move 9.5.0a5 tag point

[RT #16906]

COPYRIGHT

@@ -1,4 +1,4 @@
-Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
 Copyright (C) 1996-2003  Internet Software Consortium.
 
 Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@ LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 PERFORMANCE OF THIS SOFTWARE.
 
-$Id: COPYRIGHT,v 1.6.2.2.8.3 2005/01/10 23:51:37 marka Exp $
+$Id: COPYRIGHT,v 1.12 2007/01/03 04:53:20 marka Exp $
 
 Portions Copyright (C) 1996-2001  Nominum, Inc.
 

EXCLUDED

@@ -1,162 +0,0 @@
-
-1007.	[port]		config.guess, config.sub from autoconf-2.52.
-
-1008.	[port]		libtool.m4, ltmain.sh from libtool-1.4.2.
-
-1009.	[port]		OpenUNIX 8 support. [RT #1728]
-
-1011.	[cleanup]	Removed isc_dir_current().
-
-1024.	[port]		Compilation failed on HP-UX 11.11 due to
-			incompatible use of the SIOCGLIFCONF macro
-			name. [RT #1831]
-			[needs more work]
-
-1025.	[bug]		Don't use multicast addresses to resolve iterative
-			queries. [RT #101]
-
-1034.	[bug]		Ignore the RD bit on multicast queries as specified
-			in RFC 1123. [RT #137]
-
-1035.	[bug]		If we respond to multicast queries (which we
-			currently do not), respond from a unicast address
-			as specified in RFC 1123. [RT #137]
-
-1037.	[bug]		Negative responses whose authority section contain
-			SOA or NS records whose owner names are not equal
-			equal to or parents of the query name should be
-			rejected. [RT #1862]
-
-1073.	[bug]		The ADB cache cleaning should also be space driven.
-			[RT #1915, #1938]
-			[ New function dns_adb_setadbsize() ]
-
-1079.	[bug]		BIND 8 compatibility: accept bare elements at top
-			level of sort list treating them as if they were
-			a single element list. [RT #1963]
-
-1080.	[bug]		BIND 8 compatibility: accept bare IP prefixes
-			as the second element of a two-element top level
-			sort list statement. [RT #1964]
-
-1105.	[port]		OpenUNIX 8 enable threads by default. [RT #1970]
-			[Functional change]
-
-1110.	[bug]		dig should only accept valid abbreviations of +options.
-			[RT #2003]
-			[Potentially breaks scripts.  Leave to 9.3.0.]
-
-1143.	[bug]		When a trusted-keys statement was present and named
-			was built without crypto support, it would leak memory.
-			[ Not applicable to 9.2 ]
-
-1150.	[bug]		named incorrectly accepted TTL values
-			containing plus or minus signs, such as
-			1d+1h-1s.
-			[ Uses new function isc_parse_uint32() ]
-
-1151.	[bug]		nslookup failed to check that the arguments to
-			the port, timeout, and retry options were
-			valid integers and in range. [RT #2099]
-			[ Uses new function isc_parse_uint32() ]
-
-1159.	[bug]		MD and MF are not permitted to be loaded by RFC1123
-			[ Could cause zones that loaded in 9.2.0 to fail
-			to load.  Leave such breakages to 9.3.0. ]
-
-1187.	[bug]		named was incorrectly returning DNSSEC records
-			in negative responses when the DO bit was not set.
-			[ Requires API change (new argument) to
-			dns_rdataset_towire(), dns_rdataset_towirepartial()
-			and dns_rdataset_towirepartial() ]
-
-1192.	[bug]		The seconds fields in LOC records were restricted
-			to three decimal places.  More decimal places should
-			be allowed but warned about.
-
-1209.	[bug]		Dig, host, nslookup were not checking the message ids
-			on the responses. [RT #2454]
-
-1224.	[bug]		'rrset-order' and 'sortlist' should be additive
-			not exclusive.
-			[tightly coupled with 'cyclic' and 'random' support]
-
-1233.	[bug]		The flags field of a KEY record can be expressed in
-			hex as well as decimal.
-			[ Not applicable to 9.2.x ]
-
-1234.	[bug]		contrib/sdb: 'zonetodb' failed to call
-			dns_result_register().  DNS_R_SEENINCLUDE should not
-			be fatal.
-
-1243.	[bug]		It was possible to trigger a REQUIRE() in
-			dns_message_findtype(). [RT #2659]
-
-1247.	[bug]		Don't reset the interface index for link/site local
-			addresses. [RT #2576]
-			[depends on new functions]
-
-1255.	[bug]		When verifying that an NXT proves nonexistence, check
-			the rcode of the message and only do the matching NXT
-			check.  That is, for NXDOMAIN responses, check that
-			the name is in the range between the NXT owner and
-			next name, and for NOERROR NODATA responses, check
-			that the type is not present in the NXT bitmap.
-			[required changes from DS support]
-
-1271.	[bug]		"recursion available: {denied,approved}" was too
-			confusing.
-
-1321.	[bug]		If the last RRset in a zone is glue, dnssec-signzone
-			would incorrectly duplicate its output and sign it.
-			[DS specific]
-
-1322.	[bug]		dnssec-signzone usage message was misleading.
-			[DS specific]
-
-1328.	[bug]		The validator could incorrectly verify an invalid
-			negative proof.
-			[DS specific]
-
-1355.	[bug]		Fix DNSSEC wildcard proof for CNAME/DNAME.
-
-1362.	[bug]		remove IFF_RUNNING test when scanning interfaces.
-
-1371.	[bug]		notify-source-v6, transfer-source-v6 and
-			query-source-v6 with explicit addresses and using the
-			same ports as named was listening on could interfere
-			with nameds ability to answer queries sent to those
-			addresses.
-
-1386.	[bug]		named-checkzone -z stopped on errors in a zone.
-			[RT #3653]
-
-1392.	[bug]		named-checkzone: update usage.
-
-1393.	[port]		Bind to individual IPv6 interfaces if IPV6_IPV6ONLY
-			is not available in the kernel to prevent accidently
-			listening on IPv4 interfaces.
-
-1398.	[doc]		ARM: notify-also should have been also-notify.
-			[RT #4345]
-
-1400.	[bug]		Block the addition of wildcard NS records by IXFR
-			or UPDATE. [RT #3502]
-
-1404.	[bug]		libbind: ns_name_ntol() could overwrite a zero length
-			buffer.
-
-1409.	[bug]		DS should have attribute DNS_RDATATYPEATTR_DNSSEC.
-
-1430.	[port]		linux: IPv6 interface scanning support.
-
-1433.	[bug]		named could trigger a REQUIRE failure if it could
-			not get a file descriptor when attempting to write
-			a master file. [RT #4347]
-
-1454.	[port]		Use getifaddrs() if available for interface scanning.
-			--disable-getifaddrs to override.  Glibc currently
-			has a getifaddrs() that does not support IPv6.
-			Use --enable-getifaddrs=glibc to force the use of
-			this version under linux machines.
-

Makefile.in

@@ -1,4 +1,4 @@
-# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.41.2.2.2.2 2004/03/08 04:04:12 marka Exp $
+# $Id: Makefile.in,v 1.47 2006/05/19 00:04:02 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -44,7 +44,8 @@ maintainer-clean::
 	rm -f configure
 
 installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir}
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir} \
+	${DESTDIR}${localstatedir}/run ${DESTDIR}${sysconfdir}
 
 install:: isc-config.sh installdirs
 	${INSTALL_SCRIPT} isc-config.sh ${DESTDIR}${bindir}
@@ -57,3 +58,11 @@ check: test
 
 test:
 	(cd bin/tests && ${MAKE} ${MAKEDEFS} test)
+
+FAQ: FAQ.xml
+	${XSLTPROC} doc/xsl/isc-docbook-text.xsl FAQ.xml | \
+	${W3M} -T text/html -dump >$@.tmp
+	mv $@.tmp $@
+
+clean::
+	rm -f FAQ.tmp

README

@@ -43,12 +43,181 @@ BIND 9
 		Nominum, Inc.
 
 
-BIND 9.3.1
+BIND 9.5.0
 
-        BIND 9.3.1 is a maintenance release, containing fixes for
-        a number of bugs in 9.3.0.
+	BIND 9.5.0 has a number of new features over 9.4,
+	including:
 
-        libbind: corresponds to that from BIND 8.4.6-REL.
+	GSS-TSIG support (RFC 3645).
+
+	DHCID support.
+
+	Experimental http server and statistics support for named via xml.
+
+	Use Doxygen to generate internal documention.
+
+BIND 9.4.0
+
+	BIND 9.4.0 has a number of new features over 9.3,
+	including:
+
+	Implemented "additional section caching (or acache)", an
+	internal cache framework for additional section content to
+	improve response performance.  Several configuration options
+	were provided to control the behavior.
+
+	New notify type 'master-only'.  Enable notify for master
+	zones only.
+
+	Accept 'notify-source' style syntax for query-source.
+
+	rndc now allows addresses to be set in the server clauses.
+
+	New option "allow-query-cache".  This lets allow-query be
+	used to specify the default zone access level rather than
+	having to have every zone override the global value.
+	allow-query-cache can be set at both the options and view
+	levels.  If allow-query-cache is not set allow-query applies.
+
+	rndc: the source address can now be specified.
+
+	ixfr-from-differences now takes master and slave in addition
+	to yes and no at the options and view levels.
+
+	Allow the journal's name to be changed via named.conf.
+
+	'rndc notify zone [class [view]]' resend the NOTIFY messages
+	for the specified zone.
+
+	'dig +trace' now randomly selects the next servers to try.
+	Report if there is a bad delegation.
+
+	Improve check-names error messages.
+
+	Make public the function to read a key file, dst_key_read_public().
+
+	dig now returns the byte count for axfr/ixfr.
+			
+	allow-update is now settable at the options / view level.
+
+	named-checkconf now checks the logging configuration.
+
+	host now can turn on memory debugging flags with '-m'.
+
+	Don't send notify messages to self.
+
+	Perform sanity checks on NS records which refer to 'in zone' names.
+
+	New zone option "notify-delay".  Specify a minimum delay
+	between sets of NOTIFY messages.
+
+	Extend adjusting TTL warning messages.
+
+	Named and named-checkzone can now both check for non-terminal
+	wildcard records.
+
+	"rndc freeze/thaw" now freezes/thaws all zones.
+
+	named-checkconf now check acls to verify that they only
+	refer to existing acls.
+
+	The server syntax has been extended to support a range of
+	servers.
+
+	Report differences between hints and real NS rrset and
+	associated address records.
+
+	Preserve the case of domain names in rdata during zone
+	transfers.
+
+	Restructured the data locking framework using architecture
+	dependent atomic operations (when available), improving
+	response performance on multi-processor machines significantly.
+	x86, x86_64, alpha, powerpc, and mips are currently supported.
+
+	UNIX domain controls are now supported.
+
+	Add support for additional zone file formats for improving
+	loading performance.  The masterfile-format option in
+	named.conf can be used to specify a non-default format.  A
+	separate command named-compilezone was provided to generate
+	zone files in the new format.  Additionally, the -I and -O
+	options for dnssec-signzone specify the input and output
+	formats.
+
+	dnssec-signzone can now randomize signature end times
+	(dnssec-signzone -j jitter).
+
+	Add support for CH A record.
+
+	Add additional zone data constancy checks.  named-checkzone
+	has extended checking of NS, MX and SRV record and the hosts
+	they reference.  named has extended post zone load checks.
+	New zone options: check-mx and integrity-check.
+
+
+	edns-udp-size can now be overridden on a per server basis.
+
+	dig can now specify the EDNS version when making a query.
+
+	Added framework for handling multiple EDNS versions.
+
+	Additional memory debugging support to track size and mctx
+	arguments.
+
+	Detect duplicates of UDP queries we are recursing on and
+	drop them.  New stats category "duplicates".
+
+	"USE INTERNAL MALLOC" is now runtime selectable.
+
+	The lame cache is now done on a <qname,qclass,qtype> basis
+	as some servers only appear to be lame for certain query
+	types.
+
+	Limit the number of recursive clients that can be waiting
+	for a single query (<qname,qtype,qclass>) to resolve.  New
+	options clients-per-query and max-clients-per-query.
+
+	dig: report the number of extra bytes still left in the
+	packet after processing all the records.
+
+	Support for IPSECKEY rdata type.
+
+	Raise the UDP recieve buffer size to 32k if it is less than 32k.
+
+	x86 and x86_64 now have seperate atomic locking implementations.
+
+	named-checkconf now validates update-policy entries.
+
+	Attempt to make the amount of work performed in a iteration
+	self tuning.  The covers nodes clean from the cache per
+	iteration, nodes written to disk when rewriting a master
+	file and nodes destroyed per iteration when destroying a
+	zone or a cache.
+
+	ISC string copy API.
+
+	Automatic empty zone creation for D.F.IP6.ARPA and friends.
+	Note: RFC 1918 zones are not yet covered by this but are
+	likely to be in a future release.
+
+	New options: empty-server, empty-contact, empty-zones-enable
+	and disable-empty-zone.
+
+	dig now has a '-q queryname' and '+showsearch' options.
+
+	host/nslookup now continue (default)/fail on SERVFAIL.
+
+	dig now warns if 'RA' is not set in the answer when 'RD'
+	was set in the query.  host/nslookup skip servers that fail
+	to set 'RA' when 'RD' is set unless a server is explicitly
+	set.
+
+	Integrate contibuted DLZ code into named.
+
+	Integrate contibuted IDN code from JPNIC.
+
+	libbind: corresponds to that from BIND 8.4.7.
 
 BIND 9.3.0
 
@@ -174,6 +343,9 @@ BIND 9.2.0
 
 		--with-libtool does not work on AIX.
 
+		--with-libtool does not work on SunOS 4.  configure
+		requires "printf" which is not available.
+
 	A bug in the Windows 2000 DNS server can cause zone transfers
 	from a BIND 9 server to a W2K server to fail.  For details,
 	see the "Zone Transfers" section in doc/misc/migration.
@@ -190,7 +362,7 @@ Building
 	We've had successful builds and tests on the following systems:
 
 		COMPAQ Tru64 UNIX 5.1B
-		FreeBSD 4.10, 5.2.1
+		FreeBSD 4.10, 5.2.1, 6.2
 		HP-UX 11.11
 		NetBSD 1.5
 		Slackware Linux 8.1
@@ -206,11 +378,11 @@ Building
 	        Red Hat Linux 7.1
 		Debian GNU/Linux 2.2 and 3.0
 		Mandrake 8.1
-		OpenBSD 2.6, 2.8, 2.9
+		OpenBSD 2.6, 2.8, 2.9, 3.1, 3.6, 3.8
 		UnixWare 7.1.1
 		HP-UX 10.20
 		BSD/OS 4.2
-		Mac OS X 10.1
+		Mac OS X 10.1, 10.3.8
 
 	To build, just
 
@@ -245,10 +417,25 @@ Building
 		Enable DNSSEC signature chasing support in dig.
 		  -DDIG_SIGCHASE=1 (sets -DDIG_SIGCHASE_TD=1 and
 				    -DDIG_SIGCHASE_BU=1)
+		Disable dropping queries from particular well known ports.
+		  -DNS_CLIENT_DROPPORT=0
+		Disable support for "rrset-order fixed".
+		  -DDNS_RDATASET_FIXED=0
 
 	    LDFLAGS
 		Linker flags. Defaults to empty string.
 
+	The following need to be set when cross compiling.
+
+	    BUILD_CC
+		The native C compiler.
+	    BUILD_CFLAGS (optional)
+	    BUILD_CPPFLAGS (optional)
+		Possible Settings:
+		-DNEED_OPTARG=1		(optarg is not declared in <unistd.h>)
+	    BUILD_LDFLAGS (optional)
+	    BUILD_LIBS (optional)
+
 	To build shared libraries, specify "--with-libtool" on the
 	configure command line.
 
@@ -300,9 +487,11 @@ Building
 	Building with gcc is not supported, unless gcc is the vendor's usual
 	compiler (e.g. the various BSD systems, Linux).
 	
+	Known compiler issues:
 	* gcc-3.2.1 and gcc-3.1.1 is known to cause problems with solaris-x86.
 	* gcc prior to gcc-3.2.3 ultrasparc generates incorrect code at -02.
 	* gcc-3.3.5 powerpc generates incorrect code at -02.
+	* Irix, MipsPRO 7.4.1m is known to cause problems.
 
 	A limited test suite can be run with "make test".  Many of
 	the tests require you to configure a set of virtual IP addresses

README.idnkit

@@ -0,0 +1,112 @@
+
+			BIND-9 IDN patch
+
+	       Japan Network Information Center (JPNIC)
+
+
+* What is this patch for?
+
+This patch adds internationalized domain name (IDN) support to BIND-9.
+You'll get internationalized version of dig/host/nslookup commands.
+
+    + internationalized dig/host/nslookup
+	dig/host/nslookup accepts non-ASCII domain names in the local
+	codeset (such as Shift JIS, Big5 or ISO8859-1) determined by
+	the locale information.  The domain names are normalized and
+	converted to the encoding on the DNS protocol, and sent to DNS
+	servers.  The replies are converted back to the local codeset
+	and displayed.
+
+
+* Compilation & installation
+
+0. Prerequisite
+
+You have to build and install idnkit before building this patched version
+of bind-9.
+
+1. Running configure script
+
+Run `configure' in the top directory.  See `README' for the
+configuration options.
+
+This patch adds the following 4 options to `configure'.  You should
+at least specify `--with-idn' option to enable IDN support.
+
+    --with-idn[=IDN_PREFIX]
+	To enable IDN support, you have to specify `--with-idn' option.
+	The argument IDN_PREFIX is the install prefix of idnkit.  If
+	IDN_PREFIX is omitted, PREFIX (derived from `--prefix=PREFIX')
+	is assumed.
+
+    --with-libiconv[=LIBICONV_PREFIX]
+	Specify this option if idnkit you have installed links GNU
+	libiconv.  The argument LIBICONV_PREFIX is install prefix of
+	GNU libiconv.  If the argument is omitted, PREFIX (derived
+	from `--prefix=PREFIX') is assumed.
+
+	`--with-libiconv' is shorthand option for GNU libiconv.
+
+	    --with-libiconv=/usr/local
+
+	This is equivalent to:
+
+	    --with-iconv='-L/usr/local/lib -R/usr/local/lib -liconv'
+
+	`--with-libiconv' assumes that your C compiler has `-R'
+	option, and that the option adds the specified run-time path
+	to an exacutable binary.  If `-R' option of your compiler has
+	different meaning, or your compiler lacks the option, you
+	should use `--with-iconv' option instead.  Binary command
+	without run-time path information might be unexecutable.
+	In that case, you would see an error message like:
+
+	    error in loading shared libraries: libiconv.so.2: cannot
+	    open shared object file
+
+	If both `--with-libiconv' and `--with-iconv' options are
+	specified, `--with-iconv' is prior to `--with-libiconv'.
+
+    --with-iconv=ICONV_LIBSPEC
+	If your libc doens't provide iconv(), you need to specify the
+	library containing iconv() with this option.  `ICONV_LIBSPEC'
+	is the argument(s) to `cc' or `ld' to link the library, for
+	example, `--with-iconv="-L/usr/local/lib -liconv"'.
+	You don't need to specify the header file directory for "iconv.h"
+	to the compiler, as it isn't included directly by bind-9 with
+	this patch.
+
+    --with-idnlib=IDN_LIBSPEC
+	With this option, you can explicitly specify the argument(s)
+	to `cc' or `ld' to link the idnkit's library, `libidnkit'.  If
+	this option is not specified, `-L${PREFIX}/lib -lidnkit' is
+	assumed, where ${PREFIX} is the installation prefix specified
+	with `--with-idn' option above.  You may need to use this
+	option to specify extra argments, for example,
+	`--with-idnlib="-L/usr/local/lib -R/usr/local/lib -lidnkit"'.
+
+Please consult `README' for other configuration options.
+
+Note that if you want to specify some extra header file directories,
+you should use the environment variable STD_CINCLUDES instead of
+CFLAGS, as described in README.
+
+2. Compilation and installation
+
+After running "configure", just do
+
+	make
+	make install
+
+for compiling and installing.
+
+
+* Contact information
+
+Please see http//www.nic.ad.jp/en/idn/ for the latest news
+about idnkit and this patch.
+
+Bug reports and comments on this kit should be sent to
+mdnkit-bugs@nic.ad.jp and idn-cmt@nic.ad.jp, respectively.
+
+; $Id: README.idnkit,v 1.2 2005/09/09 06:13:57 marka Exp $

acconfig.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: acconfig.h,v 1.35.2.4.2.10 2004/12/04 06:50:02 marka Exp $ */
+/* $Id: acconfig.h,v 1.49 2005/04/29 00:22:24 marka Exp $ */
+
+/*! \file */
 
 /***
  *** This file is not to be included by any public header files, because
@@ -23,95 +25,97 @@
  ***/
 @TOP@
 
-/* define to `int' if <sys/types.h> doesn't define.  */
+/** define to `int' if <sys/types.h> doesn't define.  */
 #undef ssize_t
 
-/* define on DEC OSF to enable 4.4BSD style sa_len support */
+/** define on DEC OSF to enable 4.4BSD style sa_len support */
 #undef _SOCKADDR_LEN
 
-/* define if your system needs pthread_init() before using pthreads */
+/** define if your system needs pthread_init() before using pthreads */
 #undef NEED_PTHREAD_INIT
 
-/* define if your system has sigwait() */
+/** define if your system has sigwait() */
 #undef HAVE_SIGWAIT
 
-/* define if sigwait() is the UnixWare flavor */
+/** define if sigwait() is the UnixWare flavor */
 #undef HAVE_UNIXWARE_SIGWAIT
 
-/* define on Solaris to get sigwait() to work using pthreads semantics */
+/** define on Solaris to get sigwait() to work using pthreads semantics */
 #undef _POSIX_PTHREAD_SEMANTICS
 
-/* define if LinuxThreads is in use */
+/** define if LinuxThreads is in use */
 #undef HAVE_LINUXTHREADS
 
-/* define if sysconf() is available */
+/** define if sysconf() is available */
 #undef HAVE_SYSCONF
 
-/* define if sysctlbyname() is available */
+/** define if sysctlbyname() is available */
 #undef HAVE_SYSCTLBYNAME
 
-/* define if catgets() is available */
+/** define if catgets() is available */
 #undef HAVE_CATGETS
 
-/* define if getifaddrs() exists */
+/** define if getifaddrs() exists */
 #undef HAVE_GETIFADDRS
 
-/* define if you have the NET_RT_IFLIST sysctl variable and sys/sysctl.h */
+/** define if you have the NET_RT_IFLIST sysctl variable and sys/sysctl.h */
 #undef HAVE_IFLIST_SYSCTL
 
-/* define if chroot() is available */
+/** define if chroot() is available */
 #undef HAVE_CHROOT
 
-/* define if tzset() is available */
+/** define if tzset() is available */
 #undef HAVE_TZSET
 
-/* define if struct addrinfo exists */
+/** define if struct addrinfo exists */
 #undef HAVE_ADDRINFO
 
-/* define if getaddrinfo() exists */
+/** define if getaddrinfo() exists */
 #undef HAVE_GETADDRINFO
 
-/* define if gai_strerror() exists */
+/** define if gai_strerror() exists */
 #undef HAVE_GAISTRERROR
 
-/* define if arc4random() exists */
+/** define if arc4random() exists */
 #undef HAVE_ARC4RANDOM
 
-/* define if pthread_setconcurrency() should be called to tell the
+/**
+ * define if pthread_setconcurrency() should be called to tell the
  * OS how many threads we might want to run.
  */
 #undef CALL_PTHREAD_SETCONCURRENCY
 
-/* define if IPv6 is not disabled */
+/** define if IPv6 is not disabled */
 #undef WANT_IPV6
 
-/* define if flockfile() is available */
+/** define if flockfile() is available */
 #undef HAVE_FLOCKFILE
 
-/* define if getc_unlocked() is available */
+/** define if getc_unlocked() is available */
 #undef HAVE_GETCUNLOCKED
 
-/* Shut up warnings about sputaux in stdio.h on BSD/OS pre-4.1 */
+/** Shut up warnings about sputaux in stdio.h on BSD/OS pre-4.1 */
 #undef SHUTUP_SPUTAUX
 #ifdef SHUTUP_SPUTAUX
 struct __sFILE;
 extern __inline int __sputaux(int _c, struct __sFILE *_p);
 #endif
 
-/* Shut up warnings about missing sigwait prototype on BSD/OS 4.0* */
+/** Shut up warnings about missing sigwait prototype on BSD/OS 4.0* */
 #undef SHUTUP_SIGWAIT
 #ifdef SHUTUP_SIGWAIT
 int sigwait(const unsigned int *set, int *sig);
 #endif
 
-/* Shut up warnings from gcc -Wcast-qual on BSD/OS 4.1. */
+/** Shut up warnings from gcc -Wcast-qual on BSD/OS 4.1. */
 #undef SHUTUP_STDARG_CAST
 #if defined(SHUTUP_STDARG_CAST) && defined(__GNUC__)
-#include <stdarg.h>		/* Grr.  Must be included *every time*. */
-/*
+#include <stdarg.h>		/** Grr.  Must be included *every time*. */
+/**
  * The silly continuation line is to keep configure from
  * commenting out the #undef.
  */
+ 
 #undef \
 	va_start
 #define	va_start(ap, last) \
@@ -120,21 +124,21 @@ int sigwait(const unsigned int *set, int *sig);
 		_u.konst = &(last); \
 		ap = (va_list)(_u.var + __va_words(__typeof(last))); \
 	} while (0)
-#endif /* SHUTUP_STDARG_CAST && __GNUC__ */
+#endif /** SHUTUP_STDARG_CAST && __GNUC__ */
 
-/* define if the system has a random number generating device */
+/** define if the system has a random number generating device */
 #undef PATH_RANDOMDEV
 
-/* define if pthread_attr_getstacksize() is available */
+/** define if pthread_attr_getstacksize() is available */
 #undef HAVE_PTHREAD_ATTR_GETSTACKSIZE
 
-/* define if pthread_attr_setstacksize() is available */
+/** define if pthread_attr_setstacksize() is available */
 #undef HAVE_PTHREAD_ATTR_SETSTACKSIZE
 
-/* define if you have strerror in the C library. */
+/** define if you have strerror in the C library. */
 #undef HAVE_STRERROR
 
-/* Define if you are running under Compaq TruCluster. */
+/** Define if you are running under Compaq TruCluster. */
 #undef HAVE_TRUCLUSTER
 
 /* Define if OpenSSL includes DSA support */

bin/Makefile.in

@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.22.208.1 2004/03/06 10:21:10 marka Exp $
+# $Id: Makefile.in,v 1.23 2004/03/05 04:57:10 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@

bin/check/Makefile.in

@@ -1,4 +1,4 @@
-# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000-2003  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.15.2.3.8.6 2004/07/20 07:01:48 marka Exp $
+# $Id: Makefile.in,v 1.30 2006/06/09 00:54:09 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -75,7 +75,8 @@ named-checkconf@EXEEXT@: named-checkconf.@O@ check-tool.@O@ ${ISCDEPLIBS} \
 
 named-checkzone@EXEEXT@: named-checkzone.@O@ check-tool.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
 	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
-	named-checkzone.@O@ check-tool.@O@ ${DNSLIBS} ${ISCLIBS} ${LIBS}
+	named-checkzone.@O@ check-tool.@O@ ${ISCCFGLIBS} ${DNSLIBS} \
+	${ISCLIBS} ${LIBS}
 
 doc man:: ${MANOBJS}
 
@@ -89,7 +90,9 @@ installdirs:
 install:: named-checkconf@EXEEXT@ named-checkzone@EXEEXT@ installdirs
 	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkconf@EXEEXT@ ${DESTDIR}${sbindir}
 	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkzone@EXEEXT@ ${DESTDIR}${sbindir}
+	(cd ${DESTDIR}${sbindir}; rm -f named-compilezone@EXEEXT@; ${LINK_PROGRAM} named-checkzone@EXEEXT@ named-compilezone@EXEEXT@)
 	for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done
+	(cd ${DESTDIR}${mandir}/man8; rm -f named-compilezone.8; ${LINK_PROGRAM} named-checkzone.8 named-compilezone.8)
 
 clean distclean::
 	rm -f ${TARGETS} r1.htm

bin/check/check-tool.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check-tool.c,v 1.4.12.7 2004/11/30 01:15:40 marka Exp $ */
+/* $Id: check-tool.c,v 1.28 2007/05/21 03:46:41 tbox Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -27,42 +29,484 @@
 
 #include <isc/buffer.h>
 #include <isc/log.h>
+#include <isc/net.h>
+#include <isc/netdb.h>
 #include <isc/region.h>
 #include <isc/stdio.h>
+#include <isc/symtab.h>
 #include <isc/types.h>
+#include <isc/mem.h>
 
 #include <dns/fixedname.h>
 #include <dns/log.h>
 #include <dns/name.h>
+#include <dns/rdata.h>
 #include <dns/rdataclass.h>
+#include <dns/rdataset.h>
 #include <dns/types.h>
 #include <dns/zone.h>
 
+#include <isccfg/log.h>
+
+#ifdef HAVE_ADDRINFO
+#ifdef HAVE_GETADDRINFO
+#ifdef HAVE_GAISTRERROR
+#define USE_GETADDRINFO
+#endif
+#endif
+#endif
+
 #define CHECK(r) \
-        do { \
+	do { \
 		result = (r); \
-                if (result != ISC_R_SUCCESS) \
-                        goto cleanup; \
-        } while (0)   
+		if (result != ISC_R_SUCCESS) \
+			goto cleanup; \
+	} while (0)   
+
+#define ERR_IS_CNAME 1
+#define ERR_NO_ADDRESSES 2
+#define ERR_LOOKUP_FAILURE 3
+#define ERR_EXTRA_A 4
+#define ERR_EXTRA_AAAA 5
+#define ERR_MISSING_GLUE 5
+#define ERR_IS_MXCNAME 6
+#define ERR_IS_SRVCNAME 7
 
 static const char *dbtype[] = { "rbt" };
 
 int debug = 0;
 isc_boolean_t nomerge = ISC_TRUE;
+isc_boolean_t docheckmx = ISC_TRUE;
+isc_boolean_t dochecksrv = ISC_TRUE;
+isc_boolean_t docheckns = ISC_TRUE;
 unsigned int zone_options = DNS_ZONEOPT_CHECKNS | 
+			    DNS_ZONEOPT_CHECKMX |
 			    DNS_ZONEOPT_MANYERRORS |
-			    DNS_ZONEOPT_CHECKNAMES;
+			    DNS_ZONEOPT_CHECKNAMES |
+			    DNS_ZONEOPT_CHECKINTEGRITY |
+			    DNS_ZONEOPT_CHECKWILDCARD |
+			    DNS_ZONEOPT_WARNMXCNAME |
+			    DNS_ZONEOPT_WARNSRVCNAME;
+
+/*
+ * This needs to match the list in bin/named/log.c.
+ */
+static isc_logcategory_t categories[] = {
+	{ "",		     0 },
+	{ "client",	     0 },
+	{ "network",	     0 },
+	{ "update",	     0 },
+	{ "queries",	     0 },
+	{ "unmatched", 	     0 },
+	{ "update-security", 0 },
+	{ NULL,		     0 }
+};
+
+static isc_symtab_t *symtab = NULL;
+static isc_mem_t *sym_mctx;
+
+static void
+freekey(char *key, unsigned int type, isc_symvalue_t value, void *userarg) {
+	UNUSED(type);
+	UNUSED(value);
+	isc_mem_free(userarg, key);
+} 
+
+static void
+add(char *key, int value) {
+	isc_result_t result;
+	isc_symvalue_t symvalue;
+
+	if (sym_mctx == NULL) {
+		result = isc_mem_create(0, 0, &sym_mctx);
+		if (result != ISC_R_SUCCESS)
+			return;
+	}
+
+	if (symtab == NULL) {
+		result = isc_symtab_create(sym_mctx, 100, freekey, sym_mctx,
+					   ISC_FALSE, &symtab);
+		if (result != ISC_R_SUCCESS)
+			return;
+	}
+
+	key = isc_mem_strdup(sym_mctx, key);
+	if (key == NULL)
+		return;
+
+	symvalue.as_pointer = NULL;
+	result = isc_symtab_define(symtab, key, value, symvalue,
+				   isc_symexists_reject);
+	if (result != ISC_R_SUCCESS)
+		isc_mem_free(sym_mctx, key);
+}
+
+static isc_boolean_t
+logged(char *key, int value) {
+	isc_result_t result;
+
+	if (symtab == NULL)
+		return (ISC_FALSE);
+
+	result = isc_symtab_lookup(symtab, key, value, NULL);
+	if (result == ISC_R_SUCCESS)
+		return (ISC_TRUE);
+	return (ISC_FALSE);
+}
+
+static isc_boolean_t
+checkns(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner,
+	dns_rdataset_t *a, dns_rdataset_t *aaaa)
+{
+#ifdef USE_GETADDRINFO
+	dns_rdataset_t *rdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	struct addrinfo hints, *ai, *cur;
+	char namebuf[DNS_NAME_FORMATSIZE + 1];
+	char ownerbuf[DNS_NAME_FORMATSIZE];
+	char addrbuf[sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:123.123.123.123")];
+	isc_boolean_t answer = ISC_TRUE;
+	isc_boolean_t match;
+	const char *type;
+	void *ptr = NULL;
+	int result;
+
+	REQUIRE(a == NULL || !dns_rdataset_isassociated(a) ||
+		a->type == dns_rdatatype_a);
+	REQUIRE(aaaa == NULL || !dns_rdataset_isassociated(aaaa) ||
+		aaaa->type == dns_rdatatype_aaaa);
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_flags = AI_CANONNAME;
+	hints.ai_family = PF_UNSPEC;
+	hints.ai_socktype = SOCK_STREAM;
+	hints.ai_protocol = IPPROTO_TCP;
+
+	dns_name_format(name, namebuf, sizeof(namebuf) - 1);
+	/*
+	 * Turn off search.
+	 */
+	if (dns_name_countlabels(name) > 1U)
+		strcat(namebuf, ".");
+	dns_name_format(owner, ownerbuf, sizeof(ownerbuf));
+
+	result = getaddrinfo(namebuf, NULL, &hints, &ai);
+	dns_name_format(name, namebuf, sizeof(namebuf) - 1);
+	switch (result) {
+	case 0:
+		if (strcasecmp(ai->ai_canonname, namebuf) != 0 &&
+		    !logged(namebuf, ERR_IS_CNAME)) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "%s/NS '%s' (out of zone) "
+				     "is a CNAME (illegal)",
+				     ownerbuf, namebuf);
+			/* XXX950 make fatal for 9.5.0 */
+			/* answer = ISC_FALSE; */
+			add(namebuf, ERR_IS_CNAME);
+		}
+		break;
+	case EAI_NONAME:
+#if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME)
+	case EAI_NODATA:
+#endif
+		if (!logged(namebuf, ERR_NO_ADDRESSES)) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "%s/NS '%s' (out of zone) "
+				     "has no addresses records (A or AAAA)",
+				     ownerbuf, namebuf);
+			add(namebuf, ERR_NO_ADDRESSES);
+		}
+		/* XXX950 make fatal for 9.5.0 */
+		return (ISC_TRUE);
+
+	default:
+		if (!logged(namebuf, ERR_LOOKUP_FAILURE)) {
+			dns_zone_log(zone, ISC_LOG_WARNING,
+				     "getaddrinfo(%s) failed: %s",
+				     namebuf, gai_strerror(result));
+			add(namebuf, ERR_LOOKUP_FAILURE);
+		}
+		return (ISC_TRUE);
+	}
+	if (a == NULL || aaaa == NULL)
+		return (answer);
+	/*
+	 * Check that all glue records really exist.
+	 */
+	if (!dns_rdataset_isassociated(a))
+		goto checkaaaa;
+	result = dns_rdataset_first(a);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdataset_current(a, &rdata);
+		match = ISC_FALSE;
+		for (cur = ai; cur != NULL; cur = cur->ai_next) {
+			if (cur->ai_family != AF_INET)
+				continue;
+			ptr = &((struct sockaddr_in *)(cur->ai_addr))->sin_addr;
+			if (memcmp(ptr, rdata.data, rdata.length) == 0) {
+				match = ISC_TRUE;
+				break;
+			}
+		}
+		if (!match && !logged(namebuf, ERR_EXTRA_A)) {
+			dns_zone_log(zone, ISC_LOG_ERROR, "%s/NS '%s' "
+				     "extra GLUE A record (%s)",
+				     ownerbuf, namebuf,
+				     inet_ntop(AF_INET, rdata.data,
+					       addrbuf, sizeof(addrbuf)));
+			add(namebuf, ERR_EXTRA_A);
+			/* XXX950 make fatal for 9.5.0 */
+			/* answer = ISC_FALSE; */
+		}
+		dns_rdata_reset(&rdata);
+		result = dns_rdataset_next(a);
+	}
+
+ checkaaaa:
+	if (!dns_rdataset_isassociated(aaaa))
+		goto checkmissing;
+	result = dns_rdataset_first(aaaa);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdataset_current(aaaa, &rdata);
+		match = ISC_FALSE;
+		for (cur = ai; cur != NULL; cur = cur->ai_next) {
+			if (cur->ai_family != AF_INET6)
+				continue;
+			ptr = &((struct sockaddr_in6 *)(cur->ai_addr))->sin6_addr;
+			if (memcmp(ptr, rdata.data, rdata.length) == 0) {
+				match = ISC_TRUE;
+				break;
+			}
+		}
+		if (!match && !logged(namebuf, ERR_EXTRA_AAAA)) {
+			dns_zone_log(zone, ISC_LOG_ERROR, "%s/NS '%s' "
+				     "extra GLUE AAAA record (%s)",
+				     ownerbuf, namebuf,
+				     inet_ntop(AF_INET6, rdata.data,
+					       addrbuf, sizeof(addrbuf)));
+			add(namebuf, ERR_EXTRA_AAAA);
+			/* XXX950 make fatal for 9.5.0. */
+			/* answer = ISC_FALSE; */
+		}
+		dns_rdata_reset(&rdata);
+		result = dns_rdataset_next(aaaa);
+	}
+
+ checkmissing:
+	/*
+	 * Check that all addresses appear in the glue.
+	 */
+	if (!logged(namebuf, ERR_MISSING_GLUE)) {
+		isc_boolean_t missing_glue = ISC_FALSE;
+		for (cur = ai; cur != NULL; cur = cur->ai_next) {
+			switch (cur->ai_family) {
+			case AF_INET:
+				rdataset = a;
+				ptr = &((struct sockaddr_in *)(cur->ai_addr))->sin_addr;
+				type = "A";
+				break;
+			case AF_INET6:
+				rdataset = aaaa;
+				ptr = &((struct sockaddr_in6 *)(cur->ai_addr))->sin6_addr;
+				type = "AAAA";
+				break;
+			default:
+				 continue;
+			}
+			match = ISC_FALSE;
+			if (dns_rdataset_isassociated(rdataset))
+				result = dns_rdataset_first(rdataset);
+			else
+				result = ISC_R_FAILURE;
+			while (result == ISC_R_SUCCESS && !match) {
+				dns_rdataset_current(rdataset, &rdata);
+				if (memcmp(ptr, rdata.data, rdata.length) == 0)
+					match = ISC_TRUE;
+				dns_rdata_reset(&rdata);
+				result = dns_rdataset_next(rdataset);
+			}
+			if (!match) {
+				dns_zone_log(zone, ISC_LOG_ERROR, "%s/NS '%s' "
+					     "missing GLUE %s record (%s)",
+					     ownerbuf, namebuf, type,
+					     inet_ntop(cur->ai_family, ptr,
+						       addrbuf, sizeof(addrbuf)));
+				/* XXX950 make fatal for 9.5.0. */
+				/* answer = ISC_FALSE; */
+				missing_glue = ISC_TRUE;
+			}
+		}
+		if (missing_glue)
+			add(namebuf, ERR_MISSING_GLUE);
+	}
+	freeaddrinfo(ai);
+	return (answer);
+#else
+	return (ISC_TRUE);
+#endif
+}
+
+static isc_boolean_t
+checkmx(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner) {
+#ifdef USE_GETADDRINFO
+	struct addrinfo hints, *ai;
+	char namebuf[DNS_NAME_FORMATSIZE + 1];
+	char ownerbuf[DNS_NAME_FORMATSIZE];
+	int result;
+	int level = ISC_LOG_ERROR;
+	isc_boolean_t answer = ISC_TRUE;
+
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_flags = AI_CANONNAME;
+	hints.ai_family = PF_UNSPEC;
+	hints.ai_socktype = SOCK_STREAM;
+	hints.ai_protocol = IPPROTO_TCP;
+
+	dns_name_format(name, namebuf, sizeof(namebuf) - 1);
+	/*
+	 * Turn off search.
+	 */
+	if (dns_name_countlabels(name) > 1U)
+		strcat(namebuf, ".");
+	dns_name_format(owner, ownerbuf, sizeof(ownerbuf));
+	
+	result = getaddrinfo(namebuf, NULL, &hints, &ai);
+	dns_name_format(name, namebuf, sizeof(namebuf) - 1);
+	switch (result) {
+	case 0:
+		if (strcasecmp(ai->ai_canonname, namebuf) != 0) {
+			if ((zone_options & DNS_ZONEOPT_WARNMXCNAME) != 0)
+				level = ISC_LOG_WARNING;
+			if ((zone_options & DNS_ZONEOPT_IGNOREMXCNAME) == 0) {
+				if (!logged(namebuf, ERR_IS_MXCNAME)) {
+					dns_zone_log(zone, level,
+						     "%s/MX '%s' (out of zone)"
+						     " is a CNAME (illegal)",
+						     ownerbuf, namebuf);
+					add(namebuf, ERR_IS_MXCNAME);
+				}
+				if (level == ISC_LOG_ERROR)
+					answer = ISC_FALSE;
+			}
+		}
+		freeaddrinfo(ai);
+		return (answer);
+
+	case EAI_NONAME:
+#if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME)
+	case EAI_NODATA:
+#endif
+		if (!logged(namebuf, ERR_NO_ADDRESSES)) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "%s/MX '%s' (out of zone) "
+				     "has no addresses records (A or AAAA)",
+				     ownerbuf, namebuf);
+			add(namebuf, ERR_NO_ADDRESSES);
+		}
+		/* XXX950 make fatal for 9.5.0. */
+		return (ISC_TRUE);
+
+	default:
+		if (!logged(namebuf, ERR_LOOKUP_FAILURE)) {
+			dns_zone_log(zone, ISC_LOG_WARNING,
+			     "getaddrinfo(%s) failed: %s",
+			     namebuf, gai_strerror(result));
+			add(namebuf, ERR_LOOKUP_FAILURE);
+		}
+		return (ISC_TRUE);
+	}
+#else
+	return (ISC_TRUE);
+#endif
+}
+
+static isc_boolean_t
+checksrv(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner) {
+#ifdef USE_GETADDRINFO
+	struct addrinfo hints, *ai;
+	char namebuf[DNS_NAME_FORMATSIZE + 1];
+	char ownerbuf[DNS_NAME_FORMATSIZE];
+	int result;
+	int level = ISC_LOG_ERROR;
+	isc_boolean_t answer = ISC_TRUE;
+
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_flags = AI_CANONNAME;
+	hints.ai_family = PF_UNSPEC;
+	hints.ai_socktype = SOCK_STREAM;
+	hints.ai_protocol = IPPROTO_TCP;
+
+	dns_name_format(name, namebuf, sizeof(namebuf) - 1);
+	/*
+	 * Turn off search.
+	 */
+	if (dns_name_countlabels(name) > 1U)
+		strcat(namebuf, ".");
+	dns_name_format(owner, ownerbuf, sizeof(ownerbuf));
+	
+	result = getaddrinfo(namebuf, NULL, &hints, &ai);
+	dns_name_format(name, namebuf, sizeof(namebuf) - 1);
+	switch (result) {
+	case 0:
+		if (strcasecmp(ai->ai_canonname, namebuf) != 0) {
+			if ((zone_options & DNS_ZONEOPT_WARNSRVCNAME) != 0)
+				level = ISC_LOG_WARNING;
+			if ((zone_options & DNS_ZONEOPT_IGNORESRVCNAME) == 0) {
+				if (!logged(namebuf, ERR_IS_SRVCNAME)) {
+					dns_zone_log(zone, level, "%s/SRV '%s'"
+						     " (out of zone) is a "
+						     "CNAME (illegal)",
+						     ownerbuf, namebuf);
+					add(namebuf, ERR_IS_SRVCNAME);
+				}
+				if (level == ISC_LOG_ERROR)
+					answer = ISC_FALSE;
+			}
+		}
+		freeaddrinfo(ai);
+		return (answer);
+
+	case EAI_NONAME:
+#if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME)
+	case EAI_NODATA:
+#endif
+		if (!logged(namebuf, ERR_NO_ADDRESSES)) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "%s/SRV '%s' (out of zone) "
+				     "has no addresses records (A or AAAA)",
+				     ownerbuf, namebuf);
+			add(namebuf, ERR_NO_ADDRESSES);
+		}
+		/* XXX950 make fatal for 9.5.0. */
+		return (ISC_TRUE);
+
+	default:
+		if (!logged(namebuf, ERR_LOOKUP_FAILURE)) {
+			dns_zone_log(zone, ISC_LOG_WARNING,
+				     "getaddrinfo(%s) failed: %s",
+				     namebuf, gai_strerror(result));
+			add(namebuf, ERR_LOOKUP_FAILURE);
+		}
+		return (ISC_TRUE);
+	}
+#else
+	return (ISC_TRUE);
+#endif
+}
 
 isc_result_t
-setup_logging(isc_mem_t *mctx, isc_log_t **logp) {
+setup_logging(isc_mem_t *mctx, FILE *errout, isc_log_t **logp) {
 	isc_logdestination_t destination;
 	isc_logconfig_t *logconfig = NULL;
 	isc_log_t *log = NULL;
 
 	RUNTIME_CHECK(isc_log_create(mctx, &log, &logconfig) == ISC_R_SUCCESS);
+	isc_log_registercategories(log, categories);
 	isc_log_setcontext(log);
+	dns_log_init(log);
+	dns_log_setcontext(log);
+	cfg_log_init(log);
 
-	destination.file.stream = stdout;
+	destination.file.stream = errout;
 	destination.file.name = NULL;
 	destination.file.versions = ISC_LOG_ROLLNEVER;
 	destination.file.maximum_size = 0;
@@ -77,9 +521,11 @@ setup_logging(isc_mem_t *mctx, isc_log_t **logp) {
 	return (ISC_R_SUCCESS);
 }
 
+/*% load the zone */
 isc_result_t
 load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
-	  const char *classname, dns_zone_t **zonep)
+	  dns_masterformat_t fileformat, const char *classname,
+	  dns_zone_t **zonep)
 {
 	isc_result_t result;
 	dns_rdataclass_t rdclass;
@@ -104,10 +550,10 @@ load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
 	dns_fixedname_init(&fixorigin);
 	origin = dns_fixedname_name(&fixorigin);
 	CHECK(dns_name_fromtext(origin, &buffer, dns_rootname,
-			        ISC_FALSE, NULL));
+				ISC_FALSE, NULL));
 	CHECK(dns_zone_setorigin(zone, origin));
 	CHECK(dns_zone_setdbtype(zone, 1, (const char * const *) dbtype));
-	CHECK(dns_zone_setfile(zone, filename));
+	CHECK(dns_zone_setfile2(zone, filename, fileformat));
 
 	DE_CONST(classname, region.base);
 	region.length = strlen(classname);
@@ -116,9 +562,15 @@ load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
 	dns_zone_setclass(zone, rdclass);
 	dns_zone_setoption(zone, zone_options, ISC_TRUE);
 	dns_zone_setoption(zone, DNS_ZONEOPT_NOMERGE, nomerge);
+	if (docheckmx)
+		dns_zone_setcheckmx(zone, checkmx);
+	if (docheckns)
+		dns_zone_setcheckns(zone, checkns);
+	if (dochecksrv)
+		dns_zone_setchecksrv(zone, checksrv);
 
 	CHECK(dns_zone_load(zone));
-	if (zonep != NULL){
+	if (zonep != NULL) {
 		*zonep = zone;
 		zone = NULL;
 	}
@@ -129,21 +581,23 @@ load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
 	return (result);
 }
 
+/*% dump the zone */
 isc_result_t
-dump_zone(const char *zonename, dns_zone_t *zone, const char *filename)
+dump_zone(const char *zonename, dns_zone_t *zone, const char *filename,
+	  dns_masterformat_t fileformat, const dns_master_style_t *style)
 {
 	isc_result_t result;
 	FILE *output = stdout;
 
 	if (debug) {
-		if (filename != NULL)
+		if (filename != NULL && strcmp(filename, "-") != 0)
 			fprintf(stderr, "dumping \"%s\" to \"%s\"\n",
 				zonename, filename);
 		else
 			fprintf(stderr, "dumping \"%s\"\n", zonename);
 	}
 
-	if (filename != NULL) {
+	if (filename != NULL && strcmp(filename, "-") != 0) {
 		result = isc_stdio_open(filename, "w+", &output);
 
 		if (result != ISC_R_SUCCESS) {
@@ -153,9 +607,9 @@ dump_zone(const char *zonename, dns_zone_t *zone, const char *filename)
 		}
 	}
 
-	result = dns_zone_fulldumptostream(zone, output);
+	result = dns_zone_dumptostream2(zone, output, fileformat, style);
 
-	if (filename != NULL)
+	if (output != stdout)
 		(void)isc_stdio_close(output);
 
 	return (result);

bin/check/check-tool.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,30 +15,39 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check-tool.h,v 1.2.12.5 2004/03/08 04:04:13 marka Exp $ */
+/* $Id: check-tool.h,v 1.13 2007/05/21 03:46:41 tbox Exp $ */
 
 #ifndef CHECK_TOOL_H
 #define CHECK_TOOL_H
 
-#include <isc/lang.h>
+/*! \file */
 
+#include <isc/lang.h>
+#include <isc/stdio.h>
 #include <isc/types.h>
+
+#include <dns/masterdump.h>
 #include <dns/types.h>
 
 ISC_LANG_BEGINDECLS
 
 isc_result_t
-setup_logging(isc_mem_t *mctx, isc_log_t **logp);
+setup_logging(isc_mem_t *mctx, FILE *errout, isc_log_t **logp);
 
 isc_result_t
 load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
-	  const char *classname, dns_zone_t **zonep);
+	  dns_masterformat_t fileformat, const char *classname,
+	  dns_zone_t **zonep);
 
 isc_result_t
-dump_zone(const char *zonename, dns_zone_t *zone, const char *filename);
+dump_zone(const char *zonename, dns_zone_t *zone, const char *filename,
+	  dns_masterformat_t fileformat, const dns_master_style_t *style);
 
 extern int debug;
 extern isc_boolean_t nomerge;
+extern isc_boolean_t docheckmx;
+extern isc_boolean_t docheckns;
+extern isc_boolean_t dochecksrv;
 extern unsigned int zone_options;
 
 ISC_LANG_ENDDECLS

bin/check/named-checkconf.8

@@ -1,59 +1,93 @@
-.\" Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000-2002  Internet Software Consortium.
-.\"
+.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2002 Internet Software Consortium.
+.\" 
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
 .\" copyright notice and this permission notice appear in all copies.
-.\"
+.\" 
 .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: named-checkconf.8,v 1.11.12.4 2004/06/03 05:35:41 marka Exp $
+.\" $Id: named-checkconf.8,v 1.29 2007/05/21 04:09:03 marka Exp $
 .\"
-.TH "NAMED-CHECKCONF" "8" "June 14, 2000" "BIND9" ""
-.SH NAME
-named-checkconf \- named configuration file syntax checking tool
-.SH SYNOPSIS
-.sp
-\fBnamed-checkconf\fR [ \fB-v\fR ]  [ \fB-j\fR ]  [ \fB-t \fIdirectory\fB\fR ]  \fBfilename\fR [ \fB-z\fR ] 
+.hy 0
+.ad l
+.\"     Title: named\-checkconf
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\"      Date: June 14, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
+.TH "NAMED\-CHECKCONF" "8" "June 14, 2000" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+named\-checkconf \- named configuration file syntax checking tool
+.SH "SYNOPSIS"
+.HP 16
+\fBnamed\-checkconf\fR [\fB\-h\fR] [\fB\-v\fR] [\fB\-j\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] {filename} [\fB\-z\fR]
 .SH "DESCRIPTION"
 .PP
-\fBnamed-checkconf\fR checks the syntax, but not
-the semantics, of a named configuration file.
+\fBnamed\-checkconf\fR
+checks the syntax, but not the semantics, of a named configuration file.
 .SH "OPTIONS"
-.TP
-\fB-t \fIdirectory\fB\fR
-chroot to \fIdirectory\fR so that include
-directives in the configuration file are processed as if
-run by a similarly chrooted named.
-.TP
-\fB-v\fR
-Print the version of the \fBnamed-checkconf\fR
+.PP
+\-h
+.RS 4
+Print the usage summary and exit.
+.RE
+.PP
+\-t \fIdirectory\fR
+.RS 4
+Chroot to
+\fIdirectory\fR
+so that include directives in the configuration file are processed as if run by a similarly chrooted named.
+.RE
+.PP
+\-v
+.RS 4
+Print the version of the
+\fBnamed\-checkconf\fR
 program and exit.
-.TP
-\fB-z\fR
-Perform a check load the master zonefiles found in
+.RE
+.PP
+\-z
+.RS 4
+Perform a test load of all master zones found in
 \fInamed.conf\fR.
-.TP
-\fB-j\fR
+.RE
+.PP
+\-j
+.RS 4
 When loading a zonefile read the journal if it exists.
-.TP
-\fBfilename\fR
-The name of the configuration file to be checked. If not
-specified, it defaults to \fI/etc/named.conf\fR.
+.RE
+.PP
+filename
+.RS 4
+The name of the configuration file to be checked. If not specified, it defaults to
+\fI/etc/named.conf\fR.
+.RE
 .SH "RETURN VALUES"
 .PP
-\fBnamed-checkconf\fR returns an exit status of 1 if
-errors were detected and 0 otherwise.
+\fBnamed\-checkconf\fR
+returns an exit status of 1 if errors were detected and 0 otherwise.
 .SH "SEE ALSO"
 .PP
 \fBnamed\fR(8),
-\fIBIND 9 Administrator Reference Manual\fR.
+BIND 9 Administrator Reference Manual.
 .SH "AUTHOR"
 .PP
 Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2000\-2002 Internet Software Consortium.
+.br

bin/check/named-checkconf.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named-checkconf.c,v 1.12.12.7 2004/03/08 09:04:14 marka Exp $ */
+/* $Id: named-checkconf.c,v 1.44 2007/05/21 03:46:41 tbox Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -25,6 +27,8 @@
 
 #include <isc/commandline.h>
 #include <isc/dir.h>
+#include <isc/entropy.h>
+#include <isc/hash.h>
 #include <isc/log.h>
 #include <isc/mem.h>
 #include <isc/result.h>
@@ -35,11 +39,16 @@
 
 #include <bind9/check.h>
 
+#include <dns/fixedname.h>
 #include <dns/log.h>
+#include <dns/name.h>
 #include <dns/result.h>
+#include <dns/zone.h>
 
 #include "check-tool.h"
 
+static const char *program = "named-checkconf";
+
 isc_log_t *logc = NULL;
 
 #define CHECK(r)\
@@ -49,17 +58,19 @@ isc_log_t *logc = NULL;
 			goto cleanup; \
 	} while (0)
 
+/*% usage */
 static void
 usage(void) {
-        fprintf(stderr, "usage: named-checkconf [-j] [-v] [-z] [-t directory] "
-		"[named.conf]\n");
+        fprintf(stderr, "usage: %s [-h] [-j] [-v] [-z] [-t directory] "
+		"[named.conf]\n", program);
         exit(1);
 }
 
+/*% directory callback */
 static isc_result_t
-directory_callback(const char *clausename, cfg_obj_t *obj, void *arg) {
+directory_callback(const char *clausename, const cfg_obj_t *obj, void *arg) {
 	isc_result_t result;
-	char *directory;
+	const char *directory;
 
 	REQUIRE(strcasecmp("directory", clausename) == 0);
 
@@ -81,19 +92,84 @@ directory_callback(const char *clausename, cfg_obj_t *obj, void *arg) {
 	return (ISC_R_SUCCESS);
 }
 
+static isc_boolean_t
+get_maps(const cfg_obj_t **maps, const char *name, const cfg_obj_t **obj) {
+	int i;
+	for (i = 0;; i++) {
+		if (maps[i] == NULL)
+			return (ISC_FALSE);
+		if (cfg_map_get(maps[i], name, obj) == ISC_R_SUCCESS)
+			return (ISC_TRUE);
+	}
+}
+
+static isc_boolean_t
+get_checknames(const cfg_obj_t **maps, const cfg_obj_t **obj) {
+	const cfg_listelt_t *element;
+	const cfg_obj_t *checknames;
+	const cfg_obj_t *type;
+	const cfg_obj_t *value;
+	isc_result_t result;
+	int i;
+
+	for (i = 0;; i++) {
+		if (maps[i] == NULL)
+			return (ISC_FALSE);
+		checknames = NULL;
+		result = cfg_map_get(maps[i], "check-names", &checknames);
+		if (result != ISC_R_SUCCESS)
+			continue;
+		if (checknames != NULL && !cfg_obj_islist(checknames)) {
+			*obj = checknames;
+			return (ISC_TRUE);
+		}
+		for (element = cfg_list_first(checknames);
+		     element != NULL;
+		     element = cfg_list_next(element)) {
+			value = cfg_listelt_value(element);
+			type = cfg_tuple_get(value, "type");
+			if (strcasecmp(cfg_obj_asstring(type), "master") != 0)
+				continue;
+			*obj = cfg_tuple_get(value, "mode");
+			return (ISC_TRUE);
+		}
+	}
+}
+
 static isc_result_t
-configure_zone(const char *vclass, const char *view, cfg_obj_t *zconfig,
-	       isc_mem_t *mctx)
+config_get(const cfg_obj_t **maps, const char *name, const cfg_obj_t **obj) {
+	int i;
+
+	for (i = 0;; i++) {
+		if (maps[i] == NULL)
+			return (ISC_R_NOTFOUND);
+		if (cfg_map_get(maps[i], name, obj) == ISC_R_SUCCESS)
+			return (ISC_R_SUCCESS);
+	}
+}
+
+/*% configure the zone */
+static isc_result_t
+configure_zone(const char *vclass, const char *view,
+	       const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
+	       const cfg_obj_t *config, isc_mem_t *mctx)
 {
+	int i = 0;
 	isc_result_t result;
 	const char *zclass;
 	const char *zname;
 	const char *zfile;
-	cfg_obj_t *zoptions = NULL;
-	cfg_obj_t *classobj = NULL;
-	cfg_obj_t *typeobj = NULL;
-	cfg_obj_t *fileobj = NULL;
-	cfg_obj_t *dbobj = NULL;
+	const cfg_obj_t *maps[4];
+	const cfg_obj_t *zoptions = NULL;
+	const cfg_obj_t *classobj = NULL;
+	const cfg_obj_t *typeobj = NULL;
+	const cfg_obj_t *fileobj = NULL;
+	const cfg_obj_t *dbobj = NULL;
+	const cfg_obj_t *obj = NULL;
+	const cfg_obj_t *fmtobj = NULL;
+	dns_masterformat_t masterformat;
+
+	zone_options = DNS_ZONEOPT_CHECKNS | DNS_ZONEOPT_MANYERRORS;
 
 	zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
 	classobj = cfg_tuple_get(zconfig, "class");
@@ -101,7 +177,18 @@ configure_zone(const char *vclass, const char *view, cfg_obj_t *zconfig,
                 zclass = vclass;
         else
 		zclass = cfg_obj_asstring(classobj);
+
 	zoptions = cfg_tuple_get(zconfig, "options");
+	maps[i++] = zoptions;
+	if (vconfig != NULL)
+		maps[i++] = cfg_tuple_get(vconfig, "options");
+	if (config != NULL) {
+		cfg_map_get(config, "options", &obj);
+		if (obj != NULL)
+			maps[i++] = obj;
+	}
+	maps[i++] = NULL;
+
 	cfg_map_get(zoptions, "type", &typeobj);
 	if (typeobj == NULL)
 		return (ISC_R_FAILURE);
@@ -114,20 +201,123 @@ configure_zone(const char *vclass, const char *view, cfg_obj_t *zconfig,
 	if (fileobj == NULL)
 		return (ISC_R_FAILURE);
 	zfile = cfg_obj_asstring(fileobj);
-	result = load_zone(mctx, zname, zfile, zclass, NULL);
+
+	obj = NULL;
+	if (get_maps(maps, "check-mx", &obj)) {
+		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
+			zone_options |= DNS_ZONEOPT_CHECKMX;
+			zone_options &= ~DNS_ZONEOPT_CHECKMXFAIL;
+		} else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
+			zone_options |= DNS_ZONEOPT_CHECKMX;
+			zone_options |= DNS_ZONEOPT_CHECKMXFAIL;
+		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
+			zone_options &= ~DNS_ZONEOPT_CHECKMX;
+			zone_options &= ~DNS_ZONEOPT_CHECKMXFAIL;
+		} else
+			INSIST(0);
+	} else {
+		zone_options |= DNS_ZONEOPT_CHECKMX;
+		zone_options &= ~DNS_ZONEOPT_CHECKMXFAIL;
+	}
+
+	obj = NULL;
+	if (get_maps(maps, "check-integrity", &obj)) {
+		if (cfg_obj_asboolean(obj))
+			zone_options |= DNS_ZONEOPT_CHECKINTEGRITY;
+		else
+			zone_options &= ~DNS_ZONEOPT_CHECKINTEGRITY;
+	}
+
+	obj = NULL;
+	if (get_maps(maps, "check-mx-cname", &obj)) {
+		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
+			zone_options |= DNS_ZONEOPT_WARNMXCNAME;
+			zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME;
+		} else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
+			zone_options &= ~DNS_ZONEOPT_WARNMXCNAME;
+			zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME;
+		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
+			zone_options |= DNS_ZONEOPT_WARNMXCNAME;
+			zone_options |= DNS_ZONEOPT_IGNOREMXCNAME;
+		} else
+			INSIST(0);
+	} else {
+		zone_options |= DNS_ZONEOPT_WARNMXCNAME;
+		zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME;
+	}
+
+	obj = NULL;
+	if (get_maps(maps, "check-srv-cname", &obj)) {
+		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
+			zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
+			zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME;
+		} else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
+			zone_options &= ~DNS_ZONEOPT_WARNSRVCNAME;
+			zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME;
+		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
+			zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
+			zone_options |= DNS_ZONEOPT_IGNORESRVCNAME;
+		} else
+			INSIST(0);
+	} else {
+		zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
+		zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME;
+	}
+
+	obj = NULL;
+	if (get_maps(maps, "check-sibling", &obj)) {
+		if (cfg_obj_asboolean(obj))
+			zone_options |= DNS_ZONEOPT_CHECKSIBLING;
+		else
+			zone_options &= ~DNS_ZONEOPT_CHECKSIBLING;
+	}
+
+	obj = NULL;
+	if (get_checknames(maps, &obj)) {
+		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
+			zone_options |= DNS_ZONEOPT_CHECKNAMES;
+			zone_options &= ~DNS_ZONEOPT_CHECKNAMESFAIL;
+		} else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
+			zone_options |= DNS_ZONEOPT_CHECKNAMES;
+			zone_options |= DNS_ZONEOPT_CHECKNAMESFAIL;
+		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
+			zone_options &= ~DNS_ZONEOPT_CHECKNAMES;
+			zone_options &= ~DNS_ZONEOPT_CHECKNAMESFAIL;
+		} else
+			INSIST(0);
+	} else {
+               zone_options |= DNS_ZONEOPT_CHECKNAMES;
+               zone_options |= DNS_ZONEOPT_CHECKNAMESFAIL;
+	}
+
+	masterformat = dns_masterformat_text;
+	fmtobj = NULL;
+	result = config_get(maps, "masterfile-format", &fmtobj);
+	if (result == ISC_R_SUCCESS) {
+		const char *masterformatstr = cfg_obj_asstring(fmtobj);
+		if (strcasecmp(masterformatstr, "text") == 0)
+			masterformat = dns_masterformat_text;
+		else if (strcasecmp(masterformatstr, "raw") == 0)
+			masterformat = dns_masterformat_raw;
+		else
+			INSIST(0);
+	}
+
+	result = load_zone(mctx, zname, zfile, masterformat, zclass, NULL);
 	if (result != ISC_R_SUCCESS)
 		fprintf(stderr, "%s/%s/%s: %s\n", view, zname, zclass,
 			dns_result_totext(result));
 	return(result);
 }
 
+/*% configure a view */
 static isc_result_t
-configure_view(const char *vclass, const char *view, cfg_obj_t *config,
-	       cfg_obj_t *vconfig, isc_mem_t *mctx)
+configure_view(const char *vclass, const char *view, const cfg_obj_t *config,
+	       const cfg_obj_t *vconfig, isc_mem_t *mctx)
 {
-	cfg_listelt_t *element;
-	cfg_obj_t *voptions;
-	cfg_obj_t *zonelist;
+	const cfg_listelt_t *element;
+	const cfg_obj_t *voptions;
+	const cfg_obj_t *zonelist;
 	isc_result_t result = ISC_R_SUCCESS;
 	isc_result_t tresult;
 
@@ -145,8 +335,9 @@ configure_view(const char *vclass, const char *view, cfg_obj_t *config,
 	     element != NULL;
 	     element = cfg_list_next(element))
 	{
-		cfg_obj_t *zconfig = cfg_listelt_value(element);
-		tresult = configure_zone(vclass, view, zconfig, mctx);
+		const cfg_obj_t *zconfig = cfg_listelt_value(element);
+		tresult = configure_zone(vclass, view, zconfig, vconfig,
+					 config, mctx);
 		if (tresult != ISC_R_SUCCESS)
 			result = tresult;
 	}
@@ -154,12 +345,13 @@ configure_view(const char *vclass, const char *view, cfg_obj_t *config,
 }
 
 
+/*% load zones from the configuration */
 static isc_result_t
-load_zones_fromconfig(cfg_obj_t *config, isc_mem_t *mctx) {
-	cfg_listelt_t *element;
-	cfg_obj_t *classobj;
-	cfg_obj_t *views;
-	cfg_obj_t *vconfig;
+load_zones_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx) {
+	const cfg_listelt_t *element;
+	const cfg_obj_t *classobj;
+	const cfg_obj_t *views;
+	const cfg_obj_t *vconfig;
 	const char *vclass;
 	isc_result_t result = ISC_R_SUCCESS;
 	isc_result_t tresult;
@@ -194,6 +386,7 @@ load_zones_fromconfig(cfg_obj_t *config, isc_mem_t *mctx) {
 	return (result);
 }
 
+/*% The main processing routine */
 int
 main(int argc, char **argv) {
 	int c;
@@ -203,9 +396,12 @@ main(int argc, char **argv) {
 	isc_mem_t *mctx = NULL;
 	isc_result_t result;
 	int exit_status = 0;
+	isc_entropy_t *ectx = NULL;
 	isc_boolean_t load_zones = ISC_FALSE;
 	
-	while ((c = isc_commandline_parse(argc, argv, "djt:vz")) != EOF) {
+	isc_commandline_errprint = ISC_FALSE;
+
+	while ((c = isc_commandline_parse(argc, argv, "dhjt:vz")) != EOF) {
 		switch (c) {
 		case 'd':
 			debug++;
@@ -236,13 +432,27 @@ main(int argc, char **argv) {
 
 		case 'z':
 			load_zones = ISC_TRUE;
+			docheckmx = ISC_FALSE;
+			docheckns = ISC_FALSE;
+			dochecksrv = ISC_FALSE;
 			break;
 
-		default:
+		case '?':
+			if (isc_commandline_option != '?')
+				fprintf(stderr, "%s: invalid argument -%c\n",
+					program, isc_commandline_option);
+		case 'h':
 			usage();
+
+		default:
+			fprintf(stderr, "%s: unhandled option -%c\n",
+				program, isc_commandline_option);
+			exit(1);
 		}
 	}
 
+	if (isc_commandline_index + 1 < argc)
+		usage();
 	if (argv[isc_commandline_index] != NULL)
 		conffile = argv[isc_commandline_index];
 	if (conffile == NULL || conffile[0] == '\0')
@@ -250,7 +460,11 @@ main(int argc, char **argv) {
 
 	RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
 
-	RUNTIME_CHECK(setup_logging(mctx, &logc) == ISC_R_SUCCESS);
+	RUNTIME_CHECK(setup_logging(mctx, stdout, &logc) == ISC_R_SUCCESS);
+
+	RUNTIME_CHECK(isc_entropy_create(mctx, &ectx) == ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)
+		      == ISC_R_SUCCESS);
 
 	dns_result_register();
 
@@ -267,8 +481,6 @@ main(int argc, char **argv) {
 		exit_status = 1;
 
 	if (result == ISC_R_SUCCESS && load_zones) {
-		dns_log_init(logc);
-                dns_log_setcontext(logc);
 		result = load_zones_fromconfig(config, mctx);
 		if (result != ISC_R_SUCCESS)
 			exit_status = 1;
@@ -278,8 +490,13 @@ main(int argc, char **argv) {
 
 	cfg_parser_destroy(&parser);
 
+	dns_name_destroy();
+
 	isc_log_destroy(&logc);
 
+	isc_hash_destroy();
+	isc_entropy_detach(&ectx);
+
 	isc_mem_destroy(&mctx);
 
 	return (exit_status);

bin/check/named-checkconf.docbook

@@ -1,7 +1,9 @@
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2001, 2002  Internet Software Consortium.
+ - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2002  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -16,9 +18,8 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: named-checkconf.docbook,v 1.3.2.1.8.5 2004/06/03 02:24:59 marka Exp $ -->
-
-<refentry>
+<!-- $Id: named-checkconf.docbook,v 1.17 2007/05/21 02:47:25 marka Exp $ -->
+<refentry id="man.named-checkconf">
   <refentryinfo>
     <date>June 14, 2000</date>
   </refentryinfo>
@@ -29,6 +30,21 @@
     <refmiscinfo>BIND9</refmiscinfo>
   </refmeta>
 
+  <docinfo>
+    <copyright>
+      <year>2004</year>
+      <year>2005</year>
+      <year>2007</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+    <copyright>
+      <year>2000</year>
+      <year>2001</year>
+      <year>2002</year>
+      <holder>Internet Software Consortium.</holder>
+    </copyright>
+  </docinfo>
+
   <refnamediv>
     <refname><application>named-checkconf</application></refname>
     <refpurpose>named configuration file syntax checking tool</refpurpose>
@@ -37,6 +53,7 @@
   <refsynopsisdiv>
     <cmdsynopsis>
       <command>named-checkconf</command>
+      <arg><option>-h</option></arg>
       <arg><option>-v</option></arg>
       <arg><option>-j</option></arg>
       <arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
@@ -47,9 +64,9 @@
 
   <refsect1>
     <title>DESCRIPTION</title>
-    <para>
-        <command>named-checkconf</command> checks the syntax, but not
-	the semantics, of a named configuration file.
+    <para><command>named-checkconf</command>
+      checks the syntax, but not the semantics, of a named
+      configuration file.
     </para>
   </refsect1>
 
@@ -57,54 +74,64 @@
     <title>OPTIONS</title>
 
     <variablelist>
+      <varlistentry>
+        <term>-h</term>
+        <listitem>
+          <para>
+            Print the usage summary and exit.
+          </para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term>-t <replaceable class="parameter">directory</replaceable></term>
-	<listitem>
-	  <para>
-	      chroot to <filename>directory</filename> so that include
-	      directives in the configuration file are processed as if
-	      run by a similarly chrooted named.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Chroot to <filename>directory</filename> so that
+            include
+            directives in the configuration file are processed as if
+            run by a similarly chrooted named.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-v</term>
-	<listitem>
-	  <para>
-	      Print the version of the <command>named-checkconf</command>
-	      program and exit.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Print the version of the <command>named-checkconf</command>
+            program and exit.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-z</term>
-	<listitem>
-	  <para>
-	      Perform a check load the master zonefiles found in
-	      <filename>named.conf</filename>.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+	    Perform a test load of all master zones found in
+	    <filename>named.conf</filename>.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-j</term>
-	<listitem>
-	  <para>
-	      When loading a zonefile read the journal if it exists.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            When loading a zonefile read the journal if it exists.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>filename</term>
-	<listitem>
-	  <para>
-	       The name of the configuration file to be checked.  If not
-	       specified, it defaults to <filename>/etc/named.conf</filename>.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            The name of the configuration file to be checked.  If not
+            specified, it defaults to <filename>/etc/named.conf</filename>.
+          </para>
+        </listitem>
       </varlistentry>
 
     </variablelist>
@@ -113,17 +140,16 @@
 
   <refsect1>
     <title>RETURN VALUES</title>
-    <para>
-        <command>named-checkconf</command> returns an exit status of 1 if
-	errors were detected and 0 otherwise.
+    <para><command>named-checkconf</command>
+      returns an exit status of 1 if
+      errors were detected and 0 otherwise.
+    </para>
   </refsect1>
 
   <refsect1>
     <title>SEE ALSO</title>
-    <para>
-      <citerefentry>
-        <refentrytitle>named</refentrytitle>
-	<manvolnum>8</manvolnum>
+    <para><citerefentry>
+        <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
       </citerefentry>,
       <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
     </para>
@@ -131,16 +157,12 @@
 
   <refsect1>
     <title>AUTHOR</title>
-    <para>
-        <corpauthor>Internet Systems Consortium</corpauthor>
+    <para><corpauthor>Internet Systems Consortium</corpauthor>
     </para>
   </refsect1>
 
-</refentry>
-
-<!--
+</refentry><!--
  - Local variables:
  - mode: sgml
  - End:
 -->
-

bin/check/named-checkconf.html

@@ -1,216 +1,95 @@
 <!--
- - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2001, 2002  Internet Software Consortium.
- -
+ - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2002 Internet Software Consortium.
+ - 
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- -
+ - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
-<!-- $Id: named-checkconf.html,v 1.5.2.1.4.5 2004/08/22 23:38:57 marka Exp $ -->
-
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-<HTML
-><HEAD
-><TITLE
->named-checkconf</TITLE
-><META
-NAME="GENERATOR"
-CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD
-><BODY
-CLASS="REFENTRY"
-BGCOLOR="#FFFFFF"
-TEXT="#000000"
-LINK="#0000FF"
-VLINK="#840084"
-ALINK="#0000FF"
-><H1
-><A
-NAME="AEN1"
-></A
-><SPAN
-CLASS="APPLICATION"
->named-checkconf</SPAN
-></H1
-><DIV
-CLASS="REFNAMEDIV"
-><A
-NAME="AEN9"
-></A
-><H2
->Name</H2
-><SPAN
-CLASS="APPLICATION"
->named-checkconf</SPAN
->&nbsp;--&nbsp;named configuration file syntax checking tool</DIV
-><DIV
-CLASS="REFSYNOPSISDIV"
-><A
-NAME="AEN13"
-></A
-><H2
->Synopsis</H2
-><P
-><B
-CLASS="COMMAND"
->named-checkconf</B
->  [<VAR
-CLASS="OPTION"
->-v</VAR
->] [<VAR
-CLASS="OPTION"
->-j</VAR
->] [<VAR
-CLASS="OPTION"
->-t <VAR
-CLASS="REPLACEABLE"
->directory</VAR
-></VAR
->] {filename} [<VAR
-CLASS="OPTION"
->-z</VAR
->]</P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN26"
-></A
-><H2
->DESCRIPTION</H2
-><P
->        <B
-CLASS="COMMAND"
->named-checkconf</B
-> checks the syntax, but not
-	the semantics, of a named configuration file.
-    </P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN30"
-></A
-><H2
->OPTIONS</H2
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
->-t <VAR
-CLASS="REPLACEABLE"
->directory</VAR
-></DT
-><DD
-><P
->	      chroot to <TT
-CLASS="FILENAME"
->directory</TT
-> so that include
-	      directives in the configuration file are processed as if
-	      run by a similarly chrooted named.
-	  </P
-></DD
-><DT
->-v</DT
-><DD
-><P
->	      Print the version of the <B
-CLASS="COMMAND"
->named-checkconf</B
->
-	      program and exit.
-	  </P
-></DD
-><DT
->-z</DT
-><DD
-><P
->	      Perform a check load the master zonefiles found in
-	      <TT
-CLASS="FILENAME"
->named.conf</TT
->.
-	  </P
-></DD
-><DT
->-j</DT
-><DD
-><P
->	      When loading a zonefile read the journal if it exists.
-	  </P
-></DD
-><DT
->filename</DT
-><DD
-><P
->	       The name of the configuration file to be checked.  If not
-	       specified, it defaults to <TT
-CLASS="FILENAME"
->/etc/named.conf</TT
->.
-	  </P
-></DD
-></DL
-></DIV
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN58"
-></A
-><H2
->RETURN VALUES</H2
-><P
->        <B
-CLASS="COMMAND"
->named-checkconf</B
-> returns an exit status of 1 if
-	errors were detected and 0 otherwise.
-  </P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN62"
-></A
-><H2
->SEE ALSO</H2
-><P
->      <SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->named</SPAN
->(8)</SPAN
->,
-      <I
-CLASS="CITETITLE"
->BIND 9 Administrator Reference Manual</I
->.
-    </P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN69"
-></A
-><H2
->AUTHOR</H2
-><P
->        Internet Systems Consortium
-    </P
-></DIV
-></BODY
-></HTML
->
+<!-- $Id: named-checkconf.html,v 1.29 2007/05/21 04:09:03 marka Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>named-checkconf</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
+<a name="man.named-checkconf"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">named-checkconf</span> &#8212; named configuration file syntax checking tool</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">named-checkconf</code>  [<code class="option">-h</code>] [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] {filename} [<code class="option">-z</code>]</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543387"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">named-checkconf</strong></span>
+      checks the syntax, but not the semantics, of a named
+      configuration file.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543399"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-h</span></dt>
+<dd><p>
+            Print the usage summary and exit.
+          </p></dd>
+<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
+<dd><p>
+            Chroot to <code class="filename">directory</code> so that
+            include
+            directives in the configuration file are processed as if
+            run by a similarly chrooted named.
+          </p></dd>
+<dt><span class="term">-v</span></dt>
+<dd><p>
+            Print the version of the <span><strong class="command">named-checkconf</strong></span>
+            program and exit.
+          </p></dd>
+<dt><span class="term">-z</span></dt>
+<dd><p>
+	    Perform a test load of all master zones found in
+	    <code class="filename">named.conf</code>.
+          </p></dd>
+<dt><span class="term">-j</span></dt>
+<dd><p>
+            When loading a zonefile read the journal if it exists.
+          </p></dd>
+<dt><span class="term">filename</span></dt>
+<dd><p>
+            The name of the configuration file to be checked.  If not
+            specified, it defaults to <code class="filename">/etc/named.conf</code>.
+          </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543507"></a><h2>RETURN VALUES</h2>
+<p><span><strong class="command">named-checkconf</strong></span>
+      returns an exit status of 1 if
+      errors were detected and 0 otherwise.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543518"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543540"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+    </p>
+</div>
+</div></body>
+</html>

bin/check/named-checkzone.8

@@ -1,94 +1,277 @@
-.\" Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000-2002  Internet Software Consortium.
-.\"
+.\" Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2002 Internet Software Consortium.
+.\" 
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
 .\" copyright notice and this permission notice appear in all copies.
-.\"
+.\" 
 .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: named-checkzone.8,v 1.11.2.1.8.4 2004/06/03 05:35:42 marka Exp $
+.\" $Id: named-checkzone.8,v 1.41 2007/05/21 04:09:03 marka Exp $
 .\"
-.TH "NAMED-CHECKZONE" "8" "June 13, 2000" "BIND9" ""
-.SH NAME
-named-checkzone \- zone file validity checking tool
-.SH SYNOPSIS
-.sp
-\fBnamed-checkzone\fR [ \fB-d\fR ]  [ \fB-j\fR ]  [ \fB-q\fR ]  [ \fB-v\fR ]  [ \fB-c \fIclass\fB\fR ]  [ \fB-k \fImode\fB\fR ]  [ \fB-n \fImode\fB\fR ]  [ \fB-o \fIfilename\fB\fR ]  [ \fB-t \fIdirectory\fB\fR ]  [ \fB-w \fIdirectory\fB\fR ]  [ \fB-D\fR ]  \fBzonename\fR \fBfilename\fR
+.hy 0
+.ad l
+.\"     Title: named\-checkzone
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\"      Date: June 13, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
+.TH "NAMED\-CHECKZONE" "8" "June 13, 2000" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+named\-checkzone, named\-compilezone \- zone file validity checking or converting tool
+.SH "SYNOPSIS"
+.HP 16
+\fBnamed\-checkzone\fR [\fB\-d\fR] [\fB\-h\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-M\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-S\ \fR\fB\fImode\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} {filename}
+.HP 18
+\fBnamed\-compilezone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-C\ \fR\fB\fImode\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} {filename}
 .SH "DESCRIPTION"
 .PP
-\fBnamed-checkzone\fR checks the syntax and integrity of
-a zone file. It performs the same checks as \fBnamed\fR
+\fBnamed\-checkzone\fR
+checks the syntax and integrity of a zone file. It performs the same checks as
+\fBnamed\fR
 does when loading a zone. This makes
-\fBnamed-checkzone\fR useful for checking zone
-files before configuring them into a name server.
+\fBnamed\-checkzone\fR
+useful for checking zone files before configuring them into a name server.
+.PP
+\fBnamed\-compilezone\fR
+is similar to
+\fBnamed\-checkzone\fR, but it always dumps the zone contents to a specified file in a specified format. Additionally, it applies stricter check levels by default, since the dump output will be used as an actual zone file loaded by
+\fBnamed\fR. When manually specified otherwise, the check levels must at least be as strict as those specified in the
+\fBnamed\fR
+configuration file.
 .SH "OPTIONS"
-.TP
-\fB-d\fR
+.PP
+\-d
+.RS 4
 Enable debugging.
-.TP
-\fB-q\fR
-Quiet mode - exit code only.
-.TP
-\fB-v\fR
-Print the version of the \fBnamed-checkzone\fR
+.RE
+.PP
+\-h
+.RS 4
+Print the usage summary and exit.
+.RE
+.PP
+\-q
+.RS 4
+Quiet mode \- exit code only.
+.RE
+.PP
+\-v
+.RS 4
+Print the version of the
+\fBnamed\-checkzone\fR
 program and exit.
-.TP
-\fB-j\fR
+.RE
+.PP
+\-j
+.RS 4
 When loading the zone file read the journal if it exists.
-.TP
-\fB-c \fIclass\fB\fR
+.RE
+.PP
+\-c \fIclass\fR
+.RS 4
 Specify the class of the zone. If not specified "IN" is assumed.
-.TP
-\fB-k \fImode\fB\fR
-Perform \fB"check-name"\fR checks with the specified failure mode.
-Possible modes are \fB"fail"\fR,
-\fB"warn"\fR (default) and
+.RE
+.PP
+\-i \fImode\fR
+.RS 4
+Perform post\-load zone integrity checks. Possible modes are
+\fB"full"\fR
+(default),
+\fB"full\-sibling"\fR,
+\fB"local"\fR,
+\fB"local\-sibling"\fR
+and
+\fB"none"\fR.
+.sp
+Mode
+\fB"full"\fR
+checks that MX records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames). Mode
+\fB"local"\fR
+only checks MX records which refer to in\-zone hostnames.
+.sp
+Mode
+\fB"full"\fR
+checks that SRV records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames). Mode
+\fB"local"\fR
+only checks SRV records which refer to in\-zone hostnames.
+.sp
+Mode
+\fB"full"\fR
+checks that delegation NS records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames). It also checks that glue address records in the zone match those advertised by the child. Mode
+\fB"local"\fR
+only checks NS records which refer to in\-zone hostnames or that some required glue exists, that is when the nameserver is in a child zone.
+.sp
+Mode
+\fB"full\-sibling"\fR
+and
+\fB"local\-sibling"\fR
+disable sibling glue checks but are otherwise the same as
+\fB"full"\fR
+and
+\fB"local"\fR
+respectively.
+.sp
+Mode
+\fB"none"\fR
+disables the checks.
+.RE
+.PP
+\-f \fIformat\fR
+.RS 4
+Specify the format of the zone file. Possible formats are
+\fB"text"\fR
+(default) and
+\fB"raw"\fR.
+.RE
+.PP
+\-F \fIformat\fR
+.RS 4
+Specify the format of the output file specified. Possible formats are
+\fB"text"\fR
+(default) and
+\fB"raw"\fR. For
+\fBnamed\-checkzone\fR, this does not cause any effects unless it dumps the zone contents.
+.RE
+.PP
+\-k \fImode\fR
+.RS 4
+Perform
+\fB"check\-names"\fR
+checks with the specified failure mode. Possible modes are
+\fB"fail"\fR
+(default for
+\fBnamed\-compilezone\fR),
+\fB"warn"\fR
+(default for
+\fBnamed\-checkzone\fR) and
 \fB"ignore"\fR.
-.TP
-\fB-n \fImode\fB\fR
-Specify whether NS records should be checked to see if they
-are addresses. Possible modes are \fB"fail"\fR,
-\fB"warn"\fR (default) and
+.RE
+.PP
+\-m \fImode\fR
+.RS 4
+Specify whether MX records should be checked to see if they are addresses. Possible modes are
+\fB"fail"\fR,
+\fB"warn"\fR
+(default) and
 \fB"ignore"\fR.
-.TP
-\fB-o \fIfilename\fB\fR
-Write zone output to \fIdirectory\fR.
-.TP
-\fB-t \fIdirectory\fB\fR
-chroot to \fIdirectory\fR so that include
-directives in the configuration file are processed as if
-run by a similarly chrooted named.
-.TP
-\fB-w \fIdirectory\fB\fR
-chdir to \fIdirectory\fR so that relative
-filenames in master file $INCLUDE directives work. This
-is similar to the directory clause in
+.RE
+.PP
+\-M \fImode\fR
+.RS 4
+Check if a MX record refers to a CNAME. Possible modes are
+\fB"fail"\fR,
+\fB"warn"\fR
+(default) and
+\fB"ignore"\fR.
+.RE
+.PP
+\-n \fImode\fR
+.RS 4
+Specify whether NS records should be checked to see if they are addresses. Possible modes are
+\fB"fail"\fR
+(default for
+\fBnamed\-compilezone\fR),
+\fB"warn"\fR
+(default for
+\fBnamed\-checkzone\fR) and
+\fB"ignore"\fR.
+.RE
+.PP
+\-o \fIfilename\fR
+.RS 4
+Write zone output to
+\fIfilename\fR. If
+\fIfilename\fR
+is
+\fI\-\fR
+then write to standard out. This is mandatory for
+\fBnamed\-compilezone\fR.
+.RE
+.PP
+\-s \fIstyle\fR
+.RS 4
+Specify the style of the dumped zone file. Possible styles are
+\fB"full"\fR
+(default) and
+\fB"relative"\fR. The full format is most suitable for processing automatically by a separate script. On the other hand, the relative format is more human\-readable and is thus suitable for editing by hand. For
+\fBnamed\-checkzone\fR
+this does not cause any effects unless it dumps the zone contents. It also does not have any meaning if the output format is not text.
+.RE
+.PP
+\-S \fImode\fR
+.RS 4
+Check if a SRV record refers to a CNAME. Possible modes are
+\fB"fail"\fR,
+\fB"warn"\fR
+(default) and
+\fB"ignore"\fR.
+.RE
+.PP
+\-t \fIdirectory\fR
+.RS 4
+Chroot to
+\fIdirectory\fR
+so that include directives in the configuration file are processed as if run by a similarly chrooted named.
+.RE
+.PP
+\-w \fIdirectory\fR
+.RS 4
+chdir to
+\fIdirectory\fR
+so that relative filenames in master file $INCLUDE directives work. This is similar to the directory clause in
 \fInamed.conf\fR.
-.TP
-\fB-D\fR
-Dump zone file in canonical format.
-.TP
-\fBzonename\fR
+.RE
+.PP
+\-D
+.RS 4
+Dump zone file in canonical format. This is always enabled for
+\fBnamed\-compilezone\fR.
+.RE
+.PP
+\-W \fImode\fR
+.RS 4
+Specify whether to check for non\-terminal wildcards. Non\-terminal wildcards are almost always the result of a failure to understand the wildcard matching algorithm (RFC 1034). Possible modes are
+\fB"warn"\fR
+(default) and
+\fB"ignore"\fR.
+.RE
+.PP
+zonename
+.RS 4
 The domain name of the zone being checked.
-.TP
-\fBfilename\fR
+.RE
+.PP
+filename
+.RS 4
 The name of the zone file.
+.RE
 .SH "RETURN VALUES"
 .PP
-\fBnamed-checkzone\fR returns an exit status of 1 if
-errors were detected and 0 otherwise.
+\fBnamed\-checkzone\fR
+returns an exit status of 1 if errors were detected and 0 otherwise.
 .SH "SEE ALSO"
 .PP
 \fBnamed\fR(8),
-\fIRFC 1035\fR,
-\fIBIND 9 Administrator Reference Manual\fR.
+RFC 1035,
+BIND 9 Administrator Reference Manual.
 .SH "AUTHOR"
 .PP
 Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2004\-2007 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2000\-2002 Internet Software Consortium.
+.br

bin/check/named-checkzone.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named-checkzone.c,v 1.13.2.3.8.11 2004/10/25 01:36:06 marka Exp $ */
+/* $Id: named-checkzone.c,v 1.48 2007/05/21 02:47:25 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -37,9 +39,12 @@
 #include <dns/db.h>
 #include <dns/fixedname.h>
 #include <dns/log.h>
+#include <dns/masterdump.h>
+#include <dns/name.h>
 #include <dns/rdataclass.h>
 #include <dns/rdataset.h>
 #include <dns/result.h>
+#include <dns/types.h>
 #include <dns/zone.h>
 
 #include "check-tool.h"
@@ -51,6 +56,9 @@ dns_zone_t *zone = NULL;
 dns_zonetype_t zonetype = dns_zone_master;
 static int dumpzone = 0;
 static const char *output_filename;
+static char *prog_name = NULL;
+static const dns_master_style_t *outputstyle = NULL;
+static enum { progmode_check, progmode_compile } progmode;
 
 #define ERRRET(result, function) \
 	do { \
@@ -65,9 +73,13 @@ static const char *output_filename;
 static void
 usage(void) {
 	fprintf(stderr,
-		"usage: named-checkzone [-djqvD] [-c class] [-o output] "
+		"usage: %s [-djqvD] [-c class] [-o output] "
+		"[-f inputformat] [-F outputformat] "
 		"[-t directory] [-w directory] [-k (ignore|warn|fail)] "
-		"[-n (ignore|warn|fail)] zonename filename\n");
+		"[-n (ignore|warn|fail)] [-m (ignore|warn|fail)] "
+		"[-i (full|local|none)] [-M (ignore|warn|fail)] "
+		"[-S (ignore|warn|fail)] [-W (ignore|warn)] "
+		"zonename filename\n", prog_name);
 	exit(1);
 }
 
@@ -75,8 +87,10 @@ static void
 destroy(void) {
 	if (zone != NULL)
 		dns_zone_detach(&zone);
+	dns_name_destroy();
 }
 
+/*% main processing routine */
 int
 main(int argc, char **argv) {
 	int c;
@@ -87,8 +101,50 @@ main(int argc, char **argv) {
 	char classname_in[] = "IN";
 	char *classname = classname_in;
 	const char *workdir = NULL;
+	const char *inputformatstr = NULL;
+	const char *outputformatstr = NULL;
+	dns_masterformat_t inputformat = dns_masterformat_text;
+	dns_masterformat_t outputformat = dns_masterformat_text;
+	FILE *errout = stdout;
 
-	while ((c = isc_commandline_parse(argc, argv, "c:dijk:n:qst:o:vw:D")) != EOF) {
+	outputstyle = &dns_master_style_full;
+
+	prog_name = strrchr(argv[0], '/');
+	if (prog_name == NULL)
+		prog_name = strrchr(argv[0], '\\');
+	if (prog_name != NULL)
+		prog_name++;
+	else
+		prog_name = argv[0];
+	/*
+	 * Libtool doesn't preserve the program name prior to final
+	 * installation.  Remove the libtool prefix ("lt-").
+	 */
+	if (strncmp(prog_name, "lt-", 3) == 0)
+		prog_name += 3;
+	if (strcmp(prog_name, "named-checkzone") == 0)
+		progmode = progmode_check;
+	else if (strcmp(prog_name, "named-compilezone") == 0)
+		progmode = progmode_compile;
+	else
+		INSIST(0);
+
+	/* Compilation specific defaults */
+	if (progmode == progmode_compile) {
+		zone_options |= (DNS_ZONEOPT_CHECKNS |
+				 DNS_ZONEOPT_FATALNS |
+				 DNS_ZONEOPT_CHECKNAMES |
+				 DNS_ZONEOPT_CHECKNAMESFAIL |
+				 DNS_ZONEOPT_CHECKWILDCARD);
+	}
+
+#define ARGCMP(X) (strcmp(isc_commandline_argument, X) == 0)
+
+	isc_commandline_errprint = ISC_FALSE;
+
+	while ((c = isc_commandline_parse(argc, argv,
+					 "c:df:hi:jk:m:n:qs:t:o:vw:DF:M:S:W:"))
+	       != EOF) {
 		switch (c) {
 		case 'c':
 			classname = isc_commandline_argument;
@@ -98,34 +154,104 @@ main(int argc, char **argv) {
 			debug++;
 			break;
 
+		case 'i':
+			if (ARGCMP("full")) {
+				zone_options |= DNS_ZONEOPT_CHECKINTEGRITY |
+						DNS_ZONEOPT_CHECKSIBLING;
+				docheckmx = ISC_TRUE;
+				docheckns = ISC_TRUE;
+				dochecksrv = ISC_TRUE;
+			} else if (ARGCMP("full-sibling")) {
+				zone_options |= DNS_ZONEOPT_CHECKINTEGRITY;
+				zone_options &= ~DNS_ZONEOPT_CHECKSIBLING;
+				docheckmx = ISC_TRUE;
+				docheckns = ISC_TRUE;
+				dochecksrv = ISC_TRUE;
+			} else if (ARGCMP("local")) {
+				zone_options |= DNS_ZONEOPT_CHECKINTEGRITY;
+				zone_options |= DNS_ZONEOPT_CHECKSIBLING;
+				docheckmx = ISC_FALSE;
+				docheckns = ISC_FALSE;
+				dochecksrv = ISC_FALSE;
+			} else if (ARGCMP("local-sibling")) {
+				zone_options |= DNS_ZONEOPT_CHECKINTEGRITY;
+				zone_options &= ~DNS_ZONEOPT_CHECKSIBLING;
+				docheckmx = ISC_FALSE;
+				docheckns = ISC_FALSE;
+				dochecksrv = ISC_FALSE;
+			} else if (ARGCMP("none")) {
+				zone_options &= ~DNS_ZONEOPT_CHECKINTEGRITY;
+				zone_options &= ~DNS_ZONEOPT_CHECKSIBLING;
+				docheckmx = ISC_FALSE;
+				docheckns = ISC_FALSE;
+				dochecksrv = ISC_FALSE;
+			} else {
+				fprintf(stderr, "invalid argument to -i: %s\n",
+					isc_commandline_argument);
+				exit(1);
+			}
+			break;
+
+		case 'f':
+			inputformatstr = isc_commandline_argument;
+			break;
+
+		case 'F':
+			outputformatstr = isc_commandline_argument;
+			break;
+
 		case 'j':
 			nomerge = ISC_FALSE;
 			break;
 
-		case 'n':
-			if (!strcmp(isc_commandline_argument, "ignore"))
-				zone_options &= ~(DNS_ZONEOPT_CHECKNS|
-						  DNS_ZONEOPT_FATALNS);
-			else if (!strcmp(isc_commandline_argument, "warn")) {
-				zone_options |= DNS_ZONEOPT_CHECKNS;
-				zone_options &= ~DNS_ZONEOPT_FATALNS;
-			} else if (!strcmp(isc_commandline_argument, "fail"))
-				zone_options |= DNS_ZONEOPT_CHECKNS|
-					        DNS_ZONEOPT_FATALNS;
-			break;
-
 		case 'k':
-			if (!strcmp(isc_commandline_argument, "warn")) {
+			if (ARGCMP("warn")) {
 				zone_options |= DNS_ZONEOPT_CHECKNAMES;
 				zone_options &= ~DNS_ZONEOPT_CHECKNAMESFAIL;
-			} else if (!strcmp(isc_commandline_argument,
-					   "fail")) {
+			} else if (ARGCMP("fail")) {
 				zone_options |= DNS_ZONEOPT_CHECKNAMES |
 						DNS_ZONEOPT_CHECKNAMESFAIL;
-			} else if (!strcmp(isc_commandline_argument,
-					   "ignore")) {
+			} else if (ARGCMP("ignore")) {
 				zone_options &= ~(DNS_ZONEOPT_CHECKNAMES |
 						  DNS_ZONEOPT_CHECKNAMESFAIL);
+			} else {
+				fprintf(stderr, "invalid argument to -k: %s\n",
+					isc_commandline_argument);
+				exit(1);
+			}
+			break;
+
+		case 'n':
+			if (ARGCMP("ignore")) {
+				zone_options &= ~(DNS_ZONEOPT_CHECKNS|
+						  DNS_ZONEOPT_FATALNS);
+			} else if (ARGCMP("warn")) {
+				zone_options |= DNS_ZONEOPT_CHECKNS;
+				zone_options &= ~DNS_ZONEOPT_FATALNS;
+			} else if (ARGCMP("fail")) {
+				zone_options |= DNS_ZONEOPT_CHECKNS|
+					        DNS_ZONEOPT_FATALNS;
+			} else {
+				fprintf(stderr, "invalid argument to -n: %s\n",
+					isc_commandline_argument);
+				exit(1);
+			}
+			break;
+
+		case 'm':
+			if (ARGCMP("warn")) {
+				zone_options |= DNS_ZONEOPT_CHECKMX;
+				zone_options &= ~DNS_ZONEOPT_CHECKMXFAIL;
+			} else if (ARGCMP("fail")) {
+				zone_options |= DNS_ZONEOPT_CHECKMX |
+						DNS_ZONEOPT_CHECKMXFAIL;
+			} else if (ARGCMP("ignore")) {
+				zone_options &= ~(DNS_ZONEOPT_CHECKMX |
+						  DNS_ZONEOPT_CHECKMXFAIL);
+			} else {
+				fprintf(stderr, "invalid argument to -m: %s\n",
+					isc_commandline_argument);
+				exit(1);
 			}
 			break;
 
@@ -149,6 +275,19 @@ main(int argc, char **argv) {
 			}
 			break;
 
+		case 's':
+			if (ARGCMP("full"))
+				outputstyle = &dns_master_style_full;
+			else if (ARGCMP("relative")) {
+				outputstyle = &dns_master_style_default;
+			} else {
+				fprintf(stderr,
+					"unknown or unsupported style: %s\n",
+					isc_commandline_argument);
+				exit(1);
+			}
+			break;
+
 		case 'o':
 			output_filename = isc_commandline_argument;
 			break;
@@ -165,8 +304,58 @@ main(int argc, char **argv) {
 			dumpzone++;
 			break;
 
-		default:
+		case 'M':
+			if (ARGCMP("fail")) {
+				zone_options &= ~DNS_ZONEOPT_WARNMXCNAME;
+				zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME;
+			} else if (ARGCMP("warn")) {
+				zone_options |= DNS_ZONEOPT_WARNMXCNAME;
+				zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME;
+			} else if (ARGCMP("ignore")) {
+				zone_options |= DNS_ZONEOPT_WARNMXCNAME;
+				zone_options |= DNS_ZONEOPT_IGNOREMXCNAME;
+			} else {
+				fprintf(stderr, "invalid argument to -M: %s\n",
+					isc_commandline_argument);
+				exit(1);
+			}
+			break;
+
+		case 'S':
+			if (ARGCMP("fail")) {
+				zone_options &= ~DNS_ZONEOPT_WARNSRVCNAME;
+				zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME;
+			} else if (ARGCMP("warn")) {
+				zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
+				zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME;
+			} else if (ARGCMP("ignore")) {
+				zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
+				zone_options |= DNS_ZONEOPT_IGNORESRVCNAME;
+			} else {
+				fprintf(stderr, "invalid argument to -S: %s\n",
+					isc_commandline_argument);
+				exit(1);
+			}
+			break;
+
+		case 'W':
+			if (ARGCMP("warn"))
+				zone_options |= DNS_ZONEOPT_CHECKWILDCARD;
+			else if (ARGCMP("ignore"))
+				zone_options &= ~DNS_ZONEOPT_CHECKWILDCARD;
+			break;
+
+		case '?':
+			if (isc_commandline_option != '?')
+				fprintf(stderr, "%s: invalid argument -%c\n",
+					prog_name, isc_commandline_option);
+		case 'h':
 			usage();
+
+		default:
+			fprintf(stderr, "%s: unhandled option -%c\n",
+                                prog_name, isc_commandline_option);
+			exit(1);
 		}
 	}
 
@@ -179,15 +368,60 @@ main(int argc, char **argv) {
 		}
 	}
 
-	if (isc_commandline_index + 2 > argc)
+	if (inputformatstr != NULL) {
+		if (strcasecmp(inputformatstr, "text") == 0)
+			inputformat = dns_masterformat_text;
+		else if (strcasecmp(inputformatstr, "raw") == 0)
+			inputformat = dns_masterformat_raw;
+		else {
+			fprintf(stderr, "unknown file format: %s\n",
+			    inputformatstr);
+			exit(1);
+		}
+	}
+
+	if (outputformatstr != NULL) {
+		if (strcasecmp(outputformatstr, "text") == 0)
+			outputformat = dns_masterformat_text;
+		else if (strcasecmp(outputformatstr, "raw") == 0)
+			outputformat = dns_masterformat_raw;
+		else {
+			fprintf(stderr, "unknown file format: %s\n",
+				outputformatstr);
+			exit(1);
+		}
+	}
+
+	if (progmode == progmode_compile) {
+		dumpzone = 1;	/* always dump */
+		if (output_filename == NULL) {
+			fprintf(stderr,
+				"output file required, but not specified\n");
+			usage();
+		}
+	}
+
+	if (output_filename != NULL)
+		dumpzone = 1;
+
+	/*
+	 * If we are outputing to stdout then send the informational
+	 * output to stderr.
+	 */
+	if (dumpzone &&
+	    (output_filename == NULL ||
+	     strcmp(output_filename, "-") == 0 ||
+	     strcmp(output_filename, "/dev/fd/1") == 0 ||
+	     strcmp(output_filename, "/dev/stdout") == 0))
+		errout = stderr;
+
+	if (isc_commandline_index + 2 != argc)
 		usage();
 
 	RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
-	if (!quiet) {
-		RUNTIME_CHECK(setup_logging(mctx, &lctx) == ISC_R_SUCCESS);
-		dns_log_init(lctx);
-		dns_log_setcontext(lctx);
-	}
+	if (!quiet)
+		RUNTIME_CHECK(setup_logging(mctx, errout, &lctx)
+			      == ISC_R_SUCCESS);
 	RUNTIME_CHECK(isc_entropy_create(mctx, &ectx) == ISC_R_SUCCESS);
 	RUNTIME_CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)
 		      == ISC_R_SUCCESS);
@@ -196,14 +430,22 @@ main(int argc, char **argv) {
 
 	origin = argv[isc_commandline_index++];
 	filename = argv[isc_commandline_index++];
-	result = load_zone(mctx, origin, filename, classname, &zone);
+	result = load_zone(mctx, origin, filename, inputformat, classname,
+			   &zone);
 
 	if (result == ISC_R_SUCCESS && dumpzone) {
-		result = dump_zone(origin, zone, output_filename);
+		if (!quiet && progmode == progmode_compile) {
+			fprintf(errout, "dump zone to %s...", output_filename);
+			fflush(errout);
+		}
+		result = dump_zone(origin, zone, output_filename,
+				   outputformat, outputstyle);
+		if (!quiet && progmode == progmode_compile)
+			fprintf(errout, "done\n");
 	}
 
 	if (!quiet && result == ISC_R_SUCCESS)
-		fprintf(stdout, "OK\n");
+		fprintf(errout, "OK\n");
 	destroy();
 	if (lctx != NULL)
 		isc_log_destroy(&lctx);

bin/check/named-checkzone.docbook

@@ -1,7 +1,9 @@
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2001, 2002  Internet Software Consortium.
+ - Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2002  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -16,9 +18,8 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: named-checkzone.docbook,v 1.3.2.2.8.7 2004/06/03 02:25:00 marka Exp $ -->
-
-<refentry>
+<!-- $Id: named-checkzone.docbook,v 1.32 2007/05/21 02:47:25 marka Exp $ -->
+<refentry id="man.named-checkzone">
   <refentryinfo>
     <date>June 13, 2000</date>
   </refentryinfo>
@@ -29,25 +30,74 @@
     <refmiscinfo>BIND9</refmiscinfo>
   </refmeta>
 
+  <docinfo>
+    <copyright>
+      <year>2004</year>
+      <year>2005</year>
+      <year>2006</year>
+      <year>2007</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+    <copyright>
+      <year>2000</year>
+      <year>2001</year>
+      <year>2002</year>
+      <holder>Internet Software Consortium.</holder>
+    </copyright>
+  </docinfo>
+
   <refnamediv>
     <refname><application>named-checkzone</application></refname>
-    <refpurpose>zone file validity checking tool</refpurpose>
+    <refname><application>named-compilezone</application></refname>
+    <refpurpose>zone file validity checking or converting tool</refpurpose>
   </refnamediv>
 
   <refsynopsisdiv>
     <cmdsynopsis>
       <command>named-checkzone</command>
       <arg><option>-d</option></arg>
+      <arg><option>-h</option></arg>
       <arg><option>-j</option></arg>
       <arg><option>-q</option></arg>
       <arg><option>-v</option></arg>
       <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
+      <arg><option>-f <replaceable class="parameter">format</replaceable></option></arg>
+      <arg><option>-F <replaceable class="parameter">format</replaceable></option></arg>
+      <arg><option>-i <replaceable class="parameter">mode</replaceable></option></arg>
       <arg><option>-k <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg><option>-m <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg><option>-M <replaceable class="parameter">mode</replaceable></option></arg>
       <arg><option>-n <replaceable class="parameter">mode</replaceable></option></arg>
       <arg><option>-o <replaceable class="parameter">filename</replaceable></option></arg>
+      <arg><option>-s <replaceable class="parameter">style</replaceable></option></arg>
+      <arg><option>-S <replaceable class="parameter">mode</replaceable></option></arg>
       <arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
       <arg><option>-w <replaceable class="parameter">directory</replaceable></option></arg>
       <arg><option>-D</option></arg>
+      <arg><option>-W <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg choice="req">zonename</arg>
+      <arg choice="req">filename</arg>
+    </cmdsynopsis>
+    <cmdsynopsis>
+      <command>named-compilezone</command>
+      <arg><option>-d</option></arg>
+      <arg><option>-j</option></arg>
+      <arg><option>-q</option></arg>
+      <arg><option>-v</option></arg>
+      <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
+      <arg><option>-C <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg><option>-f <replaceable class="parameter">format</replaceable></option></arg>
+      <arg><option>-F <replaceable class="parameter">format</replaceable></option></arg>
+      <arg><option>-i <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg><option>-k <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg><option>-m <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg><option>-n <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg><option>-o <replaceable class="parameter">filename</replaceable></option></arg>
+      <arg><option>-s <replaceable class="parameter">style</replaceable></option></arg>
+      <arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
+      <arg><option>-w <replaceable class="parameter">directory</replaceable></option></arg>
+      <arg><option>-D</option></arg>
+      <arg><option>-W <replaceable class="parameter">mode</replaceable></option></arg>
       <arg choice="req">zonename</arg>
       <arg choice="req">filename</arg>
     </cmdsynopsis>
@@ -55,13 +105,23 @@
 
   <refsect1>
     <title>DESCRIPTION</title>
-    <para>
-        <command>named-checkzone</command> checks the syntax and integrity of
-	a zone file.  It performs the same checks as <command>named</command>
-	does when loading a zone.  This makes
-	<command>named-checkzone</command> useful for checking zone
-	files before configuring them into a name server.
+    <para><command>named-checkzone</command>
+      checks the syntax and integrity of a zone file.  It performs the
+      same checks as <command>named</command> does when loading a
+      zone.  This makes <command>named-checkzone</command> useful for
+      checking zone files before configuring them into a name server.
     </para>
+    <para>
+        <command>named-compilezone</command> is similar to
+	<command>named-checkzone</command>, but it always dumps the
+        zone contents to a specified file in a specified format.
+	Additionally, it applies stricter check levels by default,
+        since the dump output will be used as an actual zone file
+	loaded by <command>named</command>.
+	When manually specified otherwise, the check levels must at
+        least be as strict as those specified in the
+	<command>named</command> configuration file.
+     </para>
   </refsect1>
 
   <refsect1>
@@ -70,89 +130,234 @@
     <variablelist>
       <varlistentry>
         <term>-d</term>
-	<listitem>
-	  <para>
-	      Enable debugging.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Enable debugging.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-h</term>
+        <listitem>
+          <para>
+            Print the usage summary and exit.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-q</term>
-	<listitem>
-	  <para>
-	      Quiet mode - exit code only.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Quiet mode - exit code only.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-v</term>
-	<listitem>
-	  <para>
-	      Print the version of the <command>named-checkzone</command>
-	      program and exit.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Print the version of the <command>named-checkzone</command>
+            program and exit.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-j</term>
         <listitem>
           <para>
-              When loading the zone file read the journal if it exists.
-          </para>   
+            When loading the zone file read the journal if it exists.
+          </para>
         </listitem>
+      </varlistentry>
 
       <varlistentry>
         <term>-c <replaceable class="parameter">class</replaceable></term>
+        <listitem>
+          <para>
+            Specify the class of the zone.  If not specified "IN" is assumed.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-i <replaceable class="parameter">mode</replaceable></term>
 	<listitem>
 	  <para>
-	      Specify the class of the zone.  If not specified "IN" is assumed.
+	      Perform post-load zone integrity checks.  Possible modes are
+	      <command>"full"</command> (default),
+	      <command>"full-sibling"</command>,
+	      <command>"local"</command>,
+	      <command>"local-sibling"</command> and
+	      <command>"none"</command>.
+	  </para>
+	  <para>
+	      Mode <command>"full"</command> checks that MX records
+	      refer to A or AAAA record (both in-zone and out-of-zone
+	      hostnames).  Mode <command>"local"</command> only
+	      checks MX records which refer to in-zone hostnames.
+	  </para>
+	  <para>
+	      Mode <command>"full"</command> checks that SRV records
+	      refer to A or AAAA record (both in-zone and out-of-zone
+	      hostnames).  Mode <command>"local"</command> only
+	      checks SRV records which refer to in-zone hostnames.
+	  </para>
+	  <para>
+	      Mode <command>"full"</command> checks that delegation NS
+	      records refer to A or AAAA record (both in-zone and out-of-zone
+	      hostnames).  It also checks that glue address records
+	      in the zone match those advertised by the child.
+	      Mode <command>"local"</command> only checks NS records which
+	      refer to in-zone hostnames or that some required glue exists,
+	      that is when the nameserver is in a child zone.
+	  </para>
+	  <para>
+	      Mode <command>"full-sibling"</command> and
+	      <command>"local-sibling"</command> disable sibling glue
+	      checks but are otherwise the same as <command>"full"</command>
+	      and <command>"local"</command> respectively.
+	  </para>
+	  <para>
+	      Mode <command>"none"</command> disables the checks.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-f <replaceable class="parameter">format</replaceable></term>
+	<listitem>
+	  <para>
+	    Specify the format of the zone file.
+	    Possible formats are <command>"text"</command> (default)
+	    and <command>"raw"</command>.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-F <replaceable class="parameter">format</replaceable></term>
+	<listitem>
+	  <para>
+	    Specify the format of the output file specified.
+	    Possible formats are <command>"text"</command> (default)
+	    and <command>"raw"</command>.
+	    For <command>named-checkzone</command>,
+	    this does not cause any effects unless it dumps the zone
+	    contents.
 	  </para>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-k <replaceable class="parameter">mode</replaceable></term>
-	<listitem>
+        <listitem>
+          <para>
+            Perform <command>"check-names"</command> checks with the
+	    specified failure mode.
+            Possible modes are <command>"fail"</command>
+	    (default for <command>named-compilezone</command>),
+            <command>"warn"</command>
+	    (default for <command>named-checkzone</command>) and
+            <command>"ignore"</command>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-m <replaceable class="parameter">mode</replaceable></term>
+        <listitem>
+          <para>
+            Specify whether MX records should be checked to see if they
+            are addresses.  Possible modes are <command>"fail"</command>,
+            <command>"warn"</command> (default) and
+            <command>"ignore"</command>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-M <replaceable class="parameter">mode</replaceable></term>
+        <listitem>
 	  <para>
-	      Perform <command>"check-name"</command> checks with the specified failure mode.
-	      Possible modes are <command>"fail"</command>,
-	      <command>"warn"</command> (default) and
-	      <command>"ignore"</command>.
+	    Check if a MX record refers to a CNAME.
+            Possible modes are <command>"fail"</command>,
+            <command>"warn"</command> (default) and
+            <command>"ignore"</command>.
 	  </para>
-	</listitem>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-n <replaceable class="parameter">mode</replaceable></term>
-	<listitem>
-	  <para>
-	      Specify whether NS records should be checked to see if they
-	      are addresses.  Possible modes are <command>"fail"</command>,
-	      <command>"warn"</command> (default) and
-	      <command>"ignore"</command>.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Specify whether NS records should be checked to see if they
+            are addresses.
+	    Possible modes are <command>"fail"</command>
+	    (default for <command>named-compilezone</command>),
+            <command>"warn"</command>
+	    (default for <command>named-checkzone</command>) and
+            <command>"ignore"</command>.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-o <replaceable class="parameter">filename</replaceable></term>
         <listitem>
           <para>
-	      Write zone output to <filename>directory</filename>.
+            Write zone output to <filename>filename</filename>.
+	    If <filename>filename</filename> is <filename>-</filename> then
+	    write to standard out.
+	    This is mandatory for <command>named-compilezone</command>.
           </para>
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+	<term>-s <replaceable class="parameter">style</replaceable></term>
+	<listitem>
+	  <para>
+	    Specify the style of the dumped zone file.
+	    Possible styles are <command>"full"</command> (default)
+	    and <command>"relative"</command>.
+	    The full format is most suitable for processing
+	    automatically by a separate script.
+	    On the other hand, the relative format is more
+	    human-readable and is thus suitable for editing by hand.
+	    For <command>named-checkzone</command>
+	    this does not cause any effects unless it dumps the zone
+	    contents.
+	    It also does not have any meaning if the output format
+	    is not text.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-S <replaceable class="parameter">mode</replaceable></term>
+        <listitem>
+	  <para>
+	    Check if a SRV record refers to a CNAME.
+            Possible modes are <command>"fail"</command>,
+            <command>"warn"</command> (default) and
+            <command>"ignore"</command>.
+	  </para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term>-t <replaceable class="parameter">directory</replaceable></term>
         <listitem>
           <para>
-              chroot to <filename>directory</filename> so that include
-              directives in the configuration file are processed as if
-              run by a similarly chrooted named.
+            Chroot to <filename>directory</filename> so that
+            include
+            directives in the configuration file are processed as if
+            run by a similarly chrooted named.
           </para>
         </listitem>
       </varlistentry>
@@ -161,39 +366,55 @@
         <term>-w <replaceable class="parameter">directory</replaceable></term>
         <listitem>
           <para>
-              chdir to <filename>directory</filename> so that relative
-	      filenames in master file $INCLUDE directives work.  This
-	      is similar to the directory clause in
-	      <filename>named.conf</filename>.
+            chdir to <filename>directory</filename> so that
+            relative
+            filenames in master file $INCLUDE directives work.  This
+            is similar to the directory clause in
+            <filename>named.conf</filename>.
           </para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-D</term>
-	<listitem>
-	  <para>
-	      Dump zone file in canonical format.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Dump zone file in canonical format.
+	    This is always enabled for <command>named-compilezone</command>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-W <replaceable class="parameter">mode</replaceable></term>
+        <listitem>
+          <para>
+            Specify whether to check for non-terminal wildcards.
+            Non-terminal wildcards are almost always the result of a
+            failure to understand the wildcard matching algorithm (RFC 1034).
+            Possible modes are <command>"warn"</command> (default)
+            and
+            <command>"ignore"</command>.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>zonename</term>
-	<listitem>
-	  <para>
-	       The domain name of the zone being checked.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            The domain name of the zone being checked.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>filename</term>
-	<listitem>
-	  <para>
-	       The name of the zone file.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            The name of the zone file.
+          </para>
+        </listitem>
       </varlistentry>
 
     </variablelist>
@@ -202,17 +423,16 @@
 
   <refsect1>
     <title>RETURN VALUES</title>
-    <para>
-        <command>named-checkzone</command> returns an exit status of 1 if
-	errors were detected and 0 otherwise.
+    <para><command>named-checkzone</command>
+      returns an exit status of 1 if
+      errors were detected and 0 otherwise.
+    </para>
   </refsect1>
 
   <refsect1>
     <title>SEE ALSO</title>
-    <para>
-      <citerefentry>
-        <refentrytitle>named</refentrytitle>
-	<manvolnum>8</manvolnum>
+    <para><citerefentry>
+        <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
       </citerefentry>,
       <citetitle>RFC 1035</citetitle>,
       <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
@@ -221,16 +441,12 @@
 
   <refsect1>
     <title>AUTHOR</title>
-    <para>
-        <corpauthor>Internet Systems Consortium</corpauthor>
+    <para><corpauthor>Internet Systems Consortium</corpauthor>
     </para>
   </refsect1>
 
-</refentry>
-
-<!--
+</refentry><!--
  - Local variables:
  - mode: sgml
  - End:
 -->
-

bin/check/named-checkzone.html

@@ -1,367 +1,261 @@
 <!--
- - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2001, 2002  Internet Software Consortium.
- -
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2002 Internet Software Consortium.
+ - 
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- -
+ - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
-<!-- $Id: named-checkzone.html,v 1.5.2.2.4.5 2004/08/22 23:38:57 marka Exp $ -->
-
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-<HTML
-><HEAD
-><TITLE
->named-checkzone</TITLE
-><META
-NAME="GENERATOR"
-CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD
-><BODY
-CLASS="REFENTRY"
-BGCOLOR="#FFFFFF"
-TEXT="#000000"
-LINK="#0000FF"
-VLINK="#840084"
-ALINK="#0000FF"
-><H1
-><A
-NAME="AEN1"
-></A
-><SPAN
-CLASS="APPLICATION"
->named-checkzone</SPAN
-></H1
-><DIV
-CLASS="REFNAMEDIV"
-><A
-NAME="AEN9"
-></A
-><H2
->Name</H2
-><SPAN
-CLASS="APPLICATION"
->named-checkzone</SPAN
->&nbsp;--&nbsp;zone file validity checking tool</DIV
-><DIV
-CLASS="REFSYNOPSISDIV"
-><A
-NAME="AEN13"
-></A
-><H2
->Synopsis</H2
-><P
-><B
-CLASS="COMMAND"
->named-checkzone</B
->  [<VAR
-CLASS="OPTION"
->-d</VAR
->] [<VAR
-CLASS="OPTION"
->-j</VAR
->] [<VAR
-CLASS="OPTION"
->-q</VAR
->] [<VAR
-CLASS="OPTION"
->-v</VAR
->] [<VAR
-CLASS="OPTION"
->-c <VAR
-CLASS="REPLACEABLE"
->class</VAR
-></VAR
->] [<VAR
-CLASS="OPTION"
->-k <VAR
-CLASS="REPLACEABLE"
->mode</VAR
-></VAR
->] [<VAR
-CLASS="OPTION"
->-n <VAR
-CLASS="REPLACEABLE"
->mode</VAR
-></VAR
->] [<VAR
-CLASS="OPTION"
->-o <VAR
-CLASS="REPLACEABLE"
->filename</VAR
-></VAR
->] [<VAR
-CLASS="OPTION"
->-t <VAR
-CLASS="REPLACEABLE"
->directory</VAR
-></VAR
->] [<VAR
-CLASS="OPTION"
->-w <VAR
-CLASS="REPLACEABLE"
->directory</VAR
-></VAR
->] [<VAR
-CLASS="OPTION"
->-D</VAR
->] {zonename} {filename}</P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN46"
-></A
-><H2
->DESCRIPTION</H2
-><P
->        <B
-CLASS="COMMAND"
->named-checkzone</B
-> checks the syntax and integrity of
-	a zone file.  It performs the same checks as <B
-CLASS="COMMAND"
->named</B
->
-	does when loading a zone.  This makes
-	<B
-CLASS="COMMAND"
->named-checkzone</B
-> useful for checking zone
-	files before configuring them into a name server.
-    </P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN52"
-></A
-><H2
->OPTIONS</H2
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
->-d</DT
-><DD
-><P
->	      Enable debugging.
-	  </P
-></DD
-><DT
->-q</DT
-><DD
-><P
->	      Quiet mode - exit code only.
-	  </P
-></DD
-><DT
->-v</DT
-><DD
-><P
->	      Print the version of the <B
-CLASS="COMMAND"
->named-checkzone</B
->
-	      program and exit.
-	  </P
-></DD
-><DT
->-j</DT
-><DD
-><P
->              When loading the zone file read the journal if it exists.
-          </P
-></DD
-><DT
->-c <VAR
-CLASS="REPLACEABLE"
->class</VAR
-></DT
-><DD
-><P
->	      Specify the class of the zone.  If not specified "IN" is assumed.
-	  </P
-></DD
-><DT
->-k <VAR
-CLASS="REPLACEABLE"
->mode</VAR
-></DT
-><DD
-><P
->	      Perform <B
-CLASS="COMMAND"
->"check-name"</B
-> checks with the specified failure mode.
-	      Possible modes are <B
-CLASS="COMMAND"
->"fail"</B
->,
-	      <B
-CLASS="COMMAND"
->"warn"</B
-> (default) and
-	      <B
-CLASS="COMMAND"
->"ignore"</B
->.
-	  </P
-></DD
-><DT
->-n <VAR
-CLASS="REPLACEABLE"
->mode</VAR
-></DT
-><DD
-><P
->	      Specify whether NS records should be checked to see if they
-	      are addresses.  Possible modes are <B
-CLASS="COMMAND"
->"fail"</B
->,
-	      <B
-CLASS="COMMAND"
->"warn"</B
-> (default) and
-	      <B
-CLASS="COMMAND"
->"ignore"</B
->.
-	  </P
-></DD
-><DT
->-o <VAR
-CLASS="REPLACEABLE"
->filename</VAR
-></DT
-><DD
-><P
->	      Write zone output to <TT
-CLASS="FILENAME"
->directory</TT
->.
-          </P
-></DD
-><DT
->-t <VAR
-CLASS="REPLACEABLE"
->directory</VAR
-></DT
-><DD
-><P
->              chroot to <TT
-CLASS="FILENAME"
->directory</TT
-> so that include
-              directives in the configuration file are processed as if
-              run by a similarly chrooted named.
-          </P
-></DD
-><DT
->-w <VAR
-CLASS="REPLACEABLE"
->directory</VAR
-></DT
-><DD
-><P
->              chdir to <TT
-CLASS="FILENAME"
->directory</TT
-> so that relative
-	      filenames in master file $INCLUDE directives work.  This
-	      is similar to the directory clause in
-	      <TT
-CLASS="FILENAME"
->named.conf</TT
->.
-          </P
-></DD
-><DT
->-D</DT
-><DD
-><P
->	      Dump zone file in canonical format.
-	  </P
-></DD
-><DT
->zonename</DT
-><DD
-><P
->	       The domain name of the zone being checked.
-	  </P
-></DD
-><DT
->filename</DT
-><DD
-><P
->	       The name of the zone file.
-	  </P
-></DD
-></DL
-></DIV
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN125"
-></A
-><H2
->RETURN VALUES</H2
-><P
->        <B
-CLASS="COMMAND"
->named-checkzone</B
-> returns an exit status of 1 if
-	errors were detected and 0 otherwise.
-  </P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN129"
-></A
-><H2
->SEE ALSO</H2
-><P
->      <SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->named</SPAN
->(8)</SPAN
->,
-      <I
-CLASS="CITETITLE"
->RFC 1035</I
->,
-      <I
-CLASS="CITETITLE"
->BIND 9 Administrator Reference Manual</I
->.
-    </P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN137"
-></A
-><H2
->AUTHOR</H2
-><P
->        Internet Systems Consortium
-    </P
-></DIV
-></BODY
-></HTML
->
+<!-- $Id: named-checkzone.html,v 1.41 2007/05/21 04:09:03 marka Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>named-checkzone</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
+<a name="man.named-checkzone"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">named-checkzone</span>, <span class="application">named-compilezone</span> &#8212; zone file validity checking or converting tool</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">named-checkzone</code>  [<code class="option">-d</code>] [<code class="option">-h</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} {filename}</p></div>
+<div class="cmdsynopsis"><p><code class="command">named-compilezone</code>  [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} {filename}</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543669"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">named-checkzone</strong></span>
+      checks the syntax and integrity of a zone file.  It performs the
+      same checks as <span><strong class="command">named</strong></span> does when loading a
+      zone.  This makes <span><strong class="command">named-checkzone</strong></span> useful for
+      checking zone files before configuring them into a name server.
+    </p>
+<p>
+        <span><strong class="command">named-compilezone</strong></span> is similar to
+	<span><strong class="command">named-checkzone</strong></span>, but it always dumps the
+        zone contents to a specified file in a specified format.
+	Additionally, it applies stricter check levels by default,
+        since the dump output will be used as an actual zone file
+	loaded by <span><strong class="command">named</strong></span>.
+	When manually specified otherwise, the check levels must at
+        least be as strict as those specified in the
+	<span><strong class="command">named</strong></span> configuration file.
+     </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543704"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-d</span></dt>
+<dd><p>
+            Enable debugging.
+          </p></dd>
+<dt><span class="term">-h</span></dt>
+<dd><p>
+            Print the usage summary and exit.
+          </p></dd>
+<dt><span class="term">-q</span></dt>
+<dd><p>
+            Quiet mode - exit code only.
+          </p></dd>
+<dt><span class="term">-v</span></dt>
+<dd><p>
+            Print the version of the <span><strong class="command">named-checkzone</strong></span>
+            program and exit.
+          </p></dd>
+<dt><span class="term">-j</span></dt>
+<dd><p>
+            When loading the zone file read the journal if it exists.
+          </p></dd>
+<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
+<dd><p>
+            Specify the class of the zone.  If not specified "IN" is assumed.
+          </p></dd>
+<dt><span class="term">-i <em class="replaceable"><code>mode</code></em></span></dt>
+<dd>
+<p>
+	      Perform post-load zone integrity checks.  Possible modes are
+	      <span><strong class="command">"full"</strong></span> (default),
+	      <span><strong class="command">"full-sibling"</strong></span>,
+	      <span><strong class="command">"local"</strong></span>,
+	      <span><strong class="command">"local-sibling"</strong></span> and
+	      <span><strong class="command">"none"</strong></span>.
+	  </p>
+<p>
+	      Mode <span><strong class="command">"full"</strong></span> checks that MX records
+	      refer to A or AAAA record (both in-zone and out-of-zone
+	      hostnames).  Mode <span><strong class="command">"local"</strong></span> only
+	      checks MX records which refer to in-zone hostnames.
+	  </p>
+<p>
+	      Mode <span><strong class="command">"full"</strong></span> checks that SRV records
+	      refer to A or AAAA record (both in-zone and out-of-zone
+	      hostnames).  Mode <span><strong class="command">"local"</strong></span> only
+	      checks SRV records which refer to in-zone hostnames.
+	  </p>
+<p>
+	      Mode <span><strong class="command">"full"</strong></span> checks that delegation NS
+	      records refer to A or AAAA record (both in-zone and out-of-zone
+	      hostnames).  It also checks that glue address records
+	      in the zone match those advertised by the child.
+	      Mode <span><strong class="command">"local"</strong></span> only checks NS records which
+	      refer to in-zone hostnames or that some required glue exists,
+	      that is when the nameserver is in a child zone.
+	  </p>
+<p>
+	      Mode <span><strong class="command">"full-sibling"</strong></span> and
+	      <span><strong class="command">"local-sibling"</strong></span> disable sibling glue
+	      checks but are otherwise the same as <span><strong class="command">"full"</strong></span>
+	      and <span><strong class="command">"local"</strong></span> respectively.
+	  </p>
+<p>
+	      Mode <span><strong class="command">"none"</strong></span> disables the checks.
+	  </p>
+</dd>
+<dt><span class="term">-f <em class="replaceable"><code>format</code></em></span></dt>
+<dd><p>
+	    Specify the format of the zone file.
+	    Possible formats are <span><strong class="command">"text"</strong></span> (default)
+	    and <span><strong class="command">"raw"</strong></span>.
+	  </p></dd>
+<dt><span class="term">-F <em class="replaceable"><code>format</code></em></span></dt>
+<dd><p>
+	    Specify the format of the output file specified.
+	    Possible formats are <span><strong class="command">"text"</strong></span> (default)
+	    and <span><strong class="command">"raw"</strong></span>.
+	    For <span><strong class="command">named-checkzone</strong></span>,
+	    this does not cause any effects unless it dumps the zone
+	    contents.
+	  </p></dd>
+<dt><span class="term">-k <em class="replaceable"><code>mode</code></em></span></dt>
+<dd><p>
+            Perform <span><strong class="command">"check-names"</strong></span> checks with the
+	    specified failure mode.
+            Possible modes are <span><strong class="command">"fail"</strong></span>
+	    (default for <span><strong class="command">named-compilezone</strong></span>),
+            <span><strong class="command">"warn"</strong></span>
+	    (default for <span><strong class="command">named-checkzone</strong></span>) and
+            <span><strong class="command">"ignore"</strong></span>.
+          </p></dd>
+<dt><span class="term">-m <em class="replaceable"><code>mode</code></em></span></dt>
+<dd><p>
+            Specify whether MX records should be checked to see if they
+            are addresses.  Possible modes are <span><strong class="command">"fail"</strong></span>,
+            <span><strong class="command">"warn"</strong></span> (default) and
+            <span><strong class="command">"ignore"</strong></span>.
+          </p></dd>
+<dt><span class="term">-M <em class="replaceable"><code>mode</code></em></span></dt>
+<dd><p>
+	    Check if a MX record refers to a CNAME.
+            Possible modes are <span><strong class="command">"fail"</strong></span>,
+            <span><strong class="command">"warn"</strong></span> (default) and
+            <span><strong class="command">"ignore"</strong></span>.
+	  </p></dd>
+<dt><span class="term">-n <em class="replaceable"><code>mode</code></em></span></dt>
+<dd><p>
+            Specify whether NS records should be checked to see if they
+            are addresses.
+	    Possible modes are <span><strong class="command">"fail"</strong></span>
+	    (default for <span><strong class="command">named-compilezone</strong></span>),
+            <span><strong class="command">"warn"</strong></span>
+	    (default for <span><strong class="command">named-checkzone</strong></span>) and
+            <span><strong class="command">"ignore"</strong></span>.
+          </p></dd>
+<dt><span class="term">-o <em class="replaceable"><code>filename</code></em></span></dt>
+<dd><p>
+            Write zone output to <code class="filename">filename</code>.
+	    If <code class="filename">filename</code> is <code class="filename">-</code> then
+	    write to standard out.
+	    This is mandatory for <span><strong class="command">named-compilezone</strong></span>.
+          </p></dd>
+<dt><span class="term">-s <em class="replaceable"><code>style</code></em></span></dt>
+<dd><p>
+	    Specify the style of the dumped zone file.
+	    Possible styles are <span><strong class="command">"full"</strong></span> (default)
+	    and <span><strong class="command">"relative"</strong></span>.
+	    The full format is most suitable for processing
+	    automatically by a separate script.
+	    On the other hand, the relative format is more
+	    human-readable and is thus suitable for editing by hand.
+	    For <span><strong class="command">named-checkzone</strong></span>
+	    this does not cause any effects unless it dumps the zone
+	    contents.
+	    It also does not have any meaning if the output format
+	    is not text.
+	  </p></dd>
+<dt><span class="term">-S <em class="replaceable"><code>mode</code></em></span></dt>
+<dd><p>
+	    Check if a SRV record refers to a CNAME.
+            Possible modes are <span><strong class="command">"fail"</strong></span>,
+            <span><strong class="command">"warn"</strong></span> (default) and
+            <span><strong class="command">"ignore"</strong></span>.
+	  </p></dd>
+<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
+<dd><p>
+            Chroot to <code class="filename">directory</code> so that
+            include
+            directives in the configuration file are processed as if
+            run by a similarly chrooted named.
+          </p></dd>
+<dt><span class="term">-w <em class="replaceable"><code>directory</code></em></span></dt>
+<dd><p>
+            chdir to <code class="filename">directory</code> so that
+            relative
+            filenames in master file $INCLUDE directives work.  This
+            is similar to the directory clause in
+            <code class="filename">named.conf</code>.
+          </p></dd>
+<dt><span class="term">-D</span></dt>
+<dd><p>
+            Dump zone file in canonical format.
+	    This is always enabled for <span><strong class="command">named-compilezone</strong></span>.
+          </p></dd>
+<dt><span class="term">-W <em class="replaceable"><code>mode</code></em></span></dt>
+<dd><p>
+            Specify whether to check for non-terminal wildcards.
+            Non-terminal wildcards are almost always the result of a
+            failure to understand the wildcard matching algorithm (RFC 1034).
+            Possible modes are <span><strong class="command">"warn"</strong></span> (default)
+            and
+            <span><strong class="command">"ignore"</strong></span>.
+          </p></dd>
+<dt><span class="term">zonename</span></dt>
+<dd><p>
+            The domain name of the zone being checked.
+          </p></dd>
+<dt><span class="term">filename</span></dt>
+<dd><p>
+            The name of the zone file.
+          </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2544325"></a><h2>RETURN VALUES</h2>
+<p><span><strong class="command">named-checkzone</strong></span>
+      returns an exit status of 1 if
+      errors were detected and 0 otherwise.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2544337"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+      <em class="citetitle">RFC 1035</em>,
+      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2544361"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+    </p>
+</div>
+</div></body>
+</html>

bin/check/win32/checktool.dsp

@@ -0,0 +1,113 @@
+# Microsoft Developer Studio Project File - Name="checktool" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "Win32 (x86) Static-Link Library" 0x0104
+
+CFG=checktool - Win32 Debug
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "checktool.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "checktool.mak" CFG="checktool - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "checktool - Win32 Release" (based on "Win32 (x86) Static-Link Library")
+!MESSAGE "checktool - Win32 Debug" (based on "Win32 (x86) Static-Link Library")
+!MESSAGE 
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+MTL=midl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "checktool - Win32 Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /YX /FD /c
+# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /YX /FD /c /Fdchecktool
+# SUBTRACT CPP /X
+# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
+# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 
+# ADD LINK32 /out:"Release/checktool.lib"
+
+!ELSEIF  "$(CFG)" == "checktool - Win32 Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /YX /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /FR /YX /FD /GZ /c /Fdchecktool
+# SUBTRACT CPP /X
+# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
+# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 
+# ADD LINK32 /debug out:"Debug/checktool.lib"
+
+!ENDIF 
+
+# Begin Target
+
+# Name "checktool - Win32 Release"
+# Name "checktool - Win32 Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl"
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
+# End Group
+# Begin Group "Main Dns Lib"
+
+# PROP Default_Filter "c"
+# Begin Source File
+
+SOURCE=..\check-tool.c
+# End Source File
+# End Group
+# End Target
+# End Project

bin/check/win32/checktool.dsw

@@ -0,0 +1,29 @@
+Microsoft Developer Studio Workspace File, Format Version 6.00
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
+
+###############################################################################
+
+Project: "checktool"=".\checktool.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Global:
+
+Package=<5>
+{{{
+}}}
+
+Package=<3>
+{{{
+}}}
+
+###############################################################################
+

bin/check/win32/namedcheckconf.dsp

@@ -42,7 +42,7 @@ RSC=rc.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
-# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" /FR /YX /FD /c
+# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/isccfg/include" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" /FR /YX /FD /c
 # ADD BASE RSC /l 0x409 /d "NDEBUG"
 # ADD RSC /l 0x409 /d "NDEBUG"
 BSC32=bscmake.exe
@@ -50,7 +50,7 @@ BSC32=bscmake.exe
 # ADD BSC32 /nologo
 LINK32=link.exe
 # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
-# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/isccfg/win32/Release/libisccfg.lib ../../../lib/bind9/win32/Release/libbind9.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/named-checkconf.exe"
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib Release/checktool.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/isccfg/win32/Release/libisccfg.lib ../../../lib/bind9/win32/Release/libbind9.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/named-checkconf.exe"
 
 !ELSEIF  "$(CFG)" == "namedcheckconf - Win32 Debug"
 
@@ -66,7 +66,7 @@ LINK32=link.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
-# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/isccfg/include" /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
 # SUBTRACT CPP /X /YX
 # ADD BASE RSC /l 0x409 /d "_DEBUG"
 # ADD RSC /l 0x409 /d "_DEBUG"
@@ -75,7 +75,7 @@ BSC32=bscmake.exe
 # ADD BSC32 /nologo
 LINK32=link.exe
 # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
-# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/isccfg/win32/Debug/libisccfg.lib ../../../lib/bind9/win32/Debug/libbind9.lib ../../../lib/bind9/win32/Debug/libbind9.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/named-checkconf.exe" /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib Debug/checktool.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/isccfg/win32/Debug/libisccfg.lib ../../../lib/bind9/win32/Debug/libbind9.lib ../../../lib/bind9/win32/Debug/libbind9.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/named-checkconf.exe" /pdbtype:sept
 
 !ENDIF 
 
@@ -88,10 +88,6 @@ LINK32=link.exe
 # PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
 # Begin Source File
 
-SOURCE="..\check-tool.c"
-# End Source File
-# Begin Source File
-
 SOURCE="..\named-checkconf.c"
 # End Source File
 # End Group

bin/check/win32/namedcheckconf.mak

@@ -28,6 +28,81 @@ NULL=nul
 CPP=cl.exe
 RSC=rc.exe
 
+!IF  "$(CFG)" == "namedcheckconf - Win32 Release"
+_VC_MANIFEST_INC=0
+_VC_MANIFEST_BASENAME=__VC80
+!ELSE
+_VC_MANIFEST_INC=1
+_VC_MANIFEST_BASENAME=__VC80.Debug
+!ENDIF
+
+####################################################
+# Specifying name of temporary resource file used only in incremental builds:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res
+!else
+_VC_MANIFEST_AUTO_RES=
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1
+
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2
+
+!endif
+####################################################
+# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \
+    $(_VC_MANIFEST_BASENAME).auto.rc \
+    $(_VC_MANIFEST_BASENAME).auto.manifest
+
+!else
+
+_VC_MANIFEST_CLEAN=
+
+!endif
+
 !IF  "$(CFG)" == "namedcheckconf - Win32 Release"
 
 OUTDIR=.\Release
@@ -58,11 +133,12 @@ CLEAN :
 	-@erase "$(INTDIR)\vc60.idb"
 	-@erase "$(OUTDIR)\namedcheckconf.bsc"
 	-@erase "..\..\..\Build\Release\named-checkconf.exe"
+	-@$(_VC_MANIFEST_CLEAN)
 
 "$(OUTDIR)" :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
-CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\namedcheckconf.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/isccfg/include" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\namedcheckconf.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
 BSC32=bscmake.exe
 BSC32_FLAGS=/nologo /o"$(OUTDIR)\namedcheckconf.bsc" 
 BSC32_SBRS= \
@@ -87,6 +163,7 @@ LINK32_OBJS= \
     $(LINK32) @<<
   $(LINK32_FLAGS) $(LINK32_OBJS)
 <<
+    $(_VC_MANIFEST_EMBED_EXE)
 
 !ELSEIF  "$(CFG)" == "namedcheckconf - Win32 Debug"
 
@@ -121,11 +198,12 @@ CLEAN :
 	-@erase "$(OUTDIR)\namedcheckconf.bsc"
 	-@erase "..\..\..\Build\Debug\named-checkconf.exe"
 	-@erase "..\..\..\Build\Debug\named-checkconf.ilk"
+	-@$(_VC_MANIFEST_CLEAN)
 
 "$(OUTDIR)" :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
-CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/isccfg/include" /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
 BSC32=bscmake.exe
 BSC32_FLAGS=/nologo /o"$(OUTDIR)\namedcheckconf.bsc" 
 BSC32_SBRS= \
@@ -150,6 +228,7 @@ LINK32_OBJS= \
     $(LINK32) @<<
   $(LINK32_FLAGS) $(LINK32_OBJS)
 <<
+    $(_VC_MANIFEST_EMBED_EXE)
 
 !ENDIF 
 
@@ -287,3 +366,39 @@ SOURCE="..\named-checkconf.c"
 
 !ENDIF 
 
+####################################################
+# Commands to generate initial empty manifest file and the RC file
+# that references it, and for generating the .res file:
+
+$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc
+
+$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest
+    type <<$@
+#include <winuser.h>
+1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"
+<< KEEP
+
+$(_VC_MANIFEST_BASENAME).auto.manifest :
+    type <<$@
+<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
+<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
+</assembly>
+<< KEEP
+####################################################
+# Commands to generate initial empty manifest file and the RC file
+# that references it, and for generating the .res file:
+
+$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc
+
+$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest
+    type <<$@
+#include <winuser.h>
+1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"
+<< KEEP
+
+$(_VC_MANIFEST_BASENAME).auto.manifest :
+    type <<$@
+<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
+<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
+</assembly>
+<< KEEP

bin/check/win32/namedcheckzone.dsp

@@ -42,7 +42,7 @@ RSC=rc.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
-# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" /YX /FD /c
+# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" /YX /FD /c
 # SUBTRACT CPP /Fr
 # ADD BASE RSC /l 0x409 /d "NDEBUG"
 # ADD RSC /l 0x409 /d "NDEBUG"
@@ -51,7 +51,7 @@ BSC32=bscmake.exe
 # ADD BSC32 /nologo
 LINK32=link.exe
 # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
-# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/named-checkzone.exe"
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib Release/checktool.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/isccfg/win32/Release/libisccfg.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/named-checkzone.exe"
 
 !ELSEIF  "$(CFG)" == "namedcheckzone - Win32 Debug"
 
@@ -67,7 +67,7 @@ LINK32=link.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
-# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
 # SUBTRACT CPP /X /YX
 # ADD BASE RSC /l 0x409 /d "_DEBUG"
 # ADD RSC /l 0x409 /d "_DEBUG"
@@ -76,7 +76,7 @@ BSC32=bscmake.exe
 # ADD BSC32 /nologo
 LINK32=link.exe
 # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
-# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/named-checkzone.exe" /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib Debug/checktool.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/isccfg/win32/Debug/libisccfg.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/named-checkzone.exe" /pdbtype:sept
 
 !ENDIF 
 
@@ -89,10 +89,6 @@ LINK32=link.exe
 # PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
 # Begin Source File
 
-SOURCE="..\check-tool.c"
-# End Source File
-# Begin Source File
-
 SOURCE="..\named-checkzone.c"
 # End Source File
 # End Group

bin/check/win32/namedcheckzone.mak

@@ -25,6 +25,81 @@ NULL=
 NULL=nul
 !ENDIF 
 
+!IF  "$(CFG)" == "namedcheckzone - Win32 Release"
+_VC_MANIFEST_INC=0
+_VC_MANIFEST_BASENAME=__VC80
+!ELSE
+_VC_MANIFEST_INC=1
+_VC_MANIFEST_BASENAME=__VC80.Debug
+!ENDIF
+
+####################################################
+# Specifying name of temporary resource file used only in incremental builds:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res
+!else
+_VC_MANIFEST_AUTO_RES=
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1
+
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2
+
+!endif
+####################################################
+# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \
+    $(_VC_MANIFEST_BASENAME).auto.rc \
+    $(_VC_MANIFEST_BASENAME).auto.manifest
+
+!else
+
+_VC_MANIFEST_CLEAN=
+
+!endif
+
 !IF  "$(CFG)" == "namedcheckzone - Win32 Release"
 
 OUTDIR=.\Release
@@ -49,12 +124,13 @@ CLEAN :
 	-@erase "$(INTDIR)\named-checkzone.obj"
 	-@erase "$(INTDIR)\vc60.idb"
 	-@erase "..\..\..\Build\Release\named-checkzone.exe"
+	-@$(_VC_MANIFEST_CLEAN)
 
 "$(OUTDIR)" :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
 CPP=cl.exe
-CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" /Fp"$(INTDIR)\namedcheckzone.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" /Fp"$(INTDIR)\namedcheckzone.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
 
 .c{$(INTDIR)}.obj::
    $(CPP) @<<
@@ -92,17 +168,19 @@ BSC32_FLAGS=/nologo /o"$(OUTDIR)\namedcheckzone.bsc"
 BSC32_SBRS= \
 	
 LINK32=link.exe
-LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\named-checkzone.pdb" /machine:I386 /out:"../../../Build/Release/named-checkzone.exe" 
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/isccfg/win32/Release/libisccfg.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\named-checkzone.pdb" /machine:I386 /out:"../../../Build/Release/named-checkzone.exe" 
 LINK32_OBJS= \
 	"$(INTDIR)\check-tool.obj" \
 	"$(INTDIR)\named-checkzone.obj" \
 	"..\..\..\lib\dns\win32\Release\libdns.lib" \
+	"..\..\..\lib\isccfg\win32\Release\libisccfg.lib" \
 	"..\..\..\lib\isc\win32\Release\libisc.lib"
 
 "..\..\..\Build\Release\named-checkzone.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
     $(LINK32) @<<
   $(LINK32_FLAGS) $(LINK32_OBJS)
 <<
+    $(_VC_MANIFEST_EMBED_EXE)
 
 !ELSEIF  "$(CFG)" == "namedcheckzone - Win32 Debug"
 
@@ -137,12 +215,13 @@ CLEAN :
 	-@erase "$(OUTDIR)\namedcheckzone.bsc"
 	-@erase "..\..\..\Build\Debug\named-checkzone.exe"
 	-@erase "..\..\..\Build\Debug\named-checkzone.ilk"
+	-@$(_VC_MANIFEST_CLEAN)
 
 "$(OUTDIR)" :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
 CPP=cl.exe
-CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
 
 .c{$(INTDIR)}.obj::
    $(CPP) @<<
@@ -187,17 +266,19 @@ BSC32_SBRS= \
 <<
 
 LINK32=link.exe
-LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\named-checkzone.pdb" /debug /machine:I386 /out:"../../../Build/Debug/named-checkzone.exe" /pdbtype:sept 
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/isccfg/win32/Debug/libisccfg.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\named-checkzone.pdb" /debug /machine:I386 /out:"../../../Build/Debug/named-checkzone.exe" /pdbtype:sept 
 LINK32_OBJS= \
 	"$(INTDIR)\check-tool.obj" \
 	"$(INTDIR)\named-checkzone.obj" \
 	"..\..\..\lib\dns\win32\Debug\libdns.lib" \
+	"..\..\..\lib\isccfg\win32\Debug\libisccfg.lib" \
 	"..\..\..\lib\isc\win32\Debug\libisc.lib"
 
 "..\..\..\Build\Debug\named-checkzone.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
     $(LINK32) @<<
   $(LINK32_FLAGS) $(LINK32_OBJS)
 <<
+    $(_VC_MANIFEST_EMBED_EXE)
 
 !ENDIF 
 
@@ -303,3 +384,21 @@ SOURCE="..\named-checkzone.c"
 
 !ENDIF 
 
+####################################################
+# Commands to generate initial empty manifest file and the RC file
+# that references it, and for generating the .res file:
+
+$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc
+
+$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest
+    type <<$@
+#include <winuser.h>
+1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"
+<< KEEP
+
+$(_VC_MANIFEST_BASENAME).auto.manifest :
+    type <<$@
+<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
+<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
+</assembly>
+<< KEEP

bin/dig/Makefile.in

@@ -1,4 +1,4 @@
-# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.25.12.12 2004/08/18 23:25:57 marka Exp $
+# $Id: Makefile.in,v 1.39 2005/09/09 14:11:37 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -45,7 +45,7 @@ DEPLIBS =	${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} ${ISCCFGDEPLIBS} \
 		${LWRESDEPLIBS}
 
 LIBS =		${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCLIBS} \
-		${ISCCFGLIBS} @LIBS@
+		${ISCCFGLIBS} @IDNLIBS@ @LIBS@
 
 SUBDIRS =
 

bin/dig/dig.1

@@ -1,390 +1,541 @@
-.\" Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000-2003  Internet Software Consortium.
-.\"
+.\" Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2003 Internet Software Consortium.
+.\" 
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
 .\" copyright notice and this permission notice appear in all copies.
-.\"
+.\" 
 .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dig.1,v 1.14.2.4.2.6 2004/06/23 09:11:01 marka Exp $
+.\" $Id: dig.1,v 1.45 2007/05/16 06:12:00 marka Exp $
 .\"
-.TH "DIG" "1" "Jun 30, 2000" "BIND9" ""
-.SH NAME
+.hy 0
+.ad l
+.\"     Title: dig
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\"      Date: Jun 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
+.TH "DIG" "1" "Jun 30, 2000" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
 dig \- DNS lookup utility
-.SH SYNOPSIS
-.sp
-\fBdig\fR [ \fB@server\fR ]  [ \fB-b \fIaddress\fB\fR ]  [ \fB-c \fIclass\fB\fR ]  [ \fB-f \fIfilename\fB\fR ]  [ \fB-k \fIfilename\fB\fR ]  [ \fB-p \fIport#\fB\fR ]  [ \fB-t \fItype\fB\fR ]  [ \fB-x \fIaddr\fB\fR ]  [ \fB-y \fIname:key\fB\fR ]  [ \fB-4\fR ]  [ \fB-6\fR ]  [ \fBname\fR ]  [ \fBtype\fR ]  [ \fBclass\fR ]  [ \fBqueryopt\fR\fI...\fR ] 
-.sp
-\fBdig\fR [ \fB-h\fR ] 
-.sp
-\fBdig\fR [ \fBglobal-queryopt\fR\fI...\fR ]  [ \fBquery\fR\fI...\fR ] 
+.SH "SYNOPSIS"
+.HP 4
+\fBdig\fR [@server] [\fB\-b\ \fR\fB\fIaddress\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIfilename\fR\fR] [\fB\-k\ \fR\fB\fIfilename\fR\fR] [\fB\-p\ \fR\fB\fIport#\fR\fR] [\fB\-q\ \fR\fB\fIname\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-x\ \fR\fB\fIaddr\fR\fR] [\fB\-y\ \fR\fB\fI[hmac:]\fR\fIname:key\fR\fR] [\fB\-4\fR] [\fB\-6\fR] [name] [type] [class] [queryopt...]
+.HP 4
+\fBdig\fR [\fB\-h\fR]
+.HP 4
+\fBdig\fR [global\-queryopt...] [query...]
 .SH "DESCRIPTION"
 .PP
-\fBdig\fR (domain information groper) is a flexible tool
-for interrogating DNS name servers. It performs DNS lookups and
-displays the answers that are returned from the name server(s) that
-were queried. Most DNS administrators use \fBdig\fR to
-troubleshoot DNS problems because of its flexibility, ease of use and
-clarity of output. Other lookup tools tend to have less functionality
-than \fBdig\fR.
+\fBdig\fR
+(domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried. Most DNS administrators use
+\fBdig\fR
+to troubleshoot DNS problems because of its flexibility, ease of use and clarity of output. Other lookup tools tend to have less functionality than
+\fBdig\fR.
 .PP
-Although \fBdig\fR is normally used with command-line
-arguments, it also has a batch mode of operation for reading lookup
-requests from a file. A brief summary of its command-line arguments
-and options is printed when the \fB-h\fR option is given.
-Unlike earlier versions, the BIND9 implementation of
-\fBdig\fR allows multiple lookups to be issued from the
-command line.
+Although
+\fBdig\fR
+is normally used with command\-line arguments, it also has a batch mode of operation for reading lookup requests from a file. A brief summary of its command\-line arguments and options is printed when the
+\fB\-h\fR
+option is given. Unlike earlier versions, the BIND 9 implementation of
+\fBdig\fR
+allows multiple lookups to be issued from the command line.
 .PP
 Unless it is told to query a specific name server,
-\fBdig\fR will try each of the servers listed in
+\fBdig\fR
+will try each of the servers listed in
 \fI/etc/resolv.conf\fR.
 .PP
-When no command line arguments or options are given, will perform an
-NS query for "." (the root).
+When no command line arguments or options are given, will perform an NS query for "." (the root).
 .PP
-It is possible to set per-user defaults for \fBdig\fR via
-\fI${HOME}/.digrc\fR. This file is read and any options in it
-are applied before the command line arguments.
+It is possible to set per\-user defaults for
+\fBdig\fR
+via
+\fI${HOME}/.digrc\fR. This file is read and any options in it are applied before the command line arguments.
+.PP
+The IN and CH class names overlap with the IN and CH top level domains names. Either use the
+\fB\-t\fR
+and
+\fB\-c\fR
+options to specify the type and class or use the
+\fB\-q\fR
+the specify the domain name or use "IN." and "CH." when looking up these top level domains.
 .SH "SIMPLE USAGE"
 .PP
-A typical invocation of \fBdig\fR looks like:
+A typical invocation of
+\fBdig\fR
+looks like:
 .sp
+.RS 4
 .nf
  dig @server name type 
-.sp
 .fi
+.RE
+.sp
 where:
-.TP
+.PP
 \fBserver\fR
-is the name or IP address of the name server to query. This can be an IPv4
-address in dotted-decimal notation or an IPv6
-address in colon-delimited notation. When the supplied
-\fIserver\fR argument is a hostname,
-\fBdig\fR resolves that name before querying that name
-server. If no \fIserver\fR argument is provided,
-\fBdig\fR consults \fI/etc/resolv.conf\fR
-and queries the name servers listed there. The reply from the name
-server that responds is displayed.
-.TP
+.RS 4
+is the name or IP address of the name server to query. This can be an IPv4 address in dotted\-decimal notation or an IPv6 address in colon\-delimited notation. When the supplied
+\fIserver\fR
+argument is a hostname,
+\fBdig\fR
+resolves that name before querying that name server. If no
+\fIserver\fR
+argument is provided,
+\fBdig\fR
+consults
+\fI/etc/resolv.conf\fR
+and queries the name servers listed there. The reply from the name server that responds is displayed.
+.RE
+.PP
 \fBname\fR
+.RS 4
 is the name of the resource record that is to be looked up.
-.TP
+.RE
+.PP
 \fBtype\fR
-indicates what type of query is required \(em
-ANY, A, MX, SIG, etc.
-\fItype\fR can be any valid query type. If no
-\fItype\fR argument is supplied,
-\fBdig\fR will perform a lookup for an A record.
+.RS 4
+indicates what type of query is required \(em ANY, A, MX, SIG, etc.
+\fItype\fR
+can be any valid query type. If no
+\fItype\fR
+argument is supplied,
+\fBdig\fR
+will perform a lookup for an A record.
+.RE
 .SH "OPTIONS"
 .PP
-The \fB-b\fR option sets the source IP address of the query
-to \fIaddress\fR. This must be a valid address on
-one of the host's network interfaces or "0.0.0.0" or "::". An optional port
-may be specified by appending "#<port>"
+The
+\fB\-b\fR
+option sets the source IP address of the query to
+\fIaddress\fR. This must be a valid address on one of the host's network interfaces or "0.0.0.0" or "::". An optional port may be specified by appending "#<port>"
 .PP
 The default query class (IN for internet) is overridden by the
-\fB-c\fR option. \fIclass\fR is any valid
-class, such as HS for Hesiod records or CH for CHAOSNET records.
+\fB\-c\fR
+option.
+\fIclass\fR
+is any valid class, such as HS for Hesiod records or CH for Chaosnet records.
 .PP
-The \fB-f\fR option makes \fBdig \fR operate
-in batch mode by reading a list of lookup requests to process from the
-file \fIfilename\fR. The file contains a number of
-queries, one per line. Each entry in the file should be organised in
-the same way they would be presented as queries to
-\fBdig\fR using the command-line interface.
+The
+\fB\-f\fR
+option makes
+\fBdig \fR
+operate in batch mode by reading a list of lookup requests to process from the file
+\fIfilename\fR. The file contains a number of queries, one per line. Each entry in the file should be organized in the same way they would be presented as queries to
+\fBdig\fR
+using the command\-line interface.
 .PP
-If a non-standard port number is to be queried, the
-\fB-p\fR option is used. \fIport#\fR is
-the port number that \fBdig\fR will send its queries
-instead of the standard DNS port number 53. This option would be used
-to test a name server that has been configured to listen for queries
-on a non-standard port number.
+If a non\-standard port number is to be queried, the
+\fB\-p\fR
+option is used.
+\fIport#\fR
+is the port number that
+\fBdig\fR
+will send its queries instead of the standard DNS port number 53. This option would be used to test a name server that has been configured to listen for queries on a non\-standard port number.
 .PP
-The \fB-4\fR option forces \fBdig\fR to only
-use IPv4 query transport. The \fB-6\fR option forces
-\fBdig\fR to only use IPv6 query transport.
+The
+\fB\-4\fR
+option forces
+\fBdig\fR
+to only use IPv4 query transport. The
+\fB\-6\fR
+option forces
+\fBdig\fR
+to only use IPv6 query transport.
 .PP
-The \fB-t\fR option sets the query type to
-\fItype\fR. It can be any valid query type which is
-supported in BIND9. The default query type "A", unless the
-\fB-x\fR option is supplied to indicate a reverse lookup.
-A zone transfer can be requested by specifying a type of AXFR. When
-an incremental zone transfer (IXFR) is required,
-\fItype\fR is set to ixfr=N.
-The incremental zone transfer will contain the changes made to the zone
-since the serial number in the zone's SOA record was
+The
+\fB\-t\fR
+option sets the query type to
+\fItype\fR. It can be any valid query type which is supported in BIND 9. The default query type is "A", unless the
+\fB\-x\fR
+option is supplied to indicate a reverse lookup. A zone transfer can be requested by specifying a type of AXFR. When an incremental zone transfer (IXFR) is required,
+\fItype\fR
+is set to
+ixfr=N. The incremental zone transfer will contain the changes made to the zone since the serial number in the zone's SOA record was
 \fIN\fR.
 .PP
-Reverse lookups - mapping addresses to names - are simplified by the
-\fB-x\fR option. \fIaddr\fR is an IPv4
-address in dotted-decimal notation, or a colon-delimited IPv6 address.
-When this option is used, there is no need to provide the
-\fIname\fR, \fIclass\fR and
-\fItype\fR arguments. \fBdig\fR
-automatically performs a lookup for a name like
-11.12.13.10.in-addr.arpa and sets the query type and
-class to PTR and IN respectively. By default, IPv6 addresses are
-looked up using nibble format under the IP6.ARPA domain.
-To use the older RFC1886 method using the IP6.INT domain 
-specify the \fB-i\fR option. Bit string labels (RFC2874)
-are now experimental and are not attempted.
+The
+\fB\-q\fR
+option sets the query name to
+\fIname\fR. This useful do distinguish the
+\fIname\fR
+from other arguments.
 .PP
-To sign the DNS queries sent by \fBdig\fR and their
-responses using transaction signatures (TSIG), specify a TSIG key file
-using the \fB-k\fR option. You can also specify the TSIG
-key itself on the command line using the \fB-y\fR option;
-\fIname\fR is the name of the TSIG key and
-\fIkey\fR is the actual key. The key is a base-64
-encoded string, typically generated by \fBdnssec-keygen\fR(8).
-Caution should be taken when using the \fB-y\fR option on
-multi-user systems as the key can be visible in the output from
-\fBps\fR(1) or in the shell's history file. When
-using TSIG authentication with \fBdig\fR, the name
-server that is queried needs to know the key and algorithm that is
-being used. In BIND, this is done by providing appropriate
-\fBkey\fR and \fBserver\fR statements in
+Reverse lookups \(em mapping addresses to names \(em are simplified by the
+\fB\-x\fR
+option.
+\fIaddr\fR
+is an IPv4 address in dotted\-decimal notation, or a colon\-delimited IPv6 address. When this option is used, there is no need to provide the
+\fIname\fR,
+\fIclass\fR
+and
+\fItype\fR
+arguments.
+\fBdig\fR
+automatically performs a lookup for a name like
+11.12.13.10.in\-addr.arpa
+and sets the query type and class to PTR and IN respectively. By default, IPv6 addresses are looked up using nibble format under the IP6.ARPA domain. To use the older RFC1886 method using the IP6.INT domain specify the
+\fB\-i\fR
+option. Bit string labels (RFC2874) are now experimental and are not attempted.
+.PP
+To sign the DNS queries sent by
+\fBdig\fR
+and their responses using transaction signatures (TSIG), specify a TSIG key file using the
+\fB\-k\fR
+option. You can also specify the TSIG key itself on the command line using the
+\fB\-y\fR
+option;
+\fIhmac\fR
+is the type of the TSIG, default HMAC\-MD5,
+\fIname\fR
+is the name of the TSIG key and
+\fIkey\fR
+is the actual key. The key is a base\-64 encoded string, typically generated by
+\fBdnssec\-keygen\fR(8). Caution should be taken when using the
+\fB\-y\fR
+option on multi\-user systems as the key can be visible in the output from
+\fBps\fR(1)
+or in the shell's history file. When using TSIG authentication with
+\fBdig\fR, the name server that is queried needs to know the key and algorithm that is being used. In BIND, this is done by providing appropriate
+\fBkey\fR
+and
+\fBserver\fR
+statements in
 \fInamed.conf\fR.
 .SH "QUERY OPTIONS"
 .PP
-\fBdig\fR provides a number of query options which affect
-the way in which lookups are made and the results displayed. Some of
-these set or reset flag bits in the query header, some determine which
-sections of the answer get printed, and others determine the timeout
-and retry strategies.
+\fBdig\fR
+provides a number of query options which affect the way in which lookups are made and the results displayed. Some of these set or reset flag bits in the query header, some determine which sections of the answer get printed, and others determine the timeout and retry strategies.
+.PP
+Each query option is identified by a keyword preceded by a plus sign (+). Some keywords set or reset an option. These may be preceded by the string
+no
+to negate the meaning of that keyword. Other keywords assign values to options like the timeout interval. They have the form
+\fB+keyword=value\fR. The query options are:
 .PP
-Each query option is identified by a keyword preceded by a plus sign
-(+). Some keywords set or reset an option. These may be preceded
-by the string no to negate the meaning of that keyword. Other
-keywords assign values to options like the timeout interval. They
-have the form \fB+keyword=value\fR.
-The query options are:
-.TP
 \fB+[no]tcp\fR
-Use [do not use] TCP when querying name servers. The default
-behaviour is to use UDP unless an AXFR or IXFR query is requested, in
-which case a TCP connection is used.
-.TP
+.RS 4
+Use [do not use] TCP when querying name servers. The default behavior is to use UDP unless an AXFR or IXFR query is requested, in which case a TCP connection is used.
+.RE
+.PP
 \fB+[no]vc\fR
-Use [do not use] TCP when querying name servers. This alternate
-syntax to \fI+[no]tcp\fR is provided for backwards
-compatibility. The "vc" stands for "virtual circuit".
-.TP
+.RS 4
+Use [do not use] TCP when querying name servers. This alternate syntax to
+\fI+[no]tcp\fR
+is provided for backwards compatibility. The "vc" stands for "virtual circuit".
+.RE
+.PP
 \fB+[no]ignore\fR
-Ignore truncation in UDP responses instead of retrying with TCP. By
-default, TCP retries are performed.
-.TP
+.RS 4
+Ignore truncation in UDP responses instead of retrying with TCP. By default, TCP retries are performed.
+.RE
+.PP
 \fB+domain=somename\fR
+.RS 4
 Set the search list to contain the single domain
 \fIsomename\fR, as if specified in a
-\fBdomain\fR directive in
-\fI/etc/resolv.conf\fR, and enable search list
-processing as if the \fI+search\fR option were given.
-.TP
+\fBdomain\fR
+directive in
+\fI/etc/resolv.conf\fR, and enable search list processing as if the
+\fI+search\fR
+option were given.
+.RE
+.PP
 \fB+[no]search\fR
-Use [do not use] the search list defined by the searchlist or domain
-directive in \fIresolv.conf\fR (if any).
-The search list is not used by default.
-.TP
+.RS 4
+Use [do not use] the search list defined by the searchlist or domain directive in
+\fIresolv.conf\fR
+(if any). The search list is not used by default.
+.RE
+.PP
+\fB+[no]showsearch\fR
+.RS 4
+Perform [do not perform] a search showing intermediate results.
+.RE
+.PP
 \fB+[no]defname\fR
-Deprecated, treated as a synonym for \fI+[no]search\fR
-.TP
+.RS 4
+Deprecated, treated as a synonym for
+\fI+[no]search\fR
+.RE
+.PP
 \fB+[no]aaonly\fR
+.RS 4
 Sets the "aa" flag in the query.
-.TP
+.RE
+.PP
 \fB+[no]aaflag\fR
-A synonym for \fI+[no]aaonly\fR.
-.TP
+.RS 4
+A synonym for
+\fI+[no]aaonly\fR.
+.RE
+.PP
 \fB+[no]adflag\fR
-Set [do not set] the AD (authentic data) bit in the query. The AD bit
-currently has a standard meaning only in responses, not in queries,
-but the ability to set the bit in the query is provided for
-completeness.
-.TP
+.RS 4
+Set [do not set] the AD (authentic data) bit in the query. The AD bit currently has a standard meaning only in responses, not in queries, but the ability to set the bit in the query is provided for completeness.
+.RE
+.PP
 \fB+[no]cdflag\fR
-Set [do not set] the CD (checking disabled) bit in the query. This
-requests the server to not perform DNSSEC validation of responses.
-.TP
+.RS 4
+Set [do not set] the CD (checking disabled) bit in the query. This requests the server to not perform DNSSEC validation of responses.
+.RE
+.PP
 \fB+[no]cl\fR
+.RS 4
 Display [do not display] the CLASS when printing the record.
-.TP
+.RE
+.PP
 \fB+[no]ttlid\fR
+.RS 4
 Display [do not display] the TTL when printing the record.
-.TP
+.RE
+.PP
 \fB+[no]recurse\fR
-Toggle the setting of the RD (recursion desired) bit in the query.
-This bit is set by default, which means \fBdig\fR
-normally sends recursive queries. Recursion is automatically disabled
-when the \fI+nssearch\fR or
-\fI+trace\fR query options are used.
-.TP
+.RS 4
+Toggle the setting of the RD (recursion desired) bit in the query. This bit is set by default, which means
+\fBdig\fR
+normally sends recursive queries. Recursion is automatically disabled when the
+\fI+nssearch\fR
+or
+\fI+trace\fR
+query options are used.
+.RE
+.PP
 \fB+[no]nssearch\fR
-When this option is set, \fBdig\fR attempts to find the
-authoritative name servers for the zone containing the name being
-looked up and display the SOA record that each name server has for the
-zone.
-.TP
+.RS 4
+When this option is set,
+\fBdig\fR
+attempts to find the authoritative name servers for the zone containing the name being looked up and display the SOA record that each name server has for the zone.
+.RE
+.PP
 \fB+[no]trace\fR
-Toggle tracing of the delegation path from the root name servers for
-the name being looked up. Tracing is disabled by default. When
-tracing is enabled, \fBdig\fR makes iterative queries to
-resolve the name being looked up. It will follow referrals from the
-root servers, showing the answer from each server that was used to
-resolve the lookup.
-.TP
+.RS 4
+Toggle tracing of the delegation path from the root name servers for the name being looked up. Tracing is disabled by default. When tracing is enabled,
+\fBdig\fR
+makes iterative queries to resolve the name being looked up. It will follow referrals from the root servers, showing the answer from each server that was used to resolve the lookup.
+.RE
+.PP
 \fB+[no]cmd\fR
-toggles the printing of the initial comment in the output identifying
-the version of \fBdig\fR and the query options that have
-been applied. This comment is printed by default.
-.TP
+.RS 4
+Toggles the printing of the initial comment in the output identifying the version of
+\fBdig\fR
+and the query options that have been applied. This comment is printed by default.
+.RE
+.PP
 \fB+[no]short\fR
-Provide a terse answer. The default is to print the answer in a
-verbose form.
-.TP
+.RS 4
+Provide a terse answer. The default is to print the answer in a verbose form.
+.RE
+.PP
 \fB+[no]identify\fR
-Show [or do not show] the IP address and port number that supplied the
-answer when the \fI+short\fR option is enabled. If
-short form answers are requested, the default is not to show the
-source address and port number of the server that provided the answer.
-.TP
+.RS 4
+Show [or do not show] the IP address and port number that supplied the answer when the
+\fI+short\fR
+option is enabled. If short form answers are requested, the default is not to show the source address and port number of the server that provided the answer.
+.RE
+.PP
 \fB+[no]comments\fR
-Toggle the display of comment lines in the output. The default is to
-print comments.
-.TP
+.RS 4
+Toggle the display of comment lines in the output. The default is to print comments.
+.RE
+.PP
 \fB+[no]stats\fR
-This query option toggles the printing of statistics: when the query
-was made, the size of the reply and so on. The default behaviour is
-to print the query statistics.
-.TP
+.RS 4
+This query option toggles the printing of statistics: when the query was made, the size of the reply and so on. The default behavior is to print the query statistics.
+.RE
+.PP
 \fB+[no]qr\fR
-Print [do not print] the query as it is sent.
-By default, the query is not printed.
-.TP
+.RS 4
+Print [do not print] the query as it is sent. By default, the query is not printed.
+.RE
+.PP
 \fB+[no]question\fR
-Print [do not print] the question section of a query when an answer is
-returned. The default is to print the question section as a comment.
-.TP
+.RS 4
+Print [do not print] the question section of a query when an answer is returned. The default is to print the question section as a comment.
+.RE
+.PP
 \fB+[no]answer\fR
-Display [do not display] the answer section of a reply. The default
-is to display it.
-.TP
+.RS 4
+Display [do not display] the answer section of a reply. The default is to display it.
+.RE
+.PP
 \fB+[no]authority\fR
-Display [do not display] the authority section of a reply. The
-default is to display it.
-.TP
+.RS 4
+Display [do not display] the authority section of a reply. The default is to display it.
+.RE
+.PP
 \fB+[no]additional\fR
-Display [do not display] the additional section of a reply.
-The default is to display it.
-.TP
+.RS 4
+Display [do not display] the additional section of a reply. The default is to display it.
+.RE
+.PP
 \fB+[no]all\fR
+.RS 4
 Set or clear all display flags.
-.TP
+.RE
+.PP
 \fB+time=T\fR
+.RS 4
 Sets the timeout for a query to
-\fIT\fR seconds. The default time out is 5 seconds.
-An attempt to set \fIT\fR to less than 1 will result
-in a query timeout of 1 second being applied.
-.TP
+\fIT\fR
+seconds. The default timeout is 5 seconds. An attempt to set
+\fIT\fR
+to less than 1 will result in a query timeout of 1 second being applied.
+.RE
+.PP
 \fB+tries=T\fR
+.RS 4
 Sets the number of times to try UDP queries to server to
-\fIT\fR instead of the default, 3. If
-\fIT\fR is less than or equal to zero, the number of
-tries is silently rounded up to 1.
-.TP
+\fIT\fR
+instead of the default, 3. If
+\fIT\fR
+is less than or equal to zero, the number of tries is silently rounded up to 1.
+.RE
+.PP
 \fB+retry=T\fR
+.RS 4
 Sets the number of times to retry UDP queries to server to
-\fIT\fR instead of the default, 2. Unlike
-\fI+tries\fR, this does not include the initial
-query.
-.TP
+\fIT\fR
+instead of the default, 2. Unlike
+\fI+tries\fR, this does not include the initial query.
+.RE
+.PP
 \fB+ndots=D\fR
+.RS 4
 Set the number of dots that have to appear in
-\fIname\fR to \fID\fR for it to be
-considered absolute. The default value is that defined using the
-ndots statement in \fI/etc/resolv.conf\fR, or 1 if no
-ndots statement is present. Names with fewer dots are interpreted as
-relative names and will be searched for in the domains listed in the
-\fBsearch\fR or \fBdomain\fR directive in
+\fIname\fR
+to
+\fID\fR
+for it to be considered absolute. The default value is that defined using the ndots statement in
+\fI/etc/resolv.conf\fR, or 1 if no ndots statement is present. Names with fewer dots are interpreted as relative names and will be searched for in the domains listed in the
+\fBsearch\fR
+or
+\fBdomain\fR
+directive in
 \fI/etc/resolv.conf\fR.
-.TP
+.RE
+.PP
 \fB+bufsize=B\fR
+.RS 4
 Set the UDP message buffer size advertised using EDNS0 to
-\fIB\fR bytes. The maximum and minimum sizes of this
-buffer are 65535 and 0 respectively. Values outside this range are
-rounded up or down appropriately.
-.TP
+\fIB\fR
+bytes. The maximum and minimum sizes of this buffer are 65535 and 0 respectively. Values outside this range are rounded up or down appropriately. Values other than zero will cause a EDNS query to be sent.
+.RE
+.PP
+\fB+edns=#\fR
+.RS 4
+Specify the EDNS version to query with. Valid values are 0 to 255. Setting the EDNS version will cause a EDNS query to be sent.
+\fB+noedns\fR
+clears the remembered EDNS version.
+.RE
+.PP
 \fB+[no]multiline\fR
-Print records like the SOA records in a verbose multi-line
-format with human-readable comments. The default is to print
-each record on a single line, to facilitate machine parsing 
-of the \fBdig\fR output.
-.TP
+.RS 4
+Print records like the SOA records in a verbose multi\-line format with human\-readable comments. The default is to print each record on a single line, to facilitate machine parsing of the
+\fBdig\fR
+output.
+.RE
+.PP
 \fB+[no]fail\fR
-Do not try the next server if you receive a SERVFAIL. The default is
-to not try the next server which is the reverse of normal stub resolver
-behaviour.
-.TP
+.RS 4
+Do not try the next server if you receive a SERVFAIL. The default is to not try the next server which is the reverse of normal stub resolver behavior.
+.RE
+.PP
 \fB+[no]besteffort\fR
-Attempt to display the contents of messages which are malformed.
-The default is to not display malformed answers.
-.TP
+.RS 4
+Attempt to display the contents of messages which are malformed. The default is to not display malformed answers.
+.RE
+.PP
 \fB+[no]dnssec\fR
-Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO)
-in the OPT record in the additional section of the query.
-.TP
+.RS 4
+Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO) in the OPT record in the additional section of the query.
+.RE
+.PP
 \fB+[no]sigchase\fR
-Chase DNSSEC signature chains. Requires dig be compiled with
--DDIG_SIGCHASE.
-.TP
-\fB+trusted-key=####\fR
-Specify a trusted key to be used with \fB+sigchase\fR.
-Requires dig be compiled with -DDIG_SIGCHASE.
-.TP
+.RS 4
+Chase DNSSEC signature chains. Requires dig be compiled with \-DDIG_SIGCHASE.
+.RE
+.PP
+\fB+trusted\-key=####\fR
+.RS 4
+Specifies a file containing trusted keys to be used with
+\fB+sigchase\fR. Each DNSKEY record must be on its own line.
+.sp
+If not specified
+\fBdig\fR
+will look for
+\fI/etc/trusted\-key.key\fR
+then
+\fItrusted\-key.key\fR
+in the current directory.
+.sp
+Requires dig be compiled with \-DDIG_SIGCHASE.
+.RE
+.PP
 \fB+[no]topdown\fR
-When chasing DNSSEC signature chains perform a top down validation.
-Requires dig be compiled with -DDIG_SIGCHASE.
+.RS 4
+When chasing DNSSEC signature chains perform a top\-down validation. Requires dig be compiled with \-DDIG_SIGCHASE.
+.RE
 .SH "MULTIPLE QUERIES"
 .PP
-The BIND 9 implementation of \fBdig \fR supports
-specifying multiple queries on the command line (in addition to
-supporting the \fB-f\fR batch file option). Each of those
-queries can be supplied with its own set of flags, options and query
-options.
+The BIND 9 implementation of
+\fBdig \fR
+supports specifying multiple queries on the command line (in addition to supporting the
+\fB\-f\fR
+batch file option). Each of those queries can be supplied with its own set of flags, options and query options.
 .PP
-In this case, each \fIquery\fR argument represent an
-individual query in the command-line syntax described above. Each
-consists of any of the standard options and flags, the name to be
-looked up, an optional query type and class and any query options that
-should be applied to that query.
+In this case, each
+\fIquery\fR
+argument represent an individual query in the command\-line syntax described above. Each consists of any of the standard options and flags, the name to be looked up, an optional query type and class and any query options that should be applied to that query.
 .PP
-A global set of query options, which should be applied to all queries,
-can also be supplied. These global query options must precede the
-first tuple of name, class, type, options, flags, and query options
-supplied on the command line. Any global query options (except
-the \fB+[no]cmd\fR option) can be
-overridden by a query-specific set of query options. For example:
+A global set of query options, which should be applied to all queries, can also be supplied. These global query options must precede the first tuple of name, class, type, options, flags, and query options supplied on the command line. Any global query options (except the
+\fB+[no]cmd\fR
+option) can be overridden by a query\-specific set of query options. For example:
 .sp
+.RS 4
 .nf
-dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-.sp
+dig +qr www.isc.org any \-x 127.0.0.1 isc.org ns +noqr
 .fi
-shows how \fBdig\fR could be used from the command line
-to make three lookups: an ANY query for www.isc.org, a
-reverse lookup of 127.0.0.1 and a query for the NS records of
-isc.org.
-A global query option of \fI+qr\fR is applied, so
-that \fBdig\fR shows the initial query it made for each
-lookup. The final query has a local query option of
-\fI+noqr\fR which means that \fBdig\fR
+.RE
+.sp
+shows how
+\fBdig\fR
+could be used from the command line to make three lookups: an ANY query for
+www.isc.org, a reverse lookup of 127.0.0.1 and a query for the NS records of
+isc.org. A global query option of
+\fI+qr\fR
+is applied, so that
+\fBdig\fR
+shows the initial query it made for each lookup. The final query has a local query option of
+\fI+noqr\fR
+which means that
+\fBdig\fR
 will not print the initial query when it looks up the NS records for
 isc.org.
+.SH "IDN SUPPORT"
+.PP
+If
+\fBdig\fR
+has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names.
+\fBdig\fR
+appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server. If you'd like to turn off the IDN support for some reason, defines the
+\fBIDN_DISABLE\fR
+environment variable. The IDN support is disabled if the variable is set when
+\fBdig\fR
+runs.
 .SH "FILES"
 .PP
 \fI/etc/resolv.conf\fR
@@ -394,8 +545,13 @@ isc.org.
 .PP
 \fBhost\fR(1),
 \fBnamed\fR(8),
-\fBdnssec-keygen\fR(8),
-\fIRFC1035\fR.
+\fBdnssec\-keygen\fR(8),
+RFC1035.
 .SH "BUGS"
 .PP
-There are probably too many query options. 
+There are probably too many query options.
+.SH "COPYRIGHT"
+Copyright \(co 2004\-2007 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2000\-2003 Internet Software Consortium.
+.br

bin/dig/dig.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dig.c,v 1.157.2.13.2.25 2004/09/16 02:14:14 marka Exp $ */
+/* $Id: dig.c,v 1.216 2007/04/03 23:06:39 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 #include <stdlib.h>
@@ -40,15 +42,12 @@
 #include <dns/rdatatype.h>
 #include <dns/rdataclass.h>
 #include <dns/result.h>
+#include <dns/tsig.h>
 
 #include <bind9/getaddresses.h>
 
 #include <dig/dig.h>
 
-extern ISC_LIST(dig_lookup_t) lookup_list;
-extern dig_serverlist_t server_list;
-extern ISC_LIST(dig_searchlist_t) search_list;
-
 #define ADD_STRING(b, s) { 				\
 	if (strlen(s) >= isc_buffer_availablelength(b)) \
  		return (ISC_R_NOSPACE); 		\
@@ -58,31 +57,8 @@ extern ISC_LIST(dig_searchlist_t) search_list;
 
 #define DIG_MAX_ADDRESSES 20
 
-extern isc_boolean_t have_ipv4, have_ipv6, specified_source,
-	usesearch, qr;
-extern in_port_t port;
-extern unsigned int timeout;
-extern isc_mem_t *mctx;
-extern dns_messageid_t id;
-extern int sendcount;
-extern int ndots;
-extern int lookup_counter;
-extern int exitcode;
-extern isc_sockaddr_t bind_address;
-extern char keynametext[MXNAME];
-extern char keyfile[MXNAME];
-extern char keysecret[MXNAME];
-#ifdef DIG_SIGCHASE
-extern char trustedkey[MXNAME];
-#endif
-extern dns_tsigkey_t *key;
-extern isc_boolean_t validated;
-extern isc_taskmgr_t *taskmgr;
-extern isc_task_t *global_task;
-extern isc_boolean_t free_now;
 dig_lookup_t *default_lookup = NULL;
 
-extern isc_boolean_t debugging, memdebugging;
 static char *batchname = NULL;
 static FILE *batchfp = NULL;
 static char *argv0;
@@ -94,6 +70,7 @@ static isc_boolean_t short_form = ISC_FALSE, printcmd = ISC_TRUE,
 	ip6_int = ISC_FALSE, plusquest = ISC_FALSE, pluscomm = ISC_FALSE,
 	multiline = ISC_FALSE, nottl = ISC_FALSE, noclass = ISC_FALSE;
 
+/*% opcode text */
 static const char *opcodetext[] = {
 	"QUERY",
 	"IQUERY",
@@ -113,6 +90,7 @@ static const char *opcodetext[] = {
 	"RESERVED15"
 };
 
+/*% return code text */
 static const char *rcodetext[] = {
 	"NOERROR",
 	"FORMERR",
@@ -133,8 +111,7 @@ static const char *rcodetext[] = {
 	"BADVERS"
 };
 
-extern char *progname;
-
+/*% print usage */
 static void
 print_usage(FILE *fp) {
 	fputs(
@@ -151,11 +128,13 @@ usage(void) {
 	exit(1);
 }
 
+/*% version */
 static void
 version(void) {
 	fputs("DiG " VERSION "\n", stderr);
 }
 
+/*% help */
 static void
 help(void) {
 	print_usage(stdout);
@@ -170,10 +149,11 @@ help(void) {
 "                 -f filename         (batch mode)\n"
 "                 -b address[#port]   (bind to source address/port)\n"
 "                 -p port             (specify port number)\n"
+"                 -q name             (specify query name)\n"
 "                 -t type             (specify query type)\n"
 "                 -c class            (specify query class)\n"
 "                 -k keyfile          (specify tsig key file)\n"
-"                 -y name:key         (specify named base64 tsig key)\n"
+"                 -y [hmac:]name:key  (specify named base64 tsig key)\n"
 "                 -4                  (use IPv4 query transport only)\n"
 "                 -6                  (use IPv6 query transport only)\n"
 "        d-opt    is of the form +keyword[=value], where keyword is:\n"
@@ -185,7 +165,9 @@ help(void) {
 "                 +domain=###         (Set default domainname)\n"
 "                 +bufsize=###        (Set EDNS0 Max UDP packet size)\n"
 "                 +ndots=###          (Set NDOTS value)\n"
+"                 +edns=###           (Set EDNS version)\n"
 "                 +[no]search         (Set whether to use searchlist)\n"
+"                 +[no]showsearch     (Search with intermediate results)\n"
 "                 +[no]defname        (Ditto)\n"
 "                 +[no]recurse        (Recursive mode)\n"
 "                 +[no]ignore         (Don't revert to TCP for TC responses.)"
@@ -227,7 +209,7 @@ help(void) {
 	stdout);
 }
 
-/*
+/*%
  * Callback from dighost.c to print the received message.
  */
 void
@@ -248,10 +230,12 @@ received(int bytes, isc_sockaddr_t *from, dig_query_t *query) {
 		time(&tnow);
 		printf(";; WHEN: %s", ctime(&tnow));
 		if (query->lookup->doing_xfr) {
-			printf(";; XFR size: %u records (messages %u)\n",
-			       query->rr_count, query->msg_count);
+			printf(";; XFR size: %u records (messages %u, "
+			       "bytes %" ISC_PRINT_QUADFORMAT "u)\n",
+			       query->rr_count, query->msg_count,
+			       query->byte_count);
 		} else {
-			printf(";; MSG SIZE  rcvd: %d\n", bytes);
+			printf(";; MSG SIZE  rcvd: %u\n", bytes);
 
 		}
 		if (key != NULL) {
@@ -265,8 +249,11 @@ received(int bytes, isc_sockaddr_t *from, dig_query_t *query) {
 		puts("");
 	} else if (query->lookup->identify && !short_form) {
 		diff = isc_time_microdiff(&now, &query->time_sent);
-		printf(";; Received %u bytes from %s(%s) in %d ms\n\n",
-		       bytes, fromtext, query->servname,
+		printf(";; Received %" ISC_PRINT_QUADFORMAT "u bytes "
+		       "from %s(%s) in %d ms\n\n",
+		       query->lookup->doing_xfr ?
+				query->byte_count : (isc_uint64_t)bytes,
+		       fromtext, query->servname,
 		       (int)diff/1000);
 	}
 }
@@ -282,7 +269,7 @@ trying(char *frm, dig_lookup_t *lookup) {
 	UNUSED(lookup);
 }
 
-/*
+/*%
  * Internal print routine used to print short form replies.
  */
 static isc_result_t
@@ -312,7 +299,7 @@ say_message(dns_rdata_t *rdata, dig_query_t *query, isc_buffer_t *buf) {
 	return (ISC_R_SUCCESS);
 }
 
-/*
+/*%
  * short_form message print handler.  Calls above say_message()
  */
 static isc_result_t
@@ -504,7 +491,16 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 			       msg->counts[DNS_SECTION_ANSWER],
 			       msg->counts[DNS_SECTION_AUTHORITY],
 			       msg->counts[DNS_SECTION_ADDITIONAL]);
+
+			if (msg != query->lookup->sendmsg &&
+			    (msg->flags & DNS_MESSAGEFLAG_RD) != 0 &&
+			    (msg->flags & DNS_MESSAGEFLAG_RA) == 0)
+				printf(";; WARNING: recursion requested "
+				       "but not available\n");
 		}
+		if (msg != query->lookup->sendmsg && extrabytes != 0U)
+			printf(";; WARNING: Messages has %u extra byte%s at "
+			       "end\n", extrabytes, extrabytes != 0 ? "s" : "");
 	}
 
 repopulate_buffer:
@@ -593,6 +589,7 @@ buftoosmall:
 			}
 		}
 	}
+
 	if (headers && query->lookup->comments && !short_form)
 		printf("\n");
 
@@ -606,7 +603,7 @@ cleanup:
 	return (result);
 }
 
-/*
+/*%
  * print the greeting message when the program first starts up.
  */
 static void
@@ -653,42 +650,6 @@ printgreeting(int argc, char **argv, dig_lookup_t *lookup) {
 	}
 }
 
-/*
- * Reorder an argument list so that server names all come at the end.
- * This is a bit of a hack, to allow batch-mode processing to properly
- * handle the server options.
- */
-static void
-reorder_args(int argc, char *argv[]) {
-	int i, j;
-	char *ptr;
-	int end;
-
-	debug("reorder_args()");
-	end = argc - 1;
-	while (argv[end][0] == '@') {
-		end--;
-		if (end == 0)
-			return;
-	}
-	debug("arg[end]=%s", argv[end]);
-	for (i = 1; i < end - 1; i++) {
-		if (argv[i][0] == '@') {
-			debug("arg[%d]=%s", i, argv[i]);
-			ptr = argv[i];
-			for (j = i + 1; j < end; j++) {
-				debug("Moving %s to %d", argv[j], j - 1);
-				argv[j - 1] = argv[j];
-			}
-			debug("moving %s to end, %d", ptr, end - 1);
-			argv[end - 1] = ptr;
-			end--;
-			if (end < 1)
-				return;
-		}
-	}
-}
-
 static isc_uint32_t
 parse_uint(char *arg, const char *desc, isc_uint32_t max) {
 	isc_result_t result;
@@ -702,7 +663,7 @@ parse_uint(char *arg, const char *desc, isc_uint32_t max) {
 	return (tmp);
 }
 
-/*
+/*%
  * We're not using isc_commandline_parse() here since the command line
  * syntax of dig is quite a bit different from that which can be described
  * by that routine.
@@ -818,7 +779,7 @@ plus_option(char *option, isc_boolean_t is_batchfile,
 			break;
 		case 'l': /* cl */
 			FULLCHECK("cl");
-			noclass = !state;
+			noclass = ISC_TF(!state);
 			break;
 		case 'm': /* cmd */
 			FULLCHECK("cmd");
@@ -842,6 +803,8 @@ plus_option(char *option, isc_boolean_t is_batchfile,
 			break;
 		case 'n': /* dnssec */	
 			FULLCHECK("dnssec");
+			if (state && lookup->edns == -1)
+				lookup->edns = 0;
 			lookup->dnssec = state;
 			break;
 		case 'o': /* domain */	
@@ -857,6 +820,16 @@ plus_option(char *option, isc_boolean_t is_batchfile,
 			goto invalid_option;
 		}
 		break;
+	case 'e':
+		FULLCHECK("edns");
+		if (!state) {
+			lookup->edns = -1;
+			break;
+		}
+		if (value == NULL)
+			goto need_value;
+		lookup->edns = (isc_int16_t) parse_uint(value, "edns", 255);
+		break;
 	case 'f': /* fail */
 		FULLCHECK("fail");
 		lookup->servfail_stops = state;
@@ -892,7 +865,7 @@ plus_option(char *option, isc_boolean_t is_batchfile,
 			lookup->ns_search_only = state;
 			if (state) {
 				lookup->trace_root = ISC_TRUE;
-				lookup->recurse = ISC_FALSE;
+				lookup->recurse = ISC_TRUE;
 				lookup->identify = ISC_TRUE;
 				lookup->stats = ISC_FALSE;
 				lookup->comments = ISC_FALSE;
@@ -956,17 +929,30 @@ plus_option(char *option, isc_boolean_t is_batchfile,
 			FULLCHECK("search");
 			usesearch = state;
 			break;
-		case 'h': /* short */
-			FULLCHECK("short");
-			short_form = state;
-			if (state) {
-				printcmd = ISC_FALSE;
-				lookup->section_additional = ISC_FALSE;
-				lookup->section_answer = ISC_TRUE;
-				lookup->section_authority = ISC_FALSE;
-				lookup->section_question = ISC_FALSE;
-				lookup->comments = ISC_FALSE;
-				lookup->stats = ISC_FALSE;
+		case 'h':
+			if (cmd[2] != 'o')
+				goto invalid_option;
+			switch (cmd[3]) {
+			case 'r': /* short */
+				FULLCHECK("short");
+				short_form = state;
+				if (state) {
+					printcmd = ISC_FALSE;
+					lookup->section_additional = ISC_FALSE;
+					lookup->section_answer = ISC_TRUE;
+					lookup->section_authority = ISC_FALSE;
+					lookup->section_question = ISC_FALSE;
+					lookup->comments = ISC_FALSE;
+					lookup->stats = ISC_FALSE;
+				}
+				break;
+			case 'w': /* showsearch */
+				FULLCHECK("showsearch");
+				showsearch = state;
+				usesearch = state;
+				break;
+			default:
+				goto invalid_option;
 			}
 			break;
 #ifdef DIG_SIGCHASE
@@ -1054,7 +1040,7 @@ plus_option(char *option, isc_boolean_t is_batchfile,
 			break;
 		case 't': /* ttlid */
 			FULLCHECK("ttlid");
-			nottl = !state;
+			nottl = ISC_TF(!state);
 			break;
 		default:
 			goto invalid_option;
@@ -1075,16 +1061,18 @@ plus_option(char *option, isc_boolean_t is_batchfile,
 	return;
 }
 
-/*
- * ISC_TRUE returned if value was used
+/*%
+ * #ISC_TRUE returned if value was used
  */
 static const char *single_dash_opts = "46dhimnv";
 static const char *dash_opts = "46bcdfhikmnptvyx";
 static isc_boolean_t
 dash_option(char *option, char *next, dig_lookup_t **lookup,
-	    isc_boolean_t *open_type_class)
+	    isc_boolean_t *open_type_class, isc_boolean_t *need_clone,
+	    isc_boolean_t config_only, int argc, char **argv,
+	    isc_boolean_t *firstarg)
 {
-	char opt, *value, *ptr;
+	char opt, *value, *ptr, *ptr2, *ptr3;
 	isc_result_t result;
 	isc_boolean_t value_from_next;
 	isc_textregion_t tr;
@@ -1217,6 +1205,26 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 	case 'p':
 		port = (in_port_t) parse_uint(value, "port number", MAXPORT);
 		return (value_from_next);
+	case 'q':
+		if (!config_only) {
+			if (*need_clone)
+				(*lookup) = clone_lookup(default_lookup,
+							 ISC_TRUE);
+			*need_clone = ISC_TRUE;
+			strncpy((*lookup)->textname, value, 
+				sizeof((*lookup)->textname));
+			(*lookup)->textname[sizeof((*lookup)->textname)-1]=0;
+			(*lookup)->trace_root = ISC_TF((*lookup)->trace  ||
+						     (*lookup)->ns_search_only);
+			(*lookup)->new_search = ISC_TRUE;
+			if (*firstarg) {
+				printgreeting(argc, argv, *lookup);
+				*firstarg = ISC_FALSE;
+			}
+			ISC_LIST_APPEND(lookup_list, (*lookup), link);
+			debug("looking up %s", (*lookup)->textname);
+		}
+		return (value_from_next);
 	case 't':
 		*open_type_class = ISC_FALSE;
 		if (strncasecmp(value, "ixfr=", 5) == 0) {
@@ -1260,20 +1268,89 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 				 value);
 		return (value_from_next);
 	case 'y':
-		ptr = next_token(&value,":");
+		ptr = next_token(&value,":");	/* hmac type or name */
 		if (ptr == NULL) {
 			usage();
 		}
+		ptr2 = next_token(&value, ":");	/* name or secret */
+		if (ptr2 == NULL)
+			usage();
+		ptr3 = next_token(&value,":"); /* secret or NULL */
+		if (ptr3 != NULL) {	
+			if (strcasecmp(ptr, "hmac-md5") == 0) {
+				hmacname = DNS_TSIG_HMACMD5_NAME;
+				digestbits = 0;
+			} else if (strncasecmp(ptr, "hmac-md5-", 9) == 0) {
+				hmacname = DNS_TSIG_HMACMD5_NAME;
+				digestbits = parse_uint(&ptr[9],
+							"digest-bits [0..128]",
+							128);
+				digestbits = (digestbits + 7) & ~0x7U;
+			} else if (strcasecmp(ptr, "hmac-sha1") == 0) {
+				hmacname = DNS_TSIG_HMACSHA1_NAME;
+				digestbits = 0;
+			} else if (strncasecmp(ptr, "hmac-sha1-", 10) == 0) {
+				hmacname = DNS_TSIG_HMACSHA1_NAME;
+				digestbits = parse_uint(&ptr[10],
+							"digest-bits [0..160]",
+							160);
+				digestbits = (digestbits + 7) & ~0x7U;
+			} else if (strcasecmp(ptr, "hmac-sha224") == 0) {
+				hmacname = DNS_TSIG_HMACSHA224_NAME;
+				digestbits = 0;
+			} else if (strncasecmp(ptr, "hmac-sha224-", 12) == 0) {
+				hmacname = DNS_TSIG_HMACSHA224_NAME;
+				digestbits = parse_uint(&ptr[12],
+							"digest-bits [0..224]",
+							224);
+				digestbits = (digestbits + 7) & ~0x7U;
+			} else if (strcasecmp(ptr, "hmac-sha256") == 0) {
+				hmacname = DNS_TSIG_HMACSHA256_NAME;
+				digestbits = 0;
+			} else if (strncasecmp(ptr, "hmac-sha256-", 12) == 0) {
+				hmacname = DNS_TSIG_HMACSHA256_NAME;
+				digestbits = parse_uint(&ptr[12],
+							"digest-bits [0..256]",
+							256);
+				digestbits = (digestbits + 7) & ~0x7U;
+			} else if (strcasecmp(ptr, "hmac-sha384") == 0) {
+				hmacname = DNS_TSIG_HMACSHA384_NAME;
+				digestbits = 0;
+			} else if (strncasecmp(ptr, "hmac-sha384-", 12) == 0) {
+				hmacname = DNS_TSIG_HMACSHA384_NAME;
+				digestbits = parse_uint(&ptr[12],
+							"digest-bits [0..384]",
+							384);
+				digestbits = (digestbits + 7) & ~0x7U;
+			} else if (strcasecmp(ptr, "hmac-sha512") == 0) {
+				hmacname = DNS_TSIG_HMACSHA512_NAME;
+				digestbits = 0;
+			} else if (strncasecmp(ptr, "hmac-sha512-", 12) == 0) {
+				hmacname = DNS_TSIG_HMACSHA512_NAME;
+				digestbits = parse_uint(&ptr[12],
+							"digest-bits [0..512]",
+							512);
+				digestbits = (digestbits + 7) & ~0x7U;
+			} else {
+				fprintf(stderr, ";; Warning, ignoring "
+					"invalid TSIG algorithm %s\n", ptr);
+				return (value_from_next);
+			}
+			ptr = ptr2;
+			ptr2 = ptr3;
+		} else  {
+			hmacname = DNS_TSIG_HMACMD5_NAME;
+			digestbits = 0;
+		}
 		strncpy(keynametext, ptr, sizeof(keynametext));
 		keynametext[sizeof(keynametext)-1]=0;
-		ptr = next_token(&value, "");
-		if (ptr == NULL)
-			usage();
-		strncpy(keysecret, ptr, sizeof(keysecret));
+		strncpy(keysecret, ptr2, sizeof(keysecret));
 		keysecret[sizeof(keysecret)-1]=0;
 		return (value_from_next);
 	case 'x':
-		*lookup = clone_lookup(default_lookup, ISC_TRUE);
+		if (*need_clone)
+			*lookup = clone_lookup(default_lookup, ISC_TRUE);
+		*need_clone = ISC_TRUE;
 		if (get_reverse(textname, sizeof(textname), value,
 				ip6_int, ISC_FALSE) == ISC_R_SUCCESS) {
 			strncpy((*lookup)->textname, textname,
@@ -1287,6 +1364,10 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 			if (!(*lookup)->rdclassset)
 				(*lookup)->rdclass = dns_rdataclass_in;
 			(*lookup)->new_search = ISC_TRUE;
+			if (*firstarg) {
+				printgreeting(argc, argv, *lookup);
+				*firstarg = ISC_FALSE;
+			}
 			ISC_LIST_APPEND(lookup_list, *lookup, link);
 		} else {
 			fprintf(stderr, "Invalid IP address %s\n", value);
@@ -1301,10 +1382,11 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 	return (ISC_FALSE);
 }
 
-/*
+/*%
  * Because we may be trying to do memory allocation recording, we're going
  * to need to parse the arguments for the -m *before* we start the main
  * argument parsing routine.
+ *
  * I'd prefer not to have to do this, but I am not quite sure how else to
  * fix the problem.  Argument parsing in dig involves memory allocation
  * by its nature, so it can't be done in the main argument parser.
@@ -1377,6 +1459,8 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
 	char rcfile[256];
 #endif
 	char *input;
+	int i;
+	isc_boolean_t need_clone = ISC_TRUE;
 
 	/*
 	 * The semantics for parsing the args is a bit complex; if
@@ -1424,7 +1508,9 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
 				bargv[0] = argv[0];
 				argv0 = argv[0];
 
-				reorder_args(bargc, (char **)bargv);
+				for(i = 0; i < bargc; i++)
+					debug(".digrc argv %d: %s",
+					      i, bargv[i]);
 				parse_args(ISC_TRUE, ISC_TRUE, bargc,
 					   (char **)bargv);
 			}
@@ -1433,7 +1519,12 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
 #endif
 	}
 
-	lookup = default_lookup;
+	if (is_batchfile && !config_only) {
+		/* Processing '-f batchfile'. */
+		lookup = clone_lookup(default_lookup, ISC_TRUE);
+		need_clone = ISC_FALSE;
+	} else
+		lookup = default_lookup;
 
 	rc = argc;
 	rv = argv;
@@ -1449,13 +1540,17 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
 		} else if (rv[0][0] == '-') {
 			if (rc <= 1) {
 				if (dash_option(&rv[0][1], NULL,
-						&lookup, &open_type_class)) {
+						&lookup, &open_type_class,
+						&need_clone, config_only,
+						argc, argv, &firstarg)) {
 					rc--;
 					rv++;
 				}
 			} else {
 				if (dash_option(&rv[0][1], rv[1],
-						&lookup, &open_type_class)) {
+						&lookup, &open_type_class,
+						&need_clone, config_only,
+						argc, argv, &firstarg)) {
 					rc--;
 					rv++;
 				}
@@ -1465,7 +1560,7 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
 			 * Anything which isn't an option
 			 */
 			if (open_type_class) {
-				if (strncmp(rv[0], "ixfr=", 5) == 0) {
+				if (strncasecmp(rv[0], "ixfr=", 5) == 0) {
 					rdtype = dns_rdatatype_ixfr;
 					result = ISC_R_SUCCESS;
 				} else {
@@ -1523,21 +1618,29 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
 					continue;
 				}
 			}
+
 			if (!config_only) {
-				lookup = clone_lookup(default_lookup,
-						      ISC_TRUE);
+				if (need_clone)
+					lookup = clone_lookup(default_lookup,
+								      ISC_TRUE);
+				need_clone = ISC_TRUE;
 				strncpy(lookup->textname, rv[0], 
 					sizeof(lookup->textname));
 				lookup->textname[sizeof(lookup->textname)-1]=0;
 				lookup->trace_root = ISC_TF(lookup->trace  ||
 						     lookup->ns_search_only);
 				lookup->new_search = ISC_TRUE;
+				if (firstarg) {
+					printgreeting(argc, argv, lookup);
+					firstarg = ISC_FALSE;
+				}
 				ISC_LIST_APPEND(lookup_list, lookup, link);
 				debug("looking up %s", lookup->textname);
 			}
 			/* XXX Error message */
 		}
 	}
+
 	/*
 	 * If we have a batchfile, seed the lookup list with the
 	 * first entry, then trust the callback in dighost_shutdown
@@ -1572,15 +1675,20 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
 			bargv[0] = argv[0];
 			argv0 = argv[0];
 
-			reorder_args(bargc, (char **)bargv);
+			for(i = 0; i < bargc; i++)
+				debug("batch argv %d: %s", i, bargv[i]);
 			parse_args(ISC_TRUE, ISC_FALSE, bargc, (char **)bargv);
+			return;
 		}
+		return;
 	}
 	/*
 	 * If no lookup specified, search for root
 	 */
 	if ((lookup_list.head == NULL) && !config_only) {
-		lookup = clone_lookup(default_lookup, ISC_TRUE);
+		if (need_clone)
+			lookup = clone_lookup(default_lookup, ISC_TRUE);
+		need_clone = ISC_TRUE;
 		lookup->trace_root = ISC_TF(lookup->trace ||
 					    lookup->ns_search_only);
 		lookup->new_search = ISC_TRUE;
@@ -1592,10 +1700,9 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
 			firstarg = ISC_FALSE;
 		}
 		ISC_LIST_APPEND(lookup_list, lookup, link);
-	} else if (!config_only && firstarg) {
-			printgreeting(argc, argv, lookup);
-			firstarg = ISC_FALSE;
 	}
+	if (!need_clone)
+		destroy_lookup(lookup);
 }
 
 /*
@@ -1609,7 +1716,7 @@ dighost_shutdown(void) {
 	int bargc;
 	char *bargv[16];
 	char *input;
-
+	int i;
 
 	if (batchname == NULL) {
 		isc_app_shutdown();
@@ -1637,7 +1744,8 @@ dighost_shutdown(void) {
 
 		bargv[0] = argv0;
 
-		reorder_args(bargc, (char **)bargv);
+		for(i = 0; i < bargc; i++)
+			debug("batch argv %d: %s", i, bargv[i]);
 		parse_args(ISC_TRUE, ISC_FALSE, bargc, (char **)bargv);
 		start_lookup();
 	} else {
@@ -1649,10 +1757,10 @@ dighost_shutdown(void) {
 	}
 }
 
+/*% Main processing routine for dig */
 int
 main(int argc, char **argv) {
 	isc_result_t result;
-	dig_server_t *s, *s2;
 
 	ISC_LIST_INIT(lookup_list);
 	ISC_LIST_INIT(server_list);
@@ -1673,16 +1781,7 @@ main(int argc, char **argv) {
 	result = isc_app_onrun(mctx, global_task, onrun_callback, NULL);
 	check_result(result, "isc_app_onrun");
 	isc_app_run();
-	s = ISC_LIST_HEAD(default_lookup->my_server_list);
-	while (s != NULL) {
-		debug("freeing server %p belonging to %p",
-		      s, default_lookup);
-		s2 = s;
-		s = ISC_LIST_NEXT(s, link);
-		ISC_LIST_DEQUEUE(default_lookup->my_server_list, s2, link);
-		isc_mem_free(mctx, s2);
-	}
-	isc_mem_free(mctx, default_lookup);
+	destroy_lookup(default_lookup);
 	if (batchname != NULL) {
 		if (batchfp != stdin)
 			fclose(batchfp);

bin/dig/host.1

@@ -1,132 +1,210 @@
-.\" Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000-2002  Internet Software Consortium.
-.\"
+.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2002 Internet Software Consortium.
+.\" 
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
 .\" copyright notice and this permission notice appear in all copies.
-.\"
+.\" 
 .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: host.1,v 1.11.2.1.4.4 2004/04/13 04:11:03 marka Exp $
+.\" $Id: host.1,v 1.28 2007/05/09 03:33:50 marka Exp $
 .\"
-.TH "HOST" "1" "Jun 30, 2000" "BIND9" ""
-.SH NAME
+.hy 0
+.ad l
+.\"     Title: host
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\"      Date: Jun 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
+.TH "HOST" "1" "Jun 30, 2000" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
 host \- DNS lookup utility
-.SH SYNOPSIS
-.sp
-\fBhost\fR [ \fB-aCdlnrTwv\fR ]  [ \fB-c \fIclass\fB\fR ]  [ \fB-N \fIndots\fB\fR ]  [ \fB-R \fInumber\fB\fR ]  [ \fB-t \fItype\fB\fR ]  [ \fB-W \fIwait\fB\fR ]  [ \fB-4\fR ]  [ \fB-6\fR ]  \fBname\fR [ \fBserver\fR ] 
+.SH "SYNOPSIS"
+.HP 5
+\fBhost\fR [\fB\-aCdlnrsTwv\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-N\ \fR\fB\fIndots\fR\fR] [\fB\-R\ \fR\fB\fInumber\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-W\ \fR\fB\fIwait\fR\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [\fB\-4\fR] [\fB\-6\fR] {name} [server]
 .SH "DESCRIPTION"
 .PP
 \fBhost\fR
-is a simple utility for performing DNS lookups.
-It is normally used to convert names to IP addresses and vice versa.
-When no arguments or options are given,
+is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. When no arguments or options are given,
 \fBhost\fR
 prints a short summary of its command line arguments and options.
 .PP
-\fIname\fR is the domain name that is to be looked
-up. It can also be a dotted-decimal IPv4 address or a colon-delimited
-IPv6 address, in which case \fBhost\fR will by default
-perform a reverse lookup for that address.
-\fIserver\fR is an optional argument which is either
-the name or IP address of the name server that \fBhost\fR
+\fIname\fR
+is the domain name that is to be looked up. It can also be a dotted\-decimal IPv4 address or a colon\-delimited IPv6 address, in which case
+\fBhost\fR
+will by default perform a reverse lookup for that address.
+\fIserver\fR
+is an optional argument which is either the name or IP address of the name server that
+\fBhost\fR
 should query instead of the server or servers listed in
 \fI/etc/resolv.conf\fR.
 .PP
-The \fB-a\fR (all) option is equivalent to setting the
-\fB-v\fR option and asking \fBhost\fR to make
-a query of type ANY.
+The
+\fB\-a\fR
+(all) option is equivalent to setting the
+\fB\-v\fR
+option and asking
+\fBhost\fR
+to make a query of type ANY.
 .PP
-When the \fB-C\fR option is used, \fBhost\fR
+When the
+\fB\-C\fR
+option is used,
+\fBhost\fR
 will attempt to display the SOA records for zone
-\fIname\fR from all the listed authoritative name
-servers for that zone. The list of name servers is defined by the NS
-records that are found for the zone.
+\fIname\fR
+from all the listed authoritative name servers for that zone. The list of name servers is defined by the NS records that are found for the zone.
 .PP
-The \fB-c\fR option instructs to make a DNS query of class
-\fIclass\fR. This can be used to lookup Hesiod or
-Chaosnet class resource records. The default class is IN (Internet).
+The
+\fB\-c\fR
+option instructs to make a DNS query of class
+\fIclass\fR. This can be used to lookup Hesiod or Chaosnet class resource records. The default class is IN (Internet).
 .PP
-Verbose output is generated by \fBhost\fR when the
-\fB-d\fR or \fB-v\fR option is used. The two
-options are equivalent. They have been provided for backwards
-compatibility. In previous versions, the \fB-d\fR option
-switched on debugging traces and \fB-v\fR enabled verbose
-output.
+Verbose output is generated by
+\fBhost\fR
+when the
+\fB\-d\fR
+or
+\fB\-v\fR
+option is used. The two options are equivalent. They have been provided for backwards compatibility. In previous versions, the
+\fB\-d\fR
+option switched on debugging traces and
+\fB\-v\fR
+enabled verbose output.
 .PP
-List mode is selected by the \fB-l\fR option. This makes
-\fBhost\fR perform a zone transfer for zone
-\fIname\fR. Transfer the zone printing out the NS, PTR
-and address records (A/AAAA). If combined with \fB-a\fR
-all records will be printed. 
+List mode is selected by the
+\fB\-l\fR
+option. This makes
+\fBhost\fR
+perform a zone transfer for zone
+\fIname\fR. Transfer the zone printing out the NS, PTR and address records (A/AAAA). If combined with
+\fB\-a\fR
+all records will be printed.
 .PP
-The \fB-i\fR
-option specifies that reverse lookups of IPv6 addresses should
-use the IP6.INT domain as defined in RFC1886.
-The default is to use IP6.ARPA.
+The
+\fB\-i\fR
+option specifies that reverse lookups of IPv6 addresses should use the IP6.INT domain as defined in RFC1886. The default is to use IP6.ARPA.
 .PP
-The \fB-N\fR option sets the number of dots that have to be
-in \fIname\fR for it to be considered absolute. The
-default value is that defined using the ndots statement in
-\fI/etc/resolv.conf\fR, or 1 if no ndots statement is
-present. Names with fewer dots are interpreted as relative names and
-will be searched for in the domains listed in the \fBsearch\fR
-or \fBdomain\fR directive in
+The
+\fB\-N\fR
+option sets the number of dots that have to be in
+\fIname\fR
+for it to be considered absolute. The default value is that defined using the ndots statement in
+\fI/etc/resolv.conf\fR, or 1 if no ndots statement is present. Names with fewer dots are interpreted as relative names and will be searched for in the domains listed in the
+\fBsearch\fR
+or
+\fBdomain\fR
+directive in
 \fI/etc/resolv.conf\fR.
 .PP
 The number of UDP retries for a lookup can be changed with the
-\fB-R\fR option. \fInumber\fR indicates
-how many times \fBhost\fR will repeat a query that does
-not get answered. The default number of retries is 1. If
-\fInumber\fR is negative or zero, the number of
-retries will default to 1.
+\fB\-R\fR
+option.
+\fInumber\fR
+indicates how many times
+\fBhost\fR
+will repeat a query that does not get answered. The default number of retries is 1. If
+\fInumber\fR
+is negative or zero, the number of retries will default to 1.
 .PP
-Non-recursive queries can be made via the \fB-r\fR option.
-Setting this option clears the \fBRD\fR \(em recursion
-desired \(em bit in the query which \fBhost\fR makes.
-This should mean that the name server receiving the query will not
-attempt to resolve \fIname\fR. The
-\fB-r\fR option enables \fBhost\fR to mimic
-the behaviour of a name server by making non-recursive queries and
-expecting to receive answers to those queries that are usually
-referrals to other name servers.
+Non\-recursive queries can be made via the
+\fB\-r\fR
+option. Setting this option clears the
+\fBRD\fR
+\(em recursion desired \(em bit in the query which
+\fBhost\fR
+makes. This should mean that the name server receiving the query will not attempt to resolve
+\fIname\fR. The
+\fB\-r\fR
+option enables
+\fBhost\fR
+to mimic the behavior of a name server by making non\-recursive queries and expecting to receive answers to those queries that are usually referrals to other name servers.
 .PP
-By default \fBhost\fR uses UDP when making queries. The
-\fB-T\fR option makes it use a TCP connection when querying
-the name server. TCP will be automatically selected for queries that
-require it, such as zone transfer (AXFR) requests.
+By default
+\fBhost\fR
+uses UDP when making queries. The
+\fB\-T\fR
+option makes it use a TCP connection when querying the name server. TCP will be automatically selected for queries that require it, such as zone transfer (AXFR) requests.
 .PP
-The \fB-4\fR option forces \fBhost\fR to only
-use IPv4 query transport. The \fB-6\fR option forces
-\fBhost\fR to only use IPv6 query transport.
+The
+\fB\-4\fR
+option forces
+\fBhost\fR
+to only use IPv4 query transport. The
+\fB\-6\fR
+option forces
+\fBhost\fR
+to only use IPv6 query transport.
 .PP
-The \fB-t\fR option is used to select the query type.
-\fItype\fR can be any recognised query type: CNAME,
-NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified,
-\fBhost\fR automatically selects an appropriate query
-type. By default it looks for A records, but if the
-\fB-C\fR option was given, queries will be made for SOA
-records, and if \fIname\fR is a dotted-decimal IPv4
-address or colon-delimited IPv6 address, \fBhost\fR will
-query for PTR records. If a query type of IXFR is chosen the starting
-serial number can be specified by appending an equal followed by the
-starting serial number (e.g. -t IXFR=12345678).
+The
+\fB\-t\fR
+option is used to select the query type.
+\fItype\fR
+can be any recognized query type: CNAME, NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified,
+\fBhost\fR
+automatically selects an appropriate query type. By default it looks for A records, but if the
+\fB\-C\fR
+option was given, queries will be made for SOA records, and if
+\fIname\fR
+is a dotted\-decimal IPv4 address or colon\-delimited IPv6 address,
+\fBhost\fR
+will query for PTR records. If a query type of IXFR is chosen the starting serial number can be specified by appending an equal followed by the starting serial number (e.g. \-t IXFR=12345678).
 .PP
 The time to wait for a reply can be controlled through the
-\fB-W\fR and \fB-w\fR options. The
-\fB-W\fR option makes \fBhost\fR wait for
-\fIwait\fR seconds. If \fIwait\fR
+\fB\-W\fR
+and
+\fB\-w\fR
+options. The
+\fB\-W\fR
+option makes
+\fBhost\fR
+wait for
+\fIwait\fR
+seconds. If
+\fIwait\fR
 is less than one, the wait interval is set to one second. When the
-\fB-w\fR option is used, \fBhost\fR will
-effectively wait forever for a reply. The time to wait for a response
-will be set to the number of seconds given by the hardware's maximum
-value for an integer quantity.
+\fB\-w\fR
+option is used,
+\fBhost\fR
+will effectively wait forever for a reply. The time to wait for a response will be set to the number of seconds given by the hardware's maximum value for an integer quantity.
+.PP
+The
+\fB\-s\fR
+option tells
+\fBhost\fR
+\fInot\fR
+to send the query to the next nameserver if any server responds with a SERVFAIL response, which is the reverse of normal stub resolver behavior.
+.PP
+The
+\fB\-m\fR
+can be used to set the memory usage debugging flags
+\fIrecord\fR,
+\fIusage\fR
+and
+\fItrace\fR.
+.SH "IDN SUPPORT"
+.PP
+If
+\fBhost\fR
+has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names.
+\fBhost\fR
+appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server. If you'd like to turn off the IDN support for some reason, defines the
+\fBIDN_DISABLE\fR
+environment variable. The IDN support is disabled if the variable is set when
+\fBhost\fR
+runs.
 .SH "FILES"
 .PP
 \fI/etc/resolv.conf\fR
@@ -134,3 +212,8 @@ value for an integer quantity.
 .PP
 \fBdig\fR(1),
 \fBnamed\fR(8).
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2000\-2002 Internet Software Consortium.
+.br

bin/dig/host.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,25 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: host.c,v 1.76.2.5.2.10 2004/09/06 01:33:05 marka Exp $ */
+/* $Id: host.c,v 1.113 2007/04/24 07:20:45 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
+#include <stdlib.h>
 #include <limits.h>
 
+#ifdef HAVE_LOCALE_H
+#include <locale.h>
+#endif
+
+#ifdef WITH_IDN
+#include <idn/result.h>
+#include <idn/log.h>
+#include <idn/resconf.h>
+#include <idn/api.h>
+#endif
+
 #include <isc/app.h>
 #include <isc/commandline.h>
 #include <isc/netaddr.h>
@@ -37,29 +51,16 @@
 #include <dns/rdataclass.h>
 #include <dns/rdataset.h>
 #include <dns/rdatatype.h>
+#include <dns/rdatastruct.h>
 
 #include <dig/dig.h>
 
-extern ISC_LIST(dig_lookup_t) lookup_list;
-extern dig_serverlist_t server_list;
-extern ISC_LIST(dig_searchlist_t) search_list;
-
-extern isc_boolean_t have_ipv4, have_ipv6;
-extern isc_boolean_t usesearch;
-extern isc_boolean_t debugging;
-extern unsigned int timeout;
-extern isc_mem_t *mctx;
-extern int ndots;
-extern int tries;
-extern char *progname;
-extern isc_task_t *global_task;
-extern int fatalexit;
-
 static isc_boolean_t short_form = ISC_TRUE, listed_server = ISC_FALSE;
 static isc_boolean_t default_lookups = ISC_TRUE;
 static int seen_error = -1;
 static isc_boolean_t list_addresses = ISC_TRUE;
 static dns_rdatatype_t list_type = dns_rdatatype_a;
+static isc_boolean_t printed_server = ISC_FALSE;
 
 static const char *opcodetext[] = {
 	"QUERY",
@@ -127,8 +128,8 @@ static void
 show_usage(void) {
 	fputs(
 "Usage: host [-aCdlriTwv] [-c class] [-N ndots] [-t type] [-W time]\n"
-"            [-R number] hostname [server]\n"
-"       -a is equivalent to -v -t *\n"
+"            [-R number] [-m flag] hostname [server]\n"
+"       -a is equivalent to -v -t ANY\n"
 "       -c specifies query class for non-IN data\n"
 "       -C compares SOA records on authoritative nameservers\n"
 "       -d is equivalent to -v\n"
@@ -137,13 +138,15 @@ show_usage(void) {
 "       -N changes the number of dots allowed before root lookup is done\n"
 "       -r disables recursive processing\n"
 "       -R specifies number of retries for UDP packets\n"
+"       -s a SERVFAIL response should stop query\n"
 "       -t specifies the query type\n"
 "       -T enables TCP/IP mode\n"
 "       -v enables verbose output\n"
 "       -w specifies to wait forever for a reply\n"
 "       -W specifies how long to wait for a reply\n"
 "       -4 use IPv4 query transport only\n"
-"       -6 use IPv6 query transport only\n", stderr);
+"       -6 use IPv6 query transport only\n"
+"       -m set memory debugging flag (trace|record|usage)\n", stderr);
 	exit(1);
 }
 
@@ -366,6 +369,32 @@ printrdata(dns_message_t *msg, dns_rdataset_t *rdataset, dns_name_t *owner,
 	return (ISC_R_SUCCESS);
 }
 
+static void
+chase_cnamechain(dns_message_t *msg, dns_name_t *qname) {
+	isc_result_t result;
+	dns_rdataset_t *rdataset;
+	dns_rdata_cname_t cname;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	unsigned int i = msg->counts[DNS_SECTION_ANSWER];
+
+ 	while (i-- > 0) {
+		rdataset = NULL;
+		result = dns_message_findname(msg, DNS_SECTION_ANSWER, qname,
+					      dns_rdatatype_cname, 0, NULL,
+					      &rdataset);
+		if (result != ISC_R_SUCCESS)
+			return;
+		result = dns_rdataset_first(rdataset);
+		check_result(result, "dns_rdataset_first");
+		dns_rdata_reset(&rdata);
+		dns_rdataset_current(rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &cname, NULL);
+		check_result(result, "dns_rdata_tostruct");
+		dns_name_copy(&cname.cname, qname, NULL);
+		dns_rdata_freestruct(&cname);
+	}
+}
+
 isc_result_t
 printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 	isc_boolean_t did_flag = ISC_FALSE;
@@ -382,7 +411,7 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 	 */
 	force_error = (seen_error == 1) ? 1 : 0;
 	seen_error = 1;
-	if (listed_server) {
+	if (listed_server && !printed_server) {
 		char sockstr[ISC_SOCKADDR_FORMATSIZE];
 
 		printf("Using domain server:\n");
@@ -391,23 +420,31 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 				    sizeof(sockstr));
 		printf("Address: %s\n", sockstr);
 		printf("Aliases: \n\n");
+		printed_server = ISC_TRUE;
 	}
 
 	if (msg->rcode != 0) {
 		char namestr[DNS_NAME_FORMATSIZE];
 		dns_name_format(query->lookup->name, namestr, sizeof(namestr));
-		printf("Host %s not found: %d(%s)\n", namestr,
-		       msg->rcode, rcodetext[msg->rcode]);
+		printf("Host %s not found: %d(%s)\n",
+		       (msg->rcode != dns_rcode_nxdomain) ? namestr :
+		       query->lookup->textname, msg->rcode,
+		       rcodetext[msg->rcode]);
 		return (ISC_R_SUCCESS);
 	}
 
 	if (default_lookups && query->lookup->rdtype == dns_rdatatype_a) {
 		char namestr[DNS_NAME_FORMATSIZE];
 		dig_lookup_t *lookup;
+		dns_fixedname_t fixed;
+		dns_name_t *name;
 
 		/* Add AAAA and MX lookups. */
-
-		dns_name_format(query->lookup->name, namestr, sizeof(namestr));
+		dns_fixedname_init(&fixed);
+		name = dns_fixedname_name(&fixed);
+		dns_name_copy(query->lookup->name, name, NULL);
+		chase_cnamechain(msg, name);
+		dns_name_format(name, namestr, sizeof(namestr));
 		lookup = clone_lookup(query->lookup, ISC_FALSE);
 		if (lookup != NULL) {
 			strncpy(lookup->textname, namestr,
@@ -537,6 +574,52 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 	return (result);
 }
 
+static const char * optstring = "46ac:dilnm:rst:vwCDN:R:TW:";
+
+static void
+pre_parse_args(int argc, char **argv) {
+	int c;
+
+	while ((c = isc_commandline_parse(argc, argv, optstring)) != -1) {
+		switch (c) {
+		case 'm':
+			if (strcasecmp("trace", isc_commandline_argument) == 0)
+				isc_mem_debugging |= ISC_MEM_DEBUGTRACE;
+			else if (!strcasecmp("record",
+					     isc_commandline_argument) == 0)
+				isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
+			else if (strcasecmp("usage",
+					    isc_commandline_argument) == 0)
+				isc_mem_debugging |= ISC_MEM_DEBUGUSAGE;
+			break;
+
+		case '4': break;
+		case '6': break;
+		case 'a': break;
+		case 'c': break;
+		case 'd': break;
+		case 'i': break;
+		case 'l': break;
+		case 'n': break;
+		case 'r': break;
+		case 's': break;
+		case 't': break;
+		case 'v': break;
+		case 'w': break;
+		case 'C': break;
+		case 'D': break;
+		case 'N': break;
+		case 'R': break;
+		case 'T': break;
+		case 'W': break;
+		default:
+			show_usage();
+		}
+	}
+	isc_commandline_reset = ISC_TRUE;
+	isc_commandline_index = 1;
+}
+
 static void
 parse_args(isc_boolean_t is_batchfile, int argc, char **argv) {
 	char hostname[MXNAME];
@@ -553,8 +636,10 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) {
 
 	lookup = make_empty_lookup();
 
-	while ((c = isc_commandline_parse(argc, argv, "lvwrdt:c:aTCN:R:W:Dni46"))
-	       != EOF) {
+	lookup->servfail_stops = ISC_FALSE;
+	lookup->comments = ISC_FALSE;
+
+	while ((c = isc_commandline_parse(argc, argv, optstring)) != -1) {
 		switch (c) {
 		case 'l':
 			lookup->tcp_mode = ISC_TRUE;
@@ -593,6 +678,9 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) {
 			    lookup->rdtype != dns_rdatatype_axfr)
 				lookup->rdtype = rdtype;
 			lookup->rdtypeset = ISC_TRUE;
+#ifdef WITH_IDN
+			idnoptions = 0;
+#endif
 			if (rdtype == dns_rdatatype_axfr) {
 				/* -l -t any -v */
 				list_type = dns_rdatatype_any;
@@ -601,9 +689,17 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) {
 			} else if (rdtype == dns_rdatatype_ixfr) {
 				lookup->ixfr_serial = serial;
 				list_type = rdtype;
+#ifdef WITH_IDN
+			} else if (rdtype == dns_rdatatype_a ||
+				   rdtype == dns_rdatatype_aaaa ||
+				   rdtype == dns_rdatatype_mx) {
+				idnoptions = IDN_ASCCHECK;
+				list_type = rdtype;
+#endif
 			} else
 				list_type = rdtype;
 			list_addresses = ISC_FALSE;
+			default_lookups = ISC_FALSE;
 			break;
 		case 'c':
 			tr.base = isc_commandline_argument;
@@ -637,6 +733,9 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) {
 		case 'n':
 			/* deprecated */
 			break;
+		case 'm':
+			/* Handled by pre_parse_args(). */
+			break;
 		case 'w':
 			/*
 			 * The timer routines are coded such that
@@ -690,6 +789,9 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) {
 			} else
 				fatal("can't find IPv6 networking");
 			break;
+		case 's':
+			lookup->servfail_stops = ISC_TRUE;
+			break;
 		}
 	}
 
@@ -704,7 +806,8 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) {
 		set_nameserver(argv[isc_commandline_index+1]);
 		debug("server is %s", argv[isc_commandline_index+1]);
 		listed_server = ISC_TRUE;
-	}
+	} else
+		check_ra = ISC_TRUE;
 
 	lookup->pending = ISC_FALSE;
 	if (get_reverse(store, sizeof(store), hostname,
@@ -735,9 +838,13 @@ main(int argc, char **argv) {
 	ISC_LIST_INIT(search_list);
 	
 	fatalexit = 1;
+#ifdef WITH_IDN
+	idnoptions = IDN_ASCCHECK;
+#endif
 
 	debug("main()");
 	progname = argv[0];
+	pre_parse_args(argc, argv);
 	result = isc_app_start();
 	check_result(result, "isc_app_start");
 	setup_libs();
@@ -751,4 +858,3 @@ main(int argc, char **argv) {
 	isc_app_finish();
 	return ((seen_error == 0) ? 0 : 1);
 }
-

bin/dig/host.docbook

@@ -1,6 +1,8 @@
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2002  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
@@ -16,197 +18,260 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: host.docbook,v 1.2.2.2.4.5 2004/04/13 01:26:26 marka Exp $ -->
+<!-- $Id: host.docbook,v 1.15 2007/05/09 01:32:08 marka Exp $ -->
+<refentry id="man.host">
 
-<refentry>
+  <refentryinfo>
+    <date>Jun 30, 2000</date>
+  </refentryinfo>
 
-<refentryinfo>
-<date>Jun 30, 2000</date>
-</refentryinfo>
+  <refmeta>
+    <refentrytitle>host</refentrytitle>
+    <manvolnum>1</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
 
-<refmeta>
-<refentrytitle>host</refentrytitle>
-<manvolnum>1</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
+  <refnamediv>
+    <refname>host</refname>
+    <refpurpose>DNS lookup utility</refpurpose>
+  </refnamediv>
 
-<refnamediv>
-<refname>host</refname>
-<refpurpose>DNS lookup utility</refpurpose>
-</refnamediv>
+  <docinfo>
+    <copyright>
+      <year>2004</year>
+      <year>2005</year>
+      <year>2007</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+    <copyright>
+      <year>2000</year>
+      <year>2001</year>
+      <year>2002</year>
+      <holder>Internet Software Consortium.</holder>
+    </copyright>
+  </docinfo>
 
-<refsynopsisdiv>
-<cmdsynopsis>
-  <command>host</command>
-  <arg><option>-aCdlnrTwv</option></arg>
-  <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
-  <arg><option>-N <replaceable class="parameter">ndots</replaceable></option></arg>
-  <arg><option>-R <replaceable class="parameter">number</replaceable></option></arg>
-  <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
-  <arg><option>-W <replaceable class="parameter">wait</replaceable></option></arg>
-  <arg><option>-4</option></arg>
-  <arg><option>-6</option></arg>
-  <arg choice=req>name</arg>
-  <arg choice=opt>server</arg>
-</cmdsynopsis>
-</refsynopsisdiv>
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>host</command>
+      <arg><option>-aCdlnrsTwv</option></arg>
+      <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
+      <arg><option>-N <replaceable class="parameter">ndots</replaceable></option></arg>
+      <arg><option>-R <replaceable class="parameter">number</replaceable></option></arg>
+      <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
+      <arg><option>-W <replaceable class="parameter">wait</replaceable></option></arg>
+      <arg><option>-m <replaceable class="parameter">flag</replaceable></option></arg>
+      <arg><option>-4</option></arg>
+      <arg><option>-6</option></arg>
+      <arg choice="req">name</arg>
+      <arg choice="opt">server</arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
 
-<refsect1>
-<title>DESCRIPTION</title>
-<para>
-<command>host</command>
-is a simple utility for performing DNS lookups.
-It is normally used to convert names to IP addresses and vice versa.
-When no arguments or options are given,
-<command>host</command>
-prints a short summary of its command line arguments and options.
-</para>
+  <refsect1>
+    <title>DESCRIPTION</title>
 
-<para>
-<parameter>name</parameter> is the domain name that is to be looked
-up.  It can also be a dotted-decimal IPv4 address or a colon-delimited
-IPv6 address, in which case <command>host</command> will by default
-perform a reverse lookup for that address.
-<parameter>server</parameter> is an optional argument which is either
-the name or IP address of the name server that <command>host</command>
-should query instead of the server or servers listed in
-<filename>/etc/resolv.conf</filename>.
-</para>
+    <para><command>host</command>
+      is a simple utility for performing DNS lookups.
+      It is normally used to convert names to IP addresses and vice versa.
+      When no arguments or options are given,
+      <command>host</command>
+      prints a short summary of its command line arguments and options.
+    </para>
 
-<para>
-The <option>-a</option> (all) option is equivalent to setting the
-<option>-v</option> option and asking <command>host</command> to make
-a query of type ANY.
-</para>
+    <para><parameter>name</parameter> is the domain name that is to be
+      looked
+      up.  It can also be a dotted-decimal IPv4 address or a colon-delimited
+      IPv6 address, in which case <command>host</command> will by
+      default
+      perform a reverse lookup for that address.
+      <parameter>server</parameter> is an optional argument which
+      is either
+      the name or IP address of the name server that <command>host</command>
+      should query instead of the server or servers listed in
+      <filename>/etc/resolv.conf</filename>.
+    </para>
 
-<para>
-When the <option>-C</option> option is used, <command>host</command>
-will attempt to display the SOA records for zone
-<parameter>name</parameter> from all the listed authoritative name
-servers for that zone.  The list of name servers is defined by the NS
-records that are found for the zone.
-</para>
+    <para>
+      The <option>-a</option> (all) option is equivalent to setting the
+      <option>-v</option> option and asking <command>host</command> to make
+      a query of type ANY.
+    </para>
 
-<para>
-The <option>-c</option> option instructs to make a DNS query of class
-<parameter>class</parameter>.  This can be used to lookup Hesiod or
-Chaosnet class resource records.  The default class is IN (Internet).
-</para>
+    <para>
+      When the <option>-C</option> option is used, <command>host</command>
+      will attempt to display the SOA records for zone
+      <parameter>name</parameter> from all the listed
+      authoritative name
+      servers for that zone.  The list of name servers is defined by the NS
+      records that are found for the zone.
+    </para>
 
-<para>
-Verbose output is generated by <command>host</command> when the
-<option>-d</option> or <option>-v</option> option is used.  The two
-options are equivalent.  They have been provided for backwards
-compatibility.  In previous versions, the <option>-d</option> option
-switched on debugging traces and <option>-v</option> enabled verbose
-output.
-</para>
+    <para>
+      The <option>-c</option> option instructs to make a DNS query of class
+      <parameter>class</parameter>.  This can be used to lookup
+      Hesiod or
+      Chaosnet class resource records.  The default class is IN (Internet).
+    </para>
 
-<para>
-List mode is selected by the <option>-l</option> option.  This makes
-<command>host</command> perform a zone transfer for zone
-<parameter>name</parameter>.  Transfer the zone printing out the NS, PTR
-and address records (A/AAAA).  If combined with <option>-a</option>
-all records will be printed.  
-</para>
+    <para>
+      Verbose output is generated by <command>host</command> when
+      the
+      <option>-d</option> or <option>-v</option> option is used.  The two
+      options are equivalent.  They have been provided for backwards
+      compatibility.  In previous versions, the <option>-d</option> option
+      switched on debugging traces and <option>-v</option> enabled verbose
+      output.
+    </para>
 
-<para>
-The <option>-i</option>
-option specifies that reverse lookups of IPv6 addresses should
-use the IP6.INT domain as defined in RFC1886.
-The default is to use IP6.ARPA.
-</para>
+    <para>
+      List mode is selected by the <option>-l</option> option.  This makes
+      <command>host</command> perform a zone transfer for zone
+      <parameter>name</parameter>.  Transfer the zone printing out
+      the NS, PTR
+      and address records (A/AAAA).  If combined with <option>-a</option>
+      all records will be printed.
+    </para>
 
-<para>
-The <option>-N</option> option sets the number of dots that have to be
-in <parameter>name</parameter> for it to be considered absolute.  The
-default value is that defined using the ndots statement in
-<filename>/etc/resolv.conf</filename>, or 1 if no ndots statement is
-present.  Names with fewer dots are interpreted as relative names and
-will be searched for in the domains listed in the <type>search</type>
-or <type>domain</type> directive in
-<filename>/etc/resolv.conf</filename>.
-</para>
+    <para>
+      The <option>-i</option>
+      option specifies that reverse lookups of IPv6 addresses should
+      use the IP6.INT domain as defined in RFC1886.
+      The default is to use IP6.ARPA.
+    </para>
 
-<para>
-The number of UDP retries for a lookup can be changed with the
-<option>-R</option> option.  <parameter>number</parameter> indicates
-how many times <command>host</command> will repeat a query that does
-not get answered.  The default number of retries is 1.  If
-<parameter>number</parameter> is negative or zero, the number of
-retries will default to 1.
-</para>
+    <para>
+      The <option>-N</option> option sets the number of dots that have to be
+      in <parameter>name</parameter> for it to be considered
+      absolute.  The
+      default value is that defined using the ndots statement in
+      <filename>/etc/resolv.conf</filename>, or 1 if no ndots
+      statement is
+      present.  Names with fewer dots are interpreted as relative names and
+      will be searched for in the domains listed in the <type>search</type>
+      or <type>domain</type> directive in
+      <filename>/etc/resolv.conf</filename>.
+    </para>
 
-<para>
-Non-recursive queries can be made via the <option>-r</option> option.
-Setting this option clears the <type>RD</type> &mdash; recursion
-desired &mdash; bit in the query which <command>host</command> makes.
-This should mean that the name server receiving the query will not
-attempt to resolve <parameter>name</parameter>.  The
-<option>-r</option> option enables <command>host</command> to mimic
-the behaviour of a name server by making non-recursive queries and
-expecting to receive answers to those queries that are usually
-referrals to other name servers.
-</para>
+    <para>
+      The number of UDP retries for a lookup can be changed with the
+      <option>-R</option> option.  <parameter>number</parameter>
+      indicates
+      how many times <command>host</command> will repeat a query
+      that does
+      not get answered.  The default number of retries is 1.  If
+      <parameter>number</parameter> is negative or zero, the
+      number of
+      retries will default to 1.
+    </para>
 
-<para>
-By default <command>host</command> uses UDP when making queries.  The
-<option>-T</option> option makes it use a TCP connection when querying
-the name server.  TCP will be automatically selected for queries that
-require it, such as zone transfer (AXFR) requests.
-</para>
+    <para>
+      Non-recursive queries can be made via the <option>-r</option> option.
+      Setting this option clears the <type>RD</type> &mdash; recursion
+      desired &mdash; bit in the query which <command>host</command> makes.
+      This should mean that the name server receiving the query will not
+      attempt to resolve <parameter>name</parameter>.  The
+      <option>-r</option> option enables <command>host</command>
+      to mimic
+      the behavior of a name server by making non-recursive queries and
+      expecting to receive answers to those queries that are usually
+      referrals to other name servers.
+    </para>
 
-<para>
-The <option>-4</option> option forces <command>host</command> to only
-use IPv4 query transport.  The <option>-6</option> option forces
-<command>host</command> to only use IPv6 query transport.
-</para>
+    <para>
+      By default <command>host</command> uses UDP when making
+      queries.  The
+      <option>-T</option> option makes it use a TCP connection when querying
+      the name server.  TCP will be automatically selected for queries that
+      require it, such as zone transfer (AXFR) requests.
+    </para>
 
-<para>
-The <option>-t</option> option is used to select the query type.
-<parameter>type</parameter> can be any recognised query type: CNAME,
-NS, SOA, SIG, KEY, AXFR, etc.  When no query type is specified,
-<command>host</command> automatically selects an appropriate query
-type.  By default it looks for A records, but if the
-<option>-C</option> option was given, queries will be made for SOA
-records, and if <parameter>name</parameter> is a dotted-decimal IPv4
-address or colon-delimited IPv6 address, <command>host</command> will
-query for PTR records.  If a query type of IXFR is chosen the starting
-serial number can be specified by appending an equal followed by the
-starting serial number (e.g. -t IXFR=12345678).
-</para>
+    <para>
+      The <option>-4</option> option forces <command>host</command> to only
+      use IPv4 query transport.  The <option>-6</option> option forces
+      <command>host</command> to only use IPv6 query transport.
+    </para>
 
-<para>
-The time to wait for a reply can be controlled through the
-<option>-W</option> and <option>-w</option> options.  The
-<option>-W</option> option makes <command>host</command> wait for
-<parameter>wait</parameter> seconds.  If <parameter>wait</parameter>
-is less than one, the wait interval is set to one second.  When the
-<option>-w</option> option is used, <command>host</command> will
-effectively wait forever for a reply.  The time to wait for a response
-will be set to the number of seconds given by the hardware's maximum
-value for an integer quantity.
-</para>
+    <para>
+      The <option>-t</option> option is used to select the query type.
+      <parameter>type</parameter> can be any recognized query
+      type: CNAME,
+      NS, SOA, SIG, KEY, AXFR, etc.  When no query type is specified,
+      <command>host</command> automatically selects an appropriate
+      query
+      type.  By default it looks for A records, but if the
+      <option>-C</option> option was given, queries will be made for SOA
+      records, and if <parameter>name</parameter> is a
+      dotted-decimal IPv4
+      address or colon-delimited IPv6 address, <command>host</command> will
+      query for PTR records.  If a query type of IXFR is chosen the starting
+      serial number can be specified by appending an equal followed by the
+      starting serial number (e.g. -t IXFR=12345678).
+    </para>
 
-</refsect1>
+    <para>
+      The time to wait for a reply can be controlled through the
+      <option>-W</option> and <option>-w</option> options.  The
+      <option>-W</option> option makes <command>host</command>
+      wait for
+      <parameter>wait</parameter> seconds.  If <parameter>wait</parameter>
+      is less than one, the wait interval is set to one second.  When the
+      <option>-w</option> option is used, <command>host</command>
+      will
+      effectively wait forever for a reply.  The time to wait for a response
+      will be set to the number of seconds given by the hardware's maximum
+      value for an integer quantity.
+    </para>
 
-<refsect1>
-<title>FILES</title>
-<para>
-<filename>/etc/resolv.conf</filename>
-</para>
-</refsect1>
+    <para>
+      The <option>-s</option> option tells <command>host</command> 
+      <emphasis>not</emphasis> to send the query to the next nameserver
+      if any server responds with a SERVFAIL response, which is the
+      reverse of normal stub resolver behavior.
+    </para>
 
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
-</citerefentry>.
-</para>
+    <para>
+      The <option>-m</option> can be used to set the memory usage debugging
+      flags
+      <parameter>record</parameter>, <parameter>usage</parameter> and
+      <parameter>trace</parameter>.
+    </para>
+  </refsect1>
 
-</refsect1>
-</refentry>
+  <refsect1>
+    <title>IDN SUPPORT</title>
+    <para>
+      If <command>host</command> has been built with IDN (internationalized
+      domain name) support, it can accept and display non-ASCII domain names. 
+      <command>host</command> appropriately converts character encoding of
+      domain name before sending a request to DNS server or displaying a
+      reply from the server.
+      If you'd like to turn off the IDN support for some reason, defines
+      the <envar>IDN_DISABLE</envar> environment variable.
+      The IDN support is disabled if the variable is set when
+      <command>host</command> runs.
+    </para>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+    <para><filename>/etc/resolv.conf</filename>
+    </para>
+  </refsect1>
+
+  <refsect1>
+    <title>SEE ALSO</title>
+    <para><citerefentry>
+        <refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>.
+    </para>
+
+  </refsect1>
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->

bin/dig/host.html

@@ -1,434 +1,212 @@
 <!--
- - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2002  Internet Software Consortium.
- -
+ - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2002 Internet Software Consortium.
+ - 
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- -
+ - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
-<!-- $Id: host.html,v 1.4.2.1.4.6 2004/08/22 23:38:58 marka Exp $ -->
-
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-<HTML
-><HEAD
-><TITLE
->host</TITLE
-><META
-NAME="GENERATOR"
-CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD
-><BODY
-CLASS="REFENTRY"
-BGCOLOR="#FFFFFF"
-TEXT="#000000"
-LINK="#0000FF"
-VLINK="#840084"
-ALINK="#0000FF"
-><H1
-><A
-NAME="AEN1"
-></A
->host</H1
-><DIV
-CLASS="REFNAMEDIV"
-><A
-NAME="AEN8"
-></A
-><H2
->Name</H2
->host&nbsp;--&nbsp;DNS lookup utility</DIV
-><DIV
-CLASS="REFSYNOPSISDIV"
-><A
-NAME="AEN11"
-></A
-><H2
->Synopsis</H2
-><P
-><B
-CLASS="COMMAND"
->host</B
->  [<VAR
-CLASS="OPTION"
->-aCdlnrTwv</VAR
->] [<VAR
-CLASS="OPTION"
->-c <VAR
-CLASS="REPLACEABLE"
->class</VAR
-></VAR
->] [<VAR
-CLASS="OPTION"
->-N <VAR
-CLASS="REPLACEABLE"
->ndots</VAR
-></VAR
->] [<VAR
-CLASS="OPTION"
->-R <VAR
-CLASS="REPLACEABLE"
->number</VAR
-></VAR
->] [<VAR
-CLASS="OPTION"
->-t <VAR
-CLASS="REPLACEABLE"
->type</VAR
-></VAR
->] [<VAR
-CLASS="OPTION"
->-W <VAR
-CLASS="REPLACEABLE"
->wait</VAR
-></VAR
->] [<VAR
-CLASS="OPTION"
->-4</VAR
->] [<VAR
-CLASS="OPTION"
->-6</VAR
->] {name} [server]</P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN37"
-></A
-><H2
->DESCRIPTION</H2
-><P
-><B
-CLASS="COMMAND"
->host</B
->
-is a simple utility for performing DNS lookups.
-It is normally used to convert names to IP addresses and vice versa.
-When no arguments or options are given,
-<B
-CLASS="COMMAND"
->host</B
->
-prints a short summary of its command line arguments and options.</P
-><P
-><VAR
-CLASS="PARAMETER"
->name</VAR
-> is the domain name that is to be looked
-up.  It can also be a dotted-decimal IPv4 address or a colon-delimited
-IPv6 address, in which case <B
-CLASS="COMMAND"
->host</B
-> will by default
-perform a reverse lookup for that address.
-<VAR
-CLASS="PARAMETER"
->server</VAR
-> is an optional argument which is either
-the name or IP address of the name server that <B
-CLASS="COMMAND"
->host</B
->
-should query instead of the server or servers listed in
-<TT
-CLASS="FILENAME"
->/etc/resolv.conf</TT
->.</P
-><P
->The <VAR
-CLASS="OPTION"
->-a</VAR
-> (all) option is equivalent to setting the
-<VAR
-CLASS="OPTION"
->-v</VAR
-> option and asking <B
-CLASS="COMMAND"
->host</B
-> to make
-a query of type ANY.</P
-><P
->When the <VAR
-CLASS="OPTION"
->-C</VAR
-> option is used, <B
-CLASS="COMMAND"
->host</B
->
-will attempt to display the SOA records for zone
-<VAR
-CLASS="PARAMETER"
->name</VAR
-> from all the listed authoritative name
-servers for that zone.  The list of name servers is defined by the NS
-records that are found for the zone.</P
-><P
->The <VAR
-CLASS="OPTION"
->-c</VAR
-> option instructs to make a DNS query of class
-<VAR
-CLASS="PARAMETER"
->class</VAR
->.  This can be used to lookup Hesiod or
-Chaosnet class resource records.  The default class is IN (Internet).</P
-><P
->Verbose output is generated by <B
-CLASS="COMMAND"
->host</B
-> when the
-<VAR
-CLASS="OPTION"
->-d</VAR
-> or <VAR
-CLASS="OPTION"
->-v</VAR
-> option is used.  The two
-options are equivalent.  They have been provided for backwards
-compatibility.  In previous versions, the <VAR
-CLASS="OPTION"
->-d</VAR
-> option
-switched on debugging traces and <VAR
-CLASS="OPTION"
->-v</VAR
-> enabled verbose
-output.</P
-><P
->List mode is selected by the <VAR
-CLASS="OPTION"
->-l</VAR
-> option.  This makes
-<B
-CLASS="COMMAND"
->host</B
-> perform a zone transfer for zone
-<VAR
-CLASS="PARAMETER"
->name</VAR
->.  Transfer the zone printing out the NS, PTR
-and address records (A/AAAA).  If combined with <VAR
-CLASS="OPTION"
->-a</VAR
->
-all records will be printed.  </P
-><P
->The <VAR
-CLASS="OPTION"
->-i</VAR
->
-option specifies that reverse lookups of IPv6 addresses should
-use the IP6.INT domain as defined in RFC1886.
-The default is to use IP6.ARPA.</P
-><P
->The <VAR
-CLASS="OPTION"
->-N</VAR
-> option sets the number of dots that have to be
-in <VAR
-CLASS="PARAMETER"
->name</VAR
-> for it to be considered absolute.  The
-default value is that defined using the ndots statement in
-<TT
-CLASS="FILENAME"
->/etc/resolv.conf</TT
->, or 1 if no ndots statement is
-present.  Names with fewer dots are interpreted as relative names and
-will be searched for in the domains listed in the <SPAN
-CLASS="TYPE"
->search</SPAN
->
-or <SPAN
-CLASS="TYPE"
->domain</SPAN
-> directive in
-<TT
-CLASS="FILENAME"
->/etc/resolv.conf</TT
->.</P
-><P
->The number of UDP retries for a lookup can be changed with the
-<VAR
-CLASS="OPTION"
->-R</VAR
-> option.  <VAR
-CLASS="PARAMETER"
->number</VAR
-> indicates
-how many times <B
-CLASS="COMMAND"
->host</B
-> will repeat a query that does
-not get answered.  The default number of retries is 1.  If
-<VAR
-CLASS="PARAMETER"
->number</VAR
-> is negative or zero, the number of
-retries will default to 1.</P
-><P
->Non-recursive queries can be made via the <VAR
-CLASS="OPTION"
->-r</VAR
-> option.
-Setting this option clears the <SPAN
-CLASS="TYPE"
->RD</SPAN
-> &mdash; recursion
-desired &mdash; bit in the query which <B
-CLASS="COMMAND"
->host</B
-> makes.
-This should mean that the name server receiving the query will not
-attempt to resolve <VAR
-CLASS="PARAMETER"
->name</VAR
->.  The
-<VAR
-CLASS="OPTION"
->-r</VAR
-> option enables <B
-CLASS="COMMAND"
->host</B
-> to mimic
-the behaviour of a name server by making non-recursive queries and
-expecting to receive answers to those queries that are usually
-referrals to other name servers.</P
-><P
->By default <B
-CLASS="COMMAND"
->host</B
-> uses UDP when making queries.  The
-<VAR
-CLASS="OPTION"
->-T</VAR
-> option makes it use a TCP connection when querying
-the name server.  TCP will be automatically selected for queries that
-require it, such as zone transfer (AXFR) requests.</P
-><P
->The <VAR
-CLASS="OPTION"
->-4</VAR
-> option forces <B
-CLASS="COMMAND"
->host</B
-> to only
-use IPv4 query transport.  The <VAR
-CLASS="OPTION"
->-6</VAR
-> option forces
-<B
-CLASS="COMMAND"
->host</B
-> to only use IPv6 query transport.</P
-><P
->The <VAR
-CLASS="OPTION"
->-t</VAR
-> option is used to select the query type.
-<VAR
-CLASS="PARAMETER"
->type</VAR
-> can be any recognised query type: CNAME,
-NS, SOA, SIG, KEY, AXFR, etc.  When no query type is specified,
-<B
-CLASS="COMMAND"
->host</B
-> automatically selects an appropriate query
-type.  By default it looks for A records, but if the
-<VAR
-CLASS="OPTION"
->-C</VAR
-> option was given, queries will be made for SOA
-records, and if <VAR
-CLASS="PARAMETER"
->name</VAR
-> is a dotted-decimal IPv4
-address or colon-delimited IPv6 address, <B
-CLASS="COMMAND"
->host</B
-> will
-query for PTR records.  If a query type of IXFR is chosen the starting
-serial number can be specified by appending an equal followed by the
-starting serial number (e.g. -t IXFR=12345678).</P
-><P
->The time to wait for a reply can be controlled through the
-<VAR
-CLASS="OPTION"
->-W</VAR
-> and <VAR
-CLASS="OPTION"
->-w</VAR
-> options.  The
-<VAR
-CLASS="OPTION"
->-W</VAR
-> option makes <B
-CLASS="COMMAND"
->host</B
-> wait for
-<VAR
-CLASS="PARAMETER"
->wait</VAR
-> seconds.  If <VAR
-CLASS="PARAMETER"
->wait</VAR
->
-is less than one, the wait interval is set to one second.  When the
-<VAR
-CLASS="OPTION"
->-w</VAR
-> option is used, <B
-CLASS="COMMAND"
->host</B
-> will
-effectively wait forever for a reply.  The time to wait for a response
-will be set to the number of seconds given by the hardware's maximum
-value for an integer quantity.</P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN115"
-></A
-><H2
->FILES</H2
-><P
-><TT
-CLASS="FILENAME"
->/etc/resolv.conf</TT
-></P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN119"
-></A
-><H2
->SEE ALSO</H2
-><P
-><SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->dig</SPAN
->(1)</SPAN
->,
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->named</SPAN
->(8)</SPAN
->.</P
-></DIV
-></BODY
-></HTML
->
+<!-- $Id: host.html,v 1.27 2007/05/09 03:33:50 marka Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>host</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
+<a name="man.host"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p>host &#8212; DNS lookup utility</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">host</code>  [<code class="option">-aCdlnrsTwv</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>] [<code class="option">-R <em class="replaceable"><code>number</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] {name} [server]</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543428"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">host</strong></span>
+      is a simple utility for performing DNS lookups.
+      It is normally used to convert names to IP addresses and vice versa.
+      When no arguments or options are given,
+      <span><strong class="command">host</strong></span>
+      prints a short summary of its command line arguments and options.
+    </p>
+<p><em class="parameter"><code>name</code></em> is the domain name that is to be
+      looked
+      up.  It can also be a dotted-decimal IPv4 address or a colon-delimited
+      IPv6 address, in which case <span><strong class="command">host</strong></span> will by
+      default
+      perform a reverse lookup for that address.
+      <em class="parameter"><code>server</code></em> is an optional argument which
+      is either
+      the name or IP address of the name server that <span><strong class="command">host</strong></span>
+      should query instead of the server or servers listed in
+      <code class="filename">/etc/resolv.conf</code>.
+    </p>
+<p>
+      The <code class="option">-a</code> (all) option is equivalent to setting the
+      <code class="option">-v</code> option and asking <span><strong class="command">host</strong></span> to make
+      a query of type ANY.
+    </p>
+<p>
+      When the <code class="option">-C</code> option is used, <span><strong class="command">host</strong></span>
+      will attempt to display the SOA records for zone
+      <em class="parameter"><code>name</code></em> from all the listed
+      authoritative name
+      servers for that zone.  The list of name servers is defined by the NS
+      records that are found for the zone.
+    </p>
+<p>
+      The <code class="option">-c</code> option instructs to make a DNS query of class
+      <em class="parameter"><code>class</code></em>.  This can be used to lookup
+      Hesiod or
+      Chaosnet class resource records.  The default class is IN (Internet).
+    </p>
+<p>
+      Verbose output is generated by <span><strong class="command">host</strong></span> when
+      the
+      <code class="option">-d</code> or <code class="option">-v</code> option is used.  The two
+      options are equivalent.  They have been provided for backwards
+      compatibility.  In previous versions, the <code class="option">-d</code> option
+      switched on debugging traces and <code class="option">-v</code> enabled verbose
+      output.
+    </p>
+<p>
+      List mode is selected by the <code class="option">-l</code> option.  This makes
+      <span><strong class="command">host</strong></span> perform a zone transfer for zone
+      <em class="parameter"><code>name</code></em>.  Transfer the zone printing out
+      the NS, PTR
+      and address records (A/AAAA).  If combined with <code class="option">-a</code>
+      all records will be printed.
+    </p>
+<p>
+      The <code class="option">-i</code>
+      option specifies that reverse lookups of IPv6 addresses should
+      use the IP6.INT domain as defined in RFC1886.
+      The default is to use IP6.ARPA.
+    </p>
+<p>
+      The <code class="option">-N</code> option sets the number of dots that have to be
+      in <em class="parameter"><code>name</code></em> for it to be considered
+      absolute.  The
+      default value is that defined using the ndots statement in
+      <code class="filename">/etc/resolv.conf</code>, or 1 if no ndots
+      statement is
+      present.  Names with fewer dots are interpreted as relative names and
+      will be searched for in the domains listed in the <span class="type">search</span>
+      or <span class="type">domain</span> directive in
+      <code class="filename">/etc/resolv.conf</code>.
+    </p>
+<p>
+      The number of UDP retries for a lookup can be changed with the
+      <code class="option">-R</code> option.  <em class="parameter"><code>number</code></em>
+      indicates
+      how many times <span><strong class="command">host</strong></span> will repeat a query
+      that does
+      not get answered.  The default number of retries is 1.  If
+      <em class="parameter"><code>number</code></em> is negative or zero, the
+      number of
+      retries will default to 1.
+    </p>
+<p>
+      Non-recursive queries can be made via the <code class="option">-r</code> option.
+      Setting this option clears the <span class="type">RD</span> &#8212; recursion
+      desired &#8212; bit in the query which <span><strong class="command">host</strong></span> makes.
+      This should mean that the name server receiving the query will not
+      attempt to resolve <em class="parameter"><code>name</code></em>.  The
+      <code class="option">-r</code> option enables <span><strong class="command">host</strong></span>
+      to mimic
+      the behavior of a name server by making non-recursive queries and
+      expecting to receive answers to those queries that are usually
+      referrals to other name servers.
+    </p>
+<p>
+      By default <span><strong class="command">host</strong></span> uses UDP when making
+      queries.  The
+      <code class="option">-T</code> option makes it use a TCP connection when querying
+      the name server.  TCP will be automatically selected for queries that
+      require it, such as zone transfer (AXFR) requests.
+    </p>
+<p>
+      The <code class="option">-4</code> option forces <span><strong class="command">host</strong></span> to only
+      use IPv4 query transport.  The <code class="option">-6</code> option forces
+      <span><strong class="command">host</strong></span> to only use IPv6 query transport.
+    </p>
+<p>
+      The <code class="option">-t</code> option is used to select the query type.
+      <em class="parameter"><code>type</code></em> can be any recognized query
+      type: CNAME,
+      NS, SOA, SIG, KEY, AXFR, etc.  When no query type is specified,
+      <span><strong class="command">host</strong></span> automatically selects an appropriate
+      query
+      type.  By default it looks for A records, but if the
+      <code class="option">-C</code> option was given, queries will be made for SOA
+      records, and if <em class="parameter"><code>name</code></em> is a
+      dotted-decimal IPv4
+      address or colon-delimited IPv6 address, <span><strong class="command">host</strong></span> will
+      query for PTR records.  If a query type of IXFR is chosen the starting
+      serial number can be specified by appending an equal followed by the
+      starting serial number (e.g. -t IXFR=12345678).
+    </p>
+<p>
+      The time to wait for a reply can be controlled through the
+      <code class="option">-W</code> and <code class="option">-w</code> options.  The
+      <code class="option">-W</code> option makes <span><strong class="command">host</strong></span>
+      wait for
+      <em class="parameter"><code>wait</code></em> seconds.  If <em class="parameter"><code>wait</code></em>
+      is less than one, the wait interval is set to one second.  When the
+      <code class="option">-w</code> option is used, <span><strong class="command">host</strong></span>
+      will
+      effectively wait forever for a reply.  The time to wait for a response
+      will be set to the number of seconds given by the hardware's maximum
+      value for an integer quantity.
+    </p>
+<p>
+      The <code class="option">-s</code> option tells <span><strong class="command">host</strong></span> 
+      <span class="emphasis"><em>not</em></span> to send the query to the next nameserver
+      if any server responds with a SERVFAIL response, which is the
+      reverse of normal stub resolver behavior.
+    </p>
+<p>
+      The <code class="option">-m</code> can be used to set the memory usage debugging
+      flags
+      <em class="parameter"><code>record</code></em>, <em class="parameter"><code>usage</code></em> and
+      <em class="parameter"><code>trace</code></em>.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543725"></a><h2>IDN SUPPORT</h2>
+<p>
+      If <span><strong class="command">host</strong></span> has been built with IDN (internationalized
+      domain name) support, it can accept and display non-ASCII domain names. 
+      <span><strong class="command">host</strong></span> appropriately converts character encoding of
+      domain name before sending a request to DNS server or displaying a
+      reply from the server.
+      If you'd like to turn off the IDN support for some reason, defines
+      the <code class="envar">IDN_DISABLE</code> environment variable.
+      The IDN support is disabled if the variable is set when
+      <span><strong class="command">host</strong></span> runs.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543748"></a><h2>FILES</h2>
+<p><code class="filename">/etc/resolv.conf</code>
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543828"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
+      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
+    </p>
+</div>
+</div></body>
+</html>

bin/dig/include/dig/dig.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dig.h,v 1.71.2.6.2.7 2004/09/06 01:33:06 marka Exp $ */
+/* $Id: dig.h,v 1.104 2007/04/03 23:06:39 marka Exp $ */
 
 #ifndef DIG_H
 #define DIG_H
 
+/*! \file */
+
 #include <dns/rdatalist.h>
 
 #include <dst/dst.h>
@@ -35,45 +37,44 @@
 #include <isc/sockaddr.h>
 #include <isc/socket.h>
 
-#define MXSERV 6
+#define MXSERV 20
 #define MXNAME (DNS_NAME_MAXTEXT+1)
 #define MXRD 32
+/*% Buffer Size */
 #define BUFSIZE 512
 #define COMMSIZE 0xffff
 #ifndef RESOLV_CONF
+/*% location of resolve.conf */
 #define RESOLV_CONF "/etc/resolv.conf"
 #endif
+/*% output buffer */
 #define OUTPUTBUF 32767
+/*% Max RR Limit */
 #define MAXRRLIMIT 0xffffffff
 #define MAXTIMEOUT 0xffff
+/*% Max number of tries */
 #define MAXTRIES 0xffffffff
+/*% Max number of dots */
 #define MAXNDOTS 0xffff
+/*% Max number of ports */
 #define MAXPORT 0xffff
+/*% Max serial number */
 #define MAXSERIAL 0xffffffff
 
-/*
- * Default timeout values
- */
+/*% Default TCP Timeout */
 #define TCP_TIMEOUT 10
+/*% Default UDP Timeout */
 #define UDP_TIMEOUT 5
 
 #define SERVER_TIMEOUT 1
 
 #define LOOKUP_LIMIT 64
-/*
+/*%
  * Lookup_limit is just a limiter, keeping too many lookups from being
  * created.  It's job is mainly to prevent the program from running away
  * in a tight loop of constant lookups.  It's value is arbitrary.
  */
 
-#define ROOTNS 1
-/*
- * Set the number of root servers to ask for information when running in
- * trace mode.
- * XXXMWS -- trace mode is currently semi-broken, and this number *MUST*
- * be 1.
- */
-
 /*
  * Defaults for the sigchase suboptions.  Consolidated here because
  * these control the layout of dig_lookup_t (among other things).
@@ -98,22 +99,23 @@ typedef struct dig_message dig_message_t;
 typedef ISC_LIST(dig_server_t) dig_serverlist_t;
 typedef struct dig_searchlist dig_searchlist_t;
 
+/*% The dig_lookup structure */
 struct dig_lookup {
 	isc_boolean_t
-	        pending, /* Pending a successful answer */
+	        pending, /*%< Pending a successful answer */
 		waiting_connect,
 		doing_xfr,
-		ns_search_only, /* dig +nssearch, host -C */
-		identify, /* Append an "on server <foo>" message */
-		identify_previous_line, /* Prepend a "Nameserver <foo>:"
+		ns_search_only, /*%< dig +nssearch, host -C */
+		identify, /*%< Append an "on server <foo>" message */
+		identify_previous_line, /*% Prepend a "Nameserver <foo>:"
 					   message, with newline and tab */
 		ignore,
 		recurse,
 		aaonly,
 		adflag,
 		cdflag,
-		trace, /* dig +trace */
-		trace_root, /* initial query for either +trace or +nssearch */
+		trace, /*% dig +trace */
+		trace_root, /*% initial query for either +trace or +nssearch */
 		tcp_mode,
 		ip6_int,
 		comments,
@@ -124,6 +126,8 @@ struct dig_lookup {
 		section_additional,
 		servfail_stops,
 		new_search,
+		need_search,
+		done_as_is,
 		besteffort,
 		dnssec;
 #ifdef DIG_SIGCHASE
@@ -138,7 +142,7 @@ isc_boolean_t	sigchase;
 #endif
 #endif
 	
-	char textname[MXNAME]; /* Name we're going to be looking up */
+	char textname[MXNAME]; /*% Name we're going to be looking up */
 	char cmdline[MXNAME];
 	dns_rdatatype_t rdtype;
 	dns_rdatatype_t qrdtype;
@@ -154,7 +158,7 @@ isc_boolean_t	sigchase;
 	char onamespace[BUFSIZE];
 	isc_buffer_t namebuf;
 	isc_buffer_t onamebuf;
-	isc_buffer_t sendbuf;
+	isc_buffer_t renderbuf;
 	char *sendspace;
 	dns_name_t *name;
 	isc_timer_t *timer;
@@ -170,17 +174,22 @@ isc_boolean_t	sigchase;
 	isc_uint32_t retries;
 	int nsfound;
 	isc_uint16_t udpsize;
+	isc_int16_t edns;
 	isc_uint32_t ixfr_serial;
 	isc_buffer_t rdatabuf;
 	char rdatastore[MXNAME];
 	dst_context_t *tsigctx;
 	isc_buffer_t *querysig;
 	isc_uint32_t msgcounter;
+	dns_fixedname_t fdomain;
 };
 
+/*% The dig_query structure */
 struct dig_query {
 	dig_lookup_t *lookup;
 	isc_boolean_t waiting_connect,
+		pending_free,
+		waiting_senddone,
 		first_pass,
 		first_soa_rcvd,
 		second_rr_rcvd,
@@ -206,6 +215,8 @@ struct dig_query {
 	ISC_LINK(dig_query_t) link;
 	isc_sockaddr_t sockaddr;
 	isc_time_t time_sent;
+	isc_uint64_t byte_count;
+	isc_buffer_t sendbuf;
 };
 
 struct dig_server {
@@ -224,6 +235,52 @@ struct dig_message {
 		ISC_LINK(dig_message_t) link;
 };
 #endif
+
+typedef ISC_LIST(dig_searchlist_t) dig_searchlistlist_t;
+typedef ISC_LIST(dig_lookup_t) dig_lookuplist_t;
+
+/*
+ * Externals from dighost.c
+ */
+
+extern dig_lookuplist_t lookup_list;
+extern dig_serverlist_t server_list;
+extern dig_searchlistlist_t search_list;
+extern unsigned int extrabytes;
+
+extern isc_boolean_t check_ra, have_ipv4, have_ipv6, specified_source,
+        usesearch, showsearch, qr;
+extern in_port_t port;
+extern unsigned int timeout;
+extern isc_mem_t *mctx;
+extern dns_messageid_t id;
+extern int sendcount;
+extern int ndots;
+extern int lookup_counter;
+extern int exitcode;
+extern isc_sockaddr_t bind_address;
+extern char keynametext[MXNAME];
+extern char keyfile[MXNAME];
+extern char keysecret[MXNAME];
+extern dns_name_t *hmacname;
+extern unsigned int digestbits;
+#ifdef DIG_SIGCHASE
+extern char trustedkey[MXNAME];
+#endif
+extern dns_tsigkey_t *key;
+extern isc_boolean_t validated;
+extern isc_taskmgr_t *taskmgr;
+extern isc_task_t *global_task;
+extern isc_boolean_t free_now;
+extern isc_boolean_t debugging, memdebugging;
+
+extern char *progname;
+extern int tries;
+extern int fatalexit;
+#ifdef WITH_IDN
+extern int idnoptions;
+#endif
+
 /*
  * Routines in dighost.c.
  */
@@ -246,6 +303,9 @@ check_result(isc_result_t result, const char *msg);
 void
 setup_lookup(dig_lookup_t *lookup);
 
+void
+destroy_lookup(dig_lookup_t *lookup);
+
 void
 do_lookup(dig_lookup_t *lookup);
 
@@ -311,13 +371,13 @@ printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset,
 
 isc_result_t
 printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers);
-/*
+/*%<
  * Print the final result of the lookup.
  */
 
 void
 received(int bytes, isc_sockaddr_t *from, dig_query_t *query);
-/*
+/*%<
  * Print a message about where and when the response
  * was received from, like the final comment in the
  * output of "dig".

bin/dig/nslookup.1

@@ -1,184 +1,241 @@
-.\" Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-.\"
+.\" Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+.\" 
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
 .\" copyright notice and this permission notice appear in all copies.
-.\"
+.\" 
 .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: nslookup.1,v 1.1.6.2 2004/08/20 02:29:39 marka Exp $
+.\" $Id: nslookup.1,v 1.14 2007/05/16 06:12:01 marka Exp $
 .\"
-.TH "NSLOOKUP" "1" "Jun 30, 2000" "BIND9" ""
-.SH NAME
+.hy 0
+.ad l
+.\"     Title: nslookup
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\"      Date: Jun 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
+.TH "NSLOOKUP" "1" "Jun 30, 2000" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
 nslookup \- query Internet name servers interactively
-.SH SYNOPSIS
-.sp
-\fBnslookup\fR [ \fB-option\fR ]  [ \fBname | -\fR ]  [ \fBserver\fR ] 
+.SH "SYNOPSIS"
+.HP 9
+\fBnslookup\fR [\fB\-option\fR] [name\ |\ \-] [server]
 .SH "DESCRIPTION"
 .PP
 \fBNslookup\fR
-is a program to query Internet domain name servers. \fBNslookup\fR
-has two modes: interactive and non-interactive. Interactive mode allows
-the user to query name servers for information about various hosts and
-domains or to print a list of hosts in a domain. Non-interactive mode is
-used to print just the name and requested information for a host or
-domain.
+is a program to query Internet domain name servers.
+\fBNslookup\fR
+has two modes: interactive and non\-interactive. Interactive mode allows the user to query name servers for information about various hosts and domains or to print a list of hosts in a domain. Non\-interactive mode is used to print just the name and requested information for a host or domain.
 .SH "ARGUMENTS"
 .PP
 Interactive mode is entered in the following cases:
-.IP 1. 
+.TP 4
+1.
 when no arguments are given (the default name server will be used)
-.IP 2. 
-when the first argument is a hyphen (-) and the second argument is
-the host name or Internet address of a name server.
-.PP
-Non-interactive mode is used when the name or Internet address of the
-host to be looked up is given as the first argument. The optional second
-argument specifies the host name or address of a name server.
-.PP
-Options can also be specified on the command line if they precede the
-arguments and are prefixed with a hyphen. For example, to
-change the default query type to host information, and the initial timeout to 10 seconds, type:
-.PP
+.TP 4
+2.
+when the first argument is a hyphen (\-) and the second argument is the host name or Internet address of a name server.
 .sp
-.nf
-nslookup -query=hinfo  -timeout=10
-.sp
-.fi
-.SH "INTERACTIVE COMMANDS"
-.TP
-\fBhost [server]\fR
-Look up information for host using the current default server or
-using server, if specified. If host is an Internet address and
-the query type is A or PTR, the name of the host is returned.
-If host is a name and does not have a trailing period, the
-search list is used to qualify the name.
-
-To look up a host not in the current domain, append a period to
-the name.
-.TP
-\fBserver \fIdomain\fB\fR
-.TP
-\fBlserver \fIdomain\fB\fR
-Change the default server to \fIdomain\fR; lserver uses the initial
-server to look up information about \fIdomain\fR, while server uses
-the current default server. If an authoritative answer can't be
-found, the names of servers that might have the answer are
-returned.
-.TP
-\fBroot\fR
-not implemented
-.TP
-\fBfinger\fR
-not implemented
-.TP
-\fBls\fR
-not implemented
-.TP
-\fBview\fR
-not implemented
-.TP
-\fBhelp\fR
-not implemented
-.TP
-\fB?\fR
-not implemented
-.TP
-\fBexit\fR
-Exits the program.
-.TP
-\fBset \fIkeyword[=value]\fB\fR
-This command is used to change state information that affects
-the lookups. Valid keywords are:
-.RS
-.TP
-\fBall\fR
-Prints the current values of the frequently used
-options to \fBset\fR. Information about the current default
-server and host is also printed.
-.TP
-\fBclass=\fIvalue\fB\fR
-Change the query class to one of:
-.RS
-.TP
-\fBIN\fR
-the Internet class
-.TP
-\fBCH\fR
-the Chaos class
-.TP
-\fBHS\fR
-the Hesiod class
-.TP
-\fBANY\fR
-wildcard
 .RE
 .PP
+Non\-interactive mode is used when the name or Internet address of the host to be looked up is given as the first argument. The optional second argument specifies the host name or address of a name server.
+.PP
+Options can also be specified on the command line if they precede the arguments and are prefixed with a hyphen. For example, to change the default query type to host information, and the initial timeout to 10 seconds, type:
+.sp .RS 4 .nf nslookup \-query=hinfo \-timeout=10 .fi .RE
+.SH "INTERACTIVE COMMANDS"
+.PP
+\fBhost\fR [server]
+.RS 4
+Look up information for host using the current default server or using server, if specified. If host is an Internet address and the query type is A or PTR, the name of the host is returned. If host is a name and does not have a trailing period, the search list is used to qualify the name.
+.sp
+To look up a host not in the current domain, append a period to the name.
+.RE
+.PP
+\fBserver\fR \fIdomain\fR
+.RS 4
+.RE
+.PP
+\fBlserver\fR \fIdomain\fR
+.RS 4
+Change the default server to
+\fIdomain\fR;
+\fBlserver\fR
+uses the initial server to look up information about
+\fIdomain\fR, while
+\fBserver\fR
+uses the current default server. If an authoritative answer can't be found, the names of servers that might have the answer are returned.
+.RE
+.PP
+\fBroot\fR
+.RS 4
+not implemented
+.RE
+.PP
+\fBfinger\fR
+.RS 4
+not implemented
+.RE
+.PP
+\fBls\fR
+.RS 4
+not implemented
+.RE
+.PP
+\fBview\fR
+.RS 4
+not implemented
+.RE
+.PP
+\fBhelp\fR
+.RS 4
+not implemented
+.RE
+.PP
+\fB?\fR
+.RS 4
+not implemented
+.RE
+.PP
+\fBexit\fR
+.RS 4
+Exits the program.
+.RE
+.PP
+\fBset\fR \fIkeyword\fR\fI[=value]\fR
+.RS 4
+This command is used to change state information that affects the lookups. Valid keywords are:
+.RS 4
+.PP
+\fBall\fR
+.RS 4
+Prints the current values of the frequently used options to
+\fBset\fR. Information about the current default server and host is also printed.
+.RE
+.PP
+\fBclass=\fR\fIvalue\fR
+.RS 4
+Change the query class to one of:
+.RS 4
+.PP
+\fBIN\fR
+.RS 4
+the Internet class
+.RE
+.PP
+\fBCH\fR
+.RS 4
+the Chaos class
+.RE
+.PP
+\fBHS\fR
+.RS 4
+the Hesiod class
+.RE
+.PP
+\fBANY\fR
+.RS 4
+wildcard
+.RE
+.RE
+.IP "" 4
 The class specifies the protocol group of the information.
-
+.sp
 (Default = IN; abbreviation = cl)
-.TP
-\fB\fI[no]\fBdebug\fR
-Turn debugging mode on. A lot more information is
-printed about the packet sent to the server and the
-resulting answer.
-
-(Default = nodebug; abbreviation = [no]deb)
-.TP
-\fB\fI[no]\fBd2\fR
-Turn debugging mode on. A lot more information is
-printed about the packet sent to the server and the
-resulting answer.
-
+.RE
+.PP
+\fB \fR\fB\fI[no]\fR\fR\fBdebug\fR
+.RS 4
+Turn on or off the display of the full response packet and any intermediate response packets when searching.
+.sp
+(Default = nodebug; abbreviation =
+[no]deb)
+.RE
+.PP
+\fB \fR\fB\fI[no]\fR\fR\fBd2\fR
+.RS 4
+Turn debugging mode on or off. This displays more about what nslookup is doing.
+.sp
 (Default = nod2)
-.TP
-\fBdomain=\fIname\fB\fR
-Sets the search list to \fIname\fR.
-.TP
-\fB\fI[no]\fBsearch\fR
-If the lookup request contains at least one period but
-doesn't end with a trailing period, append the domain
-names in the domain search list to the request until an
-answer is received.
-
+.RE
+.PP
+\fBdomain=\fR\fIname\fR
+.RS 4
+Sets the search list to
+\fIname\fR.
+.RE
+.PP
+\fB \fR\fB\fI[no]\fR\fR\fBsearch\fR
+.RS 4
+If the lookup request contains at least one period but doesn't end with a trailing period, append the domain names in the domain search list to the request until an answer is received.
+.sp
 (Default = search)
-.TP
-\fBport=\fIvalue\fB\fR
-Change the default TCP/UDP name server port to \fIvalue\fR.
-
+.RE
+.PP
+\fBport=\fR\fIvalue\fR
+.RS 4
+Change the default TCP/UDP name server port to
+\fIvalue\fR.
+.sp
 (Default = 53; abbreviation = po)
-.TP
-\fBquerytype=\fIvalue\fB\fR
-.TP
-\fBtype=\fIvalue\fB\fR
-Change the top of the information query.
-
+.RE
+.PP
+\fBquerytype=\fR\fIvalue\fR
+.RS 4
+.RE
+.PP
+\fBtype=\fR\fIvalue\fR
+.RS 4
+Change the type of the information query.
+.sp
 (Default = A; abbreviations = q, ty)
-.TP
-\fB\fI[no]\fBrecurse\fR
-Tell the name server to query other servers if it does not have the
-information.
-
+.RE
+.PP
+\fB \fR\fB\fI[no]\fR\fR\fBrecurse\fR
+.RS 4
+Tell the name server to query other servers if it does not have the information.
+.sp
 (Default = recurse; abbreviation = [no]rec)
-.TP
-\fBretry=\fInumber\fB\fR
+.RE
+.PP
+\fBretry=\fR\fInumber\fR
+.RS 4
 Set the number of retries to number.
-.TP
-\fBtimeout=\fInumber\fB\fR
-Change the initial timeout interval for waiting for a
-reply to number seconds.
-.TP
-\fB\fI[no]\fBvc\fR
+.RE
+.PP
+\fBtimeout=\fR\fInumber\fR
+.RS 4
+Change the initial timeout interval for waiting for a reply to number seconds.
+.RE
+.PP
+\fB \fR\fB\fI[no]\fR\fR\fBvc\fR
+.RS 4
 Always use a virtual circuit when sending requests to the server.
-
+.sp
 (Default = novc)
 .RE
+.PP
+\fB \fR\fB\fI[no]\fR\fR\fBfail\fR
+.RS 4
+Try the next nameserver if a nameserver responds with SERVFAIL or a referral (nofail) or terminate query (fail) on such a response.
+.sp
+(Default = nofail)
+.RE
+.RE
+.IP "" 4
+.RE
 .SH "FILES"
 .PP
 \fI/etc/resolv.conf\fR
@@ -190,3 +247,6 @@ Always use a virtual circuit when sending requests to the server.
 .SH "AUTHOR"
 .PP
 Andrew Cherenson
+.SH "COPYRIGHT"
+Copyright \(co 2004\-2007 Internet Systems Consortium, Inc. ("ISC")
+.br

bin/dig/nslookup.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nslookup.c,v 1.90.2.4.2.8 2004/09/06 01:33:05 marka Exp $ */
+/* $Id: nslookup.c,v 1.116 2007/04/24 23:46:56 tbox Exp $ */
 
 #include <config.h>
 
@@ -44,26 +44,14 @@
 
 #include <dig/dig.h>
 
-extern ISC_LIST(dig_lookup_t) lookup_list;
-extern dig_serverlist_t server_list;
-extern ISC_LIST(dig_searchlist_t) search_list;
-
-extern isc_boolean_t usesearch, debugging;
-extern in_port_t port;
-extern unsigned int timeout;
-extern isc_mem_t *mctx;
-extern int tries;
-extern int lookup_counter;
-extern isc_task_t *global_task;
-extern char *progname;
-
 static isc_boolean_t short_form = ISC_TRUE,
 	tcpmode = ISC_FALSE,
 	identify = ISC_FALSE, stats = ISC_TRUE,
 	comments = ISC_TRUE, section_question = ISC_TRUE,
 	section_answer = ISC_TRUE, section_authority = ISC_TRUE,
 	section_additional = ISC_TRUE, recurse = ISC_TRUE,
-	aaonly = ISC_FALSE;
+	aaonly = ISC_FALSE, nofail = ISC_TRUE;
+
 static isc_boolean_t in_use = ISC_FALSE;
 static char defclass[MXRD] = "IN";
 static char deftype[MXRD] = "A";
@@ -422,8 +410,9 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 		char nametext[DNS_NAME_FORMATSIZE];
 		dns_name_format(query->lookup->name,
 				nametext, sizeof(nametext));
-		printf("** server can't find %s: %s\n", nametext,
-		       rcodetext[msg->rcode]);
+		printf("** server can't find %s: %s\n",
+		       (msg->rcode != dns_rcode_nxdomain) ? nametext :
+		       query->lookup->textname, rcodetext[msg->rcode]);
 		debug("returning with rcode == 0");
 		return (ISC_R_SUCCESS);
 	}
@@ -632,8 +621,10 @@ setoption(char *opt) {
 		tcpmode = ISC_FALSE;
  	} else if (strncasecmp(opt, "deb", 3) == 0) {
 		short_form = ISC_FALSE;
+		showsearch = ISC_TRUE;
 	} else if (strncasecmp(opt, "nodeb", 5) == 0) {
 		short_form = ISC_TRUE;
+		showsearch = ISC_FALSE;
  	} else if (strncasecmp(opt, "d2", 2) == 0) {
 		debugging = ISC_TRUE;
 	} else if (strncasecmp(opt, "nod2", 4) == 0) {
@@ -644,6 +635,10 @@ setoption(char *opt) {
 		usesearch = ISC_FALSE;
 	} else if (strncasecmp(opt, "sil", 3) == 0) {
 		/* deprecation_msg = ISC_FALSE; */
+	} else if (strncasecmp(opt, "fail", 3) == 0) {
+		nofail=ISC_FALSE;
+	} else if (strncasecmp(opt, "nofail", 3) == 0) {
+		nofail=ISC_TRUE;
 	} else {
 		printf("*** Invalid option: %s\n", opt);	
 	}
@@ -702,6 +697,8 @@ addlookup(char *opt) {
 	lookup->section_authority = section_authority;
 	lookup->section_additional = section_additional;
 	lookup->new_search = ISC_TRUE;
+	if (nofail)
+		lookup->servfail_stops = ISC_FALSE;
 	ISC_LIST_INIT(lookup->q);
 	ISC_LINK_INIT(lookup, link);
 	ISC_LIST_APPEND(lookup_list, lookup, link);
@@ -721,6 +718,7 @@ get_next_command(void) {
 	if (buf == NULL)
 		fatal("memory allocation failure");
 	fputs("> ", stderr);
+	fflush(stderr);
 	isc_app_block();
 	ptr = fgets(buf, COMMSIZE, stdin);
 	isc_app_unblock();
@@ -740,6 +738,7 @@ get_next_command(void) {
 		 (strcasecmp(ptr, "lserver") == 0)) {
 		isc_app_block();
 		set_nameserver(arg);
+		check_ra = ISC_FALSE;
 		isc_app_unblock();
 		show_settings(ISC_TRUE, ISC_TRUE);
 	} else if (strcasecmp(ptr, "exit") == 0) {
@@ -778,9 +777,10 @@ parse_args(int argc, char **argv) {
 				have_lookup = ISC_TRUE;
 				in_use = ISC_TRUE;
 				addlookup(argv[0]);
-			}
-			else
+			} else {
 				set_nameserver(argv[0]);
+				check_ra = ISC_FALSE;
+			}
 		}
 	}
 }
@@ -856,6 +856,8 @@ main(int argc, char **argv) {
 	ISC_LIST_INIT(server_list);
 	ISC_LIST_INIT(search_list);
 
+	check_ra = ISC_TRUE;
+
 	result = isc_app_start();
 	check_result(result, "isc_app_start");
 

bin/dig/nslookup.docbook

@@ -1,6 +1,8 @@
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -15,12 +17,11 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: nslookup.docbook,v 1.3.6.3 2004/08/30 00:50:11 marka Exp $ -->
-
+<!-- $Id: nslookup.docbook,v 1.15 2007/05/16 01:42:26 marka Exp $ -->
 <!--
  - Copyright (c) 1985, 1989
  -    The Regents of the University of California.  All rights reserved.
- - 
+ -
  - Redistribution and use in source and binary forms, with or without
  - modification, are permitted provided that the following conditions
  - are met:
@@ -36,7 +37,7 @@
  - 4. Neither the name of the University nor the names of its contributors
  -    may be used to endorse or promote products derived from this software
  -    without specific prior written permission.
- - 
+ -
  - THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
  - ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -49,272 +50,447 @@
  - OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  - SUCH DAMAGE.
 -->
-
 <refentry>
 
-<refentryinfo>
-<date>Jun 30, 2000</date>
-</refentryinfo>
+  <refentryinfo>
+    <date>Jun 30, 2000</date>
+  </refentryinfo>
 
-<refmeta>
-<refentrytitle>nslookup</refentrytitle>
-<manvolnum>1</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
+  <refmeta>
+    <refentrytitle>nslookup</refentrytitle>
+    <manvolnum>1</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
 
-<refnamediv>
-<refname>nslookup</refname>
-<refpurpose>query Internet name servers interactively</refpurpose>
-</refnamediv>
+  <refnamediv>
+    <refname>nslookup</refname>
+    <refpurpose>query Internet name servers interactively</refpurpose>
+  </refnamediv>
 
-<refsynopsisdiv>
-<cmdsynopsis>
-  <command>nslookup</command>
-  <arg><option>-option</option></arg>
-  <arg choice=opt>name | -</arg>
-  <arg choice=opt>server</arg>
-</cmdsynopsis>
-</refsynopsisdiv>
+  <docinfo>
+    <copyright>
+      <year>2004</year>
+      <year>2005</year>
+      <year>2006</year>
+      <year>2007</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+  </docinfo>
 
-<refsect1>
-<title>DESCRIPTION</title>
-<para>
-<command>Nslookup</command>
-is a program to query Internet domain name servers.  <command>Nslookup</command>
-has two modes: interactive and non-interactive.  Interactive mode allows
-the user to query name servers for information about various hosts and
-domains or to print a list of hosts in a domain.  Non-interactive mode is
-used to print just the name and requested information for a host or
-domain.
-</para>
-</refsect1>
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>nslookup</command>
+      <arg><option>-option</option></arg>
+      <arg choice="opt">name | -</arg>
+      <arg choice="opt">server</arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
 
-<refsect1>
-<title>ARGUMENTS</title>
-<para>
-Interactive mode is entered in the following cases:
-<OrderedList Numeration=Loweralpha>
-<Listitem>
-<para>
-when no arguments are given (the default name server will be used)
-</para>
-</Listitem>
-<Listitem>
-<para>
-when the first argument is a hyphen (-) and the second argument is
-the host name or Internet address of a name server.
-</para>
-</Listitem>
-</OrderedList>
-</para>
+  <refsect1>
+    <title>DESCRIPTION</title>
+    <para><command>Nslookup</command>
+      is a program to query Internet domain name servers.  <command>Nslookup</command>
+      has two modes: interactive and non-interactive.  Interactive mode allows
+      the user to query name servers for information about various hosts and
+      domains or to print a list of hosts in a domain.  Non-interactive mode
+      is
+      used to print just the name and requested information for a host or
+      domain.
+    </para>
+  </refsect1>
 
-<para>
-Non-interactive mode is used when the name or Internet address of the
-host to be looked up is given as the first argument. The optional second
-argument specifies the host name or address of a name server.
-</para>
+  <refsect1>
+    <title>ARGUMENTS</title>
+    <para>
+      Interactive mode is entered in the following cases:
+      <orderedlist numeration="loweralpha">
+        <listitem>
+          <para>
+            when no arguments are given (the default name server will be used)
+          </para>
+        </listitem>
+        <listitem>
+          <para>
+            when the first argument is a hyphen (-) and the second argument is
+            the host name or Internet address of a name server.
+          </para>
+        </listitem>
+      </orderedlist>
+    </para>
 
-<para>
-Options can also be specified on the command line if they precede the
-arguments and are prefixed with a hyphen.  For example, to
-change the default query type to host information, and the initial timeout to 10 seconds, type:
-<InformalExample>
-<PROGRAMLISTING>
+    <para>
+      Non-interactive mode is used when the name or Internet address of the
+      host to be looked up is given as the first argument. The optional second
+      argument specifies the host name or address of a name server.
+    </para>
+
+    <para>
+      Options can also be specified on the command line if they precede the
+      arguments and are prefixed with a hyphen.  For example, to
+      change the default query type to host information, and the initial
+      timeout to 10 seconds, type:
+      <informalexample>
+        <programlisting>
 nslookup -query=hinfo  -timeout=10
-</PROGRAMLISTING>
-</InformalExample>
-</para>
+</programlisting>
+      </informalexample>
+    </para>
 
-</refsect1>
+  </refsect1>
 
-<refsect1>
-<title>INTERACTIVE COMMANDS</title>
-<variablelist>
-<varlistentry><term>host <optional>server</optional></term>
-<listitem><para>
-Look up information for host using the current default server or
-using server, if specified.  If host is an Internet address and
-the query type is A or PTR, the name of the host is returned.
-If host is a name and does not have a trailing period, the
-search list is used to qualify the name.
-</para>
+  <refsect1>
+    <title>INTERACTIVE COMMANDS</title>
+    <variablelist>
+      <varlistentry>
+        <term><constant>host</constant> <optional>server</optional></term>
+        <listitem>
+          <para>
+            Look up information for host using the current default server or
+            using server, if specified.  If host is an Internet address and
+            the query type is A or PTR, the name of the host is returned.
+            If host is a name and does not have a trailing period, the
+            search list is used to qualify the name.
+          </para>
 
-<para>
-To look up a host not in the current domain, append a period to
-the name.
-</para></listitem></varlistentry>
+          <para>
+            To look up a host not in the current domain, append a period to
+            the name.
+          </para>
+        </listitem>
+      </varlistentry>
 
-<varlistentry><term><constant>server</constant> <replaceable class="parameter">domain</replaceable></term>
-<listitem><para></para></listitem></varlistentry>
-<varlistentry><term><constant>lserver</constant> <replaceable class="parameter">domain</replaceable></term>
-<listitem><para>
-Change the default server to <replaceable>domain</replaceable>; <constant>lserver</constant> uses the initial
-server to look up information about <replaceable>domain</replaceable>, while <constant>server</constant> uses
-the current default server.  If an authoritative answer can't be
-found, the names of servers that might have the answer are
-returned.
-</para></listitem></varlistentry>
+      <varlistentry>
+        <term><constant>server</constant> <replaceable class="parameter">domain</replaceable></term>
+        <listitem>
+          <para/>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term><constant>lserver</constant> <replaceable class="parameter">domain</replaceable></term>
+        <listitem>
+          <para>
+            Change the default server to <replaceable>domain</replaceable>; <constant>lserver</constant> uses the initial
+            server to look up information about <replaceable>domain</replaceable>, while <constant>server</constant> uses
+            the current default server.  If an authoritative answer can't be
+            found, the names of servers that might have the answer are
+            returned.
+          </para>
+        </listitem>
+      </varlistentry>
 
-<varlistentry><term><constant>root</constant></term>
-<listitem><para>not implemented</para></listitem></varlistentry>
+      <varlistentry>
+        <term><constant>root</constant></term>
+        <listitem>
+          <para>
+            not implemented
+          </para>
+        </listitem>
+      </varlistentry>
 
-<varlistentry><term><constant>finger</constant></term>
-<listitem><para>not implemented</para></listitem></varlistentry>
+      <varlistentry>
+        <term><constant>finger</constant></term>
+        <listitem>
+          <para>
+            not implemented
+          </para>
+        </listitem>
+      </varlistentry>
 
-<varlistentry><term><constant>ls</constant></term>
-<listitem><para>not implemented</para></listitem></varlistentry>
+      <varlistentry>
+        <term><constant>ls</constant></term>
+        <listitem>
+          <para>
+            not implemented
+          </para>
+        </listitem>
+      </varlistentry>
 
-<varlistentry><term><constant>view</constant></term>
-<listitem><para>not implemented</para></listitem></varlistentry>
+      <varlistentry>
+        <term><constant>view</constant></term>
+        <listitem>
+          <para>
+            not implemented
+          </para>
+        </listitem>
+      </varlistentry>
 
-<varlistentry><term><constant>help</constant></term>
-<listitem><para>not implemented</para></listitem></varlistentry>
+      <varlistentry>
+        <term><constant>help</constant></term>
+        <listitem>
+          <para>
+            not implemented
+          </para>
+        </listitem>
+      </varlistentry>
 
-<varlistentry><term><constant>?</constant></term>
-<listitem><para>not implemented</para></listitem></varlistentry>
+      <varlistentry>
+        <term><constant>?</constant></term>
+        <listitem>
+          <para>
+            not implemented
+          </para>
+        </listitem>
+      </varlistentry>
 
-<varlistentry><term><constant>exit</constant></term>
-<listitem><para>Exits the program.</para></listitem></varlistentry>
+      <varlistentry>
+        <term><constant>exit</constant></term>
+        <listitem>
+          <para>
+            Exits the program.
+          </para>
+        </listitem>
+      </varlistentry>
 
-<varlistentry><term><constant>set</constant> <replaceable>keyword<optional>=value</optional></replaceable></term>
-<listitem><para>This command is used to change state information that affects
-the lookups.  Valid keywords are:
- <variablelist>
-  <varlistentry><term><constant>all</constant></term>
-  <listitem>
-  <para>Prints the current values of the frequently used
-  options to <command>set</command>.  Information about the  current default
-  server and host is also printed.
-  </para>
-  </listitem>
-  </varlistentry>
+      <varlistentry>
+        <term><constant>set</constant>
+          <replaceable>keyword<optional>=value</optional></replaceable></term>
+        <listitem>
+          <para>
+            This command is used to change state information that affects
+            the lookups.  Valid keywords are:
+            <variablelist>
+              <varlistentry>
+                <term><constant>all</constant></term>
+                <listitem>
+                  <para>
+                    Prints the current values of the frequently used
+                    options to <command>set</command>.
+                    Information about the  current default
+                    server and host is also printed.
+                  </para>
+                </listitem>
+              </varlistentry>
 
-  <varlistentry><term><constant>class=</constant><replaceable>value</replaceable></term>
-  <listitem><para>
-   Change the query class to one of:
-   <variablelist>
-    <varlistentry><term><constant>IN</constant></term>
-    <listitem><para>the Internet class</para></listitem></varlistentry>
-    <varlistentry><term><constant>CH</constant></term>
-    <listitem><para>the Chaos class</para></listitem></varlistentry>
-    <varlistentry><term><constant>HS</constant></term>
-    <listitem><para>the Hesiod class</para></listitem></varlistentry>
-    <varlistentry><term><constant>ANY</constant></term>
-    <listitem><para>wildcard</para></listitem></varlistentry>
-   </variablelist>
-   The class specifies the protocol group of the information.
-   </para><para>
-   (Default = IN; abbreviation = cl)
-   </para></listitem>
-  </varlistentry>
+              <varlistentry>
+                <term><constant>class=</constant><replaceable>value</replaceable></term>
+                <listitem>
+                  <para>
+                    Change the query class to one of:
+                    <variablelist>
+                      <varlistentry>
+                        <term><constant>IN</constant></term>
+                        <listitem>
+                          <para>
+                            the Internet class
+                          </para>
+                        </listitem>
+                      </varlistentry>
+                      <varlistentry>
+                        <term><constant>CH</constant></term>
+                        <listitem>
+                          <para>
+                            the Chaos class
+                          </para>
+                        </listitem>
+                      </varlistentry>
+                      <varlistentry>
+                        <term><constant>HS</constant></term>
+                        <listitem>
+                          <para>
+                            the Hesiod class
+                          </para>
+                        </listitem>
+                      </varlistentry>
+                      <varlistentry>
+                        <term><constant>ANY</constant></term>
+                        <listitem>
+                          <para>
+                            wildcard
+                          </para>
+                        </listitem>
+                      </varlistentry>
+                    </variablelist>
+                    The class specifies the protocol group of the information.
 
-  <varlistentry><term><constant><replaceable><optional>no</optional></replaceable>debug</constant></term>
-  <listitem><para>
-  Turn debugging mode on.  A lot more information is
-  printed about the packet sent to the server and the
-  resulting answer.
-  </para><para>
-  (Default = nodebug; abbreviation = <optional>no</optional>deb)
-  </para></listitem></varlistentry>
+                  </para>
+		  <para>
+                    (Default = IN; abbreviation = cl)
+                  </para>
+                </listitem>
+              </varlistentry>
 
-  <varlistentry><term><constant><replaceable><optional>no</optional></replaceable>d2</constant></term>
-  <listitem><para>
-  Turn debugging mode on.  A lot more information is
-  printed about the packet sent to the server and the
-  resulting answer.
-  </para><para>
-  (Default = nod2)
-  </para></listitem></varlistentry>
+              <varlistentry>
+                <term><constant>
+                    <replaceable><optional>no</optional></replaceable>debug</constant></term>
+                <listitem>
+                  <para>
+		    Turn on or off the display of the full response packet and
+		    any intermediate response packets when searching.
+                  </para>
+		  <para>
+                    (Default = nodebug; abbreviation = <optional>no</optional>deb)
+                  </para>
+                </listitem>
+              </varlistentry>
 
-  <varlistentry><term><constant>domain=</constant><replaceable>name</replaceable></term>
-  <listitem><para>
-  Sets the search list to <replaceable>name</replaceable>.
-  </para></listitem></varlistentry>
+              <varlistentry>
+                <term><constant>
+                    <replaceable><optional>no</optional></replaceable>d2</constant></term>
+                <listitem>
+                  <para>
+                    Turn debugging mode on or off.  This displays more about
+	            what nslookup is doing.
+                  </para>
+		  <para>
+                    (Default = nod2)
+                  </para>
+                </listitem>
+              </varlistentry>
 
-  <varlistentry><term><constant><replaceable><optional>no</optional></replaceable>search</constant></term>
-  <listitem><para>
-  If the lookup request contains at least one period but
-  doesn't end with a trailing period, append the domain
-  names in the domain search list to the request until an
-  answer is received.
-  </para><para>
-  (Default = search)
-  </para></listitem></varlistentry>
+              <varlistentry>
+                <term><constant>domain=</constant><replaceable>name</replaceable></term>
+                <listitem>
+                  <para>
+                    Sets the search list to <replaceable>name</replaceable>.
+                  </para>
+                </listitem>
+              </varlistentry>
 
-  <varlistentry><term><constant>port=</constant><replaceable>value</replaceable></term>
-  <listitem><para>
-  Change the default TCP/UDP name server port to <replaceable>value</replaceable>.
-  </para><para>
-  (Default = 53; abbreviation = po)
-  </para></listitem></varlistentry>
+              <varlistentry>
+                <term><constant>
+                    <replaceable><optional>no</optional></replaceable>search</constant></term>
+                <listitem>
+                  <para>
+                    If the lookup request contains at least one period but
+                    doesn't end with a trailing period, append the domain
+                    names in the domain search list to the request until an
+                    answer is received.
+                  </para>
+		  <para>
+                    (Default = search)
+                  </para>
+                </listitem>
+              </varlistentry>
 
-  <varlistentry><term><constant>querytype=</constant><replaceable>value</replaceable></term>
-  <listitem><para></para></listitem></varlistentry>
+              <varlistentry>
+                <term><constant>port=</constant><replaceable>value</replaceable></term>
+                <listitem>
+                  <para>
+                    Change the default TCP/UDP name server port to <replaceable>value</replaceable>.
+                  </para>
+		  <para>
+                    (Default = 53; abbreviation = po)
+                  </para>
+                </listitem>
+              </varlistentry>
 
-  <varlistentry><term><constant>type=</constant><replaceable>value</replaceable></term>
-  <listitem><para>
-  Change the top of the information query.
-  </para><para>
-  (Default = A; abbreviations = q, ty)
-  </para></listitem></varlistentry>
+              <varlistentry>
+                <term><constant>querytype=</constant><replaceable>value</replaceable></term>
+                <listitem>
+                  <para/>
+                </listitem>
+              </varlistentry>
 
-  <varlistentry><term><constant><replaceable><optional>no</optional></replaceable>recurse</constant></term>
-  <listitem><para>
-  Tell the name server to query other servers if it does not have the
-  information.
-  </para><para>
-  (Default = recurse; abbreviation = [no]rec)
-  </para></listitem></varlistentry>
+              <varlistentry>
+                <term><constant>type=</constant><replaceable>value</replaceable></term>
+                <listitem>
+                  <para>
+                    Change the type of the information query.
+                  </para>
+		  <para>
+                    (Default = A; abbreviations = q, ty)
+                  </para>
+                </listitem>
+              </varlistentry>
 
-  <varlistentry><term><constant>retry=</constant><replaceable>number</replaceable></term>
-  <listitem><para>
-  Set the number of retries to number.
-  </para></listitem></varlistentry>
+              <varlistentry>
+                <term><constant>
+                    <replaceable><optional>no</optional></replaceable>recurse</constant></term>
+                <listitem>
+                  <para>
+                    Tell the name server to query other servers if it does not
+                    have the
+                    information.
+                  </para>
+		  <para>
+                    (Default = recurse; abbreviation = [no]rec)
+                  </para>
+                </listitem>
+              </varlistentry>
 
-  <varlistentry><term><constant>timeout=</constant><replaceable>number</replaceable></term>
-  <listitem><para>
-  Change the initial timeout interval for waiting for a
-  reply to number seconds.
-  </para></listitem></varlistentry>
+              <varlistentry>
+                <term><constant>retry=</constant><replaceable>number</replaceable></term>
+                <listitem>
+                  <para>
+                    Set the number of retries to number.
+                  </para>
+                </listitem>
+              </varlistentry>
 
-  <varlistentry><term><constant><replaceable><optional>no</optional></replaceable>vc</constant></term>
-  <listitem><para>
-  Always use a virtual circuit when sending requests to the server.
-  </para><para>
-  (Default = novc)
-  </para></listitem></varlistentry>
+              <varlistentry>
+                <term><constant>timeout=</constant><replaceable>number</replaceable></term>
+                <listitem>
+                  <para>
+                    Change the initial timeout interval for waiting for a
+                    reply to number seconds.
+                  </para>
+                </listitem>
+              </varlistentry>
 
-  </variablelist>
-</para></listitem></varlistentry>
-</variablelist>
-</refsect1>
+              <varlistentry>
+                <term><constant>
+                    <replaceable><optional>no</optional></replaceable>vc</constant></term>
+                <listitem>
+                  <para>
+                    Always use a virtual circuit when sending requests to the
+                    server.
+                  </para>
+		  <para>
+                    (Default = novc)
+                  </para>
+                </listitem>
+              </varlistentry>
 
-<refsect1>
-<title>FILES</title>
-<para>
-<filename>/etc/resolv.conf</filename>
-</para>
-</refsect1>
+              <varlistentry>
+                <term><constant>
+                    <replaceable><optional>no</optional></replaceable>fail</constant></term>
+                <listitem>
+                  <para>
+		    Try the next nameserver if a nameserver responds with
+		    SERVFAIL or a referral (nofail) or terminate query
+		    (fail) on such a response.
+		  </para>
+		  <para>
+                    (Default = nofail)
+                  </para>
+	        </listitem>
+	      </varlistentry>
 
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>host</refentrytitle><manvolnum>1</manvolnum>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
-</citerefentry>.
-</para>
-</refsect1>
+            </variablelist>
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
 
-<refsect1>
-<title>Author</title>
-<para>
-Andrew Cherenson
-</para>
-</refsect1>
-</refentry>
+  <refsect1>
+    <title>FILES</title>
+    <para><filename>/etc/resolv.conf</filename>
+    </para>
+  </refsect1>
+
+  <refsect1>
+    <title>SEE ALSO</title>
+    <para><citerefentry>
+        <refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>host</refentrytitle><manvolnum>1</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>.
+    </para>
+  </refsect1>
+
+  <refsect1>
+    <title>Author</title>
+    <para>
+      Andrew Cherenson
+    </para>
+  </refsect1>
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->

bin/dig/nslookup.html

@@ -1,617 +1,307 @@
 <!--
- - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- -
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ - 
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- -
+ - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
+<!-- $Id: nslookup.html,v 1.21 2007/05/16 06:12:01 marka Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>nslookup</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
+<a name="id2476276"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p>nslookup &#8212; query Internet name servers interactively</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">nslookup</code>  [<code class="option">-option</code>] [name | -] [server]</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543355"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">Nslookup</strong></span>
+      is a program to query Internet domain name servers.  <span><strong class="command">Nslookup</strong></span>
+      has two modes: interactive and non-interactive.  Interactive mode allows
+      the user to query name servers for information about various hosts and
+      domains or to print a list of hosts in a domain.  Non-interactive mode
+      is
+      used to print just the name and requested information for a host or
+      domain.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543371"></a><h2>ARGUMENTS</h2>
+<p>
+      Interactive mode is entered in the following cases:
+      </p>
+<div class="orderedlist"><ol type="a">
+<li><p>
+            when no arguments are given (the default name server will be used)
+          </p></li>
+<li><p>
+            when the first argument is a hyphen (-) and the second argument is
+            the host name or Internet address of a name server.
+          </p></li>
+</ol></div>
+<p>
+    </p>
+<p>
+      Non-interactive mode is used when the name or Internet address of the
+      host to be looked up is given as the first argument. The optional second
+      argument specifies the host name or address of a name server.
+    </p>
+<p>
+      Options can also be specified on the command line if they precede the
+      arguments and are prefixed with a hyphen.  For example, to
+      change the default query type to host information, and the initial
+      timeout to 10 seconds, type:
+      </p>
+<div class="informalexample"><pre class="programlisting">
+nslookup -query=hinfo  -timeout=10
+</pre></div>
+<p>
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543413"></a><h2>INTERACTIVE COMMANDS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term"><code class="constant">host</code> [<span class="optional">server</span>]</span></dt>
+<dd>
+<p>
+            Look up information for host using the current default server or
+            using server, if specified.  If host is an Internet address and
+            the query type is A or PTR, the name of the host is returned.
+            If host is a name and does not have a trailing period, the
+            search list is used to qualify the name.
+          </p>
+<p>
+            To look up a host not in the current domain, append a period to
+            the name.
+          </p>
+</dd>
+<dt><span class="term"><code class="constant">server</code> <em class="replaceable"><code>domain</code></em></span></dt>
+<dd><p></p></dd>
+<dt><span class="term"><code class="constant">lserver</code> <em class="replaceable"><code>domain</code></em></span></dt>
+<dd><p>
+            Change the default server to <em class="replaceable"><code>domain</code></em>; <code class="constant">lserver</code> uses the initial
+            server to look up information about <em class="replaceable"><code>domain</code></em>, while <code class="constant">server</code> uses
+            the current default server.  If an authoritative answer can't be
+            found, the names of servers that might have the answer are
+            returned.
+          </p></dd>
+<dt><span class="term"><code class="constant">root</code></span></dt>
+<dd><p>
+            not implemented
+          </p></dd>
+<dt><span class="term"><code class="constant">finger</code></span></dt>
+<dd><p>
+            not implemented
+          </p></dd>
+<dt><span class="term"><code class="constant">ls</code></span></dt>
+<dd><p>
+            not implemented
+          </p></dd>
+<dt><span class="term"><code class="constant">view</code></span></dt>
+<dd><p>
+            not implemented
+          </p></dd>
+<dt><span class="term"><code class="constant">help</code></span></dt>
+<dd><p>
+            not implemented
+          </p></dd>
+<dt><span class="term"><code class="constant">?</code></span></dt>
+<dd><p>
+            not implemented
+          </p></dd>
+<dt><span class="term"><code class="constant">exit</code></span></dt>
+<dd><p>
+            Exits the program.
+          </p></dd>
+<dt><span class="term"><code class="constant">set</code>
+          <em class="replaceable"><code>keyword[<span class="optional">=value</span>]</code></em></span></dt>
+<dd>
+<p>
+            This command is used to change state information that affects
+            the lookups.  Valid keywords are:
+            </p>
+<div class="variablelist"><dl>
+<dt><span class="term"><code class="constant">all</code></span></dt>
+<dd><p>
+                    Prints the current values of the frequently used
+                    options to <span><strong class="command">set</strong></span>.
+                    Information about the  current default
+                    server and host is also printed.
+                  </p></dd>
+<dt><span class="term"><code class="constant">class=</code><em class="replaceable"><code>value</code></em></span></dt>
+<dd>
+<p>
+                    Change the query class to one of:
+                    </p>
+<div class="variablelist"><dl>
+<dt><span class="term"><code class="constant">IN</code></span></dt>
+<dd><p>
+                            the Internet class
+                          </p></dd>
+<dt><span class="term"><code class="constant">CH</code></span></dt>
+<dd><p>
+                            the Chaos class
+                          </p></dd>
+<dt><span class="term"><code class="constant">HS</code></span></dt>
+<dd><p>
+                            the Hesiod class
+                          </p></dd>
+<dt><span class="term"><code class="constant">ANY</code></span></dt>
+<dd><p>
+                            wildcard
+                          </p></dd>
+</dl></div>
+<p>
+                    The class specifies the protocol group of the information.
 
-<!-- $Id: nslookup.html,v 1.1.6.3 2004/08/22 23:38:58 marka Exp $ -->
-
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-<HTML
-><HEAD
-><TITLE
->nslookup</TITLE
-><META
-NAME="GENERATOR"
-CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD
-><BODY
-CLASS="REFENTRY"
-BGCOLOR="#FFFFFF"
-TEXT="#000000"
-LINK="#0000FF"
-VLINK="#840084"
-ALINK="#0000FF"
-><H1
-><A
-NAME="AEN1"
-></A
->nslookup</H1
-><DIV
-CLASS="REFNAMEDIV"
-><A
-NAME="AEN8"
-></A
-><H2
->Name</H2
->nslookup&nbsp;--&nbsp;query Internet name servers interactively</DIV
-><DIV
-CLASS="REFSYNOPSISDIV"
-><A
-NAME="AEN11"
-></A
-><H2
->Synopsis</H2
-><P
-><B
-CLASS="COMMAND"
->nslookup</B
->  [<VAR
-CLASS="OPTION"
->-option</VAR
->] [name | -] [server]</P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN18"
-></A
-><H2
->DESCRIPTION</H2
-><P
-><B
-CLASS="COMMAND"
->Nslookup</B
->
-is a program to query Internet domain name servers.  <B
-CLASS="COMMAND"
->Nslookup</B
->
-has two modes: interactive and non-interactive.  Interactive mode allows
-the user to query name servers for information about various hosts and
-domains or to print a list of hosts in a domain.  Non-interactive mode is
-used to print just the name and requested information for a host or
-domain.</P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN23"
-></A
-><H2
->ARGUMENTS</H2
-><P
->Interactive mode is entered in the following cases:
-<P
-></P
-><OL
-TYPE="a"
-><LI
-><P
->when no arguments are given (the default name server will be used)</P
-></LI
-><LI
-><P
->when the first argument is a hyphen (-) and the second argument is
-the host name or Internet address of a name server.</P
-></LI
-></OL
-></P
-><P
->Non-interactive mode is used when the name or Internet address of the
-host to be looked up is given as the first argument. The optional second
-argument specifies the host name or address of a name server.</P
-><P
->Options can also be specified on the command line if they precede the
-arguments and are prefixed with a hyphen.  For example, to
-change the default query type to host information, and the initial timeout to 10 seconds, type:
-<DIV
-CLASS="INFORMALEXAMPLE"
-><P
-></P
-><A
-NAME="AEN33"
-></A
-><PRE
-CLASS="PROGRAMLISTING"
->nslookup -query=hinfo  -timeout=10</PRE
-><P
-></P
-></DIV
-></P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN35"
-></A
-><H2
->INTERACTIVE COMMANDS</H2
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
->host [<SPAN
-CLASS="OPTIONAL"
->server</SPAN
->]</DT
-><DD
-><P
->Look up information for host using the current default server or
-using server, if specified.  If host is an Internet address and
-the query type is A or PTR, the name of the host is returned.
-If host is a name and does not have a trailing period, the
-search list is used to qualify the name.</P
-><P
->To look up a host not in the current domain, append a period to
-the name.</P
-></DD
-><DT
-><CODE
-CLASS="CONSTANT"
->server</CODE
-> <VAR
-CLASS="REPLACEABLE"
->domain</VAR
-></DT
-><DD
-><P
-></P
-></DD
-><DT
-><CODE
-CLASS="CONSTANT"
->lserver</CODE
-> <VAR
-CLASS="REPLACEABLE"
->domain</VAR
-></DT
-><DD
-><P
->Change the default server to <VAR
-CLASS="REPLACEABLE"
->domain</VAR
->; <CODE
-CLASS="CONSTANT"
->lserver</CODE
-> uses the initial
-server to look up information about <VAR
-CLASS="REPLACEABLE"
->domain</VAR
->, while <CODE
-CLASS="CONSTANT"
->server</CODE
-> uses
-the current default server.  If an authoritative answer can't be
-found, the names of servers that might have the answer are
-returned.</P
-></DD
-><DT
-><CODE
-CLASS="CONSTANT"
->root</CODE
-></DT
-><DD
-><P
->not implemented</P
-></DD
-><DT
-><CODE
-CLASS="CONSTANT"
->finger</CODE
-></DT
-><DD
-><P
->not implemented</P
-></DD
-><DT
-><CODE
-CLASS="CONSTANT"
->ls</CODE
-></DT
-><DD
-><P
->not implemented</P
-></DD
-><DT
-><CODE
-CLASS="CONSTANT"
->view</CODE
-></DT
-><DD
-><P
->not implemented</P
-></DD
-><DT
-><CODE
-CLASS="CONSTANT"
->help</CODE
-></DT
-><DD
-><P
->not implemented</P
-></DD
-><DT
-><CODE
-CLASS="CONSTANT"
->?</CODE
-></DT
-><DD
-><P
->not implemented</P
-></DD
-><DT
-><CODE
-CLASS="CONSTANT"
->exit</CODE
-></DT
-><DD
-><P
->Exits the program.</P
-></DD
-><DT
-><CODE
-CLASS="CONSTANT"
->set</CODE
-> <VAR
-CLASS="REPLACEABLE"
->keyword[<SPAN
-CLASS="OPTIONAL"
->=value</SPAN
->]</VAR
-></DT
-><DD
-><P
->This command is used to change state information that affects
-the lookups.  Valid keywords are:
- <P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><CODE
-CLASS="CONSTANT"
->all</CODE
-></DT
-><DD
-><P
->Prints the current values of the frequently used
-  options to <B
-CLASS="COMMAND"
->set</B
->.  Information about the  current default
-  server and host is also printed.
-  </P
-></DD
-><DT
-><CODE
-CLASS="CONSTANT"
->class=</CODE
-><VAR
-CLASS="REPLACEABLE"
->value</VAR
-></DT
-><DD
-><P
->   Change the query class to one of:
-   <P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><CODE
-CLASS="CONSTANT"
->IN</CODE
-></DT
-><DD
-><P
->the Internet class</P
-></DD
-><DT
-><CODE
-CLASS="CONSTANT"
->CH</CODE
-></DT
-><DD
-><P
->the Chaos class</P
-></DD
-><DT
-><CODE
-CLASS="CONSTANT"
->HS</CODE
-></DT
-><DD
-><P
->the Hesiod class</P
-></DD
-><DT
-><CODE
-CLASS="CONSTANT"
->ANY</CODE
-></DT
-><DD
-><P
->wildcard</P
-></DD
-></DL
-></DIV
->
-   The class specifies the protocol group of the information.
-   </P
-><P
->   (Default = IN; abbreviation = cl)
-   </P
-></DD
-><DT
-><CODE
-CLASS="CONSTANT"
-><VAR
-CLASS="REPLACEABLE"
->[<SPAN
-CLASS="OPTIONAL"
->no</SPAN
->]</VAR
->debug</CODE
-></DT
-><DD
-><P
->  Turn debugging mode on.  A lot more information is
-  printed about the packet sent to the server and the
-  resulting answer.
-  </P
-><P
->  (Default = nodebug; abbreviation = [<SPAN
-CLASS="OPTIONAL"
->no</SPAN
->]deb)
-  </P
-></DD
-><DT
-><CODE
-CLASS="CONSTANT"
-><VAR
-CLASS="REPLACEABLE"
->[<SPAN
-CLASS="OPTIONAL"
->no</SPAN
->]</VAR
->d2</CODE
-></DT
-><DD
-><P
->  Turn debugging mode on.  A lot more information is
-  printed about the packet sent to the server and the
-  resulting answer.
-  </P
-><P
->  (Default = nod2)
-  </P
-></DD
-><DT
-><CODE
-CLASS="CONSTANT"
->domain=</CODE
-><VAR
-CLASS="REPLACEABLE"
->name</VAR
-></DT
-><DD
-><P
->  Sets the search list to <VAR
-CLASS="REPLACEABLE"
->name</VAR
->.
-  </P
-></DD
-><DT
-><CODE
-CLASS="CONSTANT"
-><VAR
-CLASS="REPLACEABLE"
->[<SPAN
-CLASS="OPTIONAL"
->no</SPAN
->]</VAR
->search</CODE
-></DT
-><DD
-><P
->  If the lookup request contains at least one period but
-  doesn't end with a trailing period, append the domain
-  names in the domain search list to the request until an
-  answer is received.
-  </P
-><P
->  (Default = search)
-  </P
-></DD
-><DT
-><CODE
-CLASS="CONSTANT"
->port=</CODE
-><VAR
-CLASS="REPLACEABLE"
->value</VAR
-></DT
-><DD
-><P
->  Change the default TCP/UDP name server port to <VAR
-CLASS="REPLACEABLE"
->value</VAR
->.
-  </P
-><P
->  (Default = 53; abbreviation = po)
-  </P
-></DD
-><DT
-><CODE
-CLASS="CONSTANT"
->querytype=</CODE
-><VAR
-CLASS="REPLACEABLE"
->value</VAR
-></DT
-><DD
-><P
-></P
-></DD
-><DT
-><CODE
-CLASS="CONSTANT"
->type=</CODE
-><VAR
-CLASS="REPLACEABLE"
->value</VAR
-></DT
-><DD
-><P
->  Change the top of the information query.
-  </P
-><P
->  (Default = A; abbreviations = q, ty)
-  </P
-></DD
-><DT
-><CODE
-CLASS="CONSTANT"
-><VAR
-CLASS="REPLACEABLE"
->[<SPAN
-CLASS="OPTIONAL"
->no</SPAN
->]</VAR
->recurse</CODE
-></DT
-><DD
-><P
->  Tell the name server to query other servers if it does not have the
-  information.
-  </P
-><P
->  (Default = recurse; abbreviation = [no]rec)
-  </P
-></DD
-><DT
-><CODE
-CLASS="CONSTANT"
->retry=</CODE
-><VAR
-CLASS="REPLACEABLE"
->number</VAR
-></DT
-><DD
-><P
->  Set the number of retries to number.
-  </P
-></DD
-><DT
-><CODE
-CLASS="CONSTANT"
->timeout=</CODE
-><VAR
-CLASS="REPLACEABLE"
->number</VAR
-></DT
-><DD
-><P
->  Change the initial timeout interval for waiting for a
-  reply to number seconds.
-  </P
-></DD
-><DT
-><CODE
-CLASS="CONSTANT"
-><VAR
-CLASS="REPLACEABLE"
->[<SPAN
-CLASS="OPTIONAL"
->no</SPAN
->]</VAR
->vc</CODE
-></DT
-><DD
-><P
->  Always use a virtual circuit when sending requests to the server.
-  </P
-><P
->  (Default = novc)
-  </P
-></DD
-></DL
-></DIV
-></P
-></DD
-></DL
-></DIV
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN218"
-></A
-><H2
->FILES</H2
-><P
-><TT
-CLASS="FILENAME"
->/etc/resolv.conf</TT
-></P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN222"
-></A
-><H2
->SEE ALSO</H2
-><P
-><SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->dig</SPAN
->(1)</SPAN
->,
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->host</SPAN
->(1)</SPAN
->,
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->named</SPAN
->(8)</SPAN
->.</P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN234"
-></A
-><H2
->Author</H2
-><P
->Andrew Cherenson</P
-></DIV
-></BODY
-></HTML
->
+                  </p>
+<p>
+                    (Default = IN; abbreviation = cl)
+                  </p>
+</dd>
+<dt><span class="term"><code class="constant">
+                    <em class="replaceable"><code>[<span class="optional">no</span>]</code></em>debug</code></span></dt>
+<dd>
+<p>
+		    Turn on or off the display of the full response packet and
+		    any intermediate response packets when searching.
+                  </p>
+<p>
+                    (Default = nodebug; abbreviation = [<span class="optional">no</span>]deb)
+                  </p>
+</dd>
+<dt><span class="term"><code class="constant">
+                    <em class="replaceable"><code>[<span class="optional">no</span>]</code></em>d2</code></span></dt>
+<dd>
+<p>
+                    Turn debugging mode on or off.  This displays more about
+	            what nslookup is doing.
+                  </p>
+<p>
+                    (Default = nod2)
+                  </p>
+</dd>
+<dt><span class="term"><code class="constant">domain=</code><em class="replaceable"><code>name</code></em></span></dt>
+<dd><p>
+                    Sets the search list to <em class="replaceable"><code>name</code></em>.
+                  </p></dd>
+<dt><span class="term"><code class="constant">
+                    <em class="replaceable"><code>[<span class="optional">no</span>]</code></em>search</code></span></dt>
+<dd>
+<p>
+                    If the lookup request contains at least one period but
+                    doesn't end with a trailing period, append the domain
+                    names in the domain search list to the request until an
+                    answer is received.
+                  </p>
+<p>
+                    (Default = search)
+                  </p>
+</dd>
+<dt><span class="term"><code class="constant">port=</code><em class="replaceable"><code>value</code></em></span></dt>
+<dd>
+<p>
+                    Change the default TCP/UDP name server port to <em class="replaceable"><code>value</code></em>.
+                  </p>
+<p>
+                    (Default = 53; abbreviation = po)
+                  </p>
+</dd>
+<dt><span class="term"><code class="constant">querytype=</code><em class="replaceable"><code>value</code></em></span></dt>
+<dd><p></p></dd>
+<dt><span class="term"><code class="constant">type=</code><em class="replaceable"><code>value</code></em></span></dt>
+<dd>
+<p>
+                    Change the type of the information query.
+                  </p>
+<p>
+                    (Default = A; abbreviations = q, ty)
+                  </p>
+</dd>
+<dt><span class="term"><code class="constant">
+                    <em class="replaceable"><code>[<span class="optional">no</span>]</code></em>recurse</code></span></dt>
+<dd>
+<p>
+                    Tell the name server to query other servers if it does not
+                    have the
+                    information.
+                  </p>
+<p>
+                    (Default = recurse; abbreviation = [no]rec)
+                  </p>
+</dd>
+<dt><span class="term"><code class="constant">retry=</code><em class="replaceable"><code>number</code></em></span></dt>
+<dd><p>
+                    Set the number of retries to number.
+                  </p></dd>
+<dt><span class="term"><code class="constant">timeout=</code><em class="replaceable"><code>number</code></em></span></dt>
+<dd><p>
+                    Change the initial timeout interval for waiting for a
+                    reply to number seconds.
+                  </p></dd>
+<dt><span class="term"><code class="constant">
+                    <em class="replaceable"><code>[<span class="optional">no</span>]</code></em>vc</code></span></dt>
+<dd>
+<p>
+                    Always use a virtual circuit when sending requests to the
+                    server.
+                  </p>
+<p>
+                    (Default = novc)
+                  </p>
+</dd>
+<dt><span class="term"><code class="constant">
+                    <em class="replaceable"><code>[<span class="optional">no</span>]</code></em>fail</code></span></dt>
+<dd>
+<p>
+		    Try the next nameserver if a nameserver responds with
+		    SERVFAIL or a referral (nofail) or terminate query
+		    (fail) on such a response.
+		  </p>
+<p>
+                    (Default = nofail)
+                  </p>
+</dd>
+</dl></div>
+<p>
+          </p>
+</dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2546279"></a><h2>FILES</h2>
+<p><code class="filename">/etc/resolv.conf</code>
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2546291"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
+      <span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
+      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2546325"></a><h2>Author</h2>
+<p>
+      Andrew Cherenson
+    </p>
+</div>
+</div></body>
+</html>

bin/dig/win32/dig.dsp

@@ -42,7 +42,7 @@ RSC=rc.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
-# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
+# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
 # ADD BASE RSC /l 0x409 /d "NDEBUG"
 # ADD RSC /l 0x409 /d "NDEBUG"
 BSC32=bscmake.exe
@@ -50,7 +50,7 @@ BSC32=bscmake.exe
 # ADD BSC32 /nologo
 LINK32=link.exe
 # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
-# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/bind9/win32/Release/libbind9.lib ../../../lib/lwres/win32/Release/liblwres.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/dig.exe"
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib Release/dighost.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/bind9/win32/Release/libbind9.lib ../../../lib/lwres/win32/Release/liblwres.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/dig.exe"
 
 !ELSEIF  "$(CFG)" == "dig - Win32 Debug"
 
@@ -66,7 +66,7 @@ LINK32=link.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
-# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
 # SUBTRACT CPP /X /u /YX
 # ADD BASE RSC /l 0x409 /d "_DEBUG"
 # ADD RSC /l 0x409 /d "_DEBUG"
@@ -75,7 +75,7 @@ BSC32=bscmake.exe
 # ADD BSC32 /nologo
 LINK32=link.exe
 # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
-# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/bind9/win32/Debug/libbind9.lib ../../../lib/lwres/win32/Debug/liblwres.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/dig.exe" /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib Debug/dighost.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/bind9/win32/Debug/libbind9.lib ../../../lib/lwres/win32/Debug/liblwres.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/dig.exe" /pdbtype:sept
 
 !ENDIF 
 
@@ -90,10 +90,6 @@ LINK32=link.exe
 
 SOURCE=..\dig.c
 # End Source File
-# Begin Source File
-
-SOURCE=..\dighost.c
-# End Source File
 # End Group
 # Begin Group "Header Files"
 

bin/dig/win32/dig.mak

@@ -28,6 +28,81 @@ NULL=nul
 CPP=cl.exe
 RSC=rc.exe
 
+!IF  "$(CFG)" == "dig - Win32 Release"
+_VC_MANIFEST_INC=0
+_VC_MANIFEST_BASENAME=__VC80
+!ELSE
+_VC_MANIFEST_INC=1
+_VC_MANIFEST_BASENAME=__VC80.Debug
+!ENDIF
+
+####################################################
+# Specifying name of temporary resource file used only in incremental builds:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res
+!else
+_VC_MANIFEST_AUTO_RES=
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1
+
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2
+
+!endif
+####################################################
+# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \
+    $(_VC_MANIFEST_BASENAME).auto.rc \
+    $(_VC_MANIFEST_BASENAME).auto.manifest
+
+!else
+
+_VC_MANIFEST_CLEAN=
+
+!endif
+
 !IF  "$(CFG)" == "dig - Win32 Release"
 
 OUTDIR=.\Release
@@ -52,11 +127,12 @@ CLEAN :
 	-@erase "$(INTDIR)\dighost.obj"
 	-@erase "$(INTDIR)\vc60.idb"
 	-@erase "..\..\..\Build\Release\dig.exe"
+	-@$(_VC_MANIFEST_CLEAN)
 
 "$(OUTDIR)" :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
-CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\dig.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\dig.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
 BSC32=bscmake.exe
 BSC32_FLAGS=/nologo /o"$(OUTDIR)\dig.bsc" 
 BSC32_SBRS= \
@@ -75,6 +151,7 @@ LINK32_OBJS= \
     $(LINK32) @<<
   $(LINK32_FLAGS) $(LINK32_OBJS)
 <<
+    $(_VC_MANIFEST_EMBED_EXE)
 
 !ELSEIF  "$(CFG)" == "dig - Win32 Debug"
 
@@ -109,11 +186,12 @@ CLEAN :
 	-@erase "$(OUTDIR)\dig.pdb"
 	-@erase "..\..\..\Build\Debug\dig.exe"
 	-@erase "..\..\..\Build\Debug\dig.ilk"
+	-@$(_VC_MANIFEST_CLEAN)
 
 "$(OUTDIR)" :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
-CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
 BSC32=bscmake.exe
 BSC32_FLAGS=/nologo /o"$(OUTDIR)\dig.bsc" 
 BSC32_SBRS= \
@@ -139,6 +217,7 @@ LINK32_OBJS= \
     $(LINK32) @<<
   $(LINK32_FLAGS) $(LINK32_OBJS)
 <<
+    $(_VC_MANIFEST_EMBED_EXE)
 
 !ENDIF 
 
@@ -326,3 +405,21 @@ SOURCE=..\dighost.c
 
 !ENDIF 
 
+####################################################
+# Commands to generate initial empty manifest file and the RC file
+# that references it, and for generating the .res file:
+
+$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc
+
+$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest
+    type <<$@
+#include <winuser.h>
+1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"
+<< KEEP
+
+$(_VC_MANIFEST_BASENAME).auto.manifest :
+    type <<$@
+<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
+<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
+</assembly>
+<< KEEP

bin/dig/win32/dighost.dsp

@@ -0,0 +1,113 @@
+# Microsoft Developer Studio Project File - Name="dighost" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "Win32 (x86) Static-Link Library" 0x0104
+
+CFG=dighost - Win32 Debug
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "dighost.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "dighost.mak" CFG="dighost - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "dighost - Win32 Release" (based on "Win32 (x86) Static-Link Library")
+!MESSAGE "dighost - Win32 Debug" (based on "Win32 (x86) Static-Link Library")
+!MESSAGE 
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+MTL=midl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "dighost - Win32 Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /YX /FD /c
+# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /YX /FD /c /Fddighost
+# SUBTRACT CPP /X
+# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
+# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 
+# ADD LINK32 /out:"Release/dighost.lib"
+
+!ELSEIF  "$(CFG)" == "dighost - Win32 Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /YX /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /FR /YX /FD /GZ /c /Fddighost
+# SUBTRACT CPP /X
+# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
+# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 
+# ADD LINK32 /debug out:"Debug/dighost.lib"
+
+!ENDIF 
+
+# Begin Target
+
+# Name "dighost - Win32 Release"
+# Name "dighost - Win32 Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl"
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
+# End Group
+# Begin Group "Main Dns Lib"
+
+# PROP Default_Filter "c"
+# Begin Source File
+
+SOURCE=..\dighost.c
+# End Source File
+# End Group
+# End Target
+# End Project

bin/dig/win32/dighost.dsw

@@ -1,29 +1,29 @@
-Microsoft Developer Studio Workspace File, Format Version 6.00
-# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
-
-###############################################################################
-
-Project: "makekeyset"=".\makekeyset.dsp" - Package Owner=<4>
-
-Package=<5>
-{{{
-}}}
-
-Package=<4>
-{{{
-}}}
-
-###############################################################################
-
-Global:
-
-Package=<5>
-{{{
-}}}
-
-Package=<3>
-{{{
-}}}
-
-###############################################################################
-
+Microsoft Developer Studio Workspace File, Format Version 6.00
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
+
+###############################################################################
+
+Project: "dighost"=".\dighost.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Global:
+
+Package=<5>
+{{{
+}}}
+
+Package=<3>
+{{{
+}}}
+
+###############################################################################
+

bin/dig/win32/host.dsp

@@ -42,7 +42,7 @@ RSC=rc.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
-# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
+# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
 # ADD BASE RSC /l 0x409 /d "NDEBUG"
 # ADD RSC /l 0x409 /d "NDEBUG"
 BSC32=bscmake.exe
@@ -50,7 +50,7 @@ BSC32=bscmake.exe
 # ADD BSC32 /nologo
 LINK32=link.exe
 # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
-# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/bind9/win32/Release/libbind9.lib ../../../lib/lwres/win32/Release/liblwres.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/host.exe"
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib Release/dighost.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/bind9/win32/Release/libbind9.lib ../../../lib/lwres/win32/Release/liblwres.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/host.exe"
 
 !ELSEIF  "$(CFG)" == "host - Win32 Debug"
 
@@ -66,7 +66,7 @@ LINK32=link.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
-# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
 # SUBTRACT CPP /X /u /YX
 # ADD BASE RSC /l 0x409 /d "_DEBUG"
 # ADD RSC /l 0x409 /d "_DEBUG"
@@ -75,7 +75,7 @@ BSC32=bscmake.exe
 # ADD BSC32 /nologo
 LINK32=link.exe
 # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
-# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/bind9/win32/Debug/libbind9.lib ../../../lib/lwres/win32/Debug/liblwres.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/host.exe" /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib Debug/dighost.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/bind9/win32/Debug/libbind9.lib ../../../lib/lwres/win32/Debug/liblwres.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/host.exe" /pdbtype:sept
 
 !ENDIF 
 
@@ -88,10 +88,6 @@ LINK32=link.exe
 # PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
 # Begin Source File
 
-SOURCE=..\dighost.c
-# End Source File
-# Begin Source File
-
 SOURCE=..\host.c
 # End Source File
 # End Group

bin/dig/win32/host.mak

@@ -28,6 +28,81 @@ NULL=nul
 CPP=cl.exe
 RSC=rc.exe
 
+!IF  "$(CFG)" == "host - Win32 Release"
+_VC_MANIFEST_INC=0
+_VC_MANIFEST_BASENAME=__VC80
+!ELSE
+_VC_MANIFEST_INC=1
+_VC_MANIFEST_BASENAME=__VC80.Debug
+!ENDIF
+
+####################################################
+# Specifying name of temporary resource file used only in incremental builds:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res
+!else
+_VC_MANIFEST_AUTO_RES=
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1
+
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2
+
+!endif
+####################################################
+# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \
+    $(_VC_MANIFEST_BASENAME).auto.rc \
+    $(_VC_MANIFEST_BASENAME).auto.manifest
+
+!else
+
+_VC_MANIFEST_CLEAN=
+
+!endif
+
 !IF  "$(CFG)" == "host - Win32 Release"
 
 OUTDIR=.\Release
@@ -52,11 +127,12 @@ CLEAN :
 	-@erase "$(INTDIR)\host.obj"
 	-@erase "$(INTDIR)\vc60.idb"
 	-@erase "..\..\..\Build\Release\host.exe"
+	-@$(_VC_MANIFEST_CLEAN)
 
 "$(OUTDIR)" :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
-CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\host.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\host.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
 BSC32=bscmake.exe
 BSC32_FLAGS=/nologo /o"$(OUTDIR)\host.bsc" 
 BSC32_SBRS= \
@@ -75,6 +151,7 @@ LINK32_OBJS= \
     $(LINK32) @<<
   $(LINK32_FLAGS) $(LINK32_OBJS)
 <<
+    $(_VC_MANIFEST_EMBED_EXE)
 
 !ELSEIF  "$(CFG)" == "host - Win32 Debug"
 
@@ -109,11 +186,12 @@ CLEAN :
 	-@erase "$(OUTDIR)\host.pdb"
 	-@erase "..\..\..\Build\Debug\host.exe"
 	-@erase "..\..\..\Build\Debug\host.ilk"
+	-@$(_VC_MANIFEST_CLEAN)
 
 "$(OUTDIR)" :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
-CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
 BSC32=bscmake.exe
 BSC32_FLAGS=/nologo /o"$(OUTDIR)\host.bsc" 
 BSC32_SBRS= \
@@ -139,6 +217,7 @@ LINK32_OBJS= \
     $(LINK32) @<<
   $(LINK32_FLAGS) $(LINK32_OBJS)
 <<
+    $(_VC_MANIFEST_EMBED_EXE)
 
 !ENDIF 
 
@@ -326,3 +405,21 @@ SOURCE=..\host.c
 
 !ENDIF 
 
+####################################################
+# Commands to generate initial empty manifest file and the RC file
+# that references it, and for generating the .res file:
+
+$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc
+
+$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest
+    type <<$@
+#include <winuser.h>
+1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"
+<< KEEP
+
+$(_VC_MANIFEST_BASENAME).auto.manifest :
+    type <<$@
+<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
+<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
+</assembly>
+<< KEEP

bin/dig/win32/nslookup.dsp

@@ -42,7 +42,7 @@ RSC=rc.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
-# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
+# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
 # ADD BASE RSC /l 0x409 /d "NDEBUG"
 # ADD RSC /l 0x409 /d "NDEBUG"
 BSC32=bscmake.exe
@@ -66,7 +66,7 @@ LINK32=link.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
-# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
 # SUBTRACT CPP /X /u /YX
 # ADD BASE RSC /l 0x409 /d "_DEBUG"
 # ADD RSC /l 0x409 /d "_DEBUG"

bin/dig/win32/nslookup.mak

@@ -28,6 +28,81 @@ NULL=nul
 CPP=cl.exe
 RSC=rc.exe
 
+!IF  "$(CFG)" == "nslookup - Win32 Release"
+_VC_MANIFEST_INC=0
+_VC_MANIFEST_BASENAME=__VC80
+!ELSE
+_VC_MANIFEST_INC=1
+_VC_MANIFEST_BASENAME=__VC80.Debug
+!ENDIF
+
+####################################################
+# Specifying name of temporary resource file used only in incremental builds:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res
+!else
+_VC_MANIFEST_AUTO_RES=
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1
+
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2
+
+!endif
+####################################################
+# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \
+    $(_VC_MANIFEST_BASENAME).auto.rc \
+    $(_VC_MANIFEST_BASENAME).auto.manifest
+
+!else
+
+_VC_MANIFEST_CLEAN=
+
+!endif
+
 !IF  "$(CFG)" == "nslookup - Win32 Release"
 
 OUTDIR=.\Release
@@ -52,11 +127,12 @@ CLEAN :
 	-@erase "$(INTDIR)\nslookup.obj"
 	-@erase "$(INTDIR)\vc60.idb"
 	-@erase "..\..\..\Build\Release\nslookup.exe"
+	-@$(_VC_MANIFEST_CLEAN)
 
 "$(OUTDIR)" :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
-CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\nslookup.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\nslookup.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
 BSC32=bscmake.exe
 BSC32_FLAGS=/nologo /o"$(OUTDIR)\nslookup.bsc" 
 BSC32_SBRS= \
@@ -75,6 +151,7 @@ LINK32_OBJS= \
     $(LINK32) @<<
   $(LINK32_FLAGS) $(LINK32_OBJS)
 <<
+    $(_VC_MANIFEST_EMBED_EXE)
 
 !ELSEIF  "$(CFG)" == "nslookup - Win32 Debug"
 
@@ -109,11 +186,12 @@ CLEAN :
 	-@erase "$(OUTDIR)\nslookup.pdb"
 	-@erase "..\..\..\Build\Debug\nslookup.exe"
 	-@erase "..\..\..\Build\Debug\nslookup.ilk"
+	-@$(_VC_MANIFEST_CLEAN)
 
 "$(OUTDIR)" :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
-CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
 BSC32=bscmake.exe
 BSC32_FLAGS=/nologo /o"$(OUTDIR)\nslookup.bsc" 
 BSC32_SBRS= \
@@ -139,6 +217,7 @@ LINK32_OBJS= \
     $(LINK32) @<<
   $(LINK32_FLAGS) $(LINK32_OBJS)
 <<
+    $(_VC_MANIFEST_EMBED_EXE)
 
 !ENDIF 
 
@@ -326,3 +405,21 @@ SOURCE=..\nslookup.c
 
 !ENDIF 
 
+####################################################
+# Commands to generate initial empty manifest file and the RC file
+# that references it, and for generating the .res file:
+
+$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc
+
+$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest
+    type <<$@
+#include <winuser.h>
+1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"
+<< KEEP
+
+$(_VC_MANIFEST_BASENAME).auto.manifest :
+    type <<$@
+<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
+<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
+</assembly>
+<< KEEP

bin/dnssec/Makefile.in

@@ -1,4 +1,4 @@
-# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.19.12.9 2004/07/20 07:01:48 marka Exp $
+# $Id: Makefile.in,v 1.30 2005/05/02 00:26:28 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -58,7 +58,8 @@ dnssec-keygen@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS}
 	dnssec-keygen.@O@ ${OBJS} ${LIBS}
 
 dnssec-signzone.@O@: dnssec-signzone.c
-	${LIBTOOL_MODE_COMPILE} ${PURIFY} ${CC} ${ALL_CFLAGS} -c $<
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
+		-c ${srcdir}/dnssec-signzone.c
 
 dnssec-signzone@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS}
 	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \

bin/dnssec/dnssec-keygen.8

@@ -1,174 +1,200 @@
-.\" Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000-2003  Internet Software Consortium.
-.\"
+.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2003 Internet Software Consortium.
+.\" 
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
 .\" copyright notice and this permission notice appear in all copies.
-.\"
+.\" 
 .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-keygen.8,v 1.19.12.5 2004/06/11 02:32:45 marka Exp $
+.\" $Id: dnssec-keygen.8,v 1.37 2007/05/09 03:33:50 marka Exp $
 .\"
-.TH "DNSSEC-KEYGEN" "8" "June 30, 2000" "BIND9" ""
-.SH NAME
-dnssec-keygen \- DNSSEC key generation tool
-.SH SYNOPSIS
-.sp
-\fBdnssec-keygen\fR \fB-a \fIalgorithm\fB\fR \fB-b \fIkeysize\fB\fR \fB-n \fInametype\fB\fR [ \fB-c \fIclass\fB\fR ]  [ \fB-e\fR ]  [ \fB-f \fIflag\fB\fR ]  [ \fB-g \fIgenerator\fB\fR ]  [ \fB-h\fR ]  [ \fB-k\fR ]  [ \fB-p \fIprotocol\fB\fR ]  [ \fB-r \fIrandomdev\fB\fR ]  [ \fB-s \fIstrength\fB\fR ]  [ \fB-t \fItype\fB\fR ]  [ \fB-v \fIlevel\fB\fR ]  \fBname\fR
+.hy 0
+.ad l
+.\"     Title: dnssec\-keygen
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\"      Date: June 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
+.TH "DNSSEC\-KEYGEN" "8" "June 30, 2000" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+dnssec\-keygen \- DNSSEC key generation tool
+.SH "SYNOPSIS"
+.HP 14
+\fBdnssec\-keygen\fR {\-a\ \fIalgorithm\fR} {\-b\ \fIkeysize\fR} {\-n\ \fInametype\fR} [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-e\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-k\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name}
 .SH "DESCRIPTION"
 .PP
-\fBdnssec-keygen\fR generates keys for DNSSEC
-(Secure DNS), as defined in RFC 2535 and RFC <TBA\\>. It can also generate
-keys for use with TSIG (Transaction Signatures), as
-defined in RFC 2845.
+\fBdnssec\-keygen\fR
+generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with TSIG (Transaction Signatures), as defined in RFC 2845.
 .SH "OPTIONS"
-.TP
-\fB-a \fIalgorithm\fB\fR
+.PP
+\-a \fIalgorithm\fR
+.RS 4
 Selects the cryptographic algorithm. The value of
-\fBalgorithm\fR must be one of RSAMD5 (RSA) or RSASHA1,
-DSA, DH (Diffie Hellman), or HMAC-MD5. These values
-are case insensitive.
-
-Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm,
-and DSA is recommended. For TSIG, HMAC-MD5 is mandatory.
-
-Note 2: HMAC-MD5 and DH automatically set the -k flag.
-.TP
-\fB-b \fIkeysize\fB\fR
-Specifies the number of bits in the key. The choice of key
-size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be between
-512 and 2048 bits. Diffie Hellman keys must be between
-128 and 4096 bits. DSA keys must be between 512 and 1024
-bits and an exact multiple of 64. HMAC-MD5 keys must be
-between 1 and 512 bits.
-.TP
-\fB-n \fInametype\fB\fR
+\fBalgorithm\fR
+must be one of RSAMD5 (RSA) or RSASHA1, DSA, DH (Diffie Hellman), or HMAC\-MD5. These values are case insensitive.
+.sp
+Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended. For TSIG, HMAC\-MD5 is mandatory.
+.sp
+Note 2: HMAC\-MD5 and DH automatically set the \-k flag.
+.RE
+.PP
+\-b \fIkeysize\fR
+.RS 4
+Specifies the number of bits in the key. The choice of key size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC\-MD5 keys must be between 1 and 512 bits.
+.RE
+.PP
+\-n \fInametype\fR
+.RS 4
 Specifies the owner type of the key. The value of
-\fBnametype\fR must either be ZONE (for a DNSSEC
-zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)),
-USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are
-case insensitive.
-.TP
-\fB-c \fIclass\fB\fR
-Indicates that the DNS record containing the key should have
-the specified class. If not specified, class IN is used.
-.TP
-\fB-e\fR
+\fBnametype\fR
+must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are case insensitive.
+.RE
+.PP
+\-c \fIclass\fR
+.RS 4
+Indicates that the DNS record containing the key should have the specified class. If not specified, class IN is used.
+.RE
+.PP
+\-e
+.RS 4
 If generating an RSAMD5/RSASHA1 key, use a large exponent.
-.TP
-\fB-f \fIflag\fB\fR
-Set the specified flag in the flag field of the KEY/DNSKEY record.
-The only recognized flag is KSK (Key Signing Key) DNSKEY.
-.TP
-\fB-g \fIgenerator\fB\fR
-If generating a Diffie Hellman key, use this generator.
-Allowed values are 2 and 5. If no generator
-is specified, a known prime from RFC 2539 will be used
-if possible; otherwise the default is 2.
-.TP
-\fB-h\fR
+.RE
+.PP
+\-f \fIflag\fR
+.RS 4
+Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flag is KSK (Key Signing Key) DNSKEY.
+.RE
+.PP
+\-g \fIgenerator\fR
+.RS 4
+If generating a Diffie Hellman key, use this generator. Allowed values are 2 and 5. If no generator is specified, a known prime from RFC 2539 will be used if possible; otherwise the default is 2.
+.RE
+.PP
+\-h
+.RS 4
 Prints a short summary of the options and arguments to
-\fBdnssec-keygen\fR.
-.TP
-\fB-k\fR
+\fBdnssec\-keygen\fR.
+.RE
+.PP
+\-k
+.RS 4
 Generate KEY records rather than DNSKEY records.
-.TP
-\fB-p \fIprotocol\fB\fR
-Sets the protocol value for the generated key. The protocol
-is a number between 0 and 255. The default is 3 (DNSSEC).
-Other possible values for this argument are listed in
-RFC 2535 and its successors.
-.TP
-\fB-r \fIrandomdev\fB\fR
-Specifies the source of randomness. If the operating
-system does not provide a \fI/dev/random\fR
-or equivalent device, the default source of randomness
-is keyboard input. \fIrandomdev\fR specifies
-the name of a character device or file containing random
-data to be used instead of the default. The special value
-\fIkeyboard\fR indicates that keyboard
-input should be used.
-.TP
-\fB-s \fIstrength\fB\fR
-Specifies the strength value of the key. The strength is
-a number between 0 and 15, and currently has no defined
-purpose in DNSSEC.
-.TP
-\fB-t \fItype\fB\fR
-Indicates the use of the key. \fBtype\fR must be
-one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
-is AUTHCONF. AUTH refers to the ability to authenticate
-data, and CONF the ability to encrypt data.
-.TP
-\fB-v \fIlevel\fB\fR
+.RE
+.PP
+\-p \fIprotocol\fR
+.RS 4
+Sets the protocol value for the generated key. The protocol is a number between 0 and 255. The default is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors.
+.RE
+.PP
+\-r \fIrandomdev\fR
+.RS 4
+Specifies the source of randomness. If the operating system does not provide a
+\fI/dev/random\fR
+or equivalent device, the default source of randomness is keyboard input.
+\fIrandomdev\fR
+specifies the name of a character device or file containing random data to be used instead of the default. The special value
+\fIkeyboard\fR
+indicates that keyboard input should be used.
+.RE
+.PP
+\-s \fIstrength\fR
+.RS 4
+Specifies the strength value of the key. The strength is a number between 0 and 15, and currently has no defined purpose in DNSSEC.
+.RE
+.PP
+\-t \fItype\fR
+.RS 4
+Indicates the use of the key.
+\fBtype\fR
+must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH refers to the ability to authenticate data, and CONF the ability to encrypt data.
+.RE
+.PP
+\-v \fIlevel\fR
+.RS 4
 Sets the debugging level.
+.RE
 .SH "GENERATED KEYS"
 .PP
-When \fBdnssec-keygen\fR completes successfully,
-it prints a string of the form \fIKnnnn.+aaa+iiiii\fR
-to the standard output. This is an identification string for
-the key it has generated. These strings can be used as arguments
-to \fBdnssec-makekeyset\fR.
-.TP 0.2i
+When
+\fBdnssec\-keygen\fR
+completes successfully, it prints a string of the form
+\fIKnnnn.+aaa+iiiii\fR
+to the standard output. This is an identification string for the key it has generated.
+.TP 4
 \(bu
-\fInnnn\fR is the key name.
-.TP 0.2i
+\fInnnn\fR
+is the key name.
+.TP 4
 \(bu
-\fIaaa\fR is the numeric representation of the
-algorithm.
-.TP 0.2i
+\fIaaa\fR
+is the numeric representation of the algorithm.
+.TP 4
 \(bu
-\fIiiiii\fR is the key identifier (or footprint).
+\fIiiiii\fR
+is the key identifier (or footprint).
 .PP
-\fBdnssec-keygen\fR creates two file, with names based
-on the printed string. \fIKnnnn.+aaa+iiiii.key\fR
+\fBdnssec\-keygen\fR
+creates two files, with names based on the printed string.
+\fIKnnnn.+aaa+iiiii.key\fR
 contains the public key, and
-\fIKnnnn.+aaa+iiiii.private\fR contains the private
-key.
+\fIKnnnn.+aaa+iiiii.private\fR
+contains the private key.
 .PP
+The
+\fI.key\fR
+file contains a DNS KEY record that can be inserted into a zone file (directly or with a $INCLUDE statement).
 .PP
-The \fI.key\fR file contains a DNS KEY record that
-can be inserted into a zone file (directly or with a $INCLUDE
-statement).
-.PP
-.PP
-The \fI.private\fR file contains algorithm specific
-fields. For obvious security reasons, this file does not have
-general read permission.
-.PP
-.PP
-Both \fI.key\fR and \fI.private\fR
-files are generated for symmetric encryption algorithm such as
-HMAC-MD5, even though the public and private key are equivalent.
+The
+\fI.private\fR
+file contains algorithm\-specific fields. For obvious security reasons, this file does not have general read permission.
 .PP
+Both
+\fI.key\fR
+and
+\fI.private\fR
+files are generated for symmetric encryption algorithms such as HMAC\-MD5, even though the public and private key are equivalent.
 .SH "EXAMPLE"
 .PP
-To generate a 768-bit DSA key for the domain
-\fBexample.com\fR, the following command would be
-issued:
+To generate a 768\-bit DSA key for the domain
+\fBexample.com\fR, the following command would be issued:
 .PP
-\fBdnssec-keygen -a DSA -b 768 -n ZONE example.com\fR
+\fBdnssec\-keygen \-a DSA \-b 768 \-n ZONE example.com\fR
 .PP
 The command would print a string of the form:
 .PP
 \fBKexample.com.+003+26160\fR
 .PP
-In this example, \fBdnssec-keygen\fR creates
-the files \fIKexample.com.+003+26160.key\fR and
-\fIKexample.com.+003+26160.private\fR
+In this example,
+\fBdnssec\-keygen\fR
+creates the files
+\fIKexample.com.+003+26160.key\fR
+and
+\fIKexample.com.+003+26160.private\fR.
 .SH "SEE ALSO"
 .PP
-\fBdnssec-signzone\fR(8),
-\fIBIND 9 Administrator Reference Manual\fR,
-\fIRFC 2535\fR,
-\fIRFC 2845\fR,
-\fIRFC 2539\fR.
+\fBdnssec\-signzone\fR(8),
+BIND 9 Administrator Reference Manual,
+RFC 2535,
+RFC 2845,
+RFC 2539.
 .SH "AUTHOR"
 .PP
 Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2000\-2003 Internet Software Consortium.
+.br

bin/dnssec/dnssec-keygen.c

@@ -1,6 +1,6 @@
 /*
- * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2000-2003  Internet Software Consortium.
+ * Portions Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 1999-2003  Internet Software Consortium.
  * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -16,7 +16,9 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-keygen.c,v 1.48.2.1.10.11 2004/06/11 01:17:34 marka Exp $ */
+/* $Id: dnssec-keygen.c,v 1.76 2007/05/21 02:47:25 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -47,7 +49,9 @@
 const char *program = "dnssec-keygen";
 int verbose;
 
-static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 | HMAC-MD5";
+static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 | HMAC-MD5 |"
+			  " HMAC-SHA1 | HMAC-SHA224 | HMAC-SHA256 | "
+			  " HMAC-SHA384 | HMAC-SHA512";
 
 static isc_boolean_t
 dsa_size_ok(int size) {
@@ -68,10 +72,16 @@ usage(void) {
 	fprintf(stderr, "        DH:\t\t[128..4096]\n");
 	fprintf(stderr, "        DSA:\t\t[512..1024] and divisible by 64\n");
 	fprintf(stderr, "        HMAC-MD5:\t[1..512]\n");
+	fprintf(stderr, "        HMAC-SHA1:\t[1..160]\n");
+	fprintf(stderr, "        HMAC-SHA224:\t[1..224]\n");
+	fprintf(stderr, "        HMAC-SHA256:\t[1..256]\n");
+	fprintf(stderr, "        HMAC-SHA384:\t[1..384]\n");
+	fprintf(stderr, "        HMAC-SHA512:\t[1..512]\n");
 	fprintf(stderr, "    -n nametype: ZONE | HOST | ENTITY | USER | OTHER\n");
 	fprintf(stderr, "    name: owner of the key\n");
 	fprintf(stderr, "Other options:\n");
 	fprintf(stderr, "    -c <class> (default: IN)\n");
+	fprintf(stderr, "    -d <digest bits> (0 => max, default)\n");
 	fprintf(stderr, "    -e use large exponent (RSAMD5/RSASHA1 only)\n");
 	fprintf(stderr, "    -f keyflag: KSK\n");
 	fprintf(stderr, "    -g <generator> use specified generator "
@@ -115,6 +125,7 @@ main(int argc, char **argv) {
 	isc_entropy_t	*ectx = NULL;
 	dns_rdataclass_t rdclass;
 	int		options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
+	int		dbits = 0;
 
 	if (argc == 1)
 		usage();
@@ -123,8 +134,10 @@ main(int argc, char **argv) {
 
 	dns_result_register();
 
+	isc_commandline_errprint = ISC_FALSE;
+
 	while ((ch = isc_commandline_parse(argc, argv,
-					   "a:b:c:ef:g:kn:t:p:s:r:v:h")) != -1)
+					 "a:b:c:d:ef:g:kn:t:p:s:r:v:h")) != -1)
 	{
 	    switch (ch) {
 		case 'a':
@@ -138,6 +151,11 @@ main(int argc, char **argv) {
 		case 'c':
 			classname = isc_commandline_argument;
 			break;
+		case 'd':
+			dbits = strtol(isc_commandline_argument, &endp, 10);
+			if (*endp != '\0' || dbits < 0)
+				fatal("-d requires a non-negative number");
+			break;
 		case 'e':
 			rsa_exp = 1;
 			break;
@@ -186,12 +204,17 @@ main(int argc, char **argv) {
 				fatal("-v must be followed by a number");
 			break;
 
+		case '?':
+			if (isc_commandline_option != '?')
+				fprintf(stderr, "%s: invalid argument -%c\n",
+					program, isc_commandline_option);
 		case 'h':
 			usage();
+
 		default:
-			fprintf(stderr, "%s: invalid argument -%c\n",
-				program, ch);
-			usage();
+			fprintf(stderr, "%s: unhandled option -%c\n",
+				program, isc_commandline_option);
+			exit(1);
 		}
 	}
 
@@ -211,9 +234,29 @@ main(int argc, char **argv) {
 
 	if (algname == NULL)
 		fatal("no algorithm was specified");
-	if (strcasecmp(algname, "HMAC-MD5") == 0) {
+	if (strcasecmp(algname, "RSA") == 0) {
+		fprintf(stderr, "The use of RSA (RSAMD5) is not recommended.\n"
+				"If you still wish to use RSA (RSAMD5) please "
+				"specify \"-a RSAMD5\"\n");
+		return (1);
+	} else if (strcasecmp(algname, "HMAC-MD5") == 0) {
 		options |= DST_TYPE_KEY;
 		alg = DST_ALG_HMACMD5;
+	} else if (strcasecmp(algname, "HMAC-SHA1") == 0) {
+		options |= DST_TYPE_KEY;
+		alg = DST_ALG_HMACSHA1;
+	} else if (strcasecmp(algname, "HMAC-SHA224") == 0) {
+		options |= DST_TYPE_KEY;
+		alg = DST_ALG_HMACSHA224;
+	} else if (strcasecmp(algname, "HMAC-SHA256") == 0) {
+		options |= DST_TYPE_KEY;
+		alg = DST_ALG_HMACSHA256;
+	} else if (strcasecmp(algname, "HMAC-SHA384") == 0) {
+		options |= DST_TYPE_KEY;
+		alg = DST_ALG_HMACSHA384;
+	} else if (strcasecmp(algname, "HMAC-SHA512") == 0) {
+		options |= DST_TYPE_KEY;
+		alg = DST_ALG_HMACSHA512;
 	} else {
 		r.base = algname;
 		r.length = strlen(algname);
@@ -260,6 +303,56 @@ main(int argc, char **argv) {
 	case DST_ALG_HMACMD5:
 		if (size < 1 || size > 512)
 			fatal("HMAC-MD5 key size %d out of range", size);
+		if (dbits != 0 && (dbits < 80 || dbits > 128))
+			fatal("HMAC-MD5 digest bits %d out of range", dbits);
+		if ((dbits % 8) != 0)
+			fatal("HMAC-MD5 digest bits %d not divisible by 8",
+			      dbits);
+		break;
+	case DST_ALG_HMACSHA1:
+		if (size < 1 || size > 160)
+			fatal("HMAC-SHA1 key size %d out of range", size);
+		if (dbits != 0 && (dbits < 80 || dbits > 160))
+			fatal("HMAC-SHA1 digest bits %d out of range", dbits);
+		if ((dbits % 8) != 0)
+			fatal("HMAC-SHA1 digest bits %d not divisible by 8",
+			      dbits);
+		break;
+	case DST_ALG_HMACSHA224:
+		if (size < 1 || size > 224)
+			fatal("HMAC-SHA224 key size %d out of range", size);
+		if (dbits != 0 && (dbits < 112 || dbits > 224))
+			fatal("HMAC-SHA224 digest bits %d out of range", dbits);
+		if ((dbits % 8) != 0)
+			fatal("HMAC-SHA224 digest bits %d not divisible by 8",
+			      dbits);
+		break;
+	case DST_ALG_HMACSHA256:
+		if (size < 1 || size > 256)
+			fatal("HMAC-SHA256 key size %d out of range", size);
+		if (dbits != 0 && (dbits < 128 || dbits > 256))
+			fatal("HMAC-SHA256 digest bits %d out of range", dbits);
+		if ((dbits % 8) != 0)
+			fatal("HMAC-SHA256 digest bits %d not divisible by 8",
+			      dbits);
+		break;
+	case DST_ALG_HMACSHA384:
+		if (size < 1 || size > 384)
+			fatal("HMAC-384 key size %d out of range", size);
+		if (dbits != 0 && (dbits < 192 || dbits > 384))
+			fatal("HMAC-SHA384 digest bits %d out of range", dbits);
+		if ((dbits % 8) != 0)
+			fatal("HMAC-SHA384 digest bits %d not divisible by 8",
+			      dbits);
+		break;
+	case DST_ALG_HMACSHA512:
+		if (size < 1 || size > 512)
+			fatal("HMAC-SHA512 key size %d out of range", size);
+		if (dbits != 0 && (dbits < 256 || dbits > 512))
+			fatal("HMAC-SHA512 digest bits %d out of range", dbits);
+		if ((dbits % 8) != 0)
+			fatal("HMAC-SHA512 digest bits %d not divisible by 8",
+			      dbits);
 		break;
 	}
 
@@ -306,7 +399,10 @@ main(int argc, char **argv) {
 	}
 
 	if ((flags & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE &&
-	    (alg == DNS_KEYALG_DH || alg == DST_ALG_HMACMD5))
+	    (alg == DNS_KEYALG_DH || alg == DST_ALG_HMACMD5 ||
+	     alg == DST_ALG_HMACSHA1 || alg == DST_ALG_HMACSHA224 ||
+	     alg == DST_ALG_HMACSHA256 || alg == DST_ALG_HMACSHA384 ||
+	     alg == DST_ALG_HMACSHA512))
 		fatal("a key with algorithm '%s' cannot be a zone key",
 		      algname);
 
@@ -330,6 +426,11 @@ main(int argc, char **argv) {
 		break;
 	case DNS_KEYALG_DSA:
 	case DST_ALG_HMACMD5:
+	case DST_ALG_HMACSHA1:
+	case DST_ALG_HMACSHA224:
+	case DST_ALG_HMACSHA256:
+	case DST_ALG_HMACSHA384:
+	case DST_ALG_HMACSHA512:
 		param = 0;
 		break;
 	}
@@ -358,6 +459,8 @@ main(int argc, char **argv) {
 			exit(-1);
 		}
 
+		dst_key_setbits(key, dbits);
+
 		/*
 		 * Try to read a key with the same name, alg and id from disk.
 		 * If there is one we must continue generating a new one
@@ -407,6 +510,7 @@ main(int argc, char **argv) {
 	cleanup_logging(&log);
 	cleanup_entropy(&ectx);
 	dst_lib_destroy();
+	dns_name_destroy();
 	if (verbose > 10)
 		isc_mem_stats(mctx, stdout);
 	isc_mem_destroy(&mctx);

bin/dnssec/dnssec-keygen.docbook

@@ -1,7 +1,9 @@
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2001-2003  Internet Software Consortium.
+ - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2003  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -16,9 +18,8 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: dnssec-keygen.docbook,v 1.3.12.6 2004/06/11 01:17:34 marka Exp $ -->
-
-<refentry>
+<!-- $Id: dnssec-keygen.docbook,v 1.17 2007/05/09 01:32:08 marka Exp $ -->
+<refentry id="man.dnssec-keygen">
   <refentryinfo>
     <date>June 30, 2000</date>
   </refentryinfo>
@@ -34,6 +35,22 @@
     <refpurpose>DNSSEC key generation tool</refpurpose>
   </refnamediv>
 
+  <docinfo>
+    <copyright>
+      <year>2004</year>
+      <year>2005</year>
+      <year>2007</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+    <copyright>
+      <year>2000</year>
+      <year>2001</year>
+      <year>2002</year>
+      <year>2003</year>
+      <holder>Internet Software Consortium.</holder>
+    </copyright>
+  </docinfo>
+
   <refsynopsisdiv>
     <cmdsynopsis>
       <command>dnssec-keygen</command>
@@ -57,11 +74,10 @@
 
   <refsect1>
     <title>DESCRIPTION</title>
-    <para>
-        <command>dnssec-keygen</command> generates keys for DNSSEC
-	(Secure DNS), as defined in RFC 2535 and RFC &lt;TBA\&gt;.  It can also generate
-	keys for use with TSIG (Transaction Signatures), as
-	defined in RFC 2845.
+    <para><command>dnssec-keygen</command>
+      generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
+      and RFC 4034.  It can also generate keys for use with
+      TSIG (Transaction Signatures), as defined in RFC 2845.
     </para>
   </refsect1>
 
@@ -71,168 +87,173 @@
     <variablelist>
       <varlistentry>
         <term>-a <replaceable class="parameter">algorithm</replaceable></term>
-	<listitem>
-	  <para>
-	      Selects the cryptographic algorithm.  The value of
-	      <option>algorithm</option> must be one of RSAMD5 (RSA) or RSASHA1,
-	      DSA, DH (Diffie Hellman), or HMAC-MD5.  These values
-	      are case insensitive.
-	  </para>
-	  <para>
-	      Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm,
-	      and DSA is recommended.  For TSIG, HMAC-MD5 is mandatory.
-	  </para>
-	  <para>
-	      Note 2: HMAC-MD5 and DH automatically set the -k flag.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Selects the cryptographic algorithm.  The value of
+            <option>algorithm</option> must be one of RSAMD5 (RSA) or RSASHA1,
+            	      DSA, DH (Diffie Hellman), or HMAC-MD5.  These values
+            are case insensitive.
+          </para>
+          <para>
+            Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
+            algorithm,
+            and DSA is recommended.  For TSIG, HMAC-MD5 is mandatory.
+          </para>
+          <para>
+            Note 2: HMAC-MD5 and DH automatically set the -k flag.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-b <replaceable class="parameter">keysize</replaceable></term>
-	<listitem>
-	  <para>
-	       Specifies the number of bits in the key.  The choice of key
-	       size depends on the algorithm used.  RSAMD5 / RSASHA1 keys must be between
-	       512 and 2048 bits.  Diffie Hellman keys must be between
-	       128 and 4096 bits.  DSA keys must be between 512 and 1024
-	       bits and an exact multiple of 64.  HMAC-MD5 keys must be
-	       between 1 and 512 bits.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Specifies the number of bits in the key.  The choice of key
+            size depends on the algorithm used.  RSAMD5 / RSASHA1 keys must be
+            between
+            512 and 2048 bits.  Diffie Hellman keys must be between
+            128 and 4096 bits.  DSA keys must be between 512 and 1024
+            bits and an exact multiple of 64.  HMAC-MD5 keys must be
+            between 1 and 512 bits.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-n <replaceable class="parameter">nametype</replaceable></term>
-	<listitem>
-	  <para>
-	       Specifies the owner type of the key.  The value of
-	       <option>nametype</option> must either be ZONE (for a DNSSEC
-	       zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)),
-	       USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).  These values are
-	       case insensitive.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Specifies the owner type of the key.  The value of
+            <option>nametype</option> must either be ZONE (for a DNSSEC
+            zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
+            a host (KEY)),
+            USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
+            These values are
+            case insensitive.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-c <replaceable class="parameter">class</replaceable></term>
-	<listitem>
-	  <para>
-	       Indicates that the DNS record containing the key should have
-	       the specified class.  If not specified, class IN is used.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Indicates that the DNS record containing the key should have
+            the specified class.  If not specified, class IN is used.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-e</term>
-	<listitem>
-	  <para>
-	       If generating an RSAMD5/RSASHA1 key, use a large exponent.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            If generating an RSAMD5/RSASHA1 key, use a large exponent.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-f <replaceable class="parameter">flag</replaceable></term>
-	<listitem>
-	  <para>
-		Set the specified flag in the flag field of the KEY/DNSKEY record.
-		The only recognized flag is KSK (Key Signing Key) DNSKEY.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Set the specified flag in the flag field of the KEY/DNSKEY record.
+            		The only recognized flag is KSK (Key Signing Key) DNSKEY.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-g <replaceable class="parameter">generator</replaceable></term>
-	<listitem>
-	  <para>
-	       If generating a Diffie Hellman key, use this generator.
-	       Allowed values are 2 and 5.  If no generator
-	       is specified, a known prime from RFC 2539 will be used
-	       if possible; otherwise the default is 2.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            If generating a Diffie Hellman key, use this generator.
+            Allowed values are 2 and 5.  If no generator
+            is specified, a known prime from RFC 2539 will be used
+            if possible; otherwise the default is 2.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-h</term>
-	<listitem>
-	  <para>
-	       Prints a short summary of the options and arguments to
-	       <command>dnssec-keygen</command>.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Prints a short summary of the options and arguments to
+            <command>dnssec-keygen</command>.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-k</term>
-	<listitem>
-	  <para>
-	       Generate KEY records rather than DNSKEY records.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Generate KEY records rather than DNSKEY records.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-p <replaceable class="parameter">protocol</replaceable></term>
-	<listitem>
-	  <para>
-	       Sets the protocol value for the generated key.  The protocol
-	       is a number between 0 and 255.  The default is 3 (DNSSEC).
-	       Other possible values for this argument are listed in
-	       RFC 2535 and its successors.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Sets the protocol value for the generated key.  The protocol
+            is a number between 0 and 255.  The default is 3 (DNSSEC).
+            Other possible values for this argument are listed in
+            RFC 2535 and its successors.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-r <replaceable class="parameter">randomdev</replaceable></term>
-	<listitem>
-	  <para>
-	       Specifies the source of randomness.  If the operating
-	       system does not provide a <filename>/dev/random</filename>
-	       or equivalent device, the default source of randomness
-	       is keyboard input.  <filename>randomdev</filename> specifies
-	       the name of a character device or file containing random
-	       data to be used instead of the default.  The special value
-	       <filename>keyboard</filename> indicates that keyboard
-	       input should be used.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Specifies the source of randomness.  If the operating
+            system does not provide a <filename>/dev/random</filename>
+            or equivalent device, the default source of randomness
+            is keyboard input.  <filename>randomdev</filename>
+            specifies
+            the name of a character device or file containing random
+            data to be used instead of the default.  The special value
+            <filename>keyboard</filename> indicates that keyboard
+            input should be used.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-s <replaceable class="parameter">strength</replaceable></term>
-	<listitem>
-	  <para>
-	       Specifies the strength value of the key.  The strength is
-	       a number between 0 and 15, and currently has no defined
-	       purpose in DNSSEC.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Specifies the strength value of the key.  The strength is
+            a number between 0 and 15, and currently has no defined
+            purpose in DNSSEC.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-t <replaceable class="parameter">type</replaceable></term>
-	<listitem>
-	  <para>
-	       Indicates the use of the key.  <option>type</option> must be
-	       one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF.  The default
-	       is AUTHCONF.  AUTH refers to the ability to authenticate
-	       data, and CONF the ability to encrypt data.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Indicates the use of the key.  <option>type</option> must be
+            one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF.  The default
+            is AUTHCONF.  AUTH refers to the ability to authenticate
+            data, and CONF the ability to encrypt data.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-v <replaceable class="parameter">level</replaceable></term>
-	<listitem>
-	  <para>
-	       Sets the debugging level.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Sets the debugging level.
+          </para>
+        </listitem>
       </varlistentry>
 
     </variablelist>
@@ -241,83 +262,82 @@
   <refsect1>
     <title>GENERATED KEYS</title>
     <para>
-        When <command>dnssec-keygen</command> completes successfully,
-	it prints a string of the form <filename>Knnnn.+aaa+iiiii</filename>
-	to the standard output.  This is an identification string for
-	the key it has generated.  These strings can be used as arguments
-	to <command>dnssec-makekeyset</command>.
+      When <command>dnssec-keygen</command> completes
+      successfully,
+      it prints a string of the form <filename>Knnnn.+aaa+iiiii</filename>
+      to the standard output.  This is an identification string for
+      the key it has generated.
     </para>
     <itemizedlist>
       <listitem>
-        <para>
-          <filename>nnnn</filename> is the key name.
+        <para><filename>nnnn</filename> is the key name.
         </para>
       </listitem>
       <listitem>
-        <para>
-          <filename>aaa</filename> is the numeric representation of the
+        <para><filename>aaa</filename> is the numeric representation
+          of the
           algorithm.
         </para>
       </listitem>
       <listitem>
-        <para>
-          <filename>iiiii</filename> is the key identifier (or footprint).
+        <para><filename>iiiii</filename> is the key identifier (or
+          footprint).
         </para>
       </listitem>
     </itemizedlist>
-    <para>
-        <command>dnssec-keygen</command> creates two file, with names based
-	on the printed string.  <filename>Knnnn.+aaa+iiiii.key</filename>
-	contains the public key, and
-	<filename>Knnnn.+aaa+iiiii.private</filename> contains the private
-	key.
+    <para><command>dnssec-keygen</command> 
+      creates two files, with names based
+      on the printed string.  <filename>Knnnn.+aaa+iiiii.key</filename>
+      contains the public key, and
+      <filename>Knnnn.+aaa+iiiii.private</filename> contains the
+      private
+      key.
     </para>
     <para>
-        The <filename>.key</filename> file contains a DNS KEY record that
-	can be inserted into a zone file (directly or with a $INCLUDE
-	statement).
+      The <filename>.key</filename> file contains a DNS KEY record
+      that
+      can be inserted into a zone file (directly or with a $INCLUDE
+      statement).
     </para>
     <para>
-        The <filename>.private</filename> file contains algorithm specific
-	fields.  For obvious security reasons, this file does not have
-	general read permission.
+      The <filename>.private</filename> file contains
+      algorithm-specific
+      fields.  For obvious security reasons, this file does not have
+      general read permission.
     </para>
     <para>
-        Both <filename>.key</filename> and <filename>.private</filename>
-	files are generated for symmetric encryption algorithm such as
-	HMAC-MD5, even though the public and private key are equivalent.
+      Both <filename>.key</filename> and <filename>.private</filename>
+      files are generated for symmetric encryption algorithms such as
+      HMAC-MD5, even though the public and private key are equivalent.
     </para>
   </refsect1>
 
   <refsect1>
     <title>EXAMPLE</title>
     <para>
-        To generate a 768-bit DSA key for the domain
-	<userinput>example.com</userinput>, the following command would be
-	issued:
+      To generate a 768-bit DSA key for the domain
+      <userinput>example.com</userinput>, the following command would be
+      issued:
+    </para>
+    <para><userinput>dnssec-keygen -a DSA -b 768 -n ZONE example.com</userinput>
     </para>
     <para>
-        <userinput>dnssec-keygen -a DSA -b 768 -n ZONE example.com</userinput>
+      The command would print a string of the form:
+    </para>
+    <para><userinput>Kexample.com.+003+26160</userinput>
     </para>
     <para>
-        The command would print a string of the form:
-    </para>
-    <para>
-        <userinput>Kexample.com.+003+26160</userinput>
-    </para>
-    <para>
-        In this example, <command>dnssec-keygen</command> creates
-	the files <filename>Kexample.com.+003+26160.key</filename> and
-	<filename>Kexample.com.+003+26160.private</filename>
+      In this example, <command>dnssec-keygen</command> creates
+      the files <filename>Kexample.com.+003+26160.key</filename>
+      and
+      <filename>Kexample.com.+003+26160.private</filename>.
     </para>
   </refsect1>
 
   <refsect1>
     <title>SEE ALSO</title>
-    <para>
-      <citerefentry>
-        <refentrytitle>dnssec-signzone</refentrytitle>
-	<manvolnum>8</manvolnum>
+    <para><citerefentry>
+        <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
       </citerefentry>,
       <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
       <citetitle>RFC 2535</citetitle>,
@@ -328,14 +348,11 @@
 
   <refsect1>
     <title>AUTHOR</title>
-    <para>
-        <corpauthor>Internet Systems Consortium</corpauthor>
+    <para><corpauthor>Internet Systems Consortium</corpauthor>
     </para>
   </refsect1>
 
-</refentry>
-
-<!--
+</refentry><!--
  - Local variables:
  - mode: sgml
  - End:

bin/dnssec/dnssec-keygen.html

@@ -1,544 +1,232 @@
 <!--
- - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2001-2003  Internet Software Consortium.
- -
+ - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2003 Internet Software Consortium.
+ - 
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- -
+ - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
-<!-- $Id: dnssec-keygen.html,v 1.5.2.1.4.6 2004/08/22 23:38:58 marka Exp $ -->
-
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-<HTML
-><HEAD
-><TITLE
->dnssec-keygen</TITLE
-><META
-NAME="GENERATOR"
-CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD
-><BODY
-CLASS="REFENTRY"
-BGCOLOR="#FFFFFF"
-TEXT="#000000"
-LINK="#0000FF"
-VLINK="#840084"
-ALINK="#0000FF"
-><H1
-><A
-NAME="AEN1"
-></A
-><SPAN
-CLASS="APPLICATION"
->dnssec-keygen</SPAN
-></H1
-><DIV
-CLASS="REFNAMEDIV"
-><A
-NAME="AEN9"
-></A
-><H2
->Name</H2
-><SPAN
-CLASS="APPLICATION"
->dnssec-keygen</SPAN
->&nbsp;--&nbsp;DNSSEC key generation tool</DIV
-><DIV
-CLASS="REFSYNOPSISDIV"
-><A
-NAME="AEN13"
-></A
-><H2
->Synopsis</H2
-><P
-><B
-CLASS="COMMAND"
->dnssec-keygen</B
->  {-a <VAR
-CLASS="REPLACEABLE"
->algorithm</VAR
->} {-b <VAR
-CLASS="REPLACEABLE"
->keysize</VAR
->} {-n <VAR
-CLASS="REPLACEABLE"
->nametype</VAR
->} [<VAR
-CLASS="OPTION"
->-c <VAR
-CLASS="REPLACEABLE"
->class</VAR
-></VAR
->] [<VAR
-CLASS="OPTION"
->-e</VAR
->] [<VAR
-CLASS="OPTION"
->-f <VAR
-CLASS="REPLACEABLE"
->flag</VAR
-></VAR
->] [<VAR
-CLASS="OPTION"
->-g <VAR
-CLASS="REPLACEABLE"
->generator</VAR
-></VAR
->] [<VAR
-CLASS="OPTION"
->-h</VAR
->] [<VAR
-CLASS="OPTION"
->-k</VAR
->] [<VAR
-CLASS="OPTION"
->-p <VAR
-CLASS="REPLACEABLE"
->protocol</VAR
-></VAR
->] [<VAR
-CLASS="OPTION"
->-r <VAR
-CLASS="REPLACEABLE"
->randomdev</VAR
-></VAR
->] [<VAR
-CLASS="OPTION"
->-s <VAR
-CLASS="REPLACEABLE"
->strength</VAR
-></VAR
->] [<VAR
-CLASS="OPTION"
->-t <VAR
-CLASS="REPLACEABLE"
->type</VAR
-></VAR
->] [<VAR
-CLASS="OPTION"
->-v <VAR
-CLASS="REPLACEABLE"
->level</VAR
-></VAR
->] {name}</P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN53"
-></A
-><H2
->DESCRIPTION</H2
-><P
->        <B
-CLASS="COMMAND"
->dnssec-keygen</B
-> generates keys for DNSSEC
-	(Secure DNS), as defined in RFC 2535 and RFC &lt;TBA\&gt;.  It can also generate
-	keys for use with TSIG (Transaction Signatures), as
-	defined in RFC 2845.
-    </P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN57"
-></A
-><H2
->OPTIONS</H2
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
->-a <VAR
-CLASS="REPLACEABLE"
->algorithm</VAR
-></DT
-><DD
-><P
->	      Selects the cryptographic algorithm.  The value of
-	      <VAR
-CLASS="OPTION"
->algorithm</VAR
-> must be one of RSAMD5 (RSA) or RSASHA1,
-	      DSA, DH (Diffie Hellman), or HMAC-MD5.  These values
-	      are case insensitive.
-	  </P
-><P
->	      Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm,
-	      and DSA is recommended.  For TSIG, HMAC-MD5 is mandatory.
-	  </P
-><P
->	      Note 2: HMAC-MD5 and DH automatically set the -k flag.
-	  </P
-></DD
-><DT
->-b <VAR
-CLASS="REPLACEABLE"
->keysize</VAR
-></DT
-><DD
-><P
->	       Specifies the number of bits in the key.  The choice of key
-	       size depends on the algorithm used.  RSAMD5 / RSASHA1 keys must be between
-	       512 and 2048 bits.  Diffie Hellman keys must be between
-	       128 and 4096 bits.  DSA keys must be between 512 and 1024
-	       bits and an exact multiple of 64.  HMAC-MD5 keys must be
-	       between 1 and 512 bits.
-	  </P
-></DD
-><DT
->-n <VAR
-CLASS="REPLACEABLE"
->nametype</VAR
-></DT
-><DD
-><P
->	       Specifies the owner type of the key.  The value of
-	       <VAR
-CLASS="OPTION"
->nametype</VAR
-> must either be ZONE (for a DNSSEC
-	       zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)),
-	       USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).  These values are
-	       case insensitive.
-	  </P
-></DD
-><DT
->-c <VAR
-CLASS="REPLACEABLE"
->class</VAR
-></DT
-><DD
-><P
->	       Indicates that the DNS record containing the key should have
-	       the specified class.  If not specified, class IN is used.
-	  </P
-></DD
-><DT
->-e</DT
-><DD
-><P
->	       If generating an RSAMD5/RSASHA1 key, use a large exponent.
-	  </P
-></DD
-><DT
->-f <VAR
-CLASS="REPLACEABLE"
->flag</VAR
-></DT
-><DD
-><P
->		Set the specified flag in the flag field of the KEY/DNSKEY record.
-		The only recognized flag is KSK (Key Signing Key) DNSKEY.
-	  </P
-></DD
-><DT
->-g <VAR
-CLASS="REPLACEABLE"
->generator</VAR
-></DT
-><DD
-><P
->	       If generating a Diffie Hellman key, use this generator.
-	       Allowed values are 2 and 5.  If no generator
-	       is specified, a known prime from RFC 2539 will be used
-	       if possible; otherwise the default is 2.
-	  </P
-></DD
-><DT
->-h</DT
-><DD
-><P
->	       Prints a short summary of the options and arguments to
-	       <B
-CLASS="COMMAND"
->dnssec-keygen</B
->.
-	  </P
-></DD
-><DT
->-k</DT
-><DD
-><P
->	       Generate KEY records rather than DNSKEY records.
-	  </P
-></DD
-><DT
->-p <VAR
-CLASS="REPLACEABLE"
->protocol</VAR
-></DT
-><DD
-><P
->	       Sets the protocol value for the generated key.  The protocol
-	       is a number between 0 and 255.  The default is 3 (DNSSEC).
-	       Other possible values for this argument are listed in
-	       RFC 2535 and its successors.
-	  </P
-></DD
-><DT
->-r <VAR
-CLASS="REPLACEABLE"
->randomdev</VAR
-></DT
-><DD
-><P
->	       Specifies the source of randomness.  If the operating
-	       system does not provide a <TT
-CLASS="FILENAME"
->/dev/random</TT
->
-	       or equivalent device, the default source of randomness
-	       is keyboard input.  <TT
-CLASS="FILENAME"
->randomdev</TT
-> specifies
-	       the name of a character device or file containing random
-	       data to be used instead of the default.  The special value
-	       <TT
-CLASS="FILENAME"
->keyboard</TT
-> indicates that keyboard
-	       input should be used.
-	  </P
-></DD
-><DT
->-s <VAR
-CLASS="REPLACEABLE"
->strength</VAR
-></DT
-><DD
-><P
->	       Specifies the strength value of the key.  The strength is
-	       a number between 0 and 15, and currently has no defined
-	       purpose in DNSSEC.
-	  </P
-></DD
-><DT
->-t <VAR
-CLASS="REPLACEABLE"
->type</VAR
-></DT
-><DD
-><P
->	       Indicates the use of the key.  <VAR
-CLASS="OPTION"
->type</VAR
-> must be
-	       one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF.  The default
-	       is AUTHCONF.  AUTH refers to the ability to authenticate
-	       data, and CONF the ability to encrypt data.
-	  </P
-></DD
-><DT
->-v <VAR
-CLASS="REPLACEABLE"
->level</VAR
-></DT
-><DD
-><P
->	       Sets the debugging level.
-	  </P
-></DD
-></DL
-></DIV
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN136"
-></A
-><H2
->GENERATED KEYS</H2
-><P
->        When <B
-CLASS="COMMAND"
->dnssec-keygen</B
-> completes successfully,
-	it prints a string of the form <TT
-CLASS="FILENAME"
->Knnnn.+aaa+iiiii</TT
->
-	to the standard output.  This is an identification string for
-	the key it has generated.  These strings can be used as arguments
-	to <B
-CLASS="COMMAND"
->dnssec-makekeyset</B
->.
-    </P
-><P
-></P
-><UL
-><LI
-><P
->          <TT
-CLASS="FILENAME"
->nnnn</TT
-> is the key name.
-        </P
-></LI
-><LI
-><P
->          <TT
-CLASS="FILENAME"
->aaa</TT
-> is the numeric representation of the
+<!-- $Id: dnssec-keygen.html,v 1.29 2007/05/09 03:33:50 marka Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>dnssec-keygen</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
+<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">dnssec-keygen</span> &#8212; DNSSEC key generation tool</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code>  {-a <em class="replaceable"><code>algorithm</code></em>} {-b <em class="replaceable"><code>keysize</code></em>} {-n <em class="replaceable"><code>nametype</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k</code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543474"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">dnssec-keygen</strong></span>
+      generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
+      and RFC 4034.  It can also generate keys for use with
+      TSIG (Transaction Signatures), as defined in RFC 2845.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543485"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
+<dd>
+<p>
+            Selects the cryptographic algorithm.  The value of
+            <code class="option">algorithm</code> must be one of RSAMD5 (RSA) or RSASHA1,
+            	      DSA, DH (Diffie Hellman), or HMAC-MD5.  These values
+            are case insensitive.
+          </p>
+<p>
+            Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
+            algorithm,
+            and DSA is recommended.  For TSIG, HMAC-MD5 is mandatory.
+          </p>
+<p>
+            Note 2: HMAC-MD5 and DH automatically set the -k flag.
+          </p>
+</dd>
+<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
+<dd><p>
+            Specifies the number of bits in the key.  The choice of key
+            size depends on the algorithm used.  RSAMD5 / RSASHA1 keys must be
+            between
+            512 and 2048 bits.  Diffie Hellman keys must be between
+            128 and 4096 bits.  DSA keys must be between 512 and 1024
+            bits and an exact multiple of 64.  HMAC-MD5 keys must be
+            between 1 and 512 bits.
+          </p></dd>
+<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
+<dd><p>
+            Specifies the owner type of the key.  The value of
+            <code class="option">nametype</code> must either be ZONE (for a DNSSEC
+            zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
+            a host (KEY)),
+            USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
+            These values are
+            case insensitive.
+          </p></dd>
+<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
+<dd><p>
+            Indicates that the DNS record containing the key should have
+            the specified class.  If not specified, class IN is used.
+          </p></dd>
+<dt><span class="term">-e</span></dt>
+<dd><p>
+            If generating an RSAMD5/RSASHA1 key, use a large exponent.
+          </p></dd>
+<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
+<dd><p>
+            Set the specified flag in the flag field of the KEY/DNSKEY record.
+            		The only recognized flag is KSK (Key Signing Key) DNSKEY.
+          </p></dd>
+<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
+<dd><p>
+            If generating a Diffie Hellman key, use this generator.
+            Allowed values are 2 and 5.  If no generator
+            is specified, a known prime from RFC 2539 will be used
+            if possible; otherwise the default is 2.
+          </p></dd>
+<dt><span class="term">-h</span></dt>
+<dd><p>
+            Prints a short summary of the options and arguments to
+            <span><strong class="command">dnssec-keygen</strong></span>.
+          </p></dd>
+<dt><span class="term">-k</span></dt>
+<dd><p>
+            Generate KEY records rather than DNSKEY records.
+          </p></dd>
+<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
+<dd><p>
+            Sets the protocol value for the generated key.  The protocol
+            is a number between 0 and 255.  The default is 3 (DNSSEC).
+            Other possible values for this argument are listed in
+            RFC 2535 and its successors.
+          </p></dd>
+<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
+<dd><p>
+            Specifies the source of randomness.  If the operating
+            system does not provide a <code class="filename">/dev/random</code>
+            or equivalent device, the default source of randomness
+            is keyboard input.  <code class="filename">randomdev</code>
+            specifies
+            the name of a character device or file containing random
+            data to be used instead of the default.  The special value
+            <code class="filename">keyboard</code> indicates that keyboard
+            input should be used.
+          </p></dd>
+<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
+<dd><p>
+            Specifies the strength value of the key.  The strength is
+            a number between 0 and 15, and currently has no defined
+            purpose in DNSSEC.
+          </p></dd>
+<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
+<dd><p>
+            Indicates the use of the key.  <code class="option">type</code> must be
+            one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF.  The default
+            is AUTHCONF.  AUTH refers to the ability to authenticate
+            data, and CONF the ability to encrypt data.
+          </p></dd>
+<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
+<dd><p>
+            Sets the debugging level.
+          </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543820"></a><h2>GENERATED KEYS</h2>
+<p>
+      When <span><strong class="command">dnssec-keygen</strong></span> completes
+      successfully,
+      it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
+      to the standard output.  This is an identification string for
+      the key it has generated.
+    </p>
+<div class="itemizedlist"><ul type="disc">
+<li><p><code class="filename">nnnn</code> is the key name.
+        </p></li>
+<li><p><code class="filename">aaa</code> is the numeric representation
+          of the
           algorithm.
-        </P
-></LI
-><LI
-><P
->          <TT
-CLASS="FILENAME"
->iiiii</TT
-> is the key identifier (or footprint).
-        </P
-></LI
-></UL
-><P
->        <B
-CLASS="COMMAND"
->dnssec-keygen</B
-> creates two file, with names based
-	on the printed string.  <TT
-CLASS="FILENAME"
->Knnnn.+aaa+iiiii.key</TT
->
-	contains the public key, and
-	<TT
-CLASS="FILENAME"
->Knnnn.+aaa+iiiii.private</TT
-> contains the private
-	key.
-    </P
-><P
->        The <TT
-CLASS="FILENAME"
->.key</TT
-> file contains a DNS KEY record that
-	can be inserted into a zone file (directly or with a $INCLUDE
-	statement).
-    </P
-><P
->        The <TT
-CLASS="FILENAME"
->.private</TT
-> file contains algorithm specific
-	fields.  For obvious security reasons, this file does not have
-	general read permission.
-    </P
-><P
->        Both <TT
-CLASS="FILENAME"
->.key</TT
-> and <TT
-CLASS="FILENAME"
->.private</TT
->
-	files are generated for symmetric encryption algorithm such as
-	HMAC-MD5, even though the public and private key are equivalent.
-    </P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN163"
-></A
-><H2
->EXAMPLE</H2
-><P
->        To generate a 768-bit DSA key for the domain
-	<KBD
-CLASS="USERINPUT"
->example.com</KBD
->, the following command would be
-	issued:
-    </P
-><P
->        <KBD
-CLASS="USERINPUT"
->dnssec-keygen -a DSA -b 768 -n ZONE example.com</KBD
->
-    </P
-><P
->        The command would print a string of the form:
-    </P
-><P
->        <KBD
-CLASS="USERINPUT"
->Kexample.com.+003+26160</KBD
->
-    </P
-><P
->        In this example, <B
-CLASS="COMMAND"
->dnssec-keygen</B
-> creates
-	the files <TT
-CLASS="FILENAME"
->Kexample.com.+003+26160.key</TT
-> and
-	<TT
-CLASS="FILENAME"
->Kexample.com.+003+26160.private</TT
->
-    </P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN176"
-></A
-><H2
->SEE ALSO</H2
-><P
->      <SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->dnssec-signzone</SPAN
->(8)</SPAN
->,
-      <I
-CLASS="CITETITLE"
->BIND 9 Administrator Reference Manual</I
->,
-      <I
-CLASS="CITETITLE"
->RFC 2535</I
->,
-      <I
-CLASS="CITETITLE"
->RFC 2845</I
->,
-      <I
-CLASS="CITETITLE"
->RFC 2539</I
->.
-    </P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN186"
-></A
-><H2
->AUTHOR</H2
-><P
->        Internet Systems Consortium
-    </P
-></DIV
-></BODY
-></HTML
->
+        </p></li>
+<li><p><code class="filename">iiiii</code> is the key identifier (or
+          footprint).
+        </p></li>
+</ul></div>
+<p><span><strong class="command">dnssec-keygen</strong></span> 
+      creates two files, with names based
+      on the printed string.  <code class="filename">Knnnn.+aaa+iiiii.key</code>
+      contains the public key, and
+      <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
+      private
+      key.
+    </p>
+<p>
+      The <code class="filename">.key</code> file contains a DNS KEY record
+      that
+      can be inserted into a zone file (directly or with a $INCLUDE
+      statement).
+    </p>
+<p>
+      The <code class="filename">.private</code> file contains
+      algorithm-specific
+      fields.  For obvious security reasons, this file does not have
+      general read permission.
+    </p>
+<p>
+      Both <code class="filename">.key</code> and <code class="filename">.private</code>
+      files are generated for symmetric encryption algorithms such as
+      HMAC-MD5, even though the public and private key are equivalent.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543902"></a><h2>EXAMPLE</h2>
+<p>
+      To generate a 768-bit DSA key for the domain
+      <strong class="userinput"><code>example.com</code></strong>, the following command would be
+      issued:
+    </p>
+<p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
+    </p>
+<p>
+      The command would print a string of the form:
+    </p>
+<p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
+    </p>
+<p>
+      In this example, <span><strong class="command">dnssec-keygen</strong></span> creates
+      the files <code class="filename">Kexample.com.+003+26160.key</code>
+      and
+      <code class="filename">Kexample.com.+003+26160.private</code>.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543946"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
+      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
+      <em class="citetitle">RFC 2535</em>,
+      <em class="citetitle">RFC 2845</em>,
+      <em class="citetitle">RFC 2539</em>.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2544045"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+    </p>
+</div>
+</div></body>
+</html>

bin/dnssec/dnssec-makekeyset.8

@@ -1,113 +0,0 @@
-.\" Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id: dnssec-makekeyset.8,v 1.16.2.2.4.1 2004/03/06 07:41:39 marka Exp $
-.\"
-.TH "DNSSEC-MAKEKEYSET" "8" "June 30, 2000" "BIND9" ""
-.SH NAME
-dnssec-makekeyset \- DNSSEC zone signing tool
-.SH SYNOPSIS
-.sp
-\fBdnssec-makekeyset\fR [ \fB-a\fR ]  [ \fB-s \fIstart-time\fB\fR ]  [ \fB-e \fIend-time\fB\fR ]  [ \fB-h\fR ]  [ \fB-p\fR ]  [ \fB-r \fIrandomdev\fB\fR ]  [ \fB-t\fIttl\fB\fR ]  [ \fB-v \fIlevel\fB\fR ]  \fBkey\fR\fI...\fR
-.SH "DESCRIPTION"
-.PP
-\fBdnssec-makekeyset\fR generates a key set from one
-or more keys created by \fBdnssec-keygen\fR. It creates
-a file containing a KEY record for each key, and self-signs the key
-set with each zone key. The output file is of the form
-\fIkeyset-nnnn.\fR, where \fInnnn\fR
-is the zone name.
-.SH "OPTIONS"
-.TP
-\fB-a\fR
-Verify all generated signatures.
-.TP
-\fB-s \fIstart-time\fB\fR
-Specify the date and time when the generated SIG records
-become valid. This can be either an absolute or relative
-time. An absolute start time is indicated by a number
-in YYYYMMDDHHMMSS notation; 20000530144500 denotes
-14:45:00 UTC on May 30th, 2000. A relative start time is
-indicated by +N, which is N seconds from the current time.
-If no \fBstart-time\fR is specified, the current
-time is used.
-.TP
-\fB-e \fIend-time\fB\fR
-Specify the date and time when the generated SIG records
-expire. As with \fBstart-time\fR, an absolute
-time is indicated in YYYYMMDDHHMMSS notation. A time relative
-to the start time is indicated with +N, which is N seconds from
-the start time. A time relative to the current time is
-indicated with now+N. If no \fBend-time\fR is
-specified, 30 days from the start time is used as a default.
-.TP
-\fB-h\fR
-Prints a short summary of the options and arguments to
-\fBdnssec-makekeyset\fR.
-.TP
-\fB-p\fR
-Use pseudo-random data when signing the zone. This is faster,
-but less secure, than using real random data. This option
-may be useful when signing large zones or when the entropy
-source is limited.
-.TP
-\fB-r \fIrandomdev\fB\fR
-Specifies the source of randomness. If the operating
-system does not provide a \fI/dev/random\fR
-or equivalent device, the default source of randomness
-is keyboard input. \fIrandomdev\fR specifies
-the name of a character device or file containing random
-data to be used instead of the default. The special value
-\fIkeyboard\fR indicates that keyboard
-input should be used.
-.TP
-\fB-t \fIttl\fB\fR
-Specify the TTL (time to live) of the KEY and SIG records.
-The default is 3600 seconds.
-.TP
-\fB-v \fIlevel\fB\fR
-Sets the debugging level.
-.TP
-\fBkey\fR
-The list of keys to be included in the keyset file. These keys
-are expressed in the form \fIKnnnn.+aaa+iiiii\fR
-as generated by \fBdnssec-keygen\fR.
-.SH "EXAMPLE"
-.PP
-The following command generates a keyset containing the DSA key for
-\fBexample.com\fR generated in the
-\fBdnssec-keygen\fR man page.
-.PP
-\fBdnssec-makekeyset -t 86400 -s 20000701120000 -e +2592000 Kexample.com.+003+26160\fR
-.PP
-In this example, \fBdnssec-makekeyset\fR creates
-the file \fIkeyset-example.com.\fR. This file
-contains the specified key and a self-generated signature.
-.PP
-The DNS administrator for \fBexample.com\fR could
-send \fIkeyset-example.com.\fR to the DNS
-administrator for \fB.com\fR for signing, if the
-\&.com zone is DNSSEC-aware and the administrators of the two zones
-have some mechanism for authenticating each other and exchanging
-the keys and signatures securely.
-.SH "SEE ALSO"
-.PP
-\fBdnssec-keygen\fR(8),
-\fBdnssec-signkey\fR(8),
-\fIBIND 9 Administrator Reference Manual\fR,
-\fIRFC 2535\fR.
-.SH "AUTHOR"
-.PP
-Internet Software Consortium

bin/dnssec/dnssec-makekeyset.c

@@ -1,401 +0,0 @@
-/*
- * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2000-2003  Internet Software Consortium.
- * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
- * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dnssec-makekeyset.c,v 1.52.2.1.10.7 2004/08/28 06:25:27 marka Exp $ */
-
-#include <config.h>
-
-#include <stdlib.h>
-
-#include <isc/commandline.h>
-#include <isc/entropy.h>
-#include <isc/mem.h>
-#include <isc/print.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dns/db.h>
-#include <dns/diff.h>
-#include <dns/dnssec.h>
-#include <dns/fixedname.h>
-#include <dns/log.h>
-#include <dns/rdata.h>
-#include <dns/rdataset.h>
-#include <dns/result.h>
-#include <dns/secalg.h>
-#include <dns/time.h>
-
-#include <dst/dst.h>
-
-#include "dnssectool.h"
-
-const char *program = "dnssec-makekeyset";
-int verbose;
-
-typedef struct keynode keynode_t;
-struct keynode {
-	dst_key_t *key;
-	ISC_LINK(keynode_t) link;
-};
-typedef ISC_LIST(keynode_t) keylist_t;
-
-static isc_stdtime_t starttime = 0, endtime = 0, now;
-static int ttl = -1;
-
-static isc_mem_t *mctx = NULL;
-static isc_entropy_t *ectx = NULL;
-
-static keylist_t keylist;
-
-static void
-usage(void) {
-	fprintf(stderr, "Usage:\n");
-	fprintf(stderr, "\t%s [options] keys\n", program);
-
-	fprintf(stderr, "\n");
-
-	fprintf(stderr, "Version: %s\n", VERSION);
-
-	fprintf(stderr, "Options: (default value in parenthesis) \n");
-	fprintf(stderr, "\t-a\n");
-	fprintf(stderr, "\t\tverify generated signatures\n");
-	fprintf(stderr, "\t-s YYYYMMDDHHMMSS|+offset:\n");
-	fprintf(stderr, "\t\tSIG start time - absolute|offset (now)\n");
-	fprintf(stderr, "\t-e YYYYMMDDHHMMSS|+offset|\"now\"+offset]:\n");
-	fprintf(stderr, "\t\tSIG end time  - "
-			     "absolute|from start|from now (now + 30 days)\n");
-	fprintf(stderr, "\t-t ttl\n");
-	fprintf(stderr, "\t-p\n");
-	fprintf(stderr, "\t\tuse pseudorandom data (faster but less secure)\n");
-	fprintf(stderr, "\t-r randomdev:\n");
-	fprintf(stderr, "\t\ta file containing random data\n");
-	fprintf(stderr, "\t-v level:\n");
-	fprintf(stderr, "\t\tverbose level (0)\n");
-
-	fprintf(stderr, "\n");
-
-	fprintf(stderr, "keys:\n");
-	fprintf(stderr, "\tkeyfile (Kname+alg+tag)\n");
-
-	fprintf(stderr, "\n");
-
-	fprintf(stderr, "Output:\n");
-	fprintf(stderr, "\tkeyset (keyset-<name>)\n");
-	exit(0);
-}
-
-static isc_boolean_t
-zonekey_on_list(dst_key_t *key) {
-	keynode_t *keynode;
-	for (keynode = ISC_LIST_HEAD(keylist);
-	     keynode != NULL;
-	     keynode = ISC_LIST_NEXT(keynode, link))
-	{
-		if (dst_key_compare(keynode->key, key))
-			return (ISC_TRUE);
-	}
-	return (ISC_FALSE);
-}
-
-int
-main(int argc, char *argv[]) {
-	int i, ch;
-	char *startstr = NULL, *endstr = NULL;
-	dns_fixedname_t fdomain;
-	dns_name_t *domain = NULL;
-	char *output = NULL;
-	char *endp;
-	unsigned char data[65536];
-	dns_db_t *db;
-	dns_dbversion_t *version;
-	dns_diff_t diff;
-	dns_difftuple_t *tuple;
-	dns_fixedname_t tname;
-	dst_key_t *key = NULL;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdataset_t rdataset;
-	dns_rdataclass_t rdclass;
-	isc_result_t result;
-	isc_buffer_t b;
-	isc_region_t r;
-	isc_log_t *log = NULL;
-	keynode_t *keynode;
-	unsigned int eflags;
-	isc_boolean_t pseudorandom = ISC_FALSE;
-	isc_boolean_t tryverify = ISC_FALSE;
-
-	result = isc_mem_create(0, 0, &mctx);
-	if (result != ISC_R_SUCCESS)
-		fatal("failed to create memory context: %s",
-		      isc_result_totext(result));
-
-	dns_result_register();
-
-	while ((ch = isc_commandline_parse(argc, argv, "as:e:t:r:v:ph")) != -1)
-	{
-		switch (ch) {
-		case 'a':
-			tryverify = ISC_TRUE;
-			break;
-		case 's':
-			startstr = isc_commandline_argument;
-			break;
-
-		case 'e':
-			endstr = isc_commandline_argument;
-			break;
-
-		case 't':
-			endp = NULL;
-			ttl = strtol(isc_commandline_argument, &endp, 0);
-			if (*endp != '\0')
-				fatal("TTL must be numeric");
-			break;
-
-		case 'r':
-			setup_entropy(mctx, isc_commandline_argument, &ectx);
-			break;
-
-		case 'v':
-			endp = NULL;
-			verbose = strtol(isc_commandline_argument, &endp, 0);
-			if (*endp != '\0')
-				fatal("verbose level must be numeric");
-			break;
-
-		case 'p':
-			pseudorandom = ISC_TRUE;
-			break;
-
-		case 'h':
-		default:
-			usage();
-
-		}
-	}
-
-	argc -= isc_commandline_index;
-	argv += isc_commandline_index;
-
-	if (argc < 1)
-		usage();
-
-	if (ectx == NULL)
-		setup_entropy(mctx, NULL, &ectx);
-	eflags = ISC_ENTROPY_BLOCKING;
-	if (!pseudorandom)
-		eflags |= ISC_ENTROPY_GOODONLY;
-	result = dst_lib_init(mctx, ectx, eflags);
-	if (result != ISC_R_SUCCESS)
-		fatal("could not initialize dst: %s", 
-		      isc_result_totext(result));
-
-	isc_stdtime_get(&now);
-
-	if (startstr != NULL)
-		starttime = strtotime(startstr, now, now);
-	else
-		starttime = now;
-
-	if (endstr != NULL)
-		endtime = strtotime(endstr, now, starttime);
-	else
-		endtime = starttime + (30 * 24 * 60 * 60);
-
-	if (ttl == -1) {
-		ttl = 3600;
-		fprintf(stderr, "%s: TTL not specified, assuming 3600\n",
-			program);
-	}
-
-	setup_logging(verbose, mctx, &log);
-
-	dns_diff_init(mctx, &diff);
-	rdclass = 0;
-
-	ISC_LIST_INIT(keylist);
-
-	for (i = 0; i < argc; i++) {
-		char namestr[DNS_NAME_FORMATSIZE];
-		isc_buffer_t namebuf;
-
-		key = NULL;
-		result = dst_key_fromnamedfile(argv[i], DST_TYPE_PUBLIC,
-					       mctx, &key);
-		if (result != ISC_R_SUCCESS)
-			fatal("error loading key from %s: %s", argv[i],
-			      isc_result_totext(result));
-		if (rdclass == 0)
-			rdclass = dst_key_class(key);
-
-		isc_buffer_init(&namebuf, namestr, sizeof(namestr));
-		result = dns_name_tofilenametext(dst_key_name(key),
-						 ISC_FALSE,
-						 &namebuf);
-		check_result(result, "dns_name_tofilenametext");
-		isc_buffer_putuint8(&namebuf, 0);
-
-		if (domain == NULL) {
-			dns_fixedname_init(&fdomain);
-			domain = dns_fixedname_name(&fdomain);
-			dns_name_copy(dst_key_name(key), domain, NULL);
-		} else if (!dns_name_equal(domain, dst_key_name(key))) {
-			char str[DNS_NAME_FORMATSIZE];
-			dns_name_format(domain, str, sizeof(str));
-			fatal("all keys must have the same owner - %s "
-			      "and %s do not match", str, namestr);
-		}
-
-		if (output == NULL) {
-			output = isc_mem_allocate(mctx,
-						  strlen("keyset-") +
-						  strlen(namestr) + 1);
-			if (output == NULL)
-				fatal("out of memory");
-			sprintf(output, "keyset-%s", namestr);
-		}
-
-		if (dst_key_iszonekey(key)) {
-			dst_key_t *zonekey = NULL;
-			result = dst_key_fromnamedfile(argv[i],
-						       DST_TYPE_PUBLIC |
-						       DST_TYPE_PRIVATE,
-						       mctx, &zonekey);
-			if (result != ISC_R_SUCCESS)
-				fatal("failed to read private key %s: %s",
-				      argv[i], isc_result_totext(result));
-			if (!zonekey_on_list(zonekey)) {
-				keynode = isc_mem_get(mctx, sizeof(keynode_t));
-				if (keynode == NULL)
-					fatal("out of memory");
-				keynode->key = zonekey;
-				ISC_LIST_INITANDAPPEND(keylist, keynode, link);
-			} else
-				dst_key_free(&zonekey);
-		}
-		dns_rdata_reset(&rdata);
-		isc_buffer_init(&b, data, sizeof(data));
-		result = dst_key_todns(key, &b);
-		dst_key_free(&key);
-		if (result != ISC_R_SUCCESS)
-			fatal("failed to convert key %s to a DNS KEY: %s",
-			      argv[i], isc_result_totext(result));
-		isc_buffer_usedregion(&b, &r);
-		dns_rdata_fromregion(&rdata, rdclass, dns_rdatatype_dnskey, &r);
-		tuple = NULL;
-		result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
-					      domain, ttl, &rdata, &tuple);
-		check_result(result, "dns_difftuple_create");
-		dns_diff_append(&diff, &tuple);
-	}
-
-	db = NULL;
-	result = dns_db_create(mctx, "rbt", dns_rootname, dns_dbtype_zone,
-			       rdclass, 0, NULL, &db);
-	if (result != ISC_R_SUCCESS)
-		fatal("failed to create a database");
-
-	version = NULL;
-	dns_db_newversion(db, &version);
-
-	result = dns_diff_apply(&diff, db, version);
-	check_result(result, "dns_diff_apply");
-	dns_diff_clear(&diff);
-
-	dns_fixedname_init(&tname);
-	dns_rdataset_init(&rdataset);
-	result = dns_db_find(db, domain, version, dns_rdatatype_dnskey, 0, 0,
-			     NULL, dns_fixedname_name(&tname), &rdataset,
-			     NULL);
-	check_result(result, "dns_db_find");
-
-	if (ISC_LIST_EMPTY(keylist))
-		fprintf(stderr,
-			"%s: no private zone key found; not self-signing\n",
-			program);
-	for (keynode = ISC_LIST_HEAD(keylist);
-	     keynode != NULL;
-	     keynode = ISC_LIST_NEXT(keynode, link))
-	{
-		dns_rdata_reset(&rdata);
-		isc_buffer_init(&b, data, sizeof(data));
-		result = dns_dnssec_sign(domain, &rdataset, keynode->key,
-					 &starttime, &endtime, mctx, &b,
-					 &rdata);
-		isc_entropy_stopcallbacksources(ectx);
-		if (result != ISC_R_SUCCESS) {
-			char keystr[KEY_FORMATSIZE];
-			key_format(keynode->key, keystr, sizeof(keystr));
-			fatal("failed to sign keyset with key %s: %s",
-			      keystr, isc_result_totext(result));
-		}
-		if (tryverify) {
-			result = dns_dnssec_verify(domain, &rdataset,
-						   keynode->key, ISC_TRUE,
-						   mctx, &rdata);
-			if (result != ISC_R_SUCCESS) {
-				char keystr[KEY_FORMATSIZE];
-				key_format(keynode->key, keystr, sizeof(keystr));
-				fatal("signature from key '%s' failed to "
-				      "verify: %s",
-				      keystr, isc_result_totext(result));
-			}
-		}
-		tuple = NULL;
-		result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
-					      domain, ttl, &rdata, &tuple);
-		check_result(result, "dns_difftuple_create");
-		dns_diff_append(&diff, &tuple);
-	}
-
-	result = dns_diff_apply(&diff, db, version);
-	check_result(result, "dns_diff_apply");
-	dns_diff_clear(&diff);
-
-	dns_rdataset_disassociate(&rdataset);
-
-	dns_db_closeversion(db, &version, ISC_TRUE);
-	result = dns_db_dump(db, version, output);
-	if (result != ISC_R_SUCCESS) {
-		char domainstr[DNS_NAME_FORMATSIZE];
-		dns_name_format(domain, domainstr, sizeof(domainstr));
-		fatal("failed to write database for %s to %s",
-		      domainstr, output);
-	}
-
-	printf("%s\n", output);
-
-	dns_db_detach(&db);
-
-	while (!ISC_LIST_EMPTY(keylist)) {
-		keynode = ISC_LIST_HEAD(keylist);
-		ISC_LIST_UNLINK(keylist, keynode, link);
-		dst_key_free(&keynode->key);
-		isc_mem_put(mctx, keynode, sizeof(keynode_t));
-	}
-
-	cleanup_logging(&log);
-	cleanup_entropy(&ectx);
-
-	isc_mem_free(mctx, output);
-	dst_lib_destroy();
-	if (verbose > 10)
-		isc_mem_stats(mctx, stdout);
-	isc_mem_destroy(&mctx);
-	return (0);
-}

bin/dnssec/dnssec-makekeyset.docbook

@@ -1,233 +0,0 @@
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
-<!--
- - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2001, 2003  Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: dnssec-makekeyset.docbook,v 1.2.2.3.4.2 2004/06/03 02:24:55 marka Exp $ -->
-
-<refentry>
-  <refentryinfo>
-    <date>June 30, 2000</date>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle><application>dnssec-makekeyset</application></refentrytitle>
-    <manvolnum>8</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <refnamediv>
-    <refname><application>dnssec-makekeyset</application></refname>
-    <refpurpose>DNSSEC zone signing tool</refpurpose>
-  </refnamediv>
-
-  <refsynopsisdiv>
-    <cmdsynopsis>
-      <command>dnssec-makekeyset</command>
-      <arg><option>-a</option></arg>
-      <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
-      <arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
-      <arg><option>-h</option></arg>
-      <arg><option>-p</option></arg>
-      <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
-      <arg><option>-t</option><replaceable class="parameter">ttl</replaceable></arg>
-      <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
-      <arg choice="req" rep="repeat">key</arg>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>DESCRIPTION</title>
-    <para>
-        <command>dnssec-makekeyset</command> generates a key set from one
-	or more keys created by <command>dnssec-keygen</command>.  It creates
-	a file containing a KEY record for each key, and self-signs the key
-	set with each zone key.  The output file is of the form
-	<filename>keyset-nnnn.</filename>, where <filename>nnnn</filename>
-	is the zone name.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>OPTIONS</title>
-
-    <variablelist>
-      <varlistentry>
-        <term>-a</term>
-	<listitem>
-	  <para>
-	      Verify all generated signatures.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-s <replaceable class="parameter">start-time</replaceable></term>
-	<listitem>
-	  <para>
-	       Specify the date and time when the generated SIG records
-	       become valid.  This can be either an absolute or relative
-	       time.  An absolute start time is indicated by a number
-	       in YYYYMMDDHHMMSS notation; 20000530144500 denotes
-	       14:45:00 UTC on May 30th, 2000.  A relative start time is
-	       indicated by +N, which is N seconds from the current time.
-	       If no <option>start-time</option> is specified, the current
-	       time is used.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-e <replaceable class="parameter">end-time</replaceable></term>
-	<listitem>
-	  <para>
-	       Specify the date and time when the generated SIG records
-	       expire.  As with <option>start-time</option>, an absolute
-	       time is indicated in YYYYMMDDHHMMSS notation.  A time relative
-	       to the start time is indicated with +N, which is N seconds from
-	       the start time.  A time relative to the current time is
-	       indicated with now+N.  If no <option>end-time</option> is
-	       specified, 30 days from the start time is used as a default.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-h</term>
-	<listitem>
-	  <para>
-	       Prints a short summary of the options and arguments to
-	       <command>dnssec-makekeyset</command>.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-p</term>
-	<listitem>
-	  <para>
-	       Use pseudo-random data when signing the zone.  This is faster,
-	       but less secure, than using real random data.  This option
-	       may be useful when signing large zones or when the entropy
-	       source is limited.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-r <replaceable class="parameter">randomdev</replaceable></term>
-	<listitem>
-	  <para>
-	       Specifies the source of randomness.  If the operating
-	       system does not provide a <filename>/dev/random</filename>
-	       or equivalent device, the default source of randomness
-	       is keyboard input.  <filename>randomdev</filename> specifies
-	       the name of a character device or file containing random
-	       data to be used instead of the default.  The special value
-	       <filename>keyboard</filename> indicates that keyboard
-	       input should be used.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-t <replaceable class="parameter">ttl</replaceable></term>
-	<listitem>
-	  <para>
-	       Specify the TTL (time to live) of the KEY and SIG records.
-	       The default is 3600 seconds.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-v <replaceable class="parameter">level</replaceable></term>
-	<listitem>
-	  <para>
-	       Sets the debugging level.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>key</term>
-	<listitem>
-	  <para>
-	       The list of keys to be included in the keyset file.  These keys
-	       are expressed in the form <filename>Knnnn.+aaa+iiiii</filename>
-	       as generated by <command>dnssec-keygen</command>.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-    </variablelist>
-  </refsect1>
-
-  <refsect1>
-    <title>EXAMPLE</title>
-    <para>
-        The following command generates a keyset containing the DSA key for
-	<userinput>example.com</userinput> generated in the
-	<command>dnssec-keygen</command> man page.
-    </para>
-    <para>
-        <userinput>dnssec-makekeyset -t 86400 -s 20000701120000 -e +2592000 Kexample.com.+003+26160</userinput>
-    </para>
-    <para>
-        In this example, <command>dnssec-makekeyset</command> creates
-	the file <filename>keyset-example.com.</filename>.  This file
-	contains the specified key and a self-generated signature.
-    </para>
-    <para>
-        The DNS administrator for <userinput>example.com</userinput> could
-	send <filename>keyset-example.com.</filename> to the DNS
-	administrator for <userinput>.com</userinput> for signing, if the
-	.com zone is DNSSEC-aware and the administrators of the two zones
-	have some mechanism for authenticating each other and exchanging
-	the keys and signatures securely.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>SEE ALSO</title>
-    <para>
-      <citerefentry>
-        <refentrytitle>dnssec-keygen</refentrytitle>
-	<manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>dnssec-signkey</refentrytitle>
-	<manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
-      <citetitle>RFC 2535</citetitle>.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>AUTHOR</title>
-    <para>
-        <corpauthor>Internet Systems Consortium</corpauthor>
-    </para>
-  </refsect1>
-
-</refentry>
-
-<!--
- - Local variables:
- - mode: sgml
- - End:
--->

bin/dnssec/dnssec-makekeyset.html

@@ -1,407 +0,0 @@
-<!--
- - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2001, 2003  Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: dnssec-makekeyset.html,v 1.4.2.2.4.1 2004/03/06 10:21:15 marka Exp $ -->
-
-<HTML
-><HEAD
-><TITLE
->dnssec-makekeyset</TITLE
-><META
-NAME="GENERATOR"
-CONTENT="Modular DocBook HTML Stylesheet Version 1.73
-"></HEAD
-><BODY
-CLASS="REFENTRY"
-BGCOLOR="#FFFFFF"
-TEXT="#000000"
-LINK="#0000FF"
-VLINK="#840084"
-ALINK="#0000FF"
-><H1
-><A
-NAME="AEN1"
-><SPAN
-CLASS="APPLICATION"
->dnssec-makekeyset</SPAN
-></A
-></H1
-><DIV
-CLASS="REFNAMEDIV"
-><A
-NAME="AEN9"
-></A
-><H2
->Name</H2
-><SPAN
-CLASS="APPLICATION"
->dnssec-makekeyset</SPAN
->&nbsp;--&nbsp;DNSSEC zone signing tool</DIV
-><DIV
-CLASS="REFSYNOPSISDIV"
-><A
-NAME="AEN13"
-></A
-><H2
->Synopsis</H2
-><P
-><B
-CLASS="COMMAND"
->dnssec-makekeyset</B
->  [<TT
-CLASS="OPTION"
->-a</TT
->] [<TT
-CLASS="OPTION"
->-s <TT
-CLASS="REPLACEABLE"
-><I
->start-time</I
-></TT
-></TT
->] [<TT
-CLASS="OPTION"
->-e <TT
-CLASS="REPLACEABLE"
-><I
->end-time</I
-></TT
-></TT
->] [<TT
-CLASS="OPTION"
->-h</TT
->] [<TT
-CLASS="OPTION"
->-p</TT
->] [<TT
-CLASS="OPTION"
->-r <TT
-CLASS="REPLACEABLE"
-><I
->randomdev</I
-></TT
-></TT
->] [<TT
-CLASS="OPTION"
->-t</TT
-><TT
-CLASS="REPLACEABLE"
-><I
->ttl</I
-></TT
->] [<TT
-CLASS="OPTION"
->-v <TT
-CLASS="REPLACEABLE"
-><I
->level</I
-></TT
-></TT
->] {key...}</P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN38"
-></A
-><H2
->DESCRIPTION</H2
-><P
->        <B
-CLASS="COMMAND"
->dnssec-makekeyset</B
-> generates a key set from one
-	or more keys created by <B
-CLASS="COMMAND"
->dnssec-keygen</B
->.  It creates
-	a file containing a KEY record for each key, and self-signs the key
-	set with each zone key.  The output file is of the form
-	<TT
-CLASS="FILENAME"
->keyset-nnnn.</TT
->, where <TT
-CLASS="FILENAME"
->nnnn</TT
->
-	is the zone name.
-    </P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN45"
-></A
-><H2
->OPTIONS</H2
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
->-a</DT
-><DD
-><P
->	      Verify all generated signatures.
-	  </P
-></DD
-><DT
->-s <TT
-CLASS="REPLACEABLE"
-><I
->start-time</I
-></TT
-></DT
-><DD
-><P
->	       Specify the date and time when the generated SIG records
-	       become valid.  This can be either an absolute or relative
-	       time.  An absolute start time is indicated by a number
-	       in YYYYMMDDHHMMSS notation; 20000530144500 denotes
-	       14:45:00 UTC on May 30th, 2000.  A relative start time is
-	       indicated by +N, which is N seconds from the current time.
-	       If no <TT
-CLASS="OPTION"
->start-time</TT
-> is specified, the current
-	       time is used.
-	  </P
-></DD
-><DT
->-e <TT
-CLASS="REPLACEABLE"
-><I
->end-time</I
-></TT
-></DT
-><DD
-><P
->	       Specify the date and time when the generated SIG records
-	       expire.  As with <TT
-CLASS="OPTION"
->start-time</TT
->, an absolute
-	       time is indicated in YYYYMMDDHHMMSS notation.  A time relative
-	       to the start time is indicated with +N, which is N seconds from
-	       the start time.  A time relative to the current time is
-	       indicated with now+N.  If no <TT
-CLASS="OPTION"
->end-time</TT
-> is
-	       specified, 30 days from the start time is used as a default.
-	  </P
-></DD
-><DT
->-h</DT
-><DD
-><P
->	       Prints a short summary of the options and arguments to
-	       <B
-CLASS="COMMAND"
->dnssec-makekeyset</B
->.
-	  </P
-></DD
-><DT
->-p</DT
-><DD
-><P
->	       Use pseudo-random data when signing the zone.  This is faster,
-	       but less secure, than using real random data.  This option
-	       may be useful when signing large zones or when the entropy
-	       source is limited.
-	  </P
-></DD
-><DT
->-r <TT
-CLASS="REPLACEABLE"
-><I
->randomdev</I
-></TT
-></DT
-><DD
-><P
->	       Specifies the source of randomness.  If the operating
-	       system does not provide a <TT
-CLASS="FILENAME"
->/dev/random</TT
->
-	       or equivalent device, the default source of randomness
-	       is keyboard input.  <TT
-CLASS="FILENAME"
->randomdev</TT
-> specifies
-	       the name of a character device or file containing random
-	       data to be used instead of the default.  The special value
-	       <TT
-CLASS="FILENAME"
->keyboard</TT
-> indicates that keyboard
-	       input should be used.
-	  </P
-></DD
-><DT
->-t <TT
-CLASS="REPLACEABLE"
-><I
->ttl</I
-></TT
-></DT
-><DD
-><P
->	       Specify the TTL (time to live) of the KEY and SIG records.
-	       The default is 3600 seconds.
-	  </P
-></DD
-><DT
->-v <TT
-CLASS="REPLACEABLE"
-><I
->level</I
-></TT
-></DT
-><DD
-><P
->	       Sets the debugging level.
-	  </P
-></DD
-><DT
->key</DT
-><DD
-><P
->	       The list of keys to be included in the keyset file.  These keys
-	       are expressed in the form <TT
-CLASS="FILENAME"
->Knnnn.+aaa+iiiii</TT
->
-	       as generated by <B
-CLASS="COMMAND"
->dnssec-keygen</B
->.
-	  </P
-></DD
-></DL
-></DIV
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN98"
-></A
-><H2
->EXAMPLE</H2
-><P
->        The following command generates a keyset containing the DSA key for
-	<TT
-CLASS="USERINPUT"
-><B
->example.com</B
-></TT
-> generated in the
-	<B
-CLASS="COMMAND"
->dnssec-keygen</B
-> man page.
-    </P
-><P
->        <TT
-CLASS="USERINPUT"
-><B
->dnssec-makekeyset -t 86400 -s 20000701120000 -e +2592000 Kexample.com.+003+26160</B
-></TT
->
-    </P
-><P
->        In this example, <B
-CLASS="COMMAND"
->dnssec-makekeyset</B
-> creates
-	the file <TT
-CLASS="FILENAME"
->keyset-example.com.</TT
->.  This file
-	contains the specified key and a self-generated signature.
-    </P
-><P
->        The DNS administrator for <TT
-CLASS="USERINPUT"
-><B
->example.com</B
-></TT
-> could
-	send <TT
-CLASS="FILENAME"
->keyset-example.com.</TT
-> to the DNS
-	administrator for <TT
-CLASS="USERINPUT"
-><B
->.com</B
-></TT
-> for signing, if the
-	.com zone is DNSSEC-aware and the administrators of the two zones
-	have some mechanism for authenticating each other and exchanging
-	the keys and signatures securely.
-    </P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN112"
-></A
-><H2
->SEE ALSO</H2
-><P
->      <SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->dnssec-keygen</SPAN
->(8)</SPAN
->,
-      <SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->dnssec-signkey</SPAN
->(8)</SPAN
->,
-      <I
-CLASS="CITETITLE"
->BIND 9 Administrator Reference Manual</I
->,
-      <I
-CLASS="CITETITLE"
->RFC 2535</I
->.
-    </P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN123"
-></A
-><H2
->AUTHOR</H2
-><P
->        Internet Software Consortium
-    </P
-></DIV
-></BODY
-></HTML
->

bin/dnssec/dnssec-signkey.8

@@ -1,108 +0,0 @@
-.\" Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id: dnssec-signkey.8,v 1.18.2.1.4.1 2004/03/06 07:41:39 marka Exp $
-.\"
-.TH "DNSSEC-SIGNKEY" "8" "June 30, 2000" "BIND9" ""
-.SH NAME
-dnssec-signkey \- DNSSEC key set signing tool
-.SH SYNOPSIS
-.sp
-\fBdnssec-signkey\fR [ \fB-a\fR ]  [ \fB-c \fIclass\fB\fR ]  [ \fB-s \fIstart-time\fB\fR ]  [ \fB-e \fIend-time\fB\fR ]  [ \fB-h\fR ]  [ \fB-p\fR ]  [ \fB-r \fIrandomdev\fB\fR ]  [ \fB-v \fIlevel\fB\fR ]  \fBkeyset\fR \fBkey\fR\fI...\fR
-.SH "DESCRIPTION"
-.PP
-\fBdnssec-signkey\fR signs a keyset. Typically
-the keyset will be for a child zone, and will have been generated
-by \fBdnssec-makekeyset\fR. The child zone's keyset
-is signed with the zone keys for its parent zone. The output file
-is of the form \fIsignedkey-nnnn.\fR, where
-\fInnnn\fR is the zone name.
-.SH "OPTIONS"
-.TP
-\fB-a\fR
-Verify all generated signatures.
-.TP
-\fB-c \fIclass\fB\fR
-Specifies the DNS class of the key sets.
-.TP
-\fB-s \fIstart-time\fB\fR
-Specify the date and time when the generated SIG records
-become valid. This can be either an absolute or relative
-time. An absolute start time is indicated by a number
-in YYYYMMDDHHMMSS notation; 20000530144500 denotes
-14:45:00 UTC on May 30th, 2000. A relative start time is
-indicated by +N, which is N seconds from the current time.
-If no \fBstart-time\fR is specified, the current
-time is used.
-.TP
-\fB-e \fIend-time\fB\fR
-Specify the date and time when the generated SIG records
-expire. As with \fBstart-time\fR, an absolute
-time is indicated in YYYYMMDDHHMMSS notation. A time relative
-to the start time is indicated with +N, which is N seconds from
-the start time. A time relative to the current time is
-indicated with now+N. If no \fBend-time\fR is
-specified, 30 days from the start time is used as a default.
-.TP
-\fB-h\fR
-Prints a short summary of the options and arguments to
-\fBdnssec-signkey\fR.
-.TP
-\fB-p\fR
-Use pseudo-random data when signing the zone. This is faster,
-but less secure, than using real random data. This option
-may be useful when signing large zones or when the entropy
-source is limited.
-.TP
-\fB-r \fIrandomdev\fB\fR
-Specifies the source of randomness. If the operating
-system does not provide a \fI/dev/random\fR
-or equivalent device, the default source of randomness
-is keyboard input. \fIrandomdev\fR specifies
-the name of a character device or file containing random
-data to be used instead of the default. The special value
-\fIkeyboard\fR indicates that keyboard
-input should be used.
-.TP
-\fB-v \fIlevel\fB\fR
-Sets the debugging level.
-.TP
-\fBkeyset\fR
-The file containing the child's keyset.
-.TP
-\fBkey\fR
-The keys used to sign the child's keyset.
-.SH "EXAMPLE"
-.PP
-The DNS administrator for a DNSSEC-aware \fB.com\fR
-zone would use the following command to sign the
-\fIkeyset\fR file for \fBexample.com\fR
-created by \fBdnssec-makekeyset\fR with a key generated
-by \fBdnssec-keygen\fR:
-.PP
-\fBdnssec-signkey keyset-example.com. Kcom.+003+51944\fR
-.PP
-In this example, \fBdnssec-signkey\fR creates
-the file \fIsignedkey-example.com.\fR, which
-contains the \fBexample.com\fR keys and the
-signatures by the \fB.com\fR keys.
-.SH "SEE ALSO"
-.PP
-\fBdnssec-keygen\fR(8),
-\fBdnssec-makekeyset\fR(8),
-\fBdnssec-signzone\fR(8).
-.SH "AUTHOR"
-.PP
-Internet Software Consortium

bin/dnssec/dnssec-signkey.c

@@ -1,448 +0,0 @@
-/*
- * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2000-2003  Internet Software Consortium.
- * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
- * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dnssec-signkey.c,v 1.50.2.2.2.7 2004/08/28 06:25:28 marka Exp $ */
-
-#include <config.h>
-
-#include <stdlib.h>
-
-#include <isc/string.h>
-#include <isc/commandline.h>
-#include <isc/entropy.h>
-#include <isc/mem.h>
-#include <isc/print.h>
-#include <isc/util.h>
-
-#include <dns/db.h>
-#include <dns/dbiterator.h>
-#include <dns/diff.h>
-#include <dns/dnssec.h>
-#include <dns/fixedname.h>
-#include <dns/log.h>
-#include <dns/rdata.h>
-#include <dns/rdataclass.h>
-#include <dns/rdataset.h>
-#include <dns/rdatasetiter.h>
-#include <dns/rdatastruct.h>
-#include <dns/result.h>
-#include <dns/secalg.h>
-
-#include <dst/dst.h>
-
-#include "dnssectool.h"
-
-const char *program = "dnssec-signkey";
-int verbose;
-
-typedef struct keynode keynode_t;
-struct keynode {
-	dst_key_t *key;
-	isc_boolean_t verified;
-	ISC_LINK(keynode_t) link;
-};
-typedef ISC_LIST(keynode_t) keylist_t;
-
-static isc_stdtime_t starttime = 0, endtime = 0, now;
-
-static isc_mem_t *mctx = NULL;
-static isc_entropy_t *ectx = NULL;
-static keylist_t keylist;
-
-static void
-usage(void) {
-	fprintf(stderr, "Usage:\n");
-	fprintf(stderr, "\t%s [options] keyset keys\n", program);
-
-	fprintf(stderr, "\n");
-
-	fprintf(stderr, "Version: %s\n", VERSION);
-
-	fprintf(stderr, "Options: (default value in parenthesis) \n");
-	fprintf(stderr, "\t-a\n");
-	fprintf(stderr, "\t\tverify generated signatures\n");
-	fprintf(stderr, "\t-c class (IN)\n");
-	fprintf(stderr, "\t-s YYYYMMDDHHMMSS|+offset:\n");
-	fprintf(stderr, "\t\tSIG start time - absolute|offset (from keyset)\n");
-	fprintf(stderr, "\t-e YYYYMMDDHHMMSS|+offset|\"now\"+offset]:\n");
-	fprintf(stderr, "\t\tSIG end time  - absolute|from start|from now "
-		"(from keyset)\n");
-	fprintf(stderr, "\t-v level:\n");
-	fprintf(stderr, "\t\tverbose level (0)\n");
-	fprintf(stderr, "\t-p\n");
-	fprintf(stderr, "\t\tuse pseudorandom data (faster but less secure)\n");
-	fprintf(stderr, "\t-r randomdev:\n");
-	fprintf(stderr, "\t\ta file containing random data\n");
-
-	fprintf(stderr, "\n");
-
-	fprintf(stderr, "keyset:\n");
-	fprintf(stderr, "\tfile with keyset to be signed (keyset-<name>)\n");
-	fprintf(stderr, "keys:\n");
-	fprintf(stderr, "\tkeyfile (Kname+alg+tag)\n");
-
-	fprintf(stderr, "\n");
-	fprintf(stderr, "Output:\n");
-	fprintf(stderr, "\tsigned keyset (signedkey-<name>)\n");
-	exit(0);
-}
-
-static void
-loadkeys(dns_name_t *name, dns_rdataset_t *rdataset) {
-	dst_key_t *key;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	keynode_t *keynode;
-	isc_result_t result;
-
-	ISC_LIST_INIT(keylist);
-	result = dns_rdataset_first(rdataset);
-	check_result(result, "dns_rdataset_first");
-	for (; result == ISC_R_SUCCESS; result = dns_rdataset_next(rdataset)) {
-		dns_rdata_reset(&rdata);
-		dns_rdataset_current(rdataset, &rdata);
-		key = NULL;
-		result = dns_dnssec_keyfromrdata(name, &rdata, mctx, &key);
-		if (result != ISC_R_SUCCESS)
-			continue;
-		if (!dst_key_iszonekey(key)) {
-			dst_key_free(&key);
-			continue;
-		}
-		keynode = isc_mem_get(mctx, sizeof(keynode_t));
-		if (keynode == NULL)
-			fatal("out of memory");
-		keynode->key = key;
-		keynode->verified = ISC_FALSE;
-		ISC_LIST_INITANDAPPEND(keylist, keynode, link);
-	}
-	if (result != ISC_R_NOMORE)
-		fatal("failure traversing key list");
-}
-
-static dst_key_t *
-findkey(dns_rdata_rrsig_t *sig) {
-	keynode_t *keynode;
-	for (keynode = ISC_LIST_HEAD(keylist);
-	     keynode != NULL;
-	     keynode = ISC_LIST_NEXT(keynode, link))
-	{
-		if (dst_key_id(keynode->key) == sig->keyid &&
-		    dst_key_alg(keynode->key) == sig->algorithm) {
-			keynode->verified = ISC_TRUE;
-			return (keynode->key);
-		}
-	}
-	fatal("signature generated by non-zone or missing key");
-	return (NULL);
-}
-
-int
-main(int argc, char *argv[]) {
-	int i, ch;
-	char *startstr = NULL, *endstr = NULL, *classname = NULL;
-	char tdomain[1025];
-	dns_fixedname_t fdomain;
-	dns_name_t *domain;
-	char *output = NULL;
-	char *endp;
-	unsigned char data[65536];
-	dns_db_t *db;
-	dns_dbnode_t *node;
-	dns_dbversion_t *version;
-	dns_diff_t diff;
-	dns_difftuple_t *tuple;
-	dns_dbiterator_t *dbiter;
-	dns_rdatasetiter_t *rdsiter;
-	dst_key_t *key = NULL;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdata_t sigrdata = DNS_RDATA_INIT;
-	dns_rdataset_t rdataset, sigrdataset;
-	dns_rdata_rrsig_t sig;
-	isc_result_t result;
-	isc_buffer_t b;
-	isc_log_t *log = NULL;
-	keynode_t *keynode;
-	isc_boolean_t pseudorandom = ISC_FALSE;
-	unsigned int eflags;
-	dns_rdataclass_t rdclass;
-	isc_boolean_t tryverify = ISC_FALSE;
-	isc_boolean_t settime = ISC_FALSE;
-
-	result = isc_mem_create(0, 0, &mctx);
-	check_result(result, "isc_mem_create()");
-
-	dns_result_register();
-
-	while ((ch = isc_commandline_parse(argc, argv, "ac:s:e:pr:v:h")) != -1)
-	{
-		switch (ch) {
-		case 'a':
-			tryverify = ISC_TRUE;
-			break;
-		case 'c':
-			classname = isc_commandline_argument;
-			break;
-
-		case 's':
-			startstr = isc_commandline_argument;
-			break;
-						
-		case 'e':
-			endstr = isc_commandline_argument;
-			break;
-
-		case 'p':
-			pseudorandom = ISC_TRUE;
-			break;
-
-		case 'r':
-			setup_entropy(mctx, isc_commandline_argument, &ectx);
-			break;
-
-		case 'v':
-			endp = NULL;
-			verbose = strtol(isc_commandline_argument, &endp, 0);
-			if (*endp != '\0')
-				fatal("verbose level must be numeric");
-			break;
-
-		case 'h':
-		default:
-			usage();
-
-		}
-	}
-
-	argc -= isc_commandline_index;
-	argv += isc_commandline_index;
-
-	if (argc < 2)
-		usage();
-
-	rdclass = strtoclass(classname);
-
-	if (ectx == NULL)
-		setup_entropy(mctx, NULL, &ectx);
-	eflags = ISC_ENTROPY_BLOCKING;
-	if (!pseudorandom)
-		eflags |= ISC_ENTROPY_GOODONLY;
-	result = dst_lib_init(mctx, ectx, eflags);
-	if (result != ISC_R_SUCCESS)
-		fatal("could not initialize dst: %s", 
-		      isc_result_totext(result));
-
-	isc_stdtime_get(&now);
-
-	if ((startstr == NULL || endstr == NULL) &&
-	    !(startstr == NULL && endstr == NULL))
-		fatal("if -s or -e is specified, both must be");
-
-	if (startstr != NULL) {
-		starttime = strtotime(startstr, now, now);
-		endtime = strtotime(endstr, now, starttime);
-		settime = ISC_TRUE;
-	}
-
-	setup_logging(verbose, mctx, &log);
-
-	if (strlen(argv[0]) < 8U || strncmp(argv[0], "keyset-", 7) != 0)
-		fatal("keyset file '%s' must start with keyset-", argv[0]);
-
-	db = NULL;
-	result = dns_db_create(mctx, "rbt", dns_rootname, dns_dbtype_zone,
-			       rdclass, 0, NULL, &db);
-	check_result(result, "dns_db_create()");
-
-	result = dns_db_load(db, argv[0]);
-	if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE)
-		fatal("failed to load database from '%s': %s", argv[0],
-		      isc_result_totext(result));
-
-	dns_fixedname_init(&fdomain);
-	domain = dns_fixedname_name(&fdomain);
-
-	dbiter = NULL;
-	result = dns_db_createiterator(db, ISC_FALSE, &dbiter);
-	check_result(result, "dns_db_createiterator()");
-
-	result = dns_dbiterator_first(dbiter);
-	check_result(result, "dns_dbiterator_first()");
-	while (result == ISC_R_SUCCESS) {
-		node = NULL;
-		dns_dbiterator_current(dbiter, &node, domain);
-		rdsiter = NULL;
-		result = dns_db_allrdatasets(db, node, NULL, 0, &rdsiter);
-		check_result(result, "dns_db_allrdatasets()");
-		result = dns_rdatasetiter_first(rdsiter);
-		dns_rdatasetiter_destroy(&rdsiter);
-		if (result == ISC_R_SUCCESS)
-			break;
-		dns_db_detachnode(db, &node);
-		result = dns_dbiterator_next(dbiter);
-	}
-	dns_dbiterator_destroy(&dbiter);
-	if (result != ISC_R_SUCCESS)
-		fatal("failed to find data in keyset file");
-
-	isc_buffer_init(&b, tdomain, sizeof(tdomain) - 1);
-	result = dns_name_tofilenametext(domain, ISC_FALSE, &b);
-	check_result(result, "dns_name_tofilenametext()");
-	isc_buffer_putuint8(&b, 0);
-
-	output = isc_mem_allocate(mctx,
-				  strlen("signedkey-") + strlen(tdomain) + 1);
-	if (output == NULL)
-		fatal("out of memory");
-	sprintf(output, "signedkey-%s", tdomain);
-
-	version = NULL;
-	dns_db_newversion(db, &version);
-
-	dns_rdataset_init(&rdataset);
-	dns_rdataset_init(&sigrdataset);
-	result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey, 0,
-				     0, &rdataset, &sigrdataset);
-	if (result != ISC_R_SUCCESS) {
-		char domainstr[DNS_NAME_FORMATSIZE];
-		dns_name_format(domain, domainstr, sizeof(domainstr));
-		fatal("failed to find rdataset '%s KEY': %s",
-		      domainstr, isc_result_totext(result));
-	}
-
-	loadkeys(domain, &rdataset);
-
-	dns_diff_init(mctx, &diff);
-
-	if (!dns_rdataset_isassociated(&sigrdataset))
-		fatal("no SIG KEY set present");
-
-	result = dns_rdataset_first(&sigrdataset);
-	check_result(result, "dns_rdataset_first()");
-	do {
-		dns_rdataset_current(&sigrdataset, &sigrdata);
-		result = dns_rdata_tostruct(&sigrdata, &sig, mctx);
-		check_result(result, "dns_rdata_tostruct()");
-		key = findkey(&sig);
-		result = dns_dnssec_verify(domain, &rdataset, key,
-					   ISC_TRUE, mctx, &sigrdata);
-		if (result != ISC_R_SUCCESS) {
-			char keystr[KEY_FORMATSIZE];
-			key_format(key, keystr, sizeof(keystr));
-			fatal("signature by key '%s' did not verify: %s",
-			      keystr, isc_result_totext(result));
-		}
-		if (!settime) {
-			starttime = sig.timesigned;
-			endtime = sig.timeexpire;
-			settime = ISC_TRUE;
-		}
-		dns_rdata_freestruct(&sig);
-		dns_rdata_reset(&sigrdata);
-		result = dns_rdataset_next(&sigrdataset);
-	} while (result == ISC_R_SUCCESS);
-
-	for (keynode = ISC_LIST_HEAD(keylist);
-	     keynode != NULL;
-	     keynode = ISC_LIST_NEXT(keynode, link))
-		if (!keynode->verified)
-			fatal("not all zone keys self signed the key set");
-
-	argc -= 1;
-	argv += 1;
-
-	for (i = 0; i < argc; i++) {
-		key = NULL;
-		result = dst_key_fromnamedfile(argv[i],
-					       DST_TYPE_PUBLIC |
-					       DST_TYPE_PRIVATE,
-					       mctx, &key);
-		if (result != ISC_R_SUCCESS)
-			fatal("failed to read key %s from disk: %s",
-			      argv[i], isc_result_totext(result));
-
-		dns_rdata_reset(&rdata);
-		isc_buffer_init(&b, data, sizeof(data));
-		result = dns_dnssec_sign(domain, &rdataset, key,
-					 &starttime, &endtime,
-					 mctx, &b, &rdata);
-		isc_entropy_stopcallbacksources(ectx);
-		if (result != ISC_R_SUCCESS) {
-			char keystr[KEY_FORMATSIZE];
-			key_format(key, keystr, sizeof(keystr));
-			fatal("key '%s' failed to sign data: %s",
-			      keystr, isc_result_totext(result));
-		}
-		if (tryverify) {
-			result = dns_dnssec_verify(domain, &rdataset, key,
-						   ISC_TRUE, mctx, &rdata);
-			if (result != ISC_R_SUCCESS) {
-				char keystr[KEY_FORMATSIZE];
-				key_format(key, keystr, sizeof(keystr));
-				fatal("signature from key '%s' failed to "
-				      "verify: %s",
-				      keystr, isc_result_totext(result));
-			}
-		}
-		tuple = NULL;
-		result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
-					      domain, rdataset.ttl,
-					      &rdata, &tuple);
-		check_result(result, "dns_difftuple_create");
-		dns_diff_append(&diff, &tuple);
-		dst_key_free(&key);
-	}
-
-	result = dns_db_deleterdataset(db, node, version, dns_rdatatype_rrsig,
-				       dns_rdatatype_dnskey);
-	check_result(result, "dns_db_deleterdataset");
-
-	result = dns_diff_apply(&diff, db, version);
-	check_result(result, "dns_diff_apply");
-	dns_diff_clear(&diff);
-
-	dns_db_detachnode(db, &node);
-	dns_db_closeversion(db, &version, ISC_TRUE);
-	result = dns_db_dump(db, version, output);
-	if (result != ISC_R_SUCCESS)
-		fatal("failed to write database to '%s': %s",
-		      output, isc_result_totext(result));
-
-	printf("%s\n", output);
-
-	dns_rdataset_disassociate(&rdataset);
-	dns_rdataset_disassociate(&sigrdataset);
-
-	dns_db_detach(&db);
-
-	while (!ISC_LIST_EMPTY(keylist)) {
-		keynode = ISC_LIST_HEAD(keylist);
-		ISC_LIST_UNLINK(keylist, keynode, link);
-		dst_key_free(&keynode->key);
-		isc_mem_put(mctx, keynode, sizeof(keynode_t));
-	}
-
-	cleanup_logging(&log);
-
-	isc_mem_free(mctx, output);
-	cleanup_entropy(&ectx);
-	dst_lib_destroy();
-	if (verbose > 10)
-		isc_mem_stats(mctx, stdout);
-	isc_mem_destroy(&mctx);
-	return (0);
-}

bin/dnssec/dnssec-signkey.docbook

@@ -1,237 +0,0 @@
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
-<!--
- - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2001, 2003  Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: dnssec-signkey.docbook,v 1.2.2.2.4.2 2004/06/03 02:24:55 marka Exp $ -->
-
-<refentry>
-  <refentryinfo>
-    <date>June 30, 2000</date>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle><application>dnssec-signkey</application></refentrytitle>
-    <manvolnum>8</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <refnamediv>
-    <refname><application>dnssec-signkey</application></refname>
-    <refpurpose>DNSSEC key set signing tool</refpurpose>
-  </refnamediv>
-
-  <refsynopsisdiv>
-    <cmdsynopsis>
-      <command>dnssec-signkey</command>
-      <arg><option>-a</option></arg>
-      <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
-      <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
-      <arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
-      <arg><option>-h</option></arg>
-      <arg><option>-p</option></arg>
-      <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
-      <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
-      <arg choice="req">keyset</arg>
-      <arg choice="req" rep="repeat">key</arg>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>DESCRIPTION</title>
-    <para>
-        <command>dnssec-signkey</command> signs a keyset.  Typically
-	the keyset will be for a child zone, and will have been generated
-	by <command>dnssec-makekeyset</command>.  The child zone's keyset
-	is signed with the zone keys for its parent zone.  The output file
-	is of the form <filename>signedkey-nnnn.</filename>, where
-	<filename>nnnn</filename> is the zone name.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>OPTIONS</title>
-
-    <variablelist>
-      <varlistentry>
-        <term>-a</term>
-	<listitem>
-	  <para>
-	      Verify all generated signatures.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-c <replaceable class="parameter">class</replaceable></term>
-	<listitem>
-	  <para>
-	       Specifies the DNS class of the key sets.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-s <replaceable class="parameter">start-time</replaceable></term>
-	<listitem>
-	  <para>
-	       Specify the date and time when the generated SIG records
-	       become valid.  This can be either an absolute or relative
-	       time.  An absolute start time is indicated by a number
-	       in YYYYMMDDHHMMSS notation; 20000530144500 denotes
-	       14:45:00 UTC on May 30th, 2000.  A relative start time is
-	       indicated by +N, which is N seconds from the current time.
-	       If no <option>start-time</option> is specified, the current
-	       time is used.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-e <replaceable class="parameter">end-time</replaceable></term>
-	<listitem>
-	  <para>
-	       Specify the date and time when the generated SIG records
-	       expire.  As with <option>start-time</option>, an absolute
-	       time is indicated in YYYYMMDDHHMMSS notation.  A time relative
-	       to the start time is indicated with +N, which is N seconds from
-	       the start time.  A time relative to the current time is
-	       indicated with now+N.  If no <option>end-time</option> is
-	       specified, 30 days from the start time is used as a default.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-h</term>
-	<listitem>
-	  <para>
-	       Prints a short summary of the options and arguments to
-	       <command>dnssec-signkey</command>.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-p</term>
-	<listitem>
-	  <para>
-	       Use pseudo-random data when signing the zone.  This is faster,
-	       but less secure, than using real random data.  This option
-	       may be useful when signing large zones or when the entropy
-	       source is limited.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-r <replaceable class="parameter">randomdev</replaceable></term>
-	<listitem>
-	  <para>
-	       Specifies the source of randomness.  If the operating
-	       system does not provide a <filename>/dev/random</filename>
-	       or equivalent device, the default source of randomness
-	       is keyboard input.  <filename>randomdev</filename> specifies
-	       the name of a character device or file containing random
-	       data to be used instead of the default.  The special value
-	       <filename>keyboard</filename> indicates that keyboard
-	       input should be used.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-v <replaceable class="parameter">level</replaceable></term>
-	<listitem>
-	  <para>
-	       Sets the debugging level.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>keyset</term>
-	  <listitem>
-	    <para>
-	        The file containing the child's keyset.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>key</term>
-	  <listitem>
-	    <para>
-	        The keys used to sign the child's keyset.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-    </variablelist>
-  </refsect1>
-
-  <refsect1>
-    <title>EXAMPLE</title>
-    <para>
-        The DNS administrator for a DNSSEC-aware <userinput>.com</userinput>
-	zone would use the following command to sign the
-	<filename>keyset</filename> file for <userinput>example.com</userinput>
-	created by <command>dnssec-makekeyset</command> with a key generated
-	by <command>dnssec-keygen</command>:
-    </para>
-    <para>
-        <userinput>dnssec-signkey keyset-example.com. Kcom.+003+51944</userinput>
-    </para>
-    <para>
-        In this example, <command>dnssec-signkey</command> creates
-	the file <filename>signedkey-example.com.</filename>, which
-	contains the <userinput>example.com</userinput> keys and the
-	signatures by the <userinput>.com</userinput> keys.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>SEE ALSO</title>
-    <para>
-      <citerefentry>
-        <refentrytitle>dnssec-keygen</refentrytitle>
-	<manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>dnssec-makekeyset</refentrytitle>
-	<manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>dnssec-signzone</refentrytitle>
-	<manvolnum>8</manvolnum>
-      </citerefentry>.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>AUTHOR</title>
-    <para>
-        <corpauthor>Internet Systems Consortium</corpauthor>
-    </para>
-  </refsect1>
-
-</refentry>
-
-<!--
- - Local variables:
- - mode: sgml
- - End:
--->

bin/dnssec/dnssec-signkey.html

@@ -1,407 +0,0 @@
-<!--
- - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2001, 2003  Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: dnssec-signkey.html,v 1.4.2.1.4.1 2004/03/06 10:21:15 marka Exp $ -->
-
-<HTML
-><HEAD
-><TITLE
->dnssec-signkey</TITLE
-><META
-NAME="GENERATOR"
-CONTENT="Modular DocBook HTML Stylesheet Version 1.73
-"></HEAD
-><BODY
-CLASS="REFENTRY"
-BGCOLOR="#FFFFFF"
-TEXT="#000000"
-LINK="#0000FF"
-VLINK="#840084"
-ALINK="#0000FF"
-><H1
-><A
-NAME="AEN1"
-><SPAN
-CLASS="APPLICATION"
->dnssec-signkey</SPAN
-></A
-></H1
-><DIV
-CLASS="REFNAMEDIV"
-><A
-NAME="AEN9"
-></A
-><H2
->Name</H2
-><SPAN
-CLASS="APPLICATION"
->dnssec-signkey</SPAN
->&nbsp;--&nbsp;DNSSEC key set signing tool</DIV
-><DIV
-CLASS="REFSYNOPSISDIV"
-><A
-NAME="AEN13"
-></A
-><H2
->Synopsis</H2
-><P
-><B
-CLASS="COMMAND"
->dnssec-signkey</B
->  [<TT
-CLASS="OPTION"
->-a</TT
->] [<TT
-CLASS="OPTION"
->-c <TT
-CLASS="REPLACEABLE"
-><I
->class</I
-></TT
-></TT
->] [<TT
-CLASS="OPTION"
->-s <TT
-CLASS="REPLACEABLE"
-><I
->start-time</I
-></TT
-></TT
->] [<TT
-CLASS="OPTION"
->-e <TT
-CLASS="REPLACEABLE"
-><I
->end-time</I
-></TT
-></TT
->] [<TT
-CLASS="OPTION"
->-h</TT
->] [<TT
-CLASS="OPTION"
->-p</TT
->] [<TT
-CLASS="OPTION"
->-r <TT
-CLASS="REPLACEABLE"
-><I
->randomdev</I
-></TT
-></TT
->] [<TT
-CLASS="OPTION"
->-v <TT
-CLASS="REPLACEABLE"
-><I
->level</I
-></TT
-></TT
->] {keyset} {key...}</P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN39"
-></A
-><H2
->DESCRIPTION</H2
-><P
->        <B
-CLASS="COMMAND"
->dnssec-signkey</B
-> signs a keyset.  Typically
-	the keyset will be for a child zone, and will have been generated
-	by <B
-CLASS="COMMAND"
->dnssec-makekeyset</B
->.  The child zone's keyset
-	is signed with the zone keys for its parent zone.  The output file
-	is of the form <TT
-CLASS="FILENAME"
->signedkey-nnnn.</TT
->, where
-	<TT
-CLASS="FILENAME"
->nnnn</TT
-> is the zone name.
-    </P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN46"
-></A
-><H2
->OPTIONS</H2
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
->-a</DT
-><DD
-><P
->	      Verify all generated signatures.
-	  </P
-></DD
-><DT
->-c <TT
-CLASS="REPLACEABLE"
-><I
->class</I
-></TT
-></DT
-><DD
-><P
->	       Specifies the DNS class of the key sets.
-	  </P
-></DD
-><DT
->-s <TT
-CLASS="REPLACEABLE"
-><I
->start-time</I
-></TT
-></DT
-><DD
-><P
->	       Specify the date and time when the generated SIG records
-	       become valid.  This can be either an absolute or relative
-	       time.  An absolute start time is indicated by a number
-	       in YYYYMMDDHHMMSS notation; 20000530144500 denotes
-	       14:45:00 UTC on May 30th, 2000.  A relative start time is
-	       indicated by +N, which is N seconds from the current time.
-	       If no <TT
-CLASS="OPTION"
->start-time</TT
-> is specified, the current
-	       time is used.
-	  </P
-></DD
-><DT
->-e <TT
-CLASS="REPLACEABLE"
-><I
->end-time</I
-></TT
-></DT
-><DD
-><P
->	       Specify the date and time when the generated SIG records
-	       expire.  As with <TT
-CLASS="OPTION"
->start-time</TT
->, an absolute
-	       time is indicated in YYYYMMDDHHMMSS notation.  A time relative
-	       to the start time is indicated with +N, which is N seconds from
-	       the start time.  A time relative to the current time is
-	       indicated with now+N.  If no <TT
-CLASS="OPTION"
->end-time</TT
-> is
-	       specified, 30 days from the start time is used as a default.
-	  </P
-></DD
-><DT
->-h</DT
-><DD
-><P
->	       Prints a short summary of the options and arguments to
-	       <B
-CLASS="COMMAND"
->dnssec-signkey</B
->.
-	  </P
-></DD
-><DT
->-p</DT
-><DD
-><P
->	       Use pseudo-random data when signing the zone.  This is faster,
-	       but less secure, than using real random data.  This option
-	       may be useful when signing large zones or when the entropy
-	       source is limited.
-	  </P
-></DD
-><DT
->-r <TT
-CLASS="REPLACEABLE"
-><I
->randomdev</I
-></TT
-></DT
-><DD
-><P
->	       Specifies the source of randomness.  If the operating
-	       system does not provide a <TT
-CLASS="FILENAME"
->/dev/random</TT
->
-	       or equivalent device, the default source of randomness
-	       is keyboard input.  <TT
-CLASS="FILENAME"
->randomdev</TT
-> specifies
-	       the name of a character device or file containing random
-	       data to be used instead of the default.  The special value
-	       <TT
-CLASS="FILENAME"
->keyboard</TT
-> indicates that keyboard
-	       input should be used.
-	  </P
-></DD
-><DT
->-v <TT
-CLASS="REPLACEABLE"
-><I
->level</I
-></TT
-></DT
-><DD
-><P
->	       Sets the debugging level.
-	  </P
-></DD
-><DT
->keyset</DT
-><DD
-><P
->	        The file containing the child's keyset.
-	  </P
-></DD
-><DT
->key</DT
-><DD
-><P
->	        The keys used to sign the child's keyset.
-	  </P
-></DD
-></DL
-></DIV
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN101"
-></A
-><H2
->EXAMPLE</H2
-><P
->        The DNS administrator for a DNSSEC-aware <TT
-CLASS="USERINPUT"
-><B
->.com</B
-></TT
->
-	zone would use the following command to sign the
-	<TT
-CLASS="FILENAME"
->keyset</TT
-> file for <TT
-CLASS="USERINPUT"
-><B
->example.com</B
-></TT
->
-	created by <B
-CLASS="COMMAND"
->dnssec-makekeyset</B
-> with a key generated
-	by <B
-CLASS="COMMAND"
->dnssec-keygen</B
->:
-    </P
-><P
->        <TT
-CLASS="USERINPUT"
-><B
->dnssec-signkey keyset-example.com. Kcom.+003+51944</B
-></TT
->
-    </P
-><P
->        In this example, <B
-CLASS="COMMAND"
->dnssec-signkey</B
-> creates
-	the file <TT
-CLASS="FILENAME"
->signedkey-example.com.</TT
->, which
-	contains the <TT
-CLASS="USERINPUT"
-><B
->example.com</B
-></TT
-> keys and the
-	signatures by the <TT
-CLASS="USERINPUT"
-><B
->.com</B
-></TT
-> keys.
-    </P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN116"
-></A
-><H2
->SEE ALSO</H2
-><P
->      <SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->dnssec-keygen</SPAN
->(8)</SPAN
->,
-      <SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->dnssec-makekeyset</SPAN
->(8)</SPAN
->,
-      <SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->dnssec-signzone</SPAN
->(8)</SPAN
->.
-    </P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN128"
-></A
-><H2
->AUTHOR</H2
-><P
->        Internet Software Consortium
-    </P
-></DIV
-></BODY
-></HTML
->

bin/dnssec/dnssec-signzone.8

@@ -1,167 +1,272 @@
-.\" Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000-2003  Internet Software Consortium.
-.\"
+.\" Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2003 Internet Software Consortium.
+.\" 
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
 .\" copyright notice and this permission notice appear in all copies.
-.\"
+.\" 
 .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-signzone.8,v 1.23.2.1.4.6 2004/06/11 02:32:46 marka Exp $
+.\" $Id: dnssec-signzone.8,v 1.45 2007/05/09 03:33:50 marka Exp $
 .\"
-.TH "DNSSEC-SIGNZONE" "8" "June 30, 2000" "BIND9" ""
-.SH NAME
-dnssec-signzone \- DNSSEC zone signing tool
-.SH SYNOPSIS
-.sp
-\fBdnssec-signzone\fR [ \fB-a\fR ]  [ \fB-c \fIclass\fB\fR ]  [ \fB-d \fIdirectory\fB\fR ]  [ \fB-e \fIend-time\fB\fR ]  [ \fB-f \fIoutput-file\fB\fR ]  [ \fB-g\fR ]  [ \fB-h\fR ]  [ \fB-k \fIkey\fB\fR ]  [ \fB-l \fIdomain\fB\fR ]  [ \fB-i \fIinterval\fB\fR ]  [ \fB-n \fInthreads\fB\fR ]  [ \fB-o \fIorigin\fB\fR ]  [ \fB-p\fR ]  [ \fB-r \fIrandomdev\fB\fR ]  [ \fB-s \fIstart-time\fB\fR ]  [ \fB-t\fR ]  [ \fB-v \fIlevel\fB\fR ]  [ \fB-z\fR ]  \fBzonefile\fR [ \fBkey\fR\fI...\fR ] 
+.hy 0
+.ad l
+.\"     Title: dnssec\-signzone
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\"      Date: June 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
+.TH "DNSSEC\-SIGNZONE" "8" "June 30, 2000" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+dnssec\-signzone \- DNSSEC zone signing tool
+.SH "SYNOPSIS"
+.HP 16
+\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdirectory\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-f\ \fR\fB\fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkey\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-j\ \fR\fB\fIjitter\fR\fR] [\fB\-N\ \fR\fB\fIsoa\-serial\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-O\ \fR\fB\fIoutput\-format\fR\fR] [\fB\-p\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-t\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] {zonefile} [key...]
 .SH "DESCRIPTION"
 .PP
-\fBdnssec-signzone\fR signs a zone. It generates
-NSEC and RRSIG records and produces a signed version of the
-zone. The security status of delegations from the signed zone
-(that is, whether the child zones are secure or not) is
-determined by the presence or absence of a
-\fIkeyset\fR file for each child zone.
+\fBdnssec\-signzone\fR
+signs a zone. It generates NSEC and RRSIG records and produces a signed version of the zone. The security status of delegations from the signed zone (that is, whether the child zones are secure or not) is determined by the presence or absence of a
+\fIkeyset\fR
+file for each child zone.
 .SH "OPTIONS"
-.TP
-\fB-a\fR
+.PP
+\-a
+.RS 4
 Verify all generated signatures.
-.TP
-\fB-c \fIclass\fB\fR
+.RE
+.PP
+\-c \fIclass\fR
+.RS 4
 Specifies the DNS class of the zone.
-.TP
-\fB-k \fIkey\fB\fR
-Treat specified key as a key signing key ignoring any
-key flags. This option may be specified multiple times.
-.TP
-\fB-l \fIdomain\fB\fR
-Generate a DLV set in addition to the key (DNSKEY) and DS sets.
-The domain is appended to the name of the records.
-.TP
-\fB-d \fIdirectory\fB\fR
-Look for \fIkeyset\fR files in
-\fBdirectory\fR as the directory 
-.TP
-\fB-g\fR
-Generate DS records for child zones from keyset files.
-Existing DS records will be removed.
-.TP
-\fB-s \fIstart-time\fB\fR
-Specify the date and time when the generated RRSIG records
-become valid. This can be either an absolute or relative
-time. An absolute start time is indicated by a number
-in YYYYMMDDHHMMSS notation; 20000530144500 denotes
-14:45:00 UTC on May 30th, 2000. A relative start time is
-indicated by +N, which is N seconds from the current time.
-If no \fBstart-time\fR is specified, the current
-time minus 1 hour (to allow for clock skew) is used.
-.TP
-\fB-e \fIend-time\fB\fR
-Specify the date and time when the generated RRSIG records
-expire. As with \fBstart-time\fR, an absolute
-time is indicated in YYYYMMDDHHMMSS notation. A time relative
-to the start time is indicated with +N, which is N seconds from
-the start time. A time relative to the current time is
-indicated with now+N. If no \fBend-time\fR is
-specified, 30 days from the start time is used as a default.
-.TP
-\fB-f \fIoutput-file\fB\fR
-The name of the output file containing the signed zone. The
-default is to append \fI.signed\fR to the
-input file.
-.TP
-\fB-h\fR
+.RE
+.PP
+\-k \fIkey\fR
+.RS 4
+Treat specified key as a key signing key ignoring any key flags. This option may be specified multiple times.
+.RE
+.PP
+\-l \fIdomain\fR
+.RS 4
+Generate a DLV set in addition to the key (DNSKEY) and DS sets. The domain is appended to the name of the records.
+.RE
+.PP
+\-d \fIdirectory\fR
+.RS 4
+Look for
+\fIkeyset\fR
+files in
+\fBdirectory\fR
+as the directory
+.RE
+.PP
+\-g
+.RS 4
+Generate DS records for child zones from keyset files. Existing DS records will be removed.
+.RE
+.PP
+\-s \fIstart\-time\fR
+.RS 4
+Specify the date and time when the generated RRSIG records become valid. This can be either an absolute or relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative start time is indicated by +N, which is N seconds from the current time. If no
+\fBstart\-time\fR
+is specified, the current time minus 1 hour (to allow for clock skew) is used.
+.RE
+.PP
+\-e \fIend\-time\fR
+.RS 4
+Specify the date and time when the generated RRSIG records expire. As with
+\fBstart\-time\fR, an absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated with +N, which is N seconds from the start time. A time relative to the current time is indicated with now+N. If no
+\fBend\-time\fR
+is specified, 30 days from the start time is used as a default.
+.RE
+.PP
+\-f \fIoutput\-file\fR
+.RS 4
+The name of the output file containing the signed zone. The default is to append
+\fI.signed\fR
+to the input filename.
+.RE
+.PP
+\-h
+.RS 4
 Prints a short summary of the options and arguments to
-\fBdnssec-signzone\fR.
-.TP
-\fB-i \fIinterval\fB\fR
-When a previously signed zone is passed as input, records
-may be resigned. The \fBinterval\fR option
-specifies the cycle interval as an offset from the current
-time (in seconds). If a RRSIG record expires after the
-cycle interval, it is retained. Otherwise, it is considered
-to be expiring soon, and it will be replaced.
-
-The default cycle interval is one quarter of the difference
-between the signature end and start times. So if neither
-\fBend-time\fR or \fBstart-time\fR
-are specified, \fBdnssec-signzone\fR generates
-signatures that are valid for 30 days, with a cycle
-interval of 7.5 days. Therefore, if any existing RRSIG records
-are due to expire in less than 7.5 days, they would be
-replaced.
-.TP
-\fB-n \fIncpus\fB\fR
-Specifies the number of threads to use. By default, one
-thread is started for each detected CPU.
-.TP
-\fB-o \fIorigin\fB\fR
-The zone origin. If not specified, the name of the zone file
-is assumed to be the origin.
-.TP
-\fB-p\fR
-Use pseudo-random data when signing the zone. This is faster,
-but less secure, than using real random data. This option
-may be useful when signing large zones or when the entropy
-source is limited.
-.TP
-\fB-r \fIrandomdev\fB\fR
-Specifies the source of randomness. If the operating
-system does not provide a \fI/dev/random\fR
-or equivalent device, the default source of randomness
-is keyboard input. \fIrandomdev\fR specifies
-the name of a character device or file containing random
-data to be used instead of the default. The special value
-\fIkeyboard\fR indicates that keyboard
-input should be used.
-.TP
-\fB-t\fR
+\fBdnssec\-signzone\fR.
+.RE
+.PP
+\-i \fIinterval\fR
+.RS 4
+When a previously\-signed zone is passed as input, records may be resigned. The
+\fBinterval\fR
+option specifies the cycle interval as an offset from the current time (in seconds). If a RRSIG record expires after the cycle interval, it is retained. Otherwise, it is considered to be expiring soon, and it will be replaced.
+.sp
+The default cycle interval is one quarter of the difference between the signature end and start times. So if neither
+\fBend\-time\fR
+or
+\fBstart\-time\fR
+are specified,
+\fBdnssec\-signzone\fR
+generates signatures that are valid for 30 days, with a cycle interval of 7.5 days. Therefore, if any existing RRSIG records are due to expire in less than 7.5 days, they would be replaced.
+.RE
+.PP
+\-I \fIinput\-format\fR
+.RS 4
+The format of the input zone file. Possible formats are
+\fB"text"\fR
+(default) and
+\fB"raw"\fR. This option is primarily intended to be used for dynamic signed zones so that the dumped zone file in a non\-text format containing updates can be signed directly. The use of this option does not make much sense for non\-dynamic zones.
+.RE
+.PP
+\-j \fIjitter\fR
+.RS 4
+When signing a zone with a fixed signature lifetime, all RRSIG records issued at the time of signing expires simultaneously. If the zone is incrementally signed, i.e. a previously\-signed zone is passed as input to the signer, all expired signatures have to be regenerated at about the same time. The
+\fBjitter\fR
+option specifies a jitter window that will be used to randomize the signature expire time, thus spreading incremental signature regeneration over time.
+.sp
+Signature lifetime jitter also to some extent benefits validators and servers by spreading out cache expiration, i.e. if large numbers of RRSIGs don't expire at the same time from all caches there will be less congestion than if all validators need to refetch at mostly the same time.
+.RE
+.PP
+\-n \fIncpus\fR
+.RS 4
+Specifies the number of threads to use. By default, one thread is started for each detected CPU.
+.RE
+.PP
+\-N \fIsoa\-serial\-format\fR
+.RS 4
+The SOA serial number format of the signed zone. Possible formats are
+\fB"keep"\fR
+(default),
+\fB"increment"\fR
+and
+\fB"unixtime"\fR.
+.RS 4
+.PP
+\fB"keep"\fR
+.RS 4
+Do not modify the SOA serial number.
+.RE
+.PP
+\fB"increment"\fR
+.RS 4
+Increment the SOA serial number using RFC 1982 arithmetics.
+.RE
+.PP
+\fB"unixtime"\fR
+.RS 4
+Set the SOA serial number to the number of seconds since epoch.
+.RE
+.RE
+.RE
+.PP
+\-o \fIorigin\fR
+.RS 4
+The zone origin. If not specified, the name of the zone file is assumed to be the origin.
+.RE
+.PP
+\-O \fIoutput\-format\fR
+.RS 4
+The format of the output file containing the signed zone. Possible formats are
+\fB"text"\fR
+(default) and
+\fB"raw"\fR.
+.RE
+.PP
+\-p
+.RS 4
+Use pseudo\-random data when signing the zone. This is faster, but less secure, than using real random data. This option may be useful when signing large zones or when the entropy source is limited.
+.RE
+.PP
+\-r \fIrandomdev\fR
+.RS 4
+Specifies the source of randomness. If the operating system does not provide a
+\fI/dev/random\fR
+or equivalent device, the default source of randomness is keyboard input.
+\fIrandomdev\fR
+specifies the name of a character device or file containing random data to be used instead of the default. The special value
+\fIkeyboard\fR
+indicates that keyboard input should be used.
+.RE
+.PP
+\-t
+.RS 4
 Print statistics at completion.
-.TP
-\fB-v \fIlevel\fB\fR
+.RE
+.PP
+\-v \fIlevel\fR
+.RS 4
 Sets the debugging level.
-.TP
-\fB-z\fR
+.RE
+.PP
+\-z
+.RS 4
 Ignore KSK flag on key when determining what to sign.
-.TP
-\fBzonefile\fR
+.RE
+.PP
+zonefile
+.RS 4
 The file containing the zone to be signed.
-Sets the debugging level.
-.TP
-\fBkey\fR
-The keys used to sign the zone. If no keys are specified, the
-default all zone keys that have private key files in the
-current directory.
+.RE
+.PP
+key
+.RS 4
+Specify which keys should be used to sign the zone. If no keys are specified, then the zone will be examined for DNSKEY records at the zone apex. If these are found and there are matching private keys, in the current directory, then these will be used for signing.
+.RE
 .SH "EXAMPLE"
 .PP
-The following command signs the \fBexample.com\fR
-zone with the DSA key generated in the \fBdnssec-keygen\fR
-man page. The zone's keys must be in the zone. If there are
-\fIkeyset\fR files associated with child zones,
-they must be in the current directory.
-\fBexample.com\fR, the following command would be
-issued:
+The following command signs the
+\fBexample.com\fR
+zone with the DSA key generated by
+\fBdnssec\-keygen\fR
+(Kexample.com.+003+17247). The zone's keys must be in the master file (\fIdb.example.com\fR). This invocation looks for
+\fIkeyset\fR
+files, in the current directory, so that DS records can be generated from them (\fB\-g\fR).
+.sp
+.RS 4
+.nf
+% dnssec\-signzone \-g \-o example.com db.example.com \\
+Kexample.com.+003+17247
+db.example.com.signed
+%
+.fi
+.RE
 .PP
-\fBdnssec-signzone -o example.com db.example.com Kexample.com.+003+26160\fR
+In the above example,
+\fBdnssec\-signzone\fR
+creates the file
+\fIdb.example.com.signed\fR. This file should be referenced in a zone statement in a
+\fInamed.conf\fR
+file.
 .PP
-The command would print a string of the form:
-.PP
-In this example, \fBdnssec-signzone\fR creates
-the file \fIdb.example.com.signed\fR. This file
-should be referenced in a zone statement in a
-\fInamed.conf\fR file.
+This example re\-signs a previously signed zone with default parameters. The private keys are assumed to be in the current directory.
+.sp
+.RS 4
+.nf
+% cp db.example.com.signed db.example.com
+% dnssec\-signzone \-o example.com db.example.com
+db.example.com.signed
+%
+.fi
+.RE
 .SH "SEE ALSO"
 .PP
-\fBdnssec-keygen\fR(8),
-\fIBIND 9 Administrator Reference Manual\fR,
-\fIRFC 2535\fR.
+\fBdnssec\-keygen\fR(8),
+BIND 9 Administrator Reference Manual,
+RFC 2535.
 .SH "AUTHOR"
 .PP
 Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2004\-2007 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2000\-2003 Internet Software Consortium.
+.br

bin/dnssec/dnssec-signzone.c

@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1999-2003  Internet Software Consortium.
  * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
  *
@@ -16,7 +16,9 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-signzone.c,v 1.139.2.2.4.17 2004/10/25 01:36:06 marka Exp $ */
+/* $Id: dnssec-signzone.c,v 1.202 2007/05/21 02:47:25 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -33,6 +35,7 @@
 #include <isc/mutex.h>
 #include <isc/os.h>
 #include <isc/print.h>
+#include <isc/random.h>
 #include <isc/serial.h>
 #include <isc/stdio.h>
 #include <isc/string.h>
@@ -58,6 +61,7 @@
 #include <dns/rdatastruct.h>
 #include <dns/rdatatype.h>
 #include <dns/result.h>
+#include <dns/soa.h>
 #include <dns/time.h>
 
 #include <dst/dst.h>
@@ -85,6 +89,10 @@ struct signer_key_struct {
 #define SIGNER_EVENT_WRITE	(SIGNER_EVENTCLASS + 0)
 #define SIGNER_EVENT_WORK	(SIGNER_EVENTCLASS + 1)
 
+#define SOA_SERIAL_KEEP		0
+#define SOA_SERIAL_INCREMENT	1
+#define SOA_SERIAL_UNIXTIME	2
+
 typedef struct signer_event sevent_t;
 struct signer_event {
 	ISC_EVENT_COMMON(sevent_t);
@@ -96,6 +104,7 @@ static ISC_LIST(signer_key_t) keylist;
 static unsigned int keycount = 0;
 static isc_stdtime_t starttime = 0, endtime = 0, now;
 static int cycle = -1;
+static int jitter = 0;
 static isc_boolean_t tryverify = ISC_FALSE;
 static isc_boolean_t printstats = ISC_FALSE;
 static isc_mem_t *mctx = NULL;
@@ -104,6 +113,8 @@ static dns_ttl_t zonettl;
 static FILE *fp;
 static char *tempfile = NULL;
 static const dns_master_style_t *masterstyle;
+static dns_masterformat_t inputformat = dns_masterformat_text;
+static dns_masterformat_t outputformat = dns_masterformat_text;
 static unsigned int nsigned = 0, nretained = 0, ndropped = 0;
 static unsigned int nverified = 0, nverifyfailed = 0;
 static const char *directory;
@@ -125,6 +136,7 @@ static isc_boolean_t ignoreksk = ISC_FALSE;
 static dns_name_t *dlv = NULL;
 static dns_fixedname_t dlv_fixed;
 static dns_master_style_t *dsstyle = NULL;
+static unsigned int serialformat = SOA_SERIAL_KEEP;
 
 #define INCSTAT(counter)		\
 	if (printstats) {		\
@@ -154,42 +166,13 @@ static void
 dumpnode(dns_name_t *name, dns_dbnode_t *node) {
 	isc_result_t result;
 
+	if (outputformat != dns_masterformat_text)
+		return;
 	result = dns_master_dumpnodetostream(mctx, gdb, gversion, node, name,
 					     masterstyle, fp);
 	check_result(result, "dns_master_dumpnodetostream");
 }
 
-static void
-dumpdb(dns_db_t *db) {
-	dns_dbiterator_t *dbiter = NULL;
-	dns_dbnode_t *node;
-	dns_fixedname_t fname;
-	dns_name_t *name;
-	isc_result_t result;
-
-	dbiter = NULL;
-	result = dns_db_createiterator(db, ISC_FALSE, &dbiter);
-	check_result(result, "dns_db_createiterator()");
-
-	dns_fixedname_init(&fname);
-	name = dns_fixedname_name(&fname);
-	node = NULL;
-
-	for (result = dns_dbiterator_first(dbiter);
-	     result == ISC_R_SUCCESS;
-	     result = dns_dbiterator_next(dbiter))
-	{
-		result = dns_dbiterator_current(dbiter, &node, name);
-		check_result(result, "dns_dbiterator_current()");
-		dumpnode(name, node);
-		dns_db_detachnode(db, &node);
-	}
-	if (result != ISC_R_NOMORE)
-		fatal("iterating database: %s", isc_result_totext(result));
-
-	dns_dbiterator_destroy(&dbiter);
-}
-
 static signer_key_t *
 newkeystruct(dst_key_t *dstkey, isc_boolean_t signwithkey) {
 	signer_key_t *key;
@@ -217,8 +200,10 @@ signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dns_rdata_t *rdata,
 	    dst_key_t *key, isc_buffer_t *b)
 {
 	isc_result_t result;
+	isc_stdtime_t jendtime;
 
-	result = dns_dnssec_sign(name, rdataset, key, &starttime, &endtime,
+	jendtime = (jitter != 0) ? isc_random_jitter(endtime, jitter) : endtime;
+	result = dns_dnssec_sign(name, rdataset, key, &starttime, &jendtime,
 				 mctx, b, rdata);
 	isc_entropy_stopcallbacksources(ectx);
 	if (result != ISC_R_SUCCESS) {
@@ -253,7 +238,7 @@ iszonekey(signer_key_t *key) {
 		       dst_key_iszonekey(key->key)));
 }
 
-/*
+/*%
  * Finds the key that generated a RRSIG, if possible.  First look at the keys
  * that we've loaded already, and then see if there's a key on disk.
  */
@@ -291,7 +276,7 @@ keythatsigned(dns_rdata_rrsig_t *rrsig) {
 	return (key);
 }
 
-/*
+/*%
  * Check to see if we expect to find a key at this name.  If we see a RRSIG
  * and can't find the signing key that we expect to find, we drop the rrsig.
  * I'm not sure if this is completely correct, but it seems to work.
@@ -337,7 +322,7 @@ setverifies(dns_name_t *name, dns_rdataset_t *set, signer_key_t *key,
 	}
 }
 
-/*
+/*%
  * Signs a set.  Goes through contortions to decide if each RRSIG should
  * be dropped or retained, and then determines if any new SIGs need to
  * be generated.
@@ -598,7 +583,7 @@ opendb(const char *prefix, dns_name_t *name, dns_rdataclass_t rdclass,
 		dns_db_detach(dbp);
 }
 
-/*
+/*%
  * Loads the key set for a child zone, if there is one, and builds DS records.
  */
 static isc_result_t
@@ -653,6 +638,16 @@ loadds(dns_name_t *name, isc_uint32_t ttl, dns_rdataset_t *dsset) {
 					      ttl, &ds, &tuple);
 		check_result(result, "dns_difftuple_create");
 		dns_diff_append(&diff, &tuple);
+
+		dns_rdata_reset(&ds);
+		result = dns_ds_buildrdata(name, &key, DNS_DSDIGEST_SHA256,
+					   dsbuf, &ds);
+		check_result(result, "dns_ds_buildrdata");
+
+		result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, name,
+					      ttl, &ds, &tuple);
+		check_result(result, "dns_difftuple_create");
+		dns_diff_append(&diff, &tuple);
 	}
 	result = dns_diff_apply(&diff, db, ver);
 	check_result(result, "dns_diff_apply");
@@ -775,7 +770,7 @@ delegation(dns_name_t *name, dns_dbnode_t *node, isc_uint32_t *ttlp) {
 	return (ISC_TF(result == ISC_R_SUCCESS));
 }
 
-/*
+/*%
  * Signs all records at a name.  This mostly just signs each set individually,
  * but also adds the RRSIG bit to any NSECs generated earlier, deals with
  * parent/child KEY signatures, and handles other exceptional cases.
@@ -787,7 +782,6 @@ signname(dns_dbnode_t *node, dns_name_t *name) {
 	dns_rdatasetiter_t *rdsiter;
 	isc_boolean_t isdelegation = ISC_FALSE;
 	isc_boolean_t hasds = ISC_FALSE;
-	isc_boolean_t atorigin;
 	isc_boolean_t changed = ISC_FALSE;
 	dns_diff_t del, add;
 	char namestr[DNS_NAME_FORMATSIZE];
@@ -795,8 +789,6 @@ signname(dns_dbnode_t *node, dns_name_t *name) {
 
 	dns_name_format(name, namestr, sizeof(namestr));
 
-	atorigin = dns_name_equal(name, gorigin);
-
 	/*
 	 * Determine if this is a delegation point.
 	 */
@@ -931,13 +923,16 @@ signname(dns_dbnode_t *node, dns_name_t *name) {
 
 static inline isc_boolean_t
 active_node(dns_dbnode_t *node) {
-	dns_rdatasetiter_t *rdsiter;
+	dns_rdatasetiter_t *rdsiter = NULL;
+	dns_rdatasetiter_t *rdsiter2 = NULL;
 	isc_boolean_t active = ISC_FALSE;
 	isc_result_t result;
 	dns_rdataset_t rdataset;
+	dns_rdatatype_t type;
+	dns_rdatatype_t covers;
+	isc_boolean_t found;
 
 	dns_rdataset_init(&rdataset);
-	rdsiter = NULL;
 	result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
 	check_result(result, "dns_db_allrdatasets()");
 	result = dns_rdatasetiter_first(rdsiter);
@@ -957,44 +952,71 @@ active_node(dns_dbnode_t *node) {
 		      isc_result_totext(result));
 
 	if (!active) {
-		/*
-		 * Make sure there is no NSEC / RRSIG records for
-		 * this node.
+		/*%
+		 * The node is empty of everything but NSEC / RRSIG records.
 		 */
-		result = dns_db_deleterdataset(gdb, node, gversion,
-					       dns_rdatatype_nsec, 0);
-		if (result == DNS_R_UNCHANGED)
-			result = ISC_R_SUCCESS;
-		check_result(result, "dns_db_deleterdataset(nsec)");
-		
-		result = dns_rdatasetiter_first(rdsiter);
 		for (result = dns_rdatasetiter_first(rdsiter);
 		     result == ISC_R_SUCCESS;
 		     result = dns_rdatasetiter_next(rdsiter)) {
 			dns_rdatasetiter_current(rdsiter, &rdataset);
-			if (rdataset.type == dns_rdatatype_rrsig) {
-				dns_rdatatype_t type = rdataset.type;
-				dns_rdatatype_t covers = rdataset.covers;
-				result = dns_db_deleterdataset(gdb, node,
-							       gversion, type,
-							       covers);
-				if (result == DNS_R_UNCHANGED)
-					result = ISC_R_SUCCESS;
-				check_result(result,
-					     "dns_db_deleterdataset(rrsig)");
-			}
+			result = dns_db_deleterdataset(gdb, node, gversion,
+						       rdataset.type,
+						       rdataset.covers);
+			check_result(result, "dns_db_deleterdataset()");
 			dns_rdataset_disassociate(&rdataset);
 		}
 		if (result != ISC_R_NOMORE)
 			fatal("rdataset iteration failed: %s",
 			      isc_result_totext(result));
+	} else {
+		/* 
+		 * Delete RRSIGs for types that no longer exist.
+		 */
+		result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter2);
+		check_result(result, "dns_db_allrdatasets()");
+		for (result = dns_rdatasetiter_first(rdsiter);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdatasetiter_next(rdsiter)) {
+			dns_rdatasetiter_current(rdsiter, &rdataset);
+			type = rdataset.type;
+			covers = rdataset.covers;
+			dns_rdataset_disassociate(&rdataset);
+			if (type != dns_rdatatype_rrsig)
+				continue;
+			found = ISC_FALSE;
+			for (result = dns_rdatasetiter_first(rdsiter2);
+			     !found && result == ISC_R_SUCCESS;
+			     result = dns_rdatasetiter_next(rdsiter2)) {
+				dns_rdatasetiter_current(rdsiter2, &rdataset);
+				if (rdataset.type == covers)
+					found = ISC_TRUE;
+				dns_rdataset_disassociate(&rdataset);
+			}
+			if (!found) {
+				if (result != ISC_R_NOMORE)
+					fatal("rdataset iteration failed: %s",
+					      isc_result_totext(result));
+				result = dns_db_deleterdataset(gdb, node,
+							       gversion, type,
+							       covers);
+				check_result(result,
+					     "dns_db_deleterdataset(rrsig)");
+			} else if (result != ISC_R_NOMORE &&
+				   result != ISC_R_SUCCESS)
+				fatal("rdataset iteration failed: %s",
+				      isc_result_totext(result));
+		}
+		if (result != ISC_R_NOMORE)
+			fatal("rdataset iteration failed: %s",
+			      isc_result_totext(result));
+		dns_rdatasetiter_destroy(&rdsiter2);
 	}
 	dns_rdatasetiter_destroy(&rdsiter);
 
 	return (active);
 }
 
-/*
+/*%
  * Extracts the TTL from the SOA.
  */
 static dns_ttl_t
@@ -1026,7 +1048,82 @@ soattl(void) {
 	return (ttl);
 }
 
-/*
+/*%
+ * Increment (or set if nonzero) the SOA serial
+ */
+static isc_result_t
+setsoaserial(isc_uint32_t serial) {
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t rdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_uint32_t old_serial, new_serial;
+
+	result = dns_db_getoriginnode(gdb, &node);
+	if (result != ISC_R_SUCCESS)
+		return result;
+
+	dns_rdataset_init(&rdataset);
+
+	result = dns_db_findrdataset(gdb, node, gversion,
+				     dns_rdatatype_soa, 0,
+				     0, &rdataset, NULL);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = dns_rdataset_first(&rdataset);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	dns_rdataset_current(&rdataset, &rdata);
+
+	old_serial = dns_soa_getserial(&rdata);
+
+	if (serial) {
+		/* Set SOA serial to the value provided. */
+		new_serial = serial;
+	} else {
+		/* Increment SOA serial using RFC 1982 arithmetics */
+		new_serial = (old_serial + 1) & 0xFFFFFFFF;
+		if (new_serial == 0)
+			new_serial = 1;
+	}
+
+	/* If the new serial is not likely to cause a zone transfer
+	 * (a/ixfr) from servers having the old serial, warn the user.
+	 *
+	 * RFC1982 section 7 defines the maximum increment to be
+	 * (2^(32-1))-1.  Using u_int32_t arithmetic, we can do a single
+	 * comparison.  (5 - 6 == (2^32)-1, not negative-one)
+	 */
+	if (new_serial == old_serial ||
+	    (new_serial - old_serial) > 0x7fffffffU)
+		fprintf(stderr, "%s: warning: Serial number not advanced, "
+			"zone may not transfer\n", program);
+
+	dns_soa_setserial(new_serial, &rdata);
+
+	result = dns_db_deleterdataset(gdb, node, gversion,
+				       dns_rdatatype_soa, 0);
+	check_result(result, "dns_db_deleterdataset");
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = dns_db_addrdataset(gdb, node, gversion,
+				    0, &rdataset, 0, NULL);
+	check_result(result, "dns_db_addrdataset");
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+cleanup:
+	dns_rdataset_disassociate(&rdataset);
+	if (node != NULL)
+		dns_db_detachnode(gdb, &node);
+	dns_rdata_reset(&rdata);
+
+	return (result);
+}
+
+/*%
  * Delete any RRSIG records at a node.
  */
 static void
@@ -1035,6 +1132,9 @@ cleannode(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node) {
 	dns_rdataset_t set;
 	isc_result_t result, dresult;
 
+	if (outputformat != dns_masterformat_text)
+		return;
+
 	dns_rdataset_init(&set);
 	result = dns_db_allrdatasets(db, node, version, 0, &rdsiter);
 	check_result(result, "dns_db_allrdatasets");
@@ -1062,7 +1162,7 @@ cleannode(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node) {
 	dns_rdatasetiter_destroy(&rdsiter);
 }
 
-/*
+/*%
  * Set up the iterator and global state before starting the tasks.
  */
 static void
@@ -1077,7 +1177,7 @@ presign(void) {
 	check_result(result, "dns_dbiterator_first()");
 }
 
-/*
+/*%
  * Clean up the iterator and global state after the tasks complete.
  */
 static void
@@ -1085,7 +1185,33 @@ postsign(void) {
 	dns_dbiterator_destroy(&gdbiter);
 }
 
-/*
+/*%
+ * Sign the apex of the zone.
+ */
+static void
+signapex(void) {
+	dns_dbnode_t *node = NULL;
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+	isc_result_t result;
+	
+	dns_fixedname_init(&fixed);
+	name = dns_fixedname_name(&fixed);
+	result = dns_dbiterator_current(gdbiter, &node, name);
+	check_result(result, "dns_dbiterator_current()");
+	signname(node, name);
+	dumpnode(name, node);
+	cleannode(gdb, gversion, node);
+	dns_db_detachnode(gdb, &node);
+	result = dns_dbiterator_next(gdbiter);
+	if (result == ISC_R_NOMORE)
+		finished = ISC_TRUE;
+	else if (result != ISC_R_SUCCESS)
+		fatal("failure iterating database: %s",
+		      isc_result_totext(result));
+}
+
+/*%
  * Assigns a node to a worker thread.  This is protected by the master task's
  * lock.
  */
@@ -1165,7 +1291,7 @@ assignwork(isc_task_t *task, isc_task_t *worker) {
 	assigned++;
 }
 
-/*
+/*%
  * Start a worker task
  */
 static void
@@ -1177,7 +1303,7 @@ startworker(isc_task_t *task, isc_event_t *event) {
 	isc_event_free(&event);
 }
 
-/*
+/*%
  * Write a node to the output file, and restart the worker task.
  */
 static void
@@ -1195,7 +1321,7 @@ writenode(isc_task_t *task, isc_event_t *event) {
 	isc_event_free(&event);
 }
 
-/*
+/*%
  *  Sign a database node.
  */
 static void
@@ -1220,7 +1346,7 @@ sign(isc_task_t *task, isc_event_t *event) {
 	isc_task_send(master, ISC_EVENT_PTR(&wevent));
 }
 
-/*
+/*%
  * Generate NSEC records for the zone.
  */
 static void
@@ -1265,10 +1391,6 @@ nsecify(void) {
 				result = dns_dbiterator_next(dbiter);
 				continue;
 			}
-			if (result != ISC_R_SUCCESS) {
-				dns_db_detachnode(gdb, &nextnode);
-				break;
-			}
 			if (!dns_name_issubdomain(nextname, gorigin) ||
 			    (zonecut != NULL &&
 			     dns_name_issubdomain(nextname, zonecut)))
@@ -1295,7 +1417,7 @@ nsecify(void) {
 	dns_dbiterator_destroy(&dbiter);
 }
 
-/*
+/*%
  * Load the zone file from disk
  */
 static void
@@ -1321,13 +1443,13 @@ loadzone(char *file, char *origin, dns_rdataclass_t rdclass, dns_db_t **db) {
 			       rdclass, 0, NULL, db);
 	check_result(result, "dns_db_create()");
 
-	result = dns_db_load(*db, file);
+	result = dns_db_load2(*db, file, inputformat);
 	if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE)
 		fatal("failed loading zone from '%s': %s",
 		      file, isc_result_totext(result));
 }
 
-/*
+/*%
  * Finds all public zone keys in the zone, and attempts to load the
  * private keys from disk.
  */
@@ -1359,14 +1481,14 @@ loadzonekeys(dns_db_t *db) {
 	for (i = 0; i < nkeys; i++) {
 		signer_key_t *key;
 
-		key = newkeystruct(keys[i], ISC_TRUE);
+		key = newkeystruct(keys[i], dst_key_isprivate(keys[i]));
 		ISC_LIST_APPEND(keylist, key, link);
 	}
 	dns_db_detachnode(db, &node);
 	dns_db_closeversion(db, &currentversion, ISC_FALSE);
 }
 
-/*
+/*%
  * Finds all public zone keys in the zone.
  */
 static void
@@ -1423,7 +1545,6 @@ warnifallksk(dns_db_t *db) {
 	dns_dbnode_t *node = NULL;
 	dns_rdataset_t rdataset;
 	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dst_key_t *pubkey;
 	isc_result_t result;
 	dns_rdata_key_t key;
 	isc_boolean_t have_non_ksk = ISC_FALSE;
@@ -1444,7 +1565,6 @@ warnifallksk(dns_db_t *db) {
 	result = dns_rdataset_first(&rdataset);
 	check_result(result, "dns_rdataset_first");
 	while (result == ISC_R_SUCCESS) {
-		pubkey = NULL;
 		dns_rdata_reset(&rdata);
 		dns_rdataset_current(&rdataset, &rdata);
 		result = dns_rdata_tostruct(&rdata, &key, NULL);
@@ -1559,6 +1679,19 @@ writeset(const char *prefix, dns_rdatatype_t type) {
 				ds.type = dns_rdatatype_dlv;
 			result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
 						      name, 0, &ds, &tuple);
+			check_result(result, "dns_difftuple_create");
+			dns_diff_append(&diff, &tuple);
+
+			dns_rdata_reset(&ds);
+			result = dns_ds_buildrdata(gorigin, &rdata,
+						   DNS_DSDIGEST_SHA256,
+						   dsbuf, &ds);
+			check_result(result, "dns_ds_buildrdata");
+			if (type == dns_rdatatype_dlv)
+				ds.type = dns_rdatatype_dlv;
+			result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
+						      name, 0, &ds, &tuple);
+
 		} else
 			result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
 						      gorigin, zonettl,
@@ -1591,12 +1724,18 @@ static void
 print_time(FILE *fp) {
 	time_t currenttime;
 
+	if (outputformat != dns_masterformat_text)
+		return;
+
 	currenttime = time(NULL);
 	fprintf(fp, "; File written on %s", ctime(&currenttime));
 }
 
 static void
 print_version(FILE *fp) {
+	if (outputformat != dns_masterformat_text)
+		return;
+
 	fprintf(fp, "; dnssec_signzone version " VERSION "\n");
 }
 
@@ -1615,20 +1754,28 @@ usage(void) {
 	fprintf(stderr, "\t\tdirectory to find keyset files (.)\n");
 	fprintf(stderr, "\t-g:\t");
 	fprintf(stderr, "generate DS records from keyset files\n");
-	fprintf(stderr, "\t-s YYYYMMDDHHMMSS|+offset:\n");
+	fprintf(stderr, "\t-s [YYYYMMDDHHMMSS|+offset]:\n");
 	fprintf(stderr, "\t\tRRSIG start time - absolute|offset (now - 1 hour)\n");
-	fprintf(stderr, "\t-e YYYYMMDDHHMMSS|+offset|\"now\"+offset]:\n");
+	fprintf(stderr, "\t-e [YYYYMMDDHHMMSS|+offset|\"now\"+offset]:\n");
 	fprintf(stderr, "\t\tRRSIG end time  - absolute|from start|from now "
 				"(now + 30 days)\n");
 	fprintf(stderr, "\t-i interval:\n");
 	fprintf(stderr, "\t\tcycle interval - resign "
 				"if < interval from end ( (end-start)/4 )\n");
+	fprintf(stderr, "\t-j jitter:\n");
+	fprintf(stderr, "\t\trandomize signature end time up to jitter seconds\n");
 	fprintf(stderr, "\t-v debuglevel (0)\n");
 	fprintf(stderr, "\t-o origin:\n");
 	fprintf(stderr, "\t\tzone origin (name of zonefile)\n");
 	fprintf(stderr, "\t-f outfile:\n");
 	fprintf(stderr, "\t\tfile the signed zone is written in "
 				"(zonefile + .signed)\n");
+	fprintf(stderr, "\t-I format:\n");
+	fprintf(stderr, "\t\tfile format of input zonefile (text)\n");
+	fprintf(stderr, "\t-O format:\n");
+	fprintf(stderr, "\t\tfile format of signed zone file (text)\n");
+	fprintf(stderr, "\t-N format:\n");
+	fprintf(stderr, "\t\tsoa serial format of signed zone file (keep)\n");
 	fprintf(stderr, "\t-r randomdev:\n");
 	fprintf(stderr,	"\t\ta file containing random data\n");
 	fprintf(stderr, "\t-a:\t");
@@ -1687,6 +1834,8 @@ main(int argc, char *argv[]) {
 	int i, ch;
 	char *startstr = NULL, *endstr = NULL, *classname = NULL;
 	char *origin = NULL, *file = NULL, *output = NULL;
+	char *inputformatstr = NULL, *outputformatstr = NULL;
+	char *serialformatstr = NULL;
 	char *dskeyfile[MAXDSKEYS];
 	int ndskeys = 0;
 	char *endp;
@@ -1699,7 +1848,6 @@ main(int argc, char *argv[]) {
 	isc_boolean_t free_output = ISC_FALSE;
 	int tempfilelen;
 	dns_rdataclass_t rdclass;
-	dns_db_t *udb = NULL;
 	isc_task_t **tasks = NULL;
 	isc_buffer_t b;
 	int len;
@@ -1714,8 +1862,10 @@ main(int argc, char *argv[]) {
 
 	dns_result_register();
 
+	isc_commandline_errprint = ISC_FALSE;
+
 	while ((ch = isc_commandline_parse(argc, argv,
-					   "ac:d:e:f:ghi:k:l:n:o:pr:s:Stv:z"))
+				    "ac:d:e:f:ghi:I:j:k:l:n:N:o:O:pr:s:Stv:z"))
 	       != -1) {
 		switch (ch) {
 		case 'a':
@@ -1742,11 +1892,19 @@ main(int argc, char *argv[]) {
 			generateds = ISC_TRUE;
 			break;
 
+		case '?':
+			if (isc_commandline_option != '?')
+				fprintf(stderr, "%s: invalid argument -%c\n",
+					program, isc_commandline_option);
 		case 'h':
-		default:
 			usage();
 			break;
 
+		default:
+			fprintf(stderr, "%s: unhandled option -%c\n",
+				program, isc_commandline_option);
+			exit(1);
+
 		case 'i':
 			endp = NULL;
 			cycle = strtol(isc_commandline_argument, &endp, 0);
@@ -1755,6 +1913,17 @@ main(int argc, char *argv[]) {
 				      "positive");
 			break;
 
+		case 'I':
+			inputformatstr = isc_commandline_argument;
+			break;
+
+		case 'j':
+			endp = NULL;
+			jitter = strtol(isc_commandline_argument, &endp, 0);
+			if (*endp != '\0' || jitter < 0)
+				fatal("jitter must be numeric and positive");
+			break;
+
 		case 'l': 
 			dns_fixedname_init(&dlv_fixed);
 			len = strlen(isc_commandline_argument);
@@ -1781,10 +1950,18 @@ main(int argc, char *argv[]) {
 				fatal("number of cpus must be numeric");
 			break;
 
+		case 'N':
+			serialformatstr = isc_commandline_argument;
+			break;
+
 		case 'o':
 			origin = isc_commandline_argument;
 			break;
 
+		case 'O':
+			outputformatstr = isc_commandline_argument;
+			break;
+
 		case 'p':
 			pseudorandom = ISC_TRUE;
 			break;
@@ -1880,6 +2057,36 @@ main(int argc, char *argv[]) {
 		sprintf(output, "%s.signed", file);
 	}
 
+	if (inputformatstr != NULL) {
+		if (strcasecmp(inputformatstr, "text") == 0)
+			inputformat = dns_masterformat_text;
+		else if (strcasecmp(inputformatstr, "raw") == 0)
+			inputformat = dns_masterformat_raw;
+		else
+			fatal("unknown file format: %s\n", inputformatstr);
+	}
+
+	if (outputformatstr != NULL) {
+		if (strcasecmp(outputformatstr, "text") == 0)
+			outputformat = dns_masterformat_text;
+		else if (strcasecmp(outputformatstr, "raw") == 0)
+			outputformat = dns_masterformat_raw;
+		else
+			fatal("unknown file format: %s\n", outputformatstr);
+	}
+
+	if (serialformatstr != NULL) {
+		if (strcasecmp(serialformatstr, "keep") == 0)
+			serialformat = SOA_SERIAL_KEEP;
+		else if (strcasecmp(serialformatstr, "increment") == 0 ||
+			 strcasecmp(serialformatstr, "incr") == 0)
+			serialformat = SOA_SERIAL_INCREMENT;
+		else if (strcasecmp(serialformatstr, "unixtime") == 0)
+			serialformat = SOA_SERIAL_UNIXTIME;
+		else
+			fatal("unknown soa serial format: %s\n", serialformatstr);
+	}
+
 	result = dns_master_stylecreate(&dsstyle,  DNS_STYLEFLAG_NO_TTL,
 					0, 24, 0, 0, 0, 8, mctx);
 	check_result(result, "dns_master_stylecreate");
@@ -1984,6 +2191,19 @@ main(int argc, char *argv[]) {
 	result = dns_db_newversion(gdb, &gversion);
 	check_result(result, "dns_db_newversion()");
 
+	switch (serialformat) {
+		case SOA_SERIAL_INCREMENT:
+			setsoaserial(0);
+			break;
+		case SOA_SERIAL_UNIXTIME:
+			setsoaserial(now);
+			break;
+		case SOA_SERIAL_KEEP:
+		default:
+			/* do nothing */
+			break;
+	}
+
 	nsecify();
 
 	if (!nokeys) {
@@ -2032,10 +2252,6 @@ main(int argc, char *argv[]) {
 		if (result != ISC_R_SUCCESS)
 			fatal("failed to create task: %s",
 			      isc_result_totext(result));
-		result = isc_app_onrun(mctx, master, startworker, tasks[i]);
-		if (result != ISC_R_SUCCESS)
-			fatal("failed to start task: %s",
-			      isc_result_totext(result));
 	}
 
 	RUNTIME_CHECK(isc_mutex_init(&namelock) == ISC_R_SUCCESS);
@@ -2043,9 +2259,24 @@ main(int argc, char *argv[]) {
 		RUNTIME_CHECK(isc_mutex_init(&statslock) == ISC_R_SUCCESS);
 
 	presign();
-	(void)isc_app_run();
-	if (!finished)
-		fatal("process aborted by user");
+	signapex();
+	if (!finished) {
+		/*
+		 * There is more work to do.  Spread it out over multiple
+		 * processors if possible.
+		 */
+		for (i = 0; i < (int)ntasks; i++) {
+			result = isc_app_onrun(mctx, master, startworker,
+					       tasks[i]);
+			if (result != ISC_R_SUCCESS)
+				fatal("failed to start task: %s",
+				      isc_result_totext(result));
+		}
+		(void)isc_app_run();
+		if (!finished)
+			fatal("process aborted by user");
+	} else
+		isc_task_detach(&master);
 	shuttingdown = ISC_TRUE;
 	for (i = 0; i < (int)ntasks; i++)
 		isc_task_detach(&tasks[i]);
@@ -2053,9 +2284,11 @@ main(int argc, char *argv[]) {
 	isc_mem_put(mctx, tasks, ntasks * sizeof(isc_task_t *));
 	postsign();
 
-	if (udb != NULL) {
-		dumpdb(udb);
-		dns_db_detach(&udb);
+	if (outputformat != dns_masterformat_text) {
+		result = dns_master_dumptostream2(mctx, gdb, gversion,
+						  masterstyle, outputformat,
+						  fp);
+		check_result(result, "dns_master_dumptostream2");
 	}
 
 	result = isc_stdio_close(fp);
@@ -2094,6 +2327,7 @@ main(int argc, char *argv[]) {
 	dst_lib_destroy();
 	isc_hash_destroy();
 	cleanup_entropy(&ectx);
+	dns_name_destroy();
 	if (verbose > 10)
 		isc_mem_stats(mctx, stdout);
 	isc_mem_destroy(&mctx);

bin/dnssec/dnssec-signzone.docbook

@@ -1,7 +1,9 @@
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2001-2003  Internet Software Consortium.
+ - Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2003  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -16,16 +18,15 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: dnssec-signzone.docbook,v 1.2.2.2.4.8 2004/06/11 01:17:35 marka Exp $ -->
-
-<refentry>
+<!-- $Id: dnssec-signzone.docbook,v 1.26 2007/05/09 01:32:08 marka Exp $ -->
+<refentry id="man.dnssec-signzone">
   <refentryinfo>
     <date>June 30, 2000</date>
   </refentryinfo>
 
   <refmeta>
     <refentrytitle><application>dnssec-signzone</application></refentrytitle>
-    <manvolnum>8</manvolnum>
+   <manvolnum>8</manvolnum>
     <refmiscinfo>BIND9</refmiscinfo>
   </refmeta>
 
@@ -34,6 +35,23 @@
     <refpurpose>DNSSEC zone signing tool</refpurpose>
   </refnamediv>
 
+  <docinfo>
+    <copyright>
+      <year>2004</year>
+      <year>2005</year>
+      <year>2006</year>
+      <year>2007</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+    <copyright>
+      <year>2000</year>
+      <year>2001</year>
+      <year>2002</year>
+      <year>2003</year>
+      <holder>Internet Software Consortium.</holder>
+    </copyright>
+  </docinfo>
+
   <refsynopsisdiv>
     <cmdsynopsis>
       <command>dnssec-signzone</command>
@@ -47,8 +65,11 @@
       <arg><option>-k <replaceable class="parameter">key</replaceable></option></arg>
       <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
       <arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
-      <arg><option>-n <replaceable class="parameter">nthreads</replaceable></option></arg>
+      <arg><option>-I <replaceable class="parameter">input-format</replaceable></option></arg>
+      <arg><option>-j <replaceable class="parameter">jitter</replaceable></option></arg>
+      <arg><option>-N <replaceable class="parameter">soa-serial-format</replaceable></option></arg>
       <arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
+      <arg><option>-O <replaceable class="parameter">output-format</replaceable></option></arg>
       <arg><option>-p</option></arg>
       <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
       <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
@@ -62,13 +83,13 @@
 
   <refsect1>
     <title>DESCRIPTION</title>
-    <para>
-        <command>dnssec-signzone</command> signs a zone.  It generates
-	NSEC and RRSIG records and produces a signed version of the
-	zone. The security status of delegations from the signed zone
-	(that is, whether the child zones are secure or not) is
-	determined by the presence or absence of a
-	<filename>keyset</filename> file for each child zone.
+    <para><command>dnssec-signzone</command>
+      signs a zone.  It generates
+      NSEC and RRSIG records and produces a signed version of the
+      zone. The security status of delegations from the signed zone
+      (that is, whether the child zones are secure or not) is
+      determined by the presence or absence of a
+      <filename>keyset</filename> file for each child zone.
     </para>
   </refsect1>
 
@@ -78,232 +99,325 @@
     <variablelist>
       <varlistentry>
         <term>-a</term>
-	<listitem>
-	  <para>
-	      Verify all generated signatures.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Verify all generated signatures.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-c <replaceable class="parameter">class</replaceable></term>
-	<listitem>
-	  <para>
-	       Specifies the DNS class of the zone.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Specifies the DNS class of the zone.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-k <replaceable class="parameter">key</replaceable></term>
-	<listitem>
-	  <para>
-	       Treat specified key as a key signing key ignoring any
-	       key flags.  This option may be specified multiple times.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Treat specified key as a key signing key ignoring any
+            key flags.  This option may be specified multiple times.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-l <replaceable class="parameter">domain</replaceable></term>
-	<listitem>
-	  <para>
-		Generate a DLV set in addition to the key (DNSKEY) and DS sets.
-		The domain is appended to the name of the records.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Generate a DLV set in addition to the key (DNSKEY) and DS sets.
+            The domain is appended to the name of the records.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-d <replaceable class="parameter">directory</replaceable></term>
-	<listitem>
-	  <para>
-	       Look for <filename>keyset</filename> files in
-	       <option>directory</option> as the directory 
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Look for <filename>keyset</filename> files in
+            <option>directory</option> as the directory
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-g</term>
-	<listitem>
-	  <para>
-		Generate DS records for child zones from keyset files.
-		Existing DS records will be removed.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Generate DS records for child zones from keyset files.
+            Existing DS records will be removed.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-s <replaceable class="parameter">start-time</replaceable></term>
-	<listitem>
-	  <para>
-	       Specify the date and time when the generated RRSIG records
-	       become valid.  This can be either an absolute or relative
-	       time.  An absolute start time is indicated by a number
-	       in YYYYMMDDHHMMSS notation; 20000530144500 denotes
-	       14:45:00 UTC on May 30th, 2000.  A relative start time is
-	       indicated by +N, which is N seconds from the current time.
-	       If no <option>start-time</option> is specified, the current
-	       time minus 1 hour (to allow for clock skew) is used.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Specify the date and time when the generated RRSIG records
+            become valid.  This can be either an absolute or relative
+            time.  An absolute start time is indicated by a number
+            in YYYYMMDDHHMMSS notation; 20000530144500 denotes
+            14:45:00 UTC on May 30th, 2000.  A relative start time is
+            indicated by +N, which is N seconds from the current time.
+            If no <option>start-time</option> is specified, the current
+            time minus 1 hour (to allow for clock skew) is used.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-e <replaceable class="parameter">end-time</replaceable></term>
-	<listitem>
-	  <para>
-	       Specify the date and time when the generated RRSIG records
-	       expire.  As with <option>start-time</option>, an absolute
-	       time is indicated in YYYYMMDDHHMMSS notation.  A time relative
-	       to the start time is indicated with +N, which is N seconds from
-	       the start time.  A time relative to the current time is
-	       indicated with now+N.  If no <option>end-time</option> is
-	       specified, 30 days from the start time is used as a default.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Specify the date and time when the generated RRSIG records
+            expire.  As with <option>start-time</option>, an absolute
+            time is indicated in YYYYMMDDHHMMSS notation.  A time relative
+            to the start time is indicated with +N, which is N seconds from
+            the start time.  A time relative to the current time is
+            indicated with now+N.  If no <option>end-time</option> is
+            specified, 30 days from the start time is used as a default.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-f <replaceable class="parameter">output-file</replaceable></term>
-	<listitem>
-	  <para>
-	       The name of the output file containing the signed zone.  The
-	       default is to append <filename>.signed</filename> to the
-	       input file.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            The name of the output file containing the signed zone.  The
+            default is to append <filename>.signed</filename> to
+            the
+            input filename.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-h</term>
-	<listitem>
-	  <para>
-	       Prints a short summary of the options and arguments to
-	       <command>dnssec-signzone</command>.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Prints a short summary of the options and arguments to
+            <command>dnssec-signzone</command>.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-i <replaceable class="parameter">interval</replaceable></term>
-	<listitem>
-	  <para>
-	       When a previously signed zone is passed as input, records
-	       may be resigned.  The <option>interval</option> option
-	       specifies the cycle interval as an offset from the current
-	       time (in seconds).  If a RRSIG record expires after the
-	       cycle interval, it is retained.  Otherwise, it is considered
-	       to be expiring soon, and it will be replaced.
-	  </para>
-	  <para>
-	       The default cycle interval is one quarter of the difference
-	       between the signature end and start times.  So if neither
-	       <option>end-time</option> or <option>start-time</option>
-	       are specified, <command>dnssec-signzone</command> generates
-	       signatures that are valid for 30 days, with a cycle
-	       interval of 7.5 days.  Therefore, if any existing RRSIG records
-	       are due to expire in less than 7.5 days, they would be
-	       replaced.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            When a previously-signed zone is passed as input, records
+            may be resigned.  The <option>interval</option> option
+            specifies the cycle interval as an offset from the current
+            time (in seconds).  If a RRSIG record expires after the
+            cycle interval, it is retained.  Otherwise, it is considered
+            to be expiring soon, and it will be replaced.
+          </para>
+          <para>
+            The default cycle interval is one quarter of the difference
+            between the signature end and start times.  So if neither
+            <option>end-time</option> or <option>start-time</option>
+            are specified, <command>dnssec-signzone</command>
+            generates
+            signatures that are valid for 30 days, with a cycle
+            interval of 7.5 days.  Therefore, if any existing RRSIG records
+            are due to expire in less than 7.5 days, they would be
+            replaced.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-I <replaceable class="parameter">input-format</replaceable></term>
+        <listitem>
+          <para>
+            The format of the input zone file.
+	    Possible formats are <command>"text"</command> (default)
+	    and <command>"raw"</command>.
+	    This option is primarily intended to be used for dynamic
+            signed zones so that the dumped zone file in a non-text
+            format containing updates can be signed directly.
+	    The use of this option does not make much sense for
+	    non-dynamic zones.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-j <replaceable class="parameter">jitter</replaceable></term>
+        <listitem>
+          <para>
+            When signing a zone with a fixed signature lifetime, all
+            RRSIG records issued at the time of signing expires
+            simultaneously.  If the zone is incrementally signed, i.e.
+            a previously-signed zone is passed as input to the signer,
+            all expired signatures have to be regenerated at about the
+            same time.  The <option>jitter</option> option specifies a
+            jitter window that will be used to randomize the signature
+            expire time, thus spreading incremental signature
+            regeneration over time.
+          </para>
+          <para>
+            Signature lifetime jitter also to some extent benefits
+            validators and servers by spreading out cache expiration,
+            i.e. if large numbers of RRSIGs don't expire at the same time
+            from all caches there will be less congestion than if all
+            validators need to refetch at mostly the same time.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-n <replaceable class="parameter">ncpus</replaceable></term>
-	<listitem>
-	  <para>
-	       Specifies the number of threads to use.  By default, one
-	       thread is started for each detected CPU.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Specifies the number of threads to use.  By default, one
+            thread is started for each detected CPU.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-N <replaceable class="parameter">soa-serial-format</replaceable></term>
+        <listitem>
+          <para>
+            The SOA serial number format of the signed zone.
+	    Possible formats are <command>"keep"</command> (default),
+            <command>"increment"</command> and
+	    <command>"unixtime"</command>.
+          </para>
+
+          <variablelist>
+	    <varlistentry>
+	      <term><command>"keep"</command></term>
+              <listitem>
+                <para>Do not modify the SOA serial number.</para>
+	      </listitem>
+            </varlistentry>
+
+	    <varlistentry>
+	      <term><command>"increment"</command></term>
+              <listitem>
+                <para>Increment the SOA serial number using RFC 1982
+                      arithmetics.</para>
+	      </listitem>
+            </varlistentry>
+
+	    <varlistentry>
+	      <term><command>"unixtime"</command></term>
+              <listitem>
+                <para>Set the SOA serial number to the number of seconds
+	        since epoch.</para>
+	      </listitem>
+            </varlistentry>
+	 </variablelist>
+
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-o <replaceable class="parameter">origin</replaceable></term>
-	<listitem>
-	  <para>
-	       The zone origin.  If not specified, the name of the zone file
-	       is assumed to be the origin.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            The zone origin.  If not specified, the name of the zone file
+            is assumed to be the origin.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-O <replaceable class="parameter">output-format</replaceable></term>
+        <listitem>
+          <para>
+            The format of the output file containing the signed zone.
+	    Possible formats are <command>"text"</command> (default)
+	    and <command>"raw"</command>.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-p</term>
-	<listitem>
-	  <para>
-	       Use pseudo-random data when signing the zone.  This is faster,
-	       but less secure, than using real random data.  This option
-	       may be useful when signing large zones or when the entropy
-	       source is limited.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Use pseudo-random data when signing the zone.  This is faster,
+            but less secure, than using real random data.  This option
+            may be useful when signing large zones or when the entropy
+            source is limited.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-r <replaceable class="parameter">randomdev</replaceable></term>
-	<listitem>
-	  <para>
-	       Specifies the source of randomness.  If the operating
-	       system does not provide a <filename>/dev/random</filename>
-	       or equivalent device, the default source of randomness
-	       is keyboard input.  <filename>randomdev</filename> specifies
-	       the name of a character device or file containing random
-	       data to be used instead of the default.  The special value
-	       <filename>keyboard</filename> indicates that keyboard
-	       input should be used.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Specifies the source of randomness.  If the operating
+            system does not provide a <filename>/dev/random</filename>
+            or equivalent device, the default source of randomness
+            is keyboard input.  <filename>randomdev</filename>
+            specifies
+            the name of a character device or file containing random
+            data to be used instead of the default.  The special value
+            <filename>keyboard</filename> indicates that keyboard
+            input should be used.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-t</term>
-	<listitem>
-	  <para>
-	       Print statistics at completion.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Print statistics at completion.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-v <replaceable class="parameter">level</replaceable></term>
-	<listitem>
-	  <para>
-	       Sets the debugging level.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Sets the debugging level.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-z</term>
-	<listitem>
-	  <para>
-	       Ignore KSK flag on key when determining what to sign.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Ignore KSK flag on key when determining what to sign.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>zonefile</term>
-	<listitem>
-	  <para>
-	       The file containing the zone to be signed.
-	       Sets the debugging level.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            The file containing the zone to be signed.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>key</term>
-	<listitem>
-	  <para>
-	       The keys used to sign the zone.  If no keys are specified, the
-	       default all zone keys that have private key files in the
-	       current directory.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+	    Specify which keys should be used to sign the zone.  If
+	    no keys are specified, then the zone will be examined
+	    for DNSKEY records at the zone apex.  If these are found and
+	    there are matching private keys, in the current directory,
+	    then these will be used for signing.
+          </para>
+        </listitem>
       </varlistentry>
 
     </variablelist>
@@ -312,34 +426,37 @@
   <refsect1>
     <title>EXAMPLE</title>
     <para>
-        The following command signs the <userinput>example.com</userinput>
-	zone with the DSA key generated in the <command>dnssec-keygen</command>
-	man page.  The zone's keys must be in the zone.  If there are
-	<filename>keyset</filename> files associated with child zones,
-	they must be in the current directory.
-	<userinput>example.com</userinput>, the following command would be
-	issued:
+      The following command signs the <userinput>example.com</userinput>
+      zone with the DSA key generated by <command>dnssec-keygen</command>
+      (Kexample.com.+003+17247).  The zone's keys must be in the master
+      file (<filename>db.example.com</filename>).  This invocation looks
+      for <filename>keyset</filename> files, in the current directory,
+      so that DS records can be generated from them (<command>-g</command>).
+    </para>
+<programlisting>% dnssec-signzone -g -o example.com db.example.com \
+Kexample.com.+003+17247
+db.example.com.signed
+%</programlisting>
+    <para>
+      In the above example, <command>dnssec-signzone</command> creates
+      the file <filename>db.example.com.signed</filename>.  This
+      file should be referenced in a zone statement in a
+      <filename>named.conf</filename> file.
     </para>
     <para>
-        <userinput>dnssec-signzone -o example.com db.example.com Kexample.com.+003+26160</userinput>
-    </para>
-    <para>
-        The command would print a string of the form:
-    </para>
-    <para>
-        In this example, <command>dnssec-signzone</command> creates
-	the file <filename>db.example.com.signed</filename>.  This file
-	should be referenced in a zone statement in a
-	<filename>named.conf</filename> file.
+      This example re-signs a previously signed zone with default parameters.
+      The private keys are assumed to be in the current directory.
     </para>
+<programlisting>% cp db.example.com.signed db.example.com
+% dnssec-signzone -o example.com db.example.com
+db.example.com.signed
+%</programlisting>
   </refsect1>
 
   <refsect1>
     <title>SEE ALSO</title>
-    <para>
-      <citerefentry>
-        <refentrytitle>dnssec-keygen</refentrytitle>
-	<manvolnum>8</manvolnum>
+    <para><citerefentry>
+        <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
       </citerefentry>,
       <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
       <citetitle>RFC 2535</citetitle>.
@@ -348,14 +465,11 @@
 
   <refsect1>
     <title>AUTHOR</title>
-    <para>
-        <corpauthor>Internet Systems Consortium</corpauthor>
+    <para><corpauthor>Internet Systems Consortium</corpauthor>
     </para>
   </refsect1>
 
-</refentry>
-
-<!--
+</refentry><!--
  - Local variables:
  - mode: sgml
  - End:

bin/dnssec/dnssec-signzone.html

@@ -1,553 +1,285 @@
 <!--
- - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2001-2003  Internet Software Consortium.
- -
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2003 Internet Software Consortium.
+ - 
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- -
+ - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
-<!-- $Id: dnssec-signzone.html,v 1.4.2.1.4.7 2004/08/22 23:38:58 marka Exp $ -->
-
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-<HTML
-><HEAD
-><TITLE
->dnssec-signzone</TITLE
-><META
-NAME="GENERATOR"
-CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD
-><BODY
-CLASS="REFENTRY"
-BGCOLOR="#FFFFFF"
-TEXT="#000000"
-LINK="#0000FF"
-VLINK="#840084"
-ALINK="#0000FF"
-><H1
-><A
-NAME="AEN1"
-></A
-><SPAN
-CLASS="APPLICATION"
->dnssec-signzone</SPAN
-></H1
-><DIV
-CLASS="REFNAMEDIV"
-><A
-NAME="AEN9"
-></A
-><H2
->Name</H2
-><SPAN
-CLASS="APPLICATION"
->dnssec-signzone</SPAN
->&nbsp;--&nbsp;DNSSEC zone signing tool</DIV
-><DIV
-CLASS="REFSYNOPSISDIV"
-><A
-NAME="AEN13"
-></A
-><H2
->Synopsis</H2
-><P
-><B
-CLASS="COMMAND"
->dnssec-signzone</B
->  [<VAR
-CLASS="OPTION"
->-a</VAR
->] [<VAR
-CLASS="OPTION"
->-c <VAR
-CLASS="REPLACEABLE"
->class</VAR
-></VAR
->] [<VAR
-CLASS="OPTION"
->-d <VAR
-CLASS="REPLACEABLE"
->directory</VAR
-></VAR
->] [<VAR
-CLASS="OPTION"
->-e <VAR
-CLASS="REPLACEABLE"
->end-time</VAR
-></VAR
->] [<VAR
-CLASS="OPTION"
->-f <VAR
-CLASS="REPLACEABLE"
->output-file</VAR
-></VAR
->] [<VAR
-CLASS="OPTION"
->-g</VAR
->] [<VAR
-CLASS="OPTION"
->-h</VAR
->] [<VAR
-CLASS="OPTION"
->-k <VAR
-CLASS="REPLACEABLE"
->key</VAR
-></VAR
->] [<VAR
-CLASS="OPTION"
->-l <VAR
-CLASS="REPLACEABLE"
->domain</VAR
-></VAR
->] [<VAR
-CLASS="OPTION"
->-i <VAR
-CLASS="REPLACEABLE"
->interval</VAR
-></VAR
->] [<VAR
-CLASS="OPTION"
->-n <VAR
-CLASS="REPLACEABLE"
->nthreads</VAR
-></VAR
->] [<VAR
-CLASS="OPTION"
->-o <VAR
-CLASS="REPLACEABLE"
->origin</VAR
-></VAR
->] [<VAR
-CLASS="OPTION"
->-p</VAR
->] [<VAR
-CLASS="OPTION"
->-r <VAR
-CLASS="REPLACEABLE"
->randomdev</VAR
-></VAR
->] [<VAR
-CLASS="OPTION"
->-s <VAR
-CLASS="REPLACEABLE"
->start-time</VAR
-></VAR
->] [<VAR
-CLASS="OPTION"
->-t</VAR
->] [<VAR
-CLASS="OPTION"
->-v <VAR
-CLASS="REPLACEABLE"
->level</VAR
-></VAR
->] [<VAR
-CLASS="OPTION"
->-z</VAR
->] {zonefile} [key...]</P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN66"
-></A
-><H2
->DESCRIPTION</H2
-><P
->        <B
-CLASS="COMMAND"
->dnssec-signzone</B
-> signs a zone.  It generates
-	NSEC and RRSIG records and produces a signed version of the
-	zone. The security status of delegations from the signed zone
-	(that is, whether the child zones are secure or not) is
-	determined by the presence or absence of a
-	<TT
-CLASS="FILENAME"
->keyset</TT
-> file for each child zone.
-    </P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN71"
-></A
-><H2
->OPTIONS</H2
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
->-a</DT
-><DD
-><P
->	      Verify all generated signatures.
-	  </P
-></DD
-><DT
->-c <VAR
-CLASS="REPLACEABLE"
->class</VAR
-></DT
-><DD
-><P
->	       Specifies the DNS class of the zone.
-	  </P
-></DD
-><DT
->-k <VAR
-CLASS="REPLACEABLE"
->key</VAR
-></DT
-><DD
-><P
->	       Treat specified key as a key signing key ignoring any
-	       key flags.  This option may be specified multiple times.
-	  </P
-></DD
-><DT
->-l <VAR
-CLASS="REPLACEABLE"
->domain</VAR
-></DT
-><DD
-><P
->		Generate a DLV set in addition to the key (DNSKEY) and DS sets.
-		The domain is appended to the name of the records.
-	  </P
-></DD
-><DT
->-d <VAR
-CLASS="REPLACEABLE"
->directory</VAR
-></DT
-><DD
-><P
->	       Look for <TT
-CLASS="FILENAME"
->keyset</TT
-> files in
-	       <VAR
-CLASS="OPTION"
->directory</VAR
-> as the directory 
-	  </P
-></DD
-><DT
->-g</DT
-><DD
-><P
->		Generate DS records for child zones from keyset files.
-		Existing DS records will be removed.
-	  </P
-></DD
-><DT
->-s <VAR
-CLASS="REPLACEABLE"
->start-time</VAR
-></DT
-><DD
-><P
->	       Specify the date and time when the generated RRSIG records
-	       become valid.  This can be either an absolute or relative
-	       time.  An absolute start time is indicated by a number
-	       in YYYYMMDDHHMMSS notation; 20000530144500 denotes
-	       14:45:00 UTC on May 30th, 2000.  A relative start time is
-	       indicated by +N, which is N seconds from the current time.
-	       If no <VAR
-CLASS="OPTION"
->start-time</VAR
-> is specified, the current
-	       time minus 1 hour (to allow for clock skew) is used.
-	  </P
-></DD
-><DT
->-e <VAR
-CLASS="REPLACEABLE"
->end-time</VAR
-></DT
-><DD
-><P
->	       Specify the date and time when the generated RRSIG records
-	       expire.  As with <VAR
-CLASS="OPTION"
->start-time</VAR
->, an absolute
-	       time is indicated in YYYYMMDDHHMMSS notation.  A time relative
-	       to the start time is indicated with +N, which is N seconds from
-	       the start time.  A time relative to the current time is
-	       indicated with now+N.  If no <VAR
-CLASS="OPTION"
->end-time</VAR
-> is
-	       specified, 30 days from the start time is used as a default.
-	  </P
-></DD
-><DT
->-f <VAR
-CLASS="REPLACEABLE"
->output-file</VAR
-></DT
-><DD
-><P
->	       The name of the output file containing the signed zone.  The
-	       default is to append <TT
-CLASS="FILENAME"
->.signed</TT
-> to the
-	       input file.
-	  </P
-></DD
-><DT
->-h</DT
-><DD
-><P
->	       Prints a short summary of the options and arguments to
-	       <B
-CLASS="COMMAND"
->dnssec-signzone</B
->.
-	  </P
-></DD
-><DT
->-i <VAR
-CLASS="REPLACEABLE"
->interval</VAR
-></DT
-><DD
-><P
->	       When a previously signed zone is passed as input, records
-	       may be resigned.  The <VAR
-CLASS="OPTION"
->interval</VAR
-> option
-	       specifies the cycle interval as an offset from the current
-	       time (in seconds).  If a RRSIG record expires after the
-	       cycle interval, it is retained.  Otherwise, it is considered
-	       to be expiring soon, and it will be replaced.
-	  </P
-><P
->	       The default cycle interval is one quarter of the difference
-	       between the signature end and start times.  So if neither
-	       <VAR
-CLASS="OPTION"
->end-time</VAR
-> or <VAR
-CLASS="OPTION"
->start-time</VAR
->
-	       are specified, <B
-CLASS="COMMAND"
->dnssec-signzone</B
-> generates
-	       signatures that are valid for 30 days, with a cycle
-	       interval of 7.5 days.  Therefore, if any existing RRSIG records
-	       are due to expire in less than 7.5 days, they would be
-	       replaced.
-	  </P
-></DD
-><DT
->-n <VAR
-CLASS="REPLACEABLE"
->ncpus</VAR
-></DT
-><DD
-><P
->	       Specifies the number of threads to use.  By default, one
-	       thread is started for each detected CPU.
-	  </P
-></DD
-><DT
->-o <VAR
-CLASS="REPLACEABLE"
->origin</VAR
-></DT
-><DD
-><P
->	       The zone origin.  If not specified, the name of the zone file
-	       is assumed to be the origin.
-	  </P
-></DD
-><DT
->-p</DT
-><DD
-><P
->	       Use pseudo-random data when signing the zone.  This is faster,
-	       but less secure, than using real random data.  This option
-	       may be useful when signing large zones or when the entropy
-	       source is limited.
-	  </P
-></DD
-><DT
->-r <VAR
-CLASS="REPLACEABLE"
->randomdev</VAR
-></DT
-><DD
-><P
->	       Specifies the source of randomness.  If the operating
-	       system does not provide a <TT
-CLASS="FILENAME"
->/dev/random</TT
->
-	       or equivalent device, the default source of randomness
-	       is keyboard input.  <TT
-CLASS="FILENAME"
->randomdev</TT
-> specifies
-	       the name of a character device or file containing random
-	       data to be used instead of the default.  The special value
-	       <TT
-CLASS="FILENAME"
->keyboard</TT
-> indicates that keyboard
-	       input should be used.
-	  </P
-></DD
-><DT
->-t</DT
-><DD
-><P
->	       Print statistics at completion.
-	  </P
-></DD
-><DT
->-v <VAR
-CLASS="REPLACEABLE"
->level</VAR
-></DT
-><DD
-><P
->	       Sets the debugging level.
-	  </P
-></DD
-><DT
->-z</DT
-><DD
-><P
->	       Ignore KSK flag on key when determining what to sign.
-	  </P
-></DD
-><DT
->zonefile</DT
-><DD
-><P
->	       The file containing the zone to be signed.
-	       Sets the debugging level.
-	  </P
-></DD
-><DT
->key</DT
-><DD
-><P
->	       The keys used to sign the zone.  If no keys are specified, the
-	       default all zone keys that have private key files in the
-	       current directory.
-	  </P
-></DD
-></DL
-></DIV
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN181"
-></A
-><H2
->EXAMPLE</H2
-><P
->        The following command signs the <KBD
-CLASS="USERINPUT"
->example.com</KBD
->
-	zone with the DSA key generated in the <B
-CLASS="COMMAND"
->dnssec-keygen</B
->
-	man page.  The zone's keys must be in the zone.  If there are
-	<TT
-CLASS="FILENAME"
->keyset</TT
-> files associated with child zones,
-	they must be in the current directory.
-	<KBD
-CLASS="USERINPUT"
->example.com</KBD
->, the following command would be
-	issued:
-    </P
-><P
->        <KBD
-CLASS="USERINPUT"
->dnssec-signzone -o example.com db.example.com Kexample.com.+003+26160</KBD
->
-    </P
-><P
->        The command would print a string of the form:
-    </P
-><P
->        In this example, <B
-CLASS="COMMAND"
->dnssec-signzone</B
-> creates
-	the file <TT
-CLASS="FILENAME"
->db.example.com.signed</TT
->.  This file
-	should be referenced in a zone statement in a
-	<TT
-CLASS="FILENAME"
->named.conf</TT
-> file.
-    </P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN195"
-></A
-><H2
->SEE ALSO</H2
-><P
->      <SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->dnssec-keygen</SPAN
->(8)</SPAN
->,
-      <I
-CLASS="CITETITLE"
->BIND 9 Administrator Reference Manual</I
->,
-      <I
-CLASS="CITETITLE"
->RFC 2535</I
->.
-    </P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN203"
-></A
-><H2
->AUTHOR</H2
-><P
->        Internet Systems Consortium
-    </P
-></DIV
-></BODY
-></HTML
->
+<!-- $Id: dnssec-signzone.html,v 1.31 2007/05/09 03:33:50 marka Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>dnssec-signzone</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
+<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">dnssec-signzone</span> &#8212; DNSSEC zone signing tool</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code>  [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {zonefile} [key...]</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543526"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">dnssec-signzone</strong></span>
+      signs a zone.  It generates
+      NSEC and RRSIG records and produces a signed version of the
+      zone. The security status of delegations from the signed zone
+      (that is, whether the child zones are secure or not) is
+      determined by the presence or absence of a
+      <code class="filename">keyset</code> file for each child zone.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543541"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-a</span></dt>
+<dd><p>
+            Verify all generated signatures.
+          </p></dd>
+<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
+<dd><p>
+            Specifies the DNS class of the zone.
+          </p></dd>
+<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
+<dd><p>
+            Treat specified key as a key signing key ignoring any
+            key flags.  This option may be specified multiple times.
+          </p></dd>
+<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
+<dd><p>
+            Generate a DLV set in addition to the key (DNSKEY) and DS sets.
+            The domain is appended to the name of the records.
+          </p></dd>
+<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
+<dd><p>
+            Look for <code class="filename">keyset</code> files in
+            <code class="option">directory</code> as the directory
+          </p></dd>
+<dt><span class="term">-g</span></dt>
+<dd><p>
+            Generate DS records for child zones from keyset files.
+            Existing DS records will be removed.
+          </p></dd>
+<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
+<dd><p>
+            Specify the date and time when the generated RRSIG records
+            become valid.  This can be either an absolute or relative
+            time.  An absolute start time is indicated by a number
+            in YYYYMMDDHHMMSS notation; 20000530144500 denotes
+            14:45:00 UTC on May 30th, 2000.  A relative start time is
+            indicated by +N, which is N seconds from the current time.
+            If no <code class="option">start-time</code> is specified, the current
+            time minus 1 hour (to allow for clock skew) is used.
+          </p></dd>
+<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
+<dd><p>
+            Specify the date and time when the generated RRSIG records
+            expire.  As with <code class="option">start-time</code>, an absolute
+            time is indicated in YYYYMMDDHHMMSS notation.  A time relative
+            to the start time is indicated with +N, which is N seconds from
+            the start time.  A time relative to the current time is
+            indicated with now+N.  If no <code class="option">end-time</code> is
+            specified, 30 days from the start time is used as a default.
+          </p></dd>
+<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
+<dd><p>
+            The name of the output file containing the signed zone.  The
+            default is to append <code class="filename">.signed</code> to
+            the
+            input filename.
+          </p></dd>
+<dt><span class="term">-h</span></dt>
+<dd><p>
+            Prints a short summary of the options and arguments to
+            <span><strong class="command">dnssec-signzone</strong></span>.
+          </p></dd>
+<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
+<dd>
+<p>
+            When a previously-signed zone is passed as input, records
+            may be resigned.  The <code class="option">interval</code> option
+            specifies the cycle interval as an offset from the current
+            time (in seconds).  If a RRSIG record expires after the
+            cycle interval, it is retained.  Otherwise, it is considered
+            to be expiring soon, and it will be replaced.
+          </p>
+<p>
+            The default cycle interval is one quarter of the difference
+            between the signature end and start times.  So if neither
+            <code class="option">end-time</code> or <code class="option">start-time</code>
+            are specified, <span><strong class="command">dnssec-signzone</strong></span>
+            generates
+            signatures that are valid for 30 days, with a cycle
+            interval of 7.5 days.  Therefore, if any existing RRSIG records
+            are due to expire in less than 7.5 days, they would be
+            replaced.
+          </p>
+</dd>
+<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
+<dd><p>
+            The format of the input zone file.
+	    Possible formats are <span><strong class="command">"text"</strong></span> (default)
+	    and <span><strong class="command">"raw"</strong></span>.
+	    This option is primarily intended to be used for dynamic
+            signed zones so that the dumped zone file in a non-text
+            format containing updates can be signed directly.
+	    The use of this option does not make much sense for
+	    non-dynamic zones.
+          </p></dd>
+<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
+<dd>
+<p>
+            When signing a zone with a fixed signature lifetime, all
+            RRSIG records issued at the time of signing expires
+            simultaneously.  If the zone is incrementally signed, i.e.
+            a previously-signed zone is passed as input to the signer,
+            all expired signatures have to be regenerated at about the
+            same time.  The <code class="option">jitter</code> option specifies a
+            jitter window that will be used to randomize the signature
+            expire time, thus spreading incremental signature
+            regeneration over time.
+          </p>
+<p>
+            Signature lifetime jitter also to some extent benefits
+            validators and servers by spreading out cache expiration,
+            i.e. if large numbers of RRSIGs don't expire at the same time
+            from all caches there will be less congestion than if all
+            validators need to refetch at mostly the same time.
+          </p>
+</dd>
+<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
+<dd><p>
+            Specifies the number of threads to use.  By default, one
+            thread is started for each detected CPU.
+          </p></dd>
+<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
+<dd>
+<p>
+            The SOA serial number format of the signed zone.
+	    Possible formats are <span><strong class="command">"keep"</strong></span> (default),
+            <span><strong class="command">"increment"</strong></span> and
+	    <span><strong class="command">"unixtime"</strong></span>.
+          </p>
+<div class="variablelist"><dl>
+<dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt>
+<dd><p>Do not modify the SOA serial number.</p></dd>
+<dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt>
+<dd><p>Increment the SOA serial number using RFC 1982
+                      arithmetics.</p></dd>
+<dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt>
+<dd><p>Set the SOA serial number to the number of seconds
+	        since epoch.</p></dd>
+</dl></div>
+</dd>
+<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
+<dd><p>
+            The zone origin.  If not specified, the name of the zone file
+            is assumed to be the origin.
+          </p></dd>
+<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
+<dd><p>
+            The format of the output file containing the signed zone.
+	    Possible formats are <span><strong class="command">"text"</strong></span> (default)
+	    and <span><strong class="command">"raw"</strong></span>.
+          </p></dd>
+<dt><span class="term">-p</span></dt>
+<dd><p>
+            Use pseudo-random data when signing the zone.  This is faster,
+            but less secure, than using real random data.  This option
+            may be useful when signing large zones or when the entropy
+            source is limited.
+          </p></dd>
+<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
+<dd><p>
+            Specifies the source of randomness.  If the operating
+            system does not provide a <code class="filename">/dev/random</code>
+            or equivalent device, the default source of randomness
+            is keyboard input.  <code class="filename">randomdev</code>
+            specifies
+            the name of a character device or file containing random
+            data to be used instead of the default.  The special value
+            <code class="filename">keyboard</code> indicates that keyboard
+            input should be used.
+          </p></dd>
+<dt><span class="term">-t</span></dt>
+<dd><p>
+            Print statistics at completion.
+          </p></dd>
+<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
+<dd><p>
+            Sets the debugging level.
+          </p></dd>
+<dt><span class="term">-z</span></dt>
+<dd><p>
+            Ignore KSK flag on key when determining what to sign.
+          </p></dd>
+<dt><span class="term">zonefile</span></dt>
+<dd><p>
+            The file containing the zone to be signed.
+          </p></dd>
+<dt><span class="term">key</span></dt>
+<dd><p>
+	    Specify which keys should be used to sign the zone.  If
+	    no keys are specified, then the zone will be examined
+	    for DNSKEY records at the zone apex.  If these are found and
+	    there are matching private keys, in the current directory,
+	    then these will be used for signing.
+          </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2544327"></a><h2>EXAMPLE</h2>
+<p>
+      The following command signs the <strong class="userinput"><code>example.com</code></strong>
+      zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
+      (Kexample.com.+003+17247).  The zone's keys must be in the master
+      file (<code class="filename">db.example.com</code>).  This invocation looks
+      for <code class="filename">keyset</code> files, in the current directory,
+      so that DS records can be generated from them (<span><strong class="command">-g</strong></span>).
+    </p>
+<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
+Kexample.com.+003+17247
+db.example.com.signed
+%</pre>
+<p>
+      In the above example, <span><strong class="command">dnssec-signzone</strong></span> creates
+      the file <code class="filename">db.example.com.signed</code>.  This
+      file should be referenced in a zone statement in a
+      <code class="filename">named.conf</code> file.
+    </p>
+<p>
+      This example re-signs a previously signed zone with default parameters.
+      The private keys are assumed to be in the current directory.
+    </p>
+<pre class="programlisting">% cp db.example.com.signed db.example.com
+% dnssec-signzone -o example.com db.example.com
+db.example.com.signed
+%</pre>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2544378"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
+      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
+      <em class="citetitle">RFC 2535</em>.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2544403"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+    </p>
+</div>
+</div></body>
+</html>

bin/dnssec/dnssectool.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssectool.c,v 1.31.2.3.2.4 2004/03/08 02:07:38 marka Exp $ */
+/* $Id: dnssectool.c,v 1.43 2005/07/01 03:28:42 marka Exp $ */
+
+/*! \file */
+
+/*%
+ * DNSSEC Support Routines.
+ */
 
 #include <config.h>
 
@@ -145,6 +151,8 @@ setup_logging(int verbose, isc_mem_t *mctx, isc_log_t **logp) {
 	isc_log_t *log = NULL;
 	int level;
 
+	if (verbose < 0)
+		verbose = 0;
 	switch (verbose) {
 	case 0:
 		/*

bin/dnssec/dnssectool.h

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssectool.h,v 1.15.12.3 2004/03/08 04:04:18 marka Exp $ */
+/* $Id: dnssectool.h,v 1.18 2004/03/05 04:57:41 marka Exp $ */
 
 #ifndef DNSSECTOOL_H
 #define DNSSECTOOL_H 1

bin/dnssec/win32/dnssectool.dsp

@@ -0,0 +1,113 @@
+# Microsoft Developer Studio Project File - Name="dnssectool" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "Win32 (x86) Static-Link Library" 0x0104
+
+CFG=dnssectool - Win32 Debug
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "dnssectool.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "dnssectool.mak" CFG="dnssectool - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "dnssectool - Win32 Release" (based on "Win32 (x86) Static-Link Library")
+!MESSAGE "dnssectool - Win32 Debug" (based on "Win32 (x86) Static-Link Library")
+!MESSAGE 
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+MTL=midl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "dnssectool - Win32 Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /YX /FD /c
+# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /YX /FD /c /Fddnssectool
+# SUBTRACT CPP /X
+# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
+# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 
+# ADD LINK32 /out:"Release/dnssectool.lib"
+
+!ELSEIF  "$(CFG)" == "dnssectool - Win32 Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /YX /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /FR /YX /FD /GZ /c /Fddnssectool
+# SUBTRACT CPP /X
+# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
+# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 
+# ADD LINK32 /debug out:"Debug/dnssectool.lib"
+
+!ENDIF 
+
+# Begin Target
+
+# Name "dnssectool - Win32 Release"
+# Name "dnssectool - Win32 Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl"
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
+# End Group
+# Begin Group "Main Dns Lib"
+
+# PROP Default_Filter "c"
+# Begin Source File
+
+SOURCE=..\dnssectool.c
+# End Source File
+# End Group
+# End Target
+# End Project

bin/dnssec/win32/dnssectool.dsw

@@ -0,0 +1,29 @@
+Microsoft Developer Studio Workspace File, Format Version 6.00
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
+
+###############################################################################
+
+Project: "dighost"=".\dnssectool.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Global:
+
+Package=<5>
+{{{
+}}}
+
+Package=<3>
+{{{
+}}}
+
+###############################################################################
+

bin/dnssec/win32/keygen.dsp

@@ -42,7 +42,7 @@ RSC=rc.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
-# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
+# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
 # ADD BASE RSC /l 0x409 /d "NDEBUG"
 # ADD RSC /l 0x409 /d "NDEBUG"
 BSC32=bscmake.exe
@@ -50,7 +50,7 @@ BSC32=bscmake.exe
 # ADD BSC32 /nologo
 LINK32=link.exe
 # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
-# ADD LINK32 user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/dnssec-keygen.exe"
+# ADD LINK32 user32.lib advapi32.lib Release/dnssectool.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/dnssec-keygen.exe"
 
 !ELSEIF  "$(CFG)" == "keygen - Win32 Debug"
 
@@ -66,7 +66,7 @@ LINK32=link.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
-# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
 # SUBTRACT CPP /X /YX
 # ADD BASE RSC /l 0x409 /d "_DEBUG"
 # ADD RSC /l 0x409 /d "_DEBUG"
@@ -75,7 +75,7 @@ BSC32=bscmake.exe
 # ADD BSC32 /nologo
 LINK32=link.exe
 # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
-# ADD LINK32 user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/dnssec-keygen.exe" /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib Debug/dnssectool.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/dnssec-keygen.exe" /pdbtype:sept
 
 !ENDIF 
 
@@ -90,10 +90,6 @@ LINK32=link.exe
 
 SOURCE="..\dnssec-keygen.c"
 # End Source File
-# Begin Source File
-
-SOURCE=..\dnssectool.c
-# End Source File
 # End Group
 # Begin Group "Header Files"
 

bin/dnssec/win32/keygen.mak

@@ -25,6 +25,81 @@ NULL=
 NULL=nul
 !ENDIF 
 
+!IF  "$(CFG)" == "keygen - Win32 Release"
+_VC_MANIFEST_INC=0
+_VC_MANIFEST_BASENAME=__VC80
+!ELSE
+_VC_MANIFEST_INC=1
+_VC_MANIFEST_BASENAME=__VC80.Debug
+!ENDIF
+
+####################################################
+# Specifying name of temporary resource file used only in incremental builds:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res
+!else
+_VC_MANIFEST_AUTO_RES=
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1
+
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2
+
+!endif
+####################################################
+# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \
+    $(_VC_MANIFEST_BASENAME).auto.rc \
+    $(_VC_MANIFEST_BASENAME).auto.manifest
+
+!else
+
+_VC_MANIFEST_CLEAN=
+
+!endif
+
 !IF  "$(CFG)" == "keygen - Win32 Release"
 
 OUTDIR=.\Release
@@ -38,12 +113,13 @@ CLEAN :
 	-@erase "$(INTDIR)\dnssectool.obj"
 	-@erase "$(INTDIR)\vc60.idb"
 	-@erase "..\..\..\Build\Release\dnssec-keygen.exe"
+	-@$(_VC_MANIFEST_CLEAN)
 
 "$(OUTDIR)" :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
 CPP=cl.exe
-CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\keygen.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\keygen.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
 
 .c{$(INTDIR)}.obj::
    $(CPP) @<<
@@ -90,6 +166,7 @@ LINK32_OBJS= \
     $(LINK32) @<<
   $(LINK32_FLAGS) $(LINK32_OBJS)
 <<
+    $(_VC_MANIFEST_EMBED_EXE)
 
 !ELSEIF  "$(CFG)" == "keygen - Win32 Debug"
 
@@ -113,12 +190,13 @@ CLEAN :
 	-@erase "$(OUTDIR)\keygen.bsc"
 	-@erase "..\..\..\Build\Debug\dnssec-keygen.exe"
 	-@erase "..\..\..\Build\Debug\dnssec-keygen.ilk"
+	-@$(_VC_MANIFEST_CLEAN)
 
 "$(OUTDIR)" :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
 CPP=cl.exe
-CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
 
 .c{$(INTDIR)}.obj::
    $(CPP) @<<
@@ -172,6 +250,7 @@ LINK32_OBJS= \
     $(LINK32) @<<
   $(LINK32_FLAGS) $(LINK32_OBJS)
 <<
+    $(_VC_MANIFEST_EMBED_EXE)
 
 !ENDIF 
 
@@ -225,3 +304,21 @@ SOURCE=..\dnssectool.c
 
 !ENDIF 
 
+####################################################
+# Commands to generate initial empty manifest file and the RC file
+# that references it, and for generating the .res file:
+
+$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc
+
+$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest
+    type <<$@
+#include <winuser.h>
+1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"
+<< KEEP
+
+$(_VC_MANIFEST_BASENAME).auto.manifest :
+    type <<$@
+<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
+<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
+</assembly>
+<< KEEP

bin/dnssec/win32/makekeyset.dsp

@@ -1,107 +0,0 @@
-# Microsoft Developer Studio Project File - Name="makekeyset" - Package Owner=<4>
-# Microsoft Developer Studio Generated Build File, Format Version 6.00
-# ** DO NOT EDIT **
-
-# TARGTYPE "Win32 (x86) Console Application" 0x0103
-
-CFG=makekeyset - Win32 Debug
-!MESSAGE This is not a valid makefile. To build this project using NMAKE,
-!MESSAGE use the Export Makefile command and run
-!MESSAGE 
-!MESSAGE NMAKE /f "makekeyset.mak".
-!MESSAGE 
-!MESSAGE You can specify a configuration when running NMAKE
-!MESSAGE by defining the macro CFG on the command line. For example:
-!MESSAGE 
-!MESSAGE NMAKE /f "makekeyset.mak" CFG="makekeyset - Win32 Debug"
-!MESSAGE 
-!MESSAGE Possible choices for configuration are:
-!MESSAGE 
-!MESSAGE "makekeyset - Win32 Release" (based on "Win32 (x86) Console Application")
-!MESSAGE "makekeyset - Win32 Debug" (based on "Win32 (x86) Console Application")
-!MESSAGE 
-
-# Begin Project
-# PROP AllowPerConfigDependencies 0
-# PROP Scc_ProjName ""
-# PROP Scc_LocalPath ""
-CPP=cl.exe
-RSC=rc.exe
-
-!IF  "$(CFG)" == "makekeyset - Win32 Release"
-
-# PROP BASE Use_MFC 0
-# PROP BASE Use_Debug_Libraries 0
-# PROP BASE Output_Dir "Release"
-# PROP BASE Intermediate_Dir "Release"
-# PROP BASE Target_Dir ""
-# PROP Use_MFC 0
-# PROP Use_Debug_Libraries 0
-# PROP Output_Dir "Release"
-# PROP Intermediate_Dir "Release"
-# PROP Ignore_Export_Lib 0
-# PROP Target_Dir ""
-# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
-# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
-# ADD BASE RSC /l 0x409 /d "NDEBUG"
-# ADD RSC /l 0x409 /d "NDEBUG"
-BSC32=bscmake.exe
-# ADD BASE BSC32 /nologo
-# ADD BSC32 /nologo
-LINK32=link.exe
-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
-# ADD LINK32 user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/dnssec-makekeyset.exe"
-
-!ELSEIF  "$(CFG)" == "makekeyset - Win32 Debug"
-
-# PROP BASE Use_MFC 0
-# PROP BASE Use_Debug_Libraries 1
-# PROP BASE Output_Dir "Debug"
-# PROP BASE Intermediate_Dir "Debug"
-# PROP BASE Target_Dir ""
-# PROP Use_MFC 0
-# PROP Use_Debug_Libraries 1
-# PROP Output_Dir "Debug"
-# PROP Intermediate_Dir "Debug"
-# PROP Ignore_Export_Lib 0
-# PROP Target_Dir ""
-# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
-# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
-# SUBTRACT CPP /X /YX
-# ADD BASE RSC /l 0x409 /d "_DEBUG"
-# ADD RSC /l 0x409 /d "_DEBUG"
-BSC32=bscmake.exe
-# ADD BASE BSC32 /nologo
-# ADD BSC32 /nologo
-LINK32=link.exe
-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
-# ADD LINK32 user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/dnssec-makekeyset.exe" /pdbtype:sept
-
-!ENDIF 
-
-# Begin Target
-
-# Name "makekeyset - Win32 Release"
-# Name "makekeyset - Win32 Debug"
-# Begin Group "Source Files"
-
-# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
-# Begin Source File
-
-SOURCE="..\dnssec-makekeyset.c"
-# End Source File
-# Begin Source File
-
-SOURCE=..\dnssectool.c
-# End Source File
-# End Group
-# Begin Group "Header Files"
-
-# PROP Default_Filter "h;hpp;hxx;hm;inl"
-# End Group
-# Begin Group "Resource Files"
-
-# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
-# End Group
-# End Target
-# End Project

bin/dnssec/win32/makekeyset.mak

@@ -1,227 +0,0 @@
-# Microsoft Developer Studio Generated NMAKE File, Based on makekeyset.dsp
-!IF "$(CFG)" == ""
-CFG=makekeyset - Win32 Debug
-!MESSAGE No configuration specified. Defaulting to makekeyset - Win32 Debug.
-!ENDIF 
-
-!IF "$(CFG)" != "makekeyset - Win32 Release" && "$(CFG)" != "makekeyset - Win32 Debug"
-!MESSAGE Invalid configuration "$(CFG)" specified.
-!MESSAGE You can specify a configuration when running NMAKE
-!MESSAGE by defining the macro CFG on the command line. For example:
-!MESSAGE 
-!MESSAGE NMAKE /f "makekeyset.mak" CFG="makekeyset - Win32 Debug"
-!MESSAGE 
-!MESSAGE Possible choices for configuration are:
-!MESSAGE 
-!MESSAGE "makekeyset - Win32 Release" (based on "Win32 (x86) Console Application")
-!MESSAGE "makekeyset - Win32 Debug" (based on "Win32 (x86) Console Application")
-!MESSAGE 
-!ERROR An invalid configuration is specified.
-!ENDIF 
-
-!IF "$(OS)" == "Windows_NT"
-NULL=
-!ELSE 
-NULL=nul
-!ENDIF 
-
-!IF  "$(CFG)" == "makekeyset - Win32 Release"
-
-OUTDIR=.\Release
-INTDIR=.\Release
-
-ALL : "..\..\..\Build\Release\dnssec-makekeyset.exe"
-
-
-CLEAN :
-	-@erase "$(INTDIR)\dnssec-makekeyset.obj"
-	-@erase "$(INTDIR)\dnssectool.obj"
-	-@erase "$(INTDIR)\vc60.idb"
-	-@erase "..\..\..\Build\Release\dnssec-makekeyset.exe"
-
-"$(OUTDIR)" :
-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
-
-CPP=cl.exe
-CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\makekeyset.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
-
-.c{$(INTDIR)}.obj::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-.cpp{$(INTDIR)}.obj::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-.cxx{$(INTDIR)}.obj::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-.c{$(INTDIR)}.sbr::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-.cpp{$(INTDIR)}.sbr::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-.cxx{$(INTDIR)}.sbr::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-RSC=rc.exe
-BSC32=bscmake.exe
-BSC32_FLAGS=/nologo /o"$(OUTDIR)\makekeyset.bsc" 
-BSC32_SBRS= \
-	
-LINK32=link.exe
-LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\dnssec-makekeyset.pdb" /machine:I386 /out:"../../../Build/Release/dnssec-makekeyset.exe" 
-LINK32_OBJS= \
-	"$(INTDIR)\dnssec-makekeyset.obj" \
-	"$(INTDIR)\dnssectool.obj"
-
-"..\..\..\Build\Release\dnssec-makekeyset.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
-    $(LINK32) @<<
-  $(LINK32_FLAGS) $(LINK32_OBJS)
-<<
-
-!ELSEIF  "$(CFG)" == "makekeyset - Win32 Debug"
-
-OUTDIR=.\Debug
-INTDIR=.\Debug
-# Begin Custom Macros
-OutDir=.\Debug
-# End Custom Macros
-
-ALL : "..\..\..\Build\Debug\dnssec-makekeyset.exe" "$(OUTDIR)\makekeyset.bsc"
-
-
-CLEAN :
-	-@erase "$(INTDIR)\dnssec-makekeyset.obj"
-	-@erase "$(INTDIR)\dnssec-makekeyset.sbr"
-	-@erase "$(INTDIR)\dnssectool.obj"
-	-@erase "$(INTDIR)\dnssectool.sbr"
-	-@erase "$(INTDIR)\vc60.idb"
-	-@erase "$(INTDIR)\vc60.pdb"
-	-@erase "$(OUTDIR)\dnssec-makekeyset.pdb"
-	-@erase "$(OUTDIR)\makekeyset.bsc"
-	-@erase "..\..\..\Build\Debug\dnssec-makekeyset.exe"
-	-@erase "..\..\..\Build\Debug\dnssec-makekeyset.ilk"
-
-"$(OUTDIR)" :
-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
-
-CPP=cl.exe
-CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
-
-.c{$(INTDIR)}.obj::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-.cpp{$(INTDIR)}.obj::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-.cxx{$(INTDIR)}.obj::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-.c{$(INTDIR)}.sbr::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-.cpp{$(INTDIR)}.sbr::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-.cxx{$(INTDIR)}.sbr::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-RSC=rc.exe
-BSC32=bscmake.exe
-BSC32_FLAGS=/nologo /o"$(OUTDIR)\makekeyset.bsc" 
-BSC32_SBRS= \
-	"$(INTDIR)\dnssec-makekeyset.sbr" \
-	"$(INTDIR)\dnssectool.sbr"
-
-"$(OUTDIR)\makekeyset.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
-    $(BSC32) @<<
-  $(BSC32_FLAGS) $(BSC32_SBRS)
-<<
-
-LINK32=link.exe
-LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\dnssec-makekeyset.pdb" /debug /machine:I386 /out:"../../../Build/Debug/dnssec-makekeyset.exe" /pdbtype:sept 
-LINK32_OBJS= \
-	"$(INTDIR)\dnssec-makekeyset.obj" \
-	"$(INTDIR)\dnssectool.obj"
-
-"..\..\..\Build\Debug\dnssec-makekeyset.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
-    $(LINK32) @<<
-  $(LINK32_FLAGS) $(LINK32_OBJS)
-<<
-
-!ENDIF 
-
-
-!IF "$(NO_EXTERNAL_DEPS)" != "1"
-!IF EXISTS("makekeyset.dep")
-!INCLUDE "makekeyset.dep"
-!ELSE 
-!MESSAGE Warning: cannot find "makekeyset.dep"
-!ENDIF 
-!ENDIF 
-
-
-!IF "$(CFG)" == "makekeyset - Win32 Release" || "$(CFG)" == "makekeyset - Win32 Debug"
-SOURCE="..\dnssec-makekeyset.c"
-
-!IF  "$(CFG)" == "makekeyset - Win32 Release"
-
-
-"$(INTDIR)\dnssec-makekeyset.obj" : $(SOURCE) "$(INTDIR)"
-	$(CPP) $(CPP_PROJ) $(SOURCE)
-
-
-!ELSEIF  "$(CFG)" == "makekeyset - Win32 Debug"
-
-
-"$(INTDIR)\dnssec-makekeyset.obj"	"$(INTDIR)\dnssec-makekeyset.sbr" : $(SOURCE) "$(INTDIR)"
-	$(CPP) $(CPP_PROJ) $(SOURCE)
-
-
-!ENDIF 
-
-SOURCE=..\dnssectool.c
-
-!IF  "$(CFG)" == "makekeyset - Win32 Release"
-
-
-"$(INTDIR)\dnssectool.obj" : $(SOURCE) "$(INTDIR)"
-	$(CPP) $(CPP_PROJ) $(SOURCE)
-
-
-!ELSEIF  "$(CFG)" == "makekeyset - Win32 Debug"
-
-
-"$(INTDIR)\dnssectool.obj"	"$(INTDIR)\dnssectool.sbr" : $(SOURCE) "$(INTDIR)"
-	$(CPP) $(CPP_PROJ) $(SOURCE)
-
-
-!ENDIF 
-
-
-!ENDIF 
-

bin/dnssec/win32/nsupdate.dsp

@@ -42,7 +42,7 @@ RSC=rc.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
-# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/lwres/win32/include/lwres" /I "../../../lib/dns/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
+# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/lwres/win32/include/lwres" /I "../../../lib/dns/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
 # ADD BASE RSC /l 0x409 /d "NDEBUG"
 # ADD RSC /l 0x409 /d "NDEBUG"
 BSC32=bscmake.exe
@@ -66,7 +66,7 @@ LINK32=link.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
-# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/lwres/win32/include/lwres" /I "../../../lib/dns/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/lwres/win32/include/lwres" /I "../../../lib/dns/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
 # SUBTRACT CPP /X /u /YX
 # ADD BASE RSC /l 0x409 /d "_DEBUG"
 # ADD RSC /l 0x409 /d "_DEBUG"

bin/dnssec/win32/signkey.dsp

@@ -1,107 +0,0 @@
-# Microsoft Developer Studio Project File - Name="signkey" - Package Owner=<4>
-# Microsoft Developer Studio Generated Build File, Format Version 6.00
-# ** DO NOT EDIT **
-
-# TARGTYPE "Win32 (x86) Console Application" 0x0103
-
-CFG=signkey - Win32 Debug
-!MESSAGE This is not a valid makefile. To build this project using NMAKE,
-!MESSAGE use the Export Makefile command and run
-!MESSAGE 
-!MESSAGE NMAKE /f "signkey.mak".
-!MESSAGE 
-!MESSAGE You can specify a configuration when running NMAKE
-!MESSAGE by defining the macro CFG on the command line. For example:
-!MESSAGE 
-!MESSAGE NMAKE /f "signkey.mak" CFG="signkey - Win32 Debug"
-!MESSAGE 
-!MESSAGE Possible choices for configuration are:
-!MESSAGE 
-!MESSAGE "signkey - Win32 Release" (based on "Win32 (x86) Console Application")
-!MESSAGE "signkey - Win32 Debug" (based on "Win32 (x86) Console Application")
-!MESSAGE 
-
-# Begin Project
-# PROP AllowPerConfigDependencies 0
-# PROP Scc_ProjName ""
-# PROP Scc_LocalPath ""
-CPP=cl.exe
-RSC=rc.exe
-
-!IF  "$(CFG)" == "signkey - Win32 Release"
-
-# PROP BASE Use_MFC 0
-# PROP BASE Use_Debug_Libraries 0
-# PROP BASE Output_Dir "Release"
-# PROP BASE Intermediate_Dir "Release"
-# PROP BASE Target_Dir ""
-# PROP Use_MFC 0
-# PROP Use_Debug_Libraries 0
-# PROP Output_Dir "Release"
-# PROP Intermediate_Dir "Release"
-# PROP Ignore_Export_Lib 0
-# PROP Target_Dir ""
-# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
-# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
-# ADD BASE RSC /l 0x409 /d "NDEBUG"
-# ADD RSC /l 0x409 /d "NDEBUG"
-BSC32=bscmake.exe
-# ADD BASE BSC32 /nologo
-# ADD BSC32 /nologo
-LINK32=link.exe
-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
-# ADD LINK32 user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/dnssec-signkey.exe"
-
-!ELSEIF  "$(CFG)" == "signkey - Win32 Debug"
-
-# PROP BASE Use_MFC 0
-# PROP BASE Use_Debug_Libraries 1
-# PROP BASE Output_Dir "Debug"
-# PROP BASE Intermediate_Dir "Debug"
-# PROP BASE Target_Dir ""
-# PROP Use_MFC 0
-# PROP Use_Debug_Libraries 1
-# PROP Output_Dir "Debug"
-# PROP Intermediate_Dir "Debug"
-# PROP Ignore_Export_Lib 0
-# PROP Target_Dir ""
-# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
-# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
-# SUBTRACT CPP /X /YX
-# ADD BASE RSC /l 0x409 /d "_DEBUG"
-# ADD RSC /l 0x409 /d "_DEBUG"
-BSC32=bscmake.exe
-# ADD BASE BSC32 /nologo
-# ADD BSC32 /nologo
-LINK32=link.exe
-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
-# ADD LINK32 user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/dnssec-signkey.exe" /pdbtype:sept
-
-!ENDIF 
-
-# Begin Target
-
-# Name "signkey - Win32 Release"
-# Name "signkey - Win32 Debug"
-# Begin Group "Source Files"
-
-# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
-# Begin Source File
-
-SOURCE="..\dnssec-signkey.c"
-# End Source File
-# Begin Source File
-
-SOURCE=..\dnssectool.c
-# End Source File
-# End Group
-# Begin Group "Header Files"
-
-# PROP Default_Filter "h;hpp;hxx;hm;inl"
-# End Group
-# Begin Group "Resource Files"
-
-# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
-# End Group
-# End Target
-# End Project

bin/dnssec/win32/signkey.mak

@@ -1,227 +0,0 @@
-# Microsoft Developer Studio Generated NMAKE File, Based on signkey.dsp
-!IF "$(CFG)" == ""
-CFG=signkey - Win32 Debug
-!MESSAGE No configuration specified. Defaulting to signkey - Win32 Debug.
-!ENDIF 
-
-!IF "$(CFG)" != "signkey - Win32 Release" && "$(CFG)" != "signkey - Win32 Debug"
-!MESSAGE Invalid configuration "$(CFG)" specified.
-!MESSAGE You can specify a configuration when running NMAKE
-!MESSAGE by defining the macro CFG on the command line. For example:
-!MESSAGE 
-!MESSAGE NMAKE /f "signkey.mak" CFG="signkey - Win32 Debug"
-!MESSAGE 
-!MESSAGE Possible choices for configuration are:
-!MESSAGE 
-!MESSAGE "signkey - Win32 Release" (based on "Win32 (x86) Console Application")
-!MESSAGE "signkey - Win32 Debug" (based on "Win32 (x86) Console Application")
-!MESSAGE 
-!ERROR An invalid configuration is specified.
-!ENDIF 
-
-!IF "$(OS)" == "Windows_NT"
-NULL=
-!ELSE 
-NULL=nul
-!ENDIF 
-
-!IF  "$(CFG)" == "signkey - Win32 Release"
-
-OUTDIR=.\Release
-INTDIR=.\Release
-
-ALL : "..\..\..\Build\Release\dnssec-signkey.exe"
-
-
-CLEAN :
-	-@erase "$(INTDIR)\dnssec-signkey.obj"
-	-@erase "$(INTDIR)\dnssectool.obj"
-	-@erase "$(INTDIR)\vc60.idb"
-	-@erase "..\..\..\Build\Release\dnssec-signkey.exe"
-
-"$(OUTDIR)" :
-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
-
-CPP=cl.exe
-CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\signkey.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
-
-.c{$(INTDIR)}.obj::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-.cpp{$(INTDIR)}.obj::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-.cxx{$(INTDIR)}.obj::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-.c{$(INTDIR)}.sbr::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-.cpp{$(INTDIR)}.sbr::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-.cxx{$(INTDIR)}.sbr::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-RSC=rc.exe
-BSC32=bscmake.exe
-BSC32_FLAGS=/nologo /o"$(OUTDIR)\signkey.bsc" 
-BSC32_SBRS= \
-	
-LINK32=link.exe
-LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\dnssec-signkey.pdb" /machine:I386 /out:"../../../Build/Release/dnssec-signkey.exe" 
-LINK32_OBJS= \
-	"$(INTDIR)\dnssec-signkey.obj" \
-	"$(INTDIR)\dnssectool.obj"
-
-"..\..\..\Build\Release\dnssec-signkey.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
-    $(LINK32) @<<
-  $(LINK32_FLAGS) $(LINK32_OBJS)
-<<
-
-!ELSEIF  "$(CFG)" == "signkey - Win32 Debug"
-
-OUTDIR=.\Debug
-INTDIR=.\Debug
-# Begin Custom Macros
-OutDir=.\Debug
-# End Custom Macros
-
-ALL : "..\..\..\Build\Debug\dnssec-signkey.exe" "$(OUTDIR)\signkey.bsc"
-
-
-CLEAN :
-	-@erase "$(INTDIR)\dnssec-signkey.obj"
-	-@erase "$(INTDIR)\dnssec-signkey.sbr"
-	-@erase "$(INTDIR)\dnssectool.obj"
-	-@erase "$(INTDIR)\dnssectool.sbr"
-	-@erase "$(INTDIR)\vc60.idb"
-	-@erase "$(INTDIR)\vc60.pdb"
-	-@erase "$(OUTDIR)\dnssec-signkey.pdb"
-	-@erase "$(OUTDIR)\signkey.bsc"
-	-@erase "..\..\..\Build\Debug\dnssec-signkey.exe"
-	-@erase "..\..\..\Build\Debug\dnssec-signkey.ilk"
-
-"$(OUTDIR)" :
-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
-
-CPP=cl.exe
-CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
-
-.c{$(INTDIR)}.obj::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-.cpp{$(INTDIR)}.obj::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-.cxx{$(INTDIR)}.obj::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-.c{$(INTDIR)}.sbr::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-.cpp{$(INTDIR)}.sbr::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-.cxx{$(INTDIR)}.sbr::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-RSC=rc.exe
-BSC32=bscmake.exe
-BSC32_FLAGS=/nologo /o"$(OUTDIR)\signkey.bsc" 
-BSC32_SBRS= \
-	"$(INTDIR)\dnssec-signkey.sbr" \
-	"$(INTDIR)\dnssectool.sbr"
-
-"$(OUTDIR)\signkey.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
-    $(BSC32) @<<
-  $(BSC32_FLAGS) $(BSC32_SBRS)
-<<
-
-LINK32=link.exe
-LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\dnssec-signkey.pdb" /debug /machine:I386 /out:"../../../Build/Debug/dnssec-signkey.exe" /pdbtype:sept 
-LINK32_OBJS= \
-	"$(INTDIR)\dnssec-signkey.obj" \
-	"$(INTDIR)\dnssectool.obj"
-
-"..\..\..\Build\Debug\dnssec-signkey.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
-    $(LINK32) @<<
-  $(LINK32_FLAGS) $(LINK32_OBJS)
-<<
-
-!ENDIF 
-
-
-!IF "$(NO_EXTERNAL_DEPS)" != "1"
-!IF EXISTS("signkey.dep")
-!INCLUDE "signkey.dep"
-!ELSE 
-!MESSAGE Warning: cannot find "signkey.dep"
-!ENDIF 
-!ENDIF 
-
-
-!IF "$(CFG)" == "signkey - Win32 Release" || "$(CFG)" == "signkey - Win32 Debug"
-SOURCE="..\dnssec-signkey.c"
-
-!IF  "$(CFG)" == "signkey - Win32 Release"
-
-
-"$(INTDIR)\dnssec-signkey.obj" : $(SOURCE) "$(INTDIR)"
-	$(CPP) $(CPP_PROJ) $(SOURCE)
-
-
-!ELSEIF  "$(CFG)" == "signkey - Win32 Debug"
-
-
-"$(INTDIR)\dnssec-signkey.obj"	"$(INTDIR)\dnssec-signkey.sbr" : $(SOURCE) "$(INTDIR)"
-	$(CPP) $(CPP_PROJ) $(SOURCE)
-
-
-!ENDIF 
-
-SOURCE=..\dnssectool.c
-
-!IF  "$(CFG)" == "signkey - Win32 Release"
-
-
-"$(INTDIR)\dnssectool.obj" : $(SOURCE) "$(INTDIR)"
-	$(CPP) $(CPP_PROJ) $(SOURCE)
-
-
-!ELSEIF  "$(CFG)" == "signkey - Win32 Debug"
-
-
-"$(INTDIR)\dnssectool.obj"	"$(INTDIR)\dnssectool.sbr" : $(SOURCE) "$(INTDIR)"
-	$(CPP) $(CPP_PROJ) $(SOURCE)
-
-
-!ENDIF 
-
-
-!ENDIF 
-

bin/dnssec/win32/signzone.dsp

@@ -42,7 +42,7 @@ RSC=rc.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
-# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
+# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
 # ADD BASE RSC /l 0x409 /d "NDEBUG"
 # ADD RSC /l 0x409 /d "NDEBUG"
 BSC32=bscmake.exe
@@ -50,7 +50,7 @@ BSC32=bscmake.exe
 # ADD BSC32 /nologo
 LINK32=link.exe
 # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
-# ADD LINK32 user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/dnssec-signzone.exe"
+# ADD LINK32 user32.lib advapi32.lib Release/dnssectool.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/dnssec-signzone.exe"
 
 !ELSEIF  "$(CFG)" == "signzone - Win32 Debug"
 
@@ -66,7 +66,7 @@ LINK32=link.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
-# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
 # SUBTRACT CPP /X /YX
 # ADD BASE RSC /l 0x409 /d "_DEBUG"
 # ADD RSC /l 0x409 /d "_DEBUG"
@@ -75,7 +75,7 @@ BSC32=bscmake.exe
 # ADD BSC32 /nologo
 LINK32=link.exe
 # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
-# ADD LINK32 user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/dnssec-signzone.exe" /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib Debug/dnssectool.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/dnssec-signzone.exe" /pdbtype:sept
 
 !ENDIF 
 
@@ -90,10 +90,6 @@ LINK32=link.exe
 
 SOURCE="..\dnssec-signzone.c"
 # End Source File
-# Begin Source File
-
-SOURCE=..\dnssectool.c
-# End Source File
 # End Group
 # Begin Group "Header Files"
 

bin/dnssec/win32/signzone.mak

@@ -25,6 +25,81 @@ NULL=
 NULL=nul
 !ENDIF 
 
+!IF  "$(CFG)" == "signzone - Win32 Release"
+_VC_MANIFEST_INC=0
+_VC_MANIFEST_BASENAME=__VC80
+!ELSE
+_VC_MANIFEST_INC=1
+_VC_MANIFEST_BASENAME=__VC80.Debug
+!ENDIF
+
+####################################################
+# Specifying name of temporary resource file used only in incremental builds:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res
+!else
+_VC_MANIFEST_AUTO_RES=
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1
+
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2
+
+!endif
+####################################################
+# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \
+    $(_VC_MANIFEST_BASENAME).auto.rc \
+    $(_VC_MANIFEST_BASENAME).auto.manifest
+
+!else
+
+_VC_MANIFEST_CLEAN=
+
+!endif
+
 !IF  "$(CFG)" == "signzone - Win32 Release"
 
 OUTDIR=.\Release
@@ -38,12 +113,13 @@ CLEAN :
 	-@erase "$(INTDIR)\dnssectool.obj"
 	-@erase "$(INTDIR)\vc60.idb"
 	-@erase "..\..\..\Build\Release\dnssec-signzone.exe"
+	-@$(_VC_MANIFEST_CLEAN)
 
 "$(OUTDIR)" :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
 CPP=cl.exe
-CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\signzone.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\signzone.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
 
 .c{$(INTDIR)}.obj::
    $(CPP) @<<
@@ -90,6 +166,7 @@ LINK32_OBJS= \
     $(LINK32) @<<
   $(LINK32_FLAGS) $(LINK32_OBJS)
 <<
+    $(_VC_MANIFEST_EMBED_EXE)
 
 !ELSEIF  "$(CFG)" == "signzone - Win32 Debug"
 
@@ -113,12 +190,13 @@ CLEAN :
 	-@erase "$(OUTDIR)\signzone.bsc"
 	-@erase "..\..\..\Build\Debug\dnssec-signzone.exe"
 	-@erase "..\..\..\Build\Debug\dnssec-signzone.ilk"
+	-@$(_VC_MANIFEST_CLEAN)
 
 "$(OUTDIR)" :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
 CPP=cl.exe
-CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
 
 .c{$(INTDIR)}.obj::
    $(CPP) @<<
@@ -172,6 +250,7 @@ LINK32_OBJS= \
     $(LINK32) @<<
   $(LINK32_FLAGS) $(LINK32_OBJS)
 <<
+    $(_VC_MANIFEST_EMBED_EXE)
 
 !ENDIF 
 
@@ -225,3 +304,21 @@ SOURCE=..\dnssectool.c
 
 !ENDIF 
 
+####################################################
+# Commands to generate initial empty manifest file and the RC file
+# that references it, and for generating the .res file:
+
+$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc
+
+$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest
+    type <<$@
+#include <winuser.h>
+1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"
+<< KEEP
+
+$(_VC_MANIFEST_BASENAME).auto.manifest :
+    type <<$@
+<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
+<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
+</assembly>
+<< KEEP

bin/named/.cvsignore

@@ -4,3 +4,4 @@ Makefile
 *.lo
 named
 lwresd
+bind9.xsl.h

bin/named/Makefile.in

@@ -1,4 +1,4 @@
-# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.74.12.11 2004/09/06 21:47:25 marka Exp $
+# $Id: Makefile.in,v 1.94 2007/05/18 06:12:51 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -31,12 +31,20 @@ DBDRIVER_SRCS =
 DBDRIVER_INCLUDES =
 DBDRIVER_LIBS =
 
+DLZ_DRIVER_DIR =	${top_srcdir}/contrib/dlz/drivers
+
+DLZDRIVER_OBJS =	@DLZ_DRIVER_OBJS@
+DLZDRIVER_SRCS =	@DLZ_DRIVER_SRCS@
+DLZDRIVER_INCLUDES =	@DLZ_DRIVER_INCLUDES@
+DLZDRIVER_LIBS =	@DLZ_DRIVER_LIBS@
+
 CINCLUDES =	-I${srcdir}/include -I${srcdir}/unix/include \
 		${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
 		${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
-		${DBDRIVER_INCLUDES}
+		${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES}
+
+CDEFINES =      @USE_DLZ@
 
-CDEFINES =
 CWARNINGS =
 
 DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
@@ -57,13 +65,14 @@ DEPLIBS =	${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
 		${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${ISCDEPLIBS}
 
 LIBS =		${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
-		${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} ${DBDRIVER_LIBS} @LIBS@
+		${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \
+		${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@
 
 SUBDIRS =	unix
 
 TARGETS =	named@EXEEXT@ lwresd@EXEEXT@
 
-OBJS =		aclconf.@O@ builtin.@O@ client.@O@ config.@O@ control.@O@ \
+OBJS =		builtin.@O@ client.@O@ config.@O@ control.@O@ \
 		controlconf.@O@ interfacemgr.@O@ \
 		listenlist.@O@ log.@O@ logconf.@O@ main.@O@ notify.@O@ \
 		query.@O@ server.@O@ sortlist.@O@ \
@@ -71,11 +80,13 @@ OBJS =		aclconf.@O@ builtin.@O@ client.@O@ config.@O@ control.@O@ \
 		zoneconf.@O@ \
 		lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \
 		lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ \
-		$(DBDRIVER_OBJS)
+		${DLZDRIVER_OBJS} ${DBDRIVER_OBJS}
 
 UOBJS =		unix/os.@O@
 
-SRCS =		aclconf.c builtin.c client.c config.c control.c \
+GENERATED =	bind9.xsl.h
+
+SRCS =		builtin.c client.c config.c control.c \
 		controlconf.c interfacemgr.c \
 		listenlist.c log.c logconf.c main.c notify.c \
 		query.c server.c sortlist.c \
@@ -83,7 +94,7 @@ SRCS =		aclconf.c builtin.c client.c config.c control.c \
 		zoneconf.c \
 		lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \
 		lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c \
-		$(DBDRIVER_SRCS)
+		${DLZDRIVER_SRCS} ${DBDRIVER_SRCS}
 
 MANPAGES =	named.8 lwresd.8 named.conf.5
 
@@ -119,7 +130,13 @@ docclean manclean maintainer-clean::
 	rm -f ${MANOBJS}
 
 clean distclean maintainer-clean::
-	rm -f ${TARGETS} ${OBJS}
+	rm -f ${TARGETS} ${OBJS} ${GENERATED}
+
+bind9.xsl.h: bind9.xsl convertxsl.pl
+	${PERL} ${srcdir}/convertxsl.pl < ${srcdir}/bind9.xsl > bind9.xsl.h
+
+depend: bind9.xsl.h
+server.@O@: bind9.xsl.h
 
 installdirs:
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
@@ -133,3 +150,4 @@ install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs
 	${INSTALL_DATA} ${srcdir}/lwresd.8 ${DESTDIR}${mandir}/man8
 	${INSTALL_DATA} ${srcdir}/named.conf.5 ${DESTDIR}${mandir}/man5
 
+@DLZ_DRIVER_RULES@

bin/named/bind9.xsl

@@ -0,0 +1,281 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ - Copyright (C) 2006, 2007  Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: bind9.xsl,v 1.12 2007/02/13 02:49:08 marka Exp $ -->
+
+<xsl:stylesheet version="1.0"
+   xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+   xmlns="http://www.w3.org/1999/xhtml">
+  <xsl:template match="isc/bind/statistics">
+    <html>
+      <head>
+        <style type="text/css">
+body {
+	font-family: sans-serif;
+	background-color: #ffffff;
+	color: #000000;
+}
+
+table {
+	border-collapse: collapse;
+}
+
+tr.rowh {
+	text-align: center;
+	border: 1px solid #000000;
+	background-color: #8080ff;
+	color: #ffffff;
+}
+
+tr.row {
+	text-align: right;
+	border: 1px solid #000000;
+	background-color: teal;
+	color: #ffffff;
+}
+
+tr.lrow {
+	text-align: left;
+	border: 1px solid #000000;
+	background-color: teal;
+	color: #ffffff;
+}
+
+.header {
+	background-color: teal;
+	color: #ffffff;
+	padding: 4px;
+}
+
+.content {
+	background-color: #ffffff;
+	color: #000000;
+	padding: 4px;
+}
+
+.item {
+	padding: 4px;
+	align: right;
+}
+
+.value {
+	padding: 4px;
+	font-weight: bold;
+}
+        </style>
+        <title>BIND 9 Statistics</title>
+      </head>
+      <body>
+        <div class="header">Bind 9 Configuration and Statistics</div>
+
+	<br/>
+
+	<table>
+	  <tr class="rowh"><th colspan="2">Times</th></tr>
+	  <tr class="lrow">
+	    <td>boot-time</td>
+	    <td><xsl:value-of select="server/boot-time"/></td>
+	  </tr>
+	  <tr class="lrow">
+	    <td>current-time</td>
+	    <td><xsl:value-of select="server/current-time"/></td>
+	  </tr>
+	</table>
+
+	<br/>
+
+	<table>
+	  <tr class="rowh"><th colspan="2">Server statistics</th></tr>
+	  <xsl:for-each select="server/counters/*">
+	    <tr class="lrow">
+	      <td><xsl:value-of select="name()"/></td>
+	      <td><xsl:value-of select="."/></td>
+	    </tr>
+	  </xsl:for-each>
+	</table>
+
+	<br/>	
+
+        <xsl:for-each select="views/view">
+          <table>
+            <tr class="rowh">
+              <th colspan="11">Zones for View <xsl:value-of select="name"/></th>
+            </tr>
+            <tr class="rowh">
+              <th>Name</th>
+              <th>Class</th>
+              <th>Serial</th>
+              <th>Success</th>
+              <th>Referral</th>
+              <th>NXRRSET</th>
+              <th>NXDOMAIN</th>
+              <th>Recursion</th>
+              <th>Failure</th>
+              <th>Duplicate</th>
+              <th>Dropped</th>
+            </tr>
+            <xsl:for-each select="zones/zone">
+              <tr class="lrow">
+                <td>
+                  <xsl:value-of select="name"/>
+                </td>
+                <td>
+                  <xsl:value-of select="rdataclass"/>
+                </td>
+                <td>
+                  <xsl:value-of select="serial"/>
+                </td>
+                <td>
+                  <xsl:value-of select="counters/success"/>
+                </td>
+                <td>
+                  <xsl:value-of select="counters/referral"/>
+                </td>
+                <td>
+                  <xsl:value-of select="counters/nxrrset"/>
+                </td>
+                <td>
+                  <xsl:value-of select="counters/nxdomain"/>
+                </td>
+                <td>
+                  <xsl:value-of select="counters/recursion"/>
+                </td>
+                <td>
+                  <xsl:value-of select="counters/failure"/>
+                </td>
+                <td>
+                  <xsl:value-of select="counters/duplicate"/>
+                </td>
+                <td>
+                  <xsl:value-of select="counters/dropped"/>
+                </td>
+              </tr>
+            </xsl:for-each>
+          </table>
+          <br/>
+        </xsl:for-each>
+
+        <br/>
+
+        <table>
+          <tr class="rowh">
+            <th colspan="7">Network Status</th>
+          </tr>
+          <tr class="rowh">
+            <th>ID</th>
+	    <th>Name</th>
+            <th>Type</th>
+            <th>References</th>
+            <th>LocalAddress</th>
+            <th>PeerAddress</th>
+            <th>State</th>
+          </tr>
+          <xsl:for-each select="socketmgr/sockets/socket">
+            <tr class="lrow">
+              <td>
+                <xsl:value-of select="id"/>
+              </td>
+              <td>
+                <xsl:value-of select="name"/>
+              </td>
+              <td>
+                <xsl:value-of select="type"/>
+              </td>
+              <td>
+                <xsl:value-of select="references"/>
+              </td>
+              <td>
+                <xsl:value-of select="local-address"/>
+              </td>
+              <td>
+                <xsl:value-of select="peer-address"/>
+              </td>
+              <td>
+                <xsl:for-each select="states">
+                  <xsl:value-of select="."/>
+                </xsl:for-each>
+              </td>
+            </tr>
+          </xsl:for-each>
+        </table>
+        <br/>
+        <table>
+          <tr class="rowh">
+            <th colspan="2">Task Manager Configuration</th>
+          </tr>
+          <tr class="lrow">
+            <td>Thread-Model</td>
+            <td>
+              <xsl:value-of select="taskmgr/thread-model/type"/>
+            </td>
+          </tr>
+          <tr class="lrow">
+            <td>Worker Threads</td>
+            <td>
+              <xsl:value-of select="taskmgr/thread-model/worker-threads"/>
+            </td>
+          </tr>
+          <tr class="lrow">
+            <td>Default Quantum</td>
+            <td>
+              <xsl:value-of select="taskmgr/thread-model/default-quantum"/>
+            </td>
+          </tr>
+          <tr class="lrow">
+            <td>Tasks Running</td>
+            <td>
+              <xsl:value-of select="taskmgr/thread-model/tasks-running"/>
+            </td>
+          </tr>
+        </table>
+        <br/>
+        <table>
+          <tr class="rowh">
+            <th colspan="5">Tasks</th>
+          </tr>
+          <tr class="rowh">
+            <th>ID</th>
+            <th>Name</th>
+            <th>References</th>
+            <th>State</th>
+            <th>Quantum</th>
+          </tr>
+          <xsl:for-each select="taskmgr/tasks/task">
+            <tr class="lrow">
+              <td>
+                <xsl:value-of select="id"/>
+              </td>
+              <td>
+                <xsl:value-of select="name"/>
+              </td>
+              <td>
+                <xsl:value-of select="references"/>
+              </td>
+              <td>
+                <xsl:value-of select="state"/>
+              </td>
+              <td>
+                <xsl:value-of select="quantum"/>
+              </td>
+            </tr>
+          </xsl:for-each>
+        </table>
+
+      </body>
+    </html>
+  </xsl:template>
+</xsl:stylesheet>

bin/named/builtin.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,10 +15,11 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: builtin.c,v 1.4.106.4 2004/03/08 04:04:18 marka Exp $ */
+/* $Id: builtin.c,v 1.10 2005/08/23 04:07:57 marka Exp $ */
 
-/*
- * The built-in "version", "hostname", "id" and "authors" databases.
+/*! \file
+ * \brief
+ * The built-in "version", "hostname", "id", "authors" and "empty" databases.
  */
 
 #include <config.h>
@@ -26,12 +27,13 @@
 #include <string.h>
 #include <stdio.h>
 
+#include <isc/mem.h>
 #include <isc/print.h>
 #include <isc/result.h>
 #include <isc/util.h>
 
-#include <dns/sdb.h>
 #include <dns/result.h>
+#include <dns/sdb.h>
 
 #include <named/builtin.h>
 #include <named/globals.h>
@@ -44,6 +46,7 @@ static isc_result_t do_version_lookup(dns_sdblookup_t *lookup);
 static isc_result_t do_hostname_lookup(dns_sdblookup_t *lookup);
 static isc_result_t do_authors_lookup(dns_sdblookup_t *lookup);
 static isc_result_t do_id_lookup(dns_sdblookup_t *lookup);
+static isc_result_t do_empty_lookup(dns_sdblookup_t *lookup);
 
 /*
  * We can't use function pointers as the db_data directly
@@ -53,12 +56,15 @@ static isc_result_t do_id_lookup(dns_sdblookup_t *lookup);
 
 struct builtin {
 	isc_result_t (*do_lookup)(dns_sdblookup_t *lookup);
+	char *server;
+	char *contact;
 };
 
-static builtin_t version_builtin = { do_version_lookup };
-static builtin_t hostname_builtin = { do_hostname_lookup };
-static builtin_t authors_builtin = { do_authors_lookup };
-static builtin_t id_builtin = { do_id_lookup };
+static builtin_t version_builtin = { do_version_lookup,  NULL, NULL };
+static builtin_t hostname_builtin = { do_hostname_lookup, NULL, NULL };
+static builtin_t authors_builtin = { do_authors_lookup, NULL, NULL };
+static builtin_t id_builtin = { do_id_lookup, NULL, NULL };
+static builtin_t empty_builtin = { do_empty_lookup, NULL, NULL };
 
 static dns_sdbimplementation_t *builtin_impl;
 
@@ -166,17 +172,38 @@ do_id_lookup(dns_sdblookup_t *lookup) {
 		return (put_txt(lookup, ns_g_server->server_id));
 }
 
+static isc_result_t
+do_empty_lookup(dns_sdblookup_t *lookup) {
+
+	UNUSED(lookup);
+	return (ISC_R_SUCCESS);
+}
+
 static isc_result_t
 builtin_authority(const char *zone, void *dbdata, dns_sdblookup_t *lookup) {
 	isc_result_t result;
+	const char *contact = "hostmaster";
+	const char *server = "@";
+	builtin_t *b = (builtin_t *) dbdata;
 
 	UNUSED(zone);
 	UNUSED(dbdata);
 
-	result = dns_sdb_putsoa(lookup, "@", "hostmaster", 0);
+	if (b == &empty_builtin) {
+		server = ".";
+		contact = ".";
+	} else {
+		if (b->server != NULL)
+			server = b->server;
+		if (b->contact != NULL)
+			contact = b->contact;
+	}
+	
+	result = dns_sdb_putsoa(lookup, server, contact, 0);
 	if (result != ISC_R_SUCCESS)
 		return (ISC_R_FAILURE);
-	result = dns_sdb_putrr(lookup, "ns", 0, "@");
+
+	result = dns_sdb_putrr(lookup, "ns", 0, server);
 	if (result != ISC_R_SUCCESS)
 		return (ISC_R_FAILURE);
 
@@ -187,10 +214,17 @@ static isc_result_t
 builtin_create(const char *zone, int argc, char **argv,
 	       void *driverdata, void **dbdata)
 {
+	REQUIRE(argc >= 1);
+
 	UNUSED(zone);
 	UNUSED(driverdata);
-	if (argc != 1)
+
+	if (strcmp(argv[0], "empty") == 0) {
+		if (argc != 3)
+			return (DNS_R_SYNTAX);
+	} else if (argc != 1)
 		return (DNS_R_SYNTAX);
+
 	if (strcmp(argv[0], "version") == 0)
 		*dbdata = &version_builtin;
 	else if (strcmp(argv[0], "hostname") == 0)
@@ -199,17 +233,62 @@ builtin_create(const char *zone, int argc, char **argv,
 		*dbdata = &authors_builtin;
 	else if (strcmp(argv[0], "id") == 0)
 		*dbdata = &id_builtin;
-	else
+	else if (strcmp(argv[0], "empty") == 0) { 
+		builtin_t *empty;
+		char *server;
+		char *contact;
+		/*
+		 * We don't want built-in zones to fail.  Fallback to
+		 * the static configuration if memory allocation fails.
+		 */
+		empty = isc_mem_get(ns_g_mctx, sizeof(*empty));
+		server = isc_mem_strdup(ns_g_mctx, argv[1]);
+		contact = isc_mem_strdup(ns_g_mctx, argv[2]);
+		if (empty == NULL || server == NULL || contact == NULL) {
+			*dbdata = &empty_builtin;
+			if (server != NULL)
+				isc_mem_free(ns_g_mctx, server);
+			if (contact != NULL)
+				isc_mem_free(ns_g_mctx, contact);
+			if (empty != NULL)
+				isc_mem_put(ns_g_mctx, empty, sizeof (*empty));
+		} else {
+			memcpy(empty, &empty_builtin, sizeof (empty_builtin));
+			empty->server = server;
+			empty->contact = contact;
+			*dbdata = empty;
+		}
+	} else
 		return (ISC_R_NOTIMPLEMENTED);
 	return (ISC_R_SUCCESS);
 }
 
+static void
+builtin_destroy(const char *zone, void *driverdata, void **dbdata) {
+	builtin_t *b = (builtin_t *) *dbdata;
+
+	UNUSED(zone);
+	UNUSED(driverdata);
+
+	/*
+	 * Don't free the static versions.
+	 */
+	if (*dbdata == &version_builtin || *dbdata == &hostname_builtin ||
+	    *dbdata == &authors_builtin || *dbdata == &id_builtin ||
+	    *dbdata == &empty_builtin)
+		return;
+
+	isc_mem_free(ns_g_mctx, b->server);
+	isc_mem_free(ns_g_mctx, b->contact);
+	isc_mem_put(ns_g_mctx, b, sizeof (*b));
+}
+
 static dns_sdbmethods_t builtin_methods = {
 	builtin_lookup,
 	builtin_authority,
 	NULL,		/* allnodes */
 	builtin_create,
-	NULL		/* destroy */
+	builtin_destroy
 };
 
 isc_result_t

bin/named/client.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,13 +15,14 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: client.c,v 1.176.2.13.4.23 2004/09/26 22:37:43 marka Exp $ */
+/* $Id: client.c,v 1.246 2007/05/15 21:54:08 marka Exp $ */
 
 #include <config.h>
 
 #include <isc/formatcheck.h>
 #include <isc/mutex.h>
 #include <isc/once.h>
+#include <isc/platform.h>
 #include <isc/print.h>
 #include <isc/stdio.h>
 #include <isc/string.h>
@@ -33,12 +34,13 @@
 #include <dns/dispatch.h>
 #include <dns/events.h>
 #include <dns/message.h>
+#include <dns/peer.h>
 #include <dns/rcode.h>
-#include <dns/resolver.h>
 #include <dns/rdata.h>
 #include <dns/rdataclass.h>
 #include <dns/rdatalist.h>
 #include <dns/rdataset.h>
+#include <dns/resolver.h>
 #include <dns/tsig.h>
 #include <dns/view.h>
 #include <dns/zone.h>
@@ -53,7 +55,9 @@
  *** Client
  ***/
 
-/*
+/*! \file
+ * Client Routines
+ *
  * Important note!
  *
  * All client state changes, other than that from idle to listening, occur
@@ -87,6 +91,25 @@
 #define SEND_BUFFER_SIZE		4096
 #define RECV_BUFFER_SIZE		4096
 
+#ifdef ISC_PLATFORM_USETHREADS
+#define NMCTXS				100
+/*%<
+ * Number of 'mctx pools' for clients. (Should this be configurable?)
+ * When enabling threads, we use a pool of memory contexts shared by
+ * client objects, since concurrent access to a shared context would cause
+ * heavy contentions.  The above constant is expected to be enough for
+ * completely avoiding contentions among threads for an authoritative-only
+ * server.
+ */
+#else
+#define NMCTXS				0
+/*%<
+ * If named with built without thread, simply share manager's context.  Using
+ * a separate context in this case would simply waste memory.
+ */
+#endif
+
+/*% nameserver client manager structure */
 struct ns_clientmgr {
 	/* Unlocked. */
 	unsigned int			magic;
@@ -96,15 +119,20 @@ struct ns_clientmgr {
 	isc_mutex_t			lock;
 	/* Locked by lock. */
 	isc_boolean_t			exiting;
-	client_list_t			active; 	/* Active clients */
-	client_list_t			recursing; 	/* Recursing clients */
-	client_list_t 			inactive;	/* To be recycled */
+	client_list_t			active;		/*%< Active clients */
+	client_list_t			recursing;	/*%< Recursing clients */
+	client_list_t			inactive;	/*%< To be recycled */
+#if NMCTXS > 0
+	/*%< mctx pool for clients. */
+	unsigned int			nextmctx;
+	isc_mem_t *			mctxpool[NMCTXS];
+#endif
 };
 
 #define MANAGER_MAGIC			ISC_MAGIC('N', 'S', 'C', 'm')
 #define VALID_MANAGER(m)		ISC_MAGIC_VALID(m, MANAGER_MAGIC)
 
-/*
+/*! 
  * Client object states.  Ordering is significant: higher-numbered
  * states are generally "more active", meaning that the client can
  * have more dynamically allocated data, outstanding events, etc.
@@ -117,12 +145,12 @@ struct ns_clientmgr {
  */
 
 #define NS_CLIENTSTATE_FREED    0
-/*
+/*%<
  * The client object no longer exists.
  */
 
 #define NS_CLIENTSTATE_INACTIVE 1
-/*
+/*%<
  * The client object exists and has a task and timer.
  * Its "query" struct and sendbuf are initialized.
  * It is on the client manager's list of inactive clients.
@@ -130,7 +158,7 @@ struct ns_clientmgr {
  */
 
 #define NS_CLIENTSTATE_READY    2
-/*
+/*%<
  * The client object is either a TCP or a UDP one, and
  * it is associated with a network interface.  It is on the
  * client manager's list of active clients.
@@ -143,7 +171,7 @@ struct ns_clientmgr {
  */
 
 #define NS_CLIENTSTATE_READING  3
-/*
+/*%<
  * The client object is a TCP client object that has received
  * a connection.  It has a tcpsocket, tcpmsg, TCP quota, and an
  * outstanding TCP read request.  This state is not used for
@@ -151,19 +179,27 @@ struct ns_clientmgr {
  */
 
 #define NS_CLIENTSTATE_WORKING  4
-/*
+/*%<
  * The client object has received a request and is working
  * on it.  It has a view, and it may have any of a non-reset OPT,
  * recursion quota, and an outstanding write request.
  */
 
 #define NS_CLIENTSTATE_MAX      9
-/*
+/*%<
  * Sentinel value used to indicate "no state".  When client->newstate
  * has this value, we are not attempting to exit the current state.
  * Must be greater than any valid state.
  */
 
+/*
+ * Enable ns_client_dropport() by default.
+ */
+#ifndef NS_CLIENT_DROPPORT
+#define NS_CLIENT_DROPPORT 1
+#endif
+
+unsigned int ns_client_requests;
 
 static void client_read(ns_client_t *client);
 static void client_accept(ns_client_t *client);
@@ -177,23 +213,29 @@ static void client_request(isc_task_t *task, isc_event_t *event);
 static void ns_client_dumpmessage(ns_client_t *client, const char *reason);
 
 void
-ns_client_recursing(ns_client_t *client, isc_boolean_t killoldest) {
+ns_client_recursing(ns_client_t *client) {
+	REQUIRE(NS_CLIENT_VALID(client));
+
+	LOCK(&client->manager->lock);
+	ISC_LIST_UNLINK(*client->list, client, link);
+	ISC_LIST_APPEND(client->manager->recursing, client, link);
+	client->list = &client->manager->recursing;
+	UNLOCK(&client->manager->lock);
+}
+
+void
+ns_client_killoldestquery(ns_client_t *client) {
 	ns_client_t *oldest;
 	REQUIRE(NS_CLIENT_VALID(client));
 
 	LOCK(&client->manager->lock);
-	if (killoldest) {
-		oldest = ISC_LIST_HEAD(client->manager->recursing);
-		if (oldest != NULL) {
-			ns_query_cancel(oldest);
-			ISC_LIST_UNLINK(*oldest->list, oldest, link);
-			ISC_LIST_APPEND(client->manager->active, oldest, link);
-			oldest->list = &client->manager->active;
-		}
+	oldest = ISC_LIST_HEAD(client->manager->recursing);
+	if (oldest != NULL) {
+		ns_query_cancel(oldest);
+		ISC_LIST_UNLINK(*oldest->list, oldest, link);
+		ISC_LIST_APPEND(client->manager->active, oldest, link);
+		oldest->list = &client->manager->active;
 	}
-	ISC_LIST_UNLINK(*client->list, client, link);
-	ISC_LIST_APPEND(client->manager->recursing, client, link);
-	client->list = &client->manager->recursing;
 	UNLOCK(&client->manager->lock);
 }
 
@@ -215,7 +257,7 @@ ns_client_settimeout(ns_client_t *client, unsigned int seconds) {
 	}
 }
 
-/*
+/*%
  * Check for a deactivation or shutdown request and take appropriate
  * action.  Returns ISC_TRUE if either is in progress; in this case
  * the caller must no longer use the client object as it may have been
@@ -279,8 +321,17 @@ exit_check(ns_client_t *client) {
 		}
 		/*
 		 * I/O cancel is complete.  Burn down all state
-		 * related to the current request.
+		 * related to the current request.  Ensure that
+		 * the client is on the active list and not the
+		 * recursing list.
 		 */
+		LOCK(&client->manager->lock);
+		if (client->list == &client->manager->recursing) {
+			ISC_LIST_UNLINK(*client->list, client, link);
+			ISC_LIST_APPEND(client->manager->active, client, link);
+			client->list = &client->manager->active;
+		}
+		UNLOCK(&client->manager->lock);
 		ns_client_endrequest(client);
 
 		client->state = NS_CLIENTSTATE_READING;
@@ -468,7 +519,7 @@ exit_check(ns_client_t *client) {
 
 		CTRACE("free");
 		client->magic = 0;
-		isc_mem_put(client->mctx, client, sizeof(*client));
+		isc_mem_putanddetach(&client->mctx, client, sizeof(*client));
 
 		goto unlock;
 	}
@@ -489,7 +540,7 @@ exit_check(ns_client_t *client) {
 	return (ISC_TRUE);
 }
 
-/*
+/*%
  * The client's task has received the client's control event
  * as part of the startup process.
  */
@@ -515,7 +566,7 @@ client_start(isc_task_t *task, isc_event_t *event) {
 }
 
 
-/*
+/*%
  * The client's task has received a shutdown event.
  */
 static void
@@ -570,6 +621,7 @@ ns_client_endrequest(ns_client_t *client) {
 
 	client->udpsize = 512;
 	client->extflags = 0;
+	client->ednsversion = -1;
 	dns_message_reset(client->message, DNS_MESSAGE_INTENTPARSE);
 
 	if (client->recursionquota != NULL)
@@ -588,7 +640,7 @@ ns_client_checkactive(ns_client_t *client) {
 		/*
 		 * This client object should normally go inactive
 		 * at this point, but if we have fewer active client
-		 * objects than  desired due to earlier quota exhaustion,
+		 * objects than desired due to earlier quota exhaustion,
 		 * keep it active to make up for the shortage.
 		 */
 		isc_boolean_t need_another_client = ISC_FALSE;
@@ -684,7 +736,7 @@ client_senddone(isc_task_t *task, isc_event_t *event) {
 	ns_client_next(client, ISC_R_SUCCESS);
 }
 
-/*
+/*%
  * We only want to fail with ISC_R_NOSPACE when called from
  * ns_client_sendraw() and not when called from ns_client_send(),
  * tcpbuffer is NULL when called from ns_client_sendraw() and
@@ -765,7 +817,7 @@ client_sendpkg(ns_client_t *client, isc_buffer_t *buffer) {
 		isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
 		if (ns_g_server->blackholeacl != NULL &&
 		    dns_acl_match(&netaddr, NULL,
-			    	  ns_g_server->blackholeacl,
+				  ns_g_server->blackholeacl,
 				  &ns_g_server->aclenv,
 				  &match, NULL) == ISC_R_SUCCESS &&
 		    match > 0)
@@ -966,6 +1018,34 @@ ns_client_send(ns_client_t *client) {
 	ns_client_next(client, result);
 }
 
+#if NS_CLIENT_DROPPORT
+#define DROPPORT_NO		0
+#define DROPPORT_REQUEST	1
+#define DROPPORT_RESPONSE	2
+/*%
+ * ns_client_dropport determines if certain requests / responses
+ * should be dropped based on the port number.
+ *
+ * Returns:
+ * \li	0:	Don't drop.
+ * \li	1:	Drop request.
+ * \li	2:	Drop (error) response.
+ */
+static int
+ns_client_dropport(in_port_t port) {
+	switch (port) {
+	case 7: /* echo */
+	case 13: /* daytime */
+	case 19: /* chargen */
+	case 37: /* time */
+		return (DROPPORT_REQUEST);
+	case 464: /* kpasswd */
+		return (DROPPORT_RESPONSE);
+	}
+	return (DROPPORT_NO);
+}
+#endif
+
 void
 ns_client_error(ns_client_t *client, isc_result_t result) {
 	dns_rcode_t rcode;
@@ -978,6 +1058,28 @@ ns_client_error(ns_client_t *client, isc_result_t result) {
 	message = client->message;
 	rcode = dns_result_torcode(result);
 
+#if NS_CLIENT_DROPPORT
+	/*
+	 * Don't send FORMERR to ports on the drop port list.
+	 */
+	if (rcode == dns_rcode_formerr &&
+	    ns_client_dropport(isc_sockaddr_getport(&client->peeraddr)) !=
+	    DROPPORT_NO) {
+		char buf[64];
+		isc_buffer_t b;
+
+		isc_buffer_init(&b, buf, sizeof(buf) - 1);
+		if (dns_rcode_totext(rcode, &b) != ISC_R_SUCCESS)
+			isc_buffer_putstr(&b, "UNKNOWN RCODE");
+		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(10),
+			      "dropped error (%.*s) response: suspicious port",
+			      (int)isc_buffer_usedlength(&b), buf);
+		ns_client_next(client, ISC_R_SUCCESS);
+		return;
+	}
+#endif
+
 	/*
 	 * Message may be an in-progress reply that we had trouble
 	 * with, in which case QR will be set.  We need to clear QR before
@@ -1078,7 +1180,7 @@ client_addopt(ns_client_t *client) {
 	rdatalist->ttl = (client->extflags & DNS_MESSAGEEXTFLAG_REPLYPRESERVE);
 
 	/*
-	 * No ENDS options in the default case.
+	 * No EDNS options in the default case.
 	 */
 	rdata->data = NULL;
 	rdata->length = 0;
@@ -1110,6 +1212,64 @@ allowed(isc_netaddr_t *addr, dns_name_t *signer, dns_acl_t *acl) {
 	return (ISC_FALSE);
 }
 
+/*
+ * Callback to see if a non-recursive query coming from 'srcaddr' to
+ * 'destaddr', with optional key 'mykey' for class 'rdclass' would be
+ * delivered to 'myview'.
+ *
+ * We run this unlocked as both the view list and the interface list
+ * are updated when the approprite task has exclusivity.
+ */
+isc_boolean_t
+ns_client_isself(dns_view_t *myview, dns_tsigkey_t *mykey,
+		 isc_sockaddr_t *srcaddr, isc_sockaddr_t *dstaddr,
+		 dns_rdataclass_t rdclass, void *arg)
+{
+	dns_view_t *view;
+	dns_tsigkey_t *key = NULL;
+	dns_name_t *tsig = NULL;
+	isc_netaddr_t netsrc;
+	isc_netaddr_t netdst;
+
+	UNUSED(arg);
+
+	if (!ns_interfacemgr_listeningon(ns_g_server->interfacemgr, dstaddr))
+		return (ISC_FALSE);
+
+	isc_netaddr_fromsockaddr(&netsrc, srcaddr);
+	isc_netaddr_fromsockaddr(&netdst, dstaddr);
+
+	for (view = ISC_LIST_HEAD(ns_g_server->viewlist);
+	     view != NULL;
+	     view = ISC_LIST_NEXT(view, link)) {
+
+		if (view->matchrecursiveonly)
+			continue;
+
+		if (rdclass != view->rdclass)
+			continue;
+
+		if (mykey != NULL) {
+			isc_boolean_t match;
+			isc_result_t result;
+
+			result = dns_view_gettsig(view, &mykey->name, &key);
+			if (result != ISC_R_SUCCESS)
+				continue;
+			match = dst_key_compare(mykey->key, key->key);
+			dns_tsigkey_detach(&key);
+			if (!match)
+				continue;
+			tsig = dns_tsigkey_identity(mykey);
+		}
+
+		if (allowed(&netsrc, tsig, view->matchclients) &&
+		    allowed(&netdst, tsig, view->matchdestinations))
+			break;
+	}
+	return (ISC_TF(view == myview));
+}
+
 /*
  * Handle an incoming request event from the socket (UDP case)
  * or tcpmsg (TCP case).
@@ -1124,7 +1284,7 @@ client_request(isc_task_t *task, isc_event_t *event) {
 	isc_buffer_t tbuffer;
 	dns_view_t *view;
 	dns_rdataset_t *opt;
-	isc_boolean_t ra; 	/* Recursion available. */
+	isc_boolean_t ra;	/* Recursion available. */
 	isc_netaddr_t netaddr;
 	isc_netaddr_t destaddr;
 	int match;
@@ -1144,6 +1304,8 @@ client_request(isc_task_t *task, isc_event_t *event) {
 	       NS_CLIENTSTATE_READING :
 	       NS_CLIENTSTATE_READY);
 
+	ns_client_requests++;
+
 	if (event->ev_type == ISC_SOCKEVENT_RECVDONE) {
 		INSIST(!TCP_CLIENT(client));
 		sevent = (isc_socketevent_t *)event;
@@ -1202,6 +1364,17 @@ client_request(isc_task_t *task, isc_event_t *event) {
 
 	isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
 
+#if NS_CLIENT_DROPPORT
+	if (ns_client_dropport(isc_sockaddr_getport(&client->peeraddr)) ==
+	    DROPPORT_REQUEST) {
+		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(10),
+			      "dropped request: suspicious port");
+		ns_client_next(client, ISC_R_SUCCESS);
+		goto cleanup;
+	}
+#endif
+
 	ns_client_log(client, NS_LOGCATEGORY_CLIENT,
 		      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
 		      "%s request",
@@ -1236,6 +1409,7 @@ client_request(isc_task_t *task, isc_event_t *event) {
 			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(2),
 			      "dropping multicast request");
 		ns_client_next(client, DNS_R_REFUSED);
+		goto cleanup;
 	}
 
 	result = dns_message_peekheader(buffer, &id, &flags);
@@ -1301,8 +1475,6 @@ client_request(isc_task_t *task, isc_event_t *event) {
 	 */
 	opt = dns_message_getopt(client->message);
 	if (opt != NULL) {
-		unsigned int version;
-
 		/*
 		 * Set the client's UDP buffer size.
 		 */
@@ -1320,6 +1492,19 @@ client_request(isc_task_t *task, isc_event_t *event) {
 		 */
 		client->extflags = (isc_uint16_t)(opt->ttl & 0xFFFF);
 
+		/*
+		 * Do we understand this version of EDNS?
+		 *
+		 * XXXRTH need library support for this!
+		 */
+		client->ednsversion = (opt->ttl & 0x00FF0000) >> 16;
+		if (client->ednsversion > 0) {
+			result = client_addopt(client);
+			if (result == ISC_R_SUCCESS)
+				result = DNS_R_BADVERS;
+			ns_client_error(client, result);
+			goto cleanup;
+		}
 		/*
 		 * Create an OPT for our reply.
 		 */
@@ -1328,17 +1513,6 @@ client_request(isc_task_t *task, isc_event_t *event) {
 			ns_client_error(client, result);
 			goto cleanup;
 		}
-
-		/*
-		 * Do we understand this version of ENDS?
-		 *
-		 * XXXRTH need library support for this!
-		 */
-		version = (opt->ttl & 0x00FF0000) >> 16;
-		if (version != 0) {
-			ns_client_error(client, DNS_R_BADVERS);
-			goto cleanup;
-		}
 	}
 
 	if (client->message->rdclass == 0) {
@@ -1402,6 +1576,7 @@ client_request(isc_task_t *task, isc_event_t *event) {
 					 "failed to get request's "
 					 "destination: %s",
 					 isc_result_totext(result));
+			ns_client_next(client, ISC_R_SUCCESS);
 			goto cleanup;
 		}
 	}
@@ -1416,11 +1591,12 @@ client_request(isc_task_t *task, isc_event_t *event) {
 		    client->message->rdclass == dns_rdataclass_any)
 		{
 			dns_name_t *tsig = NULL;
+
 			sigresult = dns_message_rechecksig(client->message,
 							   view);
 			if (sigresult == ISC_R_SUCCESS)
-				tsig = client->message->tsigname;
-				
+				tsig = dns_tsigkey_identity(client->message->tsigkey);
+
 			if (allowed(&netaddr, tsig, view->matchclients) &&
 			    allowed(&destaddr, tsig, view->matchdestinations) &&
 			    !((client->message->flags & DNS_MESSAGEFLAG_RD)
@@ -1498,12 +1674,28 @@ client_request(isc_task_t *task, isc_event_t *event) {
 		/* There is a signature, but it is bad. */
 		if (dns_message_gettsig(client->message, &name) != NULL) {
 			char namebuf[DNS_NAME_FORMATSIZE];
+			char cnamebuf[DNS_NAME_FORMATSIZE];
 			dns_name_format(name, namebuf, sizeof(namebuf));
-			ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
-				      NS_LOGMODULE_CLIENT, ISC_LOG_ERROR,
-				      "request has invalid signature: "
-				      "TSIG %s: %s (%s)", namebuf,
-				      isc_result_totext(result), tsigrcode);
+			if (client->message->tsigkey->generated) {
+				dns_name_format(client->message->tsigkey->creator,
+						cnamebuf, sizeof(cnamebuf));
+				ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+					      NS_LOGMODULE_CLIENT,
+					      ISC_LOG_ERROR,
+					      "request has invalid signature: "
+					      "TSIG %s (%s): %s (%s)", namebuf,
+					      cnamebuf,
+					      isc_result_totext(result),
+					      tsigrcode);
+			} else {
+				ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+					      NS_LOGMODULE_CLIENT,
+					      ISC_LOG_ERROR,
+					      "request has invalid signature: "
+					      "TSIG %s: %s (%s)", namebuf,
+					      isc_result_totext(result),
+					      tsigrcode);
+			}
 		} else {
 			ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
 				      NS_LOGMODULE_CLIENT, ISC_LOG_ERROR,
@@ -1526,12 +1718,23 @@ client_request(isc_task_t *task, isc_event_t *event) {
 	 * Decide whether recursive service is available to this client.
 	 * We do this here rather than in the query code so that we can
 	 * set the RA bit correctly on all kinds of responses, not just
-	 * responses to ordinary queries.
+	 * responses to ordinary queries.  Note if you can't query the
+	 * cache there is no point in setting RA.
 	 */
 	ra = ISC_FALSE;
 	if (client->view->resolver != NULL &&
 	    client->view->recursion == ISC_TRUE &&
-	    ns_client_checkaclsilent(client, client->view->recursionacl,
+	    ns_client_checkaclsilent(client, NULL,
+				     client->view->recursionacl,
+				     ISC_TRUE) == ISC_R_SUCCESS &&
+	    ns_client_checkaclsilent(client, NULL,
+				     client->view->queryacl,
+				     ISC_TRUE) == ISC_R_SUCCESS &&
+	    ns_client_checkaclsilent(client, &client->interface->addr,
+				     client->view->recursiononacl,
+				     ISC_TRUE) == ISC_R_SUCCESS &&
+	    ns_client_checkaclsilent(client, &client->interface->addr,
+				     client->view->queryonacl,
 				     ISC_TRUE) == ISC_R_SUCCESS)
 		ra = ISC_TRUE;
 
@@ -1540,7 +1743,20 @@ client_request(isc_task_t *task, isc_event_t *event) {
 
 	ns_client_log(client, DNS_LOGCATEGORY_SECURITY, NS_LOGMODULE_CLIENT,
 		      ISC_LOG_DEBUG(3), ra ? "recursion available" :
-		      			     "recursion not available");
+					     "recursion not available");
+
+	/*
+	 * Adjust maximum UDP response size for this client.
+	 */
+	if (client->udpsize > 512) {
+		dns_peer_t *peer = NULL;
+		isc_uint16_t udpsize = view->maxudp;
+		(void) dns_peerlist_peerbyaddr(view->peers, &netaddr, &peer);
+		if (peer != NULL)
+			dns_peer_getmaxudp(peer, &udpsize);
+		if (client->udpsize > udpsize)
+			client->udpsize = udpsize;
+	}
 
 	/*
 	 * Dispatch the request.
@@ -1603,10 +1819,42 @@ client_timeout(isc_task_t *task, isc_event_t *event) {
 }
 
 static isc_result_t
-client_create(ns_clientmgr_t *manager, ns_client_t **clientp)
-{
+get_clientmctx(ns_clientmgr_t *manager, isc_mem_t **mctxp) {
+	isc_mem_t *clientmctx;
+#if NMCTXS > 0
+	isc_result_t result;
+#endif
+
+	/*
+	 * Caller must be holding the manager lock.
+	 */
+#if NMCTXS > 0
+	INSIST(manager->nextmctx < NMCTXS);
+	clientmctx = manager->mctxpool[manager->nextmctx];
+	if (clientmctx == NULL) {
+		result = isc_mem_create(0, 0, &clientmctx);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+
+		manager->mctxpool[manager->nextmctx] = clientmctx;
+		manager->nextmctx++;
+		if (manager->nextmctx == NMCTXS)
+			manager->nextmctx = 0;
+	}
+#else
+	clientmctx = manager->mctx;
+#endif
+
+	isc_mem_attach(clientmctx, mctxp);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
 	ns_client_t *client;
 	isc_result_t result;
+	isc_mem_t *mctx = NULL;
 
 	/*
 	 * Caller must be holding the manager lock.
@@ -1618,9 +1866,16 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp)
 
 	REQUIRE(clientp != NULL && *clientp == NULL);
 
-	client = isc_mem_get(manager->mctx, sizeof(*client));
-	if (client == NULL)
+	result = get_clientmctx(manager, &mctx);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	client = isc_mem_get(mctx, sizeof(*client));
+	if (client == NULL) {
+		isc_mem_detach(&mctx);
 		return (ISC_R_NOMEMORY);
+	}
+	client->mctx = mctx;
 
 	client->task = NULL;
 	result = isc_task_create(manager->taskmgr, 0, &client->task);
@@ -1637,7 +1892,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp)
 	client->timerset = ISC_FALSE;
 
 	client->message = NULL;
-	result = dns_message_create(manager->mctx, DNS_MESSAGE_INTENTPARSE,
+	result = dns_message_create(client->mctx, DNS_MESSAGE_INTENTPARSE,
 				    &client->message);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup_timer;
@@ -1645,7 +1900,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp)
 	/* XXXRTH  Hardwired constants */
 
 	client->sendevent = (isc_socketevent_t *)
-			    isc_event_allocate(manager->mctx, client,
+			    isc_event_allocate(client->mctx, client,
 					       ISC_SOCKEVENT_SENDDONE,
 					       client_senddone, client,
 					       sizeof(isc_socketevent_t));
@@ -1654,14 +1909,14 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp)
 		goto cleanup_message;
 	}
 
-	client->recvbuf = isc_mem_get(manager->mctx, RECV_BUFFER_SIZE);
+	client->recvbuf = isc_mem_get(client->mctx, RECV_BUFFER_SIZE);
 	if  (client->recvbuf == NULL) {
 		result = ISC_R_NOMEMORY;
 		goto cleanup_sendevent;
 	}
 
 	client->recvevent = (isc_socketevent_t *)
-			    isc_event_allocate(manager->mctx, client,
+			    isc_event_allocate(client->mctx, client,
 					       ISC_SOCKEVENT_RECVDONE,
 					       client_request, client,
 					       sizeof(isc_socketevent_t));
@@ -1671,7 +1926,6 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp)
 	}
 
 	client->magic = NS_CLIENT_MAGIC;
-	client->mctx = manager->mctx;
 	client->manager = NULL;
 	client->state = NS_CLIENTSTATE_INACTIVE;
 	client->newstate = NS_CLIENTSTATE_MAX;
@@ -1693,6 +1947,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp)
 	client->opt = NULL;
 	client->udpsize = 512;
 	client->extflags = 0;
+	client->ednsversion = -1;
 	client->next = NULL;
 	client->shutdown = NULL;
 	client->shutdown_arg = NULL;
@@ -1741,7 +1996,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp)
 	isc_event_free((isc_event_t **)&client->recvevent);
 
  cleanup_recvbuf:
-	isc_mem_put(manager->mctx, client->recvbuf, RECV_BUFFER_SIZE);
+	isc_mem_put(client->mctx, client->recvbuf, RECV_BUFFER_SIZE);
 
  cleanup_sendevent:
 	isc_event_free((isc_event_t **)&client->sendevent);
@@ -1758,7 +2013,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp)
 	isc_task_detach(&client->task);
 
  cleanup_client:
-	isc_mem_put(manager->mctx, client, sizeof(*client));
+	isc_mem_putanddetach(&client->mctx, client, sizeof(*client));
 
 	return (result);
 }
@@ -1818,6 +2073,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
 	 */
 	if (nevent->result == ISC_R_SUCCESS) {
 		client->tcpsocket = nevent->newsocket;
+		isc_socket_setname(client->tcpsocket, "client-tcp", NULL);
 		client->state = NS_CLIENTSTATE_READING;
 		INSIST(client->recursionquota == NULL);
 
@@ -1830,7 +2086,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
 	} else {
 		/*
 		 * XXXRTH  What should we do?  We're trying to accept but
-		 *         it didn't work.  If we just give up, then TCP
+		 *	   it didn't work.  If we just give up, then TCP
 		 *	   service may eventually stop.
 		 *
 		 *	   For now, we just go idle.
@@ -1855,7 +2111,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
 
 		if (ns_g_server->blackholeacl != NULL &&
 		    dns_acl_match(&netaddr, NULL,
-			    	  ns_g_server->blackholeacl,
+				  ns_g_server->blackholeacl,
 				  &ns_g_server->aclenv,
 				  &match, NULL) == ISC_R_SUCCESS &&
 		    match > 0)
@@ -1911,7 +2167,7 @@ client_accept(ns_client_t *client) {
 				 isc_result_totext(result));
 		/*
 		 * XXXRTH  What should we do?  We're trying to accept but
-		 *         it didn't work.  If we just give up, then TCP
+		 *	   it didn't work.  If we just give up, then TCP
 		 *	   service may eventually stop.
 		 *
 		 *	   For now, we just go idle.
@@ -2011,12 +2267,23 @@ ns_client_replace(ns_client_t *client) {
 
 static void
 clientmgr_destroy(ns_clientmgr_t *manager) {
+#if NMCTXS > 0
+	int i;
+#endif
+
 	REQUIRE(ISC_LIST_EMPTY(manager->active));
 	REQUIRE(ISC_LIST_EMPTY(manager->inactive));
 	REQUIRE(ISC_LIST_EMPTY(manager->recursing));
 
 	MTRACE("clientmgr_destroy");
 
+#if NMCTXS > 0
+	for (i = 0; i < NMCTXS; i++) {
+		if (manager->mctxpool[i] != NULL)
+			isc_mem_detach(&manager->mctxpool[i]);
+	}
+#endif
+
 	DESTROYLOCK(&manager->lock);
 	manager->magic = 0;
 	isc_mem_put(manager->mctx, manager, sizeof(*manager));
@@ -2028,6 +2295,9 @@ ns_clientmgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
 {
 	ns_clientmgr_t *manager;
 	isc_result_t result;
+#if NMCTXS > 0
+	int i;
+#endif
 
 	manager = isc_mem_get(mctx, sizeof(*manager));
 	if (manager == NULL)
@@ -2044,6 +2314,11 @@ ns_clientmgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
 	ISC_LIST_INIT(manager->active);
 	ISC_LIST_INIT(manager->inactive);
 	ISC_LIST_INIT(manager->recursing);
+#if NMCTXS > 0
+	manager->nextmctx = 0;
+	for (i = 0; i < NMCTXS; i++)
+		manager->mctxpool[i] = NULL; /* will be created on-demand */
+#endif
 	manager->magic = MANAGER_MAGIC;
 
 	MTRACE("create");
@@ -2185,8 +2460,8 @@ ns_client_getsockaddr(ns_client_t *client) {
 }
 
 isc_result_t
-ns_client_checkaclsilent(ns_client_t *client, dns_acl_t *acl,
-			 isc_boolean_t default_allow)
+ns_client_checkaclsilent(ns_client_t *client, isc_sockaddr_t *sockaddr,
+			 dns_acl_t *acl, isc_boolean_t default_allow)
 {
 	isc_result_t result;
 	int match;
@@ -2199,11 +2474,16 @@ ns_client_checkaclsilent(ns_client_t *client, dns_acl_t *acl,
 			goto deny;
 	}
 
-	isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
-
+  
+	if (sockaddr == NULL)
+		isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
+	else
+		isc_netaddr_fromsockaddr(&netaddr, sockaddr);
+  
 	result = dns_acl_match(&netaddr, client->signer, acl,
 			       &ns_g_server->aclenv,
 			       &match, NULL);
+
 	if (result != ISC_R_SUCCESS)
 		goto deny; /* Internal error, already logged. */
 	if (match > 0)
@@ -2218,12 +2498,12 @@ ns_client_checkaclsilent(ns_client_t *client, dns_acl_t *acl,
 }
 
 isc_result_t
-ns_client_checkacl(ns_client_t *client,
+ns_client_checkacl(ns_client_t *client, isc_sockaddr_t *sockaddr,
 		   const char *opname, dns_acl_t *acl,
 		   isc_boolean_t default_allow, int log_level)
 {
 	isc_result_t result =
-		ns_client_checkaclsilent(client, acl, default_allow);
+		ns_client_checkaclsilent(client, sockaddr, acl, default_allow);
 
 	if (result == ISC_R_SUCCESS) 
 		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
@@ -2246,7 +2526,7 @@ ns_client_name(ns_client_t *client, char *peerbuf, size_t len) {
 
 void
 ns_client_logv(ns_client_t *client, isc_logcategory_t *category,
-	   isc_logmodule_t *module, int level, const char *fmt, va_list ap)
+	       isc_logmodule_t *module, int level, const char *fmt, va_list ap)
 {
 	char msgbuf[2048];
 	char peerbuf[ISC_SOCKADDR_FORMATSIZE];
@@ -2283,14 +2563,14 @@ void
 ns_client_aclmsg(const char *msg, dns_name_t *name, dns_rdatatype_t type,
 		 dns_rdataclass_t rdclass, char *buf, size_t len) 
 {
-        char namebuf[DNS_NAME_FORMATSIZE];
-        char typebuf[DNS_RDATATYPE_FORMATSIZE];
-        char classbuf[DNS_RDATACLASS_FORMATSIZE];
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char typebuf[DNS_RDATATYPE_FORMATSIZE];
+	char classbuf[DNS_RDATACLASS_FORMATSIZE];
 
-        dns_name_format(name, namebuf, sizeof(namebuf));
-        dns_rdatatype_format(type, typebuf, sizeof(typebuf));
-        dns_rdataclass_format(rdclass, classbuf, sizeof(classbuf));
-        (void)snprintf(buf, len, "%s '%s/%s/%s'", msg, namebuf, typebuf,
+	dns_name_format(name, namebuf, sizeof(namebuf));
+	dns_rdatatype_format(type, typebuf, sizeof(typebuf));
+	dns_rdataclass_format(rdclass, classbuf, sizeof(classbuf));
+	(void)snprintf(buf, len, "%s '%s/%s/%s'", msg, namebuf, typebuf,
 		       classbuf);
 }
 
@@ -2318,7 +2598,7 @@ ns_client_dumpmessage(ns_client_t *client, const char *reason) {
 			isc_mem_put(client->mctx, buf, len);
 			len += 1024;
 		} else if (result == ISC_R_SUCCESS)
-		        ns_client_log(client, NS_LOGCATEGORY_UNMATCHED,
+			ns_client_log(client, NS_LOGCATEGORY_UNMATCHED,
 				      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(1),
 				      "%s\n%.*s", reason,
 				       (int)isc_buffer_usedlength(&buffer),
@@ -2338,7 +2618,7 @@ ns_client_dumprecursing(FILE *f, ns_clientmgr_t *manager) {
 	const char *sep;
 
 	REQUIRE(VALID_MANAGER(manager));
-	      
+
 	LOCK(&manager->lock);
 	client = ISC_LIST_HEAD(manager->recursing);
 	while (client != NULL) {
@@ -2359,3 +2639,20 @@ ns_client_dumprecursing(FILE *f, ns_clientmgr_t *manager) {
 	}
 	UNLOCK(&manager->lock);
 }
+
+void
+ns_client_qnamereplace(ns_client_t *client, dns_name_t *name) {
+
+	if (client->manager != NULL)
+		LOCK(&client->manager->lock);
+	if (client->query.restarts > 0) {
+		/*
+		 * client->query.qname was dynamically allocated.
+		 */
+		dns_message_puttempname(client->message,
+					&client->query.qname);
+	}
+	client->query.qname = name;
+	if (client->manager != NULL)
+		UNLOCK(&client->manager->lock);
+}

bin/named/config.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.c,v 1.11.2.4.8.29 2004/10/05 02:52:26 marka Exp $ */
+/* $Id: config.c,v 1.77 2007/03/29 23:47:04 tbox Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -25,6 +27,7 @@
 #include <isc/buffer.h>
 #include <isc/log.h>
 #include <isc/mem.h>
+#include <isc/parseint.h>
 #include <isc/region.h>
 #include <isc/result.h>
 #include <isc/sockaddr.h>
@@ -42,6 +45,7 @@
 #include <named/config.h>
 #include <named/globals.h>
 
+/*% default configuration */
 static char defaultconf[] = "\
 options {\n\
 #	blackhole {none;};\n"
@@ -76,7 +80,7 @@ options {\n\
 #endif
 "\
 	recursive-clients 1000;\n\
-	rrset-order {order cyclic;};\n\
+	rrset-order {type NS order random; order cyclic; };\n\
 	serial-queries 20;\n\
 	serial-query-rate 20;\n\
 	server-id none;\n\
@@ -94,11 +98,15 @@ options {\n\
 	use-id-pool true;\n\
 	use-ixfr true;\n\
 	edns-udp-size 4096;\n\
+	max-udp-size 4096;\n\
 \n\
 	/* view */\n\
 	allow-notify {none;};\n\
 	allow-update-forwarding {none;};\n\
-	allow-recursion {any;};\n\
+	allow-query-cache { localnets; localhost; };\n\
+	allow-query-cache-on { any; };\n\
+	allow-recursion { localnets; localhost; };\n\
+	allow-recursion-on { any; };\n\
 #	allow-v6-synthesis <obsolete>;\n\
 #	sortlist <none>\n\
 #	topology <none>\n\
@@ -125,14 +133,25 @@ options {\n\
 	check-names master fail;\n\
 	check-names slave warn;\n\
 	check-names response ignore;\n\
-	dnssec-enable no; /* Make yes for 9.4. */ \n\
+	check-mx warn;\n\
+	acache-enable no;\n\
+	acache-cleaning-interval 60;\n\
+	max-acache-size 0;\n\
+	dnssec-enable yes;\n\
+	dnssec-validation no; /* Make yes for 9.5. */ \n\
+	dnssec-accept-expired no;\n\
+	clients-per-query 10;\n\
+	max-clients-per-query 100;\n\
+	zero-no-soa-ttl-cache no;\n\
 "
 
 "	/* zone */\n\
 	allow-query {any;};\n\
+	allow-query-on {any;};\n\
 	allow-transfer {any;};\n\
 	notify yes;\n\
 #	also-notify <none>\n\
+	notify-delay 5;\n\
 	dialup no;\n\
 #	forward <none>\n\
 #	forwarders <none>\n\
@@ -155,6 +174,14 @@ options {\n\
 	zone-statistics false;\n\
 	max-journal-size unlimited;\n\
 	ixfr-from-differences false;\n\
+	check-wildcard yes;\n\
+	check-sibling yes;\n\
+	check-integrity yes;\n\
+	check-mx-cname warn;\n\
+	check-srv-cname warn;\n\
+	zero-no-soa-ttl yes;\n\
+	update-check-ksk yes;\n\
+	try-tcp-refresh yes; /* BIND 8 compat */\n\
 };\n\
 "
 
@@ -196,7 +223,7 @@ ns_config_parsedefaults(cfg_parser_t *parser, cfg_obj_t **conf) {
 }
 
 isc_result_t
-ns_config_get(cfg_obj_t **maps, const char *name, cfg_obj_t **obj) {
+ns_config_get(const cfg_obj_t **maps, const char *name, const cfg_obj_t **obj) {
 	int i;
 
 	for (i = 0;; i++) {
@@ -208,11 +235,13 @@ ns_config_get(cfg_obj_t **maps, const char *name, cfg_obj_t **obj) {
 }
 
 isc_result_t
-ns_checknames_get(cfg_obj_t **maps, const char *which, cfg_obj_t **obj) {
-	cfg_listelt_t *element;
-	cfg_obj_t *checknames;
-	cfg_obj_t *type;
-	cfg_obj_t *value;
+ns_checknames_get(const cfg_obj_t **maps, const char *which,
+		  const cfg_obj_t **obj)
+{
+	const cfg_listelt_t *element;
+	const cfg_obj_t *checknames;
+	const cfg_obj_t *type;
+	const cfg_obj_t *value;
 	int i;
 
 	for (i = 0;; i++) {
@@ -243,8 +272,8 @@ ns_checknames_get(cfg_obj_t **maps, const char *which, cfg_obj_t **obj) {
 }
 
 int
-ns_config_listcount(cfg_obj_t *list) {
-	cfg_listelt_t *e;
+ns_config_listcount(const cfg_obj_t *list) {
+	const cfg_listelt_t *e;
 	int i = 0;
 
 	for (e = cfg_list_first(list); e != NULL; e = cfg_list_next(e))
@@ -254,9 +283,8 @@ ns_config_listcount(cfg_obj_t *list) {
 }
 
 isc_result_t
-ns_config_getclass(cfg_obj_t *classobj, dns_rdataclass_t defclass,
+ns_config_getclass(const cfg_obj_t *classobj, dns_rdataclass_t defclass,
 		   dns_rdataclass_t *classp) {
-	char *str;
 	isc_textregion_t r;
 	isc_result_t result;
 
@@ -264,20 +292,18 @@ ns_config_getclass(cfg_obj_t *classobj, dns_rdataclass_t defclass,
 		*classp = defclass;
 		return (ISC_R_SUCCESS);
 	}
-	str = cfg_obj_asstring(classobj);
-	r.base = str;
-	r.length = strlen(str);
+	DE_CONST(cfg_obj_asstring(classobj), r.base);
+	r.length = strlen(r.base);
 	result = dns_rdataclass_fromtext(classp, &r);
 	if (result != ISC_R_SUCCESS)
 		cfg_obj_log(classobj, ns_g_lctx, ISC_LOG_ERROR,
-			    "unknown class '%s'", str);
+			    "unknown class '%s'", r.base);
 	return (result);
 }
 
 isc_result_t
-ns_config_gettype(cfg_obj_t *typeobj, dns_rdatatype_t deftype,
+ns_config_gettype(const cfg_obj_t *typeobj, dns_rdatatype_t deftype,
 		   dns_rdatatype_t *typep) {
-	char *str;
 	isc_textregion_t r;
 	isc_result_t result;
 
@@ -285,20 +311,19 @@ ns_config_gettype(cfg_obj_t *typeobj, dns_rdatatype_t deftype,
 		*typep = deftype;
 		return (ISC_R_SUCCESS);
 	}
-	str = cfg_obj_asstring(typeobj);
-	r.base = str;
-	r.length = strlen(str);
+	DE_CONST(cfg_obj_asstring(typeobj), r.base);
+	r.length = strlen(r.base);
 	result = dns_rdatatype_fromtext(typep, &r);
 	if (result != ISC_R_SUCCESS)
 		cfg_obj_log(typeobj, ns_g_lctx, ISC_LOG_ERROR,
-			    "unknown type '%s'", str);
+			    "unknown type '%s'", r.base);
 	return (result);
 }
 
 dns_zonetype_t
-ns_config_getzonetype(cfg_obj_t *zonetypeobj) {
+ns_config_getzonetype(const cfg_obj_t *zonetypeobj) {
 	dns_zonetype_t ztype = dns_zone_none;
-	char *str;
+	const char *str;
 
 	str = cfg_obj_asstring(zonetypeobj);
 	if (strcasecmp(str, "master") == 0)
@@ -313,14 +338,14 @@ ns_config_getzonetype(cfg_obj_t *zonetypeobj) {
 }
 
 isc_result_t
-ns_config_getiplist(cfg_obj_t *config, cfg_obj_t *list,
+ns_config_getiplist(const cfg_obj_t *config, const cfg_obj_t *list,
 		    in_port_t defport, isc_mem_t *mctx,
 		    isc_sockaddr_t **addrsp, isc_uint32_t *countp)
 {
 	int count, i = 0;
-	cfg_obj_t *addrlist;
-	cfg_obj_t *portobj;
-	cfg_listelt_t *element;
+	const cfg_obj_t *addrlist;
+	const cfg_obj_t *portobj;
+	const cfg_listelt_t *element;
 	isc_sockaddr_t *addrs;
 	in_port_t port;
 	isc_result_t result;
@@ -380,10 +405,12 @@ ns_config_putiplist(isc_mem_t *mctx, isc_sockaddr_t **addrsp,
 }
 
 static isc_result_t
-get_masters_def(cfg_obj_t *cctx, char *name, cfg_obj_t **ret) {
+get_masters_def(const cfg_obj_t *cctx, const char *name,
+	        const cfg_obj_t **ret)
+{
 	isc_result_t result;
-	cfg_obj_t *masters = NULL;
-	cfg_listelt_t *elt;
+	const cfg_obj_t *masters = NULL;
+	const cfg_listelt_t *elt;
 
 	result = cfg_map_get(cctx, "masters", &masters);
 	if (result != ISC_R_SUCCESS)
@@ -391,7 +418,7 @@ get_masters_def(cfg_obj_t *cctx, char *name, cfg_obj_t **ret) {
 	for (elt = cfg_list_first(masters);
 	     elt != NULL;
 	     elt = cfg_list_next(elt)) {
-		cfg_obj_t *list;
+		const cfg_obj_t *list;
 		const char *listname;
 
 		list = cfg_listelt_value(elt);
@@ -406,24 +433,24 @@ get_masters_def(cfg_obj_t *cctx, char *name, cfg_obj_t **ret) {
 }
 
 isc_result_t
-ns_config_getipandkeylist(cfg_obj_t *config, cfg_obj_t *list, isc_mem_t *mctx,
-			  isc_sockaddr_t **addrsp, dns_name_t ***keysp,
-			  isc_uint32_t *countp)
+ns_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list,
+			  isc_mem_t *mctx, isc_sockaddr_t **addrsp,
+			  dns_name_t ***keysp, isc_uint32_t *countp)
 {
 	isc_uint32_t addrcount = 0, keycount = 0, i = 0;
 	isc_uint32_t listcount = 0, l = 0, j;
 	isc_uint32_t stackcount = 0, pushed = 0;
 	isc_result_t result;
-	cfg_listelt_t *element;
-	cfg_obj_t *addrlist;
-	cfg_obj_t *portobj;
+	const cfg_listelt_t *element;
+	const cfg_obj_t *addrlist;
+	const cfg_obj_t *portobj;
 	in_port_t port;
 	dns_fixedname_t fname;
 	isc_sockaddr_t *addrs = NULL;
 	dns_name_t **keys = NULL;
-	char **lists = NULL;
+	struct { const char *name; } *lists = NULL;
 	struct {
-		cfg_listelt_t *element;
+		const cfg_listelt_t *element;
 		in_port_t port;
 	} *stack = NULL;
 
@@ -439,13 +466,14 @@ ns_config_getipandkeylist(cfg_obj_t *config, cfg_obj_t *list, isc_mem_t *mctx,
 		if (val > ISC_UINT16_MAX) {
 			cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR,
 				    "port '%u' out of range", val);
-			return (ISC_R_RANGE);
+			result = ISC_R_RANGE;
+			goto cleanup;
 		}
 		port = (in_port_t) val;
 	} else {
 		result = ns_config_getport(config, &port);
 		if (result != ISC_R_SUCCESS)
-			return (result);
+			goto cleanup;
 	}
 
 	result = ISC_R_NOMEMORY;
@@ -456,9 +484,9 @@ ns_config_getipandkeylist(cfg_obj_t *config, cfg_obj_t *list, isc_mem_t *mctx,
 	     element != NULL;
 	     element = cfg_list_next(element))
 	{
-		cfg_obj_t *addr;
-		cfg_obj_t *key;
-		char *keystr;
+		const cfg_obj_t *addr;
+		const cfg_obj_t *key;
+		const char *keystr;
 		isc_buffer_t b;
 
 		addr = cfg_tuple_get(cfg_listelt_value(element),
@@ -466,7 +494,7 @@ ns_config_getipandkeylist(cfg_obj_t *config, cfg_obj_t *list, isc_mem_t *mctx,
 		key = cfg_tuple_get(cfg_listelt_value(element), "key");
 
 		if (!cfg_obj_issockaddr(addr)) {
-			char *listname = cfg_obj_asstring(addr);
+			const char *listname = cfg_obj_asstring(addr);
 			isc_result_t tresult;
 
 			/* Grow lists? */
@@ -489,7 +517,7 @@ ns_config_getipandkeylist(cfg_obj_t *config, cfg_obj_t *list, isc_mem_t *mctx,
 			}
 			/* Seen? */
 			for (j = 0; j < l; j++)
-				if (strcasecmp(lists[j], listname) == 0)
+				if (strcasecmp(lists[j].name, listname) == 0)
 					break;
 			if (j < l)
 				continue;
@@ -503,7 +531,7 @@ ns_config_getipandkeylist(cfg_obj_t *config, cfg_obj_t *list, isc_mem_t *mctx,
 			}
 			if (tresult != ISC_R_SUCCESS)
 				goto cleanup;
-			lists[l++] = listname;
+			lists[l++].name = listname;
 			/* Grow stack? */
 			if (stackcount == pushed) {
 				void * new;
@@ -606,9 +634,9 @@ ns_config_getipandkeylist(cfg_obj_t *config, cfg_obj_t *list, isc_mem_t *mctx,
 			if (new == NULL)
 				goto cleanup;
 			memcpy(new, addrs, newsize);
-			isc_mem_put(mctx, addrs, oldsize);
 		} else
 			new = NULL;
+		isc_mem_put(mctx, addrs, oldsize);
 		addrs = new;
 		addrcount = i;
 
@@ -619,9 +647,9 @@ ns_config_getipandkeylist(cfg_obj_t *config, cfg_obj_t *list, isc_mem_t *mctx,
 			if (new == NULL)
 				goto cleanup;
 			memcpy(new, keys,  newsize);
-			isc_mem_put(mctx, keys, oldsize);
 		} else
 			new = NULL;
+		isc_mem_put(mctx, keys, oldsize);
 		keys = new;
 		keycount = i;
 	}
@@ -682,10 +710,10 @@ ns_config_putipandkeylist(isc_mem_t *mctx, isc_sockaddr_t **addrsp,
 }
 
 isc_result_t
-ns_config_getport(cfg_obj_t *config, in_port_t *portp) {
-	cfg_obj_t *maps[3];
-	cfg_obj_t *options = NULL;
-	cfg_obj_t *portobj = NULL;
+ns_config_getport(const cfg_obj_t *config, in_port_t *portp) {
+	const cfg_obj_t *maps[3];
+	const cfg_obj_t *options = NULL;
+	const cfg_obj_t *portobj = NULL;
 	isc_result_t result;
 	int i;
 
@@ -708,16 +736,65 @@ ns_config_getport(cfg_obj_t *config, in_port_t *portp) {
 	return (ISC_R_SUCCESS);
 }
 
+struct keyalgorithms {
+	const char *str;
+	enum { hmacnone, hmacmd5, hmacsha1, hmacsha224,
+	       hmacsha256, hmacsha384, hmacsha512 } hmac;
+	isc_uint16_t size;
+} algorithms[] = {
+	{ "hmac-md5", hmacmd5, 128 },
+	{ "hmac-md5.sig-alg.reg.int", hmacmd5, 0 },
+	{ "hmac-md5.sig-alg.reg.int.", hmacmd5, 0 },
+	{ "hmac-sha1", hmacsha1, 160 },
+	{ "hmac-sha224", hmacsha224, 224 },
+	{ "hmac-sha256", hmacsha256, 256 },
+	{ "hmac-sha384", hmacsha384, 384 },
+	{ "hmac-sha512", hmacsha512, 512 },
+	{  NULL, hmacnone, 0 }
+};
+
 isc_result_t
-ns_config_getkeyalgorithm(const char *str, dns_name_t **name)
+ns_config_getkeyalgorithm(const char *str, dns_name_t **name,
+			  isc_uint16_t *digestbits)
 {
-	if (strcasecmp(str, "hmac-md5") == 0 ||
-	    strcasecmp(str, "hmac-md5.sig-alg.reg.int") == 0 ||
-	    strcasecmp(str, "hmac-md5.sig-alg.reg.int.") == 0)
-	{
-		if (name != NULL)
-			*name = dns_tsig_hmacmd5_name;
-		return (ISC_R_SUCCESS);
+	int i;
+	size_t len = 0;
+	isc_uint16_t bits;
+	isc_result_t result;
+
+	for (i = 0; algorithms[i].str != NULL; i++) {
+		len = strlen(algorithms[i].str);
+		if (strncasecmp(algorithms[i].str, str, len) == 0 &&
+		    (str[len] == '\0' ||
+		     (algorithms[i].size != 0 && str[len] == '-')))
+			break;
 	}
-	return (ISC_R_NOTFOUND);
+	if (algorithms[i].str == NULL)
+		return (ISC_R_NOTFOUND);
+	if (str[len] == '-') {
+		result = isc_parse_uint16(&bits, str + len + 1, 10);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		if (bits > algorithms[i].size)
+			return (ISC_R_RANGE);
+	} else if (algorithms[i].size == 0)
+		bits = 128;
+	else
+		bits = algorithms[i].size;
+
+	if (name != NULL) {
+		switch (algorithms[i].hmac) {
+		case hmacmd5: *name = dns_tsig_hmacmd5_name; break;
+		case hmacsha1: *name = dns_tsig_hmacsha1_name; break;
+		case hmacsha224: *name = dns_tsig_hmacsha224_name; break;
+		case hmacsha256: *name = dns_tsig_hmacsha256_name; break;
+		case hmacsha384: *name = dns_tsig_hmacsha384_name; break;
+		case hmacsha512: *name = dns_tsig_hmacsha512_name; break;
+		default:
+			INSIST(0);
+		}
+	}
+	if (digestbits != NULL)
+		*digestbits = bits;
+	return (ISC_R_SUCCESS);
 }

bin/named/control.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: control.c,v 1.7.2.2.2.11 2004/09/03 03:43:31 marka Exp $ */
+/* $Id: control.c,v 1.31 2007/02/26 23:46:54 tbox Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -37,6 +39,9 @@
 #include <named/log.h>
 #include <named/os.h>
 #include <named/server.h>
+#ifdef HAVE_LIBSCF
+#include <named/ns_smf_globals.h>
+#endif
 
 static isc_boolean_t
 command_compare(const char *text, const char *command) {
@@ -49,7 +54,7 @@ command_compare(const char *text, const char *command) {
 	return (ISC_FALSE);
 }
 
-/*
+/*%
  * This function is called to process the incoming command
  * when a control channel message is received.  
  */
@@ -58,6 +63,10 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
 	isccc_sexpr_t *data;
 	char *command;
 	isc_result_t result;
+	int log_level;
+#ifdef HAVE_LIBSCF
+	ns_smf_want_disable = 0;
+#endif
 
 	data = isccc_alist_lookup(message, "_data");
 	if (data == NULL) {
@@ -75,14 +84,20 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
 		return (result);
 	}
 
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-		      NS_LOGMODULE_CONTROL, ISC_LOG_DEBUG(1),
-		      "received control channel command '%s'",
-		      command);
-
 	/*
 	 * Compare the 'command' parameter against all known control commands.
 	 */
+	if (command_compare(command, NS_COMMAND_NULL) ||
+	    command_compare(command, NS_COMMAND_STATUS)) {
+		log_level = ISC_LOG_DEBUG(1);
+	} else {
+		log_level = ISC_LOG_INFO;
+	}
+	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+		      NS_LOGMODULE_CONTROL, log_level,
+		      "received control channel command '%s'",
+		      command);
+
 	if (command_compare(command, NS_COMMAND_RELOAD)) {
 		result = ns_server_reloadcommand(ns_g_server, command, text);
 	} else if (command_compare(command, NS_COMMAND_RECONFIG)) {
@@ -92,11 +107,41 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
 	} else if (command_compare(command, NS_COMMAND_RETRANSFER)) {
 		result = ns_server_retransfercommand(ns_g_server, command);
 	} else if (command_compare(command, NS_COMMAND_HALT)) {
+#ifdef HAVE_LIBSCF
+		/*
+		 * If we are managed by smf(5), AND in chroot, then
+		 * we cannot connect to the smf repository, so just
+		 * return with an appropriate message back to rndc.
+		 */
+		if (ns_smf_got_instance == 1 && ns_smf_chroot == 1) {
+			result = ns_smf_add_message(text);
+			return (result);
+		}
+		/*
+		 * If we are managed by smf(5) but not in chroot,
+		 * try to disable ourselves the smf way.
+		 */
+		if (ns_smf_got_instance == 1 && ns_smf_chroot == 0)
+			ns_smf_want_disable = 1;
+		/*
+		 * If ns_smf_got_instance = 0, ns_smf_chroot
+		 * is not relevant and we fall through to
+		 * isc_app_shutdown below.
+		 */
+#endif
 		ns_server_flushonshutdown(ns_g_server, ISC_FALSE);
 		ns_os_shutdownmsg(command, text);
 		isc_app_shutdown();
 		result = ISC_R_SUCCESS;
 	} else if (command_compare(command, NS_COMMAND_STOP)) {
+#ifdef HAVE_LIBSCF
+		if (ns_smf_got_instance == 1 && ns_smf_chroot == 1) {
+			result = ns_smf_add_message(text);
+			return (result);
+		}
+		if (ns_smf_got_instance == 1 && ns_smf_chroot == 0)
+			ns_smf_want_disable = 1;
+#endif
 		ns_server_flushonshutdown(ns_g_server, ISC_TRUE);
 		ns_os_shutdownmsg(command, text);
 		isc_app_shutdown();
@@ -120,6 +165,10 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
 		result = ns_server_flushname(ns_g_server, command);
 	} else if (command_compare(command, NS_COMMAND_STATUS)) {
 		result = ns_server_status(ns_g_server, text);
+	} else if (command_compare(command, NS_COMMAND_TSIGLIST)) {
+		result = ns_server_tsiglist(ns_g_server, text);
+	} else if (command_compare(command, NS_COMMAND_TSIGDELETE)) {
+		result = ns_server_tsigdelete(ns_g_server, command, text);
 	} else if (command_compare(command, NS_COMMAND_FREEZE)) {
 		result = ns_server_freeze(ns_g_server, ISC_TRUE, command);
 	} else if (command_compare(command, NS_COMMAND_UNFREEZE) ||
@@ -127,8 +176,15 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
 		result = ns_server_freeze(ns_g_server, ISC_FALSE, command);
 	} else if (command_compare(command, NS_COMMAND_RECURSING)) {
 		result = ns_server_dumprecursing(ns_g_server);
+	} else if (command_compare(command, NS_COMMAND_TIMERPOKE)) {
+		result = ISC_R_SUCCESS;
+		isc_timermgr_poke(ns_g_timermgr);
 	} else if (command_compare(command, NS_COMMAND_NULL)) {
 		result = ISC_R_SUCCESS;
+	} else if (command_compare(command, NS_COMMAND_NOTIFY)) {
+		result = ns_server_notifycommand(ns_g_server, command, text);
+	} else if (command_compare(command, NS_COMMAND_VALIDATION)) {
+		result = ns_server_validation(ns_g_server, command);
 	} else {
 		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 			      NS_LOGMODULE_CONTROL, ISC_LOG_WARNING,

bin/named/controlconf.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: controlconf.c,v 1.28.2.9.2.6 2004/03/08 09:04:14 marka Exp $ */
+/* $Id: controlconf.c,v 1.53 2007/02/14 00:27:26 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -96,6 +98,10 @@ struct controllistener {
 	isc_boolean_t			exiting;
 	controlkeylist_t		keys;
 	controlconnectionlist_t		connections;
+	isc_sockettype_t		type;
+	isc_uint32_t			perm;
+	isc_uint32_t			owner;
+	isc_uint32_t			group;
 	ISC_LINK(controllistener_t)	link;
 };
 
@@ -191,6 +197,8 @@ shutdown_listener(controllistener_t *listener) {
 		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 			      NS_LOGMODULE_CONTROL, ISC_LOG_NOTICE,
 			      "stopping command channel on %s", socktext);
+		if (listener->type == isc_sockettype_unix)
+			isc_socket_cleanunix(&listener->address, ISC_TRUE);
 		listener->exiting = ISC_TRUE;
 	}
 
@@ -356,6 +364,9 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
 	{
 		ccregion.rstart = isc_buffer_base(&conn->ccmsg.buffer);
 		ccregion.rend = isc_buffer_used(&conn->ccmsg.buffer);
+		if (secret.rstart != NULL)
+			isc_mem_put(listener->mctx, secret.rstart,
+				    REGION_SIZE(secret));
 		secret.rstart = isc_mem_get(listener->mctx, key->secret.length);
 		if (secret.rstart == NULL)
 			goto cleanup;
@@ -371,8 +382,6 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
 			 */
 			if (request != NULL)
 				isccc_sexpr_free(&request);
-			isc_mem_put(listener->mctx, secret.rstart,
-				    REGION_SIZE(secret));
 		} else {
 			log_invalid(&conn->ccmsg, result);
 			goto cleanup;
@@ -594,8 +603,10 @@ control_newconn(isc_task_t *task, isc_event_t *event) {
 	}
 
 	sock = nevent->newsocket;
+	isc_socket_setname(sock, "control", NULL);
 	(void)isc_socket_getpeername(sock, &peeraddr);
-	if (!address_ok(&peeraddr, listener->acl)) {
+	if (listener->type == isc_sockettype_tcp &&
+	    !address_ok(&peeraddr, listener->acl)) {
 		char socktext[ISC_SOCKADDR_FORMATSIZE];
 		isc_sockaddr_format(&peeraddr, socktext, sizeof(socktext));
 		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
@@ -649,10 +660,12 @@ ns_controls_shutdown(ns_controls_t *controls) {
 }
 
 static isc_result_t
-cfgkeylist_find(cfg_obj_t *keylist, const char *keyname, cfg_obj_t **objp) {
-	cfg_listelt_t *element;
+cfgkeylist_find(const cfg_obj_t *keylist, const char *keyname,
+	        const cfg_obj_t **objp)
+{
+	const cfg_listelt_t *element;
 	const char *str;
-	cfg_obj_t *obj;
+	const cfg_obj_t *obj;
 
 	for (element = cfg_list_first(keylist);
 	     element != NULL;
@@ -671,14 +684,14 @@ cfgkeylist_find(cfg_obj_t *keylist, const char *keyname, cfg_obj_t **objp) {
 }
 
 static isc_result_t
-controlkeylist_fromcfg(cfg_obj_t *keylist, isc_mem_t *mctx,
+controlkeylist_fromcfg(const cfg_obj_t *keylist, isc_mem_t *mctx,
 		       controlkeylist_t *keyids)
 {
-	cfg_listelt_t *element;
+	const cfg_listelt_t *element;
 	char *newstr = NULL;
 	const char *str;
-	cfg_obj_t *obj;
-	controlkey_t *key = NULL;
+	const cfg_obj_t *obj;
+	controlkey_t *key;
 
 	for (element = cfg_list_first(keylist);
 	     element != NULL;
@@ -697,7 +710,6 @@ controlkeylist_fromcfg(cfg_obj_t *keylist, isc_mem_t *mctx,
 		key->secret.length = 0;
 		ISC_LINK_INIT(key, link);
 		ISC_LIST_APPEND(*keyids, key, link);
-		key = NULL;
 		newstr = NULL;
 	}
 	return (ISC_R_SUCCESS);
@@ -705,18 +717,16 @@ controlkeylist_fromcfg(cfg_obj_t *keylist, isc_mem_t *mctx,
  cleanup:
 	if (newstr != NULL)
 		isc_mem_free(mctx, newstr);
-	if (key != NULL)
-		isc_mem_put(mctx, key, sizeof(*key));
 	free_controlkeylist(keyids, mctx);
 	return (ISC_R_NOMEMORY);
 }
 
 static void
-register_keys(cfg_obj_t *control, cfg_obj_t *keylist,
+register_keys(const cfg_obj_t *control, const cfg_obj_t *keylist,
 	      controlkeylist_t *keyids, isc_mem_t *mctx, const char *socktext)
 {
 	controlkey_t *keyid, *next;
-	cfg_obj_t *keydef;
+	const cfg_obj_t *keydef;
 	char secret[1024];
 	isc_buffer_t b;
 	isc_result_t result;
@@ -736,10 +746,10 @@ register_keys(cfg_obj_t *control, cfg_obj_t *keylist,
 			ISC_LIST_UNLINK(*keyids, keyid, link);
 			free_controlkey(keyid, mctx);
 		} else {
-			cfg_obj_t *algobj = NULL;
-			cfg_obj_t *secretobj = NULL;
-			char *algstr = NULL;
-			char *secretstr = NULL;
+			const cfg_obj_t *algobj = NULL;
+			const cfg_obj_t *secretobj = NULL;
+			const char *algstr = NULL;
+			const char *secretstr = NULL;
 
 			(void)cfg_map_get(keydef, "algorithm", &algobj);
 			(void)cfg_map_get(keydef, "secret", &secretobj);
@@ -748,7 +758,7 @@ register_keys(cfg_obj_t *control, cfg_obj_t *keylist,
 			algstr = cfg_obj_asstring(algobj);
 			secretstr = cfg_obj_asstring(secretobj);
 
-			if (ns_config_getkeyalgorithm(algstr, NULL) !=
+			if (ns_config_getkeyalgorithm(algstr, NULL, NULL) !=
 			    ISC_R_SUCCESS)
 			{
 				cfg_obj_log(control, ns_g_lctx,
@@ -805,11 +815,11 @@ get_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) {
 	isc_result_t result;
 	cfg_parser_t *pctx = NULL;
 	cfg_obj_t *config = NULL;
-	cfg_obj_t *key = NULL;
-	cfg_obj_t *algobj = NULL;
-	cfg_obj_t *secretobj = NULL;
-	char *algstr = NULL;
-	char *secretstr = NULL;
+	const cfg_obj_t *key = NULL;
+	const cfg_obj_t *algobj = NULL;
+	const cfg_obj_t *secretobj = NULL;
+	const char *algstr = NULL;
+	const char *secretstr = NULL;
 	controlkey_t *keyid = NULL;
 	char secret[1024];
 	isc_buffer_t b;
@@ -838,7 +848,7 @@ get_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) {
 	algstr = cfg_obj_asstring(algobj);
 	secretstr = cfg_obj_asstring(secretobj);
 
-	if (ns_config_getkeyalgorithm(algstr, NULL) != ISC_R_SUCCESS) {
+	if (ns_config_getkeyalgorithm(algstr, NULL, NULL) != ISC_R_SUCCESS) {
 		cfg_obj_log(key, ns_g_lctx,
 			    ISC_LOG_WARNING,
 			    "unsupported algorithm '%s' in "
@@ -888,12 +898,13 @@ get_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) {
  * valid or both are NULL.
  */
 static void
-get_key_info(cfg_obj_t *config, cfg_obj_t *control,
-	     cfg_obj_t **global_keylistp, cfg_obj_t **control_keylistp)
+get_key_info(const cfg_obj_t *config, const cfg_obj_t *control,
+	     const cfg_obj_t **global_keylistp,
+	     const cfg_obj_t **control_keylistp)
 {
 	isc_result_t result;
-	cfg_obj_t *control_keylist = NULL;
-	cfg_obj_t *global_keylist = NULL;
+	const cfg_obj_t *control_keylist = NULL;
+	const cfg_obj_t *global_keylist = NULL;
 
 	REQUIRE(global_keylistp != NULL && *global_keylistp == NULL);
 	REQUIRE(control_keylistp != NULL && *control_keylistp == NULL);
@@ -912,15 +923,15 @@ get_key_info(cfg_obj_t *config, cfg_obj_t *control,
 }
 
 static void
-update_listener(ns_controls_t *cp,
-		controllistener_t **listenerp, cfg_obj_t *control,
-		cfg_obj_t *config, isc_sockaddr_t *addr,
-		ns_aclconfctx_t *aclconfctx, const char *socktext)
+update_listener(ns_controls_t *cp, controllistener_t **listenerp,
+		const cfg_obj_t *control, const cfg_obj_t *config,
+		isc_sockaddr_t *addr, cfg_aclconfctx_t *aclconfctx,
+	        const char *socktext, isc_sockettype_t type)
 {
 	controllistener_t *listener;
-	cfg_obj_t *allow;
-	cfg_obj_t *global_keylist = NULL;
-	cfg_obj_t *control_keylist = NULL;
+	const cfg_obj_t *allow;
+	const cfg_obj_t *global_keylist = NULL;
+	const cfg_obj_t *control_keylist = NULL;
 	dns_acl_t *new_acl = NULL;
 	controlkeylist_t keys;
 	isc_result_t result = ISC_R_SUCCESS;
@@ -977,26 +988,34 @@ update_listener(ns_controls_t *cp,
 		result = get_rndckey(listener->mctx, &listener->keys);
 	}
 
-	if (result != ISC_R_SUCCESS && global_keylist != NULL)
+	if (result != ISC_R_SUCCESS && global_keylist != NULL) {
 		/*
 		 * This message might be a little misleading since the
 		 * "new keys" might in fact be identical to the old ones,
 		 * but tracking whether they are identical just for the
 		 * sake of avoiding this message would be too much trouble.
 		 */
-		cfg_obj_log(control, ns_g_lctx, ISC_LOG_WARNING,
-			    "couldn't install new keys for "
-			    "command channel %s: %s",
-			    socktext, isc_result_totext(result));
-
+		if (control != NULL)
+			cfg_obj_log(control, ns_g_lctx, ISC_LOG_WARNING,
+				    "couldn't install new keys for "
+				    "command channel %s: %s",
+				    socktext, isc_result_totext(result));
+		else
+			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+				      NS_LOGMODULE_CONTROL, ISC_LOG_WARNING,
+				      "couldn't install new keys for "
+				      "command channel %s: %s",
+				      socktext, isc_result_totext(result));
+	}
 
 	/*
 	 * Now, keep the old access list unless a new one can be made.
 	 */
-	if (control != NULL) {
+	if (control != NULL && type == isc_sockettype_tcp) {
 		allow = cfg_tuple_get(control, "allow");
-		result = ns_acl_fromconfig(allow, config, aclconfctx,
-					   listener->mctx, &new_acl);
+		result = cfg_acl_fromconfig(allow, config, ns_g_lctx,
+					    aclconfctx, listener->mctx,
+					    &new_acl);
 	} else {
 		result = dns_acl_any(listener->mctx, &new_acl);
 	}
@@ -1005,26 +1024,53 @@ update_listener(ns_controls_t *cp,
 		dns_acl_detach(&listener->acl);
 		dns_acl_attach(new_acl, &listener->acl);
 		dns_acl_detach(&new_acl);
-	} else
 		/* XXXDCL say the old acl is still used? */
+	} else if (control != NULL)
 		cfg_obj_log(control, ns_g_lctx, ISC_LOG_WARNING,
 			    "couldn't install new acl for "
 			    "command channel %s: %s",
 			    socktext, isc_result_totext(result));
+	else
+		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+			      NS_LOGMODULE_CONTROL, ISC_LOG_WARNING,
+			      "couldn't install new acl for "
+			      "command channel %s: %s",
+			      socktext, isc_result_totext(result));
+
+	if (result == ISC_R_SUCCESS && type == isc_sockettype_unix) {
+		isc_uint32_t perm, owner, group;
+		perm  = cfg_obj_asuint32(cfg_tuple_get(control, "perm"));
+		owner = cfg_obj_asuint32(cfg_tuple_get(control, "owner"));
+		group = cfg_obj_asuint32(cfg_tuple_get(control, "group"));
+		result = ISC_R_SUCCESS;
+		if (listener->perm != perm || listener->owner != owner ||
+		    listener->group != group)
+			result = isc_socket_permunix(&listener->address, perm,
+						     owner, group);
+		if (result == ISC_R_SUCCESS) {
+			listener->perm = perm;
+			listener->owner = owner;
+			listener->group = group;
+		} else if (control != NULL)
+			cfg_obj_log(control, ns_g_lctx, ISC_LOG_WARNING,
+				    "couldn't update ownership/permission for "
+				    "command channel %s", socktext);
+	}
 
 	*listenerp = listener;
 }
 
 static void
 add_listener(ns_controls_t *cp, controllistener_t **listenerp,
-	     cfg_obj_t *control, cfg_obj_t *config, isc_sockaddr_t *addr,
-	     ns_aclconfctx_t *aclconfctx, const char *socktext)
+	     const cfg_obj_t *control, const cfg_obj_t *config,
+	     isc_sockaddr_t *addr, cfg_aclconfctx_t *aclconfctx,
+	     const char *socktext, isc_sockettype_t type)
 {
 	isc_mem_t *mctx = cp->server->mctx;
 	controllistener_t *listener;
-	cfg_obj_t *allow;
-	cfg_obj_t *global_keylist = NULL;
-	cfg_obj_t *control_keylist = NULL;
+	const cfg_obj_t *allow;
+	const cfg_obj_t *global_keylist = NULL;
+	const cfg_obj_t *control_keylist = NULL;
 	dns_acl_t *new_acl = NULL;
 	isc_result_t result = ISC_R_SUCCESS;
 
@@ -1041,6 +1087,10 @@ add_listener(ns_controls_t *cp, controllistener_t **listenerp,
 		listener->listening = ISC_FALSE;
 		listener->exiting = ISC_FALSE;
 		listener->acl = NULL;
+		listener->type = type;
+		listener->perm = 0;
+		listener->owner = 0;
+		listener->group = 0;
 		ISC_LINK_INIT(listener, link);
 		ISC_LIST_INIT(listener->keys);
 		ISC_LIST_INIT(listener->connections);
@@ -1048,10 +1098,10 @@ add_listener(ns_controls_t *cp, controllistener_t **listenerp,
 		/*
 		 * Make the acl.
 		 */
-		if (control != NULL) {
+		if (control != NULL && type == isc_sockettype_tcp) {
 			allow = cfg_tuple_get(control, "allow");
-			result = ns_acl_fromconfig(allow, config, aclconfctx,
-						   mctx, &new_acl);
+			result = cfg_acl_fromconfig(allow, config, ns_g_lctx,
+						    aclconfctx, mctx, &new_acl);
 		} else {
 			result = dns_acl_any(mctx, &new_acl);
 		}
@@ -1086,20 +1136,37 @@ add_listener(ns_controls_t *cp, controllistener_t **listenerp,
 	if (result == ISC_R_SUCCESS) {
 		int pf = isc_sockaddr_pf(&listener->address);
 		if ((pf == AF_INET && isc_net_probeipv4() != ISC_R_SUCCESS) ||
+#ifdef ISC_PLATFORM_HAVESYSUNH
+		    (pf == AF_UNIX && isc_net_probeunix() != ISC_R_SUCCESS) ||
+#endif
 		    (pf == AF_INET6 && isc_net_probeipv6() != ISC_R_SUCCESS))
 			result = ISC_R_FAMILYNOSUPPORT;
 	}
 
+	if (result == ISC_R_SUCCESS && type == isc_sockettype_unix)
+		isc_socket_cleanunix(&listener->address, ISC_FALSE);
+
 	if (result == ISC_R_SUCCESS)
 		result = isc_socket_create(ns_g_socketmgr,
 					   isc_sockaddr_pf(&listener->address),
-					   isc_sockettype_tcp,
-					   &listener->sock);
+					   type, &listener->sock);
+	if (result == ISC_R_SUCCESS)
+		isc_socket_setname(listener->sock, "control", NULL);
 
 	if (result == ISC_R_SUCCESS)
 		result = isc_socket_bind(listener->sock,
 					 &listener->address);
 
+	if (result == ISC_R_SUCCESS && type == isc_sockettype_unix) {
+		listener->perm = cfg_obj_asuint32(cfg_tuple_get(control,
+								"perm"));
+		listener->owner = cfg_obj_asuint32(cfg_tuple_get(control,
+								 "owner"));
+		listener->group = cfg_obj_asuint32(cfg_tuple_get(control,
+								 "group"));
+		result = isc_socket_permunix(&listener->address, listener->perm,
+					     listener->owner, listener->group);
+	}
 	if (result == ISC_R_SUCCESS)
 		result = control_listen(listener);
 
@@ -1135,13 +1202,13 @@ add_listener(ns_controls_t *cp, controllistener_t **listenerp,
 }
 
 isc_result_t
-ns_controls_configure(ns_controls_t *cp, cfg_obj_t *config,
-		      ns_aclconfctx_t *aclconfctx)
+ns_controls_configure(ns_controls_t *cp, const cfg_obj_t *config,
+		      cfg_aclconfctx_t *aclconfctx)
 {
 	controllistener_t *listener;
 	controllistenerlist_t new_listeners;
-	cfg_obj_t *controlslist = NULL;
-	cfg_listelt_t *element, *element2;
+	const cfg_obj_t *controlslist = NULL;
+	const cfg_listelt_t *element, *element2;
 	char socktext[ISC_SOCKADDR_FORMATSIZE];
 
 	ISC_LIST_INIT(new_listeners);
@@ -1163,8 +1230,8 @@ ns_controls_configure(ns_controls_t *cp, cfg_obj_t *config,
 		for (element = cfg_list_first(controlslist);
 		     element != NULL;
 		     element = cfg_list_next(element)) {
-			cfg_obj_t *controls;
-			cfg_obj_t *inetcontrols = NULL;
+			const cfg_obj_t *controls;
+			const cfg_obj_t *inetcontrols = NULL;
 
 			controls = cfg_listelt_value(element);
 			(void)cfg_map_get(controls, "inet", &inetcontrols);
@@ -1174,27 +1241,24 @@ ns_controls_configure(ns_controls_t *cp, cfg_obj_t *config,
 			for (element2 = cfg_list_first(inetcontrols);
 			     element2 != NULL;
 			     element2 = cfg_list_next(element2)) {
-				cfg_obj_t *control;
-				cfg_obj_t *obj;
-				isc_sockaddr_t *addr;
+				const cfg_obj_t *control;
+				const cfg_obj_t *obj;
+				isc_sockaddr_t addr;
 
 				/*
 				 * The parser handles BIND 8 configuration file
 				 * syntax, so it allows unix phrases as well
 				 * inet phrases with no keys{} clause.
-				 *
-				 * "unix" phrases have been reported as
-				 * unsupported by the parser.
 				 */
 				control = cfg_listelt_value(element2);
 
 				obj = cfg_tuple_get(control, "address");
-				addr = cfg_obj_assockaddr(obj);
-				if (isc_sockaddr_getport(addr) == 0)
-					isc_sockaddr_setport(addr,
+				addr = *cfg_obj_assockaddr(obj);
+				if (isc_sockaddr_getport(&addr) == 0)
+					isc_sockaddr_setport(&addr,
 							     NS_CONTROL_PORT);
 
-				isc_sockaddr_format(addr, socktext,
+				isc_sockaddr_format(&addr, socktext,
 						    sizeof(socktext));
 
 				isc_log_write(ns_g_lctx,
@@ -1205,7 +1269,8 @@ ns_controls_configure(ns_controls_t *cp, cfg_obj_t *config,
 					      socktext);
 
 				update_listener(cp, &listener, control, config,
-						addr, aclconfctx, socktext);
+						&addr, aclconfctx, socktext,
+						isc_sockettype_tcp);
 
 				if (listener != NULL)
 					/*
@@ -1219,8 +1284,82 @@ ns_controls_configure(ns_controls_t *cp, cfg_obj_t *config,
 					 * This is a new listener.
 					 */
 					add_listener(cp, &listener, control,
-						     config, addr, aclconfctx,
-						     socktext);
+						     config, &addr, aclconfctx,
+						     socktext,
+						     isc_sockettype_tcp);
+
+				if (listener != NULL)
+					ISC_LIST_APPEND(new_listeners,
+							listener, link);
+			}
+		}
+		for (element = cfg_list_first(controlslist);
+		     element != NULL;
+		     element = cfg_list_next(element)) {
+			const cfg_obj_t *controls;
+			const cfg_obj_t *unixcontrols = NULL;
+
+			controls = cfg_listelt_value(element);
+			(void)cfg_map_get(controls, "unix", &unixcontrols);
+			if (unixcontrols == NULL)
+				continue;
+
+			for (element2 = cfg_list_first(unixcontrols);
+			     element2 != NULL;
+			     element2 = cfg_list_next(element2)) {
+				const cfg_obj_t *control;
+				const cfg_obj_t *path;
+				isc_sockaddr_t addr;
+				isc_result_t result;
+
+				/*
+				 * The parser handles BIND 8 configuration file
+				 * syntax, so it allows unix phrases as well
+				 * inet phrases with no keys{} clause.
+				 */
+				control = cfg_listelt_value(element2);
+
+				path = cfg_tuple_get(control, "path");
+				result = isc_sockaddr_frompath(&addr,
+						      cfg_obj_asstring(path));
+				if (result != ISC_R_SUCCESS) {
+					isc_log_write(ns_g_lctx,
+					      NS_LOGCATEGORY_GENERAL,
+					      NS_LOGMODULE_CONTROL,
+					      ISC_LOG_DEBUG(9),
+					      "control channel '%s': %s",
+					      cfg_obj_asstring(path),
+					      isc_result_totext(result));
+					continue;
+				}
+
+				isc_log_write(ns_g_lctx,
+					      NS_LOGCATEGORY_GENERAL,
+					      NS_LOGMODULE_CONTROL,
+					      ISC_LOG_DEBUG(9),
+					      "processing control channel '%s'",
+					      cfg_obj_asstring(path));
+
+				update_listener(cp, &listener, control, config,
+						&addr, aclconfctx,
+					        cfg_obj_asstring(path),
+						isc_sockettype_unix);
+
+				if (listener != NULL)
+					/*
+					 * Remove the listener from the old
+					 * list, so it won't be shut down.
+					 */
+					ISC_LIST_UNLINK(cp->listeners,
+							listener, link);
+				else
+					/*
+					 * This is a new listener.
+					 */
+					add_listener(cp, &listener, control,
+						     config, &addr, aclconfctx,
+						     cfg_obj_asstring(path),
+						     isc_sockettype_unix);
 
 				if (listener != NULL)
 					ISC_LIST_APPEND(new_listeners,
@@ -1251,7 +1390,8 @@ ns_controls_configure(ns_controls_t *cp, cfg_obj_t *config,
 			isc_sockaddr_format(&addr, socktext, sizeof(socktext));
 			
 			update_listener(cp, &listener, NULL, NULL,
-					&addr, NULL, socktext);
+					&addr, NULL, socktext,
+				        isc_sockettype_tcp);
 
 			if (listener != NULL)
 				/*
@@ -1265,7 +1405,8 @@ ns_controls_configure(ns_controls_t *cp, cfg_obj_t *config,
 				 * This is a new listener.
 				 */
 				add_listener(cp, &listener, NULL, NULL,
-					     &addr, NULL, socktext);
+					     &addr, NULL, socktext,
+					     isc_sockettype_tcp);
 
 			if (listener != NULL)
 				ISC_LIST_APPEND(new_listeners,

bin/named/convertxsl.pl

@@ -0,0 +1,36 @@
+#!/usr/bin/env perl
+#
+# Copyright (C) 2006  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: convertxsl.pl,v 1.6 2006/12/22 01:59:43 marka Exp $
+
+use strict;
+use warnings;
+
+print 'static char msg[] = "';
+
+my $lines = '';
+
+while (<>) {
+    chomp;
+    $lines .= $_;
+}
+
+$lines =~ s/[\ \t]+/ /g;
+$lines =~ s/\>\ \</\>\</g;
+$lines =~ s/\"/\\\"/g;
+print $lines;
+
+print '\\n";', "\n";

bin/named/include/named/builtin.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: builtin.h,v 1.1.204.3 2004/03/08 04:04:20 marka Exp $ */
+/* $Id: builtin.h,v 1.4 2005/04/29 00:22:29 marka Exp $ */
 
 #ifndef NAMED_BUILTIN_H
 #define NAMED_BUILTIN_H 1
 
+/*! \file */
+
 #include <isc/types.h>
 
 isc_result_t ns_builtin_init(void);

bin/named/include/named/client.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: client.h,v 1.60.2.2.10.8 2004/07/23 02:56:52 marka Exp $ */
+/* $Id: client.h,v 1.81 2007/03/29 23:47:04 tbox Exp $ */
 
 #ifndef NAMED_CLIENT_H
 #define NAMED_CLIENT_H 1
@@ -24,9 +24,8 @@
  ***** Module Info
  *****/
 
-/*
- * Client
- *
+/*! \file 
+ * \brief
  * This module defines two objects, ns_client_t and ns_clientmgr_t.
  *
  * An ns_client_t object handles incoming DNS requests from clients
@@ -44,12 +43,12 @@
  * fully handled (which can be much later), the ns_client_t must be
  * notified of this by calling one of the following functions
  * exactly once in the context of its task:
- *
+ * \code
  *   ns_client_send()	(sending a non-error response)
  *   ns_client_sendraw() (sending a raw response)
  *   ns_client_error()	(sending an error response)
  *   ns_client_next()	(sending no response)
- *
+ *\endcode
  * This will release any resources used by the request and
  * and allow the ns_client_t to listen for the next request.
  *
@@ -84,6 +83,7 @@
 
 typedef ISC_LIST(ns_client_t) client_list_t;
 
+/*% nameserver client structure */
 struct ns_client {
 	unsigned int		magic;
 	isc_mem_t *		mctx;
@@ -116,15 +116,16 @@ struct ns_client {
 	dns_rdataset_t *	opt;
 	isc_uint16_t		udpsize;
 	isc_uint16_t		extflags;
+	isc_int16_t		ednsversion;	/* -1 noedns */
 	void			(*next)(ns_client_t *);
 	void			(*shutdown)(void *arg, isc_result_t result);
 	void 			*shutdown_arg;
 	ns_query_t		query;
 	isc_stdtime_t		requesttime;
 	isc_stdtime_t		now;
-	dns_name_t		signername;   /* [T]SIG key name */
-	dns_name_t *		signer;	      /* NULL if not valid sig */
-	isc_boolean_t		mortal;	      /* Die after handling request */
+	dns_name_t		signername;   /*%< [T]SIG key name */
+	dns_name_t *		signer;	      /*%< NULL if not valid sig */
+	isc_boolean_t		mortal;	      /*%< Die after handling request */
 	isc_quota_t		*tcpquota;
 	isc_quota_t		*recursionquota;
 	ns_interface_t		*interface;
@@ -132,7 +133,7 @@ struct ns_client {
 	isc_boolean_t		peeraddr_valid;
 	struct in6_pktinfo	pktinfo;
 	isc_event_t		ctlevent;
-	/*
+	/*%
 	 * Information about recent FORMERR response(s), for
 	 * FORMERR loop avoidance.  This is separate for each
 	 * client object rather than global only to avoid
@@ -144,7 +145,7 @@ struct ns_client {
 		dns_messageid_t		id;
 	} formerrcache;
 	ISC_LINK(ns_client_t)	link;
-	/*
+	/*%
 	 * The list 'link' is part of, or NULL if not on any list.
 	 */
 	client_list_t		*list;
@@ -154,38 +155,42 @@ struct ns_client {
 #define NS_CLIENT_VALID(c)		ISC_MAGIC_VALID(c, NS_CLIENT_MAGIC)
 
 #define NS_CLIENTATTR_TCP		0x01
-#define NS_CLIENTATTR_RA		0x02 /* Client gets recusive service */
-#define NS_CLIENTATTR_PKTINFO		0x04 /* pktinfo is valid */
-#define NS_CLIENTATTR_MULTICAST		0x08 /* recv'd from multicast */
-#define NS_CLIENTATTR_WANTDNSSEC	0x10 /* include dnssec records */
+#define NS_CLIENTATTR_RA		0x02 /*%< Client gets recusive service */
+#define NS_CLIENTATTR_PKTINFO		0x04 /*%< pktinfo is valid */
+#define NS_CLIENTATTR_MULTICAST		0x08 /*%< recv'd from multicast */
+#define NS_CLIENTATTR_WANTDNSSEC	0x10 /*%< include dnssec records */
 
+extern unsigned int ns_client_requests;
 
 /***
  *** Functions
  ***/
 
-/*
+/*%
  * Note!  These ns_client_ routines MUST be called ONLY from the client's
  * task in order to ensure synchronization.
  */
 
 void
 ns_client_send(ns_client_t *client);
-/*
+/*%
  * Finish processing the current client request and
  * send client->message as a response.
+ * \brief
+ * Note!  These ns_client_ routines MUST be called ONLY from the client's
+ * task in order to ensure synchronization.
  */
 
 void
 ns_client_sendraw(ns_client_t *client, dns_message_t *msg);
-/*
+/*%
  * Finish processing the current client request and
  * send msg as a response using client->message->id for the id.
  */
 
 void
 ns_client_error(ns_client_t *client, isc_result_t result);
-/*
+/*%
  * Finish processing the current client request and return
  * an error response to the client.  The error response
  * will have an RCODE determined by 'result'.
@@ -193,32 +198,32 @@ ns_client_error(ns_client_t *client, isc_result_t result);
 
 void
 ns_client_next(ns_client_t *client, isc_result_t result);
-/*
+/*%
  * Finish processing the current client request,
  * return no response to the client.
  */
 
 isc_boolean_t
 ns_client_shuttingdown(ns_client_t *client);
-/*
+/*%
  * Return ISC_TRUE iff the client is currently shutting down.
  */
 
 void
 ns_client_attach(ns_client_t *source, ns_client_t **target);
-/*
+/*%
  * Attach '*targetp' to 'source'.
  */
 
 void
 ns_client_detach(ns_client_t **clientp);
-/*
+/*%
  * Detach '*clientp' from its client.
  */
 
 isc_result_t
 ns_client_replace(ns_client_t *client);
-/*
+/*%
  * Try to replace the current client with a new one, so that the
  * current one can go off and do some lengthy work without
  * leaving the dispatch/socket without service.
@@ -226,20 +231,20 @@ ns_client_replace(ns_client_t *client);
 
 void
 ns_client_settimeout(ns_client_t *client, unsigned int seconds);
-/*
+/*%
  * Set a timer in the client to go off in the specified amount of time.
  */
 
 isc_result_t
 ns_clientmgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
 		    isc_timermgr_t *timermgr, ns_clientmgr_t **managerp);
-/*
+/*%
  * Create a client manager.
  */
 
 void
 ns_clientmgr_destroy(ns_clientmgr_t **managerp);
-/*
+/*%
  * Destroy a client manager and all ns_client_t objects
  * managed by it.
  */
@@ -247,7 +252,7 @@ ns_clientmgr_destroy(ns_clientmgr_t **managerp);
 isc_result_t
 ns_clientmgr_createclients(ns_clientmgr_t *manager, unsigned int n,
 			   ns_interface_t *ifp, isc_boolean_t tcp);
-/*
+/*%
  * Create up to 'n' clients listening on interface 'ifp'.
  * If 'tcp' is ISC_TRUE, the clients will listen for TCP connections,
  * otherwise for UDP requests.
@@ -255,53 +260,59 @@ ns_clientmgr_createclients(ns_clientmgr_t *manager, unsigned int n,
 
 isc_sockaddr_t *
 ns_client_getsockaddr(ns_client_t *client);
-/*
+/*%
  * Get the socket address of the client whose request is
  * currently being processed.
  */
 
 isc_result_t
-ns_client_checkaclsilent(ns_client_t  *client,dns_acl_t *acl,
+ns_client_checkaclsilent(ns_client_t *client,
+			 isc_sockaddr_t *sockaddr,
+			 dns_acl_t *acl,
 			 isc_boolean_t default_allow);
 
-/*
+/*%
  * Convenience function for client request ACL checking.
  *
  * Check the current client request against 'acl'.  If 'acl'
  * is NULL, allow the request iff 'default_allow' is ISC_TRUE.
+ * If netaddr is NULL, check the ACL against client->peeraddr;
+ * otherwise check it against netaddr.
  *
  * Notes:
- *	This is appropriate for checking allow-update,
+ *\li	This is appropriate for checking allow-update,
  * 	allow-query, allow-transfer, etc.  It is not appropriate
  * 	for checking the blackhole list because we treat positive
  * 	matches as "allow" and negative matches as "deny"; in
  *	the case of the blackhole list this would be backwards.
  *
  * Requires:
- *	'client' points to a valid client.
- *	'acl' points to a valid ACL, or is NULL.
+ *\li	'client' points to a valid client.
+ *\li	'sockaddr' points to a valid address, or is NULL.
+ *\li	'acl' points to a valid ACL, or is NULL.
  *
  * Returns:
- *	ISC_R_SUCCESS	if the request should be allowed
- * 	ISC_R_REFUSED	if the request should be denied
- *	No other return values are possible.
+ *\li	ISC_R_SUCCESS	if the request should be allowed
+ * \li	ISC_R_REFUSED	if the request should be denied
+ *\li	No other return values are possible.
  */
 
 isc_result_t
 ns_client_checkacl(ns_client_t  *client,
+		   isc_sockaddr_t *sockaddr,
 		   const char *opname, dns_acl_t *acl,
 		   isc_boolean_t default_allow,
 		   int log_level);
-/*
- * Like ns_client_checkacl, but also logs the outcome of the
- * check at log level 'log_level' if denied, and at debug 3
- * if approved.  Log messages will refer to the request as
- * an 'opname' request.
+/*%
+ * Like ns_client_checkaclsilent, except the outcome of the check is
+ * logged at log level 'log_level' if denied, and at debug 3 if approved.
+ * Log messages will refer to the request as an 'opname' request.
  *
  * Requires:
- *	Those of ns_client_checkaclsilent(), and:
- *
- *	'opname' points to a null-terminated string.
+ *\li	'client' points to a valid client.
+ *\li	'sockaddr' points to a valid address, or is NULL.
+ *\li	'acl' points to a valid ACL, or is NULL.
+ *\li	'opname' points to a null-terminated string.
  */
 
 void
@@ -322,16 +333,35 @@ ns_client_aclmsg(const char *msg, dns_name_t *name, dns_rdatatype_t type,
 	 DNS_RDATACLASS_FORMATSIZE + sizeof(x) + sizeof("'/'"))
 
 void
-ns_client_recursing(ns_client_t *client, isc_boolean_t killoldest);
-/*
- * Add client to end of recursing list.  If 'killoldest' is true
- * kill the oldest recursive client (list head). 
+ns_client_recursing(ns_client_t *client);
+/*%
+ * Add client to end of th recursing list.
+ */
+
+void
+ns_client_killoldestquery(ns_client_t *client);
+/*%
+ * Kill the oldest recursive query (recursing list head).
  */
 
 void
 ns_client_dumprecursing(FILE *f, ns_clientmgr_t *manager);
-/*
+/*%
  * Dump the outstanding recursive queries to 'f'.
  */
 
+void
+ns_client_qnamereplace(ns_client_t *client, dns_name_t *name);
+/*%
+ * Replace the qname.
+ */
+
+isc_boolean_t
+ns_client_isself(dns_view_t *myview, dns_tsigkey_t *mykey,
+                 isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
+                 dns_rdataclass_t rdclass, void *arg);
+/*%
+ * Isself callback.
+ */
+
 #endif /* NAMED_CLIENT_H */

bin/named/include/named/config.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001, 2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.h,v 1.4.12.4 2004/04/20 14:12:10 marka Exp $ */
+/* $Id: config.h,v 1.12 2006/02/28 02:39:51 marka Exp $ */
 
 #ifndef NAMED_CONFIG_H
 #define NAMED_CONFIG_H 1
 
+/*! \file */
+
 #include <isccfg/cfg.h>
 
 #include <dns/types.h>
@@ -29,27 +31,28 @@ isc_result_t
 ns_config_parsedefaults(cfg_parser_t *parser, cfg_obj_t **conf);
 
 isc_result_t
-ns_config_get(cfg_obj_t **maps, const char* name, cfg_obj_t **obj);
+ns_config_get(const cfg_obj_t **maps, const char* name, const cfg_obj_t **obj);
 
 isc_result_t
-ns_checknames_get(cfg_obj_t **maps, const char* name, cfg_obj_t **obj);
+ns_checknames_get(const cfg_obj_t **maps, const char* name,
+		  const cfg_obj_t **obj);
 
 int
-ns_config_listcount(cfg_obj_t *list);
+ns_config_listcount(const cfg_obj_t *list);
 
 isc_result_t
-ns_config_getclass(cfg_obj_t *classobj, dns_rdataclass_t defclass,
+ns_config_getclass(const cfg_obj_t *classobj, dns_rdataclass_t defclass,
 		   dns_rdataclass_t *classp);
 
 isc_result_t
-ns_config_gettype(cfg_obj_t *typeobj, dns_rdatatype_t deftype,
+ns_config_gettype(const cfg_obj_t *typeobj, dns_rdatatype_t deftype,
 		  dns_rdatatype_t *typep);
 
 dns_zonetype_t
-ns_config_getzonetype(cfg_obj_t *zonetypeobj);
+ns_config_getzonetype(const cfg_obj_t *zonetypeobj);
 
 isc_result_t
-ns_config_getiplist(cfg_obj_t *config, cfg_obj_t *list,
+ns_config_getiplist(const cfg_obj_t *config, const cfg_obj_t *list,
 		    in_port_t defport, isc_mem_t *mctx,
 		    isc_sockaddr_t **addrsp, isc_uint32_t *countp);
 
@@ -58,18 +61,19 @@ ns_config_putiplist(isc_mem_t *mctx, isc_sockaddr_t **addrsp,
 		    isc_uint32_t count);
 
 isc_result_t
-ns_config_getipandkeylist(cfg_obj_t *config, cfg_obj_t *list, isc_mem_t *mctx,
-			  isc_sockaddr_t **addrsp, dns_name_t ***keys,
-			  isc_uint32_t *countp);
+ns_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list,
+			  isc_mem_t *mctx, isc_sockaddr_t **addrsp,
+			  dns_name_t ***keys, isc_uint32_t *countp);
 
 void
 ns_config_putipandkeylist(isc_mem_t *mctx, isc_sockaddr_t **addrsp,
 			  dns_name_t ***keys, isc_uint32_t count);
 
 isc_result_t
-ns_config_getport(cfg_obj_t *config, in_port_t *portp);
+ns_config_getport(const cfg_obj_t *config, in_port_t *portp);
 
 isc_result_t
-ns_config_getkeyalgorithm(const char *str, dns_name_t **name);
+ns_config_getkeyalgorithm(const char *str, dns_name_t **name,
+			  isc_uint16_t *digestbits);
 
 #endif /* NAMED_CONFIG_H */

bin/named/include/named/control.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,18 +15,20 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: control.h,v 1.6.2.2.2.7 2004/09/03 03:43:32 marka Exp $ */
+/* $Id: control.h,v 1.23 2006/12/04 01:52:45 marka Exp $ */
 
 #ifndef NAMED_CONTROL_H
 #define NAMED_CONTROL_H 1
 
-/*
+/*! \file
+ * \brief
  * The name server command channel.
  */
 
 #include <isccc/types.h>
 
-#include <named/aclconf.h>
+#include <isccfg/aclconf.h>
+
 #include <named/types.h>
 
 #define NS_CONTROL_PORT			953
@@ -45,21 +47,26 @@
 #define NS_COMMAND_FLUSH	"flush"
 #define NS_COMMAND_FLUSHNAME	"flushname"
 #define NS_COMMAND_STATUS	"status"
+#define NS_COMMAND_TSIGLIST	"tsig-list"
+#define NS_COMMAND_TSIGDELETE	"tsig-delete"
 #define NS_COMMAND_FREEZE	"freeze"
 #define NS_COMMAND_UNFREEZE	"unfreeze"
 #define NS_COMMAND_THAW		"thaw"
+#define NS_COMMAND_TIMERPOKE	"timerpoke"
 #define NS_COMMAND_RECURSING	"recursing"
 #define NS_COMMAND_NULL		"null"
+#define NS_COMMAND_NOTIFY	"notify"
+#define NS_COMMAND_VALIDATION	"validation"
 
 isc_result_t
 ns_controls_create(ns_server_t *server, ns_controls_t **ctrlsp);
-/*
+/*%<
  * Create an initial, empty set of command channels for 'server'.
  */
 
 void
 ns_controls_destroy(ns_controls_t **ctrlsp);
-/*
+/*%<
  * Destroy a set of command channels.
  *
  * Requires:
@@ -67,9 +74,9 @@ ns_controls_destroy(ns_controls_t **ctrlsp);
  */
 
 isc_result_t
-ns_controls_configure(ns_controls_t *controls, cfg_obj_t *config,
-		      ns_aclconfctx_t *aclconfctx);
-/*
+ns_controls_configure(ns_controls_t *controls, const cfg_obj_t *config,
+		      cfg_aclconfctx_t *aclconfctx);
+/*%<
  * Configure zero or more command channels into 'controls'
  * as defined in the configuration parse tree 'config'.
  * The channels will evaluate ACLs in the context of
@@ -78,7 +85,7 @@ ns_controls_configure(ns_controls_t *controls, cfg_obj_t *config,
 
 void
 ns_controls_shutdown(ns_controls_t *controls);
-/*
+/*%<
  * Initiate shutdown of all the command channels in 'controls'.
  */
 

bin/named/include/named/globals.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: globals.h,v 1.59.68.5 2004/03/08 04:04:20 marka Exp $ */
+/* $Id: globals.h,v 1.70 2006/12/22 03:07:57 explorer Exp $ */
 
 #ifndef NAMED_GLOBALS_H
 #define NAMED_GLOBALS_H 1
 
+/*! \file */
+
 #include <isc/rwlock.h>
 #include <isc/log.h>
 #include <isc/net.h>
@@ -75,7 +77,7 @@ EXTERN unsigned int		ns_g_debuglevel		INIT(0);
  * Current configuration information.
  */
 EXTERN cfg_obj_t *		ns_g_config		INIT(NULL);
-EXTERN cfg_obj_t *		ns_g_defaults		INIT(NULL);
+EXTERN const cfg_obj_t *	ns_g_defaults		INIT(NULL);
 EXTERN const char *		ns_g_conffile		INIT(NS_SYSCONFDIR
 							     "/named.conf");
 EXTERN const char *		ns_g_keyfile		INIT(NS_SYSCONFDIR
@@ -111,6 +113,7 @@ EXTERN const char *		lwresd_g_defaultpidfile INIT(NS_LOCALSTATEDIR
 EXTERN const char *		ns_g_username		INIT(NULL);
 
 EXTERN int			ns_g_listen		INIT(3);
+EXTERN isc_time_t		ns_g_boottime;
 
 #undef EXTERN
 #undef INIT

bin/named/include/named/interfacemgr.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: interfacemgr.h,v 1.23.24.7 2004/04/29 01:31:22 marka Exp $ */
+/* $Id: interfacemgr.h,v 1.31 2005/07/18 05:58:57 marka Exp $ */
 
 #ifndef NAMED_INTERFACEMGR_H
 #define NAMED_INTERFACEMGR_H 1
@@ -24,24 +24,23 @@
  ***** Module Info
  *****/
 
-/*
- * Interface manager
- *
+/*! \file
+ * \brief
  * The interface manager monitors the operating system's list
  * of network interfaces, creating and destroying listeners
  * as needed.
  *
  * Reliability:
- *	No impact expected.
+ *\li	No impact expected.
  *
  * Resources:
  *
  * Security:
- * 	The server will only be able to bind to the DNS port on
+ * \li	The server will only be able to bind to the DNS port on
  *	newly discovered interfaces if it is running as root.
  *
  * Standards:
- *	The API for scanning varies greatly among operating systems.
+ *\li	The API for scanning varies greatly among operating systems.
  *	This module attempts to hide the differences.
  */
 
@@ -65,23 +64,24 @@
 #define IFACE_MAGIC		ISC_MAGIC('I',':','-',')')
 #define NS_INTERFACE_VALID(t)	ISC_MAGIC_VALID(t, IFACE_MAGIC)
 
-#define NS_INTERFACEFLAG_ANYADDR	0x01U	/* bound to "any" address */
+#define NS_INTERFACEFLAG_ANYADDR	0x01U	/*%< bound to "any" address */
 
+/*% The nameserver interface structure */
 struct ns_interface {
-	unsigned int		magic;		/* Magic number. */
-	ns_interfacemgr_t *	mgr;		/* Interface manager. */
+	unsigned int		magic;		/*%< Magic number. */
+	ns_interfacemgr_t *	mgr;		/*%< Interface manager. */
 	isc_mutex_t		lock;
-	int			references;	/* Locked */
-	unsigned int		generation;     /* Generation number. */
-	isc_sockaddr_t		addr;           /* Address and port. */
-	unsigned int		flags;		/* Interface characteristics */
-	char 			name[32];	/* Null terminated. */
-	dns_dispatch_t *	udpdispatch;	/* UDP dispatcher. */
-	isc_socket_t *		tcpsocket;	/* TCP socket. */
-	int			ntcptarget;	/* Desired number of concurrent
-						   TCP accepts */
-	int			ntcpcurrent;	/* Current ditto, locked */
-	ns_clientmgr_t *	clientmgr;	/* Client manager. */
+	int			references;	/*%< Locked */
+	unsigned int		generation;     /*%< Generation number. */
+	isc_sockaddr_t		addr;           /*%< Address and port. */
+	unsigned int		flags;		/*%< Interface characteristics */
+	char 			name[32];	/*%< Null terminated. */
+	dns_dispatch_t *	udpdispatch;	/*%< UDP dispatcher. */
+	isc_socket_t *		tcpsocket;	/*%< TCP socket. */
+	int			ntcptarget;	/*%< Desired number of concurrent
+						     TCP accepts */
+	int			ntcpcurrent;	/*%< Current ditto, locked */
+	ns_clientmgr_t *	clientmgr;	/*%< Client manager. */
 	ISC_LINK(ns_interface_t) link;
 };
 
@@ -94,7 +94,7 @@ ns_interfacemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
 		       isc_socketmgr_t *socketmgr,
 		       dns_dispatchmgr_t *dispatchmgr,
 		       ns_interfacemgr_t **mgrp);
-/*
+/*%
  * Create a new interface manager.
  *
  * Initially, the new manager will not listen on any interfaces.
@@ -113,7 +113,7 @@ ns_interfacemgr_shutdown(ns_interfacemgr_t *mgr);
 
 void
 ns_interfacemgr_scan(ns_interfacemgr_t *mgr, isc_boolean_t verbose);
-/*
+/*%
  * Scan the operatings system's list of network interfaces
  * and create listeners when new interfaces are discovered.
  * Shut down the sockets for interfaces that go away.
@@ -126,7 +126,7 @@ ns_interfacemgr_scan(ns_interfacemgr_t *mgr, isc_boolean_t verbose);
 void
 ns_interfacemgr_adjust(ns_interfacemgr_t *mgr, ns_listenlist_t *list,
 		       isc_boolean_t verbose);
-/*
+/*%
  * Similar to ns_interfacemgr_scan(), but this function also tries to see the
  * need for an explicit listen-on when a list element in 'list' is going to
  * override an already-listening a wildcard interface.
@@ -139,14 +139,14 @@ ns_interfacemgr_adjust(ns_interfacemgr_t *mgr, ns_listenlist_t *list,
 
 void
 ns_interfacemgr_setlistenon4(ns_interfacemgr_t *mgr, ns_listenlist_t *value);
-/*
+/*%
  * Set the IPv4 "listen-on" list of 'mgr' to 'value'.
  * The previous IPv4 listen-on list is freed.
  */
 
 void
 ns_interfacemgr_setlistenon6(ns_interfacemgr_t *mgr, ns_listenlist_t *value);
-/*
+/*%
  * Set the IPv6 "listen-on" list of 'mgr' to 'value'.
  * The previous IPv6 listen-on list is freed.
  */
@@ -162,7 +162,7 @@ ns_interface_detach(ns_interface_t **targetp);
 
 void
 ns_interface_shutdown(ns_interface_t *ifp);
-/*
+/*%
  * Stop listening for queries on interface 'ifp'.
  * May safely be called multiple times.
  */
@@ -170,4 +170,7 @@ ns_interface_shutdown(ns_interface_t *ifp);
 void
 ns_interfacemgr_dumprecursing(FILE *f, ns_interfacemgr_t *mgr);
 
+isc_boolean_t
+ns_interfacemgr_listeningon(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr);
+
 #endif /* NAMED_INTERFACEMGR_H */

bin/named/include/named/listenlist.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: listenlist.h,v 1.10.208.1 2004/03/06 10:21:24 marka Exp $ */
+/* $Id: listenlist.h,v 1.13 2005/04/29 00:22:30 marka Exp $ */
 
 #ifndef NAMED_LISTENLIST_H
 #define NAMED_LISTENLIST_H 1
@@ -24,7 +24,8 @@
  ***** Module Info
  *****/
 
-/*
+/*! \file
+ * \brief
  * "Listen lists", as in the "listen-on" configuration statement.
  */
 
@@ -62,38 +63,38 @@ struct ns_listenlist {
 isc_result_t
 ns_listenelt_create(isc_mem_t *mctx, in_port_t port,
 		    dns_acl_t *acl, ns_listenelt_t **target);
-/*
+/*%
  * Create a listen-on list element.
  */
 
 void
 ns_listenelt_destroy(ns_listenelt_t *elt);
-/*
+/*%
  * Destroy a listen-on list element.
  */
 
 isc_result_t
 ns_listenlist_create(isc_mem_t *mctx, ns_listenlist_t **target);
-/*
+/*%
  * Create a new, empty listen-on list.
  */
 
 void
 ns_listenlist_attach(ns_listenlist_t *source, ns_listenlist_t **target);
-/*
+/*%
  * Attach '*target' to '*source'.
  */
 
 void
 ns_listenlist_detach(ns_listenlist_t **listp);
-/*
+/*%
  * Detach 'listp'.
  */
 
 isc_result_t
 ns_listenlist_default(isc_mem_t *mctx, in_port_t port,
 		      isc_boolean_t enabled, ns_listenlist_t **target);
-/*
+/*%
  * Create a listen-on list with default contents, matching
  * all addresses with port 'port' (if 'enabled' is ISC_TRUE),
  * or no addresses (if 'enabled' is ISC_FALSE).

bin/named/include/named/log.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: log.h,v 1.19.12.3 2004/03/08 04:04:21 marka Exp $ */
+/* $Id: log.h,v 1.23 2005/04/29 00:22:30 marka Exp $ */
 
 #ifndef NAMED_LOG_H
 #define NAMED_LOG_H 1
 
+/*! \file */
+
 #include <isc/log.h>
 #include <isc/types.h>
 
@@ -54,7 +56,7 @@
 
 isc_result_t
 ns_log_init(isc_boolean_t safe);
-/*
+/*%
  * Initialize the logging system and set up an initial default
  * logging default configuration that will be used until the
  * config file has been read.
@@ -66,7 +68,7 @@ ns_log_init(isc_boolean_t safe);
 
 isc_result_t
 ns_log_setdefaultchannels(isc_logconfig_t *lcfg);
-/*
+/*%
  * Set up logging channels according to the named defaults, which
  * may differ from the logging library defaults.  Currently,
  * this just means setting up default_debug.
@@ -74,19 +76,19 @@ ns_log_setdefaultchannels(isc_logconfig_t *lcfg);
 
 isc_result_t
 ns_log_setsafechannels(isc_logconfig_t *lcfg);
-/*
+/*%
  * Like ns_log_setdefaultchannels(), but omits any logging to files.
  */
 
 isc_result_t
 ns_log_setdefaultcategory(isc_logconfig_t *lcfg);
-/*
+/*%
  * Set up "category default" to go to the right places.
  */
 
 isc_result_t
 ns_log_setunmatchedcategory(isc_logconfig_t *lcfg);
-/*
+/*%
  * Set up "category unmatched" to go to the right places.
  */
 

bin/named/include/named/logconf.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,16 +15,18 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: logconf.h,v 1.10.208.1 2004/03/06 10:21:24 marka Exp $ */
+/* $Id: logconf.h,v 1.15 2006/03/02 00:37:23 marka Exp $ */
 
 #ifndef NAMED_LOGCONF_H
 #define NAMED_LOGCONF_H 1
 
+/*! \file */
+
 #include <isc/log.h>
 
 isc_result_t
-ns_log_configure(isc_logconfig_t *logconf, cfg_obj_t *logstmt);
-/*
+ns_log_configure(isc_logconfig_t *logconf, const cfg_obj_t *logstmt);
+/*%<
  * Set up the logging configuration in '*logconf' according to
  * the named.conf data in 'logstmt'.
  */

bin/named/include/named/lwaddr.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwaddr.h,v 1.3.208.1 2004/03/06 10:21:24 marka Exp $ */
+/* $Id: lwaddr.h,v 1.6 2005/04/29 00:22:31 marka Exp $ */
+
+/*! \file */
 
 #include <lwres/lwres.h>
 #include <lwres/net.h>

bin/named/include/named/lwdclient.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwdclient.h,v 1.13.208.1 2004/03/06 10:21:24 marka Exp $ */
+/* $Id: lwdclient.h,v 1.16 2005/04/29 00:22:31 marka Exp $ */
 
 #ifndef NAMED_LWDCLIENT_H
 #define NAMED_LWDCLIENT_H 1
 
+/*! \file */
+
 #include <isc/event.h>
 #include <isc/eventclass.h>
 #include <isc/netaddr.h>
@@ -37,23 +39,24 @@
 
 #define LWRD_SHUTDOWN		(LWRD_EVENTCLASS + 0x0001)
 
+/*% Lighweight Resolver Daemon Client */
 struct ns_lwdclient {
-	isc_sockaddr_t		address;	/* where to reply */
+	isc_sockaddr_t		address;	/*%< where to reply */
 	struct in6_pktinfo	pktinfo;
 	isc_boolean_t		pktinfo_valid;
-	ns_lwdclientmgr_t	*clientmgr;	/* our parent */
+	ns_lwdclientmgr_t	*clientmgr;	/*%< our parent */
 	ISC_LINK(ns_lwdclient_t) link;
 	unsigned int		state;
-	void			*arg;		/* packet processing state */
+	void			*arg;		/*%< packet processing state */
 
 	/*
 	 * Received data info.
 	 */
-	unsigned char		buffer[LWRES_RECVLENGTH]; /* receive buffer */
-	isc_uint32_t		recvlength;	/* length recv'd */
+	unsigned char		buffer[LWRES_RECVLENGTH]; /*%< receive buffer */
+	isc_uint32_t		recvlength;	/*%< length recv'd */
 	lwres_lwpacket_t	pkt;
 
-	/*
+	/*%
 	 * Send data state.  If sendbuf != buffer (that is, the send buffer
 	 * isn't our receive buffer) it will be freed to the lwres_context_t.
 	 */
@@ -61,19 +64,19 @@ struct ns_lwdclient {
 	isc_uint32_t		sendlength;
 	isc_buffer_t		recv_buffer;
 
-	/*
+	/*%
 	 * gabn (get address by name) state info.
 	 */
 	dns_adbfind_t		*find;
 	dns_adbfind_t		*v4find;
 	dns_adbfind_t		*v6find;
-	unsigned int		find_wanted;	/* Addresses we want */
+	unsigned int		find_wanted;	/*%< Addresses we want */
 	dns_fixedname_t		query_name;
 	dns_fixedname_t		target_name;
 	ns_lwsearchctx_t	searchctx;
 	lwres_gabnresponse_t	gabn;
 
-	/*
+	/*%
 	 * gnba (get name by address) state info.
 	 */
 	lwres_gnbaresponse_t	gnba;
@@ -81,7 +84,7 @@ struct ns_lwdclient {
 	unsigned int		options;
 	isc_netaddr_t		na;
 
-	/*
+	/*%
 	 * grbn (get rrset by name) state info.
 	 *
 	 * Note: this also uses target_name and searchctx.
@@ -90,7 +93,7 @@ struct ns_lwdclient {
 	dns_lookup_t	       *lookup;
 	dns_rdatatype_t		rdtype;
 
-	/*
+	/*%
 	 * Alias and address info.  This is copied up to the gabn/gnba
 	 * structures eventually.
 	 *
@@ -103,7 +106,7 @@ struct ns_lwdclient {
 	lwres_addr_t		addrs[LWRES_MAX_ADDRS];
 };
 
-/*
+/*%
  * Client states.
  *
  * _IDLE	The client is not doing anything at all.
@@ -156,7 +159,7 @@ struct ns_lwdclient {
 #define NS_LWDCLIENT_ISSEND(c)		\
 			((c)->state == NS_LWDCLIENT_STATESEND)
 
-/*
+/*%
  * Overall magic test that means we're not idle.
  */
 #define NS_LWDCLIENT_ISRUNNING(c)	(!NS_LWDCLIENT_ISIDLE(c))
@@ -174,17 +177,18 @@ struct ns_lwdclient {
 #define NS_LWDCLIENT_SETSENDDONE(c)	\
 			((c)->state = NS_LWDCLIENT_STATESENDDONE)
 
+/*% lightweight daemon client manager */
 struct ns_lwdclientmgr {
 	ns_lwreslistener_t     *listener;
 	isc_mem_t	       *mctx;
-	isc_socket_t	       *sock;		/* socket to use */
+	isc_socket_t	       *sock;		/*%< socket to use */
 	dns_view_t	       *view;
-	lwres_context_t	       *lwctx;		/* lightweight proto context */
-	isc_task_t	       *task;		/* owning task */
+	lwres_context_t	       *lwctx;		/*%< lightweight proto context */
+	isc_task_t	       *task;		/*%< owning task */
 	unsigned int		flags;
 	ISC_LINK(ns_lwdclientmgr_t)	link;
-	ISC_LIST(ns_lwdclient_t)	idle;		/* idle client slots */
-	ISC_LIST(ns_lwdclient_t)	running;	/* running clients */
+	ISC_LIST(ns_lwdclient_t)	idle;		/*%< idle client slots */
+	ISC_LIST(ns_lwdclient_t)	running;	/*%< running clients */
 };
 
 #define NS_LWDCLIENTMGR_FLAGRECVPENDING		0x00000001