schema. Also
-			fixed a compilation bug affecting several DLZ
-			modules. [GL #872]
-
-5159.	[bug]		dnssec-coverage was incorrectly ignoring
-			names specified on the command line without
-			trailing dots. [GL !1478]
-
-5158.	[protocol]	Add support for AMTRELAY and ZONEMD. [GL #867]
-
-5157.	[bug]		Nslookup now errors out if there are extra command
-			line arguments. [GL #207]
-
-5156.	[doc]		Extended and refined the section of the ARM describing
-			mirror zones. [GL #774]
-
-5155.	[func]		"named -V" now outputs the default paths to
-			named.conf, rndc.conf, bind.keys, and other
-			files used or created by named and other tools, so
-			that the correct paths to these files can quickly be
-			determined regardless of the configure settings
-			used when BIND was built. [GL #859]
-
-5154.	[bug]		dig: process_opt could be called twice on the same
-			message leading to a assertion failure. [GL #860]
-
-5153.	[func]		Zone transfer statistics (size, number of records, and
-			number of messages) are now logged for outgoing
-			transfers as well as incoming ones. [GL #513]
-
-5152.	[func]		Improved logging of DNSSEC key events:
-			- Zone signing and DNSKEY maintenance events are
-			  now logged to the "dnssec" category
-			- Messages are now logged when DNSSEC keys are
-			  published, activated, inactivated, deleted,
-			  or revoked.
-			[GL #714]
-
-5151.	[func]		Options that have been been marked as obsolete in
-			named.conf for a very long time are now fatal
-			configuration errors. [GL #358]
-
-5150.	[cleanup]	Remove the ability to compile BIND with assertions
-			disabled. [GL #735]
-
-5149.	[func]		"rndc dumpdb" now prints a line above a stale RRset
-			indicating how long the data will be retained in the
-			cache for emergency use. [GL #101]
-
-5148.	[bug]		named did not sign the TKEY response. [GL #821]
-
-5147.	[bug]		dnssec-keymgr: Add a five-minute margin to better
-			handle key events close to 'now'. [GL #848]
-
-5146.	[placeholder]
-
-5145.	[func]		Use atomics instead of locked variables for isc_quota
-			and isc_counter. [GL !1389]
-
-5144.	[bug]		dig now returns a non-zero exit code when a TCP
-			connection is prematurely closed by a peer more than
-			once for the same lookup.  [GL #820]
-
-5143.	[bug]		dnssec-keymgr and dnssec-coverage failed to find
-			key files for zone names ending in ".". [GL #560]
-
-5142.	[cleanup]	Removed "configure --disable-rpz-nsip" and
-			"--disable-rpz-nsdname" options. "nsip-enable"
-			and "nsdname-enable" both now default to yes,
-			regardless of compile-time settings. [GL #824]
-
-5141.	[security]	Zone transfer controls for writable DLZ zones were
-			not effective as the allowzonexfr method was not being
-			called for such zones. (CVE-2019-6465) [GL #790]
-
-5140.	[bug]		Don't immediately mark existing keys as inactive and
-			deleted when running dnssec-keymgr for the first
-			time. [GL #117]
-
-5139.	[bug]		If possible, don't use forwarders when priming.
-			This ensures we can get root server IP addresses
-			from priming query response glue, which may not
-			be present if the forwarding server is returning
-			minimal responses. [GL #752]
-
-5138.	[bug]		Under some circumstances named could hit an assertion
-			failure when doing qname minimization when using
-			forwarders. [GL #797]
-
-5137.	[func]		named now logs messages whenever a mirror zone becomes
-			usable or unusable for resolution purposes. [GL #818]
-
-5136.	[cleanup]	Check in named-checkconf that allow-update and
-			allow-update-forwarding are not set at the
-			view/options level; fix documentation. [GL #512]
-
-5135.	[port]		sparc: Use smt_pause() instead of pause. [GL #816]
-
-5134.	[bug]		win32: WSAStartup was not called before getservbyname
-			was called. [GL #590]
-
-5133.	[bug]		'rndc managed-keys' didn't handle class and view
-			correctly and failed to add new lines between each
-			view. [GL !1327]
-
-5132.	[bug]		Fix race condition in cleanup part of dns_dt_create().
-			[GL !1323]
-
-5131.	[cleanup]	Address Coverity warnings. [GL #801]
-
-5130.	[cleanup]	Remove support for l10n message catalogs. [GL #709]
-
-5129.	[contrib]	sdlz_helper.c:build_querylist was not properly
-			splitting the query string. [GL #798]
-
-5128.	[bug]		Refreshkeytime was not being updated for managed
-			keys zones. [GL #784]
-
-5127.	[bug]		rcode.c:maybe_numeric failed to handle NUL in text
-			regions. [GL #807]
-
-5126.	[bug]		Named incorrectly accepted empty base64 and hex encoded
-			fields when reading master files. [GL #807]
-
-5125.	[bug]		Allow for up to 100 records or 64k of data when caching
-			a negative response. [GL #804]
-
-5124.	[bug]		Named could incorrectly return FORMERR rather than
-			SERVFAIL. [GL #804]
-
-5123.	[bug]		dig could hang indefinitely after encountering an error
-			before creating a TCP socket. [GL #692]
-
-5122.	[bug]		In a "forward first;" configuration, a forwarder
-			timeout did not prevent that forwarder from being
-			queried again after falling back to full recursive
-			resolution. [GL #315]
-
-5121.	[contrib]	dlz_stub_driver.c fails to return ISC_R_NOTFOUND on none
-			matching zone names. [GL !1299]
-
-5120.	[placeholder]
-
-5119.	[placeholder]
-
-5118.	[security]	Named could crash if it is managing a key with
-			`managed-keys` and the authoritative zone is rolling
-			the key to an unsupported algorithm. (CVE-2018-5745)
-			[GL #780]
-
-5117.	[placeholder]
-
-5116.	[bug]		Named/named-checkconf triggered a assertion when
-			a mirror zone's name is bad. [GL #778]
-
-5115.	[bug]		Allow unsupported algorithms in zone when not used for
-			signing with dnssec-signzone. [GL #783]
-
-5114.	[func]		Include a 'reconfig/reload in progress' status line
-			in rndc status, use it in tests.
-
-5113.	[port]		Fixed a Windows build error.
-
-5112.	[bug]		Named/named-checkconf could dump core if there was
-			a missing masters clause and a bad notify clause.
-			[GL #779]
-
-5111.	[bug]		Occluded DNSKEY records could make it into the
-			delegating NSEC/NSEC3 bitmap. [GL #742]
-
-5110.	[security]	Named leaked memory if there were multiple Key Tag
-			EDNS options present. (CVE-2018-5744) [GL #772]
-
-5109.	[cleanup]	Remove support for RSAMD5 algorithm. [GL #628]
-
-	--- 9.13.5 released ---
-
-5108.	[bug]		Named could fail to determine bottom of zone when
-			removing out of date keys leading to invalid NSEC
-			and NSEC3 records being added to the zone. [GL #771]
-
-5107.	[bug]		'host -U' did not work. [GL #769]
-
-5106.	[experimental]	A new "plugin" mechanism has been added to allow
-			extension of query processing functionality through
-			the use of dynamically loadable libraries. A
-			"filter-aaaa.so" plugin has been implemented,
-			replacing the filter-aaaa feature that was formerly
-			implemented as a native part of BIND.
-
-			The "filter-aaaa", "filter-aaaa-on-v4" and
-			"filter-aaaa-on-v6" options can no longer be
-			configured using native named.conf syntax. However,
-			loading the filter-aaaa.so plugin and setting its
-			parameters provides identical functionality.
-
-			Note that the plugin API is a work in progress and
-			is likely to evolve as further plugins are
-			implemented. [GL #15]
-
-5105.	[bug]		Fix a race between process_fd and socketclose in
-			unix socket code. [GL #744]
-
-5104.	[cleanup]	Log clearer informational message when a catz zone
-			is overridden by a zone in named.conf.
-			Thanks to Tony Finch. [GL !1157]
-
-5103.	[bug]		Add missing design by contract tests to dns_catz*.
-			[GL #748]
-
-5102.	[bug]		dnssec-coverage failed to use the default TTL when
-			checking KSK deletion times leading to a exception.
-			[GL #585]
-
-5101.	[bug]		Fix default installation path for Python modules and
-			remove the dnspython dependency accidentally introduced
-			by change 4970. [GL #730]
-
-5100.	[func]		Pin resolver tasks to specific task queues. [GL !1117]
-
-5099.	[func]		Failed mutex and conditional creations are always
-			fatal. [GL #674]
-
-	--- 9.13.4 released ---
-
 5098.	[func]		Failed memory allocations are now fatal. [GL #674]
 
 5097.	[cleanup]	Remove embedded ATF unit testing framework
@@ -474,8 +24,8 @@
 5091.	[func]		Two new global and per-view options min-cache-ttl
 			and min-ncache-ttl [GL #613]
 
-5090.	[bug]		dig and mdig failed to properly pre-parse dash value
-			pairs when value was a separate argument and started
+5090.	[bug]		dig and mdig failed to properly preparse dash value
+			pairs when value was a seperate argument and started
 			with a dash. [GL #584]
 
 5089.	[bug]		Restore localhost fallback in dig and host which is
@@ -541,7 +91,7 @@
 5072.	[bug]		Add unit tests for isc_buffer_copyregion() and fix its
 			behavior for auto-reallocated buffers. [GL #644]
 
-5071.	[bug]		Comparison of NXT records was broken. [GL #631]
+5071.	[bug]		Comparision of NXT records was broken. [GL #631]
 
 5070.	[bug]		Record types which support a empty rdata field were
 			not handling the empty rdata field case. [GL #638]
@@ -560,7 +110,7 @@
 
 5065.	[bug]		Only set IPV6_USE_MIN_MTU on IPv6. [GL #553]
 
-5064.	[test]		Initialize TZ environment variable before calling
+5064.	[test]		Initalize TZ environment variable before calling
 			dns_test_begin in dnstap_test. [GL #624]
 
 5063.	[test]		In statschannel test try a few times before failing
@@ -786,7 +336,7 @@
 5001.	[bug]		Fix refcount errors on error paths. [GL !563]
 
 5000.	[bug]		named_server_servestale() could leave the server in
-			exclusive mode if an error occurred. [GL #441]
+			exclusive mode if an error occured. [GL #441]
 
 4999.	[cleanup]	Remove custom printf implementation in lib/isc/print.c.
 			[GL #261]

COPYRIGHT

@@ -1,4 +1,4 @@
-Copyright (C) 1996-2019  Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 1996-2018  Internet Systems Consortium, Inc. ("ISC")
 
 This Source Code Form is subject to the terms of the Mozilla Public
 License, v. 2.0. If a copy of the MPL was not distributed with this

HISTORY

@@ -1,79 +1,5 @@
 Functional enhancements from prior major releases of BIND 9
 
-BIND 9.14
-
-BIND 9.14 (a stable branch based on the 9.13 development branch) includes
-a number of changes from BIND 9.12 and earlier releases. New features
-include:
-
-  * A new "plugin" mechanism has been added to allow query functionality
-    to be extended using dynamically loadable libraries. The "filter-aaaa"
-    feature has been removed from named and is now implemented as a
-    plugin.
-  * Socket and task code has been refactored to improve performance.
-  * QNAME minimization, as described in RFC 7816, is now supported.
-  * "Root key sentinel" support, enabling validating resolvers to indicate
-    via a special query which trust anchors are configured for the root
-    zone.
-  * Secondary zones can now be configured as "mirror" zones; their
-    contents are transferred in as with traditional slave zones, but are
-    subject to DNSSEC validation and are not treated as authoritative data
-    when answering. This makes it easier to configure a local copy of the
-    root zone as described in RFC 7706.
-  * The "validate-except" option allows configuration of domains below
-    which DNSSEC validation should not be performed.
-  * The default value of "dnssec-validation" is now "auto".
-  * IDNA2008 is now supported when linking with libidn2.
-  * "named -V" now outputs the default paths for files used by named and
-    other tools.
-
-In addition, workarounds that were formerly in place to enable resolution
-of domains whose authoritative servers did not respond to EDNS queries
-have been removed. See https://dnsflagday.net for more details.
-
-Cryptographic support has been modernized. BIND now uses the best
-available pseudo-random number generator for the platform on which it's
-built. Very old versions of OpenSSL are no longer supported. Cryptography
-is now mandatory: building BIND without DNSSEC is no longer supported.
-
-Special code to support certain legacy operating systems has also been
-removed; see the file PLATFORMS.md for details of supported platforms. In
-addition to OpenSSL, BIND now requires support for IPv6, threads, and
-standard atomic operations provided by the C compiler.
-
-BIND 9.12
-
-BIND 9.12 includes a number of changes from BIND 9.11 and earlier
-releases. New features include:
-
-  * named and related libraries have been substantially refactored for
-    improved query performance -- particularly on delegation heavy zones
-    -- and for improved readability, maintainability, and testability.
-  * Code implementing the name server query processing logic has been
-    moved into a new libns library, for easier testing and use in tools
-    other than named.
-  * Cached, validated NSEC and other records can now be used to synthesize
-    NXDOMAIN responses.
-  * The DNS Response Policy Service API (DNSRPS) is now supported.
-  * Setting 'max-journal-size default' now limits the size of journal
-    files to twice the size of the zone.
-  * dnstap-read -x prints a hex dump of the wire format of each logged DNS
-    message.
-  * dnstap output files can now be configured to roll automatically when
-    reaching a given size.
-  * Log file timestamps can now also be formatted in ISO 8601 (local) or
-    ISO 8601 (UTC) formats.
-  * Logging channels and dnstap output files can now be configured to use
-    a timestamp as the suffix when rolling to a new file.
-  * 'named-checkconf -l' lists zones found in named.conf.
-  * Added support for the EDNS Padding and Keepalive options.
-  * 'new-zones-directory' option sets the location where the configuration
-    data for zones added by rndc addzone is stored.
-  * The default key algorithm in rndc-confgen is now hmac-sha256.
-  * filter-aaaa-on-v4 and filter-aaaa-on-v6 options are now available by
-    default without a configure option.
-  * The obsolete isc-hmac-fixup command has been removed.
-
 BIND 9.11
 
 BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier

HISTORY.md

@@ -10,81 +10,6 @@
 -->
 ### Functional enhancements from prior major releases of BIND 9
 
-#### BIND 9.14
-
-BIND 9.14 (a stable branch based on the 9.13 development branch)
-includes a number of changes from BIND 9.12 and earlier releases.
-New features include:
-
-* A new "plugin" mechanism has been added to allow query functionality
-  to be extended using dynamically loadable libraries. The "filter-aaaa"
-  feature has been removed from named and is now implemented as a plugin.
-* Socket and task code has been refactored to improve performance.
-* QNAME minimization, as described in RFC 7816, is now supported.
-* "Root key sentinel" support, enabling validating resolvers to indicate
-  via a special query which trust anchors are configured for the root zone.
-* Secondary zones can now be configured as "mirror" zones; their contents
-  are transferred in as with traditional slave zones, but are subject to
-  DNSSEC validation and are not treated as authoritative data when
-  answering. This makes it easier to configure a local copy of the root
-  zone as described in RFC 7706.
-* The "validate-except" option allows configuration of domains below which
-  DNSSEC validation should not be performed.
-* The default value of "dnssec-validation" is now "auto".
-* IDNA2008 is now supported when linking with `libidn2`.
-* "named -V" now outputs the default paths for files used by named
-  and other tools.
-
-In addition, workarounds that were formerly in place to enable resolution
-of domains whose authoritative servers did not respond to EDNS queries
-have been removed. See [https://dnsflagday.net](https://dnsflagday.net)
-for more details.
-
-Cryptographic support has been modernized. BIND now uses the
-best available pseudo-random number generator for the platform on which
-it's built. Very old versions of OpenSSL are no longer supported.
-Cryptography is now mandatory: building BIND without DNSSEC is no
-longer supported.
-
-Special code to support certain legacy operating systems has also
-been removed; see the file [PLATFORMS.md](PLATFORMS.md) for details
-of supported platforms. In addition to OpenSSL, BIND now requires
-support for IPv6, threads, and standard atomic operations provided
-by the C compiler.
-
-#### BIND 9.12
-
-BIND 9.12 includes a number of changes from BIND 9.11 and earlier releases.
-New features include:
-
-* `named` and related libraries have been substantially refactored for
-  improved query performance -- particularly on delegation heavy zones --
-  and for improved readability, maintainability, and testability.
-* Code implementing the name server query processing logic has been moved
-  into a new `libns` library, for easier testing and use in tools other
-  than `named`.
-* Cached, validated NSEC and other records can now be used to synthesize
-  NXDOMAIN responses.
-* The DNS Response Policy Service API (DNSRPS) is now supported.
-* Setting `'max-journal-size default'` now limits the size of journal files
-  to twice the size of the zone.
-* `dnstap-read -x` prints a hex dump of the wire format of each logged
-  DNS message.
-* `dnstap` output files can now be configured to roll automatically when
-  reaching a given size.
-* Log file timestamps can now also be formatted in ISO 8601 (local) or ISO
-  8601 (UTC) formats.
-* Logging channels and `dnstap` output files can now be configured to use a
-  timestamp as the suffix when rolling to a new file.
-* `'named-checkconf -l'` lists zones found in `named.conf`.
-* Added support for the EDNS Padding and Keepalive options.
-* 'new-zones-directory' option sets the location where the configuration
-  data for zones added by rndc addzone is stored.
-* The default key algorithm in `rndc-confgen` is now hmac-sha256.
-* `filter-aaaa-on-v4` and `filter-aaaa-on-v6` options are now available
-  by default without a configure option.
-* The obsolete `isc-hmac-fixup` command has been removed.
-
 #### BIND 9.11
 
 BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier

PLATFORMS

@@ -13,86 +13,49 @@ offer support on a "best effort" basis for some.
 
 Regularly tested platforms
 
-As of Feb 2019, BIND 9.15 is fully supported and regularly tested on the
-following systems:
+As of May 2018, BIND 9.13 is tested on the following systems:
 
-  * Debian 8, 9, 10
+  * Debian 8, 9
   * Ubuntu 16.04, 18.04
-  * Fedora 28, 29
-  * Red Hat Enterprise Linux / CentOS 6, 7
-  * FreeBSD 11.x
-  * OpenBSD 6.2, 6.3
+  * Fedora 27, 28
+  * Red Hat/CentOS 6, 7
+  * FreeBSD 10.x, 11.x
+  * OpenBSD 6.3
 
 The amd64, i386, armhf and arm64 CPU architectures are all fully
 supported.
 
 Best effort
 
-The following are platforms on which BIND is known to build and run. ISC
-makes every effort to fix bugs on these platforms, but may be unable to do
-so quickly due to lack of hardware, less familiarity on the part of
-engineering staff, and other constraints. With the exception of Windows
-Server 2012 R2, none of these are tested regularly by ISC.
+The following are platforms on which BIND is known to build and run, but
+on which it is not routinely tested. ISC makes every effort to fix bugs on
+these platforms, but may be unable to do so quickly due to lack of
+hardware, less familiarity on the part of engineering staff, and other
+constraints.
 
-  * Windows Server 2012 R2, 2016 / x64
   * Windows 10 / x64
+  * Windows Server 2012 R2, 2016 / x64
   * macOS 10.12+
-  * Solaris 11
-  * FreeBSD 10.x, 12.0+
-  * OpenBSD 6.4+
+  * Solaris 10
+  * FreeBSD 12+
+  * OpenBSD 6.2
   * NetBSD
-  * Other Linux distributions still supported by their vendors, such as:
+  * Older or less popular Linux distributions still supported by their
+    vendors, such as:
       + Ubuntu 14.04, 18.10+
       + Gentoo
-      + Arch Linux
+      + ArchLinux
       + Alpine Linux
-  * OpenWRT/LEDE 17.01+
+  * OpenWRT/LEDE 17.0
   * Other CPU architectures (mips, mipsel, sparc, ...)
 
 Unsupported platforms
 
-These are platforms on which BIND 9.15 is known not to build or run:
+These are platforms on which BIND is known not to build or run:
 
   * Platforms without at least OpenSSL 1.0.2
   * Windows 10 / x86
   * Windows Server 2012 and older
-  * Solaris 10 and older
   * Platforms that don't support IPv6 Advanced Socket API (RFC 3542)
   * Platforms that don't support atomic operations (via compiler or
     library)
-  * Linux without NPTL (Native POSIX Thread Library)
-
-Platform quirks
-
-ARM
-
-If the compilation ends with following error:
-
-Error: selected processor does not support `yield' in ARM mode
-
-You will need to set -march compiler option to native, so the compiler
-recognizes yield assembler instruction. The proper way to set -march=
-native would be to put it into CFLAGS, e.g. run ./configure like this:
-CFLAGS="-march=native -Os -g" ./configure plus your usual options.
-
-If that doesn't work, you can enforce the minimum CPU and FPU (taken from
-Debian armhf documentation):
-
-  * The lowest worthwhile CPU implementation is Armv7-A, therefore the
-    recommended build option is -march=armv7-a.
-
-  * FPU should be set at VFPv3-D16 as they represent the minimum
-    specification of the processors to support here, therefore the
-    recommended build option is -mfpu=vfpv3-d16.
-
-The configure command should look like this:
-
-CFLAGS="-march=armv7-a -mfpu=vfpv3-d16 -Os -g" ./configure
-
-NetBSD 6 i386
-
-The i386 build of NetBSD requires the libatomic library, available from
-the gcc5-libs package. Because this library is in a non-standard path, its
-location must be specified in the configure command line:
-
-LDFLAGS="-L/usr/pkg/gcc5/i486--netbsdelf/lib/ -Wl,-R/usr/pkg/gcc5/i486--netbsdelf/lib/" ./configure

PLATFORMS.md

@@ -23,49 +23,47 @@ offer support on a "best effort" basis for some.
 
 ### Regularly tested platforms
 
-As of Feb 2019, BIND 9.15 is fully supported and regularly tested on the
-following systems:
+As of May 2018, BIND 9.13 is tested on the following systems:
 
-* Debian 8, 9, 10
+* Debian 8, 9
 * Ubuntu 16.04, 18.04
-* Fedora 28, 29
-* Red Hat Enterprise Linux / CentOS 6, 7
-* FreeBSD 11.x
-* OpenBSD 6.2, 6.3
+* Fedora 27, 28
+* Red Hat/CentOS 6, 7
+* FreeBSD 10.x, 11.x
+* OpenBSD 6.3
 
 The amd64, i386, armhf and arm64 CPU architectures are all fully supported.
 
 ### Best effort
 
-The following are platforms on which BIND is known to build and run.
-ISC makes every effort to fix bugs on these platforms, but may be unable to
-do so quickly due to lack of hardware, less familiarity on the part of
-engineering staff, and other constraints. With the exception of Windows
-Server 2012 R2, none of these are tested regularly by ISC.
+The following are platforms on which BIND is known to build and run,
+but on which it is not routinely tested. ISC makes every effort to fix bugs
+on these platforms, but may be unable to do so quickly due to lack of
+hardware, less familiarity on the part of engineering staff, and other
+constraints.
 
-* Windows Server 2012 R2, 2016 / x64
 * Windows 10 / x64
+* Windows Server 2012 R2, 2016 / x64
 * macOS 10.12+
-* Solaris 11
-* FreeBSD 10.x, 12.0+
-* OpenBSD 6.4+
+* Solaris 10
+* FreeBSD 12+
+* OpenBSD 6.2
 * NetBSD
-* Other Linux distributions still supported by their vendors, such as:
+* Older or less popular Linux distributions still supported by their vendors, such as:
     * Ubuntu 14.04, 18.10+
     * Gentoo
-    * Arch Linux
+    * ArchLinux
     * Alpine Linux
-* OpenWRT/LEDE 17.01+
+* OpenWRT/LEDE 17.0
 * Other CPU architectures (mips, mipsel, sparc, ...)
 
 ## Unsupported platforms
 
-These are platforms on which BIND 9.15 is known *not* to build or run:
+These are platforms on which BIND is known *not* to build or run:
 
 * Platforms without at least OpenSSL 1.0.2
 * Windows 10 / x86
 * Windows Server 2012 and older
-* Solaris 10 and older
 * Platforms that don't support IPv6 Advanced Socket API (RFC 3542)
 * Platforms that don't support atomic operations (via compiler or library)
 * Linux without NPTL (Native POSIX Thread Library)
@@ -91,22 +89,12 @@ armhf documentation):
 * The lowest worthwhile CPU implementation is Armv7-A, therefore the recommended
   build option is `-march=armv7-a`.
 
-* FPU should be set at VFPv3-D16 as they represent the minimum specification of
+* FPU should be set at VFPv3-D16 as they represent the miminum specification of
   the processors to support here, therefore the recommended build option is
   `-mfpu=vfpv3-d16`.
 
-The `configure` command should look like this:
+The configure command should look like this:
 
 ```
 CFLAGS="-march=armv7-a -mfpu=vfpv3-d16 -Os -g" ./configure
 ```
-
-### NetBSD 6 i386
-
-The i386 build of NetBSD requires the `libatomic` library, available from
-the `gcc5-libs` package.  Because this library is in a non-standard path,
-its location must be specified in the `configure` command line:
-
-```
-LDFLAGS="-L/usr/pkg/gcc5/i486--netbsdelf/lib/ -Wl,-R/usr/pkg/gcc5/i486--netbsdelf/lib/" ./configure
-```

README

@@ -5,15 +5,14 @@ Contents
  1. Introduction
  2. Reporting bugs and getting help
  3. Contributing to BIND
- 4. BIND 9.15 features
+ 4. BIND 9.13 features
  5. Building BIND
  6. macOS
- 7. Dependencies
- 8. Compile-time options
- 9. Automated testing
-10. Documentation
-11. Change log
-12. Acknowledgments
+ 7. Compile-time options
+ 8. Automated testing
+ 9. Documentation
+10. Change log
+11. Acknowledgments
 
 Introduction
 
@@ -100,10 +99,38 @@ If you prefer, you may also submit code by opening a GitLab Issue and
 including your patch as an attachment, preferably generated by git
 format-patch.
 
-BIND 9.15 features
+BIND 9.13 features
 
-BIND 9.15 is the newest development branch of BIND 9. It includes a number
-of changes from BIND 9.14 and earlier releases.
+BIND 9.13 is the newest development branch of BIND 9. It includes a number
+of changes from BIND 9.12 and earlier releases. New features include:
+
+  * QNAME minimization, as described in RFC 7816, is now supported.
+  * "Root key sentinel" support, enabling validating resolvers to indicate
+    via a special query which trust anchors are configured for the root
+    zone.
+  * Secondary zones can now be configured as "mirror" zones; their
+    contents are transferred in as with traditional slave zones, but are
+    subject to DNSSEC validation and are not treated as authoritative data
+    when answering. This makes it easier to configure a local copy of the
+    root zone as described in RFC 7706.
+  * The "validate-except" option allows configuration of domains below
+    which DNSSEC validation should not be performed.
+  * The default value of "dnssec-validation" is now "auto".
+  * IDNA2008 is now supported when linking with libidn2.
+
+In addition, workarounds that were formerly in place to enable resolution
+of domains whose authoritative servers did not respond to EDNS queries
+have been removed. See https://dnsflagday.net for more details.
+
+Cryptographic support has been modernized. BIND now uses the best
+available pseudo-random number generator for the platform on which it's
+built. Very old versions of OpenSSL are no longer supported. Cryptography
+is now mandatory: building BIND without DNSSEC is now longer supported.
+
+Special code to support certain legacy operating systems has also been
+removed; see the file PLATFORMS.md for details of supported platforms. In
+addition to OpenSSL, BIND now requires support for IPv6, threads, and
+standard atomic operations provided by the C compiler.
 
 Building BIND
 
@@ -162,21 +189,30 @@ if you have Xcode already installed you can run "xcode-select --install".
 This will add /usr/include to the system and install the compiler and
 other tools so that they can be easily found.
 
-Dependencies
-
-Portions of BIND that are written in Python, including dnssec-keymgr,
-dnssec-coverage, dnssec-checkds, and some of the system tests, require the
-'argparse' and 'ply' modules to be available. 'argparse' is a standard
-module as of Python 2.7 and Python 3.2. 'ply' is available from https://
-pypi.python.org/pypi/ply.
-
 Compile-time options
 
 To see a full list of configuration options, run configure --help.
 
+On most platforms, BIND 9 is built with multithreading support, allowing
+it to take advantage of multiple CPUs. You can configure this by
+specifying --enable-threads or --disable-threads on the configure command
+line. The default is to enable threads, except on some older operating
+systems on which threads are known to have had problems in the past.
+(Note: Prior to BIND 9.10, the default was to disable threads on Linux
+systems; this has now been reversed. On Linux systems, the threaded build
+is known to change BIND's behavior with respect to file permissions; it
+may be necessary to specify a user with the -u option when running named.)
+
 To build shared libraries, specify --with-libtool on the configure command
 line.
 
+Certain compiled-in constants and default settings can be increased to
+values better suited to large servers with abundant memory resources (e.g,
+64-bit servers with 12G or more of memory) by specifying --with-tuning=
+large on the configure command line. This can improve performance on big
+servers, but will consume more memory and may degrade performance on
+smaller systems.
+
 For the server to support DNSSEC, you need to build it with crypto
 support. To use OpenSSL, you should have OpenSSL 1.0.2e or newer
 installed. If the OpenSSL library is installed in a nonstandard location,
@@ -208,18 +244,17 @@ github.com/farsightsec/fstrm and libprotobuf-c https://
 developers.google.com/protocol-buffers, and BIND must be configured with
 --enable-dnstap.
 
-Certain compiled-in constants and default settings can be increased to
-values better suited to large servers with abundant memory resources (e.g,
-64-bit servers with 12G or more of memory) by specifying --with-tuning=
-large on the configure command line. This can improve performance on big
-servers, but will consume more memory and may degrade performance on
-smaller systems.
-
 On Linux, process capabilities are managed in user space using the libcap
 library, which can be installed on most Linux systems via the libcap-dev
 or libcap-devel module. Process capability support can also be disabled by
 configuring with --disable-linux-caps.
 
+Portions of BIND that are written in Python, including dnssec-keymgr,
+dnssec-coverage, dnssec-checkds, and some of the system tests, require the
+'argparse' and 'ply' modules to be available. 'argparse' is a standard
+module as of Python 2.7 and Python 3.2. 'ply' is available from https://
+pypi.python.org/pypi/ply.
+
 On some platforms it is necessary to explicitly request large file support
 to handle files bigger than 2GB. This can be done by using
 --enable-largefile on the configure command line.
@@ -229,10 +264,6 @@ specifying --enable-fixed-rrset or --disable-fixed-rrset on the configure
 command line. By default, fixed rrset-order is disabled to reduce memory
 footprint.
 
-The --enable-querytrace option causes named to log every step of
-processing every query. This should only be enabled when debugging,
-because it has a significant negative impact on query performance.
-
 make install will install named and the various BIND 9 libraries. By
 default, installation is into /usr/local, but this can be changed with the
 --prefix option when running configure.

README.md

@@ -15,10 +15,9 @@
 1. [Introduction](#intro)
 1. [Reporting bugs and getting help](#help)
 1. [Contributing to BIND](#contrib)
-1. [BIND 9.15 features](#features)
+1. [BIND 9.13 features](#features)
 1. [Building BIND](#build)
 1. [macOS](#macos)
-1. [Dependencies](#dependencies)
 1. [Compile-time options](#opts)
 1. [Automated testing](#testing)
 1. [Documentation](#doc)
@@ -117,10 +116,41 @@ If you prefer, you may also submit code by opening a
 including your patch as an attachment, preferably generated by
 `git format-patch`.
 
-### <a name="features"/> BIND 9.15 features
+### <a name="features"/> BIND 9.13 features
 
-BIND 9.15 is the newest development branch of BIND 9. It includes a
-number of changes from BIND 9.14 and earlier releases.
+BIND 9.13 is the newest development branch of BIND 9. It includes a
+number of changes from BIND 9.12 and earlier releases.  New features
+include:
+
+* QNAME minimization, as described in RFC 7816, is now supported.
+* "Root key sentinel" support, enabling validating resolvers to indicate
+  via a special query which trust anchors are configured for the root zone.
+* Secondary zones can now be configured as "mirror" zones; their contents
+  are transferred in as with traditional slave zones, but are subject to
+  DNSSEC validation and are not treated as authoritative data when
+  answering. This makes it easier to configure a local copy of the root
+  zone as described in RFC 7706.
+* The "validate-except" option allows configuration of domains below which
+  DNSSEC validation should not be performed.
+* The default value of "dnssec-validation" is now "auto".
+* IDNA2008 is now supported when linking with `libidn2`.
+
+In addition, workarounds that were formerly in place to enable resolution
+of domains whose authoritative servers did not respond to EDNS queries
+have been removed. See [https://dnsflagday.net](https://dnsflagday.net)
+for more details.
+
+Cryptographic support has been modernized. BIND now uses the
+best available pseudo-random number generator for the platform on which
+it's built. Very old versions of OpenSSL are no longer supported.
+Cryptography is now mandatory: building BIND without DNSSEC is now
+longer supported.
+
+Special code to support certain legacy operating systems has also
+been removed; see the file [PLATFORMS.md](PLATFORMS.md) for details
+of supported platforms. In addition to OpenSSL, BIND now requires
+support for IPv6, threads, and standard atomic operations provided
+by the C compiler.
 
 ### <a name="build"/> Building BIND
 
@@ -173,21 +203,31 @@ or if you have Xcode already installed you can run "xcode-select --install".
 This will add /usr/include to the system and install the compiler and other
 tools so that they can be easily found.
 
-### <a name="dependencies"/> Dependencies
-
-Portions of BIND that are written in Python, including
-`dnssec-keymgr`, `dnssec-coverage`, `dnssec-checkds`, and some of the
-system tests, require the 'argparse' and 'ply' modules to be available.
-'argparse' is a standard module as of Python 2.7 and Python 3.2.
-'ply' is available from [https://pypi.python.org/pypi/ply](https://pypi.python.org/pypi/ply).
 
 #### <a name="opts"/> Compile-time options
 
 To see a full list of configuration options, run `configure --help`.
 
+On most platforms, BIND 9 is built with multithreading support, allowing it
+to take advantage of multiple CPUs.  You can configure this by specifying
+`--enable-threads` or `--disable-threads` on the `configure` command line.
+The default is to enable threads, except on some older operating systems on
+which threads are known to have had problems in the past.  (Note: Prior to
+BIND 9.10, the default was to disable threads on Linux systems; this has
+now been reversed.  On Linux systems, the threaded build is known to change
+BIND's behavior with respect to file permissions; it may be necessary to
+specify a user with the -u option when running `named`.)
+
 To build shared libraries, specify `--with-libtool` on the `configure`
 command line.
 
+Certain compiled-in constants and default settings can be increased to
+values better suited to large servers with abundant memory resources (e.g,
+64-bit servers with 12G or more of memory) by specifying
+`--with-tuning=large` on the `configure` command line. This can improve
+performance on big servers, but will consume more memory and may degrade
+performance on smaller systems.
+
 For the server to support DNSSEC, you need to build it with crypto support.
 To use OpenSSL, you should have OpenSSL 1.0.2e or newer installed.  If the
 OpenSSL library is installed in a nonstandard location, specify the prefix
@@ -222,18 +262,17 @@ and libprotobuf-c
 [https://developers.google.com/protocol-buffers](https://developers.google.com/protocol-buffers),
 and BIND must be configured with `--enable-dnstap`.
 
-Certain compiled-in constants and default settings can be increased to
-values better suited to large servers with abundant memory resources (e.g,
-64-bit servers with 12G or more of memory) by specifying
-`--with-tuning=large` on the `configure` command line. This can improve
-performance on big servers, but will consume more memory and may degrade
-performance on smaller systems.
-
 On Linux, process capabilities are managed in user space using
 the `libcap` library, which can be installed on most Linux systems via
 the `libcap-dev` or `libcap-devel` module. Process capability support can
 also be disabled by configuring with `--disable-linux-caps`.
 
+Portions of BIND that are written in Python, including
+`dnssec-keymgr`, `dnssec-coverage`, `dnssec-checkds`, and some of the
+system tests, require the 'argparse' and 'ply' modules to be available.
+'argparse' is a standard module as of Python 2.7 and Python 3.2.
+'ply' is available from [https://pypi.python.org/pypi/ply](https://pypi.python.org/pypi/ply).
+
 On some platforms it is necessary to explicitly request large file support
 to handle files bigger than 2GB.  This can be done by using
 `--enable-largefile` on the `configure` command line.
@@ -243,10 +282,6 @@ specifying `--enable-fixed-rrset` or `--disable-fixed-rrset` on the
 configure command line.  By default, fixed rrset-order is disabled to
 reduce memory footprint.
 
-The `--enable-querytrace` option causes `named` to log every step of
-processing every query. This should only be enabled when debugging, because
-it has a significant negative impact on query performance.
-
 `make install` will install `named` and the various BIND 9 libraries.  By
 default, installation is into /usr/local, but this can be changed with the
 `--prefix` option when running `configure`.

bin/Makefile.in

@@ -12,7 +12,7 @@ VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
 
 SUBDIRS =	named rndc dig delv dnssec tools nsupdate check confgen \
-		@NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ plugins tests
+		@NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ tests
 TARGETS =
 
 @BIND9_MAKE_RULES@

bin/check/Makefile.in

@@ -66,7 +66,7 @@ named-checkzone.@O@: named-checkzone.c
 named-checkconf@EXEEXT@: named-checkconf.@O@ check-tool.@O@ ${ISCDEPLIBS} \
 		${NSDEPENDLIBS} ${DNSDEPLIBS} ${ISCCFGDEPLIBS} ${BIND9DEPLIBS}
 	export BASEOBJS="named-checkconf.@O@ check-tool.@O@"; \
-	export LIBS0="${BIND9LIBS} ${NSLIBS} ${ISCCFGLIBS} ${DNSLIBS}"; \
+	export LIBS0="${NSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} ${DNSLIBS}"; \
 	${FINALBUILDCMD}
 
 named-checkzone@EXEEXT@: named-checkzone.@O@ check-tool.@O@ ${ISCDEPLIBS} \

bin/check/check-tool.c

@@ -12,6 +12,8 @@
 
 /*! \file */
 
+#include <config.h>
+
 #include <stdbool.h>
 #include <stdio.h>
 #include <inttypes.h>

bin/check/named-checkconf.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -39,7 +39,7 @@
 named-checkconf \- named configuration file syntax checking tool
 .SH "SYNOPSIS"
 .HP \w'\fBnamed\-checkconf\fR\ 'u
-\fBnamed\-checkconf\fR [\fB\-chjlvz\fR] [\fB\-p\fR\ [\fB\-x\fR\ ]] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] {filename}
+\fBnamed\-checkconf\fR [\fB\-hjlvz\fR] [\fB\-p\fR\ [\fB\-x\fR\ ]] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] {filename}
 .SH "DESCRIPTION"
 .PP
 \fBnamed\-checkconf\fR
@@ -79,13 +79,6 @@ When loading a zonefile read the journal if it exists\&.
 List all the configured zones\&. Each line of output contains the zone name, class (e\&.g\&. IN), view, and type (e\&.g\&. master or slave)\&.
 .RE
 .PP
-\-c
-.RS 4
-Check "core" configuration only\&. This suppresses the loading of plugin modules, and causes all parameters to
-\fBplugin\fR
-statements to be ignored\&.
-.RE
-.PP
 \-p
 .RS 4
 Print out the
@@ -143,5 +136,5 @@ BIND 9 Administrator Reference Manual\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/check/named-checkconf.c

@@ -12,6 +12,8 @@
 
 /*! \file */
 
+#include <config.h>
+
 #include <errno.h>
 #include <stdbool.h>
 #include <stdlib.h>
@@ -44,8 +46,6 @@
 
 static const char *program = "named-checkconf";
 
-static bool loadplugins = true;
-
 isc_log_t *logc = NULL;
 
 #define CHECK(r)\
@@ -61,7 +61,7 @@ usage(void) ISC_PLATFORM_NORETURN_POST;
 
 static void
 usage(void) {
-	fprintf(stderr, "usage: %s [-chjlvz] [-p [-x]] [-t directory] "
+	fprintf(stderr, "usage: %s [-hjlvz] [-p [-x]] [-t directory] "
 		"[named.conf]\n", program);
 	exit(1);
 }
@@ -562,7 +562,7 @@ main(int argc, char **argv) {
 	/*
 	 * Process memory debugging argument first.
 	 */
-#define CMDLINE_FLAGS "cdhjlm:t:pvxz"
+#define CMDLINE_FLAGS "dhjlm:t:pvxz"
 	while ((c = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
 		switch (c) {
 		case 'm':
@@ -587,10 +587,6 @@ main(int argc, char **argv) {
 
 	while ((c = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != EOF) {
 		switch (c) {
-		case 'c':
-			loadplugins = false;
-			break;
-
 		case 'd':
 			debug++;
 			break;
@@ -681,10 +677,9 @@ main(int argc, char **argv) {
 	    ISC_R_SUCCESS)
 		exit(1);
 
-	result = bind9_check_namedconf(config, loadplugins, logc, mctx);
-	if (result != ISC_R_SUCCESS) {
+	result = bind9_check_namedconf(config, logc, mctx);
+	if (result != ISC_R_SUCCESS)
 		exit_status = 1;
-	}
 
 	if (result == ISC_R_SUCCESS && (load_zones || list_zones)) {
 		result = load_zones_fromconfig(config, mctx, list_zones);

bin/check/named-checkconf.docbook

@@ -40,7 +40,6 @@
       <year>2015</year>
       <year>2016</year>
       <year>2018</year>
-      <year>2019</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
@@ -53,7 +52,7 @@
   <refsynopsisdiv>
     <cmdsynopsis sepchar=" ">
       <command>named-checkconf</command>
-      <arg choice="opt" rep="norepeat"><option>-chjlvz</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-hjlvz</option></arg>
       <arg choice="opt" rep="norepeat"><option>-p</option>
 	<arg choice="opt" rep="norepeat"><option>-x</option>
       </arg></arg>
@@ -115,17 +114,6 @@
         </listitem>
       </varlistentry>
 
-      <varlistentry>
-        <term>-c</term>
-        <listitem>
-          <para>
-	    Check "core" configuration only. This suppresses the loading
-	    of plugin modules, and causes all parameters to
-	    <command>plugin</command> statements to be ignored.
-          </para>
-        </listitem>
-      </varlistentry>
-
       <varlistentry>
         <term>-p</term>
         <listitem>

bin/check/named-checkconf.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -33,7 +33,7 @@
 <h2>Synopsis</h2>
     <div class="cmdsynopsis"><p>
       <code class="command">named-checkconf</code> 
-       [<code class="option">-chjlvz</code>]
+       [<code class="option">-hjlvz</code>]
        [<code class="option">-p</code>
 	 [<code class="option">-x</code>
       ]]
@@ -88,14 +88,6 @@
             (e.g. master or slave).
           </p>
         </dd>
-<dt><span class="term">-c</span></dt>
-<dd>
-          <p>
-	    Check "core" configuration only. This suppresses the loading
-	    of plugin modules, and causes all parameters to
-	    <span class="command"><strong>plugin</strong></span> statements to be ignored.
-          </p>
-        </dd>
 <dt><span class="term">-p</span></dt>
 <dd>
           <p>

bin/check/named-checkzone.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2000-2002, 2004-2007, 2009-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2002, 2004-2007, 2009-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -325,5 +325,5 @@ BIND 9 Administrator Reference Manual\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2000-2002, 2004-2007, 2009-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000-2002, 2004-2007, 2009-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/check/named-checkzone.c

@@ -12,6 +12,8 @@
 
 /*! \file */
 
+#include <config.h>
+
 #include <stdbool.h>
 #include <stdlib.h>
 #include <inttypes.h>

bin/check/named-checkzone.docbook

@@ -43,7 +43,6 @@
       <year>2015</year>
       <year>2016</year>
       <year>2018</year>
-      <year>2019</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>

bin/check/named-checkzone.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2002, 2004-2007, 2009-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2002, 2004-2007, 2009-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this

bin/check/win32/checkconf.vcxproj.in

@@ -62,7 +62,6 @@
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <BrowseInformation>true</BrowseInformation>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
@@ -90,7 +89,6 @@
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>

bin/check/win32/checkconf.vcxproj.user

@@ -1,3 +1,3 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 </Project>

bin/check/win32/checktool.vcxproj.in

@@ -65,7 +65,6 @@
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <BrowseInformation>true</BrowseInformation>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;..\..\..\lib\ns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
@@ -89,7 +88,6 @@
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;..\..\..\lib\ns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>

bin/check/win32/checktool.vcxproj.user

@@ -1,3 +1,3 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 </Project>

bin/check/win32/checkzone.vcxproj.in

@@ -62,7 +62,6 @@
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <BrowseInformation>true</BrowseInformation>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
@@ -96,7 +95,6 @@ copy /Y named-checkzone.ilk named-compilezone.ilk
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>

bin/check/win32/checkzone.vcxproj.user

@@ -1,3 +1,3 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 </Project>

bin/confgen/ddns-confgen.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -144,5 +144,5 @@ BIND 9 Administrator Reference Manual\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/confgen/ddns-confgen.c

@@ -17,6 +17,8 @@
  * and the corresponding key and update-policy statements in named.conf.
  */
 
+#include <config.h>
+
 #include <stdarg.h>
 #include <stdbool.h>
 #include <stdlib.h>

bin/confgen/ddns-confgen.docbook

@@ -37,7 +37,6 @@
       <year>2015</year>
       <year>2016</year>
       <year>2018</year>
-      <year>2019</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>

bin/confgen/ddns-confgen.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this

bin/confgen/keygen.c

@@ -12,6 +12,8 @@
 
 /*! \file */
 
+#include <config.h>
+
 #include <stdlib.h>
 #include <stdarg.h>
 

bin/confgen/rndc-confgen.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -206,5 +206,5 @@ BIND 9 Administrator Reference Manual\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2001, 2003-2005, 2007, 2009, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2001, 2003-2005, 2007, 2009, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/confgen/rndc-confgen.c

@@ -20,6 +20,8 @@
  * controls statement altogether.
  */
 
+#include <config.h>
+
 #include <stdarg.h>
 #include <stdbool.h>
 #include <stdlib.h>

bin/confgen/rndc-confgen.docbook

@@ -44,7 +44,6 @@
       <year>2016</year>
       <year>2017</year>
       <year>2018</year>
-      <year>2019</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>

bin/confgen/rndc-confgen.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this

bin/confgen/unix/os.c

@@ -12,6 +12,8 @@
 
 /*! \file */
 
+#include <config.h>
+
 #include <confgen/os.h>
 
 #include <fcntl.h>

bin/confgen/util.c

@@ -12,6 +12,8 @@
 
 /*! \file */
 
+#include <config.h>
+
 #include <stdarg.h>
 #include <stdbool.h>
 #include <stdlib.h>

bin/confgen/win32/confgentool.vcxproj.in

@@ -60,7 +60,6 @@
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <BrowseInformation>true</BrowseInformation>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
@@ -85,7 +84,6 @@
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>

bin/confgen/win32/confgentool.vcxproj.user

@@ -1,3 +1,3 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 </Project>

bin/confgen/win32/ddnsconfgen.vcxproj.in

@@ -62,7 +62,6 @@
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <BrowseInformation>true</BrowseInformation>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\isccc\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
@@ -96,7 +95,6 @@ copy /Y ddns-confgen.ilk tsig-keygen.ilk
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\isccc\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>

bin/confgen/win32/ddnsconfgen.vcxproj.user

@@ -1,3 +1,3 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 </Project>

bin/confgen/win32/os.c

@@ -9,6 +9,9 @@
  * information regarding copyright ownership.
  */
 
+
+#include <config.h>
+
 #include <confgen/os.h>
 
 #include <fcntl.h>

bin/confgen/win32/rndcconfgen.vcxproj.in

@@ -62,7 +62,6 @@
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <BrowseInformation>true</BrowseInformation>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\isccc\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
@@ -90,7 +89,6 @@
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\isccc\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>

bin/confgen/win32/rndcconfgen.vcxproj.user

@@ -1,3 +1,3 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 </Project>

bin/delv/delv.1

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2014-2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2014-2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -437,5 +437,5 @@ RFC5155\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2014-2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2014-2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/delv/delv.c

@@ -9,6 +9,7 @@
  * information regarding copyright ownership.
  */
 
+#include <config.h>
 #include <bind.keys.h>
 
 #ifndef WIN32
@@ -742,8 +743,8 @@ setup_dnsseckeys(dns_client_t *client) {
 
 		isc_buffer_init(&b, anchortext, sizeof(anchortext) - 1);
 		isc_buffer_add(&b, sizeof(anchortext) - 1);
-		result = cfg_parse_buffer(parser, &b, NULL, 0,
-					  &cfg_type_bindkeys, 0, &bindkeys);
+		result = cfg_parse_buffer(parser, &b, &cfg_type_bindkeys,
+					  &bindkeys);
 		if (result != ISC_R_SUCCESS)
 			fatal("Unable to parse built-in keys");
 	}

bin/delv/delv.docbook

@@ -39,7 +39,6 @@
       <year>2016</year>
       <year>2017</year>
       <year>2018</year>
-      <year>2019</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>

bin/delv/delv.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2014-2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2014-2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this

bin/delv/win32/delv.vcxproj.in

@@ -60,8 +60,7 @@
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <BrowseInformation>true</BrowseInformation>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
-      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@GEOIP_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\win32\include;..\..\..\lib\dns\include;..\..\..\lib\irs\win32\include;..\..\..\lib\irs\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@GEOIP_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\win32\include;..\..\..\lib\dns\include;..\..\..\lib\irs\win32\include;..\..\..\lib\irs\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
     <Link>
@@ -88,8 +87,7 @@
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
-      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@GEOIP_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\win32\include;..\..\..\lib\dns\include;..\..\..\lib\irs\win32\include;..\..\..\lib\irs\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@GEOIP_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\win32\include;..\..\..\lib\dns\include;..\..\..\lib\irs\win32\include;..\..\..\lib\irs\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
     <Link>

bin/delv/win32/delv.vcxproj.user

@@ -1,3 +1,3 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 </Project>

bin/dig/dig.1

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2000-2011, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2011, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -74,9 +74,7 @@ will perform an NS query for "\&." (the root)\&.
 It is possible to set per\-user defaults for
 \fBdig\fR
 via
-${HOME}/\&.digrc\&. This file is read and any options in it are applied before the command line arguments\&. The
-\fB\-r\fR
-option disables this feature, for scripts that need predictable behaviour\&.
+${HOME}/\&.digrc\&. This file is read and any options in it are applied before the command line arguments\&.
 .PP
 The IN and CH class names overlap with the IN and CH top level domain names\&. Either use the
 \fB\-t\fR
@@ -176,6 +174,11 @@ reads a list of lookup requests to process from the given
 using the command\-line interface\&.
 .RE
 .PP
+\-i
+.RS 4
+Do reverse IPv6 lookups using the obsolete RFC 1886 IP6\&.INT domain, which is no longer in use\&. Obsolete bit string label queries (RFC 2874) are not attempted\&.
+.RE
+.PP
 \-k \fIkeyfile\fR
 .RS 4
 Sign queries using TSIG using a key read from the given file\&. Key files can be generated using
@@ -205,12 +208,6 @@ The domain name to query\&. This is useful to distinguish the
 from other arguments\&.
 .RE
 .PP
-\-r
-.RS 4
-Do not read options from
-${HOME}/\&.digrc\&. This is useful for scripts that need predictable behaviour\&.
-.RE
-.PP
 \-t \fItype\fR
 .RS 4
 The resource record type to query\&. It can be any valid query type\&. If it is a resource record type supported in BIND 9, it can be given by the type mnemonic (such as "NS" or "AAAA")\&. The default query type is "A", unless the
@@ -249,7 +246,9 @@ arguments\&.
 \fBdig\fR
 automatically performs a lookup for a name like
 94\&.2\&.0\&.192\&.in\-addr\&.arpa
-and sets the query type and class to PTR and IN respectively\&. IPv6 addresses are looked up using nibble format under the IP6\&.ARPA domain\&.
+and sets the query type and class to PTR and IN respectively\&. IPv6 addresses are looked up using nibble format under the IP6\&.ARPA domain (but see also the
+\fB\-i\fR
+option)\&.
 .RE
 .PP
 \-y \fI[hmac:]\fR\fIkeyname:secret\fR
@@ -450,11 +449,6 @@ clears the EDNS options to be sent\&.
 Send an EDNS Expire option\&.
 .RE
 .PP
-\fB+[no]expandaaaa\fR
-.RS 4
-When printing AAAA record print all zero nibbles rather than the default RFC 5952 preferred presentation format\&.
-.RE
-.PP
 \fB+[no]fail\fR
 .RS 4
 Do not try the next server if you receive a SERVFAIL\&. The default is to not try the next server which is the reverse of normal stub resolver behavior\&.
@@ -474,16 +468,12 @@ option is enabled\&. If short form answers are requested, the default is not to
 .PP
 \fB+[no]idnin\fR
 .RS 4
-Process [do not process] IDN domain names on input\&. This requires IDN SUPPORT to have been enabled at compile time\&.
-.sp
-The default is to process IDN input when standard output is a tty\&. The IDN processing on input is disabled when dig output is redirected to files, pipes, and other non\-tty file descriptors\&.
+Process [do not process] IDN domain names on input\&. This requires IDN SUPPORT to have been enabled at compile time\&. The default is to process IDN input\&.
 .RE
 .PP
 \fB+[no]idnout\fR
 .RS 4
-Convert [do not convert] puny code on output\&. This requires IDN SUPPORT to have been enabled at compile time\&.
-.sp
-The default is to process puny code on output when standard output is a tty\&. The puny code processing on output is disabled when dig output is redirected to files, pipes, and other non\-tty file descriptors\&.
+Convert [do not convert] puny code on output\&. This requires IDN SUPPORT to have been enabled at compile time\&. The default is to convert output\&.
 .RE
 .PP
 \fB+[no]ignore\fR
@@ -805,10 +795,7 @@ has been built with IDN (internationalized domain name) support, it can accept a
 appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server\&. If you\*(Aqd like to turn off the IDN support for some reason, use parameters
 \fI+noidnin\fR
 and
-\fI+noidnout\fR
-or define the
-\fBIDN_DISABLE\fR
-environment variable\&.
+\fI+noidnout\fR\&.
 .SH "FILES"
 .PP
 /etc/resolv\&.conf
@@ -829,5 +816,5 @@ There are probably too many query options\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2000-2011, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000-2011, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dig/dig.c

@@ -11,6 +11,8 @@
 
 /*! \file */
 
+#include <config.h>
+
 #include <inttypes.h>
 #include <stdbool.h>
 #include <stdlib.h>
@@ -187,7 +189,6 @@ help(void) {
 "                 +[no]ednsnegotiation (Set EDNS version negotiation)\n"
 "                 +ednsopt=###[:value] (Send specified EDNS option)\n"
 "                 +noednsopt          (Clear list of +ednsopt options)\n"
-"                 +[no]expandaaaa     (Expand AAAA records)\n"
 "                 +[no]expire         (Request time to expire)\n"
 "                 +[no]fail           (Don't try next server on SERVFAIL)\n"
 "                 +[no]header-only    (Send query without a question section)\n"
@@ -474,8 +475,6 @@ printmessage(dig_query_t *query, dns_message_t *msg, bool headers) {
 		styleflags |= DNS_STYLEFLAG_NO_CLASS;
 	if (query->lookup->nocrypto)
 		styleflags |= DNS_STYLEFLAG_NOCRYPTO;
-	if (query->lookup->expandaaaa)
-		styleflags |= DNS_STYLEFLAG_EXPANDAAAA;
 	if (query->lookup->multiline) {
 		styleflags |= DNS_STYLEFLAG_OMIT_OWNER;
 		styleflags |= DNS_STYLEFLAG_OMIT_CLASS;
@@ -1037,24 +1036,8 @@ plus_option(char *option, bool is_batchfile,
 			}
 			break;
 		case 'x':
-			switch (cmd[2]) {
-			case 'p':
-				switch(cmd[3]) {
-				case 'a':
-					FULLCHECK("expandaaaa");
-					lookup->expandaaaa = state;
-					break;
-				case 'i':
-					FULLCHECK("expire");
-					lookup->expire = state;
-					break;
-				default:
-					goto invalid_option;
-				}
-				break;
-			default:
-				goto invalid_option;
-			}
+			FULLCHECK("expire");
+			lookup->expire = state;
 			break;
 		default:
 			goto invalid_option;

bin/dig/dig.docbook

@@ -52,7 +52,6 @@
       <year>2016</year>
       <year>2017</year>
       <year>2018</year>
-      <year>2019</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
@@ -747,16 +746,6 @@
 	  </listitem>
 	</varlistentry>
 
-	<varlistentry>
-	  <term><option>+[no]expandaaaa</option></term>
-	  <listitem>
-	    <para>
-	      When printing AAAA record print all zero nibbles rather
-	      than the default RFC 5952 preferred presentation format.
-	    </para>
-	  </listitem>
-	</varlistentry>
-
 	<varlistentry>
 	  <term><option>+[no]fail</option></term>
 	  <listitem>

bin/dig/dig.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2011, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2011, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -106,10 +106,9 @@
 
     <p>
       It is possible to set per-user defaults for <span class="command"><strong>dig</strong></span> via
-      <code class="filename">${HOME}/.digrc</code>. This file is read and any
-      options in it are applied before the command line arguments.
-      The <code class="option">-r</code> option disables this feature, for
-      scripts that need predictable behaviour.
+      <code class="filename">${HOME}/.digrc</code>.  This file is read and
+      any options in it
+      are applied before the command line arguments.
     </p>
 
     <p>
@@ -228,6 +227,14 @@
 	    <span class="command"><strong>dig</strong></span> using the command-line interface.
 	  </p>
 	</dd>
+<dt><span class="term">-i</span></dt>
+<dd>
+	  <p>
+	    Do reverse IPv6 lookups using the obsolete RFC 1886 IP6.INT
+	    domain, which is no longer in use. Obsolete bit string
+	    label queries (RFC 2874) are not attempted.
+	  </p>
+	</dd>
 <dt><span class="term">-k <em class="replaceable"><code>keyfile</code></em></span></dt>
 <dd>
 	  <p>
@@ -267,13 +274,6 @@
 	    the <em class="parameter"><code>name</code></em> from other arguments.
 	  </p>
 	</dd>
-<dt><span class="term">-r</span></dt>
-<dd>
-	  <p>
-	    Do not read options from <code class="filename">${HOME}/.digrc</code>.
-	    This is useful for scripts that need predictable behaviour.
-	  </p>
-	</dd>
 <dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
 <dd>
 	  <p>
@@ -324,7 +324,8 @@
 	    <code class="literal">94.2.0.192.in-addr.arpa</code> and sets the
 	    query type and class to PTR and IN respectively. IPv6
 	    addresses are looked up using nibble format under the
-	    IP6.ARPA domain.
+	    IP6.ARPA domain (but see also the <code class="option">-i</code>
+	    option).
 	  </p>
 	</dd>
 <dt><span class="term">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></span></dt>
@@ -598,13 +599,6 @@
 	      Send an EDNS Expire option.
 	    </p>
 	  </dd>
-<dt><span class="term"><code class="option">+[no]expandaaaa</code></span></dt>
-<dd>
-	    <p>
-	      When printing AAAA record print all zero nibbles rather
-	      than the default RFC 5952 preferred presentation format.
-	    </p>
-	  </dd>
 <dt><span class="term"><code class="option">+[no]fail</code></span></dt>
 <dd>
 	    <p>
@@ -637,13 +631,7 @@
 	    <p>
 	      Process [do not process] IDN domain names on input.
 	      This requires IDN SUPPORT to have been enabled at
-	      compile time.
-	    </p>
-	    <p>
-	      The default is to process IDN input when standard output
-	      is a tty.  The IDN processing on input is disabled when
-	      dig output is redirected to files, pipes, and other
-	      non-tty file descriptors.
+	      compile time.  The default is to process IDN input.
 	    </p>
 	  </dd>
 <dt><span class="term"><code class="option">+[no]idnout</code></span></dt>
@@ -651,13 +639,7 @@
 	    <p>
 	      Convert [do not convert] puny code on output.
 	      This requires IDN SUPPORT to have been enabled at
-	      compile time.
-	    </p>
-	    <p>
-	      The default is to process puny code on output when
-	      standard output is a tty.  The puny code processing on
-	      output is disabled when dig output is redirected to
-	      files, pipes, and other non-tty file descriptors.
+	      compile time.  The default is to convert output.
 	    </p>
 	  </dd>
 <dt><span class="term"><code class="option">+[no]ignore</code></span></dt>
@@ -1079,9 +1061,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
       reply from the server.
       If you'd like to turn off the IDN support for some reason, use
       parameters <em class="parameter"><code>+noidnin</code></em> and
-      <em class="parameter"><code>+noidnout</code></em> or define
-      the <code class="envar">IDN_DISABLE</code> environment variable.
-
+      <em class="parameter"><code>+noidnout</code></em>.
     </p>
   </div>
 

bin/dig/dighost.c

@@ -19,6 +19,8 @@
  * functions in most applications.
  */
 
+#include <config.h>
+
 #include <inttypes.h>
 #include <stdbool.h>
 #include <stdlib.h>
@@ -621,7 +623,6 @@ make_empty_lookup(void) {
 	looknew->nocrypto = false;
 	looknew->ttlunits = false;
 	looknew->ttlunits = false;
-	looknew->expandaaaa = false;
 	looknew->qr = false;
 #ifdef HAVE_LIBIDN2
 	looknew->idnin = isatty(1)?(getenv("IDN_DISABLE") == NULL):false;
@@ -770,7 +771,6 @@ clone_lookup(dig_lookup_t *lookold, bool servers) {
 	looknew->use_usec = lookold->use_usec;
 	looknew->nocrypto = lookold->nocrypto;
 	looknew->ttlunits = lookold->ttlunits;
-	looknew->expandaaaa = lookold->expandaaaa;
 	looknew->qr = lookold->qr;
 	looknew->idnin = lookold->idnin;
 	looknew->idnout = lookold->idnout;
@@ -1390,7 +1390,8 @@ setup_libs(void) {
 	isc_mempool_setfreemax(commctx, 6);
 	isc_mempool_setfillcount(commctx, 2);
 
-	isc_mutex_init(&lookup_lock);
+	result = isc_mutex_init(&lookup_lock);
+	check_result(result, "isc_mutex_init");
 }
 
 typedef struct dig_ednsoptname {
@@ -1411,8 +1412,6 @@ dig_ednsoptname_t optnames[] = {
 	{ 12, "PAD" },		/* shorthand */
 	{ 13, "CHAIN" },	/* RFC 7901 */
 	{ 14, "KEY-TAG" },	/* RFC 8145 */
-	{ 16, "CLIENT-TAG" },	/* draft-bellis-dnsop-edns-tags */
-	{ 17, "SERVER-TAG" },	/* draft-bellis-dnsop-edns-tags */
 	{ 26946, "DEVICEID" },	/* Brian Hartvigsen */
 };
 
@@ -2732,6 +2731,27 @@ send_tcp_connect(dig_query_t *query) {
 		return;
 	}
 
+	if (specified_source &&
+	    (isc_sockaddr_pf(&query->sockaddr) !=
+	     isc_sockaddr_pf(&bind_address))) {
+		printf(";; Skipping server %s, incompatible "
+		       "address family\n", query->servname);
+		query->waiting_connect = false;
+		if (ISC_LINK_LINKED(query, link))
+			next = ISC_LIST_NEXT(query, link);
+		else
+			next = NULL;
+		l = query->lookup;
+		clear_query(query);
+		if (next == NULL) {
+			printf(";; No acceptable nameservers\n");
+			check_next_lookup(l);
+			return;
+		}
+		send_tcp_connect(next);
+		return;
+	}
+
 	INSIST(query->sock == NULL);
 
 	if (keep != NULL && isc_sockaddr_equal(&keepaddr, &query->sockaddr)) {
@@ -2882,36 +2902,6 @@ send_udp(dig_query_t *query) {
 	sendcount++;
 }
 
-/*%
- * If there are more servers available for querying within 'lookup', initiate a
- * TCP or UDP query to the next available server and return true; otherwise,
- * return false.
- */
-static bool
-try_next_server(dig_lookup_t *lookup) {
-	dig_query_t *current_query, *next_query;
-
-	current_query = lookup->current_query;
-	if (current_query == NULL || !ISC_LINK_LINKED(current_query, link)) {
-		return (false);
-	}
-
-	next_query = ISC_LIST_NEXT(current_query, link);
-	if (next_query == NULL) {
-		return (false);
-	}
-
-	debug("trying next server...");
-
-	if (lookup->tcp_mode) {
-		send_tcp_connect(next_query);
-	} else {
-		send_udp(next_query);
-	}
-
-	return (true);
-}
-
 /*%
  * IO timeout handler, used for both connect and recv timeouts.  If
  * retries are still allowed, either resend the UDP packet or queue a
@@ -2920,7 +2910,7 @@ try_next_server(dig_lookup_t *lookup) {
 static void
 connect_timeout(isc_task_t *task, isc_event_t *event) {
 	dig_lookup_t *l = NULL;
-	dig_query_t *query = NULL;
+	dig_query_t *query = NULL, *cq;
 
 	UNUSED(task);
 	REQUIRE(event->ev_type == ISC_TIMEREVENT_IDLE);
@@ -2940,14 +2930,18 @@ connect_timeout(isc_task_t *task, isc_event_t *event) {
 		return;
 	}
 
-	if (try_next_server(l)) {
-		if (l->tcp_mode) {
-			if (query->sock != NULL) {
+	if ((query != NULL) && (query->lookup->current_query != NULL) &&
+	    ISC_LINK_LINKED(query->lookup->current_query, link) &&
+	    (ISC_LIST_NEXT(query->lookup->current_query, link) != NULL)) {
+		debug("trying next server...");
+		cq = query->lookup->current_query;
+		if (!l->tcp_mode)
+			send_udp(ISC_LIST_NEXT(cq, link));
+		else {
+			if (query->sock != NULL)
 				isc_socket_cancel(query->sock, NULL,
 						  ISC_SOCKCANCEL_ALL);
-			} else {
-				clear_query(query);
-			}
+			send_tcp_connect(ISC_LIST_NEXT(cq, link));
 		}
 		UNLOCK_LOOKUP;
 		return;
@@ -2993,27 +2987,6 @@ connect_timeout(isc_task_t *task, isc_event_t *event) {
 	UNLOCK_LOOKUP;
 }
 
-/*%
- * Called when a peer closes a TCP socket prematurely.
- */
-static void
-requeue_or_update_exitcode(dig_lookup_t *lookup) {
-	if (lookup->eoferr == 0U) {
-		/*
-		 * Peer closed the connection prematurely for the first time
-		 * for this lookup.  Try again, keeping track of this failure.
-		 */
-		dig_lookup_t *requeued_lookup = requeue_lookup(lookup, true);
-		requeued_lookup->eoferr++;
-	} else {
-		/*
-		 * Peer closed the connection prematurely and it happened
-		 * previously for this lookup.  Indicate an error.
-		 */
-		exitcode = 9;
-	}
-}
-
 /*%
  * Event handler for the TCP recv which gets the length header of TCP
  * packets.  Start the next recv of length bytes.
@@ -3025,7 +2998,7 @@ tcp_length_done(isc_task_t *task, isc_event_t *event) {
 	isc_region_t r;
 	isc_result_t result;
 	dig_query_t *query = NULL;
-	dig_lookup_t *l;
+	dig_lookup_t *l, *n;
 	uint16_t length;
 
 	REQUIRE(event->ev_type == ISC_SOCKEVENT_RECVDONE);
@@ -3064,8 +3037,9 @@ tcp_length_done(isc_task_t *task, isc_event_t *event) {
 		sockcount--;
 		debug("sockcount=%d", sockcount);
 		INSIST(sockcount >= 0);
-		if (sevent->result == ISC_R_EOF) {
-			requeue_or_update_exitcode(l);
+		if (sevent->result == ISC_R_EOF && l->eoferr == 0U) {
+			n = requeue_lookup(l, true);
+			n->eoferr++;
 		}
 		isc_event_free(&event);
 		clear_query(query);
@@ -3424,7 +3398,7 @@ process_cookie(dig_lookup_t *l, dns_message_t *msg,
 	}
 
 	INSIST(msg->cc_ok == 0 && msg->cc_bad == 0);
-	if (len >= 8 && optlen >= 8U) {
+	if (optlen >= len && optlen >= 8U) {
 		if (isc_safe_memequal(isc_buffer_current(optbuf), sent, 8)) {
 			msg->cc_ok = 1;
 		} else {
@@ -3511,7 +3485,6 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 	dig_lookup_t *n, *l;
 	bool docancel = false;
 	bool match = true;
-	bool done_process_opt = false;
 	unsigned int parseflags;
 	dns_messageid_t id;
 	unsigned int msgflags;
@@ -3567,8 +3540,9 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 			debug("sockcount=%d", sockcount);
 			INSIST(sockcount >= 0);
 		}
-		if (sevent->result == ISC_R_EOF) {
-			requeue_or_update_exitcode(l);
+		if (sevent->result == ISC_R_EOF && l->eoferr == 0U) {
+			n = requeue_lookup(l, true);
+			n->eoferr++;
 		}
 		isc_event_free(&event);
 		clear_query(query);
@@ -3805,7 +3779,6 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 			UNLOCK_LOOKUP;
 			return;
 		}
-		done_process_opt = true;
 	}
 	if ((msg->rcode == dns_rcode_servfail && !l->servfail_stops) ||
 	    (check_ra && (msg->flags & DNS_MESSAGEFLAG_RA) == 0 && l->recurse))
@@ -3895,17 +3868,13 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 		}
 	}
 
-	if (!done_process_opt) {
-		if (l->cookie != NULL) {
-			if (msg->opt == NULL) {
-				printf(";; expected opt record in response\n");
-			} else {
-				process_opt(l, msg);
-			}
-		} else if (l->sendcookie && msg->opt != NULL) {
+	if (l->cookie != NULL) {
+		if (msg->opt == NULL)
+			printf(";; expected opt record in response\n");
+		else
 			process_opt(l, msg);
-		}
-	}
+	} else if (l->sendcookie && msg->opt != NULL)
+		process_opt(l, msg);
 	if (!l->doing_xfr || l->xfr_q == query) {
 		if (msg->rcode == dns_rcode_nxdomain &&
 		    (l->origin != NULL || l->need_search)) {
@@ -4230,7 +4199,7 @@ destroy_libs(void) {
 	}
 
 	UNLOCK_LOOKUP;
-	isc_mutex_destroy(&lookup_lock);
+	DESTROYLOCK(&lookup_lock);
 	debug("Removing log context");
 	isc_log_destroy(&lctx);
 

bin/dig/host.1

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -112,6 +112,11 @@ Print debugging traces\&. Equivalent to the
 verbose option\&.
 .RE
 .PP
+\-i
+.RS 4
+Obsolete\&. Use the IP6\&.INT domain for reverse lookups of IPv6 addresses as defined in RFC1886 and deprecated in RFC4159\&. The default is to use IP6\&.ARPA as specified in RFC3596\&.
+.RE
+.PP
 \-l
 .RS 4
 List zone: The
@@ -252,7 +257,7 @@ If
 \fBhost\fR
 has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names\&.
 \fBhost\fR
-appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server\&. If you\*(Aqd like to turn off the IDN support for some reason, define the
+appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server\&. If you\*(Aqd like to turn off the IDN support for some reason, defines the
 \fBIDN_DISABLE\fR
 environment variable\&. The IDN support is disabled if the variable is set when
 \fBhost\fR
@@ -269,5 +274,5 @@ runs\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2000-2002, 2004, 2005, 2007-2009, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000-2002, 2004, 2005, 2007-2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dig/host.c

@@ -11,6 +11,8 @@
 
 /*! \file */
 
+#include <config.h>
+
 #include <inttypes.h>
 #include <stdbool.h>
 #include <stdlib.h>
@@ -149,7 +151,6 @@ show_usage(void) {
 "       -s a SERVFAIL response should stop query\n"
 "       -t specifies the query type\n"
 "       -T enables TCP/IP mode\n"
-"       -U enables UDP mode\n"
 "       -v enables verbose output\n"
 "       -V print version number and exit\n"
 "       -w specifies to wait forever for a reply\n"
@@ -623,29 +624,28 @@ pre_parse_args(int argc, char **argv) {
 		case 'a': break;
 		case 'A': break;
 		case 'c': break;
-		case 'C': break;
 		case 'd': break;
-		case 'D':
-			if (debugging)
-				debugtiming = true;
-			debugging = true;
-			break;
 		case 'i': break;
 		case 'l': break;
 		case 'n': break;
-		case 'N': break;
 		case 'r': break;
-		case 'R': break;
 		case 's': break;
 		case 't': break;
-		case 'T': break;
-		case 'U': break;
 		case 'v': break;
 		case 'V':
 			  version();
 			  exit(0);
 			  break;
 		case 'w': break;
+		case 'C': break;
+		case 'D':
+			if (debugging)
+				debugtiming = true;
+			debugging = true;
+			break;
+		case 'N': break;
+		case 'R': break;
+		case 'T': break;
 		case 'W': break;
 		default:
 			show_usage();

bin/dig/host.docbook

@@ -47,7 +47,6 @@
       <year>2016</year>
       <year>2017</year>
       <year>2018</year>
-      <year>2019</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>

bin/dig/host.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -138,6 +138,15 @@
 	    Equivalent to the <code class="option">-v</code> verbose option.
 	  </p>
 	</dd>
+<dt><span class="term">-i</span></dt>
+<dd>
+	  <p>
+	    Obsolete.
+	    Use the IP6.INT domain for reverse lookups of IPv6
+	    addresses as defined in RFC1886 and deprecated in RFC4159.
+	    The default is to use IP6.ARPA as specified in RFC3596.
+	  </p>
+	</dd>
 <dt><span class="term">-l</span></dt>
 <dd>
 	  <p>
@@ -302,7 +311,7 @@
       <span class="command"><strong>host</strong></span> appropriately converts character encoding of
       domain name before sending a request to DNS server or displaying a
       reply from the server.
-      If you'd like to turn off the IDN support for some reason, define
+      If you'd like to turn off the IDN support for some reason, defines
       the <code class="envar">IDN_DISABLE</code> environment variable.
       The IDN support is disabled if the variable is set when
       <span class="command"><strong>host</strong></span> runs.

bin/dig/include/dig/dig.h

@@ -140,7 +140,6 @@ struct dig_lookup {
 		ttlunits,
 		idnin,
 		idnout,
-		expandaaaa,
 		qr;
 	char textname[MXNAME]; /*% Name we're going to be looking up */
 	char cmdline[MXNAME];

bin/dig/nslookup.1

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004-2007, 2010, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2007, 2010, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -277,17 +277,6 @@ Try the next nameserver if a nameserver responds with SERVFAIL or a referral (no
 .PP
 \fBnslookup\fR
 returns with an exit status of 1 if any query failed, and 0 otherwise\&.
-.SH "IDN SUPPORT"
-.PP
-If
-\fBnslookup\fR
-has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names\&.
-\fBnslookup\fR
-appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server\&. If you\*(Aqd like to turn off the IDN support for some reason, define the
-\fBIDN_DISABLE\fR
-environment variable\&. The IDN support is disabled if the variable is set when
-\fBnslookup\fR
-runs or when the standard output is not a tty\&.
 .SH "FILES"
 .PP
 /etc/resolv\&.conf
@@ -301,5 +290,5 @@ runs or when the standard output is not a tty\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2004-2007, 2010, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004-2007, 2010, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dig/nslookup.c

@@ -9,6 +9,8 @@
  * information regarding copyright ownership.
  */
 
+#include <config.h>
+
 #include <inttypes.h>
 #include <stdbool.h>
 #include <stdlib.h>
@@ -877,29 +879,12 @@ get_next_command(void) {
 	isc_mem_free(mctx, buf);
 }
 
-ISC_PLATFORM_NORETURN_PRE static void
-usage(void) ISC_PLATFORM_NORETURN_POST;
-
-static void
-usage(void) {
-    fprintf(stderr, "Usage:\n");
-    fprintf(stderr,
-"   nslookup [-opt ...]             # interactive mode using default server\n");
-    fprintf(stderr,
-"   nslookup [-opt ...] - server    # interactive mode using 'server'\n");
-    fprintf(stderr,
-"   nslookup [-opt ...] host        # just look up 'host' using default server\n");
-    fprintf(stderr,
-"   nslookup [-opt ...] host server # just look up 'host' using 'server'\n");
-    exit(1);
-}
-
 static void
 parse_args(int argc, char **argv) {
 	bool have_lookup = false;
 
 	usesearch = true;
-	for (argc--, argv++; argc > 0 && argv[0] != NULL; argc--, argv++) {
+	for (argc--, argv++; argc > 0; argc--, argv++) {
 		debug("main parsing %s", argv[0]);
 		if (argv[0][0] == '-') {
 			if (strncasecmp(argv[0], "-ver", 4) == 0) {
@@ -915,9 +900,6 @@ parse_args(int argc, char **argv) {
 				in_use = true;
 				addlookup(argv[0]);
 			} else {
-				if (argv[1] != NULL) {
-					usage();
-				}
 				set_nameserver(argv[0]);
 				check_ra = false;
 			}

bin/dig/nslookup.docbook

@@ -71,7 +71,6 @@
       <year>2016</year>
       <year>2017</year>
       <year>2018</year>
-      <year>2019</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>

bin/dig/nslookup.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2004-2007, 2010, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007, 2010, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -362,31 +362,14 @@ nslookup -query=hinfo  -timeout=10
   </div>
 
   <div class="refsection">
-<a name="id-1.11"></a><h2>IDN SUPPORT</h2>
-
-    <p>
-      If <span class="command"><strong>nslookup</strong></span> has been built with IDN (internationalized
-      domain name) support, it can accept and display non-ASCII domain names.
-      <span class="command"><strong>nslookup</strong></span> appropriately converts character encoding of
-      domain name before sending a request to DNS server or displaying a
-      reply from the server.
-      If you'd like to turn off the IDN support for some reason, define
-      the <code class="envar">IDN_DISABLE</code> environment variable.
-      The IDN support is disabled if the variable is set when
-      <span class="command"><strong>nslookup</strong></span> runs or when the standard output is not
-      a tty.
-    </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.12"></a><h2>FILES</h2>
+<a name="id-1.11"></a><h2>FILES</h2>
 
     <p><code class="filename">/etc/resolv.conf</code>
     </p>
   </div>
 
   <div class="refsection">
-<a name="id-1.13"></a><h2>SEE ALSO</h2>
+<a name="id-1.12"></a><h2>SEE ALSO</h2>
 
     <p><span class="citerefentry">
         <span class="refentrytitle">dig</span>(1)

bin/dig/win32/dig.vcxproj.in

@@ -60,7 +60,6 @@
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <BrowseInformation>true</BrowseInformation>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\include;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@IDN_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
@@ -88,7 +87,6 @@
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\include;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@IDN_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>

bin/dig/win32/dig.vcxproj.user

@@ -1,3 +1,3 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 </Project>

bin/dig/win32/dighost.vcxproj.in

@@ -60,7 +60,6 @@
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <BrowseInformation>true</BrowseInformation>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@IDN_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;..\..\..\lib\irs\include;..\..\..\lib\irs\win32\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
@@ -86,7 +85,6 @@
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@IDN_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;..\..\..\lib\irs\include;..\..\..\lib\irs\win32\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>

bin/dig/win32/dighost.vcxproj.user

@@ -1,3 +1,3 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 </Project>

bin/dig/win32/host.vcxproj.in

@@ -60,7 +60,6 @@
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <BrowseInformation>true</BrowseInformation>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\include;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@IDN_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
@@ -88,7 +87,6 @@
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\include;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@IDN_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>

bin/dig/win32/host.vcxproj.user

@@ -1,3 +1,3 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 </Project>

bin/dig/win32/nslookup.vcxproj.in

@@ -60,7 +60,6 @@
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <BrowseInformation>true</BrowseInformation>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\include;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@READLINE_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\irs\include;..\..\..\lib\irs\win32\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
@@ -88,7 +87,6 @@
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\include;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@READLINE_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\irs\include;..\..\..\lib\irs\win32\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>

bin/dig/win32/nslookup.vcxproj.user

@@ -1,3 +1,3 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 </Project>

bin/dnssec/dnssec-cds.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2017-2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2017, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -102,7 +102,7 @@ Specify a digest algorithm to use when converting CDNSKEY records to DS records\
 .sp
 The
 \fIalgorithm\fR
-must be one of SHA\-1, SHA\-256, or SHA\-384\&. These values are case insensitive, and the hyphen may be omitted\&. If no algorithm is specified, the default is SHA\-256\&.
+must be one of SHA\-1 (SHA1), SHA\-256 (SHA256), or SHA\-384 (SHA384)\&. These values are case insensitive\&. If no algorithm is specified, the default is SHA\-256\&.
 .RE
 .PP
 \-c \fIclass\fR
@@ -293,5 +293,5 @@ RFC 7344\&.
 .RE
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2017-2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2017, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dnssec/dnssec-cds.c

@@ -16,6 +16,8 @@
 
 /*! \file */
 
+#include <config.h>
+
 #include <errno.h>
 #include <inttypes.h>
 #include <stdbool.h>
@@ -59,7 +61,12 @@
 
 #include "dnssectool.h"
 
+#ifndef PATH_MAX
+#define PATH_MAX 1024   /* WIN32, and others don't define this. */
+#endif
+
 const char *program = "dnssec-cds";
+int verbose;
 
 /*
  * Infrastructure
@@ -75,6 +82,12 @@ static dns_fixedname_t fixed;
 static dns_name_t *name = NULL;
 static dns_rdataclass_t rdclass = dns_rdataclass_in;
 
+/*
+ * List of digest types used by ds_from_cdnskey(), filled in by add_dtype()
+ * from -a arguments. The size of the array is an arbitrary limit.
+ */
+static uint8_t dtype[8];
+
 static const char *startstr  = NULL;	/* from which we derive notbefore */
 static isc_stdtime_t notbefore = 0;	/* restrict sig inception times */
 static dns_rdata_rrsig_t oldestsig;	/* for recording inception time */
@@ -116,7 +129,7 @@ static int nkey; /* number of child zone DNSKEY records */
 typedef struct keyinfo {
 	dns_rdata_t rdata;
 	dst_key_t *dst;
-	dns_secalg_t algo;
+	uint8_t algo;
 	dns_keytag_t tag;
 } keyinfo_t;
 
@@ -469,6 +482,7 @@ match_key_dsset(keyinfo_t *ki, dns_rdataset_t *dsset, strictness_t strictness)
 		dns_rdata_ds_t ds;
 		dns_rdata_t dsrdata = DNS_RDATA_INIT;
 		dns_rdata_t newdsrdata = DNS_RDATA_INIT;
+		dns_rdatatype_t keytype;
 		bool c;
 
 		dns_rdataset_current(dsset, &dsrdata);
@@ -479,8 +493,12 @@ match_key_dsset(keyinfo_t *ki, dns_rdataset_t *dsset, strictness_t strictness)
 			continue;
 		}
 
+		/* allow for both DNSKEY and CDNSKEY */
+		keytype = ki->rdata.type;
+		ki->rdata.type = dns_rdatatype_dnskey;
 		result = dns_ds_buildrdata(name, &ki->rdata, ds.digest_type,
 					   dsbuf, &newdsrdata);
+		ki->rdata.type = keytype;
 		if (result != ISC_R_SUCCESS) {
 			vbprintf(3, "dns_ds_buildrdata("
 				 "keytag=%d, algo=%d, digest=%d): %s\n",
@@ -555,7 +573,7 @@ match_keyset_dsset(dns_rdataset_t *keyset, dns_rdataset_t *dsset,
 		ki->algo = dnskey.algorithm;
 
 		dns_rdata_toregion(keyrdata, &r);
-		ki->tag = dst_region_computeid(&r);
+		ki->tag = dst_region_computeid(&r, ki->algo);
 
 		ki->dst = NULL;
 		if (!match_key_dsset(ki, dsset, strictness)) {
@@ -601,12 +619,12 @@ free_keytable(keyinfo_t **keytable_p) {
  * otherwise the key algorithm. This is used by the signature coverage
  * check functions below.
  */
-static dns_secalg_t *
+static uint8_t *
 matching_sigs(keyinfo_t *keytbl, dns_rdataset_t *rdataset,
 	      dns_rdataset_t *sigset)
 {
 	isc_result_t result;
-	dns_secalg_t *algo;
+	uint8_t *algo;
 	int i;
 
 	algo = isc_mem_get(mctx, nkey);
@@ -689,7 +707,7 @@ matching_sigs(keyinfo_t *keytbl, dns_rdataset_t *rdataset,
  * fetched from the child zone, any working signature is enough.
  */
 static bool
-signed_loose(dns_secalg_t *algo) {
+signed_loose(uint8_t *algo) {
 	bool ok = false;
 	int i;
 	for (i = 0; i < nkey; i++) {
@@ -708,7 +726,7 @@ signed_loose(dns_secalg_t *algo) {
  * RRset.
  */
 static bool
-signed_strict(dns_rdataset_t *dsset, dns_secalg_t *algo) {
+signed_strict(dns_rdataset_t *dsset, uint8_t *algo) {
 	isc_result_t result;
 	bool all_ok = true;
 
@@ -808,6 +826,7 @@ ds_from_cdnskey(dns_rdatalist_t *dslist, isc_buffer_t *buf,
 				return (ISC_R_NOSPACE);
 			}
 
+			cdnskey->type = dns_rdatatype_dnskey;
 			rdata = rdata_get();
 			result = dns_ds_buildrdata(name, cdnskey, dtype[i],
 						   r.base, rdata);
@@ -825,6 +844,34 @@ ds_from_cdnskey(dns_rdatalist_t *dslist, isc_buffer_t *buf,
 	return (ISC_R_SUCCESS);
 }
 
+/*
+ * For sorting the digest types so that DS records generated
+ * from CDNSKEY records are in canonical order.
+ */
+static int
+cmp_dtype(const void *ap, const void *bp) {
+	int a = *(const uint8_t *)ap;
+	int b = *(const uint8_t *)bp;
+	return (a - b);
+}
+
+static void
+add_dtype(const char *dn) {
+	uint8_t dt;
+	unsigned i, n;
+
+	dt = strtodsdigest(dn);
+	n = sizeof(dtype)/sizeof(dtype[0]);
+	for (i = 0; i < n; i++) {
+		if (dtype[i] == 0 || dtype[i] == dt) {
+			dtype[i] = dt;
+			qsort(dtype, i+1, 1, cmp_dtype);
+			return;
+		}
+	}
+	fatal("too many -a digest type arguments");
+}
+
 static void
 make_new_ds_set(ds_maker_func_t *ds_from_rdata,
 		uint32_t ttl, dns_rdataset_t *rdset)
@@ -895,7 +942,7 @@ consistent_digests(dns_rdataset_t *dsset) {
 	dns_rdata_t *arrdata;
 	dns_rdata_ds_t *ds;
 	dns_keytag_t key_tag;
-	dns_secalg_t algorithm;
+	uint8_t algorithm;
 	bool match;
 	int i, j, n, d;
 
@@ -1113,7 +1160,7 @@ main(int argc, char *argv[]) {
 	while ((ch = isc_commandline_parse(argc, argv, OPTIONS)) != -1) {
 		switch (ch) {
 		case 'a':
-			add_dtype(strtodsdigest(isc_commandline_argument));
+			add_dtype(isc_commandline_argument);
 			break;
 		case 'c':
 			rdclass = strtoclass(isc_commandline_argument);

bin/dnssec/dnssec-cds.docbook

@@ -40,7 +40,6 @@
     <copyright>
       <year>2017</year>
       <year>2018</year>
-      <year>2019</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
@@ -144,9 +143,9 @@
 	    record. This option has no effect when using CDS records.
           </para>
           <para>
-	    The <replaceable>algorithm</replaceable> must be one of
-	    SHA-1, SHA-256, or SHA-384.  These values are case insensitive,
-	    and the hyphen may be omitted.  If no algorithm is specified,
+	    The <replaceable>algorithm</replaceable> must be one of SHA-1
+	    (SHA1), SHA-256 (SHA256), or SHA-384 (SHA384). These
+	    values are case insensitive. If no algorithm is specified,
 	    the default is SHA-256.
           </para>
         </listitem>

bin/dnssec/dnssec-cds.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2017-2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2017, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -129,9 +129,9 @@
 	    record. This option has no effect when using CDS records.
           </p>
           <p>
-	    The <em class="replaceable"><code>algorithm</code></em> must be one of
-	    SHA-1, SHA-256, or SHA-384.  These values are case insensitive,
-	    and the hyphen may be omitted.  If no algorithm is specified,
+	    The <em class="replaceable"><code>algorithm</code></em> must be one of SHA-1
+	    (SHA1), SHA-256 (SHA256), or SHA-384 (SHA384). These
+	    values are case insensitive. If no algorithm is specified,
 	    the default is SHA-256.
           </p>
         </dd>

bin/dnssec/dnssec-dsfromkey.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2008-2012, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2008-2012, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,12 +10,12 @@
 .\"     Title: dnssec-dsfromkey
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\"      Date: 2019-05-08
+.\"      Date: 2012-05-02
 .\"    Manual: BIND9
 .\"    Source: ISC
 .\"  Language: English
 .\"
-.TH "DNSSEC\-DSFROMKEY" "8" "2019\-05\-08" "ISC" "BIND9"
+.TH "DNSSEC\-DSFROMKEY" "8" "2012\-05\-02" "ISC" "BIND9"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -39,103 +39,61 @@
 dnssec-dsfromkey \- DNSSEC DS RR generation tool
 .SH "SYNOPSIS"
 .HP \w'\fBdnssec\-dsfromkey\fR\ 'u
-\fBdnssec\-dsfromkey\fR [\fB\-1\fR | \fB\-2\fR | \fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR | \fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] {keyfile}
+\fBdnssec\-dsfromkey\fR [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] {keyfile}
 .HP \w'\fBdnssec\-dsfromkey\fR\ 'u
-\fBdnssec\-dsfromkey\fR [\fB\-1\fR | \fB\-2\fR | \fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR | \fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-A\fR] {\fB\-f\ \fR\fB\fIfile\fR\fR} [dnsname]
+\fBdnssec\-dsfromkey\fR {\-s} [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-s\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-f\ \fR\fB\fIfile\fR\fR] [\fB\-A\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {dnsname}
 .HP \w'\fBdnssec\-dsfromkey\fR\ 'u
-\fBdnssec\-dsfromkey\fR [\fB\-1\fR | \fB\-2\fR | \fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR | \fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] {\-s} {dnsname}
-.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
-\fBdnssec\-dsfromkey\fR [\fB\-h\fR | \fB\-V\fR]
+\fBdnssec\-dsfromkey\fR [\fB\-h\fR] [\fB\-V\fR]
 .SH "DESCRIPTION"
 .PP
-The
 \fBdnssec\-dsfromkey\fR
-command outputs DS (Delegation Signer) resource records (RRs) and other similarly\-constructed RRs: with the
-\fB\-l\fR
-option it outputs DLV (DNSSEC Lookaside Validation) RRs; or with the
-\fB\-C\fR
-it outputs CDS (Child DS) RRs\&.
-.PP
-The input keys can be specified in a number of ways:
-.PP
-By default,
-\fBdnssec\-dsfromkey\fR
-reads a key file named like
-Knnnn\&.+aaa+iiiii\&.key, as generated by
-\fBdnssec\-keygen\fR\&.
-.PP
-With the
-\fB\-f \fR\fB\fIfile\fR\fR
-option,
-\fBdnssec\-dsfromkey\fR
-reads keys from a zone file or partial zone file (which can contain just the DNSKEY records)\&.
-.PP
-With the
-\fB\-s\fR
-option,
-\fBdnssec\-dsfromkey\fR
-reads a
-keyset\-
-file, as generated by
-\fBdnssec\-keygen\fR\fB\-C\fR\&.
+outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s)\&.
 .SH "OPTIONS"
 .PP
 \-1
 .RS 4
-An abbreviation for
-\fB\-a SHA\-1\fR\&. (Note: The SHA\-1 algorithm is no longer recommended for use when generating new DS and CDS records\&.)
+Use SHA\-1 as the digest algorithm (the default is to use both SHA\-1 and SHA\-256)\&.
 .RE
 .PP
 \-2
 .RS 4
-An abbreviation for
-\fB\-a SHA\-256\fR\&.
+Use SHA\-256 as the digest algorithm\&.
 .RE
 .PP
 \-a \fIalgorithm\fR
 .RS 4
-Specify a digest algorithm to use when converting DNSKEY records to DS records\&. This option can be repeated, so that multiple DS records are created for each DNSKEY record\&.
-.sp
-The
-\fIalgorithm\fR
-must be one of SHA\-1, SHA\-256, or SHA\-384\&. These values are case insensitive, and the hyphen may be omitted\&. If no algorithm is specified, the default is SHA\-256\&. (Note: The SHA\-1 algorithm is no longer recommended for use when generating new DS and CDS records\&.)
-.RE
-.PP
-\-A
-.RS 4
-Include ZSKs when generating DS records\&. Without this option, only keys which have the KSK flag set will be converted to DS records and printed\&. Useful only in
-\fB\-f\fR
-zone file mode\&.
-.RE
-.PP
-\-c \fIclass\fR
-.RS 4
-Specifies the DNS class (default is IN)\&. Useful only in
-\fB\-s\fR
-keyset or
-\fB\-f\fR
-zone file mode\&.
+Select the digest algorithm\&. The value of
+\fBalgorithm\fR
+must be one of SHA\-1 (SHA1), SHA\-256 (SHA256) or SHA\-384 (SHA384)\&. These values are case insensitive\&.
 .RE
 .PP
 \-C
 .RS 4
-Generate CDS records rather than DS records\&. This is mutually exclusive with the
-\fB\-l\fR
-option for generating DLV records\&.
+Generate CDS records rather than DS records\&. This is mutually exclusive with generating lookaside records\&.
+.RE
+.PP
+\-T \fITTL\fR
+.RS 4
+Specifies the TTL of the DS records\&.
+.RE
+.PP
+\-K \fIdirectory\fR
+.RS 4
+Look for key files (or, in keyset mode,
+keyset\-
+files) in
+\fBdirectory\fR\&.
 .RE
 .PP
 \-f \fIfile\fR
 .RS 4
-Zone file mode:
-\fBdnssec\-dsfromkey\fR\*(Aqs final
-\fIdnsname\fR
-argument is the DNS domain name of a zone whose master file can be read from
+Zone file mode: in place of the keyfile name, the argument is the DNS domain name of a zone master file, which can be read from
 \fBfile\fR\&. If the zone name is the same as
 \fBfile\fR, then it may be omitted\&.
 .sp
 If
-\fIfile\fR
-is
+\fBfile\fR
+is set to
 "\-", then the zone data is read from the standard input\&. This makes it possible to use the output of the
 \fBdig\fR
 command as input, as in:
@@ -143,41 +101,26 @@ command as input, as in:
 \fBdig dnskey example\&.com | dnssec\-dsfromkey \-f \- example\&.com\fR
 .RE
 .PP
-\-h
+\-A
 .RS 4
-Prints usage information\&.
-.RE
-.PP
-\-K \fIdirectory\fR
-.RS 4
-Look for key files or
-keyset\-
-files in
-\fBdirectory\fR\&.
+Include ZSKs when generating DS records\&. Without this option, only keys which have the KSK flag set will be converted to DS records and printed\&. Useful only in zone file mode\&.
 .RE
 .PP
 \-l \fIdomain\fR
 .RS 4
 Generate a DLV set instead of a DS set\&. The specified
-\fIdomain\fR
-is appended to the name for each record in the set\&. This is mutually exclusive with the
-\fB\-C\fR
-option for generating CDS records\&.
+\fBdomain\fR
+is appended to the name for each record in the set\&. The DNSSEC Lookaside Validation (DLV) RR is described in RFC 4431\&. This is mutually exclusive with generating CDS records\&.
 .RE
 .PP
 \-s
 .RS 4
-Keyset mode:
-\fBdnssec\-dsfromkey\fR\*(Aqs final
-\fIdnsname\fR
-argument is the DNS domain name used to locate a
-keyset\-
-file\&.
+Keyset mode: in place of the keyfile name, the argument is the DNS domain name of a keyset file\&.
 .RE
 .PP
-\-T \fITTL\fR
+\-c \fIclass\fR
 .RS 4
-Specifies the TTL of the DS records\&. By default the TTL is omitted\&.
+Specifies the DNS class (default is IN)\&. Useful only in keyset or zone file mode\&.
 .RE
 .PP
 \-v \fIlevel\fR
@@ -185,6 +128,11 @@ Specifies the TTL of the DS records\&. By default the TTL is omitted\&.
 Sets the debugging level\&.
 .RE
 .PP
+\-h
+.RS 4
+Prints usage information\&.
+.RE
+.PP
 \-V
 .RS 4
 Prints version information\&.
@@ -193,16 +141,16 @@ Prints version information\&.
 .PP
 To build the SHA\-256 DS RR from the
 \fBKexample\&.com\&.+003+26160\fR
-keyfile name, you can issue the following command:
+keyfile name, the following command would be issued:
 .PP
 \fBdnssec\-dsfromkey \-2 Kexample\&.com\&.+003+26160\fR
 .PP
 The command would print something like:
 .PP
-\fBexample\&.com\&. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94\fR
+\fBexample\&.com\&. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94\fR
 .SH "FILES"
 .PP
-The keyfile can be designated by the key identification
+The keyfile can be designed by the key identification
 Knnnn\&.+aaa+iiiii
 or the full file name
 Knnnn\&.+aaa+iiiii\&.key
@@ -222,20 +170,13 @@ A keyfile error can give a "file not found" even if the file exists\&.
 \fBdnssec-keygen\fR(8),
 \fBdnssec-signzone\fR(8),
 BIND 9 Administrator Reference Manual,
-RFC 3658
-(DS RRs),
-RFC 4431
-(DLV RRs),
-RFC 4509
-(SHA\-256 for DS RRs),
-RFC 6605
-(SHA\-384 for DS RRs),
-RFC 7344
-(CDS and CDNSKEY RRs)\&.
+RFC 3658,
+RFC 4431\&.
+RFC 4509\&.
 .SH "AUTHOR"
 .PP
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2008-2012, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2008-2012, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dnssec/dnssec-dsfromkey.c

@@ -11,6 +11,8 @@
 
 /*! \file */
 
+#include <config.h>
+
 #include <inttypes.h>
 #include <stdbool.h>
 #include <stdlib.h>
@@ -47,7 +49,12 @@
 
 #include "dnssectool.h"
 
+#ifndef PATH_MAX
+#define PATH_MAX 1024   /* WIN32, and others don't define this. */
+#endif
+
 const char *program = "dnssec-dsfromkey";
+int verbose;
 
 static dns_rdataclass_t rdclass;
 static dns_fixedname_t	fixed;
@@ -228,7 +235,7 @@ logkey(dns_rdata_t *rdata)
 }
 
 static void
-emit(dns_dsdigest_t dt, bool showall, char *lookaside,
+emit(unsigned int dtype, bool showall, char *lookaside,
      bool cds, dns_rdata_t *rdata)
 {
 	isc_result_t result;
@@ -254,7 +261,7 @@ emit(dns_dsdigest_t dt, bool showall, char *lookaside,
 	if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0 && !showall)
 		return;
 
-	result = dns_ds_buildrdata(name, rdata, dt, buf, &ds);
+	result = dns_ds_buildrdata(name, rdata, dtype, buf, &ds);
 	if (result != ISC_R_SUCCESS)
 		fatal("can't build record");
 
@@ -305,45 +312,36 @@ emit(dns_dsdigest_t dt, bool showall, char *lookaside,
 	printf("%.*s\n", (int)r.length, r.base);
 }
 
-static void
-emits(bool showall, char *lookaside, bool cds, dns_rdata_t *rdata) {
-	unsigned i, n;
-
-	n = sizeof(dtype)/sizeof(dtype[0]);
-	for (i = 0; i < n; i++) {
-		if (dtype[i] != 0) {
-			emit(dtype[i], showall, lookaside, cds, rdata);
-		}
-	}
-}
-
 ISC_PLATFORM_NORETURN_PRE static void
 usage(void) ISC_PLATFORM_NORETURN_POST;
 
 static void
 usage(void) {
 	fprintf(stderr, "Usage:\n");
-	fprintf(stderr,	"    %s [options] keyfile\n\n", program);
-	fprintf(stderr, "    %s [options] -f zonefile [zonename]\n\n", program);
-	fprintf(stderr, "    %s [options] -s dnsname\n\n", program);
-	fprintf(stderr, "    %s [-h|-V]\n\n", program);
+	fprintf(stderr,	"    %s options [-K dir] keyfile\n\n", program);
+	fprintf(stderr, "    %s options [-K dir] [-c class] -s dnsname\n\n",
+		program);
+	fprintf(stderr, "    %s options -f zonefile (as zone name)\n\n", program);
+	fprintf(stderr, "    %s options -f zonefile zonename\n\n", program);
 	fprintf(stderr, "Version: %s\n", VERSION);
-	fprintf(stderr, "Options:\n"
-"    -1: digest algorithm SHA-1\n"
-"    -2: digest algorithm SHA-256\n"
-"    -a algorithm: digest algorithm (SHA-1, SHA-256 or SHA-384)\n"
-"    -A: include all keys in DS set, not just KSKs (-f only)\n"
-"    -c class: rdata class for DS set (default IN) (-f or -s only)\n"
-"    -C: print CDS records\n"
-"    -f zonefile: read keys from a zone file\n"
-"    -h: print help information\n"
-"    -K directory: where to find key or keyset files\n"
-"    -l zone: print DLV records in the given lookaside zone\n"
-"    -s: read keys from keyset-<dnsname> file\n"
-"    -T: TTL of output records (omitted by default)\n"
-"    -v level: verbosity\n"
-"    -V: print version information\n");
-	fprintf(stderr, "Output: DS, DLV, or CDS RRs\n");
+	fprintf(stderr, "Options:\n");
+	fprintf(stderr, "    -v <verbose level>\n");
+	fprintf(stderr, "    -V: print version information\n");
+	fprintf(stderr, "    -K <directory>: directory in which to find "
+			"key file or keyset file\n");
+	fprintf(stderr, "    -a algorithm: digest algorithm "
+			"(SHA-1, SHA-256, GOST or SHA-384)\n");
+	fprintf(stderr, "    -1: use SHA-1\n");
+	fprintf(stderr, "    -2: use SHA-256\n");
+	fprintf(stderr, "    -C: print CDS record\n");
+	fprintf(stderr, "    -l: add lookaside zone and print DLV records\n");
+	fprintf(stderr, "    -s: read keyset from keyset-<dnsname> file\n");
+	fprintf(stderr, "    -c class: rdata class for DS set (default: IN)\n");
+	fprintf(stderr, "    -T TTL\n");
+	fprintf(stderr, "    -f file: read keyset from zone file\n");
+	fprintf(stderr, "    -A: when used with -f, "
+			"include all keys in DS set, not just KSKs\n");
+	fprintf(stderr, "Output: DS or DLV RRs\n");
 
 	exit (-1);
 }
@@ -355,9 +353,11 @@ main(int argc, char **argv) {
 	char		*lookaside = NULL;
 	char		*endp;
 	int		ch;
-	bool		cds = false;
-	bool		usekeyset = false;
-	bool		showall = false;
+	unsigned int	dtype = DNS_DSDIGEST_SHA1;
+	bool	cds = false;
+	bool	both = true;
+	bool	usekeyset = false;
+	bool	showall = false;
 	isc_result_t	result;
 	isc_log_t	*log = NULL;
 	dns_rdataset_t	rdataset;
@@ -365,14 +365,12 @@ main(int argc, char **argv) {
 
 	dns_rdata_init(&rdata);
 
-	if (argc == 1) {
+	if (argc == 1)
 		usage();
-	}
 
 	result = isc_mem_create(0, 0, &mctx);
-	if (result != ISC_R_SUCCESS) {
+	if (result != ISC_R_SUCCESS)
 		fatal("out of memory");
-	}
 
 #if USE_PKCS11
 	pk11_result_register();
@@ -385,16 +383,19 @@ main(int argc, char **argv) {
 	while ((ch = isc_commandline_parse(argc, argv, OPTIONS)) != -1) {
 		switch (ch) {
 		case '1':
-			add_dtype(DNS_DSDIGEST_SHA1);
+			dtype = DNS_DSDIGEST_SHA1;
+			both = false;
 			break;
 		case '2':
-			add_dtype(DNS_DSDIGEST_SHA256);
+			dtype = DNS_DSDIGEST_SHA256;
+			both = false;
 			break;
 		case 'A':
 			showall = true;
 			break;
 		case 'a':
-			add_dtype(strtodsdigest(isc_commandline_argument));
+			dtype = strtodsdigest(isc_commandline_argument);
+			both = false;
 			break;
 		case 'C':
 			if (lookaside != NULL)
@@ -462,32 +463,22 @@ main(int argc, char **argv) {
 
 	rdclass = strtoclass(classname);
 
-	if (usekeyset && filename != NULL) {
+	if (usekeyset && filename != NULL)
 		fatal("cannot use both -s and -f");
-	}
 
 	/* When not using -f, -A is implicit */
-	if (filename == NULL) {
+	if (filename == NULL)
 		showall = true;
-	}
 
-	/* Default digest type if none specified. */
-	if (dtype[0] == 0) {
-		dtype[0] = DNS_DSDIGEST_SHA256;
-	}
-
-	if (argc < isc_commandline_index + 1 && filename == NULL) {
+	if (argc < isc_commandline_index + 1 && filename == NULL)
 		fatal("the key file name was not specified");
-	}
-	if (argc > isc_commandline_index + 1) {
+	if (argc > isc_commandline_index + 1)
 		fatal("extraneous arguments");
-	}
 
 	result = dst_lib_init(mctx, NULL);
-	if (result != ISC_R_SUCCESS) {
+	if (result != ISC_R_SUCCESS)
 		fatal("could not initialize dst: %s",
 		      isc_result_totext(result));
-	}
 
 	setup_logging(mctx, &log);
 
@@ -497,38 +488,38 @@ main(int argc, char **argv) {
 		if (argc < isc_commandline_index + 1 && filename != NULL) {
 			/* using zone name as the zone file name */
 			namestr = filename;
-		} else {
+		} else
 			namestr = argv[isc_commandline_index];
-		}
 
 		result = initname(namestr);
-		if (result != ISC_R_SUCCESS) {
+		if (result != ISC_R_SUCCESS)
 			fatal("could not initialize name %s", namestr);
-		}
 
-		if (usekeyset) {
+		if (usekeyset)
 			result = loadkeyset(dir, &rdataset);
-		} else {
+		else
 			result = loadset(filename, &rdataset);
-		}
 
-		if (result != ISC_R_SUCCESS) {
+		if (result != ISC_R_SUCCESS)
 			fatal("could not load DNSKEY set: %s\n",
 			      isc_result_totext(result));
-		}
 
 		for (result = dns_rdataset_first(&rdataset);
 		     result == ISC_R_SUCCESS;
-		     result = dns_rdataset_next(&rdataset))
-		{
+		     result = dns_rdataset_next(&rdataset)) {
 			dns_rdata_init(&rdata);
 			dns_rdataset_current(&rdataset, &rdata);
 
-			if (verbose > 2) {
+			if (verbose > 2)
 				logkey(&rdata);
-			}
 
-			emits(showall, lookaside, cds, &rdata);
+			if (both) {
+				emit(DNS_DSDIGEST_SHA1, showall, lookaside,
+				     cds, &rdata);
+				emit(DNS_DSDIGEST_SHA256, showall, lookaside,
+				     cds, &rdata);
+			} else
+				emit(dtype, showall, lookaside, cds, &rdata);
 		}
 	} else {
 		unsigned char key_buf[DST_KEY_MAXSIZE];
@@ -536,25 +527,28 @@ main(int argc, char **argv) {
 		loadkey(argv[isc_commandline_index], key_buf,
 			DST_KEY_MAXSIZE, &rdata);
 
-		emits(showall, lookaside, cds, &rdata);
+		if (both) {
+			emit(DNS_DSDIGEST_SHA1, showall, lookaside, cds,
+			     &rdata);
+			emit(DNS_DSDIGEST_SHA256, showall, lookaside, cds,
+			     &rdata);
+		} else
+			emit(dtype, showall, lookaside, cds, &rdata);
 	}
 
-	if (dns_rdataset_isassociated(&rdataset)) {
+	if (dns_rdataset_isassociated(&rdataset))
 		dns_rdataset_disassociate(&rdataset);
-	}
 	cleanup_logging(&log);
 	dst_lib_destroy();
 	dns_name_destroy();
-	if (verbose > 10) {
+	if (verbose > 10)
 		isc_mem_stats(mctx, stdout);
-	}
 	isc_mem_destroy(&mctx);
 
 	fflush(stdout);
 	if (ferror(stdout)) {
 		fprintf(stderr, "write error\n");
 		return (1);
-	} else {
+	} else
 		return (0);
-	}
 }

bin/dnssec/dnssec-dsfromkey.docbook

@@ -12,7 +12,7 @@
 <!-- Converted by db4-upgrade version 1.0 -->
 <refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-dsfromkey">
   <info>
-    <date>2019-05-08</date>
+    <date>2012-05-02</date>
   </info>
   <refentryinfo>
     <corpname>ISC</corpname>
@@ -41,7 +41,6 @@
       <year>2015</year>
       <year>2016</year>
       <year>2018</year>
-      <year>2019</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
@@ -49,110 +48,56 @@
   <refsynopsisdiv>
     <cmdsynopsis sepchar=" ">
       <command>dnssec-dsfromkey</command>
-      <group choice="opt">
-	<arg choice="plain"><option>-1</option></arg>
-	<arg choice="plain"><option>-2</option></arg>
-	<arg choice="plain"><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
-      </group>
-      <group>
-	<arg choice="plain" rep="norepeat"><option>-C</option></arg>
-	<arg choice="plain" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
-      </group>
-      <arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-1</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-2</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-C</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
       <arg choice="req" rep="norepeat">keyfile</arg>
     </cmdsynopsis>
     <cmdsynopsis sepchar=" ">
       <command>dnssec-dsfromkey</command>
-      <group choice="opt">
-	<arg choice="plain"><option>-1</option></arg>
-	<arg choice="plain"><option>-2</option></arg>
-	<arg choice="plain"><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
-      </group>
-      <group>
-	<arg choice="plain" rep="norepeat"><option>-C</option></arg>
-	<arg choice="plain" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
-      </group>
-      <arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-A</option></arg>
-      <arg choice="req" rep="norepeat"><option>-f <replaceable class="parameter">file</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat">dnsname</arg>
-    </cmdsynopsis>
-    <cmdsynopsis sepchar=" ">
-      <command>dnssec-dsfromkey</command>
-      <group choice="opt">
-	<arg choice="plain"><option>-1</option></arg>
-	<arg choice="plain"><option>-2</option></arg>
-	<arg choice="plain"><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
-      </group>
-      <group>
-	<arg choice="plain" rep="norepeat"><option>-C</option></arg>
-	<arg choice="plain" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
-      </group>
-      <arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
       <arg choice="req" rep="norepeat">-s</arg>
+      <arg choice="opt" rep="norepeat"><option>-1</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-2</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-s</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">file</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-A</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
       <arg choice="req" rep="norepeat">dnsname</arg>
-    </cmdsynopsis>
+   </cmdsynopsis>
     <cmdsynopsis sepchar=" ">
       <command>dnssec-dsfromkey</command>
-      <group choice="opt">
-	<arg choice="plain" rep="norepeat"><option>-h</option></arg>
-	<arg choice="plain" rep="norepeat"><option>-V</option></arg>
-      </group>
-    </cmdsynopsis>
+      <arg choice="opt" rep="norepeat"><option>-h</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-V</option></arg>
+   </cmdsynopsis>
   </refsynopsisdiv>
 
   <refsection><info><title>DESCRIPTION</title></info>
 
-    <para>
-      The <command>dnssec-dsfromkey</command> command outputs DS (Delegation
-      Signer) resource records (RRs) and other similarly-constructed RRs:
-      with the <option>-l</option> option it outputs DLV (DNSSEC Lookaside
-      Validation) RRs; or with the <option>-C</option> it outputs CDS (Child
-      DS) RRs.
+    <para><command>dnssec-dsfromkey</command>
+      outputs the Delegation Signer (DS) resource record (RR), as defined in
+      RFC 3658 and RFC 4509, for the given key(s).
     </para>
-
-    <para>
-      The input keys can be specified in a number of ways:
-    </para>
-
-    <para>
-      By default, <command>dnssec-dsfromkey</command> reads a key file
-      named like <filename>Knnnn.+aaa+iiiii.key</filename>, as generated
-      by <command>dnssec-keygen</command>.
-    </para>
-
-    <para>
-      With the <option>-f <replaceable>file</replaceable></option>
-      option, <command>dnssec-dsfromkey</command> reads keys from a zone file
-      or partial zone file (which can contain just the DNSKEY records).
-    </para>
-
-    <para>
-      With the <option>-s</option>
-      option, <command>dnssec-dsfromkey</command> reads
-      a <filename>keyset-</filename> file, as generated
-      by <command>dnssec-keygen</command> <option>-C</option>.
-    </para>
-
   </refsection>
 
   <refsection><info><title>OPTIONS</title></info>
 
+
     <variablelist>
       <varlistentry>
 	<term>-1</term>
 	<listitem>
 	  <para>
-	    An abbreviation for <option>-a SHA-1</option>.
-	    (Note: The SHA-1 algorithm is no longer recommended for use
-	    when generating new DS and CDS records.)
+	    Use SHA-1 as the digest algorithm (the default is to use
+	    both SHA-1 and SHA-256).
 	  </para>
 	</listitem>
       </varlistentry>
@@ -161,7 +106,7 @@
 	<term>-2</term>
 	<listitem>
 	  <para>
-	    An abbreviation for <option>-a SHA-256</option>.
+	    Use SHA-256 as the digest algorithm.
 	  </para>
 	</listitem>
       </varlistentry>
@@ -170,51 +115,40 @@
 	<term>-a <replaceable class="parameter">algorithm</replaceable></term>
 	<listitem>
 	  <para>
-	    Specify a digest algorithm to use when converting DNSKEY
-	    records to DS records. This option can be repeated, so
-	    that multiple DS records are created for each DNSKEY
-	    record.
-          </para>
-          <para>
-	    The <replaceable>algorithm</replaceable> must be one of
-	    SHA-1, SHA-256, or SHA-384.  These values are case insensitive,
-	    and the hyphen may be omitted.  If no algorithm is specified,
-	    the default is SHA-256.
-	    (Note: The SHA-1 algorithm is no longer recommended for use
-	    when generating new DS and CDS records.)
+	    Select the digest algorithm. The value of
+	    <option>algorithm</option> must be one of SHA-1 (SHA1),
+	    SHA-256 (SHA256) or SHA-384 (SHA384).
+	    These values are case insensitive.
 	  </para>
 	</listitem>
       </varlistentry>
 
-      <varlistentry>
-        <term>-A</term>
-        <listitem>
-          <para>
-            Include ZSKs when generating DS records. Without this option, only
-            keys which have the KSK flag set will be converted to DS records
-            and printed. Useful only in <option>-f</option> zone file mode.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-c <replaceable class="parameter">class</replaceable></term>
-	<listitem>
-	  <para>
-	    Specifies the DNS class (default is IN). Useful only
-	    in <option>-s</option> keyset or <option>-f</option>
-	    zone file mode.
-	  </para>
-	  </listitem>
-      </varlistentry>
-
       <varlistentry>
 	<term>-C</term>
 	<listitem>
 	  <para>
-	    Generate CDS records rather than DS records. This is mutually
-	    exclusive with the <option>-l</option> option for generating DLV
-	    records.
+	    Generate CDS records rather than DS records.  This is mutually
+	    exclusive with generating lookaside records.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-T <replaceable class="parameter">TTL</replaceable></term>
+	<listitem>
+	  <para>
+	    Specifies the TTL of the DS records.
+	  </para>
+	  </listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-K <replaceable class="parameter">directory</replaceable></term>
+	<listitem>
+	  <para>
+	    Look for key files (or, in keyset mode,
+	    <filename>keyset-</filename> files) in
+	    <option>directory</option>.
 	  </para>
 	</listitem>
       </varlistentry>
@@ -223,14 +157,13 @@
 	<term>-f <replaceable class="parameter">file</replaceable></term>
 	<listitem>
 	  <para>
-	    Zone file mode: <command>dnssec-dsfromkey</command>'s
-	    final <replaceable>dnsname</replaceable> argument is
-	    the DNS domain name of a zone whose master file can be read
+	    Zone file mode: in place of the keyfile name, the argument is
+	    the DNS domain name of a zone master file, which can be read
 	    from <option>file</option>.  If the zone name is the same as
 	    <option>file</option>, then it may be omitted.
 	  </para>
 	  <para>
-	    If <replaceable>file</replaceable> is <literal>"-"</literal>, then
+	    If <option>file</option> is set to <literal>"-"</literal>, then
 	    the zone data is read from the standard input.  This makes it
 	    possible to use the output of the <command>dig</command>
 	    command as input, as in:
@@ -242,33 +175,26 @@
       </varlistentry>
 
       <varlistentry>
-	<term>-h</term>
-	<listitem>
-	  <para>
-	    Prints usage information.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-K <replaceable class="parameter">directory</replaceable></term>
-	<listitem>
-	  <para>
-	    Look for key files or <filename>keyset-</filename> files in
-	    <option>directory</option>.
-	  </para>
-	</listitem>
+        <term>-A</term>
+        <listitem>
+          <para>
+            Include ZSKs when generating DS records.  Without this option,
+            only keys which have the KSK flag set will be converted to DS
+            records and printed.  Useful only in zone file mode.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
 	<term>-l <replaceable class="parameter">domain</replaceable></term>
 	<listitem>
 	  <para>
-	    Generate a DLV set instead of a DS set. The specified
-	    <replaceable>domain</replaceable> is appended to the name for each
+	    Generate a DLV set instead of a DS set.  The specified
+	    <option>domain</option> is appended to the name for each
 	    record in the set.
-	    This is mutually exclusive with the <option>-C</option> option
-	    for generating CDS records.
+	    The DNSSEC Lookaside Validation (DLV) RR is described
+	    in RFC 4431.  This is mutually exclusive with generating
+	    CDS records.
 	  </para>
 	</listitem>
       </varlistentry>
@@ -277,18 +203,18 @@
 	<term>-s</term>
 	<listitem>
 	  <para>
-	    Keyset mode: <command>dnssec-dsfromkey</command>'s
-	    final <replaceable>dnsname</replaceable> argument is the DNS
-	    domain name used to locate a <filename>keyset-</filename> file.
+	    Keyset mode: in place of the keyfile name, the argument is
+	    the DNS domain name of a keyset file.
 	  </para>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
-	<term>-T <replaceable class="parameter">TTL</replaceable></term>
+	<term>-c <replaceable class="parameter">class</replaceable></term>
 	<listitem>
 	  <para>
-	    Specifies the TTL of the DS records. By default the TTL is omitted.
+	    Specifies the DNS class (default is IN).  Useful only
+	    in keyset or zone file mode.
 	  </para>
 	  </listitem>
       </varlistentry>
@@ -302,6 +228,15 @@
 	</listitem>
       </varlistentry>
 
+      <varlistentry>
+	<term>-h</term>
+	<listitem>
+	  <para>
+	    Prints usage information.
+	  </para>
+	</listitem>
+      </varlistentry>
+
       <varlistentry>
 	<term>-V</term>
 	<listitem>
@@ -318,22 +253,21 @@
     <para>
       To build the SHA-256 DS RR from the
       <userinput>Kexample.com.+003+26160</userinput>
-      keyfile name, you can issue the following command:
+      keyfile name, the following command would be issued:
     </para>
     <para><userinput>dnssec-dsfromkey -2 Kexample.com.+003+26160</userinput>
     </para>
     <para>
       The command would print something like:
     </para>
-    <para><userinput>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94</userinput>
+    <para><userinput>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</userinput>
     </para>
-
   </refsection>
 
   <refsection><info><title>FILES</title></info>
 
     <para>
-      The keyfile can be designated by the key identification
+      The keyfile can be designed by the key identification
       <filename>Knnnn.+aaa+iiiii</filename> or the full file name
       <filename>Knnnn.+aaa+iiiii.key</filename> as generated by
       <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>.
@@ -361,11 +295,9 @@
 	<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
       </citerefentry>,
       <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
-      <citetitle>RFC 3658</citetitle> (DS RRs),
-      <citetitle>RFC 4431</citetitle> (DLV RRs),
-      <citetitle>RFC 4509</citetitle> (SHA-256 for DS RRs),
-      <citetitle>RFC 6605</citetitle> (SHA-384 for DS RRs),
-      <citetitle>RFC 7344</citetitle> (CDS and CDNSKEY RRs).
+      <citetitle>RFC 3658</citetitle>,
+      <citetitle>RFC 4431</citetitle>.
+      <citetitle>RFC 4509</citetitle>.
     </para>
   </refsection>
 

bin/dnssec/dnssec-dsfromkey.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2008-2012, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2008-2012, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -33,171 +33,105 @@
 <h2>Synopsis</h2>
     <div class="cmdsynopsis"><p>
       <code class="command">dnssec-dsfromkey</code> 
-       [
-	 <code class="option">-1</code> 
-	 |   <code class="option">-2</code> 
-	 |   <code class="option">-a <em class="replaceable"><code>alg</code></em></code> 
-      ]
-       [
-	 <code class="option">-C</code> 
-	 |   <code class="option">-l <em class="replaceable"><code>domain</code></em></code> 
-      ]
-       [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
        [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
-       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
+       [<code class="option">-1</code>]
+       [<code class="option">-2</code>]
+       [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>]
+       [<code class="option">-C</code>]
+       [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>]
+       [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
        {keyfile}
     </p></div>
     <div class="cmdsynopsis"><p>
       <code class="command">dnssec-dsfromkey</code> 
-       [
-	 <code class="option">-1</code> 
-	 |   <code class="option">-2</code> 
-	 |   <code class="option">-a <em class="replaceable"><code>alg</code></em></code> 
-      ]
-       [
-	 <code class="option">-C</code> 
-	 |   <code class="option">-l <em class="replaceable"><code>domain</code></em></code> 
-      ]
-       [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
-       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
-       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
-       [<code class="option">-A</code>]
-       {<code class="option">-f <em class="replaceable"><code>file</code></em></code>}
-       [dnsname]
-    </p></div>
-    <div class="cmdsynopsis"><p>
-      <code class="command">dnssec-dsfromkey</code> 
-       [
-	 <code class="option">-1</code> 
-	 |   <code class="option">-2</code> 
-	 |   <code class="option">-a <em class="replaceable"><code>alg</code></em></code> 
-      ]
-       [
-	 <code class="option">-C</code> 
-	 |   <code class="option">-l <em class="replaceable"><code>domain</code></em></code> 
-      ]
-       [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
-       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
-       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
-       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
        {-s}
+       [<code class="option">-1</code>]
+       [<code class="option">-2</code>]
+       [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>]
+       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
+       [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>]
+       [<code class="option">-s</code>]
+       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
+       [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
+       [<code class="option">-f <em class="replaceable"><code>file</code></em></code>]
+       [<code class="option">-A</code>]
+       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
        {dnsname}
-    </p></div>
+   </p></div>
     <div class="cmdsynopsis"><p>
       <code class="command">dnssec-dsfromkey</code> 
-       [
-	 <code class="option">-h</code> 
-	 |   <code class="option">-V</code> 
-      ]
-    </p></div>
+       [<code class="option">-h</code>]
+       [<code class="option">-V</code>]
+   </p></div>
   </div>
 
   <div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
 
-    <p>
-      The <span class="command"><strong>dnssec-dsfromkey</strong></span> command outputs DS (Delegation
-      Signer) resource records (RRs) and other similarly-constructed RRs:
-      with the <code class="option">-l</code> option it outputs DLV (DNSSEC Lookaside
-      Validation) RRs; or with the <code class="option">-C</code> it outputs CDS (Child
-      DS) RRs.
+    <p><span class="command"><strong>dnssec-dsfromkey</strong></span>
+      outputs the Delegation Signer (DS) resource record (RR), as defined in
+      RFC 3658 and RFC 4509, for the given key(s).
     </p>
-
-    <p>
-      The input keys can be specified in a number of ways:
-    </p>
-
-    <p>
-      By default, <span class="command"><strong>dnssec-dsfromkey</strong></span> reads a key file
-      named like <code class="filename">Knnnn.+aaa+iiiii.key</code>, as generated
-      by <span class="command"><strong>dnssec-keygen</strong></span>.
-    </p>
-
-    <p>
-      With the <code class="option">-f <em class="replaceable"><code>file</code></em></code>
-      option, <span class="command"><strong>dnssec-dsfromkey</strong></span> reads keys from a zone file
-      or partial zone file (which can contain just the DNSKEY records).
-    </p>
-
-    <p>
-      With the <code class="option">-s</code>
-      option, <span class="command"><strong>dnssec-dsfromkey</strong></span> reads
-      a <code class="filename">keyset-</code> file, as generated
-      by <span class="command"><strong>dnssec-keygen</strong></span> <code class="option">-C</code>.
-    </p>
-
   </div>
 
   <div class="refsection">
 <a name="id-1.8"></a><h2>OPTIONS</h2>
 
+
     <div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-1</span></dt>
 <dd>
 	  <p>
-	    An abbreviation for <code class="option">-a SHA-1</code>.
-	    (Note: The SHA-1 algorithm is no longer recommended for use
-	    when generating new DS and CDS records.)
+	    Use SHA-1 as the digest algorithm (the default is to use
+	    both SHA-1 and SHA-256).
 	  </p>
 	</dd>
 <dt><span class="term">-2</span></dt>
 <dd>
 	  <p>
-	    An abbreviation for <code class="option">-a SHA-256</code>.
+	    Use SHA-256 as the digest algorithm.
 	  </p>
 	</dd>
 <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 <dd>
 	  <p>
-	    Specify a digest algorithm to use when converting DNSKEY
-	    records to DS records. This option can be repeated, so
-	    that multiple DS records are created for each DNSKEY
-	    record.
-          </p>
-          <p>
-	    The <em class="replaceable"><code>algorithm</code></em> must be one of
-	    SHA-1, SHA-256, or SHA-384.  These values are case insensitive,
-	    and the hyphen may be omitted.  If no algorithm is specified,
-	    the default is SHA-256.
-	    (Note: The SHA-1 algorithm is no longer recommended for use
-	    when generating new DS and CDS records.)
+	    Select the digest algorithm. The value of
+	    <code class="option">algorithm</code> must be one of SHA-1 (SHA1),
+	    SHA-256 (SHA256) or SHA-384 (SHA384).
+	    These values are case insensitive.
 	  </p>
 	</dd>
-<dt><span class="term">-A</span></dt>
-<dd>
-          <p>
-            Include ZSKs when generating DS records. Without this option, only
-            keys which have the KSK flag set will be converted to DS records
-            and printed. Useful only in <code class="option">-f</code> zone file mode.
-          </p>
-        </dd>
-<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd>
-	  <p>
-	    Specifies the DNS class (default is IN). Useful only
-	    in <code class="option">-s</code> keyset or <code class="option">-f</code>
-	    zone file mode.
-	  </p>
-	  </dd>
 <dt><span class="term">-C</span></dt>
 <dd>
 	  <p>
-	    Generate CDS records rather than DS records. This is mutually
-	    exclusive with the <code class="option">-l</code> option for generating DLV
-	    records.
+	    Generate CDS records rather than DS records.  This is mutually
+	    exclusive with generating lookaside records.
+	  </p>
+	</dd>
+<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
+<dd>
+	  <p>
+	    Specifies the TTL of the DS records.
+	  </p>
+	  </dd>
+<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
+<dd>
+	  <p>
+	    Look for key files (or, in keyset mode,
+	    <code class="filename">keyset-</code> files) in
+	    <code class="option">directory</code>.
 	  </p>
 	</dd>
 <dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
 <dd>
 	  <p>
-	    Zone file mode: <span class="command"><strong>dnssec-dsfromkey</strong></span>'s
-	    final <em class="replaceable"><code>dnsname</code></em> argument is
-	    the DNS domain name of a zone whose master file can be read
+	    Zone file mode: in place of the keyfile name, the argument is
+	    the DNS domain name of a zone master file, which can be read
 	    from <code class="option">file</code>.  If the zone name is the same as
 	    <code class="option">file</code>, then it may be omitted.
 	  </p>
 	  <p>
-	    If <em class="replaceable"><code>file</code></em> is <code class="literal">"-"</code>, then
+	    If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
 	    the zone data is read from the standard input.  This makes it
 	    possible to use the output of the <span class="command"><strong>dig</strong></span>
 	    command as input, as in:
@@ -206,41 +140,37 @@
 	    <strong class="userinput"><code>dig dnskey example.com | dnssec-dsfromkey -f - example.com</code></strong>
 	  </p>
 	</dd>
-<dt><span class="term">-h</span></dt>
+<dt><span class="term">-A</span></dt>
 <dd>
-	  <p>
-	    Prints usage information.
-	  </p>
-	</dd>
-<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
-	  <p>
-	    Look for key files or <code class="filename">keyset-</code> files in
-	    <code class="option">directory</code>.
-	  </p>
-	</dd>
+          <p>
+            Include ZSKs when generating DS records.  Without this option,
+            only keys which have the KSK flag set will be converted to DS
+            records and printed.  Useful only in zone file mode.
+          </p>
+        </dd>
 <dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
 <dd>
 	  <p>
-	    Generate a DLV set instead of a DS set. The specified
-	    <em class="replaceable"><code>domain</code></em> is appended to the name for each
+	    Generate a DLV set instead of a DS set.  The specified
+	    <code class="option">domain</code> is appended to the name for each
 	    record in the set.
-	    This is mutually exclusive with the <code class="option">-C</code> option
-	    for generating CDS records.
+	    The DNSSEC Lookaside Validation (DLV) RR is described
+	    in RFC 4431.  This is mutually exclusive with generating
+	    CDS records.
 	  </p>
 	</dd>
 <dt><span class="term">-s</span></dt>
 <dd>
 	  <p>
-	    Keyset mode: <span class="command"><strong>dnssec-dsfromkey</strong></span>'s
-	    final <em class="replaceable"><code>dnsname</code></em> argument is the DNS
-	    domain name used to locate a <code class="filename">keyset-</code> file.
+	    Keyset mode: in place of the keyfile name, the argument is
+	    the DNS domain name of a keyset file.
 	  </p>
 	</dd>
-<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
+<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
 <dd>
 	  <p>
-	    Specifies the TTL of the DS records. By default the TTL is omitted.
+	    Specifies the DNS class (default is IN).  Useful only
+	    in keyset or zone file mode.
 	  </p>
 	  </dd>
 <dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
@@ -249,6 +179,12 @@
 	    Sets the debugging level.
 	  </p>
 	</dd>
+<dt><span class="term">-h</span></dt>
+<dd>
+	  <p>
+	    Prints usage information.
+	  </p>
+	</dd>
 <dt><span class="term">-V</span></dt>
 <dd>
 	  <p>
@@ -264,23 +200,22 @@
     <p>
       To build the SHA-256 DS RR from the
       <strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
-      keyfile name, you can issue the following command:
+      keyfile name, the following command would be issued:
     </p>
     <p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong>
     </p>
     <p>
       The command would print something like:
     </p>
-    <p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94</code></strong>
+    <p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</code></strong>
     </p>
-
   </div>
 
   <div class="refsection">
 <a name="id-1.10"></a><h2>FILES</h2>
 
     <p>
-      The keyfile can be designated by the key identification
+      The keyfile can be designed by the key identification
       <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
       <code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
       <span class="refentrytitle">dnssec-keygen</span>(8).
@@ -310,11 +245,9 @@
 	<span class="refentrytitle">dnssec-signzone</span>(8)
       </span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
-      <em class="citetitle">RFC 3658</em> (DS RRs),
-      <em class="citetitle">RFC 4431</em> (DLV RRs),
-      <em class="citetitle">RFC 4509</em> (SHA-256 for DS RRs),
-      <em class="citetitle">RFC 6605</em> (SHA-384 for DS RRs),
-      <em class="citetitle">RFC 7344</em> (CDS and CDNSKEY RRs).
+      <em class="citetitle">RFC 3658</em>,
+      <em class="citetitle">RFC 4431</em>.
+      <em class="citetitle">RFC 4509</em>.
     </p>
   </div>
 

bin/dnssec/dnssec-importkey.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2013-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2013-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -134,5 +134,5 @@ RFC 5011\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2013-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2013-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dnssec/dnssec-importkey.c

@@ -11,6 +11,8 @@
 
 /*! \file */
 
+#include <config.h>
+
 #include <stdbool.h>
 #include <stdlib.h>
 
@@ -46,7 +48,12 @@
 
 #include "dnssectool.h"
 
+#ifndef PATH_MAX
+#define PATH_MAX 1024   /* WIN32, and others don't define this. */
+#endif
+
 const char *program = "dnssec-importkey";
+int verbose;
 
 static dns_rdataclass_t rdclass;
 static dns_fixedname_t	fixed;

bin/dnssec/dnssec-importkey.docbook

@@ -38,7 +38,6 @@
       <year>2015</year>
       <year>2016</year>
       <year>2018</year>
-      <year>2019</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>

bin/dnssec/dnssec-importkey.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2013-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2013-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this

bin/dnssec/dnssec-keyfromlabel.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2008-2012, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2008-2012, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -55,7 +55,7 @@ of the key is specified on the command line\&. This must match the name of the z
 .RS 4
 Selects the cryptographic algorithm\&. The value of
 \fBalgorithm\fR
-must be one of RSASHA1, NSEC3RSASHA1, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&.
+must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&.
 .sp
 If no algorithm is specified, then RSASHA1 will be used by default, unless the
 \fB\-3\fR
@@ -63,9 +63,9 @@ option is specified, in which case NSEC3RSASHA1 will be used instead\&. (If
 \fB\-3\fR
 is used and an algorithm is specified, that algorithm will be checked for compatibility with NSEC3\&.)
 .sp
-These values are case insensitive\&. In some cases, abbreviations are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for ECDSAP384SHA384\&. If RSASHA1 is specified along with the
+These values are case insensitive\&. In some cases, abbreviations are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for ECDSAP384SHA384\&. If RSASHA1 or DSA is specified along with the
 \fB\-3\fR
-option, then NSEC3RSASHA1 will be used instead\&.
+option, then NSEC3RSASHA1 or NSEC3DSA will be used instead\&.
 .sp
 As of BIND 9\&.12\&.0, this option is mandatory except when using the
 \fB\-S\fR
@@ -307,5 +307,5 @@ The PKCS#11 URI Scheme (draft\-pechanec\-pkcs11uri\-13)\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2008-2012, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2008-2012, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dnssec/dnssec-keyfromlabel.c

@@ -11,6 +11,8 @@
 
 /*! \file */
 
+#include <config.h>
+
 #include <ctype.h>
 #include <inttypes.h>
 #include <stdbool.h>
@@ -46,6 +48,7 @@
 #define MAX_RSA 4096 /* should be long enough... */
 
 const char *program = "dnssec-keyfromlabel";
+int verbose;
 
 ISC_PLATFORM_NORETURN_PRE static void
 usage(void) ISC_PLATFORM_NORETURN_POST;
@@ -61,7 +64,7 @@ usage(void) {
 	fprintf(stderr, "    name: owner of the key\n");
 	fprintf(stderr, "Other options:\n");
 	fprintf(stderr, "    -a algorithm: \n"
-			"        DH | RSASHA1 |\n"
+			"        RSA | RSAMD5 | DH | RSASHA1 |\n"
 			"        NSEC3RSASHA1 |\n"
 			"        RSASHA256 | RSASHA512 |\n"
 			"        ECDSAP256SHA256 | ECDSAP384SHA384\n");
@@ -379,14 +382,22 @@ main(int argc, char **argv) {
 			fatal("no algorithm specified");
 		}
 
-		r.base = algname;
-		r.length = strlen(algname);
-		ret = dns_secalg_fromtext(&alg, &r);
-		if (ret != ISC_R_SUCCESS) {
-			fatal("unknown algorithm %s", algname);
-		}
-		if (alg == DST_ALG_DH) {
-			options |= DST_TYPE_KEY;
+		if (strcasecmp(algname, "RSA") == 0) {
+			fprintf(stderr, "The use of RSA (RSAMD5) is not "
+					"recommended.\nIf you still wish to "
+					"use RSA (RSAMD5) please specify "
+					"\"-a RSAMD5\"\n");
+			if (freeit != NULL)
+				free(freeit);
+			return (1);
+		} else {
+			r.base = algname;
+			r.length = strlen(algname);
+			ret = dns_secalg_fromtext(&alg, &r);
+			if (ret != ISC_R_SUCCESS)
+				fatal("unknown algorithm %s", algname);
+			if (alg == DST_ALG_DH)
+				options |= DST_TYPE_KEY;
 		}
 
 		if (use_nsec3) {
@@ -628,10 +639,10 @@ main(int argc, char **argv) {
 
 		if (setdel)
 			dst_key_settime(key, DST_TIME_DELETE, deltime);
-		if (setsyncadd)
-			dst_key_settime(key, DST_TIME_SYNCPUBLISH, syncadd);
-		if (setsyncdel)
-			dst_key_settime(key, DST_TIME_SYNCDELETE, syncdel);
+	if (setsyncadd)
+		dst_key_settime(key, DST_TIME_SYNCPUBLISH, syncadd);
+	if (setsyncdel)
+		dst_key_settime(key, DST_TIME_SYNCDELETE, syncdel);
 
 	} else {
 		if (setpub || setact || setrev || setinact ||

bin/dnssec/dnssec-keyfromlabel.docbook

@@ -43,7 +43,6 @@
       <year>2016</year>
       <year>2017</year>
       <year>2018</year>
-      <year>2019</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
@@ -106,7 +105,7 @@
 	<listitem>
 	  <para>
 	    Selects the cryptographic algorithm.  The value of
-	    <option>algorithm</option> must be one of RSASHA1,
+	    <option>algorithm</option> must be one of RSAMD5, RSASHA1,
 	    NSEC3RSASHA1, RSASHA256, RSASHA512,
 	    ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
 	  </para>

bin/dnssec/dnssec-keyfromlabel.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2008-2012, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2008-2012, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -89,8 +89,8 @@
 <dd>
 	  <p>
 	    Selects the cryptographic algorithm.  The value of
-	    <code class="option">algorithm</code> must be one of RSASHA1,
-	    NSEC3RSASHA1, RSASHA256, RSASHA512,
+	    <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
+	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512,
 	    ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
 	  </p>
 	  <p>
@@ -103,9 +103,9 @@
 	  <p>
 	    These values are case insensitive. In some cases, abbreviations
 	    are supported, such as ECDSA256 for ECDSAP256SHA256 and
-	    ECDSA384 for ECDSAP384SHA384. If RSASHA1 is specified
+	    ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified
 	    along with the <code class="option">-3</code> option, then NSEC3RSASHA1
-	    will be used instead.
+	    or NSEC3DSA will be used instead.
 	  </p>
 	  <p>
 	    As of BIND 9.12.0, this option is mandatory except when using

bin/dnssec/dnssec-keygen.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2000-2005, 2007-2012, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2005, 2007-2012, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -39,7 +39,7 @@
 dnssec-keygen \- DNSSEC key generation tool
 .SH "SYNOPSIS"
 .HP \w'\fBdnssec\-keygen\fR\ 'u
-\fBdnssec\-keygen\fR [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name}
+\fBdnssec\-keygen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] {name}
 .SH "DESCRIPTION"
 .PP
 \fBdnssec\-keygen\fR
@@ -58,24 +58,17 @@ may be preferable to direct use of
 \fBdnssec\-keygen\fR\&.
 .SH "OPTIONS"
 .PP
-\-3
-.RS 4
-Use an NSEC3\-capable algorithm to generate a DNSSEC key\&. If this option is used with an algorithm that has both NSEC and NSEC3 versions, then the NSEC3 version will be used; for example,
-\fBdnssec\-keygen \-3a RSASHA1\fR
-specifies the NSEC3RSASHA1 algorithm\&.
-.RE
-.PP
 \-a \fIalgorithm\fR
 .RS 4
 Selects the cryptographic algorithm\&. For DNSSEC keys, the value of
 \fBalgorithm\fR
-must be one of RSASHA1, NSEC3RSASHA1, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&. For TKEY, the value must be DH (Diffie Hellman); specifying his value will automatically set the
+must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&. For TKEY, the value must be DH (Diffie Hellman); specifying his value will automatically set the
 \fB\-T KEY\fR
 option as well\&.
 .sp
-These values are case insensitive\&. In some cases, abbreviations are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for ECDSAP384SHA384\&. If RSASHA1 is specified along with the
+These values are case insensitive\&. In some cases, abbreviations are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for ECDSAP384SHA384\&. If RSASHA1 or DSA is specified along with the
 \fB\-3\fR
-option, then NSEC3RSASHA1 will be used instead\&.
+option, then NSEC3RSASHA1 or NSEC3DSA will be used instead\&.
 .sp
 This parameter
 \fImust\fR
@@ -90,15 +83,29 @@ to generate TSIG keys\&.
 .PP
 \-b \fIkeysize\fR
 .RS 4
-Specifies the number of bits in the key\&. The choice of key size depends on the algorithm used\&. RSA keys must be between 1024 and 4096 bits\&. Diffie Hellman keys must be between 128 and 4096 bits\&. Elliptic curve algorithms don\*(Aqt need this parameter\&.
+Specifies the number of bits in the key\&. The choice of key size depends on the algorithm used\&. RSA keys must be between 1024 and 2048 bits\&. Diffie Hellman keys must be between 128 and 4096 bits\&. DSA keys must be between 512 and 1024 bits and an exact multiple of 64\&. HMAC keys must be between 1 and 512 bits\&. Elliptic curve algorithms don\*(Aqt need this parameter\&.
 .sp
 If the key size is not specified, some algorithms have pre\-defined defaults\&. For example, RSA keys for use as DNSSEC zone signing keys have a default size of 1024 bits; RSA keys for use as key signing keys (KSKs, generated with
 \fB\-f KSK\fR) default to 2048 bits\&.
 .RE
 .PP
+\-n \fInametype\fR
+.RS 4
+Specifies the owner type of the key\&. The value of
+\fBnametype\fR
+must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY)\&. These values are case insensitive\&. Defaults to ZONE for DNSKEY generation\&.
+.RE
+.PP
+\-3
+.RS 4
+Use an NSEC3\-capable algorithm to generate a DNSSEC key\&. If this option is used with an algorithm that has both NSEC and NSEC3 versions, then the NSEC3 version will be used; for example,
+\fBdnssec\-keygen \-3a RSASHA1\fR
+specifies the NSEC3RSASHA1 algorithm\&.
+.RE
+.PP
 \-C
 .RS 4
-Compatibility mode: generates an old\-style key, without any timing metadata\&. By default,
+Compatibility mode: generates an old\-style key, without any metadata\&. By default,
 \fBdnssec\-keygen\fR
 will include the key\*(Aqs creation date in the metadata stored with the private key, and other dates may be set there as well (publication date, activation date, etc)\&. Keys that include this data may be incompatible with older versions of BIND; the
 \fB\-C\fR
@@ -143,6 +150,11 @@ Prints a short summary of the options and arguments to
 Sets the directory in which the key files are to be written\&.
 .RE
 .PP
+\-k
+.RS 4
+Deprecated in favor of \-T KEY\&.
+.RE
+.PP
 \-L \fIttl\fR
 .RS 4
 Sets the default TTL to use for this key when it is converted into a DNSKEY RR\&. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence\&. If this value is not set and there is no existing DNSKEY RRset, the TTL will default to the SOA TTL\&. Setting the default TTL to
@@ -152,17 +164,9 @@ none
 is the same as leaving it unset\&.
 .RE
 .PP
-\-n \fInametype\fR
-.RS 4
-Specifies the owner type of the key\&. The value of
-\fBnametype\fR
-must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY)\&. These values are case insensitive\&. Defaults to ZONE for DNSKEY generation\&.
-.RE
-.PP
 \-p \fIprotocol\fR
 .RS 4
-Sets the protocol value for the generated key, for use with
-\fB\-T KEY\fR\&. The protocol is a number between 0 and 255\&. The default is 3 (DNSSEC)\&. Other possible values for this argument are listed in RFC 2535 and its successors\&.
+Sets the protocol value for the generated key\&. The protocol is a number between 0 and 255\&. The default is 3 (DNSSEC)\&. Other possible values for this argument are listed in RFC 2535 and its successors\&.
 .RE
 .PP
 \-q
@@ -189,25 +193,27 @@ Specifies the strength value of the key\&. The strength is a number between 0 an
 Specifies the resource record type to use for the key\&.
 \fBrrtype\fR
 must be either DNSKEY or KEY\&. The default is DNSKEY when using a DNSSEC algorithm, but it can be overridden to KEY for use with SIG(0)\&.
+Specifying any TSIG algorithm (HMAC\-* or DH) with
+\fB\-a\fR
+forces this option to KEY\&.
 .RE
 .PP
 \-t \fItype\fR
 .RS 4
-Indicates the use of the key, for use with
-\fB\-T KEY\fR\&.
+Indicates the use of the key\&.
 \fBtype\fR
 must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF\&. The default is AUTHCONF\&. AUTH refers to the ability to authenticate data, and CONF the ability to encrypt data\&.
 .RE
 .PP
-\-V
-.RS 4
-Prints version information\&.
-.RE
-.PP
 \-v \fIlevel\fR
 .RS 4
 Sets the debugging level\&.
 .RE
+.PP
+\-V
+.RS 4
+Prints version information\&.
+.RE
 .SH "TIMING OPTIONS"
 .PP
 Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS\&. If the argument begins with a \*(Aq+\*(Aq or \*(Aq\-\*(Aq, it is interpreted as an offset from the present time\&. For convenience, if such an offset is followed by one of the suffixes \*(Aqy\*(Aq, \*(Aqmo\*(Aq, \*(Aqw\*(Aq, \*(Aqd\*(Aq, \*(Aqh\*(Aq, or \*(Aqmi\*(Aq, then the offset is computed in years (defined as 365 24\-hour days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively\&. Without a suffix, the offset is computed in seconds\&. To explicitly prevent a date from being set, use \*(Aqnone\*(Aq or \*(Aqnever\*(Aq\&.
@@ -308,39 +314,34 @@ contains the private key\&.
 .PP
 The
 \&.key
-file contains a DNSKEY or KEY record\&. When a zone is being signed by
-\fBnamed\fR
-or
-\fBdnssec\-signzone\fR\fB\-S\fR, DNSKEY records are included automatically\&. In other cases, the
-\&.key
-file can be inserted into a zone file manually or with a
-\fB$INCLUDE\fR
-statement\&.
+file contains a DNS KEY record that can be inserted into a zone file (directly or with a $INCLUDE statement)\&.
 .PP
 The
 \&.private
 file contains algorithm\-specific fields\&. For obvious security reasons, this file does not have general read permission\&.
+.PP
+Both
+\&.key
+and
+\&.private
+files are generated for symmetric cryptography algorithms such as HMAC\-MD5, even though the public and private key are equivalent\&.
 .SH "EXAMPLE"
 .PP
-To generate an ECDSAP256SHA256 zone\-signing key for the zone
-\fBexample\&.com\fR, issue the command:
+To generate a 768\-bit DSA key for the domain
+\fBexample\&.com\fR, the following command would be issued:
 .PP
-\fBdnssec\-keygen \-a ECDSAP256SHA256 example\&.com\fR
+\fBdnssec\-keygen \-a DSA \-b 768 \-n ZONE example\&.com\fR
 .PP
 The command would print a string of the form:
 .PP
-\fBKexample\&.com\&.+013+26160\fR
+\fBKexample\&.com\&.+003+26160\fR
 .PP
 In this example,
 \fBdnssec\-keygen\fR
 creates the files
-Kexample\&.com\&.+013+26160\&.key
+Kexample\&.com\&.+003+26160\&.key
 and
-Kexample\&.com\&.+013+26160\&.private\&.
-.PP
-To generate a matching key\-signing key, issue the command:
-.PP
-\fBdnssec\-keygen \-a ECDSAP256SHA256 \-f KSK example\&.com\fR
+Kexample\&.com\&.+003+26160\&.private\&.
 .SH "SEE ALSO"
 .PP
 \fBdnssec-signzone\fR(8),
@@ -353,5 +354,5 @@ RFC 4034\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2000-2005, 2007-2012, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000-2005, 2007-2012, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dnssec/dnssec-keygen.c

@@ -25,6 +25,8 @@
 
 /*! \file */
 
+#include <config.h>
+
 #include <ctype.h>
 #include <inttypes.h>
 #include <stdbool.h>
@@ -61,6 +63,7 @@
 #define MAX_RSA 4096 /* should be long enough... */
 
 const char *program = "dnssec-keygen";
+int verbose;
 
 ISC_PLATFORM_NORETURN_PRE static void
 usage(void) ISC_PLATFORM_NORETURN_POST;
@@ -76,12 +79,14 @@ usage(void) {
 	fprintf(stderr, "Options:\n");
 	fprintf(stderr, "    -K <directory>: write keys into directory\n");
 	fprintf(stderr, "    -a <algorithm>:\n");
-	fprintf(stderr, "        RSASHA1 | NSEC3RSASHA1 |\n");
+	fprintf(stderr, "        RSA | RSAMD5 | RSASHA1 | NSEC3RSASHA1"
+				" |\n");
 	fprintf(stderr, "        RSASHA256 | RSASHA512 |\n");
 	fprintf(stderr, "        ECDSAP256SHA256 | ECDSAP384SHA384 |\n");
 	fprintf(stderr, "        ED25519 | ED448 | DH\n");
 	fprintf(stderr, "    -3: use NSEC3-capable algorithm\n");
 	fprintf(stderr, "    -b <key size in bits>:\n");
+	fprintf(stderr, "        RSAMD5:\t[1024..%d]\n", MAX_RSA);
 	fprintf(stderr, "        RSASHA1:\t[1024..%d]\n", MAX_RSA);
 	fprintf(stderr, "        NSEC3RSASHA1:\t[1024..%d]\n", MAX_RSA);
 	fprintf(stderr, "        RSASHA256:\t[1024..%d]\n", MAX_RSA);
@@ -238,7 +243,7 @@ main(int argc, char **argv) {
 	/*
 	 * Process memory debugging argument first.
 	 */
-#define CMDLINE_FLAGS "3A:a:b:Cc:D:d:E:eFf:Gg:hI:i:K:L:m:n:P:p:qR:r:S:s:T:t:" \
+#define CMDLINE_FLAGS "3A:a:b:Cc:D:d:E:eFf:Gg:hI:i:K:kL:m:n:P:p:qR:r:S:s:T:t:" \
 		      "v:V"
 	while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
 		switch (ch) {
@@ -319,6 +324,11 @@ main(int argc, char **argv) {
 				fatal("cannot open directory %s: %s",
 				      directory, isc_result_totext(ret));
 			break;
+		case 'k':
+			fatal("The -k option has been deprecated.\n"
+			      "To generate a key-signing key, use -f KSK.\n"
+			      "To generate a key with TYPE=KEY, use -T KEY.\n");
+			break;
 		case 'L':
 			ttl = strtottl(isc_commandline_argument);
 			setttl = true;
@@ -498,14 +508,23 @@ main(int argc, char **argv) {
 			fatal("no algorithm specified");
 		}
 
-		r.base = algname;
-		r.length = strlen(algname);
-		ret = dns_secalg_fromtext(&alg, &r);
-		if (ret != ISC_R_SUCCESS) {
-			fatal("unknown algorithm %s", algname);
-		}
-		if (alg == DST_ALG_DH) {
-			options |= DST_TYPE_KEY;
+		if (strcasecmp(algname, "RSA") == 0) {
+			fprintf(stderr, "The use of RSA (RSAMD5) is not "
+					"recommended.\nIf you still wish to "
+					"use RSA (RSAMD5) please specify "
+					"\"-a RSAMD5\"\n");
+			INSIST(freeit == NULL);
+			return (1);
+		} else {
+			r.base = algname;
+			r.length = strlen(algname);
+			ret = dns_secalg_fromtext(&alg, &r);
+			if (ret != ISC_R_SUCCESS) {
+				fatal("unknown algorithm %s", algname);
+			}
+			if (alg == DST_ALG_DH) {
+				options |= DST_TYPE_KEY;
+			}
 		}
 
 		if (!dst_algorithm_supported(alg)) {
@@ -679,6 +698,7 @@ main(int argc, char **argv) {
 	}
 
 	switch (alg) {
+	case DNS_KEYALG_RSAMD5:
 	case DNS_KEYALG_RSASHA1:
 	case DNS_KEYALG_NSEC3RSASHA1:
 	case DNS_KEYALG_RSASHA256:
@@ -760,6 +780,7 @@ main(int argc, char **argv) {
 	}
 
 	switch(alg) {
+	case DNS_KEYALG_RSAMD5:
 	case DNS_KEYALG_RSASHA1:
 	case DNS_KEYALG_NSEC3RSASHA1:
 	case DNS_KEYALG_RSASHA256:

bin/dnssec/dnssec-keygen.docbook

@@ -50,7 +50,6 @@
       <year>2016</year>
       <year>2017</year>
       <year>2018</year>
-      <year>2019</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
@@ -58,10 +57,11 @@
   <refsynopsisdiv>
     <cmdsynopsis sepchar=" ">
       <command>dnssec-keygen</command>
-      <arg choice="opt" rep="norepeat"><option>-3</option></arg>
-      <arg choice="opt" rep="norepeat"><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
       <arg rep="norepeat"><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-3</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-C</option></arg>
       <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
@@ -76,7 +76,6 @@
       <arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-k</option></arg>
       <arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-P sync <replaceable class="parameter">date/offset</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
@@ -87,6 +86,7 @@
       <arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">type</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-V</option></arg>
       <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-z</option></arg>
       <arg choice="req" rep="norepeat">name</arg>
     </cmdsynopsis>
   </refsynopsisdiv>
@@ -117,26 +117,12 @@
 
 
     <variablelist>
-
-      <varlistentry>
-	<term>-3</term>
-	<listitem>
-	  <para>
-	    Use an NSEC3-capable algorithm to generate a DNSSEC key.
-	    If this option is used with an algorithm that has both
-	    NSEC and NSEC3 versions, then the NSEC3 version will be
-	    used; for example, <command>dnssec-keygen -3a RSASHA1</command>
-	    specifies the NSEC3RSASHA1 algorithm.
-	  </para>
-	</listitem>
-      </varlistentry>
-
       <varlistentry>
 	<term>-a <replaceable class="parameter">algorithm</replaceable></term>
 	<listitem>
 	  <para>
 	    Selects the cryptographic algorithm.  For DNSSEC keys, the value
-	    of <option>algorithm</option> must be one of RSASHA1,
+	    of <option>algorithm</option> must be one of RSAMD5, RSASHA1,
 	    NSEC3RSASHA1, RSASHA256, RSASHA512,
 	    ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.  For
 	    TKEY, the value must be DH (Diffie Hellman); specifying
@@ -170,9 +156,11 @@
 	  <para>
 	    Specifies the number of bits in the key.  The choice of key
 	    size depends on the algorithm used.  RSA keys must be
-	    between 1024 and 4096 bits.  Diffie Hellman keys must be between
-	    128 and 4096 bits.  Elliptic curve algorithms don't need this
-	    parameter.
+	    between 1024 and 2048 bits.  Diffie Hellman keys must be between
+	    128 and 4096 bits.  DSA keys must be between 512 and 1024
+	    bits and an exact multiple of 64.  HMAC keys must be
+	    between 1 and 512 bits. Elliptic curve algorithms don't need
+	    this parameter.
 	  </para>
 	  <para>
 	    If the key size is not specified, some algorithms have
@@ -184,16 +172,43 @@
 	</listitem>
       </varlistentry>
 
+      <varlistentry>
+	<term>-n <replaceable class="parameter">nametype</replaceable></term>
+	<listitem>
+	  <para>
+	    Specifies the owner type of the key.  The value of
+	    <option>nametype</option> must either be ZONE (for a DNSSEC
+	    zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
+	    with a host (KEY)), USER (for a key associated with a
+	    user(KEY)) or OTHER (DNSKEY).  These values are case
+	    insensitive.  Defaults to ZONE for DNSKEY generation.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-3</term>
+	<listitem>
+	  <para>
+	    Use an NSEC3-capable algorithm to generate a DNSSEC key.
+	    If this option is used with an algorithm that has both
+	    NSEC and NSEC3 versions, then the NSEC3 version will be
+	    used; for example, <command>dnssec-keygen -3a RSASHA1</command>
+	    specifies the NSEC3RSASHA1 algorithm.
+	  </para>
+	</listitem>
+      </varlistentry>
+
       <varlistentry>
 	<term>-C</term>
 	<listitem>
 	  <para>
-	    Compatibility mode: generates an old-style key, without any
-	    timing metadata. By default, <command>dnssec-keygen</command>
-	    will include the key's creation date in the metadata stored with
-	    the private key, and other dates may be set there as well
-	    (publication date, activation date, etc). Keys that include this
-	    data may be incompatible with older versions of BIND; the
+	    Compatibility mode:  generates an old-style key, without
+	    any metadata.  By default, <command>dnssec-keygen</command>
+	    will include the key's creation date in the metadata stored
+	    with the private key, and other dates may be set there as well
+	    (publication date, activation date, etc).  Keys that include
+	    this data may be incompatible with older versions of BIND; the
 	    <option>-C</option> option suppresses them.
 	  </para>
 	</listitem>
@@ -277,6 +292,15 @@
 	</listitem>
       </varlistentry>
 
+      <varlistentry>
+	<term>-k</term>
+	<listitem>
+	  <para>
+	    Deprecated in favor of -T KEY.
+	  </para>
+	</listitem>
+      </varlistentry>
+
       <varlistentry>
 	<term>-L <replaceable class="parameter">ttl</replaceable></term>
 	<listitem>
@@ -293,28 +317,14 @@
 	</listitem>
       </varlistentry>
 
-      <varlistentry>
-	<term>-n <replaceable class="parameter">nametype</replaceable></term>
-	<listitem>
-	  <para>
-	    Specifies the owner type of the key.  The value of
-	    <option>nametype</option> must either be ZONE (for a DNSSEC
-	    zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
-	    with a host (KEY)), USER (for a key associated with a
-	    user(KEY)) or OTHER (DNSKEY).  These values are case
-	    insensitive.  Defaults to ZONE for DNSKEY generation.
-	  </para>
-	</listitem>
-      </varlistentry>
-
       <varlistentry>
 	<term>-p <replaceable class="parameter">protocol</replaceable></term>
 	<listitem>
 	  <para>
-	    Sets the protocol value for the generated key, for use
-	    with <option>-T KEY</option>. The protocol is a number between 0
-	    and 255. The default is 3 (DNSSEC). Other possible values for
-	    this argument are listed in RFC 2535 and its successors.
+	    Sets the protocol value for the generated key.  The protocol
+	    is a number between 0 and 255.  The default is 3 (DNSSEC).
+	    Other possible values for this argument are listed in
+	    RFC 2535 and its successors.
 	  </para>
 	</listitem>
       </varlistentry>
@@ -372,6 +382,10 @@
 	    <option>rrtype</option> must be either DNSKEY or KEY.  The
 	    default is DNSKEY when using a DNSSEC algorithm, but it can be
 	    overridden to KEY for use with SIG(0).
+	  <para>
+	  </para>
+	    Specifying any TSIG algorithm (HMAC-* or DH) with
+	    <option>-a</option> forces this option to KEY.
 	  </para>
 	</listitem>
       </varlistentry>
@@ -380,20 +394,10 @@
 	<term>-t <replaceable class="parameter">type</replaceable></term>
 	<listitem>
 	  <para>
-	    Indicates the use of the key, for use with <option>-T
-	    KEY</option>. <option>type</option> must be one of AUTHCONF,
-	    NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH
-	    refers to the ability to authenticate data, and CONF the ability
-	    to encrypt data.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-V</term>
-	<listitem>
-	  <para>
-	    Prints version information.
+	    Indicates the use of the key.  <option>type</option> must be
+	    one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF.  The default
+	    is AUTHCONF.  AUTH refers to the ability to authenticate
+	    data, and CONF the ability to encrypt data.
 	  </para>
 	</listitem>
       </varlistentry>
@@ -407,6 +411,15 @@
 	</listitem>
       </varlistentry>
 
+      <varlistentry>
+	<term>-V</term>
+	<listitem>
+	  <para>
+	    Prints version information.
+	  </para>
+	</listitem>
+      </varlistentry>
+
     </variablelist>
   </refsection>
 
@@ -571,12 +584,10 @@
       key.
     </para>
     <para>
-      The <filename>.key</filename> file contains a DNSKEY or KEY record.
-      When a zone is being signed by <command>named</command>
-      or <command>dnssec-signzone</command> <option>-S</option>, DNSKEY
-      records are included automatically. In other cases,
-      the <filename>.key</filename> file can be inserted into a zone file
-      manually or with a <userinput>$INCLUDE</userinput> statement.
+      The <filename>.key</filename> file contains a DNS KEY record
+      that
+      can be inserted into a zone file (directly or with a $INCLUDE
+      statement).
     </para>
     <para>
       The <filename>.private</filename> file contains
@@ -584,33 +595,32 @@
       fields.  For obvious security reasons, this file does not have
       general read permission.
     </para>
+    <para>
+      Both <filename>.key</filename> and <filename>.private</filename>
+      files are generated for symmetric cryptography algorithms such as
+      HMAC-MD5, even though the public and private key are equivalent.
+    </para>
   </refsection>
 
   <refsection><info><title>EXAMPLE</title></info>
 
     <para>
-      To generate an ECDSAP256SHA256 zone-signing key for the zone
-      <userinput>example.com</userinput>, issue the command:
+      To generate a 768-bit DSA key for the domain
+      <userinput>example.com</userinput>, the following command would be
+      issued:
     </para>
-    <para>
-      <userinput>dnssec-keygen -a ECDSAP256SHA256 example.com</userinput>
+    <para><userinput>dnssec-keygen -a DSA -b 768 -n ZONE example.com</userinput>
     </para>
     <para>
       The command would print a string of the form:
     </para>
-    <para><userinput>Kexample.com.+013+26160</userinput>
+    <para><userinput>Kexample.com.+003+26160</userinput>
     </para>
     <para>
       In this example, <command>dnssec-keygen</command> creates
-      the files <filename>Kexample.com.+013+26160.key</filename>
+      the files <filename>Kexample.com.+003+26160.key</filename>
       and
-      <filename>Kexample.com.+013+26160.private</filename>.
-    </para>
-    <para>
-      To generate a matching key-signing key, issue the command:
-    </para>
-    <para>
-      <userinput>dnssec-keygen -a ECDSAP256SHA256 -f KSK example.com</userinput>
+      <filename>Kexample.com.+003+26160.private</filename>.
     </para>
   </refsection>
 

bin/dnssec/dnssec-keygen.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2005, 2007-2012, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2005, 2007-2012, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -33,10 +33,11 @@
 <h2>Synopsis</h2>
     <div class="cmdsynopsis"><p>
       <code class="command">dnssec-keygen</code> 
-       [<code class="option">-3</code>]
-       [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
        [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
        [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
+       [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
+       [<code class="option">-3</code>]
+       [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
        [<code class="option">-C</code>]
        [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
        [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
@@ -51,7 +52,6 @@
        [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
        [<code class="option">-k</code>]
        [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
-       [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
        [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
        [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
        [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>]
@@ -62,6 +62,7 @@
        [<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
        [<code class="option">-V</code>]
        [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
+       [<code class="option">-z</code>]
        {name}
     </p></div>
   </div>
@@ -94,22 +95,12 @@
 
 
     <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">-3</span></dt>
-<dd>
-	  <p>
-	    Use an NSEC3-capable algorithm to generate a DNSSEC key.
-	    If this option is used with an algorithm that has both
-	    NSEC and NSEC3 versions, then the NSEC3 version will be
-	    used; for example, <span class="command"><strong>dnssec-keygen -3a RSASHA1</strong></span>
-	    specifies the NSEC3RSASHA1 algorithm.
-	  </p>
-	</dd>
 <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 <dd>
 	  <p>
 	    Selects the cryptographic algorithm.  For DNSSEC keys, the value
-	    of <code class="option">algorithm</code> must be one of RSASHA1,
-	    NSEC3RSASHA1, RSASHA256, RSASHA512,
+	    of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
+	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512,
 	    ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.  For
 	    TKEY, the value must be DH (Diffie Hellman); specifying
 	    his value will automatically set the <code class="option">-T KEY</code>
@@ -118,9 +109,9 @@
 	  <p>
 	    These values are case insensitive. In some cases, abbreviations
 	    are supported, such as ECDSA256 for ECDSAP256SHA256 and
-	    ECDSA384 for ECDSAP384SHA384. If RSASHA1 is specified
+	    ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified
 	    along with the <code class="option">-3</code> option, then NSEC3RSASHA1
-	    will be used instead.
+	    or NSEC3DSA will be used instead.
 	  </p>
 	  <p>
 	    This parameter <span class="emphasis"><em>must</em></span> be specified except
@@ -139,9 +130,11 @@
 	  <p>
 	    Specifies the number of bits in the key.  The choice of key
 	    size depends on the algorithm used.  RSA keys must be
-	    between 1024 and 4096 bits.  Diffie Hellman keys must be between
-	    128 and 4096 bits.  Elliptic curve algorithms don't need this
-	    parameter.
+	    between 1024 and 2048 bits.  Diffie Hellman keys must be between
+	    128 and 4096 bits.  DSA keys must be between 512 and 1024
+	    bits and an exact multiple of 64.  HMAC keys must be
+	    between 1 and 512 bits. Elliptic curve algorithms don't need
+	    this parameter.
 	  </p>
 	  <p>
 	    If the key size is not specified, some algorithms have
@@ -151,15 +144,36 @@
 	    <code class="option">-f KSK</code>) default to 2048 bits.
 	  </p>
 	</dd>
+<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
+<dd>
+	  <p>
+	    Specifies the owner type of the key.  The value of
+	    <code class="option">nametype</code> must either be ZONE (for a DNSSEC
+	    zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
+	    with a host (KEY)), USER (for a key associated with a
+	    user(KEY)) or OTHER (DNSKEY).  These values are case
+	    insensitive.  Defaults to ZONE for DNSKEY generation.
+	  </p>
+	</dd>
+<dt><span class="term">-3</span></dt>
+<dd>
+	  <p>
+	    Use an NSEC3-capable algorithm to generate a DNSSEC key.
+	    If this option is used with an algorithm that has both
+	    NSEC and NSEC3 versions, then the NSEC3 version will be
+	    used; for example, <span class="command"><strong>dnssec-keygen -3a RSASHA1</strong></span>
+	    specifies the NSEC3RSASHA1 algorithm.
+	  </p>
+	</dd>
 <dt><span class="term">-C</span></dt>
 <dd>
 	  <p>
-	    Compatibility mode: generates an old-style key, without any
-	    timing metadata. By default, <span class="command"><strong>dnssec-keygen</strong></span>
-	    will include the key's creation date in the metadata stored with
-	    the private key, and other dates may be set there as well
-	    (publication date, activation date, etc). Keys that include this
-	    data may be incompatible with older versions of BIND; the
+	    Compatibility mode:  generates an old-style key, without
+	    any metadata.  By default, <span class="command"><strong>dnssec-keygen</strong></span>
+	    will include the key's creation date in the metadata stored
+	    with the private key, and other dates may be set there as well
+	    (publication date, activation date, etc).  Keys that include
+	    this data may be incompatible with older versions of BIND; the
 	    <code class="option">-C</code> option suppresses them.
 	  </p>
 	</dd>
@@ -220,6 +234,12 @@
 	    Sets the directory in which the key files are to be written.
 	  </p>
 	</dd>
+<dt><span class="term">-k</span></dt>
+<dd>
+	  <p>
+	    Deprecated in favor of -T KEY.
+	  </p>
+	</dd>
 <dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
 <dd>
 	  <p>
@@ -233,24 +253,13 @@
 	    or <code class="literal">none</code> is the same as leaving it unset.
 	  </p>
 	</dd>
-<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
-<dd>
-	  <p>
-	    Specifies the owner type of the key.  The value of
-	    <code class="option">nametype</code> must either be ZONE (for a DNSSEC
-	    zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
-	    with a host (KEY)), USER (for a key associated with a
-	    user(KEY)) or OTHER (DNSKEY).  These values are case
-	    insensitive.  Defaults to ZONE for DNSKEY generation.
-	  </p>
-	</dd>
 <dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
 <dd>
 	  <p>
-	    Sets the protocol value for the generated key, for use
-	    with <code class="option">-T KEY</code>. The protocol is a number between 0
-	    and 255. The default is 3 (DNSSEC). Other possible values for
-	    this argument are listed in RFC 2535 and its successors.
+	    Sets the protocol value for the generated key.  The protocol
+	    is a number between 0 and 255.  The default is 3 (DNSSEC).
+	    Other possible values for this argument are listed in
+	    RFC 2535 and its successors.
 	  </p>
 	</dd>
 <dt><span class="term">-q</span></dt>
@@ -297,21 +306,20 @@
 	    default is DNSKEY when using a DNSSEC algorithm, but it can be
 	    overridden to KEY for use with SIG(0).
 	  </p>
+<p>
+	  </p>
+<p>
+	    Specifying any TSIG algorithm (HMAC-* or DH) with
+	    <code class="option">-a</code> forces this option to KEY.
+	  </p>
 	</dd>
 <dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
 <dd>
 	  <p>
-	    Indicates the use of the key, for use with <code class="option">-T
-	    KEY</code>. <code class="option">type</code> must be one of AUTHCONF,
-	    NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH
-	    refers to the ability to authenticate data, and CONF the ability
-	    to encrypt data.
-	  </p>
-	</dd>
-<dt><span class="term">-V</span></dt>
-<dd>
-	  <p>
-	    Prints version information.
+	    Indicates the use of the key.  <code class="option">type</code> must be
+	    one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF.  The default
+	    is AUTHCONF.  AUTH refers to the ability to authenticate
+	    data, and CONF the ability to encrypt data.
 	  </p>
 	</dd>
 <dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
@@ -320,6 +328,12 @@
 	    Sets the debugging level.
 	  </p>
 	</dd>
+<dt><span class="term">-V</span></dt>
+<dd>
+	  <p>
+	    Prints version information.
+	  </p>
+	</dd>
 </dl></div>
   </div>
 
@@ -462,12 +476,10 @@
       key.
     </p>
     <p>
-      The <code class="filename">.key</code> file contains a DNSKEY or KEY record.
-      When a zone is being signed by <span class="command"><strong>named</strong></span>
-      or <span class="command"><strong>dnssec-signzone</strong></span> <code class="option">-S</code>, DNSKEY
-      records are included automatically. In other cases,
-      the <code class="filename">.key</code> file can be inserted into a zone file
-      manually or with a <strong class="userinput"><code>$INCLUDE</code></strong> statement.
+      The <code class="filename">.key</code> file contains a DNS KEY record
+      that
+      can be inserted into a zone file (directly or with a $INCLUDE
+      statement).
     </p>
     <p>
       The <code class="filename">.private</code> file contains
@@ -475,34 +487,33 @@
       fields.  For obvious security reasons, this file does not have
       general read permission.
     </p>
+    <p>
+      Both <code class="filename">.key</code> and <code class="filename">.private</code>
+      files are generated for symmetric cryptography algorithms such as
+      HMAC-MD5, even though the public and private key are equivalent.
+    </p>
   </div>
 
   <div class="refsection">
 <a name="id-1.11"></a><h2>EXAMPLE</h2>
 
     <p>
-      To generate an ECDSAP256SHA256 zone-signing key for the zone
-      <strong class="userinput"><code>example.com</code></strong>, issue the command:
+      To generate a 768-bit DSA key for the domain
+      <strong class="userinput"><code>example.com</code></strong>, the following command would be
+      issued:
     </p>
-    <p>
-      <strong class="userinput"><code>dnssec-keygen -a ECDSAP256SHA256 example.com</code></strong>
+    <p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
     </p>
     <p>
       The command would print a string of the form:
     </p>
-    <p><strong class="userinput"><code>Kexample.com.+013+26160</code></strong>
+    <p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
     </p>
     <p>
       In this example, <span class="command"><strong>dnssec-keygen</strong></span> creates
-      the files <code class="filename">Kexample.com.+013+26160.key</code>
+      the files <code class="filename">Kexample.com.+003+26160.key</code>
       and
-      <code class="filename">Kexample.com.+013+26160.private</code>.
-    </p>
-    <p>
-      To generate a matching key-signing key, issue the command:
-    </p>
-    <p>
-      <strong class="userinput"><code>dnssec-keygen -a ECDSAP256SHA256 -f KSK example.com</code></strong>
+      <code class="filename">Kexample.com.+003+26160.private</code>.
     </p>
   </div>
 

bin/dnssec/dnssec-revoke.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2009, 2011, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009, 2011, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -99,5 +99,5 @@ RFC 5011\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2009, 2011, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009, 2011, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dnssec/dnssec-revoke.c

@@ -11,6 +11,8 @@
 
 /*! \file */
 
+#include <config.h>
+
 #include <inttypes.h>
 #include <stdbool.h>
 #include <stdlib.h>
@@ -37,6 +39,7 @@
 #include "dnssectool.h"
 
 const char *program = "dnssec-revoke";
+int verbose;
 
 static isc_mem_t	*mctx = NULL;
 
@@ -54,13 +57,13 @@ usage(void) {
 #else
 	fprintf(stderr, "    -E engine:    specify OpenSSL engine\n");
 #endif
-	fprintf(stderr, "    -f:           force overwrite\n");
-	fprintf(stderr, "    -h:           help\n");
+	fprintf(stderr, "    -f:	   force overwrite\n");
 	fprintf(stderr, "    -K directory: use directory for key files\n");
-	fprintf(stderr, "    -r:           remove old keyfiles after "
+	fprintf(stderr, "    -h:	   help\n");
+	fprintf(stderr, "    -r:	   remove old keyfiles after "
 					   "creating revoked version\n");
-	fprintf(stderr, "    -v level:     set level of verbosity\n");
-	fprintf(stderr, "    -V:           print version information\n");
+	fprintf(stderr, "    -v level:	   set level of verbosity\n");
+	fprintf(stderr, "    -V: print version information\n");
 	fprintf(stderr, "Output:\n");
 	fprintf(stderr, "     K<name>+<alg>+<new id>.key, "
 			     "K<name>+<alg>+<new id>.private\n");
@@ -236,7 +239,7 @@ main(int argc, char **argv) {
 		 * Remove old key file, if told to (and if
 		 * it isn't the same as the new file)
 		 */
-		if (removefile) {
+		if (removefile && dst_key_alg(key) != DST_ALG_RSAMD5) {
 			isc_buffer_init(&buf, oldname, sizeof(oldname));
 			dst_key_setflags(key, flags & ~DNS_KEYFLAG_REVOKE);
 			dst_key_buildfilename(key, DST_TYPE_PRIVATE, dir, &buf);

bin/dnssec/dnssec-revoke.docbook

@@ -38,7 +38,6 @@
       <year>2015</year>
       <year>2016</year>
       <year>2018</year>
-      <year>2019</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>

bin/dnssec/dnssec-revoke.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2009, 2011, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2011, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this