add dns_trust_totext to def file

3121.   [security]      An authoritative name server sending a negative
                        response containing a very large RRset could
                        trigger an off-by-one error in the ncache code
                        and crash named. [RT #24650]

3120.	[bug]		Named could fail to validate zones listed in a DLV
			that validated insecure without using DLV and had
			DS records in the parent zone. [RT #24631]

CHANGES

@@ -1,3 +1,16 @@
+	--- 9.6-ESV-R4-P1 released ---
+
+3121.   [security]      An authoritative name server sending a negative
+                        response containing a very large RRset could
+                        trigger an off-by-one error in the ncache code
+                        and crash named. [RT #24650]
+
+3120.	[bug]		Named could fail to validate zones listed in a DLV
+			that validated insecure without using DLV and had
+			DS records in the parent zone. [RT #24631]
+
+	--- 9.6-ESV-R4 released ---
+
 	--- 9.6.3 released ---
 
 3009.	[bug]		clients-per-query code didn't work as expected with
@@ -50,51 +63,9 @@
 			wrong lock which could lead to server deadlock.
 			[RT #22614]
 
-2972.	[bug]		win32: address windows socket errors. [RT #21906]
-
-2971.	[bug]		Fixed a bug that caused journal files not to be
-			compacted on Windows systems as a result of
-			non-POSIX-compliant rename() semantics. [RT #22434]
-
-2970.	[security]	Adding a NO DATA negative cache entry failed to clear
-			any matching RRSIG records.  A subsequent lookup of
-			of NO DATA cache entry could trigger a INSIST when the
-			unexpected RRSIG was also returned with the NO DATA
-			cache entry.
-
-			CVE-2010-3613, VU#706148. [RT #22288]
-
-2969.	[security]	Fix acl type processing so that allow-query works
-			in options and view statements.  Also add a new
-			set of tests to verify proper functioning.
-
-			CVE-2010-3615, VU#510208. [RT #22418]
-
-2968.	[security]	Named could fail to prove a data set was insecure
-			before marking it as insecure.  One set of conditions
-			that can trigger this occurs naturally when rolling
-			DNSKEY algorithms.
-
-			CVE-2010-3614, VU#837744. [RT #22309]
-
-2967.	[bug]		'host -D' now turns on debugging messages earlier.
-			[RT #22361]
-
-2966.	[bug]		isc_print_vsnprintf() failed to check if there was
-			space available in the buffer when adding a left
-			justified character with a non zero width,
-			(e.g. "%-1c"). [RT #22270]
-
 2965.	[func]		Test HMAC functions using test data from RFC 2104 and
 			RFC 4634. [RT #21702]
 
-2964.	[bug]		view->queryacl was being overloaded.  Seperate the
-			usage into view->queryacl, view->cacheacl and
-			view->queryonacl. [RT #22114]
-
-2962.	[port]		win32: add more dependencies to BINDBuild.dsw.
-			[RT #22062]
-
 2960.	[func]		Check that named accepts non-authoritative answers.
 			[RT #21594]
 
@@ -114,13 +85,6 @@
 			exact match" message when returning a wildcard
 			no data response. [RT #21744]
 
-2952.	[port]		win32: named-checkzone and named-checkconf failed
-			to initialise winsock. [RT #21932]
-
-2951.	[bug]		named failed to generate a correct signed response
-			in a optout, delegation only zone with no secure
-			delegations. [RT #22007]
-
 2950.	[bug]		named failed to perform a SOA up to date check when
 			falling back to TCP on UDP timeouts when
 			ixfr-from-differences was set. [RT #21595]
@@ -139,27 +103,6 @@
 2941.	[bug]		sdb and sdlz (dlz's zone database) failed to support
 			DNAME at the zone apex.  [RT #21610]
 
-2939.	[func]		Check that named successfully skips NSEC3 records
-			that fail to match the NSEC3PARAM record currently
-			in use. [RT# 21868]
-
-2937.	[bug]		Worked around an apparent race condition in over
-			memory conditions.  Without this fix a DNS cache DB or
-			ADB could incorrectly stay in an over memory state,
-			effectively refusing further caching, which
-			subsequently made a BIND 9 caching server unworkable.
-			This fix prevents this problem from happening by
-			polling the state of the memory context, rather than
-			making a copy of the state, which appeared to cause
-			a race.  This is a "workaround" in that it doesn't
-			solve the possible race per se, but several experiments
-			proved this change solves the symptom.  Also, the
-			polling overhead hasn't been reported to be an issue.
-			This bug should only affect a caching server that
-			specifies a finite max-cache-size.  It's also quite
-			likely that the bug happens only when enabling threads,
-			but it's not confirmed yet. [RT #21818]
-
 2935.	[bug]		nsupdate: improve 'file not found' error message.
 			[RT #21871]
 
@@ -189,17 +132,11 @@
 			   smaller)
 			[RT #19737]
 
-2925.	[bug]		Named failed to accept uncachable negative responses
-			from insecure zones. [RT# 21555]
-
 2923.	[bug]		'dig +trace' could drop core after "connection
 			timeout". [RT #21514]
 
 2922.	[contrib]	Update zkt to version 1.0.
 
-2921.	[bug]		The resolver could attempt to destroy a fetch context
-			too soon.  [RT #19878]
-
 2918.	[maint]		Add AAAA address for I.ROOT-SERVERS.NET.
 
 2916.	[func]		Add framework to use IPv6 in tests.
@@ -229,10 +166,6 @@
 
 2901.	[port]		Use AC_C_FLEXIBLE_ARRAY_MEMBER. [RT #21316]
 
-2900.	[bug]		The placeholder negative caching element was not
-			properly constructed triggering a INSIST in
-			dns_ncache_towire(). [RT #21346]
-
 2899.	[port]		win32: Support linking against OpenSSL 1.0.0.
 
 2898.	[bug]		nslookup leaked memory when -domain=value was
@@ -243,9 +176,6 @@
 2891.	[maint]		Update empty-zones list to match
 			draft-ietf-dnsop-default-local-zones-13. [RT# 21099]
 
-2890.	[bug]		Handle the introduction of new trusted-keys and
-			DS, DLV RRsets better. [RT #21097]
-
 2889.	[bug]		Elements of the grammar where not properly reported.
 			[RT #21046]
 
@@ -272,9 +202,6 @@
 2877.	[bug]		The validator failed to skip obviously mismatching
 			RRSIGs. [RT #21138]
 
-2876.	[bug]		Named could return SERVFAIL for negative responses
-			from unsigned zones. [RT #21131]
-
 2875.	[bug]		dns_time64_fromtext() could accept non digits.
 			[RT #21033]
 
@@ -284,9 +211,6 @@
 
 2870.	[maint]		Add AAAA address for L.ROOT-SERVERS.NET.
 
-2869.	[bug]		Fix arguments to dns_keytable_findnextkeynode() call.
-			[RT #20877]
-
 2868.	[cleanup]	Run "make clean" at the end of configure to ensure
 			any changes made by configure are integrated.
 			Use --with-make-clean=no to disable.  [RT #20994]
@@ -322,11 +246,108 @@
 
 2853.	[bug]		add_sigs() could run out of scratch space. [RT #21015]
 
-2852.	[bug]		Handle broken DNSSEC trust chains better. [RT #15619]
-
 2851.	[doc]		nslookup.1, removed <informalexample> from the docbook
 			source as it produced bad nroff.  [RT #21007]
 
+	--- 9.6-ESV-R3 released ---
+
+2972.	[bug]		win32: address windows socket errors. [RT #21906]
+
+2971.	[bug]		Fixed a bug that caused journal files not to be
+			compacted on Windows systems as a result of
+			non-POSIX-compliant rename() semantics. [RT #22434]
+
+2970.	[security]	Adding a NO DATA negative cache entry failed to clear
+			any matching RRSIG records.  A subsequent lookup of
+			of NO DATA cache entry could trigger a INSIST when the
+			unexpected RRSIG was also returned with the NO DATA
+			cache entry.
+
+			CVE-2010-3613, VU#706148. [RT #22288]
+
+2969.	[security]	Fix acl type processing so that allow-query works
+			in options and view statements.  Also add a new
+			set of tests to verify proper functioning.
+
+			CVE-2010-3615, VU#510208. [RT #22418]
+
+2968.	[security]	Named could fail to prove a data set was insecure
+			before marking it as insecure.  One set of conditions
+			that can trigger this occurs naturally when rolling
+			DNSKEY algorithms.
+
+			CVE-2010-3614, VU#837744. [RT #22309]
+
+2967.	[bug]		'host -D' now turns on debugging messages earlier.
+			[RT #22361]
+
+2966.	[bug]		isc_print_vsnprintf() failed to check if there was
+			space available in the buffer when adding a left
+			justified character with a non zero width,
+			(e.g. "%-1c"). [RT #22270]
+
+2964.	[bug]		view->queryacl was being overloaded.  Seperate the
+			usage into view->queryacl, view->cacheacl and
+			view->queryonacl. [RT #22114]
+
+2962.	[port]		win32: add more dependencies to BINDBuild.dsw.
+			[RT #22062]
+
+2952.	[port]		win32: named-checkzone and named-checkconf failed
+			to initialise winsock. [RT #21932]
+
+2951.	[bug]		named failed to generate a correct signed response
+			in a optout, delegation only zone with no secure
+			delegations. [RT #22007]
+
+	--- 9.6-ESV-R2 released ---
+
+2939.	[func]		Check that named successfully skips NSEC3 records
+			that fail to match the NSEC3PARAM record currently
+			in use. [RT# 21868]
+
+2937.	[bug]		Worked around an apparent race condition in over
+			memory conditions.  Without this fix a DNS cache DB or
+			ADB could incorrectly stay in an over memory state,
+			effectively refusing further caching, which
+			subsequently made a BIND 9 caching server unworkable.
+			This fix prevents this problem from happening by
+			polling the state of the memory context, rather than
+			making a copy of the state, which appeared to cause
+			a race.  This is a "workaround" in that it doesn't
+			solve the possible race per se, but several experiments
+			proved this change solves the symptom.  Also, the
+			polling overhead hasn't been reported to be an issue.
+			This bug should only affect a caching server that
+			specifies a finite max-cache-size.  It's also quite
+			likely that the bug happens only when enabling threads,
+			but it's not confirmed yet. [RT #21818]
+
+2925.	[bug]		Named failed to accept uncachable negative responses
+			from insecure zones. [RT# 21555]
+
+2921.	[bug]		The resolver could attempt to destroy a fetch context
+			too soon.  [RT #19878]
+
+2900.	[bug]		The placeholder negative caching element was not
+			properly constructed triggering a INSIST in
+			dns_ncache_towire(). [RT #21346]
+
+2890.	[bug]		Handle the introduction of new trusted-keys and
+			DS, DLV RRsets better. [RT #21097]
+
+2869.	[bug]		Fix arguments to dns_keytable_findnextkeynode() call.
+			[RT #20877]
+
+	--- 9.6-ESV-R1 released ---
+
+2876.	[bug]		Named could return SERVFAIL for negative responses
+			from unsigned zones. [RT #21131]
+
+	--- 9.6-ESV released ---
+
+2852.	[bug]		Handle broken DNSSEC trust chains better. [RT #15619]
+
 	--- 9.6.2 released ---
 
 2850.	[bug]		If isc_heap_insert() failed due to memory shortage

RELEASE-NOTES-BIND-9.6.3.html

@@ -1,165 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title></title><link rel="stylesheet" href="release-notes.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article"><div class="titlepage"><hr /></div>
-
-  <div class="section" title="Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3026830"></a>Introduction</h2></div></div></div>
-    
-    <p>
-			BIND 9.6.3 is the current release of BIND 9.6.
-		</p>
-    <p>
-			This document summarizes changes from BIND 9.6.2-P2 to BIND 9.6.3.
-			Please see the CHANGES file in the source code release for a
-			complete list of all changes.
-		</p>
-  </div>
-
-  <div class="section" title="Download"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3893341"></a>Download</h2></div></div></div>
-    
-    <p>
-			The latest development version of BIND 9 software can always be found
-	 		on our web site at
-      <a class="ulink" href="http://www.isc.org/downloads/development" target="_top">http://www.isc.org/downloads/development</a>.
-  		There you will find additional information about each release,
- 			source code, and some pre-compiled versions for certain operating
- 			systems.
-		</p>
-  </div>
-
-  <div class="section" title="Support"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3026768"></a>Support</h2></div></div></div>
-    
-    <p>Product support information is available on
-      <a class="ulink" href="http://www.isc.org/services/support" target="_top">http://www.isc.org/services/support</a>
-      for paid support options.  Free support is provided by our user
- 			community via a mailing list.  Information on all public email
- 			lists is available at
-      <a class="ulink" href="https://lists.isc.org/mailman/listinfo" target="_top">https://lists.isc.org/mailman/listinfo</a>.
-    </p>
-  </div>
-
-  <div class="section" title="New Features"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3893404"></a>New Features</h2></div></div></div>
-    
-		<div class="section" title="9.6.3"><div class="titlepage"><div><div><h3 class="title"><a id="id3893409"></a>9.6.3</h3></div></div></div>
-			
-			<p>None.</p>
-		</div>
-	</div>
-
-  <div class="section" title="Feature Changes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3893420"></a>Feature Changes</h2></div></div></div>
-    
-		<div class="section" title="9.6.3"><div class="titlepage"><div><div><h3 class="title"><a id="id3893425"></a>9.6.3</h3></div></div></div>
-			
-			<p>None.</p>
-		</div>
-  </div>
-
-  <div class="section" title="Security Fixes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3893436"></a>Security Fixes</h2></div></div></div>
-    
-		<div class="section" title="9.6.2-P3"><div class="titlepage"><div><div><h3 class="title"><a id="id3893441"></a>9.6.2-P3</h3></div></div></div>
-			
-	    <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
-				 	Adding a NO DATA signed negative response to cache failed to clear
-				  any matching RRSIG records already in cache. A subsequent lookup
-				  of the cached NO DATA entry could crash named (INSIST) when the
-				  unexpected RRSIG was also returned with the NO DATA cache entry.
-				  [RT #22288] [CVE-2010-3613] [VU#706148]
-				</li><li class="listitem">
-					BIND, acting as a DNSSEC validator, was determining if the NS RRset
-				  is insecure based on a value that could mean either that the RRset
-				  is actually insecure or that there wasn't a matching key for the RRSIG
-				  in the DNSKEY RRset when resuming from validating the DNSKEY RRset.
-				  This can happen when in the middle of a DNSKEY algorithm rollover,
-				  when two different algorithms were used to sign a zone but only the
-				  new set of keys are in the zone DNSKEY RRset.
-					[RT #22309] [CVE-2010-3614] [VU#837744]
-				</li></ul></div>
-		</div>
-  </div>
-
-  <div class="section" title="Bug Fixes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3026756"></a>Bug Fixes</h2></div></div></div>
-    
-			<div class="section" title="9.6.3"><div class="titlepage"><div><div><h3 class="title"><a id="id3026817"></a>9.6.3</h3></div></div></div>
-			
-	    <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
-				BIND now builds with threads disabled in versions of NetBSD earlier
-                                than 5.0 and with pthreads enabled by default in NetBSD versions 5.0
-                                and higher. Also removes support for unproven-pthreads, mit-pthreads
-                                and ptl2. [RT #19203]
-				</li><li class="listitem">
-				HPUX now correctly defaults to using /dev/poll, which should
-				increase performance. [RT #21919]
-				</li><li class="listitem">
-			        If named is running as a threaded application, after an "rndc stop"
-			        command has been issued, other inbound TCP requests can cause named
-			        to hang and never complete shutdown. [RT #22108]
-				</li><li class="listitem">
-				When performing a GSS-TSIG signed dynamic zone update, memory could be
-				leaked. This causes an unclean shutdown and may affect long-running
-				servers. [RT #22573]
-				</li><li class="listitem">
-                                A bug in NetBSD and FreeBSD kernels with SO_ACCEPTFILTER enabled allows
-                                for a TCP DoS attack. Until there is a kernel fix, ISC is disabling
-                                SO_ACCEPTFILTER support in BIND. [RT #22589]
-				</li><li class="listitem">
-				Corrected a defect where a combination of dynamic updates and zone 
-				transfers incorrectly locked the in-memory zone database, causing
-				named to freeze. [RT #22614]
-				</li><li class="listitem">
-                                Don't run MX checks (check-mx) when the MX record points to ".".
-                                [RT #22645]
-				</li><li class="listitem">
-                                DST key reference counts can now be incremented via dst_key_attach.
-                                [RT #22672]
-				</li><li class="listitem">
-				isc_mutex_init_errcheck() in phtreads/mutex.c failed to destroy attr. [RT #22766]
-				</li><li class="listitem">
-                                 The Kerberos realm was being truncated when being pulled from the
-                                 the host prinicipal, make krb5-self updates fail. [RT #22770]
-				</li><li class="listitem">
-				named failed to preserve the case of domain names in RDATA which is not compressible when writing master files. [RT #22863]
-				</li><li class="listitem">
-There was a bug in how the clients-per-query code worked with some
-query patterns. This could result, in rare circumstances, in having all
-the client query slots filled with queries for the same DNS label,
-essentially ignoring the max-clients-per-query setting.
-[RT #22972]
-				</li></ul></div>
-		</div>
-		<div class="section" title="9.6.2-P3"><div class="titlepage"><div><div><h3 class="title"><a id="id3893557"></a>9.6.2-P3</h3></div></div></div>
-			
-	    <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
-					Worked around a race condition in the cache database memory
-					handling.  Without this fix a DNS cache DB or ADB could
-					incorrectly stay in an over memory state, effectively refusing
-					further caching, which subsequently made a BIND 9 caching
-					server unworkable.
-					[RT #21818]
-				</li><li class="listitem">
-					Microsoft changed the behavior of sockets between NT/XP based
-				  stacks vs Vista/windows7 stacks. Server 2003/2008 have the older
-				  behavior, 2008r2 has the new behavior. With the change, different
-				  error results are possible, so ISC adapted BIND to handle the new
-				  error results.
-				  This resolves an issue where sockets would shut down on
-				  Windows servers causing named to stop responding to queries.
-					[RT #21906]
-				</li><li class="listitem">
-				 	Windows has non-POSIX compliant behavior in its rename() and unlink()
-				  calls. This caused journal compaction to fail on Windows BIND servers
-				  with the log error: "dns_journal_compact failed: failure".
-					[RT #22434]
-				</li></ul></div>
-
-		</div>
-  </div>
-
-  <div class="section" title="Thank You"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3893594"></a>Thank You</h2></div></div></div>
-    
-    <p>
-      Thank you to everyone who assisted us in making this release possible.
-      If you would like to contribute to ISC to assist us in continuing to make
-      quality open source software, please visit our donations page at
-      <a class="ulink" href="http://www.isc.org/supportisc" target="_top">http://www.isc.org/supportisc</a>.
-    </p>
-  </div>
-</div></body></html>

RELEASE-NOTES-BIND-9.6.3.txt

@@ -1,118 +0,0 @@
-     __________________________________________________________________
-
-Introduction
-
-   BIND 9.6.3 is the current release of BIND 9.6.
-
-   This document summarizes changes from BIND 9.6.2-P2 to BIND 9.6.3.
-   Please see the CHANGES file in the source code release for a complete
-   list of all changes.
-
-Download
-
-   The latest development version of BIND 9 software can always be found
-   on our web site at http://www.isc.org/downloads/development. There you
-   will find additional information about each release, source code, and
-   some pre-compiled versions for certain operating systems.
-
-Support
-
-   Product support information is available on
-   http://www.isc.org/services/support for paid support options. Free
-   support is provided by our user community via a mailing list.
-   Information on all public email lists is available at
-   https://lists.isc.org/mailman/listinfo.
-
-New Features
-
-9.6.3
-
-   None.
-
-Feature Changes
-
-9.6.3
-
-   None.
-
-Security Fixes
-
-9.6.2-P3
-
-     * Adding a NO DATA signed negative response to cache failed to clear
-       any matching RRSIG records already in cache. A subsequent lookup of
-       the cached NO DATA entry could crash named (INSIST) when the
-       unexpected RRSIG was also returned with the NO DATA cache entry.
-       [RT #22288] [CVE-2010-3613] [VU#706148]
-     * BIND, acting as a DNSSEC validator, was determining if the NS RRset
-       is insecure based on a value that could mean either that the RRset
-       is actually insecure or that there wasn't a matching key for the
-       RRSIG in the DNSKEY RRset when resuming from validating the DNSKEY
-       RRset. This can happen when in the middle of a DNSKEY algorithm
-       rollover, when two different algorithms were used to sign a zone
-       but only the new set of keys are in the zone DNSKEY RRset. [RT
-       #22309] [CVE-2010-3614] [VU#837744]
-
-Bug Fixes
-
-9.6.3
-
-     * BIND now builds with threads disabled in versions of NetBSD earlier
-       than 5.0 and with pthreads enabled by default in NetBSD versions
-       5.0 and higher. Also removes support for unproven-pthreads,
-       mit-pthreads and ptl2. [RT #19203]
-     * HPUX now correctly defaults to using /dev/poll, which should
-       increase performance. [RT #21919]
-     * If named is running as a threaded application, after an "rndc stop"
-       command has been issued, other inbound TCP requests can cause named
-       to hang and never complete shutdown. [RT #22108]
-     * When performing a GSS-TSIG signed dynamic zone update, memory could
-       be leaked. This causes an unclean shutdown and may affect
-       long-running servers. [RT #22573]
-     * A bug in NetBSD and FreeBSD kernels with SO_ACCEPTFILTER enabled
-       allows for a TCP DoS attack. Until there is a kernel fix, ISC is
-       disabling SO_ACCEPTFILTER support in BIND. [RT #22589]
-     * Corrected a defect where a combination of dynamic updates and zone
-       transfers incorrectly locked the in-memory zone database, causing
-       named to freeze. [RT #22614]
-     * Don't run MX checks (check-mx) when the MX record points to ".".
-       [RT #22645]
-     * DST key reference counts can now be incremented via dst_key_attach.
-       [RT #22672]
-     * isc_mutex_init_errcheck() in phtreads/mutex.c failed to destroy
-       attr. [RT #22766]
-     * The Kerberos realm was being truncated when being pulled from the
-       the host prinicipal, make krb5-self updates fail. [RT #22770]
-     * named failed to preserve the case of domain names in RDATA which is
-       not compressible when writing master files. [RT #22863]
-     * There was a bug in how the clients-per-query code worked with some
-       query patterns. This could result, in rare circumstances, in having
-       all the client query slots filled with queries for the same DNS
-       label, essentially ignoring the max-clients-per-query setting. [RT
-       #22972]
-
-9.6.2-P3
-
-     * Worked around a race condition in the cache database memory
-       handling. Without this fix a DNS cache DB or ADB could incorrectly
-       stay in an over memory state, effectively refusing further caching,
-       which subsequently made a BIND 9 caching server unworkable. [RT
-       #21818]
-     * Microsoft changed the behavior of sockets between NT/XP based
-       stacks vs Vista/windows7 stacks. Server 2003/2008 have the older
-       behavior, 2008r2 has the new behavior. With the change, different
-       error results are possible, so ISC adapted BIND to handle the new
-       error results. This resolves an issue where sockets would shut down
-       on Windows servers causing named to stop responding to queries. [RT
-       #21906]
-     * Windows has non-POSIX compliant behavior in its rename() and
-       unlink() calls. This caused journal compaction to fail on Windows
-       BIND servers with the log error: "dns_journal_compact failed:
-       failure". [RT #22434]
-
-Thank You
-
-   Thank you to everyone who assisted us in making this release possible.
-   If you would like to contribute to ISC to assist us in continuing to
-   make quality open source software, please visit our donations page at
-   http://www.isc.org/supportisc.

bin/tests/system/dlv/clean.sh

@@ -14,17 +14,30 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: clean.sh,v 1.5.250.2 2010/05/27 23:48:19 tbox Exp $
+# $Id: clean.sh,v 1.5.250.2.6.1 2011/05/27 00:19:17 each Exp $
 
 rm -f random.data
 rm -f ns*/named.run
+rm -f ns1/K*
+rm -f ns1/dsset-*
+rm -f ns1/*.signed
+rm -f ns1/signer.err
+rm -f ns1/root.db
+rm -f ns2/K*
+rm -f ns2/dlvset-*
+rm -f ns2/dsset-*
+rm -f ns2/*.signed
+rm -f ns2/*.pre
+rm -f ns2/signer.err
+rm -f ns2/druz.db
 rm -f ns3/K*
 rm -f ns3/*.db
 rm -f ns3/*.signed
 rm -f ns3/dlvset-*
 rm -f ns3/dsset-*
 rm -f ns3/keyset-*
-rm -f ns3/trusted.conf ns5/trusted.conf
+rm -f ns1/trusted.conf ns5/trusted.conf
+rm -f ns3/trusted-dlv.conf ns5/trusted-dlv.conf
 rm -f ns3/signer.err
 rm -f ns6/K*
 rm -f ns6/*.db

bin/tests/system/dlv/ns1/named.conf

@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.4 2007/06/19 23:47:02 tbox Exp $ */
+/* $Id: named.conf,v 1.4.964.1 2011/05/27 00:19:17 each Exp $ */
 
 controls { /* empty */ };
 
@@ -28,8 +28,8 @@ options {
 	listen-on-v6 { none; };
 	recursion no;
 	notify yes;
-	dnssec-enable no;
+	dnssec-enable yes;
 };
 
-zone "." { type master; file "root.db"; };
+zone "." { type master; file "root.signed"; };
 zone "rootservers.utld" { type master; file "rootservers.utld.db"; };

bin/tests/system/dlv/ns1/root.db.in

@@ -12,7 +12,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: root.db,v 1.4 2007/06/19 23:47:02 tbox Exp $
+; $Id: root.db.in,v 1.3.2.2 2011/05/27 00:19:17 each Exp $
 
 $TTL	120
 @		SOA	ns.rootservers.utld hostmaster.ns.rootservers.utld (
@@ -22,3 +22,5 @@ ns		A	10.53.0.1
 ;
 utld		NS	ns.utld
 ns.utld		A	10.53.0.2
+druz		NS	ns.druz
+ns.druz		A	10.53.0.2

bin/tests/system/dlv/ns1/sign.sh

@@ -0,0 +1,52 @@
+#!/bin/sh
+#
+# Copyright (C) 2004, 2007, 2009, 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: sign.sh,v 1.3.2.2 2011/05/27 00:19:17 each Exp $
+
+(cd ../ns2 && sh -e ./sign.sh || exit 1)
+
+echo "I:dlv/ns1/sign.sh"
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+RANDFILE=../random.data
+
+zone=.
+infile=root.db.in
+zonefile=root.db
+outfile=root.signed
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` 
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -r $RANDFILE -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+
+echo "I: signed $zone"
+
+grep -v '^;' $keyname2.key | $PERL -n -e '
+local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
+local $key = join("", @rest);
+print <<EOF
+trusted-keys {
+    "$dn" $flags $proto $alg "$key";
+};
+EOF
+' > trusted.conf
+cp trusted.conf ../ns5
+

bin/tests/system/dlv/ns2/druz.db.in

@@ -0,0 +1,54 @@
+; Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: druz.db.in,v 1.4.2.2 2011/05/27 00:19:18 each Exp $
+
+$TTL	120
+@		SOA	ns hostmaster.ns 1 3600 1200 604800 60
+@		NS	ns
+ns		A	10.53.0.2
+;
+rootservers	NS	ns.rootservers
+ns.rootservers	A	10.53.0.1
+;
+;
+child1		NS	ns.child1
+ns.child1	A	10.53.0.3
+;
+child2		NS	ns.child2
+ns.child2	A	10.53.0.4
+;
+child3		NS	ns.child3
+ns.child3	A	10.53.0.3
+;
+child4		NS	ns.child4
+ns.child4	A	10.53.0.3
+;
+child5		NS	ns.child5
+ns.child5	A	10.53.0.3
+;
+child6		NS	ns.child6
+ns.child6	A	10.53.0.4
+;
+child7		NS	ns.child7
+ns.child7	A	10.53.0.3
+;
+child8		NS	ns.child8
+ns.child8	A	10.53.0.3
+;
+child9		NS	ns.child9
+ns.child9	A	10.53.0.3
+;
+child10		NS	ns.child10
+ns.child10	A	10.53.0.3

bin/tests/system/dlv/ns2/named.conf

@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.4 2007/06/19 23:47:02 tbox Exp $ */
+/* $Id: named.conf,v 1.4.964.1 2011/05/27 00:19:18 each Exp $ */
 
 controls { /* empty */ };
 
@@ -28,8 +28,9 @@ options {
 	listen-on-v6 { none; };
 	recursion no;
 	notify yes;
-	dnssec-enable no;
+	dnssec-enable yes;
 };
 
 zone "." { type hint; file "hints"; };
 zone "utld" { type master; file "utld.db"; };
+zone "druz" { type master; file "druz.signed"; };

bin/tests/system/dlv/ns2/sign.sh

@@ -0,0 +1,44 @@
+#!/bin/sh
+#
+# Copyright (C) 2004, 2007, 2009, 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: sign.sh,v 1.3.2.2 2011/05/27 00:19:18 each Exp $
+
+(cd ../ns3 && sh -e ./sign.sh || exit 1)
+
+echo "I:dlv/ns2/sign.sh"
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+RANDFILE=../random.data
+
+zone=druz.
+infile=druz.db.in
+zonefile=druz.db
+outfile=druz.pre
+dlvzone=utld.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` 
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -r $RANDFILE -l $dlvzone -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+
+$CHECKZONE -q -D -i none druz druz.pre |
+sed '/IN DNSKEY/s/\([a-z0-9A-Z/]\{10\}\)[a-z0-9A-Z/]\{16\}/\1XXXXXXXXXXXXXXXX/'> druz.signed
+
+echo "I: signed $zone"

bin/tests/system/dlv/ns3/named.conf

@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.4 2007/06/19 23:47:02 tbox Exp $ */
+/* $Id: named.conf,v 1.4.964.1 2011/05/27 00:19:18 each Exp $ */
 
 controls { /* empty */ };
 
@@ -41,3 +41,11 @@ zone "child7.utld" { type master; file "child7.signed"; };	// no dlv
 zone "child8.utld" { type master; file "child8.signed"; };	// no dlv
 zone "child9.utld" { type master; file "child9.signed"; };	// dlv
 zone "child10.utld" { type master; file "child.db.in"; }; 	// dlv unsigned
+zone "child1.druz" { type master; file "child1.druz.signed"; };	// dlv
+zone "child3.druz" { type master; file "child3.druz.signed"; };	// dlv
+zone "child4.druz" { type master; file "child4.druz.signed"; };	// dlv
+zone "child5.druz" { type master; file "child5.druz.signed"; };	// dlv
+zone "child7.druz" { type master; file "child7.druz.signed"; };	// no dlv
+zone "child8.druz" { type master; file "child8.druz.signed"; };	// no dlv
+zone "child9.druz" { type master; file "child9.druz.signed"; };	// dlv
+zone "child10.druz" { type master; file "child.db.in"; }; 	// dlv unsigned

bin/tests/system/dlv/ns3/sign.sh

@@ -14,21 +14,24 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: sign.sh,v 1.4.332.2 2010/05/27 23:48:19 tbox Exp $
+# $Id: sign.sh,v 1.4.332.2.6.1 2011/05/27 00:19:18 each Exp $
 
 (cd ../ns6 && sh -e sign.sh)
 
+echo "I:dlv/ns3/sign.sh"
+
 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
 
 RANDFILE=../random.data
+dlvzone=dlv.utld.
 dlvsets=
+dssets=
 
 zone=child1.utld.
 infile=child.db.in
 zonefile=child1.utld.db
 outfile=child1.signed
-dlvzone=dlv.utld.
 dlvsets="$dlvsets dlvset-$zone"
 
 keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` 
@@ -44,7 +47,6 @@ zone=child3.utld.
 infile=child.db.in
 zonefile=child3.utld.db
 outfile=child3.signed
-dlvzone=dlv.utld.
 dlvsets="$dlvsets dlvset-$zone"
 
 keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
@@ -60,7 +62,6 @@ zone=child4.utld.
 infile=child.db.in
 zonefile=child4.utld.db
 outfile=child4.signed
-dlvzone=dlv.utld.
 dlvsets="$dlvsets dlvset-$zone"
 
 keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
@@ -76,7 +77,6 @@ zone=child5.utld.
 infile=child.db.in
 zonefile=child5.utld.db
 outfile=child5.signed
-dlvzone=dlv.utld.
 dlvsets="$dlvsets dlvset-$zone"
 
 keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
@@ -92,7 +92,6 @@ zone=child7.utld.
 infile=child.db.in
 zonefile=child7.utld.db
 outfile=child7.signed
-dlvzone=dlv.utld.
 
 keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
 keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
@@ -107,7 +106,6 @@ zone=child8.utld.
 infile=child.db.in
 zonefile=child8.utld.db
 outfile=child8.signed
-dlvzone=dlv.utld.
 
 keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
 keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
@@ -122,7 +120,6 @@ zone=child9.utld.
 infile=child.db.in
 zonefile=child9.utld.db
 outfile=child9.signed
-dlvzone=dlv.utld.
 dlvsets="$dlvsets dlvset-$zone"
 
 keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
@@ -137,7 +134,6 @@ zone=child10.utld.
 infile=child.db.in
 zonefile=child10.utld.db
 outfile=child10.signed
-dlvzone=dlv.utld.
 dlvsets="$dlvsets dlvset-$zone"
 
 keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
@@ -148,12 +144,133 @@ cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile
 $SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo "I: signed $zone"
 
+zone=child1.druz.
+infile=child.db.in
+zonefile=child1.druz.db
+outfile=child1.druz.signed
+dlvsets="$dlvsets dlvset-$zone"
+dssets="$dssets dsset-$zone"
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` 
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile
+
+$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=child3.druz.
+infile=child.db.in
+zonefile=child3.druz.db
+outfile=child3.druz.signed
+dlvsets="$dlvsets dlvset-$zone"
+dssets="$dssets dsset-$zone"
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile
+
+$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=child4.druz.
+infile=child.db.in
+zonefile=child4.druz.db
+outfile=child4.druz.signed
+dlvsets="$dlvsets dlvset-$zone"
+dssets="$dssets dsset-$zone"
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=child5.druz.
+infile=child.db.in
+zonefile=child5.druz.db
+outfile=child5.druz.signed
+dlvsets="$dlvsets dlvset-$zone"
+dssets="$dssets dsset-$zone"
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile
+
+$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=child7.druz.
+infile=child.db.in
+zonefile=child7.druz.db
+outfile=child7.druz.signed
+dssets="$dssets dsset-$zone"
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile
+
+$SIGNER -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=child8.druz.
+infile=child.db.in
+zonefile=child8.druz.db
+outfile=child8.druz.signed
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=child9.druz.
+infile=child.db.in
+zonefile=child9.druz.db
+outfile=child9.druz.signed
+dlvsets="$dlvsets dlvset-$zone"
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+zone=child10.druz.
+infile=child.db.in
+zonefile=child10.druz.db
+outfile=child10.druz.signed
+dlvsets="$dlvsets dlvset-$zone"
+dssets="$dssets dsset-$zone"
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
 
 zone=dlv.utld.
 infile=dlv.db.in
 zonefile=dlv.utld.db
 outfile=dlv.signed
-dlvzone=dlv.utld.
 
 keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
 keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
@@ -172,5 +289,7 @@ trusted-keys {
     "$dn" $flags $proto $alg "$key";
 };
 EOF
-' > trusted.conf
-cp trusted.conf ../ns5
+' > trusted-dlv.conf
+cp trusted-dlv.conf ../ns5
+
+cp $dssets ../ns2

bin/tests/system/dlv/ns5/named.conf

@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.8 2007/06/18 23:47:28 tbox Exp $ */
+/* $Id: named.conf,v 1.8.964.1 2011/05/27 00:19:18 each Exp $ */
 
 /*
  * Choose a keyname that is unlikely to clash with any real key names.
@@ -46,6 +46,7 @@ controls {
 };
 
 include "trusted.conf";
+include "trusted-dlv.conf";
 
 options {
 	query-source address 10.53.0.5;

bin/tests/system/dlv/ns6/named.conf

@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.2.4.2 2010/05/27 23:48:19 tbox Exp $ */
+/* $Id: named.conf,v 1.2.4.2.6.1 2011/05/27 00:19:18 each Exp $ */
 
 controls { /* empty */ };
 
@@ -40,3 +40,11 @@ zone "grand.child7.utld" { type master; file "grand.child7.signed"; };
 zone "grand.child8.utld" { type master; file "grand.child8.signed"; };
 zone "grand.child9.utld" { type master; file "grand.child9.signed"; };
 zone "grand.child10.utld" { type master; file "grand.child.db.in"; };
+zone "grand.child1.druz" { type master; file "grand.child1.druz.signed"; };
+zone "grand.child3.druz" { type master; file "grand.child3.druz.signed"; };
+zone "grand.child4.druz" { type master; file "grand.child4.druz.signed"; };
+zone "grand.child5.druz" { type master; file "grand.child5.druz.signed"; };
+zone "grand.child7.druz" { type master; file "grand.child7.druz.signed"; };
+zone "grand.child8.druz" { type master; file "grand.child8.druz.signed"; };
+zone "grand.child9.druz" { type master; file "grand.child9.druz.signed"; };
+zone "grand.child10.druz" { type master; file "grand.child10.druz.signed"; };

bin/tests/system/dlv/ns6/sign.sh

@@ -14,11 +14,13 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: sign.sh,v 1.2.4.2 2010/05/27 23:48:19 tbox Exp $
+# $Id: sign.sh,v 1.2.4.2.6.1 2011/05/27 00:19:18 each Exp $
 
 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
 
+echo "I:dlv/ns6/sign.sh"
+
 RANDFILE=../random.data
 
 zone=grand.child1.utld.
@@ -137,3 +139,120 @@ cat $infile $keyname1.key $keyname2.key >$zonefile
 
 $SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo "I: signed $zone"
+
+zone=grand.child1.druz.
+infile=child.db.in
+zonefile=grand.child1.druz.db
+outfile=grand.child1.druz.signed
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=grand.child3.druz.
+infile=child.db.in
+zonefile=grand.child3.druz.db
+outfile=grand.child3.druz.signed
+dlvzone=dlv.druz.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=grand.child4.druz.
+infile=child.db.in
+zonefile=grand.child4.druz.db
+outfile=grand.child4.druz.signed
+dlvzone=dlv.druz.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=grand.child5.druz.
+infile=child.db.in
+zonefile=grand.child5.druz.db
+outfile=grand.child5.druz.signed
+dlvzone=dlv.druz.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=grand.child7.druz.
+infile=child.db.in
+zonefile=grand.child7.druz.db
+outfile=grand.child7.druz.signed
+dlvzone=dlv.druz.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=grand.child8.druz.
+infile=child.db.in
+zonefile=grand.child8.druz.db
+outfile=grand.child8.druz.signed
+dlvzone=dlv.druz.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=grand.child9.druz.
+infile=child.db.in
+zonefile=grand.child9.druz.db
+outfile=grand.child9.druz.signed
+dlvzone=dlv.druz.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+zone=grand.child10.druz.
+infile=child.db.in
+zonefile=grand.child10.druz.db
+outfile=grand.child10.druz.signed
+dlvzone=dlv.druz.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"

bin/tests/system/dlv/setup.sh

@@ -14,8 +14,8 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: setup.sh,v 1.4 2007/06/19 23:47:02 tbox Exp $
+# $Id: setup.sh,v 1.4.424.1 2011/05/27 00:19:17 each Exp $
 
 ../../genrandom 400 random.data
 
-(cd ns3 && sh -e sign.sh)
+(cd ns1 && sh -e sign.sh)

bin/tests/system/dlv/tests.sh

@@ -14,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.4.332.2 2010/05/27 23:48:19 tbox Exp $
+# $Id: tests.sh,v 1.4.332.2.6.1 2011/05/27 00:19:17 each Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
@@ -42,5 +42,21 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+echo "I:checking that SOA reference by DLV in a DRUZ with DS validates as secure ($n)"
+ret=0
+$DIG $DIGOPTS child1.druz soa @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking that child SOA reference by DLV in a DRUZ with DS validates as secure ($n)"
+ret=0
+$DIG $DIGOPTS grand.child1.druz soa @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:exit status: $status"
 exit $status

lib/dns/api

@@ -1,3 +1,3 @@
 LIBINTERFACE = 59
-LIBREVISION = 2
+LIBREVISION = 4
 LIBAGE = 1

lib/dns/include/dns/masterdump.h

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: masterdump.h,v 1.42 2008/09/24 02:46:23 marka Exp $ */
+/* $Id: masterdump.h,v 1.42.602.1 2011/05/27 00:19:19 each Exp $ */
 
 #ifndef DNS_MASTERDUMP_H
 #define DNS_MASTERDUMP_H 1
@@ -332,9 +332,6 @@ dns_master_stylecreate(dns_master_style_t **style, unsigned int flags,
 void
 dns_master_styledestroy(dns_master_style_t **style, isc_mem_t *mctx);
 
-const char *
-dns_trust_totext(dns_trust_t trust);
-
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_MASTERDUMP_H */

lib/dns/include/dns/rdataset.h

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdataset.h,v 1.65.50.4 2010/02/25 10:56:41 tbox Exp $ */
+/* $Id: rdataset.h,v 1.65.50.4.6.1 2011/05/27 00:19:19 each Exp $ */
 
 #ifndef DNS_RDATASET_H
 #define DNS_RDATASET_H 1
@@ -650,6 +650,12 @@ dns_rdataset_expire(dns_rdataset_t *rdataset);
  * Mark the rdataset to be expired in the backing database.
  */
 
+const char *
+dns_trust_totext(dns_trust_t trust);
+/*%<
+ * Display trust in textual form.
+ */
+
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_RDATASET_H */

lib/dns/masterdump.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: masterdump.c,v 1.94.50.3 2009/11/18 00:15:37 marka Exp $ */
+/* $Id: masterdump.c,v 1.94.50.3.18.1 2011/05/27 00:19:19 each Exp $ */
 
 /*! \file */
 
@@ -773,26 +773,6 @@ dump_order_compare(const void *a, const void *b) {
 
 #define MAXSORT 64
 
-static const char *trustnames[] = {
-	"none",
-	"pending-additional",
-	"pending-answer",
-	"additional",
-	"glue",
-	"answer",
-	"authauthority",
-	"authanswer",
-	"secure",
-	"local" /* aka ultimate */
-};
-
-const char *
-dns_trust_totext(dns_trust_t trust) {
-	if (trust >= sizeof(trustnames)/sizeof(*trustnames))
-		return ("bad");
-	return (trustnames[trust]);
-}
-
 static isc_result_t
 dump_rdatasets_text(isc_mem_t *mctx, dns_name_t *name,
 		    dns_rdatasetiter_t *rdsiter, dns_totext_ctx_t *ctx,
@@ -832,10 +812,7 @@ dump_rdatasets_text(isc_mem_t *mctx, dns_name_t *name,
 	for (i = 0; i < n; i++) {
 		dns_rdataset_t *rds = sorted[i];
 		if (ctx->style.flags & DNS_STYLEFLAG_TRUST) {
-			unsigned int trust = rds->trust;
-			INSIST(trust < (sizeof(trustnames) /
-					sizeof(trustnames[0])));
-			fprintf(f, "; %s\n", trustnames[trust]);
+			fprintf(f, "; %s\n", dns_trust_totext(rds->trust));
 		}
 		if (rds->type == 0 &&
 		    (ctx->style.flags & DNS_STYLEFLAG_NCACHE) == 0) {

lib/dns/ncache.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ncache.c,v 1.43.48.7 2010/05/19 09:53:46 marka Exp $ */
+/* $Id: ncache.c,v 1.43.48.7.6.1 2011/05/27 00:19:19 each Exp $ */
 
 /*! \file */
 
@@ -186,7 +186,7 @@ dns_ncache_addoptout(dns_message_t *message, dns_db_t *cache,
 					 */
 					isc_buffer_availableregion(&buffer,
 								   &r);
-					if (r.length < 2)
+					if (r.length < 3)
 						return (ISC_R_NOSPACE);
 					isc_buffer_putuint16(&buffer,
 							     rdataset->type);

lib/dns/rdataset.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdataset.c,v 1.82.50.4 2010/02/25 10:56:41 tbox Exp $ */
+/* $Id: rdataset.c,v 1.82.50.4.6.1 2011/05/27 00:19:19 each Exp $ */
 
 /*! \file */
 
@@ -34,6 +34,26 @@
 #include <dns/rdataset.h>
 #include <dns/compress.h>
 
+static const char *trustnames[] = {
+	"none",
+	"pending-additional",
+	"pending-answer",
+	"additional",
+	"glue",
+	"answer",
+	"authauthority",
+	"authanswer",
+	"secure",
+	"local" /* aka ultimate */
+};
+
+const char *
+dns_trust_totext(dns_trust_t trust) {
+	if (trust >= sizeof(trustnames)/sizeof(*trustnames))
+		return ("bad");
+	return (trustnames[trust]);
+}
+
 void
 dns_rdataset_init(dns_rdataset_t *rdataset) {
 

lib/dns/validator.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.c,v 1.164.12.23 2010/11/16 02:23:44 marka Exp $ */
+/* $Id: validator.c,v 1.164.12.23.4.1 2011/05/27 00:19:19 each Exp $ */
 
 #include <config.h>
 
@@ -420,7 +420,8 @@ fetch_callback_validator(isc_task_t *task, isc_event_t *event) {
 		validator_done(val, ISC_R_CANCELED);
 	} else if (eresult == ISC_R_SUCCESS) {
 		validator_log(val, ISC_LOG_DEBUG(3),
-			      "keyset with trust %d", rdataset->trust);
+			      "keyset with trust %s",
+			      dns_trust_totext(rdataset->trust));
 		/*
 		 * Only extract the dst key if the keyset is secure.
 		 */
@@ -497,7 +498,8 @@ dsfetched(isc_task_t *task, isc_event_t *event) {
 		validator_done(val, ISC_R_CANCELED);
 	} else if (eresult == ISC_R_SUCCESS) {
 		validator_log(val, ISC_LOG_DEBUG(3),
-			      "dsset with trust %d", rdataset->trust);
+			      "dsset with trust %s",
+			       dns_trust_totext(rdataset->trust));
 		val->dsset = &val->frdataset;
 		result = validatezonekey(val);
 		if (result != DNS_R_WAIT)
@@ -651,7 +653,8 @@ keyvalidated(isc_task_t *task, isc_event_t *event) {
 		validator_done(val, ISC_R_CANCELED);
 	} else if (eresult == ISC_R_SUCCESS) {
 		validator_log(val, ISC_LOG_DEBUG(3),
-			      "keyset with trust %d", val->frdataset.trust);
+			      "keyset with trust %s",
+			      dns_trust_totext(val->frdataset.trust));
 		/*
 		 * Only extract the dst key if the keyset is secure.
 		 */
@@ -722,10 +725,10 @@ dsvalidated(isc_task_t *task, isc_event_t *event) {
 		isc_boolean_t have_dsset;
 		dns_name_t *name;
 		validator_log(val, ISC_LOG_DEBUG(3),
-			      "%s with trust %d",
+			      "%s with trust %s",
 			      val->frdataset.type == dns_rdatatype_ds ?
 			      "dsset" : "ds non-existance",
-			      val->frdataset.trust);
+			      dns_trust_totext(val->frdataset.trust));
 		have_dsset = ISC_TF(val->frdataset.type == dns_rdatatype_ds);
 		name = dns_fixedname_name(&val->fname);
 		if ((val->attributes & VALATTR_INSECURITY) != 0 &&
@@ -1376,8 +1379,8 @@ view_find(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) {
 		INSIST(type == dns_rdatatype_dlv);
 		if (val->frdataset.trust != dns_trust_secure) {
 			validator_log(val, ISC_LOG_DEBUG(3),
-				      "covering nsec: trust %u",
-				      val->frdataset.trust);
+				      "covering nsec: trust %s",
+				      dns_trust_totext(val->frdataset.trust));
 			goto notfound;
 		}
 		result = dns_rdataset_first(&val->frdataset);
@@ -1706,8 +1709,8 @@ get_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo) {
 			 * See if we've got the key used in the signature.
 			 */
 			validator_log(val, ISC_LOG_DEBUG(3),
-				      "keyset with trust %d",
-				      val->frdataset.trust);
+				      "keyset with trust %s",
+				      dns_trust_totext(val->frdataset.trust));
 			result = get_dst_key(val, siginfo, val->keyset);
 			if (result != ISC_R_SUCCESS) {
 				/*
@@ -2411,8 +2414,11 @@ validatezonekey(dns_validator_t *val) {
 				      "must be secure failure");
 			return (DNS_R_MUSTBESECURE);
 		}
-		markanswer(val, "validatezonekey (2)");
-		return (ISC_R_SUCCESS);
+		if (val->view->dlv == NULL || DLVTRIED(val)) {
+			markanswer(val, "validatezonekey (2)");
+			return (ISC_R_SUCCESS);
+		}
+		return (startfinddlvsep(val, val->event->name));
 	}
 
 	/*
@@ -3195,7 +3201,8 @@ dlvvalidated(isc_task_t *task, isc_event_t *event) {
 		validator_done(val, ISC_R_CANCELED);
 	} else if (eresult == ISC_R_SUCCESS) {
 		validator_log(val, ISC_LOG_DEBUG(3),
-			      "dlvset with trust %d", val->frdataset.trust);
+			      "dlvset with trust %s",
+			      dns_trust_totext(val->frdataset.trust));
 		dns_rdataset_clone(&val->frdataset, &val->dlv);
 		val->havedlvsep = ISC_TRUE;
 		if (dlv_algorithm_supported(val))

lib/dns/win32/libdns.def

@@ -607,6 +607,7 @@ dns_tkey_processgssresponse
 dns_tkey_processquery
 dns_tkeyctx_create
 dns_tkeyctx_destroy
+dns_trust_totext
 dns_tsig_sign
 dns_tsig_verify
 dns_tsigkey_attach

version

@@ -1,10 +1,10 @@
-# $Id: version,v 1.43.12.11 2011/01/30 06:38:13 marka Exp $
+# $Id: version,v 1.43.12.11.2.2.2.1 2011/05/27 00:19:16 each Exp $
 # 
 # This file must follow /bin/sh rules.  It is imported directly via
 # configure.
 #
 MAJORVER=9
 MINORVER=6
-PATCHVER=3
-RELEASETYPE=
-RELEASEVER=
+PATCHVER=
+RELEASETYPE=-ESV
+RELEASEVER=-R4-P1