This commit was manufactured by cvs2git to create tag 'v9_2_3rc4'.

CHANGES

@@ -1,17 +1,3 @@
-1650.	[bug]		dig, nslookup: flush standard out after each command.
-
-1649.	[bug]		Silence "unexpected non-minimal diff" message.
-			[RT #11206]
-
-1646.	[bug]		win32: logging file versions didn't work with
-			non-UNC filenames.  [RT#11486]
-
-1644.	[bug]		Update the journal modification time after a
-			sucessfull refresh query. [RT #11436]
-
-1643.	[bug]		dns_db_closeversion() could leak memory / node
-			references. [RT #11163]
-
 
 	--- 9.2.4rc4 released ---
 

FAQ

@@ -332,20 +332,3 @@ the serial query rate.
 
 	serial-query-rate 5; // default 20
 
-
-Q: Why are my logs in GMT (UTC).
-
-A: You are running chrooted (-t) and have not supplied local timzone
-information in the chroot area.
-
-	FreeBSD: /etc/localtime
-	Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo
-	OSF: /etc/zoneinfo/localtime
-
-	See also tzset(3) and zic(8).
-
-
-Q: I get the error message "named: capset failed: Operation not permitted"
-when starting named.
-
-A: The capset module has not been loaded into the kernel.  See insmod(8).

README

@@ -331,9 +331,9 @@ Bug Reports and Mailing Lists
 	mailing list.  Compilation questions should be sent to the
 	BIND 9 Users mailing list.
 
-	To join the BIND Users mailing list, send mail to
+	To join the BIND 9 Users mailing list, send mail to
 
-		bind-users-request@isc.org
+		bind9-users-request@isc.org
  
 	archives of which can be found via
 

bin/check/named-checkconf.8

@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: named-checkconf.8,v 1.11.2.2 2004/06/03 05:21:07 marka Exp $
+.\" $Id: named-checkconf.8,v 1.11.2.1 2004/03/15 04:44:37 marka Exp $
 .\"
 .TH "NAMED-CHECKCONF" "8" "June 14, 2000" "BIND9" ""
 .SH NAME
@@ -49,4 +49,4 @@ errors were detected and 0 otherwise.
 \fIBIND 9 Administrator Reference Manual\fR.
 .SH "AUTHOR"
 .PP
-Internet Systems Consortium
+Internet Software Consortium

bin/check/named-checkconf.docbook

@@ -16,7 +16,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: named-checkconf.docbook,v 1.3.2.3 2004/06/03 02:25:54 marka Exp $ -->
+<!-- $Id: named-checkconf.docbook,v 1.3.2.2 2004/03/09 06:09:09 marka Exp $ -->
 
 <refentry>
   <refentryinfo>
@@ -111,7 +111,7 @@
   <refsect1>
     <title>AUTHOR</title>
     <para>
-        <corpauthor>Internet Systems Consortium</corpauthor>
+        <corpauthor>Internet Software Consortium</corpauthor>
     </para>
   </refsect1>
 

bin/check/named-checkconf.html

@@ -15,7 +15,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: named-checkconf.html,v 1.5.2.3 2004/06/03 05:21:08 marka Exp $ -->
+<!-- $Id: named-checkconf.html,v 1.5.2.2 2004/03/15 04:44:37 marka Exp $ -->
 
 <HTML
 ><HEAD
@@ -188,7 +188,7 @@ NAME="AEN56"
 ><H2
 >AUTHOR</H2
 ><P
->        Internet Systems Consortium
+>        Internet Software Consortium
     </P
 ></DIV
 ></BODY

bin/check/named-checkzone.8

@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: named-checkzone.8,v 1.11.2.3 2004/06/03 05:21:08 marka Exp $
+.\" $Id: named-checkzone.8,v 1.11.2.2 2004/03/15 04:44:37 marka Exp $
 .\"
 .TH "NAMED-CHECKZONE" "8" "June 13, 2000" "BIND9" ""
 .SH NAME
@@ -62,4 +62,4 @@ errors were detected and 0 otherwise.
 \fIBIND 9 Administrator Reference Manual\fR.
 .SH "AUTHOR"
 .PP
-Internet Systems Consortium
+Internet Software Consortium

bin/check/named-checkzone.docbook

@@ -16,7 +16,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: named-checkzone.docbook,v 1.3.2.4 2004/06/03 02:25:55 marka Exp $ -->
+<!-- $Id: named-checkzone.docbook,v 1.3.2.3 2004/03/09 06:09:09 marka Exp $ -->
 
 <refentry>
   <refentryinfo>
@@ -151,7 +151,7 @@
   <refsect1>
     <title>AUTHOR</title>
     <para>
-        <corpauthor>Internet Systems Consortium</corpauthor>
+        <corpauthor>Internet Software Consortium</corpauthor>
     </para>
   </refsect1>
 

bin/check/named-checkzone.html

@@ -15,7 +15,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: named-checkzone.html,v 1.5.2.4 2004/06/03 05:21:08 marka Exp $ -->
+<!-- $Id: named-checkzone.html,v 1.5.2.3 2004/03/15 04:44:37 marka Exp $ -->
 
 <HTML
 ><HEAD
@@ -229,7 +229,7 @@ NAME="AEN80"
 ><H2
 >AUTHOR</H2
 ><P
->        Internet Systems Consortium
+>        Internet Software Consortium
     </P
 ></DIV
 ></BODY

bin/dig/dig.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dig.c,v 1.157.2.16 2004/06/07 03:59:08 marka Exp $ */
+/* $Id: dig.c,v 1.157.2.15 2004/03/09 06:09:12 marka Exp $ */
 
 #include <config.h>
 #include <stdlib.h>
@@ -1330,7 +1330,6 @@ dighost_shutdown(void) {
 		return;
 	}
 
-	fflush(stdout);
 	if (feof(batchfp)) {
 		batchname = NULL;
 		isc_app_shutdown();

bin/dig/nslookup.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nslookup.c,v 1.90.2.7 2004/06/07 03:59:08 marka Exp $ */
+/* $Id: nslookup.c,v 1.90.2.6 2004/03/09 06:09:13 marka Exp $ */
 
 #include <config.h>
 
@@ -703,7 +703,6 @@ get_next_command(void) {
 	char *ptr, *arg;
 	char *input;
 
-	fflush(stdout);
 	buf = isc_mem_allocate(mctx, COMMSIZE);
 	if (buf == NULL)
 		fatal("memory allocation failure");

bin/dnssec/dnssec-keygen.8

@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-keygen.8,v 1.19.2.2 2004/06/03 05:21:09 marka Exp $
+.\" $Id: dnssec-keygen.8,v 1.19.2.1 2004/03/15 04:44:38 marka Exp $
 .\"
 .TH "DNSSEC-KEYGEN" "8" "June 30, 2000" "BIND9" ""
 .SH NAME
@@ -165,4 +165,4 @@ the files \fIKexample.com.+003+26160.key\fR and
 \fIRFC 2539\fR.
 .SH "AUTHOR"
 .PP
-Internet Systems Consortium
+Internet Software Consortium

bin/dnssec/dnssec-keygen.docbook

@@ -16,7 +16,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: dnssec-keygen.docbook,v 1.3.2.2 2004/06/03 02:25:50 marka Exp $ -->
+<!-- $Id: dnssec-keygen.docbook,v 1.3.2.1 2004/03/09 06:09:15 marka Exp $ -->
 
 <refentry>
   <refentryinfo>
@@ -314,7 +314,7 @@
   <refsect1>
     <title>AUTHOR</title>
     <para>
-        <corpauthor>Internet Systems Consortium</corpauthor>
+        <corpauthor>Internet Software Consortium</corpauthor>
     </para>
   </refsect1>
 

bin/dnssec/dnssec-keygen.html

@@ -15,7 +15,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: dnssec-keygen.html,v 1.5.2.3 2004/06/03 05:21:10 marka Exp $ -->
+<!-- $Id: dnssec-keygen.html,v 1.5.2.2 2004/03/15 04:44:39 marka Exp $ -->
 
 <HTML
 ><HEAD
@@ -567,7 +567,7 @@ NAME="AEN177"
 ><H2
 >AUTHOR</H2
 ><P
->        Internet Systems Consortium
+>        Internet Software Consortium
     </P
 ></DIV
 ></BODY

bin/dnssec/dnssec-makekeyset.8

@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-makekeyset.8,v 1.16.2.4 2004/06/03 05:21:10 marka Exp $
+.\" $Id: dnssec-makekeyset.8,v 1.16.2.3 2004/03/15 04:44:39 marka Exp $
 .\"
 .TH "DNSSEC-MAKEKEYSET" "8" "June 30, 2000" "BIND9" ""
 .SH NAME
@@ -110,4 +110,4 @@ the keys and signatures securely.
 \fIRFC 2535\fR.
 .SH "AUTHOR"
 .PP
-Internet Systems Consortium
+Internet Software Consortium

bin/dnssec/dnssec-makekeyset.docbook

@@ -16,7 +16,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: dnssec-makekeyset.docbook,v 1.2.2.5 2004/06/03 02:25:50 marka Exp $ -->
+<!-- $Id: dnssec-makekeyset.docbook,v 1.2.2.4 2004/03/09 06:09:15 marka Exp $ -->
 
 <refentry>
   <refentryinfo>
@@ -220,7 +220,7 @@
   <refsect1>
     <title>AUTHOR</title>
     <para>
-        <corpauthor>Internet Systems Consortium</corpauthor>
+        <corpauthor>Internet Software Consortium</corpauthor>
     </para>
   </refsect1>
 

bin/dnssec/dnssec-makekeyset.html

@@ -15,7 +15,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: dnssec-makekeyset.html,v 1.4.2.4 2004/06/03 05:21:11 marka Exp $ -->
+<!-- $Id: dnssec-makekeyset.html,v 1.4.2.3 2004/03/15 04:44:39 marka Exp $ -->
 
 <HTML
 ><HEAD
@@ -399,7 +399,7 @@ NAME="AEN123"
 ><H2
 >AUTHOR</H2
 ><P
->        Internet Systems Consortium
+>        Internet Software Consortium
     </P
 ></DIV
 ></BODY

bin/dnssec/dnssec-signkey.8

@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-signkey.8,v 1.18.2.3 2004/06/03 05:21:11 marka Exp $
+.\" $Id: dnssec-signkey.8,v 1.18.2.2 2004/03/15 04:44:39 marka Exp $
 .\"
 .TH "DNSSEC-SIGNKEY" "8" "June 30, 2000" "BIND9" ""
 .SH NAME
@@ -105,4 +105,4 @@ signatures by the \fB.com\fR keys.
 \fBdnssec-signzone\fR(8).
 .SH "AUTHOR"
 .PP
-Internet Systems Consortium
+Internet Software Consortium

bin/dnssec/dnssec-signkey.docbook

@@ -16,7 +16,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: dnssec-signkey.docbook,v 1.2.2.4 2004/06/03 02:25:51 marka Exp $ -->
+<!-- $Id: dnssec-signkey.docbook,v 1.2.2.3 2004/03/09 06:09:15 marka Exp $ -->
 
 <refentry>
   <refentryinfo>
@@ -224,7 +224,7 @@
   <refsect1>
     <title>AUTHOR</title>
     <para>
-        <corpauthor>Internet Systems Consortium</corpauthor>
+        <corpauthor>Internet Software Consortium</corpauthor>
     </para>
   </refsect1>
 

bin/dnssec/dnssec-signkey.html

@@ -15,7 +15,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: dnssec-signkey.html,v 1.4.2.3 2004/06/03 05:21:11 marka Exp $ -->
+<!-- $Id: dnssec-signkey.html,v 1.4.2.2 2004/03/15 04:44:39 marka Exp $ -->
 
 <HTML
 ><HEAD
@@ -399,7 +399,7 @@ NAME="AEN128"
 ><H2
 >AUTHOR</H2
 ><P
->        Internet Systems Consortium
+>        Internet Software Consortium
     </P
 ></DIV
 ></BODY

bin/dnssec/dnssec-signzone.8

@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-signzone.8,v 1.23.2.4 2004/06/03 05:21:12 marka Exp $
+.\" $Id: dnssec-signzone.8,v 1.23.2.3 2004/03/15 04:44:39 marka Exp $
 .\"
 .TH "DNSSEC-SIGNZONE" "8" "June 30, 2000" "BIND9" ""
 .SH NAME
@@ -152,4 +152,4 @@ should be referenced in a zone statement in a
 \fIRFC 2535\fR.
 .SH "AUTHOR"
 .PP
-Internet Systems Consortium
+Internet Software Consortium

bin/dnssec/dnssec-signzone.docbook

@@ -16,7 +16,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: dnssec-signzone.docbook,v 1.2.2.5 2004/06/03 02:25:51 marka Exp $ -->
+<!-- $Id: dnssec-signzone.docbook,v 1.2.2.4 2004/03/09 06:09:16 marka Exp $ -->
 
 <refentry>
   <refentryinfo>
@@ -312,7 +312,7 @@
   <refsect1>
     <title>AUTHOR</title>
     <para>
-        <corpauthor>Internet Systems Consortium</corpauthor>
+        <corpauthor>Internet Software Consortium</corpauthor>
     </para>
   </refsect1>
 

bin/dnssec/dnssec-signzone.html

@@ -15,7 +15,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: dnssec-signzone.html,v 1.4.2.4 2004/06/03 05:21:12 marka Exp $ -->
+<!-- $Id: dnssec-signzone.html,v 1.4.2.3 2004/03/15 04:44:40 marka Exp $ -->
 
 <HTML
 ><HEAD
@@ -548,7 +548,7 @@ NAME="AEN179"
 ><H2
 >AUTHOR</H2
 ><P
->        Internet Systems Consortium
+>        Internet Software Consortium
     </P
 ></DIV
 ></BODY

bin/named/builtin.c

@@ -0,0 +1,228 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001-2003  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: builtin.c,v 1.5 2004/03/05 04:57:46 marka Exp $ */
+
+/*
+ * The built-in "version", "hostname", "id" and "authors" databases.
+ */
+
+#include <config.h>
+
+#include <string.h>
+#include <stdio.h>
+
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/util.h>
+
+#include <dns/sdb.h>
+#include <dns/result.h>
+
+#include <named/builtin.h>
+#include <named/globals.h>
+#include <named/server.h>
+#include <named/os.h>
+
+typedef struct builtin builtin_t;
+
+static isc_result_t do_version_lookup(dns_sdblookup_t *lookup);
+static isc_result_t do_hostname_lookup(dns_sdblookup_t *lookup);
+static isc_result_t do_authors_lookup(dns_sdblookup_t *lookup);
+static isc_result_t do_id_lookup(dns_sdblookup_t *lookup);
+
+/*
+ * We can't use function pointers as the db_data directly
+ * because ANSI C does not guarantee that function pointers
+ * can safely be cast to void pointers and back.
+ */
+
+struct builtin {
+	isc_result_t (*do_lookup)(dns_sdblookup_t *lookup);
+};
+
+static builtin_t version_builtin = { do_version_lookup };
+static builtin_t hostname_builtin = { do_hostname_lookup };
+static builtin_t authors_builtin = { do_authors_lookup };
+static builtin_t id_builtin = { do_id_lookup };
+
+static dns_sdbimplementation_t *builtin_impl;
+
+static isc_result_t
+builtin_lookup(const char *zone, const char *name, void *dbdata,
+	       dns_sdblookup_t *lookup)
+{
+	builtin_t *b = (builtin_t *) dbdata;
+
+	UNUSED(zone);
+
+	if (strcmp(name, "@") == 0)
+		return (b->do_lookup(lookup));
+	else
+		return (ISC_R_NOTFOUND);
+}
+
+static isc_result_t
+put_txt(dns_sdblookup_t *lookup, const char *text) {
+	unsigned char buf[256];
+	unsigned int len = strlen(text);
+	if (len > 255)
+		len = 255; /* Silently truncate */
+	buf[0] = len;
+	memcpy(&buf[1], text, len);
+	return (dns_sdb_putrdata(lookup, dns_rdatatype_txt, 0, buf, len + 1));
+}
+
+static isc_result_t
+do_version_lookup(dns_sdblookup_t *lookup) {
+	if (ns_g_server->version_set) {	
+		if (ns_g_server->version == NULL)
+			return (ISC_R_SUCCESS);
+		else
+			return (put_txt(lookup, ns_g_server->version));
+	} else {
+		return (put_txt(lookup, ns_g_version));
+	}
+}
+
+static isc_result_t
+do_hostname_lookup(dns_sdblookup_t *lookup) {
+	if (ns_g_server->hostname_set) {
+		if (ns_g_server->hostname == NULL)
+			return (ISC_R_SUCCESS);
+		else
+			return (put_txt(lookup, ns_g_server->hostname));
+	} else {
+		char buf[256];
+		isc_result_t result = ns_os_gethostname(buf, sizeof(buf));
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		return (put_txt(lookup, buf));
+	}
+}
+
+static isc_result_t
+do_authors_lookup(dns_sdblookup_t *lookup) {
+	isc_result_t result;
+	const char **p;
+	static const char *authors[] = {
+		"Mark Andrews",
+		"James Brister",
+		"Ben Cottrell",
+		"Michael Graff",
+		"Andreas Gustafsson",
+		"Bob Halley",
+		"David Lawrence",
+		"Danny Mayer",
+		"Damien Neil",
+		"Matt Nelson",
+		"Michael Sawyer",
+		"Brian Wellington",
+		NULL
+	};
+
+	/*
+	 * If a version string is specified, disable the authors.bind zone.
+	 */
+	if (ns_g_server->version_set)
+		return (ISC_R_SUCCESS);
+
+	for (p = authors; *p != NULL; p++) {
+		result = put_txt(lookup, *p);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+do_id_lookup(dns_sdblookup_t *lookup) {
+
+	if (ns_g_server->server_usehostname) {
+		char buf[256];
+		isc_result_t result = ns_os_gethostname(buf, sizeof(buf));
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		return (put_txt(lookup, buf));
+	}
+
+	if (ns_g_server->server_id == NULL)
+		return (ISC_R_SUCCESS);
+	else
+		return (put_txt(lookup, ns_g_server->server_id));
+}
+
+static isc_result_t
+builtin_authority(const char *zone, void *dbdata, dns_sdblookup_t *lookup) {
+	isc_result_t result;
+
+	UNUSED(zone);
+	UNUSED(dbdata);
+
+	result = dns_sdb_putsoa(lookup, "@", "hostmaster", 0);
+	if (result != ISC_R_SUCCESS)
+		return (ISC_R_FAILURE);
+	result = dns_sdb_putrr(lookup, "ns", 0, "@");
+	if (result != ISC_R_SUCCESS)
+		return (ISC_R_FAILURE);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+builtin_create(const char *zone, int argc, char **argv,
+	       void *driverdata, void **dbdata)
+{
+	UNUSED(zone);
+	UNUSED(driverdata);
+	if (argc != 1)
+		return (DNS_R_SYNTAX);
+	if (strcmp(argv[0], "version") == 0)
+		*dbdata = &version_builtin;
+	else if (strcmp(argv[0], "hostname") == 0)
+		*dbdata = &hostname_builtin;
+	else if (strcmp(argv[0], "authors") == 0)
+		*dbdata = &authors_builtin;
+	else if (strcmp(argv[0], "id") == 0)
+		*dbdata = &id_builtin;
+	else
+		return (ISC_R_NOTIMPLEMENTED);
+	return (ISC_R_SUCCESS);
+}
+
+static dns_sdbmethods_t builtin_methods = {
+	builtin_lookup,
+	builtin_authority,
+	NULL,		/* allnodes */
+	builtin_create,
+	NULL		/* destroy */
+};
+
+isc_result_t
+ns_builtin_init(void) {
+	RUNTIME_CHECK(dns_sdb_register("_builtin", &builtin_methods, NULL,
+				       DNS_SDBFLAG_RELATIVEOWNER |
+				       DNS_SDBFLAG_RELATIVERDATA,
+				       ns_g_mctx, &builtin_impl)
+		      == ISC_R_SUCCESS);
+	return (ISC_R_SUCCESS);
+}
+
+void
+ns_builtin_deinit(void) {
+	dns_sdb_unregister(&builtin_impl);
+}

bin/named/include/named/builtin.h

@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: builtin.h,v 1.2 2004/03/05 04:57:55 marka Exp $ */
+
+#ifndef NAMED_BUILTIN_H
+#define NAMED_BUILTIN_H 1
+
+#include <isc/types.h>
+
+isc_result_t ns_builtin_init(void);
+
+void ns_builtin_deinit(void);
+
+#endif /* NAMED_BUILTIN_H */

bin/named/lwresd.8

@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwresd.8,v 1.13.2.2 2004/06/03 05:21:13 marka Exp $
+.\" $Id: lwresd.8,v 1.13.2.1 2004/03/15 04:44:40 marka Exp $
 .\"
 .TH "LWRESD" "8" "June 30, 2000" "BIND9" ""
 .SH NAME
@@ -137,4 +137,4 @@ The default process-id file.
 \fBresolver\fR(5).
 .SH "AUTHOR"
 .PP
-Internet Systems Consortium
+Internet Software Consortium

bin/named/lwresd.docbook

@@ -16,7 +16,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwresd.docbook,v 1.6.2.2 2004/06/03 02:25:52 marka Exp $ -->
+<!-- $Id: lwresd.docbook,v 1.6.2.1 2004/03/09 06:09:19 marka Exp $ -->
 
 <refentry>
   <refentryinfo>
@@ -286,7 +286,7 @@
   <refsect1>
     <title>AUTHOR</title>
     <para>
-	<corpauthor>Internet Systems Consortium</corpauthor>
+	<corpauthor>Internet Software Consortium</corpauthor>
     </para>
   </refsect1>
 

bin/named/lwresd.html

@@ -15,7 +15,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwresd.html,v 1.4.2.3 2004/06/03 05:21:13 marka Exp $ -->
+<!-- $Id: lwresd.html,v 1.4.2.2 2004/03/15 04:44:40 marka Exp $ -->
 
 <HTML
 ><HEAD
@@ -533,7 +533,7 @@ NAME="AEN162"
 ><H2
 >AUTHOR</H2
 ><P
->	Internet Systems Consortium
+>	Internet Software Consortium
     </P
 ></DIV
 ></BODY

bin/named/named.8

@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: named.8,v 1.17.2.2 2004/06/03 05:21:13 marka Exp $
+.\" $Id: named.8,v 1.17.2.1 2004/03/15 04:44:40 marka Exp $
 .\"
 .TH "NAMED" "8" "June 30, 2000" "BIND9" ""
 .SH NAME
@@ -164,4 +164,4 @@ The default process-id file.
 \fIBIND 9 Administrator Reference Manual\fR.
 .SH "AUTHOR"
 .PP
-Internet Systems Consortium
+Internet Software Consortium

bin/named/named.docbook

@@ -16,7 +16,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: named.docbook,v 1.5.2.2 2004/06/03 02:25:52 marka Exp $ -->
+<!-- $Id: named.docbook,v 1.5.2.1 2004/03/09 06:09:19 marka Exp $ -->
 
 <refentry>
   <refentryinfo>
@@ -333,7 +333,7 @@
   <refsect1>
     <title>AUTHOR</title>
     <para>
-	<corpauthor>Internet Systems Consortium</corpauthor>
+	<corpauthor>Internet Software Consortium</corpauthor>
     </para>
   </refsect1>
 

bin/named/named.html

@@ -15,7 +15,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: named.html,v 1.4.2.3 2004/06/03 05:21:14 marka Exp $ -->
+<!-- $Id: named.html,v 1.4.2.2 2004/03/15 04:44:40 marka Exp $ -->
 
 <HTML
 ><HEAD
@@ -625,7 +625,7 @@ NAME="AEN182"
 ><H2
 >AUTHOR</H2
 ><P
->	Internet Systems Consortium
+>	Internet Software Consortium
     </P
 ></DIV
 ></BODY

bin/named/update.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: update.c,v 1.88.2.10 2004/06/04 03:45:15 marka Exp $ */
+/* $Id: update.c,v 1.88.2.9 2004/05/12 06:39:11 marka Exp $ */
 
 #include <config.h>
 
@@ -1027,16 +1027,14 @@ add_rr_prepare_action(void *data, rr_t *rr) {
 	isc_result_t result = ISC_R_SUCCESS;	
 	add_rr_prepare_ctx_t *ctx = data;
 	dns_difftuple_t *tuple = NULL;
-	isc_boolean_t equal;
 
 	/*
 	 * If the update RR is a "duplicate" of the update RR,
 	 * the update should be silently ignored.
 	 */
-	equal = ISC_TF(dns_rdata_compare(&rr->rdata, ctx->update_rr) == 0);
-	if (equal && rr->ttl == ctx->update_rr_ttl) {
+	if (dns_rdata_compare(&rr->rdata, ctx->update_rr) == 0 &&
+	    rr->ttl == ctx->update_rr_ttl) {
 		ctx->ignore_add = ISC_TRUE;
-		return (ISC_R_SUCCESS);
 	}
 
 	/*
@@ -1064,14 +1062,12 @@ add_rr_prepare_action(void *data, rr_t *rr) {
 					   &rr->rdata,
 					   &tuple));
 		dns_diff_append(&ctx->del_diff, &tuple);
-		if (!equal) {
-			CHECK(dns_difftuple_create(ctx->add_diff.mctx,
-						   DNS_DIFFOP_ADD, ctx->name,
-						   ctx->update_rr_ttl,
-						   &rr->rdata,
-						   &tuple));
-			dns_diff_append(&ctx->add_diff, &tuple);
-		}
+		CHECK(dns_difftuple_create(ctx->add_diff.mctx,
+					   DNS_DIFFOP_ADD, ctx->name,
+					   ctx->update_rr_ttl,
+					   &rr->rdata,
+					   &tuple));
+		dns_diff_append(&ctx->add_diff, &tuple);
 	}
  failure:
 	return (result);

bin/rndc/rndc-confgen.8

@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: rndc-confgen.8,v 1.3.2.8 2004/06/03 05:21:14 marka Exp $
+.\" $Id: rndc-confgen.8,v 1.3.2.7 2004/03/09 06:09:26 marka Exp $
 .\"
 .TH "RNDC-CONFGEN" "8" "Aug 27, 2001" "BIND9" ""
 .SH NAME
@@ -127,4 +127,4 @@ run
 \fIBIND 9 Administrator Reference Manual\fR.
 .SH "AUTHOR"
 .PP
-Internet Systems Consortium
+Internet Software Consortium

bin/rndc/rndc-confgen.docbook

@@ -16,7 +16,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: rndc-confgen.docbook,v 1.3.2.3 2004/06/03 02:25:54 marka Exp $ -->
+<!-- $Id: rndc-confgen.docbook,v 1.3.2.2 2004/03/09 06:09:26 marka Exp $ -->
 
 <refentry>
   <refentryinfo>
@@ -249,7 +249,7 @@
   <refsect1>
     <title>AUTHOR</title>
     <para>
-        <corpauthor>Internet Systems Consortium</corpauthor>
+        <corpauthor>Internet Software Consortium</corpauthor>
     </para>
   </refsect1>
 

bin/rndc/rndc-confgen.html

@@ -15,7 +15,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: rndc-confgen.html,v 1.3.2.8 2004/06/03 05:21:15 marka Exp $ -->
+<!-- $Id: rndc-confgen.html,v 1.3.2.7 2004/03/09 06:09:26 marka Exp $ -->
 
 <HTML
 ><HEAD
@@ -540,7 +540,7 @@ NAME="AEN167"
 ><H2
 >AUTHOR</H2
 ><P
->        Internet Systems Consortium
+>        Internet Software Consortium
     </P
 ></DIV
 ></BODY

bin/rndc/rndc.8

@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: rndc.8,v 1.24.2.2 2004/06/03 05:21:15 marka Exp $
+.\" $Id: rndc.8,v 1.24.2.1 2004/03/15 04:44:41 marka Exp $
 .\"
 .TH "RNDC" "8" "June 30, 2000" "BIND9" ""
 .SH NAME
@@ -115,4 +115,4 @@ Several error messages could be clearer.
 \fIBIND 9 Administrator Reference Manual\fR.
 .SH "AUTHOR"
 .PP
-Internet Systems Consortium
+Internet Software Consortium

bin/rndc/rndc.conf.5

@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: rndc.conf.5,v 1.21.2.2 2004/06/03 05:21:15 marka Exp $
+.\" $Id: rndc.conf.5,v 1.21.2.1 2004/03/15 04:44:41 marka Exp $
 .\"
 .TH "RNDC.CONF" "5" "June 30, 2000" "BIND9" ""
 .SH NAME
@@ -139,4 +139,4 @@ BIND 9 Administrator Reference Manual for details.
 \fIBIND 9 Administrator Reference Manual\fR.
 .SH "AUTHOR"
 .PP
-Internet Systems Consortium
+Internet Software Consortium

bin/rndc/rndc.conf.docbook

@@ -16,7 +16,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: rndc.conf.docbook,v 1.4.2.2 2004/06/03 02:25:53 marka Exp $ -->
+<!-- $Id: rndc.conf.docbook,v 1.4.2.1 2004/03/09 06:09:27 marka Exp $ -->
 
 <refentry>
   <refentryinfo>
@@ -196,7 +196,7 @@
   <refsect1>
     <title>AUTHOR</title>
     <para>
-        <corpauthor>Internet Systems Consortium</corpauthor>
+        <corpauthor>Internet Software Consortium</corpauthor>
     </para>
   </refsect1>
 

bin/rndc/rndc.conf.html

@@ -15,7 +15,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: rndc.conf.html,v 1.5.2.3 2004/06/03 05:21:16 marka Exp $ -->
+<!-- $Id: rndc.conf.html,v 1.5.2.2 2004/03/15 04:44:41 marka Exp $ -->
 
 <HTML
 ><HEAD
@@ -373,7 +373,7 @@ NAME="AEN91"
 ><H2
 >AUTHOR</H2
 ><P
->        Internet Systems Consortium
+>        Internet Software Consortium
     </P
 ></DIV
 ></BODY

bin/rndc/rndc.docbook

@@ -16,7 +16,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: rndc.docbook,v 1.7.2.2 2004/06/03 02:25:53 marka Exp $ -->
+<!-- $Id: rndc.docbook,v 1.7.2.1 2004/03/09 06:09:27 marka Exp $ -->
 
 <refentry>
   <refentryinfo>
@@ -214,7 +214,7 @@
   <refsect1>
     <title>AUTHOR</title>
     <para>
-        <corpauthor>Internet Systems Consortium</corpauthor>
+        <corpauthor>Internet Software Consortium</corpauthor>
     </para>
   </refsect1>
 

bin/rndc/rndc.html

@@ -15,7 +15,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: rndc.html,v 1.7.2.3 2004/06/03 05:21:16 marka Exp $ -->
+<!-- $Id: rndc.html,v 1.7.2.2 2004/03/15 04:44:42 marka Exp $ -->
 
 <HTML
 ><HEAD
@@ -416,7 +416,7 @@ NAME="AEN118"
 ><H2
 >AUTHOR</H2
 ><P
->        Internet Systems Consortium
+>        Internet Software Consortium
     </P
 ></DIV
 ></BODY

bin/tests/nsecify.c

@@ -0,0 +1,215 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: nsecify.c,v 1.3 2004/03/05 04:58:39 marka Exp $ */
+
+#include <config.h>
+
+#include <stdlib.h>
+
+#include <isc/mem.h>
+#include <isc/string.h>
+
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/fixedname.h>
+#include <dns/nsec.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/result.h>
+
+static isc_mem_t *mctx = NULL;
+
+static inline void
+fatal(const char *message) {
+	fprintf(stderr, "%s\n", message);
+	exit(1);
+}
+
+static inline void
+check_result(isc_result_t result, const char *message) {
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "%s: %s\n", message,
+			isc_result_totext(result));
+		exit(1);
+	}
+}
+
+static inline isc_boolean_t
+active_node(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node) {
+	dns_rdatasetiter_t *rdsiter;
+	isc_boolean_t active = ISC_FALSE;
+	isc_result_t result;
+	dns_rdataset_t rdataset;
+
+	dns_rdataset_init(&rdataset);
+	rdsiter = NULL;
+	result = dns_db_allrdatasets(db, node, version, 0, &rdsiter);
+	check_result(result, "dns_db_allrdatasets()");
+	result = dns_rdatasetiter_first(rdsiter);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdatasetiter_current(rdsiter, &rdataset);
+		if (rdataset.type != dns_rdatatype_nsec)
+			active = ISC_TRUE;
+		dns_rdataset_disassociate(&rdataset);
+		if (!active)
+			result = dns_rdatasetiter_next(rdsiter);
+		else
+			result = ISC_R_NOMORE;
+	}
+	if (result != ISC_R_NOMORE)
+		fatal("rdataset iteration failed");
+	dns_rdatasetiter_destroy(&rdsiter);
+
+	if (!active) {
+		/*
+		 * Make sure there is no NSEC record for this node.
+		 */
+		result = dns_db_deleterdataset(db, node, version,
+					       dns_rdatatype_nsec, 0);
+		if (result == DNS_R_UNCHANGED)
+			result = ISC_R_SUCCESS;
+		check_result(result, "dns_db_deleterdataset");
+	}
+
+	return (active);
+}
+
+static inline isc_result_t
+next_active(dns_db_t *db, dns_dbversion_t *version, dns_dbiterator_t *dbiter,
+	    dns_name_t *name, dns_dbnode_t **nodep)
+{
+	isc_result_t result;
+	isc_boolean_t active;
+
+	do {
+		active = ISC_FALSE;
+		result = dns_dbiterator_current(dbiter, nodep, name);
+		if (result == ISC_R_SUCCESS) {
+			active = active_node(db, version, *nodep);
+			if (!active) {
+				dns_db_detachnode(db, nodep);
+				result = dns_dbiterator_next(dbiter);
+			}
+		}
+	} while (result == ISC_R_SUCCESS && !active);
+
+	return (result);
+}
+
+static void
+nsecify(char *filename) {
+	isc_result_t result;
+	dns_db_t *db;
+	dns_dbversion_t *wversion;
+	dns_dbnode_t *node, *nextnode;
+	char *origintext;
+	dns_fixedname_t fname, fnextname;
+	dns_name_t *name, *nextname, *target;
+	isc_buffer_t b;
+	size_t len;
+	dns_dbiterator_t *dbiter;
+	char newfilename[1024];
+
+	dns_fixedname_init(&fname);
+	name = dns_fixedname_name(&fname);
+	dns_fixedname_init(&fnextname);
+	nextname = dns_fixedname_name(&fnextname);
+
+	origintext = strrchr(filename, '/');
+	if (origintext == NULL)
+		origintext = filename;
+	else
+		origintext++;	/* Skip '/'. */
+	len = strlen(origintext);
+	isc_buffer_init(&b, origintext, len);
+	isc_buffer_add(&b, len);
+	result = dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE, NULL);
+	check_result(result, "dns_name_fromtext()");
+
+	db = NULL;
+	result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone,
+			       dns_rdataclass_in, 0, NULL, &db);
+	check_result(result, "dns_db_create()");
+	result = dns_db_load(db, filename);
+	if (result == DNS_R_SEENINCLUDE)
+		result = ISC_R_SUCCESS;
+	check_result(result, "dns_db_load()");
+	wversion = NULL;
+	result = dns_db_newversion(db, &wversion);
+	check_result(result, "dns_db_newversion()");
+	dbiter = NULL;
+	result = dns_db_createiterator(db, ISC_FALSE, &dbiter);
+	check_result(result, "dns_db_createiterator()");
+	result = dns_dbiterator_first(dbiter);
+	node = NULL;
+	result = next_active(db, wversion, dbiter, name, &node);
+	while (result == ISC_R_SUCCESS) {
+		nextnode = NULL;
+		result = dns_dbiterator_next(dbiter);
+		if (result == ISC_R_SUCCESS)
+			result = next_active(db, wversion, dbiter, nextname,
+					     &nextnode);
+		if (result == ISC_R_SUCCESS)
+			target = nextname;
+		else if (result == ISC_R_NOMORE)
+			target = dns_db_origin(db);
+		else {
+			target = NULL;	/* Make compiler happy. */
+			fatal("db iteration failed");
+		}
+		dns_nsec_build(db, wversion, node, target, 3600); /* XXX BEW */
+		dns_db_detachnode(db, &node);
+		node = nextnode;
+	}
+	if (result != ISC_R_NOMORE)
+		fatal("db iteration failed");
+	dns_dbiterator_destroy(&dbiter);
+	/*
+	 * XXXRTH  For now, we don't increment the SOA serial.
+	 */
+	dns_db_closeversion(db, &wversion, ISC_TRUE);
+	len = strlen(filename);
+	if (len + 4 + 1 > sizeof(newfilename))
+		fatal("filename too long");
+	sprintf(newfilename, "%s.new", filename);
+	result = dns_db_dump(db, NULL, newfilename);
+	check_result(result, "dns_db_dump");
+	dns_db_detach(&db);
+}
+
+int
+main(int argc, char *argv[]) {
+	int i;
+	isc_result_t result;
+
+	dns_result_register();
+
+	result = isc_mem_create(0, 0, &mctx);
+	check_result(result, "isc_mem_create()");
+
+	argc--;
+	argv++;
+
+	for (i = 0; i < argc; i++)
+		nsecify(argv[i]);
+
+	/* isc_mem_stats(mctx, stdout); */
+	isc_mem_destroy(&mctx);
+
+	return (0);
+}

bin/tests/system/checknames/clean.sh

@@ -0,0 +1,23 @@
+#!/bin/sh
+#
+# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: clean.sh,v 1.3 2004/03/05 04:59:26 marka Exp $
+
+rm -f dig.out.ns?.test*
+rm -f nsupdate.out.test*
+rm -f ns1/*.example.db
+rm -f ns1/*.update.db
+rm -f ns1/*.update.db.jnl

bin/tests/system/checknames/ns1/fail.example.db.in

@@ -0,0 +1,22 @@
+; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: fail.example.db.in,v 1.3 2004/03/05 04:59:37 marka Exp $
+
+$TTL 300
+@	SOA ns1.fail.example. hostmaster.fail.example. (
+	    1 3600 1200 604800 3600 )
+	NS  ns1.fail.example.
+ns1.fail.example. A 10.53.0.1
+xx_xx.fail.example. A 127.0.0.1

bin/tests/system/checknames/ns1/fail.update.db.in

@@ -0,0 +1,21 @@
+; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: fail.update.db.in,v 1.3 2004/03/05 04:59:37 marka Exp $
+
+$TTL 300
+@	SOA ns1.fail.update. hostmaster.fail.update. (
+	    1 3600 1200 604800 3600 )
+	NS  ns1.fail.update.
+ns1.fail.update. A 10.53.0.1

bin/tests/system/checknames/ns1/ignore.example.db.in

@@ -0,0 +1,23 @@
+; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: ignore.example.db.in,v 1.3 2004/03/05 04:59:37 marka Exp $
+
+$TTL 300
+@	SOA ns1.ignore.example. hostmaster.ignore.example. (
+	    1 3600 1200 604800 3600 )
+	NS  ns1.ignore.example.
+ns1.ignore.example. A 10.53.0.1
+yy_yy.ignore.example. A 10.53.0.1
+mx.ignore.example. MX 10 zz_zz.ignore.example.

bin/tests/system/checknames/ns1/ignore.update.db.in

@@ -0,0 +1,21 @@
+; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: ignore.update.db.in,v 1.3 2004/03/05 04:59:38 marka Exp $
+
+$TTL 300
+@	SOA ns1.ignore.update. hostmaster.ignore.update. (
+	    1 3600 1200 604800 3600 )
+	NS  ns1.ignore.update.
+ns1.ignore.update. A 10.53.0.1

bin/tests/system/checknames/ns1/named.conf

@@ -0,0 +1,75 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.4 2004/03/05 04:59:38 marka Exp $ */
+
+controls { /* empty */ };
+
+options {
+        query-source address 10.53.0.1;
+        notify-source 10.53.0.1;
+        transfer-source 10.53.0.1;
+        port 5300;
+        pid-file "named.pid";
+        listen-on { 10.53.0.1; };
+        listen-on-v6 { none; };
+        recursion no;
+        notify yes;
+};
+
+zone "." {
+	type master;
+	file "root.db";
+};
+
+zone "ignore.example" {
+	type master;
+	file "ignore.example.db";
+	check-names ignore;
+};
+
+zone "warn.example" {
+	type master;
+	file "warn.example.db";
+	check-names warn;
+};
+
+zone "fail.example" {
+	type master;
+	file "fail.example.db";
+	check-names fail;
+};
+
+zone "ignore.update" {
+	type master;
+	file "ignore.update.db";
+	allow-update { any; };
+	check-names ignore;
+};
+
+zone "warn.update" {
+	type master;
+	file "warn.update.db";
+	allow-update { any; };
+	check-names warn;
+};
+
+zone "fail.update" {
+	type master;
+	file "fail.update.db";
+	allow-update { any; };
+	check-names fail;
+};

bin/tests/system/checknames/ns1/root.db

@@ -0,0 +1,35 @@
+; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: root.db,v 1.3 2004/03/05 04:59:38 marka Exp $
+
+$TTL 300
+@	SOA ns1. hostmaster.warn.example. (
+	    1 3600 1200 604800 3600 )
+	NS  ns1.
+ns1. A 10.53.0.1
+;
+ignore.example. NS ns1.ignore.example.
+ns1.ignore.example. A 10.53.0.1
+warn.example. NS ns1.warn.example.
+ns1.warn.example. A 10.53.0.1
+fail.example. NS ns1.fail.example.
+ns1.fail.example. A 10.53.0.1
+;
+ignore.update. NS ns1.ignore.update.
+ns1.ignore.update. A 10.53.0.1
+warn.update. NS ns1.warn.update.
+ns1.warn.update. A 10.53.0.1
+fail.update. NS ns1.fail.update.
+ns1.fail.update. A 10.53.0.1

bin/tests/system/checknames/ns1/warn.example.db.in

@@ -0,0 +1,22 @@
+; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: warn.example.db.in,v 1.3 2004/03/05 04:59:38 marka Exp $
+
+$TTL 300
+@	SOA ns1.warn.example. hostmaster.warn.example. (
+	    1 3600 1200 604800 3600 )
+	NS  ns1.warn.example.
+ns1.warn.example. A 10.53.0.1
+xx_xx.warn.example. A 10.53.0.1

bin/tests/system/checknames/ns1/warn.update.db.in

@@ -0,0 +1,21 @@
+; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: warn.update.db.in,v 1.3 2004/03/05 04:59:38 marka Exp $
+
+$TTL 300
+@	SOA ns1.warn.update. hostmaster.warn.update. (
+	    1 3600 1200 604800 3600 )
+	NS  ns1.warn.update.
+ns1.warn.update. A 10.53.0.1

bin/tests/system/checknames/ns2/named.conf

@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.4 2004/03/05 04:59:41 marka Exp $ */
+
+controls { /* empty */ };
+
+options {
+        query-source address 10.53.0.2;
+        notify-source 10.53.0.2;
+        transfer-source 10.53.0.2;
+        port 5300;
+        pid-file "named.pid";
+        listen-on { 10.53.0.2; };
+        listen-on-v6 { none; };
+        recursion yes;
+	check-names response warn;
+        notify yes;
+};
+
+zone "." {
+	type hint;
+	file "root.hints";
+};

bin/tests/system/checknames/ns2/root.hints

@@ -0,0 +1,19 @@
+; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: root.hints,v 1.3 2004/03/05 04:59:41 marka Exp $
+
+$TTL 300
+. NS  ns1.
+ns1. A 10.53.0.1

bin/tests/system/checknames/ns3/named.conf

@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.4 2004/03/05 04:59:45 marka Exp $ */
+
+controls { /* empty */ };
+
+options {
+        query-source address 10.53.0.3;
+        notify-source 10.53.0.3;
+        transfer-source 10.53.0.3;
+        port 5300;
+        pid-file "named.pid";
+        listen-on { 10.53.0.3; };
+        listen-on-v6 { none; };
+        recursion yes;
+	check-names response fail;
+        notify yes;
+};
+
+zone "." {
+	type hint;
+	file "root.hints";
+};

bin/tests/system/checknames/ns3/root.hints

@@ -0,0 +1,19 @@
+; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: root.hints,v 1.3 2004/03/05 04:59:45 marka Exp $
+
+$TTL 300
+. NS  ns1.
+ns1. A 10.53.0.1

bin/tests/system/checknames/setup.sh

@@ -0,0 +1,23 @@
+# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: setup.sh,v 1.3 2004/03/05 04:59:26 marka Exp $
+
+cp ns1/ignore.example.db.in ns1/ignore.example.db
+cp ns1/warn.example.db.in ns1/warn.example.db
+cp ns1/fail.example.db.in ns1/fail.example.db
+
+cp ns1/ignore.update.db.in ns1/ignore.update.db
+cp ns1/warn.update.db.in ns1/warn.update.db
+cp ns1/fail.update.db.in ns1/fail.update.db

bin/tests/system/checknames/tests.sh

@@ -0,0 +1,134 @@
+#!/bin/sh
+#
+# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: tests.sh,v 1.3 2004/03/05 04:59:26 marka Exp $
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+n=1
+
+DIGOPTS="+tcp +noadd +nosea +nostat +nocmd -p 5300"
+
+# Entry should exist.
+echo "I: check for failure from on zone load for 'check-names fail;' ($n)"
+ret=0
+$DIG $DIGOPTS fail.example. @10.53.0.1 a > dig.out.ns1.test$n || ret=1
+grep SERVFAIL dig.out.ns1.test$n > /dev/null || ret=1
+grep 'xx_xx.fail.example: bad owner name (check-names)' ns1/named.run > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+# Entry should exist.
+echo "I: check for warnings from on zone load for 'check-names warn;' ($n)"
+ret=0
+grep 'xx_xx.warn.example: bad owner name (check-names)' ns1/named.run > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+# Entry should not exist.
+echo "I: check for warnings from on zone load for 'check-names ignore;' ($n)"
+ret=1
+grep 'yy_yy.ignore.example: bad owner name (check-names)' ns1/named.run || ret=0
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+# Entry should exist
+echo "I: check that 'check-names response warn;' works ($n)"
+ret=0
+$DIG $DIGOPTS yy_yy.ignore.example. @10.53.0.1 a > dig.out.ns1.test$n || ret=1
+$DIG $DIGOPTS yy_yy.ignore.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1
+grep "check-names warning yy_yy.ignore.example/A/IN" ns2/named.run > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+# Entry should exist
+echo "I: check that 'check-names response (owner) fails;' works ($n)"
+ret=0
+$DIG $DIGOPTS yy_yy.ignore.example. @10.53.0.1 a > dig.out.ns1.test$n || ret=1
+$DIG $DIGOPTS yy_yy.ignore.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+grep NOERROR dig.out.ns1.test$n > /dev/null || ret=1
+grep REFUSED dig.out.ns3.test$n > /dev/null || ret=1
+grep "check-names failure yy_yy.ignore.example/A/IN" ns3/named.run > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+# Entry should exist
+echo "I: check that 'check-names response (rdata) fails;' works ($n)"
+ret=0
+$DIG $DIGOPTS mx.ignore.example. @10.53.0.1 MX > dig.out.ns1.test$n || ret=1
+$DIG $DIGOPTS mx.ignore.example. @10.53.0.3 MX > dig.out.ns3.test$n || ret=1
+grep NOERROR dig.out.ns1.test$n > /dev/null || ret=1
+grep SERVFAIL dig.out.ns3.test$n > /dev/null || ret=1
+grep "check-names failure mx.ignore.example/MX/IN" ns3/named.run > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+echo "I: check that updates to 'check-names fail;' are rejected ($n)"
+ret=0
+not=1
+$NSUPDATE -d <<END> nsupdate.out.test$n 2>&1 || not=0
+server 10.53.0.1 5300
+update add xxx_xxx.fail.update. 600 A 10.10.10.1
+send
+END
+if [ $not != 0 ]; then ret=1; fi
+$DIG $DIGOPTS xxx_xxx.fail.update @10.53.0.1 A > dig.out.ns1.test$n || ret=1
+grep "xxx_xxx.fail.update/A: bad owner name (check-names)" ns1/named.run > /dev/null || ret=1
+grep NXDOMAIN dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+echo "I: check that updates to 'check-names warn;' succeed and are logged ($n)"
+ret=0
+$NSUPDATE -d <<END> nsupdate.out.test$n  2>&1|| ret=1
+server 10.53.0.1 5300
+update add xxx_xxx.warn.update. 600 A 10.10.10.1
+send
+END
+$DIG $DIGOPTS xxx_xxx.warn.update @10.53.0.1 A > dig.out.ns1.test$n || ret=1
+grep "xxx_xxx.warn.update/A: bad owner name (check-names)" ns1/named.run > /dev/null || ret=1
+grep NOERROR dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+echo "I: check that updates to 'check-names ignore;' succeed and are not logged ($n)"
+ret=0
+not=1
+$NSUPDATE -d <<END> nsupdate.out.test$n 2>&1 || ret=1
+server 10.53.0.1 5300
+update add xxx_xxx.ignore.update. 600 A 10.10.10.1
+send
+END
+grep "xxx_xxx.ignore.update/A.*(check-names)" ns1/named.run > /dev/null || not=0
+if [ $not != 0 ]; then ret=1; fi
+$DIG $DIGOPTS xxx_xxx.ignore.update @10.53.0.1 A > dig.out.ns1.test$n || ret=1
+grep NOERROR dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+exit $status

bin/tests/system/dlv/clean.sh

@@ -0,0 +1,27 @@
+#!/bin/sh
+#
+# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: clean.sh,v 1.2 2004/05/14 04:58:18 marka Exp $
+
+rm -f random.data
+rm -f ns*/named.run
+rm -f ns3/K*
+rm -f ns3/*.db
+rm -f ns3/*.signed
+rm -f ns3/dlvset-*
+rm -f ns3/dsset-*
+rm -f ns3/keyset-*
+rm -f ns3/trusted.conf ns5/trusted.conf

bin/tests/system/dlv/ns1/named.conf

@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.2 2004/05/14 04:58:20 marka Exp $ */
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port 5300;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	dnssec-enable no;
+};
+
+zone "." { type master; file "root.db"; };
+zone "rootservers.utld" { type master; file "rootservers.utld.db"; };

bin/tests/system/dlv/ns1/root.db

@@ -0,0 +1,24 @@
+; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: root.db,v 1.2 2004/05/14 04:58:20 marka Exp $
+
+$TTL	120
+@		SOA	ns.rootservers.utld hostmaster.ns.rootservers.utld (
+			1 3600 1200 604800 60 )
+@		NS	ns.rootservers.utld
+ns		A	10.53.0.1
+;
+utld		NS	ns.utld
+ns.utld		A	10.53.0.2

bin/tests/system/dlv/ns1/rootservers.utld.db

@@ -0,0 +1,20 @@
+; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: rootservers.utld.db,v 1.2 2004/05/14 04:58:20 marka Exp $
+
+$TTL	120
+@	SOA	ns hostmaster.ns 1 3600 1200 604800 60
+@	NS	ns
+ns	A	10.53.0.1

bin/tests/system/dlv/ns2/hints

@@ -0,0 +1,18 @@
+; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: hints,v 1.2 2004/05/14 04:58:21 marka Exp $
+
+. 0 NS ns.rootservers.utld.
+ns.rootservers.utld. 0 A 10.53.0.1

bin/tests/system/dlv/ns2/named.conf

@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.2 2004/05/14 04:58:21 marka Exp $ */
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port 5300;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	dnssec-enable no;
+};
+
+zone "." { type hint; file "hints"; };
+zone "utld" { type master; file "utld.db"; };

bin/tests/system/dlv/ns2/utld.db

@@ -0,0 +1,56 @@
+; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: utld.db,v 1.2 2004/05/14 04:58:21 marka Exp $
+
+$TTL	120
+@		SOA	ns hostmaster.ns 1 3600 1200 604800 60
+@		NS	ns
+ns		A	10.53.0.2
+;
+rootservers	NS	ns.rootservers
+ns.rootservers	A	10.53.0.1
+;
+dlv		NS	ns.dlv
+ns.dlv		A	10.53.0.3
+;
+child1		NS	ns.child1
+ns.child1	A	10.53.0.3
+;
+child2		NS	ns.child2
+ns.child2	A	10.53.0.4
+;
+child3		NS	ns.child3
+ns.child3	A	10.53.0.3
+;
+child4		NS	ns.child4
+ns.child4	A	10.53.0.3
+;
+child5		NS	ns.child5
+ns.child5	A	10.53.0.3
+;
+child6		NS	ns.child6
+ns.child6	A	10.53.0.4
+;
+child7		NS	ns.child7
+ns.child7	A	10.53.0.3
+;
+child8		NS	ns.child8
+ns.child8	A	10.53.0.3
+;
+child9		NS	ns.child9
+ns.child9	A	10.53.0.3
+;
+child10		NS	ns.child10
+ns.child10	A	10.53.0.3

bin/tests/system/dlv/ns3/child.db.in

@@ -0,0 +1,22 @@
+; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: child.db.in,v 1.2 2004/05/14 04:58:21 marka Exp $
+
+$TTL	120
+@		SOA	ns hostmaster.ns 1 3600 1200 604800 60
+@		NS	ns
+ns		A	10.53.0.3
+foo		TXT	foo
+bar		TXT	bar

bin/tests/system/dlv/ns3/dlv.db.in

@@ -0,0 +1,20 @@
+; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: dlv.db.in,v 1.2 2004/05/14 04:58:22 marka Exp $
+
+$TTL	120
+@		SOA	ns hostmaster.ns 1 3600 1200 604800 60
+@		NS	ns
+ns		A	10.53.0.3

bin/tests/system/dlv/ns3/hints

@@ -0,0 +1,18 @@
+; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: hints,v 1.2 2004/05/14 04:58:22 marka Exp $
+
+. 0 NS ns.rootservers.utld.
+ns.rootservers.utld. 0 A 10.53.0.1

bin/tests/system/dlv/ns3/named.conf

@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.2 2004/05/14 04:58:22 marka Exp $ */
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port 5300;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	dnssec-enable yes;
+};
+
+zone "." { type hint; file "hints"; };
+zone "dlv.utld" { type master; file "dlv.signed"; };
+zone "child1.utld" { type master; file "child1.signed"; };	// dlv
+zone "child3.utld" { type master; file "child3.signed"; };	// dlv
+zone "child4.utld" { type master; file "child4.signed"; };	// dlv
+zone "child5.utld" { type master; file "child5.signed"; };	// dlv
+zone "child7.utld" { type master; file "child7.signed"; };	// no dlv
+zone "child8.utld" { type master; file "child8.signed"; };	// no dlv
+zone "child9.utld" { type master; file "child9.signed"; };	// dlv
+zone "child10.utld" { type master; file "child.db.in"; }; 	// dlv unsigned

bin/tests/system/dlv/ns3/sign.sh

@@ -0,0 +1,174 @@
+#!/bin/sh
+#
+# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: sign.sh,v 1.2 2004/05/14 04:58:22 marka Exp $
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+RANDFILE=../random.data
+dlvsets=
+
+zone=child1.utld.
+infile=child.db.in
+zonefile=child1.utld.db
+outfile=child1.signed
+dlvzone=dlv.utld.
+dlvsets="$dlvsets dlvset-$zone"
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 
+echo "I: signed $zone"
+
+
+zone=child3.utld.
+infile=child.db.in
+zonefile=child3.utld.db
+outfile=child3.signed
+dlvzone=dlv.utld.
+dlvsets="$dlvsets dlvset-$zone"
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null
+echo "I: signed $zone"
+
+
+zone=child4.utld.
+infile=child.db.in
+zonefile=child4.utld.db
+outfile=child4.signed
+dlvzone=dlv.utld.
+dlvsets="$dlvsets dlvset-$zone"
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null
+echo "I: signed $zone"
+
+
+zone=child5.utld.
+infile=child.db.in
+zonefile=child5.utld.db
+outfile=child5.signed
+dlvzone=dlv.utld.
+dlvsets="$dlvsets dlvset-$zone"
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null
+echo "I: signed $zone"
+
+
+zone=child7.utld.
+infile=child.db.in
+zonefile=child7.utld.db
+outfile=child7.signed
+dlvzone=dlv.utld.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null
+echo "I: signed $zone"
+
+
+zone=child8.utld.
+infile=child.db.in
+zonefile=child8.utld.db
+outfile=child8.signed
+dlvzone=dlv.utld.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null
+echo "I: signed $zone"
+
+
+zone=child9.utld.
+infile=child.db.in
+zonefile=child9.utld.db
+outfile=child9.signed
+dlvzone=dlv.utld.
+dlvsets="$dlvsets dlvset-$zone"
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null
+echo "I: signed $zone"
+
+zone=child10.utld.
+infile=child.db.in
+zonefile=child10.utld.db
+outfile=child10.signed
+dlvzone=dlv.utld.
+dlvsets="$dlvsets dlvset-$zone"
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null
+echo "I: signed $zone"
+
+
+zone=dlv.utld.
+infile=dlv.db.in
+zonefile=dlv.utld.db
+outfile=dlv.signed
+dlvzone=dlv.utld.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone`
+
+cat $infile $dlvsets $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null
+echo "I: signed $zone"
+
+
+cat $keyname2.key | $PERL -n -e '
+local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
+local $key = join("", @rest);
+print <<EOF
+trusted-keys {
+    "$dn" $flags $proto $alg "$key";
+};
+EOF
+' > trusted.conf
+cp trusted.conf ../ns5

bin/tests/system/dlv/ns4/child.db

@@ -0,0 +1,41 @@
+; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: child.db,v 1.2 2004/05/14 04:58:22 marka Exp $
+
+$TTL	120
+@		SOA	ns hostmaster.ns 1 3600 1200 604800 60
+@		NS	ns
+ns		A	10.53.0.3
+;
+rootservers	NS	ns.rootservers
+ns.rootservers	A	10.53.0.1
+;
+child1		NS	ns.child1
+ns.child1	A	10.53.0.3
+;
+child2		NS	ns.child2
+ns.child2	A	10.53.0.4
+;
+child3		NS	ns.child3
+ns.child3	A	10.53.0.3
+;
+child4		NS	ns.child4
+ns.child4	A	10.53.0.3
+;
+child5		NS	ns.child5
+ns.child5	A	10.53.0.3
+;
+child6		NS	ns.child5
+ns.child6	A	10.53.0.4

bin/tests/system/dlv/ns4/hints

@@ -0,0 +1,18 @@
+; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: hints,v 1.2 2004/05/14 04:58:23 marka Exp $
+
+. 0 NS ns.rootservers.utld.
+ns.rootservers.utld. 0 A 10.53.0.1

bin/tests/system/dlv/ns4/named.conf

@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.2 2004/05/14 04:58:23 marka Exp $ */
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.4;
+	notify-source 10.53.0.4;
+	transfer-source 10.53.0.4;
+	port 5300;
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	dnssec-enable no;
+};
+
+zone "." { type hint; file "hints"; };
+zone "child2.utld" { type master; file "child.db"; };
+zone "child6.utld" { type master; file "child.db"; };

bin/tests/system/dlv/ns5/hints

@@ -0,0 +1,18 @@
+; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: hints,v 1.2 2004/05/14 04:58:23 marka Exp $
+
+. 0 NS ns.rootservers.utld.
+ns.rootservers.utld. 0 A 10.53.0.1

bin/tests/system/dlv/ns5/named.conf

@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.2 2004/05/14 04:58:23 marka Exp $ */
+
+/*
+ * Choose a keyname that is unlikely to clash with any real key names.
+ * This allows it to be added to the system's rndc.conf with minimal
+ * likelyhood of collision.
+ *
+ * e.g.
+ *	key "cc64b3d1db63fc88d7cb5d2f9f57d258" {
+ *		algorithm hmac-md5;
+ *		secret "34f88008d07deabbe65bd01f1d233d47";
+ *	}; 
+ *
+ *	server "10.53.0.5" {
+ *	 	key cc64b3d1db63fc88d7cb5d2f9f57d258;
+ *		port 5353;
+ *	};
+ *
+ *	rndc -s 10.53.0.5 <command>
+ */
+
+key "cc64b3d1db63fc88d7cb5d2f9f57d258" {
+	algorithm hmac-md5;
+	secret "34f88008d07deabbe65bd01f1d233d47";
+};
+
+controls {
+	inet 10.53.0.5 port 5353 allow { any; }
+		keys { cc64b3d1db63fc88d7cb5d2f9f57d258; };
+};
+
+include "trusted.conf";
+
+options {
+	query-source address 10.53.0.5;
+	notify-source 10.53.0.5;
+	transfer-source 10.53.0.5;
+	port 5300;
+	pid-file "named.pid";
+	listen-on { 10.53.0.5; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify yes;
+	dnssec-enable yes;
+	dnssec-lookaside "dlv.utld";
+};
+
+zone "." { type hint; file "hints"; };

bin/tests/system/dlv/ns5/rndc.conf

@@ -0,0 +1,13 @@
+/*
+ * Copyright.
+ */
+
+key "cc64b3d1db63fc88d7cb5d2f9f57d258" {
+	algorithm hmac-md5;
+	secret "34f88008d07deabbe65bd01f1d233d47";
+}; 
+ 
+options {
+	default-server 10.53.0.5;
+	default-port 5353;
+};

bin/tests/system/dlv/setup.sh

@@ -0,0 +1,21 @@
+#!/bin/sh
+#
+# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: setup.sh,v 1.2 2004/05/14 04:58:19 marka Exp $
+
+../../genrandom 400 random.data
+
+(cd ns3 && sh -e sign.sh)

bin/tests/system/dlv/tests.sh

@@ -0,0 +1,19 @@
+#!/bin/sh
+#
+# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: tests.sh,v 1.2 2004/05/14 04:58:19 marka Exp $
+
+exit 0

bin/tests/system/dnssec/dnssec_update_test.pl

@@ -0,0 +1,105 @@
+#!/usr/bin/perl
+#
+# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2002  Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+#
+# DNSSEC Dynamic update test suite.
+#
+# Usage:
+#
+#   perl update_test.pl [-s server] [-p port] zone
+#
+# The server defaults to 127.0.0.1.
+# The port defaults to 53.
+#
+# Installation notes:
+#
+# This program uses the Net::DNS::Resolver module.
+# You can install it by saying
+#
+#    perl -MCPAN -e "install Net::DNS"
+#
+# $Id: dnssec_update_test.pl,v 1.3 2004/03/05 05:00:09 marka Exp $
+#
+
+use Getopt::Std;
+use Net::DNS;
+use Net::DNS::Update;
+use Net::DNS::Resolver;
+
+$opt_s = "127.0.0.1";
+$opt_p = 53;
+
+getopt('s:p:');
+
+$res = new Net::DNS::Resolver;
+$res->nameservers($opt_s);
+$res->port($opt_p);
+$res->defnames(0); # Do not append default domain.
+
+@ARGV == 1 or die
+    "usage: perl update_test.pl [-s server] [-p port] zone\n";
+
+$zone = shift @ARGV;
+
+my $failures = 0;
+
+sub assert {
+    my ($cond, $explanation) = @_;
+    if (!$cond) {
+	print "I:Test Failed: $explanation ***\n";
+	$failures++
+    }
+}
+
+sub test {
+    my ($expected, @records) = @_;
+
+    my $update = new Net::DNS::Update("$zone");
+
+    foreach $rec (@records) {
+	$update->push(@$rec);
+    }
+
+    $reply = $res->send($update);
+
+    # Did it work?
+    if (defined $reply) {
+	my $rcode = $reply->header->rcode;
+        assert($rcode eq $expected, "expected $expected, got $rcode");
+    } else {
+	print "I:Update failed: ", $res->errorstring, "\n";
+    }
+}
+
+sub section {
+    my ($msg) = @_;
+    print "I:$msg\n";
+}
+
+section("Add a name");
+test("NOERROR", ["update", rr_add("a.$zone 300 A 73.80.65.49")]);
+
+section("Delete the name");
+test("NOERROR", ["update", rr_del("a.$zone")]);
+
+if ($failures) {
+    print "I:$failures tests failed.\n";
+} else {
+    print "I:All tests successful.\n";
+}
+
+exit $failures;

bin/tests/system/dnssec/ns2/dlv.db.in

@@ -0,0 +1,27 @@
+; Copyright (C) 2000-2002  Internet Software Consortium.
+;
+; Permission to use, copy, modify, and distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
+; DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+; IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+; INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
+; FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+; NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+; WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: dlv.db.in,v 1.2 2004/03/16 05:52:15 marka Exp $
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2
+ns2			A	10.53.0.2

bin/tests/system/dnssec/ns2/dst.example.db.in

@@ -0,0 +1,26 @@
+; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: dst.example.db.in,v 1.2 2004/03/05 05:00:15 marka Exp $
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2.example.
+a			A	10.0.0.1

bin/tests/system/dnssec/ns2/rfc2335.example.db

@@ -0,0 +1,103 @@
+; File written on Fri Apr 30 12:19:15 2004
+; dnssec_signzone version 9.2.4rc3
+rfc2335.example.	300	IN SOA	mname1. . (
+					2000042407 ; serial
+					20         ; refresh (20 seconds)
+					20         ; retry (20 seconds)
+					1814400    ; expire (3 weeks)
+					3600       ; minimum (1 hour)
+					)
+			300	SIG	SOA 1 2 300 20040530021915 (
+					20040430021915 47799 rfc2335.example.
+					nGPJKIzF7X/hMJbZURRz59UeEi/6HRxCn9Er
+					GqSnpw0Ea9Yx5Axu6sLKnF7jXlkZ6NHMCIpJ
+					+Lv+FDHXTs/dQg== )
+			300	NS	ns.rfc2335.example.
+			300	SIG	NS 1 2 300 20040530021915 (
+					20040430021915 47799 rfc2335.example.
+					Q234AL9dJYMvxdWG33lpww6AJ3GplKp+ace7
+					MUaj0oqDdkx4DtJF2XaP2xcqq7kTOObdQ8ES
+					vVxNThqOx7LFzg== )
+			300	KEY	256 3 1 (
+					AQPZhzXIabI8y5ihWUw7F0WxN2MabnYWkOcV
+					Fn11NgaGSdjBSYPRMMwMCasD5N2KYPRUP83W
+					y8mj+ofcoW1FurcZ
+					) ; key id = 47799
+			300	NXT	a.rfc2335.example. NS SOA SIG KEY NXT
+			300	SIG	NXT 1 2 300 20040530021915 (
+					20040430021915 47799 rfc2335.example.
+					Y587mqNy6pBEfbsU6+weM2XRSqLwLwRT9Sl7
+					oNuOK9kV3TR4R2M54m2S0MgJCXbRAwU+fF8Q
+					UbZkSTVe2N8Nyg== )
+a.rfc2335.example.	300	IN A	10.0.0.1
+			300	SIG	A 1 3 300 20040530021915 (
+					20040430021915 47799 rfc2335.example.
+					FnfWrcw5ire8ut25504zti5l///BdDMUAkJZ
+					UCLFiTW4lBGMcq1pqz64zltDZXCgJ3xUeQ2i
+					nRt19/ZxO6Z1KA== )
+			300	NXT	b.rfc2335.example. A SIG NXT
+			300	SIG	NXT 1 3 300 20040530021915 (
+					20040430021915 47799 rfc2335.example.
+					R6SpC3ndMVg4u/eZaaUsXSuMHV/hZXeaM/Op
+					bJLAe3KxMiOHfb6XgLy7wflAiC1xt6A9bWpy
+					kTc5T5gfic33kA== )
+b.rfc2335.example.	300	IN A	10.0.0.2
+			300	SIG	A 1 3 300 20040530021915 (
+					20040430021915 47799 rfc2335.example.
+					zjRsYXMGyhDI6ipDtu8YXC9XPN+3hGamzzxL
+					8uPE/LPo+x19MNdbzEgWzlajAf1/mkSGr2jN
+					BDMVBA5NMKpwAA== )
+			300	NXT	d.rfc2335.example. A SIG NXT
+			300	SIG	NXT 1 3 300 20040530021915 (
+					20040430021915 47799 rfc2335.example.
+					aV87iZCYsC5Tqop827Zzb18TNqopGt0QynkR
+					gIF/lIHqZasNFRfaS1/nTnXdDKD8JS5IqxKb
+					oTJr5zswDAtCEw== )
+d.rfc2335.example.	300	IN A	10.0.0.4
+			300	SIG	A 1 3 300 20040530021915 (
+					20040430021915 47799 rfc2335.example.
+					NsKyvhUYZxTbOTBX4YwxTxevI5iGBpULKwmt
+					+D4l00ME4XRygOVmiqVDTT9dF1EgjDxOdfMT
+					hSjtCh5M1b2f6g== )
+			300	NXT	ns.rfc2335.example. A SIG NXT
+			300	SIG	NXT 1 3 300 20040530021915 (
+					20040430021915 47799 rfc2335.example.
+					OGqlvSDZIZdHYigh4UAFzXfPze7vcQfgj7sN
+					+cAeoh4BL1gpa00DqANCxowNCYluDk3ZCDwt
+					UHZEJa8ZjNvv4g== )
+ns.rfc2335.example.	300	IN A	10.53.0.3
+			300	SIG	A 1 3 300 20040530021915 (
+					20040430021915 47799 rfc2335.example.
+					T6ZGeUWflLTku8jO23x/TeAPeUl8t0I18FCh
+					qHUZaHomLQasQ2jlZQn6cLpFd2uFJkBNxZ0G
+					I39aG7G1bObXdA== )
+			300	NXT	x.rfc2335.example. A SIG NXT
+			300	SIG	NXT 1 3 300 20040530021915 (
+					20040430021915 47799 rfc2335.example.
+					l46mrf3/Ii5iRm3AiDjYeMg4ZXBgitHxXA2y
+					e/NhKpkxRRpCs7UQ94wT/RiSCjjK49E5FBe6
+					5bRxtWq0GI7zlg== )
+x.rfc2335.example.	300	IN CNAME a.rfc2335.example.
+			300	SIG	CNAME 1 3 300 20040530021915 (
+					20040430021915 47799 rfc2335.example.
+					L3IOluq+kboBd2gR2Mu54uJKCUzfmyHRiWKl
+					kfx+vuFr0I8mEHQRmJtouxNDrBzmzGp5vybK
+					SdabLWw0n6uQEA== )
+			300	NXT	z.rfc2335.example. CNAME SIG NXT
+			300	SIG	NXT 1 3 300 20040530021915 (
+					20040430021915 47799 rfc2335.example.
+					CBKoJSkZzdpwiON7JS4yPFY5VVeBjfT19x/O
+					vx+5UK1JZUNKhTXWWgW1er+JlLzNf4Ot40+l
+					z9HUTyaeS0eWyw== )
+z.rfc2335.example.	300	IN A	10.0.0.26
+			300	SIG	A 1 3 300 20040530021915 (
+					20040430021915 47799 rfc2335.example.
+					ccqjVHnehvVwlNNd4+7n/GzGlRjj+ul0gCT3
+					X3950LTccxHsOFyjNNm8v/Ho/aurSYdqXEjY
+					jwmjC6elwkzB7A== )
+			300	NXT	rfc2335.example. A SIG NXT
+			300	SIG	NXT 1 3 300 20040530021915 (
+					20040430021915 47799 rfc2335.example.
+					W42WoFyd9erysv8HjKo+CpHIH1x6+pAKwCDO
+					/hHnkEpQI3brewxl7cWOPYeA92Ns80Ody/ui
+					m2E28A5gnmWqPw== )

bin/tests/system/dnssec/ns3/dynamic.example.db.in

@@ -0,0 +1,31 @@
+; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2002  Internet Software Consortium.
+;
+; Permission to use, copy, modify, and distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: dynamic.example.db.in,v 1.3 2004/03/05 05:00:20 marka Exp $
+
+; This has the NS and glue at the apex because testing RT #2399
+; requires we have only one name in the zone at a certain point
+; during the test.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+@			NS	@
+@			A	10.53.0.3

bin/tests/system/dnssec/ns3/keyless.example.db.in

@@ -0,0 +1,29 @@
+; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2001, 2002  Internet Software Consortium.
+;
+; Permission to use, copy, modify, and distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: keyless.example.db.in,v 1.3 2004/03/05 05:00:20 marka Exp $
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a.b			A	10.0.0.1

bin/tests/system/dnssec/ns6/named.conf

@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.6 2004/03/10 02:19:54 marka Exp $ */
+
+// NS6
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.6;
+	notify-source 10.53.0.6;
+	transfer-source 10.53.0.6;
+	port 5300;
+	pid-file "named.pid";
+	listen-on { 10.53.0.6; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify yes;
+	disable-algorithms . { DSA; };
+	dnssec-enable yes;
+	dnssec-lookaside dlv;
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+include "trusted.conf";

bin/tests/system/genzone.sh

@@ -0,0 +1,267 @@
+#!/bin/sh
+#
+# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2001-2003  Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: genzone.sh,v 1.6 2004/03/05 04:59:12 marka Exp $
+
+#
+# Set up a test zone
+#
+# Usage: genzone.sh master-server-number slave-server-number...
+#
+# e.g., "genzone.sh 2 3 4" means ns2 is the master and ns3, ns4
+# are slaves.
+#
+
+master="$1"
+
+cat <<EOF
+\$TTL 3600
+
+@		86400	IN SOA	ns${master} hostmaster (
+					1397051952 ; "SER0"
+					5
+					5
+					1814400
+					3600 )
+EOF
+
+for n
+do
+	cat <<EOF
+@			NS	ns${n}
+ns${n}			A	10.53.0.${n}
+EOF
+done
+
+cat <<\EOF
+
+; type 1
+a01			A	0.0.0.0
+a02			A	255.255.255.255
+
+; type 2
+; see NS records at top of file
+
+; type 3
+; md01			MD	madname
+; 			MD	.
+
+; type 4
+; mf01			MF	madname
+; mf01			MF	.
+
+; type 5
+cname01			CNAME	cname-target.
+cname02			CNAME	cname-target
+cname03			CNAME	.
+
+; type 6
+; see SOA record at top of file
+
+; type 7
+mb01			MG	madname
+mb02			MG	.
+
+; type 8
+mg01			MG	mgmname
+mg02			MG	.
+
+; type 9
+mr01			MR	mrname
+mr02			MR	.
+
+; type 10
+; NULL RRs are not allowed in master files per RFC1035.
+;null01			NULL
+
+; type 11
+wks01			WKS	10.0.0.1 tcp telnet ftp 0 1 2
+wks02			WKS	10.0.0.1 udp domain 0 1 2
+wks03			WKS	10.0.0.2 tcp 65535
+
+; type 12
+ptr01			PTR	@
+
+; type 13
+hinfo01			HINFO	"Generic PC clone" "NetBSD-1.4"
+hinfo02			HINFO	PC NetBSD
+
+; type 14
+minfo01			MINFO	rmailbx emailbx
+minfo02			MINFO	. . 
+
+; type 15
+mx01			MX	10 mail
+mx02			MX	10 .
+
+; type 16
+txt01			TXT	"foo"
+txt02			TXT	"foo" "bar"
+txt03			TXT	foo
+txt04			TXT	foo bar
+txt05			TXT	"foo bar"
+txt06			TXT	"foo\032bar"
+txt07			TXT	foo\032bar
+txt08			TXT	"foo\010bar"
+txt09			TXT	foo\010bar
+txt10			TXT	foo\ bar
+txt11			TXT	"\"foo\""
+txt12			TXT	\"foo\"
+
+; type 17
+rp01			RP	mbox-dname txt-dname
+rp02			RP	. . 
+
+; type 18
+afsdb01			AFSDB	0 hostname
+afsdb02			AFSDB	65535 .
+
+; type 19
+x2501			X25	123456789
+;x2502			X25	"123456789"
+
+; type 20
+isdn01			ISDN	"isdn-address"
+isdn02			ISDN	"isdn-address" "subaddress"
+isdn03			ISDN	isdn-address
+isdn04			ISDN	isdn-address subaddress
+
+; type 21
+rt01			RT	0 intermediate-host
+rt02			RT	65535 .
+
+; type 22
+nsap01			NSAP	(
+	0x47.0005.80.005a00.0000.0001.e133.ffffff000161.00 )
+nsap02			NSAP	(
+	0x47.0005.80.005a00.0000.0001.e133.ffffff000161.00. )
+;nsap03			NSAP	0x
+
+; type 23
+nsap-ptr01		NSAP-PTR foo.
+nsap-ptr01		NSAP-PTR .
+
+; type 24
+;sig01			SIG	NXT 1 3 ( 3600 20000102030405
+;				19961211100908 2143 foo.nil. 
+;				MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45I
+;				kskceFGgiWCn/GxHhai6VAuHAoNUz4YoU1t
+;				VfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY= )
+
+; type 25
+;key01			KEY	512 ( 255 1 AQMFD5raczCJHViKtLYhWGz8hMY
+;				9UGRuniJDBzC7w0aRyzWZriO6i2odGWWQVucZqKV
+;				sENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esg
+;				a60zyGW6LFe9r8n6paHrlG5ojqf0BaqHT+8= )
+
+; type 26
+px01			PX	65535 foo. bar.
+px02			PX	65535 . .
+
+; type 27
+gpos01			GPOS    -22.6882 116.8652 250.0
+gpos02			GPOS    "" "" ""
+
+; type 29
+loc01			LOC	60 9 N 24 39 E 10 20 2000 20
+loc02			LOC 	60 09 00.000 N 24 39 00.000 E 10.00m 20.00m (
+				  2000.00m 20.00m )
+
+; type 30
+;nxt01			NXT	a.secure.nil. ( NS SOA MX RRSIG KEY LOC NXT )
+;nxt02			NXT	. NXT NSAP-PTR
+;nxt03			NXT	. 1
+;nxt04			NXT	. 127
+
+; type 33
+srv01			SRV 0 0 0 .
+srv02			SRV 65535 65535 65535  old-slow-box
+
+; type 35
+naptr01			NAPTR   0 0 "" "" "" . 
+naptr02			NAPTR   65535 65535 blurgh blorf blegh foo.
+naptr02			NAPTR   65535 65535 "blurgh" "blorf" "blegh" foo.
+
+; type 36
+kx01			KX	10 kdc
+kx02			KX	10 .
+
+; type 37
+cert01			CERT	65534 65535 254 ( 
+				MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45I
+				kskceFGgiWCn/GxHhai6VAuHAoNUz4YoU1t
+				VfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY= )
+; type 38
+a601			A6	0 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+a601			A6	64 ::ffff:ffff:ffff:ffff foo.
+a601			A6	127 ::1 foo.
+a601			A6	128 .
+
+; type 39
+dname01			DNAME	dname-target.
+dname02			DNAME	dname-target
+dname03			DNAME	.
+
+; type 41
+; OPT is a meta-type and should never occur in master files.
+
+; type 46
+rrsig01			RRSIG	NSEC 1 3 ( 3600 20000102030405
+				19961211100908 2143 foo.nil. 
+				MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45I
+				kskceFGgiWCn/GxHhai6VAuHAoNUz4YoU1t
+				VfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY= )
+
+; type 47
+nsec01			NSEC	a.secure.nil. ( NS SOA MX RRSIG DNSKEY LOC NSEC )
+nsec02			NSEC	. NSEC NSAP-PTR
+nsec03			NSEC	. TYPE1
+nsec04			NSEC	. TYPE127
+
+; type 48
+dnskey01		DNSKEY	512 ( 255 1 AQMFD5raczCJHViKtLYhWGz8hMY
+				9UGRuniJDBzC7w0aRyzWZriO6i2odGWWQVucZqKV
+				sENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esg
+				a60zyGW6LFe9r8n6paHrlG5ojqf0BaqHT+8= )
+
+; type 249
+; TKEY is a meta-type and should never occur in master files.
+; The text representation is not specified in the draft.
+; This example was written based on the bind9 RR parsing code.
+;tkey01			TKEY	928321914 928321915 (
+;				255		; algorithm
+;				65535 		; mode
+;				0		; error
+;				3 		; key size
+;				aaaa		; key data
+;				3 		; other size
+;				bbbb		; other data
+;				)
+;; A TKEY with empty "other data"
+;tkey02			TKEY	928321914 928321915 (
+;				255		; algorithm
+;				65535 		; mode
+;				0		; error
+;				3 		; key size
+;				aaaa		; key data
+;				0 		; other size
+;						; other data
+;				)
+
+; type 255
+; TSIG is a meta-type and should never occur in master files.
+EOF

bin/tests/system/xfer/dig1.good

@@ -0,0 +1,80 @@
+example.		86400	IN	SOA	ns2.example. hostmaster.example. 1397051952 5 5 1814400 3600
+example.		3600	IN	NS	ns2.example.
+example.		3600	IN	NS	ns3.example.
+a01.example.		3600	IN	A	0.0.0.0
+a02.example.		3600	IN	A	255.255.255.255
+a601.example.		3600	IN	A6	0 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+a601.example.		3600	IN	A6	64 ::ffff:ffff:ffff:ffff foo.
+a601.example.		3600	IN	A6	127 ::1 foo.
+a601.example.		3600	IN	A6	128  .
+afsdb01.example.	3600	IN	AFSDB	0 hostname.example.
+afsdb02.example.	3600	IN	AFSDB	65535 .
+cert01.example.		3600	IN	CERT	65534 65535 PRIVATEOID MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgiWCn/GxHhai6V AuHAoNUz4YoU1tVfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY=
+cname01.example.	3600	IN	CNAME	cname-target.
+cname02.example.	3600	IN	CNAME	cname-target.example.
+cname03.example.	3600	IN	CNAME	.
+dname01.example.	3600	IN	DNAME	dname-target.
+dname02.example.	3600	IN	DNAME	dname-target.example.
+dname03.example.	3600	IN	DNAME	.
+gpos01.example.		3600	IN	GPOS	"-22.6882" "116.8652" "250.0"
+gpos02.example.		3600	IN	GPOS	"" "" ""
+hinfo01.example.	3600	IN	HINFO	"Generic PC clone" "NetBSD-1.4"
+hinfo02.example.	3600	IN	HINFO	"PC" "NetBSD"
+isdn01.example.		3600	IN	ISDN	"isdn-address"
+isdn02.example.		3600	IN	ISDN	"isdn-address" "subaddress"
+isdn03.example.		3600	IN	ISDN	"isdn-address"
+isdn04.example.		3600	IN	ISDN	"isdn-address" "subaddress"
+dnskey01.example.	3600	IN	DNSKEY	512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8=
+kx01.example.		3600	IN	KX	10 kdc.example.
+kx02.example.		3600	IN	KX	10 .
+loc01.example.		3600	IN	LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
+loc02.example.		3600	IN	LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
+mb01.example.		3600	IN	MG	madname.example.
+mb02.example.		3600	IN	MG	.
+mg01.example.		3600	IN	MG	mgmname.example.
+mg02.example.		3600	IN	MG	.
+minfo01.example.	3600	IN	MINFO	rmailbx.example. emailbx.example.
+minfo02.example.	3600	IN	MINFO	. .
+mr01.example.		3600	IN	MR	mrname.example.
+mr02.example.		3600	IN	MR	.
+mx01.example.		3600	IN	MX	10 mail.example.
+mx02.example.		3600	IN	MX	10 .
+naptr01.example.	3600	IN	NAPTR	0 0 "" "" "" .
+naptr02.example.	3600	IN	NAPTR	65535 65535 "blurgh" "blorf" "blegh" foo.
+ns2.example.		3600	IN	A	10.53.0.2
+ns3.example.		3600	IN	A	10.53.0.3
+nsap-ptr01.example.	3600	IN	NSAP-PTR .
+nsap-ptr01.example.	3600	IN	NSAP-PTR foo.
+nsap01.example.		3600	IN	NSAP	0x47000580005a0000000001e133ffffff00016100
+nsap02.example.		3600	IN	NSAP	0x47000580005a0000000001e133ffffff00016100
+nsec01.example.		3600	IN	NSEC	a.secure.nil. NS SOA MX LOC RRSIG NSEC DNSKEY
+nsec02.example.		3600	IN	NSEC	. NSAP-PTR NSEC
+nsec03.example.		3600	IN	NSEC	. A
+nsec04.example.		3600	IN	NSEC	. TYPE127
+ptr01.example.		3600	IN	PTR	example.
+px01.example.		3600	IN	PX	65535 foo. bar.
+px02.example.		3600	IN	PX	65535 . .
+rp01.example.		3600	IN	RP	mbox-dname.example. txt-dname.example.
+rp02.example.		3600	IN	RP	. .
+rt01.example.		3600	IN	RT	0 intermediate-host.example.
+rt02.example.		3600	IN	RT	65535 .
+rrsig01.example.		3600	IN	RRSIG	NSEC 1 3 3600 20000102030405 19961211100908 2143 foo.nil. MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgiWCn/GxHhai6V AuHAoNUz4YoU1tVfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY=
+srv01.example.		3600	IN	SRV	0 0 0 .
+srv02.example.		3600	IN	SRV	65535 65535 65535 old-slow-box.example.
+txt01.example.		3600	IN	TXT	"foo"
+txt02.example.		3600	IN	TXT	"foo" "bar"
+txt03.example.		3600	IN	TXT	"foo"
+txt04.example.		3600	IN	TXT	"foo" "bar"
+txt05.example.		3600	IN	TXT	"foo bar"
+txt06.example.		3600	IN	TXT	"foo bar"
+txt07.example.		3600	IN	TXT	"foo bar"
+txt08.example.		3600	IN	TXT	"foo\010bar"
+txt09.example.		3600	IN	TXT	"foo\010bar"
+txt10.example.		3600	IN	TXT	"foo bar"
+txt11.example.		3600	IN	TXT	"\"foo\""
+txt12.example.		3600	IN	TXT	"\"foo\""
+wks01.example.		3600	IN	WKS	10.0.0.1 6 0 1 2 21 23
+wks02.example.		3600	IN	WKS	10.0.0.1 17 0 1 2 53
+wks03.example.		3600	IN	WKS	10.0.0.2 6 65535
+x2501.example.		3600	IN	X25	"123456789"
+example.		86400	IN	SOA	ns2.example. hostmaster.example. 1397051952 5 5 1814400 3600

bin/tests/system/xfer/dig2.good

@@ -0,0 +1,80 @@
+example.		86400	IN	SOA	ns2.example. hostmaster.example. 1397051953 5 5 1814400 3600
+example.		3600	IN	NS	ns2.example.
+example.		3600	IN	NS	ns3.example.
+a01.example.		3600	IN	A	0.0.0.1
+a02.example.		3600	IN	A	255.255.255.255
+a601.example.		3600	IN	A6	0 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+a601.example.		3600	IN	A6	64 ::ffff:ffff:ffff:ffff foo.
+a601.example.		3600	IN	A6	127 ::1 foo.
+a601.example.		3600	IN	A6	128  .
+afsdb01.example.	3600	IN	AFSDB	0 hostname.example.
+afsdb02.example.	3600	IN	AFSDB	65535 .
+cert01.example.		3600	IN	CERT	65534 65535 PRIVATEOID MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgiWCn/GxHhai6V AuHAoNUz4YoU1tVfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY=
+cname01.example.	3600	IN	CNAME	cname-target.
+cname02.example.	3600	IN	CNAME	cname-target.example.
+cname03.example.	3600	IN	CNAME	.
+dname01.example.	3600	IN	DNAME	dname-target.
+dname02.example.	3600	IN	DNAME	dname-target.example.
+dname03.example.	3600	IN	DNAME	.
+gpos01.example.		3600	IN	GPOS	"-22.6882" "116.8652" "250.0"
+gpos02.example.		3600	IN	GPOS	"" "" ""
+hinfo01.example.	3600	IN	HINFO	"Generic PC clone" "NetBSD-1.4"
+hinfo02.example.	3600	IN	HINFO	"PC" "NetBSD"
+isdn01.example.		3600	IN	ISDN	"isdn-address"
+isdn02.example.		3600	IN	ISDN	"isdn-address" "subaddress"
+isdn03.example.		3600	IN	ISDN	"isdn-address"
+isdn04.example.		3600	IN	ISDN	"isdn-address" "subaddress"
+dnskey01.example.	3600	IN	DNSKEY	512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8=
+kx01.example.		3600	IN	KX	10 kdc.example.
+kx02.example.		3600	IN	KX	10 .
+loc01.example.		3600	IN	LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
+loc02.example.		3600	IN	LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
+mb01.example.		3600	IN	MG	madname.example.
+mb02.example.		3600	IN	MG	.
+mg01.example.		3600	IN	MG	mgmname.example.
+mg02.example.		3600	IN	MG	.
+minfo01.example.	3600	IN	MINFO	rmailbx.example. emailbx.example.
+minfo02.example.	3600	IN	MINFO	. .
+mr01.example.		3600	IN	MR	mrname.example.
+mr02.example.		3600	IN	MR	.
+mx01.example.		3600	IN	MX	10 mail.example.
+mx02.example.		3600	IN	MX	10 .
+naptr01.example.	3600	IN	NAPTR	0 0 "" "" "" .
+naptr02.example.	3600	IN	NAPTR	65535 65535 "blurgh" "blorf" "blegh" foo.
+ns2.example.		3600	IN	A	10.53.0.2
+ns3.example.		3600	IN	A	10.53.0.3
+nsap-ptr01.example.	3600	IN	NSAP-PTR .
+nsap-ptr01.example.	3600	IN	NSAP-PTR foo.
+nsap01.example.		3600	IN	NSAP	0x47000580005a0000000001e133ffffff00016100
+nsap02.example.		3600	IN	NSAP	0x47000580005a0000000001e133ffffff00016100
+nsec01.example.		3600	IN	NSEC	a.secure.nil. NS SOA MX LOC RRSIG NSEC DNSKEY
+nsec02.example.		3600	IN	NSEC	. NSAP-PTR NSEC
+nsec03.example.		3600	IN	NSEC	. A
+nsec04.example.		3600	IN	NSEC	. TYPE127
+ptr01.example.		3600	IN	PTR	example.
+px01.example.		3600	IN	PX	65535 foo. bar.
+px02.example.		3600	IN	PX	65535 . .
+rp01.example.		3600	IN	RP	mbox-dname.example. txt-dname.example.
+rp02.example.		3600	IN	RP	. .
+rt01.example.		3600	IN	RT	0 intermediate-host.example.
+rt02.example.		3600	IN	RT	65535 .
+rrsig01.example.	3600	IN	RRSIG	NSEC 1 3 3600 20000102030405 19961211100908 2143 foo.nil. MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgiWCn/GxHhai6V AuHAoNUz4YoU1tVfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY=
+srv01.example.		3600	IN	SRV	0 0 0 .
+srv02.example.		3600	IN	SRV	65535 65535 65535 old-slow-box.example.
+txt01.example.		3600	IN	TXT	"foo"
+txt02.example.		3600	IN	TXT	"foo" "bar"
+txt03.example.		3600	IN	TXT	"foo"
+txt04.example.		3600	IN	TXT	"foo" "bar"
+txt05.example.		3600	IN	TXT	"foo bar"
+txt06.example.		3600	IN	TXT	"foo bar"
+txt07.example.		3600	IN	TXT	"foo bar"
+txt08.example.		3600	IN	TXT	"foo\010bar"
+txt09.example.		3600	IN	TXT	"foo\010bar"
+txt10.example.		3600	IN	TXT	"foo bar"
+txt11.example.		3600	IN	TXT	"\"foo\""
+txt12.example.		3600	IN	TXT	"\"foo\""
+wks01.example.		3600	IN	WKS	10.0.0.1 6 0 1 2 21 23
+wks02.example.		3600	IN	WKS	10.0.0.1 17 0 1 2 53
+wks03.example.		3600	IN	WKS	10.0.0.2 6 65535
+x2501.example.		3600	IN	X25	"123456789"
+example.		86400	IN	SOA	ns2.example. hostmaster.example. 1397051953 5 5 1814400 3600

bin/tests/system/xfer/setup.sh

@@ -0,0 +1,21 @@
+#!/bin/sh
+#
+# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2001, 2002  Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: setup.sh,v 1.3 2004/03/05 05:03:55 marka Exp $
+
+sh ../genzone.sh 2 3 >ns2/example.db
+sh ../genzone.sh 2 3 >ns2/tsigzone.db

bin/win32/BINDInstall/AccountInfo.cpp

@@ -0,0 +1,438 @@
+/*
+ * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2001, 2002  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: AccountInfo.cpp,v 1.6 2004/03/05 05:04:16 marka Exp $ */
+
+#ifndef UNICODE
+#define UNICODE
+#endif /* UNICODE */
+
+#include "stdafx.h"
+
+#include <windows.h>
+#include <lm.h>
+#include <ntsecapi.h>
+
+#include <isc/ntgroups.h>
+#include <isc/result.h>
+#include "AccountInfo.h"
+
+#define MAX_NAME_LENGTH 256
+
+NTSTATUS
+OpenPolicy(
+    LPWSTR ServerName,		/* machine to open policy on (Unicode) */
+    DWORD DesiredAccess,	/* desired access to policy */
+    PLSA_HANDLE PolicyHandle	/* resultant policy handle */
+    );
+
+BOOL
+GetAccountSid(
+    LPTSTR SystemName,		/* where to lookup account */
+    LPTSTR AccountName,		/* account of interest */
+    PSID *Sid			/* resultant buffer containing SID */
+    );
+
+NTSTATUS
+SetPrivilegeOnAccount(
+    LSA_HANDLE PolicyHandle,	/* open policy handle */
+    PSID AccountSid,		/* SID to grant privilege to */
+    LPWSTR PrivilegeName,	/* privilege to grant (Unicode) */
+    BOOL bEnable		/* enable or disable */
+    );
+
+NTSTATUS
+GetPrivilegesOnAccount(
+    LSA_HANDLE PolicyHandle,	/* open policy handle */
+    PSID AccountSid,		/* SID to grant privilege to */
+    wchar_t **PrivList,		/* Ptr to List of Privileges found */
+    unsigned int *PrivCount	/* total number of Privileges in list */
+    );
+
+NTSTATUS
+AddPrivilegeToAcccount(
+    LPTSTR AccountName,		/* Name of the account */
+    LPWSTR PrivilegeName	/* Privilege to Add */
+    );
+
+void
+InitLsaString(
+    PLSA_UNICODE_STRING LsaString,	/* destination */
+    LPWSTR String			/* source (Unicode) */
+    );
+
+void
+DisplayNtStatus(
+    LPSTR szAPI,		/* pointer to function name (ANSI) */
+    NTSTATUS Status		/* NTSTATUS error value */
+    );
+
+void
+DisplayWinError(
+    LPSTR szAPI,		/* pointer to function name (ANSI) */
+    DWORD WinError		/* DWORD WinError */
+    );
+
+#ifndef STATUS_SUCCESS
+#define STATUS_SUCCESS  ((NTSTATUS)0x00000000L)
+#endif
+
+/*
+ * Note that this code only retrieves the list of privileges of the
+ * requested account or group. However, all accounts belong to the
+ * Everyone group even though that group is not returned by the
+ * calls to get the groups to which that account belongs.
+ * The Everyone group has two privileges associated with it:
+ * SeChangeNotifyPrivilege and SeNetworkLogonRight
+ * It is not advisable to disable or remove these privileges
+ * from the group nor can the account be removed from the Everyone
+ * group
+ * The None group has no privileges associated with it and is the group
+ * to which an account belongs if it is associated with no group.
+ */
+
+int
+GetAccountPrivileges(char *name, wchar_t **PrivList, unsigned int *PrivCount,
+		     char **Accounts, unsigned int *totalAccounts,
+		     int maxAccounts) 
+{
+	LSA_HANDLE PolicyHandle;
+	TCHAR AccountName[256];		/* static account name buffer */
+	PSID pSid;
+	unsigned int i;
+	NTSTATUS Status;
+	isc_result_t istatus;
+	int iRetVal = RTN_ERROR;	/* assume error from main */
+
+	/*
+	 * Open the policy on the target machine.
+	 */
+	if ((Status = OpenPolicy(NULL,
+				 POLICY_LOOKUP_NAMES,
+				 &PolicyHandle)) != STATUS_SUCCESS)
+		return (RTN_ERROR);
+
+	/*
+	 * Let's see if the account exists. Return if not
+	 */
+	wsprintf(AccountName, TEXT("%hS"), name);
+	if (!GetAccountSid(NULL, AccountName, &pSid))
+		return (RTN_NOACCOUNT);
+	/*
+	 * Find out what groups the account belongs to
+	 */
+	istatus = isc_ntsecurity_getaccountgroups(name, Accounts, maxAccounts,
+						  totalAccounts);
+	if (istatus == ISC_R_NOMEMORY)
+		return (RTN_NOMEMORY);
+	else if (istatus != ISC_R_SUCCESS)
+		return (RTN_ERROR);
+
+	Accounts[*totalAccounts] = name; /* Add the account to the list */
+	(*totalAccounts)++;
+
+	/*
+	 * Loop through each Account to get the list of privileges
+	 */
+	for (i = 0; i < *totalAccounts; i++) {
+		wsprintf(AccountName, TEXT("%hS"), Accounts[i]);
+		 /* Obtain the SID of the user/group. */
+		if (!GetAccountSid(NULL, AccountName, &pSid))
+			continue;	/* Try the next one */
+		/* Get the Privileges allocated to this SID */ 
+	        if ((Status = GetPrivilegesOnAccount(PolicyHandle, pSid,
+			PrivList, PrivCount)) == STATUS_SUCCESS)
+		{
+			iRetVal=RTN_OK;
+			if (pSid != NULL)
+				HeapFree(GetProcessHeap(), 0, pSid);
+		} else {
+			if (pSid != NULL)
+				HeapFree(GetProcessHeap(), 0, pSid);
+			continue;	/* Try the next one */
+		}
+	}
+	/*
+	 * Close the policy handle.
+	 */
+	LsaClose(PolicyHandle);
+
+	(*totalAccounts)--;	/* Correct for the number of groups */
+	return iRetVal;
+}
+
+BOOL
+CreateServiceAccount(char *name, char *password) {
+	NTSTATUS retstat;
+	USER_INFO_1 ui;
+	DWORD dwLevel = 1;
+	DWORD dwError = 0;
+	NET_API_STATUS nStatus;
+
+	unsigned int namelen = strlen(name);
+	unsigned int passwdlen = strlen(password);
+	wchar_t AccountName[MAX_NAME_LENGTH];
+	wchar_t AccountPassword[MAX_NAME_LENGTH];
+
+	mbstowcs(AccountName, name, namelen + 1);
+	mbstowcs(AccountPassword, password, passwdlen + 1);
+
+	/*
+	 * Set up the USER_INFO_1 structure.
+	 * USER_PRIV_USER: name is required here when creating an account 
+	 * rather than an administrator or a guest.
+	 */
+
+	ui.usri1_name = (LPWSTR) &AccountName;
+	ui.usri1_password = (LPWSTR) &AccountPassword;
+	ui.usri1_priv = USER_PRIV_USER;
+	ui.usri1_home_dir = NULL;
+	ui.usri1_comment = L"ISC BIND Service Account";
+	ui.usri1_flags = UF_PASSWD_CANT_CHANGE | UF_DONT_EXPIRE_PASSWD |
+			 UF_SCRIPT;
+	ui.usri1_script_path = NULL;
+	/*
+	 * Call the NetUserAdd function, specifying level 1.
+	 */
+	nStatus = NetUserAdd(NULL, dwLevel, (LPBYTE)&ui, &dwError);
+
+	if (nStatus != NERR_Success)
+		return (FALSE);
+
+	retstat = AddPrivilegeToAcccount(name, SE_SERVICE_LOGON_PRIV);
+	return (TRUE);
+}
+
+NTSTATUS
+AddPrivilegeToAcccount(LPTSTR name, LPWSTR PrivilegeName) {
+	LSA_HANDLE PolicyHandle;
+	TCHAR AccountName[256];		/* static account name buffer */
+	PSID pSid;
+	NTSTATUS Status;
+	unsigned long err;
+
+	/*
+	 * Open the policy on the target machine.
+	 */
+	if ((Status = OpenPolicy(NULL, POLICY_ALL_ACCESS, &PolicyHandle))
+		!= STATUS_SUCCESS)
+		return (RTN_ERROR);
+
+	/*
+	 * Let's see if the account exists. Return if not
+	 */
+	wsprintf(AccountName, TEXT("%hS"), name);
+	if (!GetAccountSid(NULL, AccountName, &pSid))
+		return (RTN_NOACCOUNT);
+
+        err = LsaNtStatusToWinError(SetPrivilegeOnAccount(PolicyHandle,
+		pSid, PrivilegeName, TRUE));
+
+	LsaClose(PolicyHandle);
+	if (err == ERROR_SUCCESS)
+		return (RTN_OK);
+	else
+		return (err);
+}
+
+void
+InitLsaString(PLSA_UNICODE_STRING LsaString, LPWSTR String){
+	DWORD StringLength;
+
+	if (String == NULL) {
+		LsaString->Buffer = NULL;
+		LsaString->Length = 0;
+		LsaString->MaximumLength = 0;
+		return;
+	}
+
+	StringLength = wcslen(String);
+	LsaString->Buffer = String;
+	LsaString->Length = (USHORT) StringLength * sizeof(WCHAR);
+	LsaString->MaximumLength = (USHORT)(StringLength+1) * sizeof(WCHAR);
+}
+
+NTSTATUS
+OpenPolicy(LPWSTR ServerName, DWORD DesiredAccess, PLSA_HANDLE PolicyHandle){
+	LSA_OBJECT_ATTRIBUTES ObjectAttributes;
+	LSA_UNICODE_STRING ServerString;
+	PLSA_UNICODE_STRING Server = NULL;
+
+	/*
+	 * Always initialize the object attributes to all zeroes.
+	 */
+	ZeroMemory(&ObjectAttributes, sizeof(ObjectAttributes));
+
+	if (ServerName != NULL) {
+		/*
+		 * Make a LSA_UNICODE_STRING out of the LPWSTR passed in
+		 */
+		InitLsaString(&ServerString, ServerName);
+		Server = &ServerString;
+	}
+
+	/*
+	 * Attempt to open the policy.
+	 */
+	return (LsaOpenPolicy(Server, &ObjectAttributes, DesiredAccess,
+		PolicyHandle));
+}
+
+BOOL
+GetAccountSid(LPTSTR SystemName, LPTSTR AccountName, PSID *Sid) {
+	LPTSTR ReferencedDomain = NULL;
+	DWORD cbSid = 128;    /* initial allocation attempt */
+	DWORD cbReferencedDomain = 16; /* initial allocation size */
+	SID_NAME_USE peUse;
+	BOOL bSuccess = FALSE; /* assume this function will fail */
+
+	__try {
+		/*
+		 * initial memory allocations
+		 */
+		if ((*Sid = HeapAlloc(GetProcessHeap(), 0, cbSid)) == NULL)
+			__leave;
+
+		if ((ReferencedDomain = (LPTSTR) HeapAlloc(GetProcessHeap(), 0,
+				       cbReferencedDomain)) == NULL) __leave;
+
+		/*
+		 * Obtain the SID of the specified account on the specified system.
+		 */
+		while (!LookupAccountName(SystemName, AccountName, *Sid, &cbSid,
+					  ReferencedDomain, &cbReferencedDomain,
+					  &peUse))
+		{
+			if (GetLastError() == ERROR_INSUFFICIENT_BUFFER) {
+				/* reallocate memory */
+				if ((*Sid = HeapReAlloc(GetProcessHeap(), 0,
+					*Sid, cbSid)) == NULL) __leave;
+
+				if ((ReferencedDomain= (LPTSTR) HeapReAlloc(
+					GetProcessHeap(), 0, ReferencedDomain,
+					cbReferencedDomain)) == NULL)
+				__leave;
+			}
+			else 
+				__leave;
+		}
+		bSuccess = TRUE;
+	} /* finally */
+	__finally {
+
+		/* Cleanup and indicate failure, if appropriate. */
+
+		HeapFree(GetProcessHeap(), 0, ReferencedDomain);
+
+		if (!bSuccess) {
+			if (*Sid != NULL) {
+				HeapFree(GetProcessHeap(), 0, *Sid);
+				*Sid = NULL;
+			}
+		}
+
+	}
+
+	return (bSuccess);
+}
+
+NTSTATUS
+SetPrivilegeOnAccount(LSA_HANDLE PolicyHandle, PSID AccountSid,
+		      LPWSTR PrivilegeName, BOOL bEnable)
+{
+	LSA_UNICODE_STRING PrivilegeString;
+
+	/* Create a LSA_UNICODE_STRING for the privilege name. */
+	InitLsaString(&PrivilegeString, PrivilegeName);
+
+	/* grant or revoke the privilege, accordingly */
+	if (bEnable)
+		return (LsaAddAccountRights(PolicyHandle, AccountSid,
+			&PrivilegeString, 1));
+	else
+		return (LsaRemoveAccountRights(PolicyHandle, AccountSid,
+			FALSE, &PrivilegeString, 1));
+}
+
+NTSTATUS
+GetPrivilegesOnAccount(LSA_HANDLE PolicyHandle, PSID AccountSid,
+		       wchar_t **PrivList, unsigned int *PrivCount) 
+{
+	NTSTATUS Status;
+	LSA_UNICODE_STRING *UserRights;
+	ULONG CountOfRights;
+	unsigned int retlen = 0;
+	DWORD i, j;
+	int found;
+
+	Status = LsaEnumerateAccountRights(PolicyHandle, AccountSid,
+		&UserRights, &CountOfRights);
+	/* Only continue if there is something */
+	if (UserRights == NULL || Status != STATUS_SUCCESS)
+		return (Status);
+
+	for (i = 0; i < CountOfRights; i++) {
+		found = -1;
+		retlen = UserRights[i].Length/sizeof(wchar_t);
+		for (j = 0; j < *PrivCount; j++) {
+			found = wcsncmp(PrivList[j], UserRights[i].Buffer,
+					retlen);
+			if (found == 0)
+				break;
+		}
+		if (found != 0) {
+			PrivList[*PrivCount] = 
+			    (wchar_t *)malloc(UserRights[i].MaximumLength);
+			if (PrivList[*PrivCount] == NULL)
+				return (RTN_NOMEMORY);
+
+			wcsncpy(PrivList[*PrivCount], UserRights[i].Buffer,
+				retlen);
+			PrivList[*PrivCount][retlen] = L'\0';
+			(*PrivCount)++;
+		}
+
+	}
+
+	return (Status);
+}
+
+void
+DisplayNtStatus(LPSTR szAPI, NTSTATUS Status) {
+	/* Convert the NTSTATUS to Winerror. Then call DisplayWinError(). */
+	DisplayWinError(szAPI, LsaNtStatusToWinError(Status));
+}
+
+void
+DisplayWinError(LPSTR szAPI, DWORD WinError) {
+	LPSTR MessageBuffer;
+	DWORD dwBufferLength;
+
+	if (dwBufferLength=FormatMessageA(
+		FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
+		NULL, WinError, GetUserDefaultLangID(),
+		(LPSTR) &MessageBuffer, 0, NULL)){
+		DWORD dwBytesWritten; /* unused */
+
+		/* Output message string on stderr. */
+		WriteFile(GetStdHandle(STD_ERROR_HANDLE), MessageBuffer,
+			  dwBufferLength, &dwBytesWritten, NULL);
+
+		/* Free the buffer allocated by the system. */
+		LocalFree(MessageBuffer);
+	}
+}

bin/win32/BINDInstall/AccountInfo.h

@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: AccountInfo.h,v 1.4 2004/03/05 05:04:16 marka Exp $ */
+
+
+#define RTN_OK		0
+#define RTN_NOACCOUNT	1
+#define RTN_NOMEMORY	2
+#define RTN_ERROR	10
+
+#define SE_SERVICE_LOGON_PRIV	L"SeServiceLogonRight"
+
+/*
+ * This routine retrieves the list of all Privileges associated with
+ * a given account as well as the groups to which it beongs
+ */
+int
+GetAccountPrivileges(
+	char *name,			/* Name of Account */
+	wchar_t **PrivList,		/* List of Privileges returned */
+	unsigned int *PrivCount,	/* Count of Privileges returned */
+	char **Groups,		/* List of Groups to which account belongs */
+	unsigned int *totalGroups,	/* Count of Groups returned */
+	int maxGroups		/* Maximum number of Groups to return */
+	);
+
+/*
+ * This routine creates an account with the given name which has just
+ * the logon service privilege and no membership of any groups,
+ * i.e. it's part of the None group.
+ */
+BOOL
+CreateServiceAccount(char *name, char *password);

contrib/queryperf/missing/addrinfo.h

@@ -0,0 +1,100 @@
+/*
+ * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef HAVE_GETADDRINFO
+
+/*
+ * Error return codes from getaddrinfo()
+ */
+#define	EAI_ADDRFAMILY	 1	/* address family for hostname not supported */
+#define	EAI_AGAIN	 2	/* temporary failure in name resolution */
+#define	EAI_BADFLAGS	 3	/* invalid value for ai_flags */
+#define	EAI_FAIL	 4	/* non-recoverable failure in name resolution */
+#define	EAI_FAMILY	 5	/* ai_family not supported */
+#define	EAI_MEMORY	 6	/* memory allocation failure */
+#define	EAI_NODATA	 7	/* no address associated with hostname */
+#define	EAI_NONAME	 8	/* hostname nor servname provided, or not known */
+#define	EAI_SERVICE	 9	/* servname not supported for ai_socktype */
+#define	EAI_SOCKTYPE	10	/* ai_socktype not supported */
+#define	EAI_SYSTEM	11	/* system error returned in errno */
+#define EAI_BADHINTS	12
+#define EAI_PROTOCOL	13
+#define EAI_MAX		14
+
+/*
+ * Flag values for getaddrinfo()
+ */
+#define	AI_PASSIVE	0x00000001 /* get address to use bind() */
+#define	AI_CANONNAME	0x00000002 /* fill ai_canonname */
+#define	AI_NUMERICHOST	0x00000004 /* prevent name resolution */
+/* valid flags for addrinfo */
+#define	AI_MASK		(AI_PASSIVE | AI_CANONNAME | AI_NUMERICHOST)
+
+#define	AI_ALL		0x00000100 /* IPv6 and IPv4-mapped (with AI_V4MAPPED) */
+#define	AI_V4MAPPED_CFG	0x00000200 /* accept IPv4-mapped if kernel supports */
+#define	AI_ADDRCONFIG	0x00000400 /* only if any address is assigned */
+#define	AI_V4MAPPED	0x00000800 /* accept IPv4-mapped IPv6 address */
+/* special recommended flags for getipnodebyname */
+#define	AI_DEFAULT	(AI_V4MAPPED_CFG | AI_ADDRCONFIG)
+
+/*
+ * Constants for getnameinfo()
+ */
+#define	NI_MAXHOST	1025
+#define	NI_MAXSERV	32
+
+/*
+ * Flag values for getnameinfo()
+ */
+#define	NI_NOFQDN	0x00000001
+#define	NI_NUMERICHOST	0x00000002
+#define	NI_NAMEREQD	0x00000004
+#define	NI_NUMERICSERV	0x00000008
+#define	NI_DGRAM	0x00000010
+
+struct addrinfo {
+	int	ai_flags;	/* AI_PASSIVE, AI_CANONNAME */
+	int	ai_family;	/* PF_xxx */
+	int	ai_socktype;	/* SOCK_xxx */
+	int	ai_protocol;	/* 0 or IPPROTO_xxx for IPv4 and IPv6 */
+	size_t	ai_addrlen;	/* length of ai_addr */
+	char	*ai_canonname;	/* canonical name for hostname */
+	struct sockaddr *ai_addr;	/* binary address */
+	struct addrinfo *ai_next;	/* next structure in linked list */
+};
+
+struct sockaddr_storage {
+	u_char __ss_len;
+	u_char __ss_family;
+	u_char fill[126];
+};
+
+extern void freehostent(struct hostent *);
+extern char *gai_strerror(int);
+#endif

contrib/queryperf/missing/getaddrinfo.c

@@ -0,0 +1,632 @@
+/*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+#include <netdb.h>
+#include <resolv.h>
+#include <string.h>
+#include <stdlib.h>
+#include <stddef.h>
+#include <ctype.h>
+#include <unistd.h>
+
+#include "addrinfo.h"
+
+#define SUCCESS 0
+#define ANY 0
+#define YES 1
+#define NO  0
+
+static const char in_addrany[] = { 0, 0, 0, 0 };
+static const char in6_addrany[] = {
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
+};
+static const char in_loopback[] = { 127, 0, 0, 1 }; 
+static const char in6_loopback[] = {
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1
+};
+
+struct sockinet {
+	u_char	si_len;
+	u_char	si_family;
+	u_short	si_port;
+};
+
+static struct afd {
+	int a_af;
+	int a_addrlen;
+	int a_socklen;
+	int a_off;
+	const char *a_addrany;
+	const char *a_loopback;	
+} afdl [] = {
+#ifdef INET6
+#define N_INET6 0
+	{PF_INET6, sizeof(struct in6_addr),
+	 sizeof(struct sockaddr_in6),
+	 offsetof(struct sockaddr_in6, sin6_addr),
+	 in6_addrany, in6_loopback},
+#define N_INET  1
+#else
+#define N_INET  0
+#endif
+	{PF_INET, sizeof(struct in_addr),
+	 sizeof(struct sockaddr_in),
+	 offsetof(struct sockaddr_in, sin_addr),
+	 in_addrany, in_loopback},
+	{0, 0, 0, 0, NULL, NULL},
+};
+
+#ifdef INET6
+#define PTON_MAX	16
+#else
+#define PTON_MAX	4
+#endif
+
+
+static int get_name(const char *, struct afd *,
+		    struct addrinfo **, char *, struct addrinfo *,
+		    int);
+static int get_addr(const char *, int, struct addrinfo **,
+		    struct addrinfo *, int);
+static int get_addr0(const char *, int, struct addrinfo **,
+		     struct addrinfo *, int);
+static int str_isnumber(const char *);
+	
+static char *ai_errlist[] = {
+	"Success",
+	"Address family for hostname not supported",	/* EAI_ADDRFAMILY */
+	"Temporary failure in name resolution",		/* EAI_AGAIN      */
+	"Invalid value for ai_flags",		       	/* EAI_BADFLAGS   */
+	"Non-recoverable failure in name resolution", 	/* EAI_FAIL       */
+	"ai_family not supported",			/* EAI_FAMILY     */
+	"Memory allocation failure", 			/* EAI_MEMORY     */
+	"No address associated with hostname", 		/* EAI_NODATA     */
+	"hostname nor servname provided, or not known",/* EAI_NONAME     */
+	"servname not supported for ai_socktype",	/* EAI_SERVICE    */
+	"ai_socktype not supported", 			/* EAI_SOCKTYPE   */
+	"System error returned in errno", 		/* EAI_SYSTEM     */
+	"Invalid value for hints",			/* EAI_BADHINTS	  */
+	"Resolved protocol is unknown",			/* EAI_PROTOCOL   */
+	"Unknown error", 				/* EAI_MAX        */
+};
+
+#define GET_CANONNAME(ai, str) \
+if (pai->ai_flags & AI_CANONNAME) {\
+	if (((ai)->ai_canonname = (char *)malloc(strlen(str) + 1)) != NULL) {\
+		strcpy((ai)->ai_canonname, (str));\
+	} else {\
+		error = EAI_MEMORY;\
+		goto free;\
+	}\
+}
+
+#ifdef HAVE_SA_LEN
+#define	SET_AILEN(ai,l) (ai)->ai_addr->sa_len = (ai)->ai_addrlen = (l)
+#else
+#define	SET_AILEN(ai,l) (ai)->ai_addrlen = (l)
+#endif
+
+#define GET_AI(ai, afd, addr, port) {\
+	char *p;\
+	if (((ai) = (struct addrinfo *)malloc(sizeof(struct addrinfo) +\
+					      ((afd)->a_socklen)))\
+	    == NULL) {\
+		error = EAI_MEMORY;\
+		goto free;\
+	}\
+	memcpy(ai, pai, sizeof(struct addrinfo));\
+	(ai)->ai_addr = (struct sockaddr *)((ai) + 1);\
+	memset((ai)->ai_addr, 0, (afd)->a_socklen);\
+	SET_AILEN((ai), (afd)->a_socklen);\
+	(ai)->ai_addr->sa_family = (ai)->ai_family = (afd)->a_af;\
+	((struct sockinet *)(ai)->ai_addr)->si_port = port;\
+	p = (char *)((ai)->ai_addr);\
+	memcpy(p + (afd)->a_off, (addr), (afd)->a_addrlen);\
+}
+
+#define ERR(err) { error = (err); goto bad; }
+
+char *
+gai_strerror(ecode)
+	int ecode;
+{
+	if (ecode < 0 || ecode > EAI_MAX)
+		ecode = EAI_MAX;
+	return ai_errlist[ecode];
+}
+
+void
+freeaddrinfo(ai)
+	struct addrinfo *ai;
+{
+	struct addrinfo *next;
+
+	do {
+		next = ai->ai_next;
+		if (ai->ai_canonname)
+			free(ai->ai_canonname);
+		/* no need to free(ai->ai_addr) */
+		free(ai);
+	} while ((ai = next) != NULL);
+}
+
+static int
+str_isnumber(p)
+	const char *p;
+{
+	char *q = (char *)p;
+	while (*q) {
+		if (! isdigit(*q))
+			return NO;
+		q++;
+	}
+	return YES;
+}
+
+int
+getaddrinfo(hostname, servname, hints, res)
+	const char *hostname, *servname;
+	const struct addrinfo *hints;
+	struct addrinfo **res;
+{
+	struct addrinfo sentinel;
+	struct addrinfo *top = NULL;
+	struct addrinfo *cur;
+	int i, error = 0;
+	char pton[PTON_MAX];
+	struct addrinfo ai;
+	struct addrinfo *pai;
+	u_short port;
+
+	/* initialize file static vars */
+	sentinel.ai_next = NULL;
+	cur = &sentinel;
+	pai = &ai;
+	pai->ai_flags = 0;
+	pai->ai_family = PF_UNSPEC;
+	pai->ai_socktype = ANY;
+	pai->ai_protocol = ANY;
+	pai->ai_addrlen = 0;
+	pai->ai_canonname = NULL;
+	pai->ai_addr = NULL;
+	pai->ai_next = NULL;
+	port = ANY;
+	
+	if (hostname == NULL && servname == NULL)
+		return EAI_NONAME;
+	if (hints) {
+		/* error check for hints */
+		if (hints->ai_addrlen || hints->ai_canonname ||
+		    hints->ai_addr || hints->ai_next)
+			ERR(EAI_BADHINTS); /* xxx */
+		if (hints->ai_flags & ~AI_MASK)
+			ERR(EAI_BADFLAGS);
+		switch (hints->ai_family) {
+		case PF_UNSPEC:
+		case PF_INET:
+#ifdef INET6
+		case PF_INET6:
+#endif
+			break;
+		default:
+			ERR(EAI_FAMILY);
+		}
+		memcpy(pai, hints, sizeof(*pai));
+		switch (pai->ai_socktype) {
+		case ANY:
+			switch (pai->ai_protocol) {
+			case ANY:
+				break;
+			case IPPROTO_UDP:
+				pai->ai_socktype = SOCK_DGRAM;
+				break;
+			case IPPROTO_TCP:
+				pai->ai_socktype = SOCK_STREAM;
+				break;
+			default:
+				pai->ai_socktype = SOCK_RAW;
+				break;
+			}
+			break;
+		case SOCK_RAW:
+			break;
+		case SOCK_DGRAM:
+			if (pai->ai_protocol != IPPROTO_UDP &&
+			    pai->ai_protocol != ANY)
+				ERR(EAI_BADHINTS);	/*xxx*/
+			pai->ai_protocol = IPPROTO_UDP;
+			break;
+		case SOCK_STREAM:
+			if (pai->ai_protocol != IPPROTO_TCP &&
+			    pai->ai_protocol != ANY)
+				ERR(EAI_BADHINTS);	/*xxx*/
+			pai->ai_protocol = IPPROTO_TCP;
+			break;
+		default:
+			ERR(EAI_SOCKTYPE);
+			break;
+		}
+	}
+
+	/*
+	 * service port
+	 */
+	if (servname) {
+		if (str_isnumber(servname)) {
+			if (pai->ai_socktype == ANY) {
+				/* caller accept *ANY* socktype */
+				pai->ai_socktype = SOCK_DGRAM;
+				pai->ai_protocol = IPPROTO_UDP;
+			}
+			port = htons(atoi(servname));
+		} else {
+			struct servent *sp;
+			char *proto;
+
+			proto = NULL;
+			switch (pai->ai_socktype) {
+			case ANY:
+				proto = NULL;
+				break;
+			case SOCK_DGRAM:
+				proto = "udp";
+				break;
+			case SOCK_STREAM:
+				proto = "tcp";
+				break;
+			default:
+				fprintf(stderr, "panic!\n");
+				break;
+			}
+			if ((sp = getservbyname(servname, proto)) == NULL)
+				ERR(EAI_SERVICE);
+			port = sp->s_port;
+			if (pai->ai_socktype == ANY) {
+				if (strcmp(sp->s_proto, "udp") == 0) {
+					pai->ai_socktype = SOCK_DGRAM;
+					pai->ai_protocol = IPPROTO_UDP;
+				} else if (strcmp(sp->s_proto, "tcp") == 0) {
+					pai->ai_socktype = SOCK_STREAM;
+					pai->ai_protocol = IPPROTO_TCP;
+				} else
+					ERR(EAI_PROTOCOL);	/*xxx*/
+			}
+		}
+	}
+	
+	/*
+	 * hostname == NULL.
+	 * passive socket -> anyaddr (0.0.0.0 or ::)
+	 * non-passive socket -> localhost (127.0.0.1 or ::1)
+	 */
+	if (hostname == NULL) {
+		struct afd *afd;
+		int s;
+
+		for (afd = &afdl[0]; afd->a_af; afd++) {
+			if (!(pai->ai_family == PF_UNSPEC
+			   || pai->ai_family == afd->a_af)) {
+				continue;
+			}
+
+			/*
+			 * filter out AFs that are not supported by the kernel
+			 * XXX errno?
+			 */
+			s = socket(afd->a_af, SOCK_DGRAM, 0);
+			if (s < 0)
+				continue;
+			close(s);
+
+			if (pai->ai_flags & AI_PASSIVE) {
+				GET_AI(cur->ai_next, afd, afd->a_addrany, port);
+				/* xxx meaningless?
+				 * GET_CANONNAME(cur->ai_next, "anyaddr");
+				 */
+			} else {
+				GET_AI(cur->ai_next, afd, afd->a_loopback,
+					port);
+				/* xxx meaningless?
+				 * GET_CANONNAME(cur->ai_next, "localhost");
+				 */
+			}
+			cur = cur->ai_next;
+		}
+		top = sentinel.ai_next;
+		if (top)
+			goto good;
+		else
+			ERR(EAI_FAMILY);
+	}
+	
+	/* hostname as numeric name */
+	for (i = 0; afdl[i].a_af; i++) {
+		if (inet_pton(afdl[i].a_af, hostname, pton) == 1) {
+			u_long v4a;
+			u_char pfx;
+
+			switch (afdl[i].a_af) {
+			case AF_INET:
+				v4a = ntohl(((struct in_addr *)pton)->s_addr);
+				if (IN_MULTICAST(v4a) || IN_EXPERIMENTAL(v4a))
+					pai->ai_flags &= ~AI_CANONNAME;
+				v4a >>= IN_CLASSA_NSHIFT;
+				if (v4a == 0 || v4a == IN_LOOPBACKNET)
+					pai->ai_flags &= ~AI_CANONNAME;
+				break;
+#ifdef INET6
+			case AF_INET6:
+				pfx = ((struct in6_addr *)pton)->s6_addr[0];
+				if (pfx == 0 || pfx == 0xfe || pfx == 0xff)
+					pai->ai_flags &= ~AI_CANONNAME;
+				break;
+#endif
+			}
+			
+			if (pai->ai_family == afdl[i].a_af ||
+			    pai->ai_family == PF_UNSPEC) {
+				if (! (pai->ai_flags & AI_CANONNAME)) {
+					GET_AI(top, &afdl[i], pton, port);
+					goto good;
+				}
+				/*
+				 * if AI_CANONNAME and if reverse lookup
+				 * fail, return ai anyway to pacify
+				 * calling application.
+				 *
+				 * XXX getaddrinfo() is a name->address
+				 * translation function, and it looks strange
+				 * that we do addr->name translation here.
+				 */
+				get_name(pton, &afdl[i], &top, pton, pai, port);
+				goto good;
+			} else 
+				ERR(EAI_FAMILY);	/*xxx*/
+		}
+	}
+
+	if (pai->ai_flags & AI_NUMERICHOST)
+		ERR(EAI_NONAME);
+
+	/* hostname as alphabetical name */
+	error = get_addr(hostname, pai->ai_family, &top, pai, port);
+	if (error == 0) {
+		if (top) {
+ good:
+			*res = top;
+			return SUCCESS;
+		} else
+			error = EAI_FAIL;
+	}
+ free:
+	if (top)
+		freeaddrinfo(top);
+ bad:
+	*res = NULL;
+	return error;
+}
+
+static int
+get_name(addr, afd, res, numaddr, pai, port0)
+	const char *addr;
+	struct afd *afd;
+	struct addrinfo **res;
+	char *numaddr;
+	struct addrinfo *pai;
+	int port0;
+{
+	u_short port = port0 & 0xffff;
+	struct hostent *hp;
+	struct addrinfo *cur;
+	int error = 0;
+	hp = gethostbyaddr(addr, afd->a_addrlen, afd->a_af);
+	if (hp && hp->h_name && hp->h_name[0] && hp->h_addr_list[0]) {
+		GET_AI(cur, afd, hp->h_addr_list[0], port);
+		GET_CANONNAME(cur, hp->h_name);
+	} else
+		GET_AI(cur, afd, numaddr, port);
+	
+	*res = cur;
+	return SUCCESS;
+ free:
+	if (cur)
+		freeaddrinfo(cur);
+
+ /* bad: */
+	*res = NULL;
+	return error;
+}
+
+static int
+get_addr(hostname, af, res0, pai, port0)
+	const char *hostname;
+	int af;
+	struct addrinfo **res0;
+	struct addrinfo *pai;
+	int port0;
+{
+	int i, error, ekeep;
+	struct addrinfo *cur;
+	struct addrinfo **res;
+	int retry;
+	int s;
+
+	res = res0;
+	ekeep = 0;
+	error = 0;
+	for (i = 0; afdl[i].a_af; i++) {
+		retry = 0;
+		if (af == AF_UNSPEC) {
+			/*
+			 * filter out AFs that are not supported by the kernel
+			 * XXX errno?
+			 */
+			s = socket(afdl[i].a_af, SOCK_DGRAM, 0);
+			if (s < 0)
+				continue;
+			close(s);
+		} else {
+			if (af != afdl[i].a_af)
+				continue;
+		}
+		/* It is WRONG, we need getipnodebyname(). */
+again:
+		error = get_addr0(hostname, afdl[i].a_af, res, pai, port0);
+		switch (error) {
+		case EAI_AGAIN:
+			if (++retry < 3)
+				goto again;
+			/* FALL THROUGH*/
+		default:
+			if (ekeep == 0)
+				ekeep = error;
+			break;
+		}
+		if (*res) {
+			/* make chain of addrs */
+			for (cur = *res;
+			     cur && cur->ai_next;
+			     cur = cur->ai_next)
+				;
+			if (!cur)
+				return EAI_FAIL;
+			res = &cur->ai_next;
+		}
+	}
+
+	/* if we got something, it's okay */
+	if (*res0)
+		return 0;
+
+	return error ? error : ekeep;
+}
+
+static int
+get_addr0(hostname, af, res, pai, port0)
+	const char *hostname;
+	int af;
+	struct addrinfo **res;
+	struct addrinfo *pai;
+	int port0;
+{
+	u_short port = port0 & 0xffff;
+	struct addrinfo sentinel;
+	struct hostent *hp;
+	struct addrinfo *top, *cur;
+	struct afd *afd;
+	int i, error = 0, h_error;
+	char *ap;
+
+	top = NULL;
+	sentinel.ai_next = NULL;
+	cur = &sentinel;
+
+#ifdef HAVE_GETHOSTBYNAME2
+	if (af == AF_UNSPEC) {
+		error = EAI_FAIL;
+		goto bad;
+	}
+	hp = gethostbyname2(hostname, af);
+#else
+	if (af != AF_UNSPEC && af != AF_INET) {
+		error = EAI_FAIL;
+		goto bad;
+	}
+	hp = gethostbyname(hostname);
+#endif
+	h_error = h_errno;
+
+	if (hp == NULL) {
+		switch (h_error) {
+		case HOST_NOT_FOUND:
+		case NO_DATA:
+			error = EAI_NODATA;
+			break;
+		case TRY_AGAIN:
+			error = EAI_AGAIN;
+			break;
+		case NO_RECOVERY:
+		case NETDB_INTERNAL:
+		default:
+			error = EAI_FAIL;
+			break;
+		}
+		goto bad;
+	}
+
+	if ((hp->h_name == NULL) || (hp->h_name[0] == 0) ||
+	    (hp->h_addr_list[0] == NULL))
+		ERR(EAI_FAIL);
+	
+	for (i = 0; (ap = hp->h_addr_list[i]) != NULL; i++) {
+		switch (af) {
+#ifdef INET6
+		case AF_INET6:
+			afd = &afdl[N_INET6];
+			break;
+#endif
+#ifndef INET6
+		default:	/* AF_UNSPEC */
+#endif
+		case AF_INET:
+			afd = &afdl[N_INET];
+			break;
+#ifdef INET6
+		default:	/* AF_UNSPEC */
+			if (IN6_IS_ADDR_V4MAPPED((struct in6_addr *)ap)) {
+				ap += sizeof(struct in6_addr) -
+					sizeof(struct in_addr);
+				afd = &afdl[N_INET];
+			} else
+				afd = &afdl[N_INET6];
+			break;
+#endif
+		}
+		GET_AI(cur->ai_next, afd, ap, port);
+		if (cur == &sentinel) {
+			top = cur->ai_next;
+			GET_CANONNAME(top, hp->h_name);
+		}
+		cur = cur->ai_next;
+	}
+	*res = top;
+	return SUCCESS;
+ free:
+	if (top)
+		freeaddrinfo(top);
+ bad:
+	*res = NULL;
+	return error;
+}

contrib/queryperf/missing/getnameinfo.c

@@ -0,0 +1,226 @@
+/*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Issues to be discussed:
+ * - Thread safe-ness must be checked
+ * - Return values.  There seems to be no standard for return value (RFC2553)
+ *   but INRIA implementation returns EAI_xxx defined for getaddrinfo().
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+#include <netdb.h>
+#include <resolv.h>
+#include <string.h>
+#include <stddef.h>
+
+#include "addrinfo.h"
+
+#define SUCCESS 0
+#define ANY 0
+#define YES 1
+#define NO  0
+
+static struct afd {
+	int a_af;
+	int a_addrlen;
+	int a_socklen;
+	int a_off;
+} afdl [] = {
+#ifdef INET6
+	{PF_INET6, sizeof(struct in6_addr), sizeof(struct sockaddr_in6),
+		offsetof(struct sockaddr_in6, sin6_addr)},
+#endif
+	{PF_INET, sizeof(struct in_addr), sizeof(struct sockaddr_in),
+		offsetof(struct sockaddr_in, sin_addr)},
+	{0, 0, 0},
+};
+
+struct sockinet {
+	u_char	si_len;
+	u_char	si_family;
+	u_short	si_port;
+};
+
+#define ENI_NOSOCKET 	0
+#define ENI_NOSERVNAME	1
+#define ENI_NOHOSTNAME	2
+#define ENI_MEMORY	3
+#define ENI_SYSTEM	4
+#define ENI_FAMILY	5
+#define ENI_SALEN	6
+
+int
+getnameinfo(sa, salen, host, hostlen, serv, servlen, flags)
+	const struct sockaddr *sa;
+	size_t salen;
+	char *host;
+	size_t hostlen;
+	char *serv;
+	size_t servlen;
+	int flags;
+{
+	struct afd *afd;
+	struct servent *sp;
+	struct hostent *hp;
+	u_short port;
+	int family, len, i;
+	char *addr, *p;
+	u_long v4a;
+	int h_error;
+	char numserv[512];
+	char numaddr[512];
+
+	if (sa == NULL)
+		return ENI_NOSOCKET;
+
+#ifdef HAVE_SA_LEN
+	len = sa->sa_len;
+	if (len != salen) return ENI_SALEN;
+#else
+	len = salen;
+#endif
+	
+	family = sa->sa_family;
+	for (i = 0; afdl[i].a_af; i++)
+		if (afdl[i].a_af == family) {
+			afd = &afdl[i];
+			goto found;
+		}
+	return ENI_FAMILY;
+	
+ found:
+	if (len != afd->a_socklen) return ENI_SALEN;
+	
+	port = ((struct sockinet *)sa)->si_port; /* network byte order */
+	addr = (char *)sa + afd->a_off;
+
+	if (serv == NULL || servlen == 0) {
+		/* what we should do? */
+	} else if (flags & NI_NUMERICSERV) {
+		snprintf(numserv, sizeof(numserv), "%d", ntohs(port));
+		if (strlen(numserv) > servlen)
+			return ENI_MEMORY;
+		strcpy(serv, numserv);
+	} else {
+		sp = getservbyport(port, (flags & NI_DGRAM) ? "udp" : "tcp");
+		if (sp) {
+			if (strlen(sp->s_name) > servlen)
+				return ENI_MEMORY;
+			strcpy(serv, sp->s_name);
+		} else
+			return ENI_NOSERVNAME;
+	}
+
+	switch (sa->sa_family) {
+	case AF_INET:
+		v4a = ntohl(((struct sockaddr_in *)sa)->sin_addr.s_addr);
+		if (IN_MULTICAST(v4a) || IN_EXPERIMENTAL(v4a))
+			flags |= NI_NUMERICHOST;
+		v4a >>= IN_CLASSA_NSHIFT;
+		if (v4a == 0 || v4a == IN_LOOPBACKNET)
+			flags |= NI_NUMERICHOST;			
+		break;
+#ifdef INET6
+	case AF_INET6:
+	    {
+		struct sockaddr_in6 *sin6;
+		sin6 = (struct sockaddr_in6 *)sa;
+		switch (sin6->sin6_addr.s6_addr[0]) {
+		case 0x00:
+			if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr))
+				;
+			else if (IN6_IS_ADDR_LOOPBACK(&sin6->sin6_addr))
+				;
+			else
+				flags |= NI_NUMERICHOST;
+			break;
+		default:
+			if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr))
+				flags |= NI_NUMERICHOST;
+			else if (IN6_IS_ADDR_MULTICAST(&sin6->sin6_addr))
+				flags |= NI_NUMERICHOST;
+			break;
+		}
+	    }
+		break;
+#endif
+	}
+	if (host == NULL || hostlen == 0) {
+		/* what should we do? */
+	} else if (flags & NI_NUMERICHOST) {
+		/* NUMERICHOST and NAMEREQD conflicts with each other */
+		if (flags & NI_NAMEREQD)
+			return ENI_NOHOSTNAME;
+		if (inet_ntop(afd->a_af, addr, numaddr, sizeof(numaddr))
+		    == NULL)
+			return ENI_SYSTEM;
+		if (strlen(numaddr) > hostlen)
+			return ENI_MEMORY;
+		strcpy(host, numaddr);
+	} else {
+#ifdef USE_GETIPNODEBY
+		hp = getipnodebyaddr(addr, afd->a_addrlen, afd->a_af, &h_error);
+#else
+		hp = gethostbyaddr(addr, afd->a_addrlen, afd->a_af);
+		h_error = h_errno;
+#endif
+
+		if (hp) {
+			if (flags & NI_NOFQDN) {
+				p = strchr(hp->h_name, '.');
+				if (p) *p = '\0';
+			}
+			if (strlen(hp->h_name) > hostlen) {
+#ifdef USE_GETIPNODEBY
+				freehostent(hp);
+#endif
+				return ENI_MEMORY;
+			}
+			strcpy(host, hp->h_name);
+#ifdef USE_GETIPNODEBY
+			freehostent(hp);
+#endif
+		} else {
+			if (flags & NI_NAMEREQD)
+				return ENI_NOHOSTNAME;
+			if (inet_ntop(afd->a_af, addr, numaddr, sizeof(numaddr))
+			    == NULL)
+				return ENI_NOHOSTNAME;
+			if (strlen(numaddr) > hostlen)
+				return ENI_MEMORY;
+			strcpy(host, numaddr);
+		}
+	}
+	return SUCCESS;
+}

doc/dev/HOW-ADB-WORKS.txt

@@ -0,0 +1,134 @@
+Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 2003  Internet Software Consortium.
+See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+
+$Id: HOW-ADB-WORKS.txt,v 1.2 2004/03/05 05:04:50 marka Exp $
+
+Recently, several groups have expressed concern over potential
+denial of service attacks within BIND 9, specifically within the ADB
+(address database.)  This document hopes to provide a more clear
+picture of how the ADB works, and what sort of attacks are less likely
+due to its use.
+
+We will describe two scenarios, one with two CPUs (and therefore two
+worker threads in BIND 9) and one with a single CPU (and therefore one
+worker thread.)  The two CPU scenario scales to N CPUs.
+
+ADB OVERVIEW
+============
+
+The ADB acts as a cache for nameserver lookups.  If BIND 9 wishes to
+contact host ns1.example.com, it looks this name up in the ADB.  It
+will either return a set of addresses (if known) or return a result
+indicating a callback will occur when the data is found.
+
+ADB query, data not found, no fetches pending
+---------------------------------------------
+
+The name is hashed to find the "bucket" the name exists in.  Each
+bucket is a linked list of names.  There are 1009 buckets in the ADB.
+
+Once the bucket is found, it is locked.
+
+The linked list is searched to see if any addresses are known for the
+name.  If no information is found, a new fetch is started to find the
+addresses for this name.
+
+The bucket is unlocked.
+
+At some point, a callback occurs.  The end result is either a set of
+addresses for this name, or failure.
+
+NOTE:  The bucket is NOT locked while the fetch is in progress.
+
+ADB query, no data found, fetches pending
+-----------------------------------------
+
+The name is hashed to find the "bucket" the name exists in.  Each
+bucket is a linked list of names.  There are 1009 buckets in the ADB.
+
+Once the bucket is found, it is locked.
+
+The linked list is searched to see if any addresses are known for the
+name.  If an in-progress fetch is found, we schedule a callback when
+the fetch completes.  This means ONE fetch is in progress for any
+specific name.
+
+The bucket is unlocked.
+
+At some point, a callback occurs.  The end result is either a set of
+addresses for this name, or failure.
+
+NOTE:  The bucket is NOT locked while the fetch is in progress.
+
+ADB query, addresses found
+--------------------------
+
+The name is hashed to find the "bucket" the name exists in.  Each
+bucket is a linked list of names.  There are 1009 buckets in the ADB.
+
+Once the bucket is found, it is locked.
+
+The linked list is searched.  Since addresses are found, they are
+copied (referenced, actually) for the caller.
+
+The bucket is unlocked.
+
+NOTE:  The bucket is NOT locked while the addresses are used by the
+caller.
+
+Summary
+-------
+
+For any single ADB lookup, at most one bucket is locked.  If there are
+10 worker threads, at most 10 buckets will be locked, and at most 9
+CPUs will be waiting for a lock if they all happen to want the same
+bucket.  The wait time is fairly small, however, since it consists of:
+
+	a lock
+	linked list search
+	perhaps starting a fetch
+	perhaps copying addresses
+	an unlock
+
+
+TWO CPUS
+========
+
+When BIND 9 is told to use two worker threads, each runs independently
+of one another until shared data needs to be accessed.  One place this
+occurs is in the ADB.
+
+If both worker threads are trying to look up the same name (or two
+names that hash to the same ADB bucket) one will have to wait for the
+ADB lookup to complete.  Note that the lock is NOT held while the
+actual DNS fetch for the data is performed.
+
+If they are looking up different names (that hash to different
+buckets) each runs independently.
+
+This reduces the two CPU case to (at worse) a single CPU performance.
+
+ONE CPU
+=======
+
+One CPU means one worker thread in operation, so there is no lock
+contention.
+
+N-CPUs
+======
+
+As described above, a N-CPU configuration will at worse fall back to a
+one-CPU scenario while trying to access the same ADB bucket.  However,
+while the packet is decoded, data is retrieved from authority or cache
+data, and while the result is encoded into wire format and transmitted
+to the caller, no ADB locks are held, and other CPUs are free to use
+it.
+
+At worse, all the CPUs but one will be blocking on an ADB lock.
+However, the time it takes to search authority and cache, decode and
+encode a DNS packet is likely larger than the time taken in the ADB
+lock, so the worse case is unlikely to occur in practice.
+
+Also, note that one the data is cached for a given query, the ADB is
+not even used until that cache data expires.

doc/dev/autoconf

@@ -0,0 +1,18 @@
+Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 2001, 2002  Internet Software Consortium.
+See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+
+$Id: autoconf,v 1.4 2004/03/05 05:04:50 marka Exp $
+
+Here are some hints on how to use autoconf correctly when doing
+BIND 9 development.
+
+Never edit the configure script directly.  Edit configure.in, commit
+the changes, run "autoconf", and commit the new configure.  Doing two
+separate commits ensures that the version numbers embedded in the
+configure script are correct.
+
+Don't edit config.h.in directly.  Instead, run "autoheader".  If it
+complains about missing definitions, add them to acconfig.h, rerun
+autoheader, commit acconfig.h if edited, and commit the generated
+config.h.in.

doc/draft/draft-ietf-dnsext-dns-threats-07.txt

@@ -1,895 +0,0 @@
-
-
-Network Working Group                                          D. Atkins
-draft-ietf-dnsext-dns-threats-07.txt                    IHTFP Consulting
-                                                              R. Austein
-                                                                     ISC
-                                                              April 2004
-
-
-               Threat Analysis of the Domain Name System
-
-
-Status of this document
-
-   This document is an Internet-Draft and is in full conformance with
-   all provisions of Section 10 of RFC 2026.
-
-   Internet-Drafts are working documents of the Internet Engineering
-   Task Force (IETF), its areas, and its working groups.  Note that
-   other groups may also distribute working documents as Internet-
-   Drafts.
-
-   Internet-Drafts are draft documents valid for a maximum of six months
-   and may be updated, replaced, or obsoleted by other documents at any
-   time.  It is inappropriate to use Internet-Drafts as reference
-   material or to cite them other than as "work in progress."
-
-   The list of current Internet-Drafts can be accessed at
-   <http://www.ietf.org/ietf/1id-abstracts.txt>
-
-   The list of Internet-Draft Shadow Directories can be accessed at
-   <http://www.ietf.org/shadow.html>
-
-   Distribution of this document is unlimited.  Please send comments to
-   the Namedroppers mailing list <namedroppers@ops.ietf.org>.
-
-Abstract
-
-   Although the DNS Security Extensions (DNSSEC) have been under
-   development for most of the last decade, the IETF has never written
-   down the specific set of threats against which DNSSEC is designed to
-   protect.  Among other drawbacks, this cart-before-the-horse situation
-   has made it difficult to determine whether DNSSEC meets its design
-   goals, since its design goals are not well specified.  This note
-   attempts to document some of the known threats to the DNS, and, in
-   doing so, attempts to measure to what extent (if any) DNSSEC is a
-   useful tool in defending against these threats.
-
-
-
-
-
-
-Atkins & Austein         Expires 9 October 2004                 [Page 1]
-
-draft-ietf-dnsext-dns-threats-07.txt                          April 2004
-
-
-1. Introduction
-
-   The earliest organized work on DNSSEC within the IETF was an open
-   design team meeting organized by members of the DNS working group in
-   November 1993 at the 28th IETF meeting in Houston.  The broad
-   outlines of DNSSEC as we know it today are already clear in Jim
-   Galvin's summary of the results of that meeting [Galvin93]:
-
-   - While some participants in the meeting were interested in
-     protecting against disclosure of DNS data to unauthorized parties,
-     the design team made an explicit decision that "DNS data is
-     `public'", and ruled all threats of data disclosure explicitly out
-     of scope for DNSSEC.
-
-   - While some participants in the meeting were interested in
-     authentication of DNS clients and servers as a basis for access
-     control, this work was also ruled out of scope for DNSSEC per se.
-
-   - Backwards compatibility and co-existence with "insecure DNS" was
-     listed as an explicit requirement.
-
-   - The resulting list of desired security services was
-     1) data integrity, and
-     2) data origin authentication.
-
-   - The design team noted that a digital signature mechanism would
-     support the desired services.
-
-   While a number of detail decisions were yet to be made (and in some
-   cases remade after implementation experience) over the subsequent
-   decade, the basic model and design goals have remained fixed.
-
-   Nowhere, however, does any of the DNSSEC work attempt to specify in
-   any detail the sorts of attacks against which DNSSEC is intended to
-   protect, or the reasons behind the list of desired security services
-   that came out of the Houston meeting.  For that, we have to go back
-   to a paper originally written by Steve Bellovin in 1990 but not
-   published until 1995, for reasons that Bellovin explained in the
-   paper's epilogue [Bellovin95].
-
-   While it may seem a bit strange to publish the threat analysis a
-   decade after starting work on the protocol designed to defend against
-   it, that is nevertheless what this note attempts to do.  Better late
-   than never.
-
-   This note assumes that the reader is familiar with both the DNS and
-   with DNSSEC, and does not attempt to provide a tutorial on either.
-   The DNS documents most relevant to the subject of this note are:
-
-
-
-Atkins & Austein         Expires 9 October 2004                 [Page 2]
-
-draft-ietf-dnsext-dns-threats-07.txt                          April 2004
-
-
-   [RFC1034], [RFC1035], section 6.1 of [RFC1123], [RFC2181], [RFC2308],
-   [RFC2671], [RFC2845], [RFC2930], [RFC3007], and [RFC2535].
-
-   For purposes of discussion, this note uses the term "DNSSEC" to refer
-   to the core hierarchical public key and signature mechanism specified
-   in the DNSSEC documents, and refers to TKEY and TSIG as separate
-   mechanisms, even though channel security mechanisms such as TKEY and
-   TSIG are also part of the larger problem of "securing DNS" and thus
-   are often considered part of the overall set of "DNS security
-   extensions".  This is an arbitrary distinction that in part reflects
-   the way in which the protocol has evolved (introduction of a
-   putatively simpler channel security model for certain operations such
-   as zone transfers and dynamic update requests), and perhaps should be
-   changed in a future revision of this note.
-
-2.  Known Threats
-
-   There are several distinct classes of threats to the DNS, most of
-   which are DNS-related instances of more general problems, but a few
-   of which are specific to peculiarities of the DNS protocol.
-
-2.1.  Packet Interception
-
-   Some of the simplest threats against DNS are various forms of packet
-   interception: monkey-in-the-middle attacks, eavesdropping on requests
-   combined with spoofed responses that beat the real response back to
-   the resolver, and so forth.  In any of these scenarios, the attacker
-   can simply tell either party (usually the resolver) whatever it wants
-   that party to believe.  While packet interception attacks are far
-   from unique to DNS, DNS's usual behavior of sending an entire query
-   or response in a single unsigned, unencrypted UDP packet makes these
-   attacks particularly easy for any bad guy with the ability to
-   intercept packets on a shared or transit network.
-
-   To further complicate things, the DNS query the attacker intercepts
-   may just be a means to an end for the attacker: the attacker might
-   even choose to return the correct result in the answer section of a
-   reply message while using other parts of the message to set the stage
-   for something more complicated, for example, a name-based attack (see
-   below).
-
-   While it certainly would be possible to sign DNS messages using a
-   channel security mechanism such as TSIG or IPsec, or even to encrypt
-   them using IPsec, this would not be a very good solution.  First,
-   this approach would impose a fairly high processing cost per DNS
-   message, as well as a very high cost associated with establishing and
-   maintaining bilateral trust relationships between all the parties
-   that might be involved in resolving any particular query.  For
-
-
-
-Atkins & Austein         Expires 9 October 2004                 [Page 3]
-
-draft-ietf-dnsext-dns-threats-07.txt                          April 2004
-
-
-   heavily used name servers (such as the servers for the root zone),
-   this cost would almost certainly be prohibitively high.  Even more
-   important, however, is that the underlying trust model in such a
-   design would be wrong, since at best it would only provide a hop-by-
-   hop integrity check on DNS messages and would not provide any sort of
-   end-to-end integrity check between the producer of DNS data (the zone
-   administrator) and the consumer of DNS data (the application that
-   triggered the query).
-
-   By contrast, DNSSEC (when used properly) does provide an end-to-end
-   data integrity check, and is thus a much better solution for this
-   class of problems during basic DNS lookup operations.
-
-   TSIG does have its place in corners of the DNS protocol where there's
-   a specific trust relationship between a particular client and a
-   particular server, such as zone transfer, dynamic update, or a
-   resolver (stub or otherwise) that is not going to check all the
-   DNSSEC signatures itself.
-
-   Note that DNSSEC does not provide any protection against modification
-   of the DNS message header, so any properly paranoid resolver must:
-
-   - Perform all of the DNSSEC signature checking on its own,
-
-   - Use TSIG (or some equivalent mechanism) to ensure the integrity of
-     its communication with whatever name servers it chooses to trust,
-     or
-
-   - Resign itself to the possibility of being attacked via packet
-     interception (and via other techniques discussed below).
-
-2.2.  ID Guessing and Query Prediction
-
-   Since DNS is for the most part used over UDP/IP, it is relatively
-   easy for an attacker to generate packets which will match the
-   transport protocol parameters.  The ID field in the DNS header is
-   only a 16-bit field and the server UDP port associated with DNS is a
-   well-known value, so there are only 2**32 possible combinations of ID
-   and client UDP port for a given client and server.  This is not a
-   particularly large range, and is not sufficient to protect against a
-   brute force search; furthermore, in practice both the client UDP port
-   and the ID can often be predicted from previous traffic, and it is
-   not uncommon for the client port to be a known fixed value as well
-   (due to firewalls or other restrictions), thus frequently reducing
-   the search space to a range smaller than 2**16.
-
-   By itself, ID guessing is not enough to allow an attacker to inject
-   bogus data, but combined with knowledge (or guesses) about QNAMEs and
-
-
-
-Atkins & Austein         Expires 9 October 2004                 [Page 4]
-
-draft-ietf-dnsext-dns-threats-07.txt                          April 2004
-
-
-   QTYPEs for which a resolver might be querying, this leaves the
-   resolver only weakly defended against injection of bogus responses.
-
-   Since this attack relies on predicting a resolver's behavior, it's
-   most likely to be successful when the victim is in a known state,
-   whether because the victim rebooted recently, or because the victim's
-   behavior has been influenced by some other action by the attacker, or
-   because the victim is responding (in a predictable way) to some third
-   party action known to the attacker.
-
-   This attack is both more and less difficult for the attacker than the
-   simple interception attack described above: more difficult, because
-   the attack only works when the attacker guesses correctly; less
-   difficult, because the attacker doesn't need to be on a transit or
-   shared network.
-
-   In most other respects, this attack is similar to a packet
-   interception attack.  A resolver that checks DNSSEC signatures will
-   be able to detect the forged response; resolvers that do not
-   themselves perform DNSSEC signature checking should use TSIG or some
-   equivalent mechanism to ensure the integrity of their communication
-   with a recursing name server that does perform DNSSEC signature
-   checking.
-
-2.3.  Name Chaining
-
-   Perhaps the most interesting class of DNS-specific threats are the
-   name chaining attacks.  These are a subset of a larger class of name-
-   based attacks, sometimes called "cache poisoning" attacks.  Most
-   name-based attacks can be at least partially mitigated by the long-
-   standing defense of checking RRs in response messages for relevance
-   to the original query, but such defenses do not catch name chaining
-   attacks.  There are several variations on the basic attack, but what
-   they all have in common is that they all involve DNS RRs whose RDATA
-   portion (right hand side) includes a DNS name (or, in a few cases,
-   something that is not a DNS name but which directly maps to a DNS
-   name).  Any such RR is, at least in principle, a hook that lets an
-   attacker feed bad data into a victim's cache, thus potentially
-   subverting subsequent decisions based on DNS names.
-
-   The worst examples in this class of RRs are CNAME, NS, and DNAME RRs,
-   because they can redirect a victim's query to a location of the
-   attacker's choosing.  RRs like MX and SRV are somewhat less
-   dangerous, but in principle they can also be used to trigger further
-   lookups at a location of the attacker's choosing.  Address RR types
-   such as A or AAAA don't have DNS names in their RDATA, but since the
-   IN-ADDR.ARPA and IP6.ARPA trees are indexed using a DNS encoding of
-   IPv4 and IPv6 addresses, these record types can also be used in a
-
-
-
-Atkins & Austein         Expires 9 October 2004                 [Page 5]
-
-draft-ietf-dnsext-dns-threats-07.txt                          April 2004
-
-
-   name chaining attack.
-
-   The general form of a name chaining attack is something like this:
-
-   - Victim issues a query, perhaps at the instigation of the attacker
-     or some third party; in some cases the query itself may be
-     unrelated to the name under attack (that is, the attacker is just
-     using this query as a means to inject false information about some
-     other name).
-
-   - Attacker injects response, whether via packet interception, query
-     guessing, or by being a legitimate name server that's involved at
-     some point in the process of answering the query that the victim
-     issued.
-
-   - Attacker's response includes one or more RRs with DNS names in
-     their RDATA; depending on which particular form this attack takes,
-     the object may be to inject false data associated with those names
-     into the victim's cache via the Additional section of this
-     response, or may be to redirect the next stage of the query to a
-     server of the attacker's choosing (in order to inject more complex
-     lies into the victim's cache than will fit easily into a single
-     response, or in order to place the lies in the Authority or Answer
-     section of a response where they will have a better chance of
-     sneaking past a resolver's defenses).
-
-   Any attacker who can insert resource records into a victim's cache
-   can almost certainly do some kind of damage, so there are cache
-   poisoning attacks which are not name chaining attacks in the sense
-   discussed here.  However, in the case of name chaining attacks, the
-   cause and effect relationship between the initial attack and the
-   eventual result may be significantly more complex than in the other
-   forms of cache poisoning, so name chaining attacks merit special
-   attention.
-
-   The common thread in all of the name chaining attacks is that
-   response messages allow the attacker to introduce arbitrary DNS names
-   of the attacker's choosing and provide further information that the
-   attacker claims is associated with those names; unless the victim has
-   better knowledge of the data associated with those names, the victim
-   is going to have a hard time defending against this class of attacks.
-
-   This class of attack is particularly insidious given that it's quite
-   easy for an attacker to provoke a victim into querying for a
-   particular name of the attacker's choosing, for example, by embedding
-   a link to a 1x1-pixel "web bug" graphic in a piece of Text/HTML mail
-   to the victim.  If the victim's mail reading program attempts to
-   follow such a link, the result will be a DNS query for a name chosen
-
-
-
-Atkins & Austein         Expires 9 October 2004                 [Page 6]
-
-draft-ietf-dnsext-dns-threats-07.txt                          April 2004
-
-
-   by the attacker.
-
-   DNSSEC should provide a good defense against most (all?) variations
-   on this class of attack.  By checking signatures, a resolver can
-   determine whether the data associated with a name really was inserted
-   by the delegated authority for that portion of the DNS name space
-   (more precisely, a resolver can determine whether the entity that
-   injected the data had access to an allegedly secret key whose
-   corresponding public key appears at an expected location in the DNS
-   name space with an expected chain of parental signatures that start
-   with a public key of which the resolver has prior knowledge).
-
-   DNSSEC signatures do not cover glue records, so there's still a
-   possibility of a name chaining attack involving glue, but with DNSSEC
-   it is possible to detect the attack by temporarily accepting the glue
-   in order to fetch the signed authoritative version of the same data,
-   then checking the signatures on the authoritative version.
-
-2.4.  Betrayal By Trusted Server
-
-   Another variation on the packet interception attack is the trusted
-   server that turns out not to be so trustworthy, whether by accident
-   or by intent.  Many client machines are only configured with stub
-   resolvers, and use trusted servers to perform all of their DNS
-   queries on their behalf.  In many cases the trusted server is
-   furnished by the user's ISP and advertised to the client via DHCP or
-   PPP options.  Besides accidental betrayal of this trust relationship
-   (via server bugs, successful server break-ins, etc), the server
-   itself may be configured to give back answers that are not what the
-   user would expect (whether in an honest attempt to help the user or
-   to further some other goal such as furthering a business partnership
-   between the ISP and some third party).
-
-   This problem is particularly acute for frequent travelers who carry
-   their own equipment and expect it to work in much the same way no
-   matter which network it's plugged into at any given moment (and no
-   matter what brand of middle boxes a particular hotel chain might have
-   installed when adding network drops in every guest room...).
-
-   While the obvious solution to this problem would be for the client to
-   choose a more trustworthy server, in practice this may not be an
-   option for the client.  In many network environments a client machine
-   has only a limited set of recursive name servers from which to
-   choose, and none of them may be particularly trustworthy.  In extreme
-   cases, port filtering or other forms of packet interception may
-   prevent the client host from being able to run an iterative resolver
-   even if the owner of the client machine is willing and able to do so.
-   Thus, while the initial source of this problem is not a DNS protocol
-
-
-
-Atkins & Austein         Expires 9 October 2004                 [Page 7]
-
-draft-ietf-dnsext-dns-threats-07.txt                          April 2004
-
-
-   attack per se, this sort of betrayal is a threat to DNS clients, and
-   simply switching to a different recursive name server is not an
-   adequate defense.
-
-   Viewed strictly from the DNS protocol standpoint, the only difference
-   between this sort of betrayal and a packet interception attack is
-   that in this case the client has voluntarily sent its request to the
-   attacker.  The defense against this is the same as with a packet
-   interception attack: the resolver must either check DNSSEC signatures
-   itself or use TSIG (or equivalent) to authenticate the server that it
-   has chosen to trust.  Note that use of TSIG does not by itself
-   guarantee that a name server is at all trustworthy: all TSIG can do
-   is help a resolver protect its communication with a name server that
-   it has already decided to trust for other reasons.  Protecting a
-   resolver's communication with a server that's giving out bogus
-   answers is not particularly useful.
-
-   Also note that if the stub resolver does not trust the name server
-   that is doing work on its behalf and wants to check the DNSSEC
-   signatures itself, the resolver really does need to have independent
-   knowledge of the DNSSEC public key(s) it needs in order to perform
-   the check (usually the public key for the root zone, but in some
-   cases knowledge of additional keys may also be appropriate).
-
-   It is difficult to escape the conclusion that a properly paranoid
-   resolver must always perform its own signature checking, and that
-   this rule even applies to stub resolvers.
-
-2.5.  Denial of Service
-
-   As with any network service (or, indeed, almost any service of any
-   kind in any domain of discourse), DNS is vulnerable to denial of
-   service attacks.  DNSSEC does not help this, and may in fact make the
-   problem worse for resolvers that check signatures, since checking
-   signatures both increases the processing cost per DNS message and in
-   some cases can also increase the number of messages needed to answer
-   a query.  TSIG (and similar mechanisms) have equivalent problems.
-
-   DNS servers are also at risk of being used as denial of service
-   amplifiers, since DNS response packets tend to be significantly
-   longer than DNS query packets.  Unsurprisingly, DNSSEC doesn't help
-   here either.
-
-2.6.  Authenticated Denial of Domain Names
-
-   Much discussion has taken place over the question of authenticated
-   denial of domain names.  The particular question is whether there is
-   a requirement for authenticating the non-existence of a name.  The
-
-
-
-Atkins & Austein         Expires 9 October 2004                 [Page 8]
-
-draft-ietf-dnsext-dns-threats-07.txt                          April 2004
-
-
-   issue is whether the resolver should be able to detect when an
-   attacker removes RRs from a response.
-
-   General paranoia aside, the existence of RR types whose absence
-   causes an action other than immediate failure (such as missing MX and
-   SRV RRs, which fail over to A RRs) constitutes a real threat.
-   Arguably, in some cases, even the immediate failure of a missing RR
-   might be considered a problem.  The question remains: how serious is
-   this threat?  Clearly the threat does exist; general paranoia says
-   that some day it'll be on the front page of some major newspaper,
-   even if we cannot conceive of a plausible scenario involving this
-   attack today.  This implies that some mitigation of this risk is
-   required.
-
-   Note that it's necessary to prove the non-existence of applicable
-   wildcard RRs as part of the authenticated denial mechanism, and that,
-   in a zone that is more than one label deep, such a proof may require
-   proving the non-existence of multiple discrete sets of wildcard RRs.
-
-   DNSSEC does include mechanisms which make it possible to determine
-   which authoritative names exist in a zone, and which authoritative
-   resource record types exist at those names.  The DNSSEC protections
-   do not cover non-authoritative data such as glue records.
-
-2.7.  Wildcards
-
-   Much discussion has taken place over whether and how to provide data
-   integrity and data origin authentication for "wildcard" DNS names.
-   Conceptually, RRs with wildcard names are patterns for synthesizing
-   RRs on the fly according to the matching rules described in section
-   4.3.2 of RFC 1034.  While the rules that control the behavior of
-   wildcard names have a few quirks that can make them a trap for the
-   unwary zone administrator, it's clear that a number of sites make
-   heavy use of wildcard RRs, particularly wildcard MX RRs.
-
-   In order to provide the desired services for wildcard RRs, we need to
-   do two things:
-
-   - We need a way to attest to the existence of the wildcard RR itself
-     (that is, we need to show that the synthesis rule exists), and
-
-   - We need a way to attest to the non-existence of any RRs which, if
-     they existed, would make the wildcard RR irrelevant according to
-     the synthesis rules that govern the way in which wildcard RRs are
-     used (that is, we need to show that the synthesis rule is
-     applicable).
-
-   Note that this makes the wildcard mechanisms dependent upon the
-
-
-
-Atkins & Austein         Expires 9 October 2004                 [Page 9]
-
-draft-ietf-dnsext-dns-threats-07.txt                          April 2004
-
-
-   authenticated denial mechanism described in the previous section.
-
-   DNSSEC includes mechanisms along the lines described above, which
-   make it possible for a resolver to verify that a name server applied
-   the wildcard expansion rules correctly when generating an answer.
-
-3.  Weaknesses of DNSSEC
-
-   DNSSEC has some problems of its own:
-
-   - DNSSEC is complex to implement, and includes some nasty edge cases
-     at the zone cuts that require very careful coding.  Testbed
-     experience to date suggests that trivial zone configuration errors
-     or expired keys can cause serious problems for a DNSSEC-aware
-     resolver, and that the current protocol's error reporting
-     capabilities may leave something to be desired.
-
-   - DNSSEC significantly increases the size of DNS response packets;
-     among other issues, this makes DNSSEC-aware DNS servers even more
-     effective as denial of service amplifiers.
-
-   - DNSSEC answer validation increases the resolver's work load, since
-     a DNSSEC-aware resolver will need to perform signature validation
-     and in some cases will also need to issue further queries.  This
-     increased workload will also increase the time it takes to get an
-     answer back to the original DNS client, which is likely to trigger
-     both timeouts and re-queries in some cases.  (Arguably, many
-     current DNS clients are already too impatient even before taking
-     the further delays that DNSSEC will impose into account, but that's
-     a separate topic for another document....)
-
-   - Like DNS itself, DNSSEC's trust model is almost totally
-     hierarchical.  While DNSSEC does allow resolvers to have special
-     additional knowledge of public keys beyond those for the root, in
-     the general case the root key is the one that matters.  Thus any
-     compromise in any of the zones between the root and a particular
-     target name can damage DNSSEC's ability to protect the integrity of
-     data owned by that target name.  This is not a change, since
-     insecure DNS has the same model.
-
-   - Key rollover at the root is really hard.  Work to date has not even
-     come close to adequately specifying how the root key rolls over, or
-     even how it's configured in the first place.
-
-   - DNSSEC creates a requirement of loose time synchronization between
-     the validating resolver and the entity creating the DNSSEC
-     signatures.  Prior to DNSSEC, all time-related actions in DNS could
-     be performed by a machine that only knew about "elapsed" or
-
-
-
-Atkins & Austein         Expires 9 October 2004                [Page 10]
-
-draft-ietf-dnsext-dns-threats-07.txt                          April 2004
-
-
-     "relative" time.  Because the validity period of a DNSSEC signature
-     is based on "absolute" time, a validating resolver must have the
-     same concept of absolute time as the zone signer in order to
-     determine whether the signature is within its validity period or
-     has expired.  An attacker that can change a resolver's opinion of
-     the current absolute time can fool the resolver using expired
-     signatures.  An attacker that can change the zone signer's opinion
-     of the current absolute time can fool the zone signer into
-     generating signatures whose validity period does not match what the
-     signer intended.
-
-   - The possible existence of wildcard RRs in a zone complicates the
-     authenticated denial mechanism considerably.  For most of the
-     decade that DNSSEC has been under development these issues were
-     poorly understood.  At various times there have been questions as
-     to whether the authenticated denial mechanism is completely
-     airtight and whether it would be worthwhile to optimize the
-     authenticated denial mechanism for the common case in which
-     wildcards are not present in a zone, but the main problem is just
-     the inherent complexity of the wildcard mechanism itself.  This
-     complexity probably makes the code for generating and checking
-     authenticated denial attestations somewhat fragile, but since the
-     alternative of giving up wildcards entirely is not practical due to
-     widespread use, we are going to have to live with wildcards, and
-     the question just becomes one of whether or not the proposed
-     optimizations would make DNSSEC's mechanisms more or less fragile.
-
-   - Even with DNSSEC, the class of attacks discussed in section 2.4 is
-     not easy to defeat.  In order for DNSSEC to be effective in this
-     case, it must be possible to configure the resolver to expect
-     certain categories of DNS records to be signed, which may require
-     manual configuration of the resolver, especially during the initial
-     DNSSEC rollout period when the resolver cannot reasonably expect
-     the root and TLD zones to be signed.
-
-
-4.  Topics for Future Work
-
-   This section lists a few subjects not covered above which probably
-   need additional study, additional mechanisms, or both.
-
-4.1.  Interactions With Other Protocols
-
-   The above discussion has concentrated exclusively on attacks within
-   the boundaries of the DNS protocol itself, since those are the
-   problems against (some of) which DNSSEC was intended to protect.
-   There are, however, other potential problems at the boundaries where
-   DNS interacts with other protocols.
-
-
-
-Atkins & Austein         Expires 9 October 2004                [Page 11]
-
-draft-ietf-dnsext-dns-threats-07.txt                          April 2004
-
-
-4.2.  Securing DNS Dynamic Update
-
-   DNS dynamic update opens a number of potential problems when combined
-   with DNSSEC.  Dynamic update of a non-secure zone can use TSIG to
-   authenticate the updating client to the server.  While TSIG does not
-   scale very well (it requires manual configuration of shared keys
-   between the DNS name server and each TSIG client), it works well in a
-   limited or closed environment such as a DHCP server updating a local
-   DNS name server.
-
-   Major issues arise when trying to use dynamic update on a secure
-   zone.  TSIG can similarly be used in a limited fashion to
-   authenticate the client to the server, but TSIG only protects DNS
-   transactions, not the actual data, and the TSIG is not inserted into
-   the DNS zone, so resolvers cannot use the TSIG as a way of verifying
-   the changes to the zone.  This means that either:
-
-   a) The updating client must have access to a zone-signing key in
-       order to sign the update before sending it to the server, or
-
-   b) The DNS name server must have access to an online zone-signing key
-       in order to sign the update.
-
-   In either case, a zone-signing key must be available to create signed
-   RRsets to place in the updated zone.  The fact that this key must be
-   online (or at least available) is a potential security risk.
-
-   Dynamic update also requires an update to the SERIAL field of the
-   zone's SOA RR.  In theory, this could also be handled via either of
-   the above options, but in practice (a) would almost certainly be
-   extremely fragile, so (b) is the only workable mechanism.
-
-   There are other threats in terms of describing the policy of who can
-   make what changes to which RRsets in the zone.  The current access
-   control scheme in Secure Dynamic Update is fairly limited.  There is
-   no way to give fine-grained access to updating DNS zone information
-   to multiple entities, each of whom may require different kinds of
-   access.  For example, Alice may need to be able to add new nodes to
-   the zone or change existing nodes, but not remove them; Bob may need
-   to be able to remove zones but not add them; Carol may need to be
-   able to add, remove, or modify nodes, but only A records.
-
-   Scaling properties of the key management problem here are a
-   particular concern that needs more study.
-
-
-
-
-
-
-
-Atkins & Austein         Expires 9 October 2004                [Page 12]
-
-draft-ietf-dnsext-dns-threats-07.txt                          April 2004
-
-
-4.3.  Securing DNS Zone Replication
-
-   As discussed in previous sections, DNSSEC per se attempts to provide
-   data integrity and data origin authentication services on top of the
-   normal DNS query protocol.  Using the terminology discussed in
-   [RFC3552], DNSSEC provides "object security" for the normal DNS query
-   protocol.  For purposes of replicating entire DNS zones, however,
-   DNSSEC does not provide object security, because zones include
-   unsigned NS RRs and glue at delegation points.  Use of TSIG to
-   protect zone transfer (AXFR or IXFR) operations provides "channel
-   security", but still does not provide object security for complete
-   zones, so the trust relationships involved in zone transfer are still
-   very much a hop-by-hop matter of name server operators trusting other
-   name server operators, rather than an end-to-end matter of name
-   server operators trusting zone administrators.
-
-   Zone object security was not an explicit design goal of DNSSEC, so
-   failure to provide this service should not be a surprise.
-   Nevertheless, there are some zone replication scenarios for which
-   this would be a very useful additional service, so this seems like a
-   useful area for future work.  In theory it should not be difficult to
-   zone object security as a backwards compatible enhancement to the
-   existing DNSSEC model, but the DNSEXT WG has not yet discussed either
-   the desirability of or the requirements for such an enhancement.
-
-5.  Conclusion
-
-   Based on the above analysis, the DNSSEC extensions do appear to solve
-   a set of problems that do need to be solved, and are worth deploying.
-
-Security Considerations
-
-   This entire document is about security considerations of the DNS.
-   The authors believe that deploying DNSSEC will help to address some,
-   but not all, of the known threats to the DNS.
-
-IANA Considerations
-
-   None.
-
-Acknowledgments
-
-   This note is based both previous published works by others and on a
-   number of discussions both public and private over a period of many
-   years, but particular thanks go to Jaap Akkerhuis, Steve Bellovin,
-   Dan Bernstein, Randy Bush, Steve Crocker, Olafur Gudmundsson, Russ
-   Housley, Rip Loomis, Allison Mankin, Paul Mockapetris, Thomas Narten
-   Mans Nilsson, Pekka Savola, Paul Vixie, Xunhua Wang, and any other
-
-
-
-Atkins & Austein         Expires 9 October 2004                [Page 13]
-
-draft-ietf-dnsext-dns-threats-07.txt                          April 2004
-
-
-   members of the DNS, DNSSEC, DNSIND, and DNSEXT working groups whose
-   names and contributions the authors have forgotten, none of whom are
-   responsible for what the authors did with their ideas.
-
-   As with any work of this nature, the authors of this note acknowledge
-   that we are standing on the toes of those who have gone before us.
-   Readers interested in this subject may also wish to read
-   [Bellovin95], [Schuba93], and [Vixie95].
-
-Normative References
-
-   [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
-        RFC 1034, November 1987.
-
-   [RFC1035] Mockapetris, P., "Domain names - implementation and
-        specification", RFC 1035, November 1987.
-
-   [RFC1123] Braden, R., Editor, "Requirements for Internet Hosts -
-        Application and Support", RFC 1123, October 1989.
-
-   [RFC2181] Elz, R., and R. Bush, "Clarifications to the DNS
-        Specification" RFC 2181, July 1997.
-
-   [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)"
-        RFC 2308, March 1998.
-
-   [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC
-        2671, August 1999.
-
-   [RFC2845] Vixie, P., Gudmundsson, O., Eastlake, D., and B.
-        Wellington, "Secret Key Transaction Authentication for DNS
-        (TSIG)" RFC 2845, May 2000.
-
-   [RFC2930] Eastlake, D., "Secret Key Establishment for DNS (TKEY RR)"
-        RFC 2930, September 2000.
-
-   [RFC3007] Wellington, B., "Secure Domain Name System (DNS) Dynamic
-        Update" RFC 3007, November 2000.
-
-   [RFC2535] Eastlake, D., "Domain Name System Security Extensions", RFC
-        2535, March 1999.
-
-Informative References
-
-   [RFC3552] Rescorla, E., Korver, B., and the Internet Architecture
-        Board, "Guidelines for Writing RFC Text on Security
-        Considerations", RFC 3552, July 2003.
-
-
-
-
-Atkins & Austein         Expires 9 October 2004                [Page 14]
-
-draft-ietf-dnsext-dns-threats-07.txt                          April 2004
-
-
-   [Bellovin95] Bellovin, S., "Using the Domain Name System for System
-        Break-Ins", Proceedings of the Fifth Usenix Unix Security
-        Symposium, June 1995.
-
-   [Galvin93] Design team meeting summary message posted to dns-
-        security@tis.com mailing list by Jim Galvin on 19 November 1993.
-
-   [Schuba93] Schuba, C., "Addressing Weaknesses in the Domain Name
-        System Protocol", Master's thesis, Purdue University Department
-        of Computer Sciences, August 1993.
-
-   [Vixie95] Vixie, P, "DNS and BIND Security Issues", Proceedings of
-        the Fifth Usenix Unix Security Symposium, June 1995.
-
-Authors' addresses:
-
-      Derek Atkins
-      IHTFP Consulting, Inc.
-      6 Farragut Ave
-      Somerville, MA  02144
-      USA
-
-      Email: derek@ihtfp.com
-
-      Rob Austein
-      Internet Systems Consortium
-      950 Charter Street
-      Redwood City, CA 94063
-      USA
-
-      Email: sra@isc.org
-Intellectual Property Statement
-
-   The IETF takes no position regarding the validity or scope of any
-   intellectual property or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; neither does it represent that it
-   has made any effort to identify any such rights.  Information on the
-   IETF's procedures with respect to rights in standards-track and
-   standards-related documentation can be found in BCP-11.  Copies of
-   claims of rights made available for publication and any assurances of
-   licenses to be made available, or the result of an attempt made to
-   obtain a general license or permission for the use of such
-   proprietary rights by implementors or users of this specification can
-   be obtained from the IETF Secretariat.
-
-   The IETF invites any interested party to bring to its attention any
-
-
-
-Atkins & Austein         Expires 9 October 2004                [Page 15]
-
-draft-ietf-dnsext-dns-threats-07.txt                          April 2004
-
-
-   copyrights, patents or patent applications, or other proprietary
-   rights which may cover technology that may be required to practice
-   this standard.  Please address the information to the IETF Executive
-   Director.
-
-Full Copyright Statement
-
-   Copyright (C) The Internet Society (2003).  All Rights Reserved.
-
-   This document and translations of it may be copied and furnished to
-   others, and derivative works that comment on or otherwise explain it
-   or assist in its implementation may be prepared, copied, published
-   and distributed, in whole or in part, without restriction of any
-   kind, provided that the above copyright notice and this paragraph are
-   included on all such copies and derivative works.  However, this
-   document itself may not be modified in any way, such as by removing
-   the copyright notice or references to the Internet Society or other
-   Internet organizations, except as needed for the purpose of
-   developing Internet standards in which case the procedures for
-   copyrights defined in the Internet Standards process must be
-   followed, or as required to translate it into languages other than
-   English.
-
-   The limited permissions granted above are perpetual and will not be
-   revoked by the Internet Society or its successors or assigns.
-
-   This document and the information contained herein is provided on an
-   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
-   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
-   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
-   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
-   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
-   Funding for the RFC Editor function is currently provided by the
-   Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Atkins & Austein         Expires 9 October 2004                [Page 16]
-