silence compiler warning

(cherry picked from commit 01b7d52a9f)

CHANGES

@@ -1,3 +1,97 @@
+	--- 9.7.7 released ---
+
+3383.	[security]	A certain combination of records in the RBT could
+                        cause named to hang while populating the additional
+                        section of a response. [RT #31090]
+
+3373.	[bug]		win32: open raw files in binary mode. [RT #30944]
+
+3364.	[security]	Named could die on specially crafted record.
+			[RT #30416]
+
+	--- 9.7.7rc1 released ---
+
+3369.	[bug]		nsupdate terminated unexpectedly in interactive mode
+			if built with readline support. [RT #29550]
+
+3368.	[bug]		<dns/iptable.h> and <dns/zone.h> were not C++ safe.
+
+3367.	[bug]		dns_dnsseckey_create() result was not being checked.
+			[RT #30685]
+
+3366.	[bug]		Fixed Read-After-Write dependency violation for IA64
+			atomic operations. [RT #25181]
+
+3365.	[bug]		Removed spurious newlines from log messages in
+			zone.c [RT #30675]
+
+3362.	[bug]		Setting some option values to 0 in named.conf
+			could trigger an assertion failure on startup.
+			[RT #27730]
+
+3360.	[bug]		'host -w' could die.  [RT #18723]
+
+3359.	[bug]		An improperly-formed TSIG secret could cause a
+			memory leak. [RT #30607]
+
+3357.	[port]		Add support for libxml2-2.8.x [RT #30440]
+
+3356.	[bug]		Cap the TTL of signed RRsets when RRSIGs are
+			approaching their expiry, so they don't remain
+			in caches after expiry. [RT #26429]
+
+	--- 9.7.7b1 released ---
+
+3354.	[func]		Improve OpenSSL error logging. [RT #29932]
+
+3352.	[bug]		Ensure that learned server attributes timeout of the
+			adb cache. [RT #29856]
+
+3351.	[bug]		isc_mem_put and isc_mem_putanddetach didn't report
+			caller if either ISC_MEM_DEBUGSIZE or ISC_MEM_DEBUGCTX
+			memory debugging flags are set. [RT #30243]
+
+3350.	[bug]		Memory read overrun in isc___mem_reallocate if
+			ISC_MEM_DEBUGCTX memory debugging flag is set.
+			[RT #30240]
+
+3348.	[bug]		Prevent RRSIG data from being cached if a negative
+			record matching the covering type exists at a higher
+			trust level. Such data already can't be retrieved from
+			the cache since change 3218 -- this prevents it
+			being inserted into the cache as well. [RT #26809]
+
+3347.	[bug]		dnssec-settime: Issue a warning when writing a new
+			private key file would cause a change in the
+			permissions of the existing file. [RT #27724]
+
+3346.	[security]	Bad-cache data could be used before it was
+			initialized, causing an assert. [RT #30025]
+
+3342.	[bug]		Change #3314 broke saving of stub zones to disk
+			resulting in excessive cpu usage in some cases.
+			[RT #29952]
+
+3337.	[bug]		Change #3294 broke support for the multiple keys
+			in controls. [RT #29694]
+
+3335.	[func]		nslookup: return a nonzero exit code when unable
+			to get an answer. [RT #29492]
+
+3332.	[bug]		Re-use cached DS rrsets if possible. [RT #29446]
+
+3331.	[security]	dns_rdataslab_fromrdataset could produce bad
+			rdataslabs. [RT #29644]
+
+3329.	[bug]		Handle RRSIG signer-name case consistently: We
+			generate RRSIG records with the signer-name in
+			lower case.  We accept them with any case, but if
+			they fail to validate, we try again in lower case.
+			[RT #27451]
+
+3328.	[bug]		Fixed inconsistent data checking in dst_parse.c.
+			[RT #29401]
+
 	--- 9.7.6 released ---
 
 3318.	[tuning]	Reduce the amount of work performed while holding a

EXCLUDED

@@ -1,3 +1,48 @@
+3370.   [bug]           Address use after free while shutting down. [RT #30241]
+
+3368.   [bug]           <dns/iptable.h>, <dns/private.h> and <dns/zone.h>
+                        were not C++ safe.
+
+3363.   [bug]           Need to allow "forward" and "fowarders" options
+                        in static-stub zones; this had been overlooked.
+                        [RT #30482]
+
+3361.   [bug]           "rndc signing -nsec3param" didn't work correctly
+                        when salt was set to '-' (no salt). [RT #30099]
+
+3355.   [port]          Use more portable awk in verify system test.
+
+3353.   [bug]           Use a single task for task exclusive operations.
+                        [RT #29872]
+
+3349.   [bug]           Change #3345 was incomplete. [RT #30233]
+
+3345.   [bug]           Addressed race condition when removing the last item
+                        or inserting the first item in an ISC_QUEUE.
+                        [RT #29539]
+
+3338.   [bug]           Address race condition in units tests: asyncload_zone
+                        and asyncload_zt. [RT #26100]
+
+3334.   [bug]           Hold a zone table reference while performing a
+                        asyncronous load of a zone. [RT #28326]
+
+3333.   [bug]           Setting resolver-query-timeout too low can cause
+                        named to not recover if it loses connectivity.
+                        [RT #29623]
+
+3324.   [test]          Add better tests for ADB stats [RT #27057]
+
+3317.   [protocol]      Add ECDSA support (RFC 6605). [RT #21918]
+
+3316.   [tuning]        Improved locking performance when recursing.
+                        [RT #28836]
+
+3315.   [tuning]        Use multiple dispatch objects for sending upstream
+                        queries; this can improve performance on busy
+                        multiprocessor systems by reducing lock contention.
+                        [RT #28605]
+
 3312.	[bug]		named-checkconf didn't detect a bad dns64 clients acl.
 			[RT #27631]
 

Makefile.in

@@ -1,4 +1,4 @@
-# Copyright (C) 2004-2009, 2011  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any

README

@@ -48,8 +48,15 @@ BIND 9
 	For a detailed list of user-visible changes from
 	previous releases, see the CHANGES file.
 
-        For up-to-date release notes and errata, see
-        http://www.isc.org/software/bind9/releasenotes
+	For up-to-date release notes and errata, see
+	http://www.isc.org/software/bind9/releasenotes
+
+BIND 9.7.7
+
+	BIND 9.7.7 includes several bug fixes and patches security
+	flaws described in CVE-2012-1667, CVE-2012-3817 and CVE-2012-4244.
+
+	This is the last maintainence release for BIND 9.7.
 
 BIND 9.7.6
 
@@ -71,25 +78,25 @@ BIND 9.7.3
 BIND 9.7.2
 
 	BIND 9.7.2 will address bugs in 9.7.1, and also introduces
-        some new functionality:
+	some new functionality:
 
 	- "rndc loadkeys" to allow new keys to be added to a managed
 	  zone without having them sign the content immediately.
-        - "rndc addzone" and "rndc delzone" allow adding and deleting
-          zones at runtime.  This requires the view to have the
-          "new-zone-file" option set to a filename.  Zone configuration
-          information for new zones is specified in the 'rndc addzone'
-          command line, and is stored in that file.  To make new
+	- "rndc addzone" and "rndc delzone" allow adding and deleting
+	  zones at runtime.  This requires the view to have the
+	  "new-zone-file" option set to a filename.  Zone configuration
+	  information for new zones is specified in the 'rndc addzone'
+	  command line, and is stored in that file.  To make new
 	  zones persist after a restart, "include" the file
 	  into named.conf in the appropriate view.  (Note:
 	  This feature is not yet documented, and its syntax
-          is expected to change.)
-        - "rndc secroots" dumps a list of the current trusted and
-          managed DNSSEC keys for each view.
-        - "filter-aaaa-on-v4" can now be applied selectively to
-          some IPv4 clients but not others, using the "filter-aaaa"
-          ACL.  (This feature requires BIND 9 to be built with
-          the --enable-filter-aaaa configure option.)
+	  is expected to change.)
+	- "rndc secroots" dumps a list of the current trusted and
+	  managed DNSSEC keys for each view.
+	- "filter-aaaa-on-v4" can now be applied selectively to
+	  some IPv4 clients but not others, using the "filter-aaaa"
+	  ACL.  (This feature requires BIND 9 to be built with
+	  the --enable-filter-aaaa configure option.)
 
 BIND 9.7.1
 
@@ -137,7 +144,7 @@ BIND 9.7.0
 	  and update your configuration in a timely manner when keys
 	  roll over.
 
-	- In rare cases, DNSSEC validation can leak memory.  When this 
+	- In rare cases, DNSSEC validation can leak memory.  When this
 	  happens, it will cause an assertion failure when named exits,
 	  but is otherwise harmless.  A fix exists, but was too late for
 	  this release; it will be included in BIND 9.7.1.
@@ -221,15 +228,15 @@ Building
 	configure will affect compilation:
 
 	    CC
-		The C compiler to use.	configure tries to figure
+		The C compiler to use.  configure tries to figure
 		out the right one for supported systems.
 
 	    CFLAGS
 		C compiler flags.  Defaults to include -g and/or -O2
-		as supported by the compiler.  
+		as supported by the compiler.
 
 	    STD_CINCLUDES
-		System header file directories.	 Can be used to specify
+		System header file directories.  Can be used to specify
 		where add-on thread or IPv6 support is, for example.
 		Defaults to empty string.
 
@@ -239,13 +246,13 @@ Building
 
 		Possible settings:
 		Change the default syslog facility of named/lwresd.
-		  -DISC_FACILITY=LOG_LOCAL0	
+		  -DISC_FACILITY=LOG_LOCAL0
 		Enable DNSSEC signature chasing support in dig.
 		  -DDIG_SIGCHASE=1 (sets -DDIG_SIGCHASE_TD=1 and
 				    -DDIG_SIGCHASE_BU=1)
 		Disable dropping queries from particular well known ports.
 		  -DNS_CLIENT_DROPPORT=0
-	        Sibling glue checking in named-checkzone is enabled by default.
+		Sibling glue checking in named-checkzone is enabled by default.
 		To disable the default check set.  -DCHECK_SIBLING=0
 		named-checkzone checks out-of-zone addresses by default.
 		To disable this default set.  -DCHECK_LOCAL=0
@@ -267,7 +274,7 @@ Building
 	    BUILD_CFLAGS (optional)
 	    BUILD_CPPFLAGS (optional)
 		Possible Settings:
-		-DNEED_OPTARG=1		(optarg is not declared in <unistd.h>)
+		-DNEED_OPTARG=1         (optarg is not declared in <unistd.h>)
 	    BUILD_LDFLAGS (optional)
 	    BUILD_LIBS (optional)
 
@@ -287,7 +294,7 @@ Building
 
 	On some platforms, BIND 9 can be built with multithreading
 	support, allowing it to take advantage of multiple CPUs.
-	You can specify whether to build a multithreaded BIND 9 
+	You can specify whether to build a multithreaded BIND 9
 	by specifying "--enable-threads" or "--disable-threads"
 	on the configure command line.  The default is operating
 	system dependent.
@@ -305,7 +312,7 @@ Building
 	By default, installation is into /usr/local, but this can be changed
 	with the "--prefix" option when running "configure".
 
-	You may specify the option "--sysconfdir" to set the directory 
+	You may specify the option "--sysconfdir" to set the directory
 	where configuration files like "named.conf" go by default,
 	and "--localstatedir" to set the default parent directory
 	of "run/named.pid".   For backwards compatibility with BIND 8,
@@ -315,7 +322,7 @@ Building
 	defaults to "$prefix/var".
 
 	To see additional configure options, run "configure --help".
-	Note that the help message does not reflect the BIND 8 
+	Note that the help message does not reflect the BIND 8
 	compatibility defaults for sysconfdir and localstatedir.
 
 	If you're planning on making changes to the BIND 9 source, you
@@ -327,7 +334,7 @@ Building
 
 	Building with gcc is not supported, unless gcc is the vendor's usual
 	compiler (e.g. the various BSD systems, Linux).
-	
+
 	Known compiler issues:
 	* gcc-3.2.1 and gcc-3.1.1 is known to cause problems with solaris-x86.
 	* gcc prior to gcc-3.2.3 ultrasparc generates incorrect code at -02.
@@ -367,38 +374,38 @@ Documentation
 
 Change Log
 
-	A detailed list of all changes to BIND 9 is included in the 
+	A detailed list of all changes to BIND 9 is included in the
 	file CHANGES, with the most recent changes listed first.
 	Change notes include tags indicating the category of the
 	change that was made; these categories are:
 
-	   [func]	  New feature
+	   [func]         New feature
 
-	   [bug]	  General bug fix
+	   [bug]          General bug fix
 
-	   [security]	  Fix for a significant security flaw
+	   [security]     Fix for a significant security flaw
 
 	   [experimental] Used for new features when the syntax
-	   		  or other aspects of the design are still
+			  or other aspects of the design are still
 			  in flux and may change
 
-	   [port]	  Portability enhancement
+	   [port]         Portability enhancement
 
-	   [maint]	  Updates to built-in data such as root
+	   [maint]        Updates to built-in data such as root
 			  server addresses and keys
 
-	   [tuning]	  Changes to built-in configuration defaults
-	   		  and constants to improve performanceo
+	   [tuning]       Changes to built-in configuration defaults
+			  and constants to improve performanceo
 
-	   [protocol]	  Updates to the DNS protocol such as new
+	   [protocol]     Updates to the DNS protocol such as new
 			  RR types
 
-           [test]         Changes to the automatic tests, not
-                          affecting server functionality
+	   [test]         Changes to the automatic tests, not
+			  affecting server functionality
 
-           [cleanup]      Minor corrections and refactoring
+	   [cleanup]      Minor corrections and refactoring
 
-	   [doc]	  Documentation
+	   [doc]          Documentation
 
 	In general, [func] and [experimental] tags will only appear
 	in new-feature releases (i.e., those with version numbers

bin/Makefile.in

@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any

bin/check/Makefile.in

@@ -1,4 +1,4 @@
-# Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2007, 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000-2003  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any

bin/check/check-tool.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2010  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010, 2012  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -639,6 +639,9 @@ dump_zone(const char *zonename, dns_zone_t *zone, const char *filename,
 {
 	isc_result_t result;
 	FILE *output = stdout;
+	const char *flags;
+
+	flags = (fileformat == dns_masterformat_text) ? "w+" : "wb+";
 
 	if (debug) {
 		if (filename != NULL && strcmp(filename, "-") != 0)
@@ -649,7 +652,7 @@ dump_zone(const char *zonename, dns_zone_t *zone, const char *filename,
 	}
 
 	if (filename != NULL && strcmp(filename, "-") != 0) {
-		result = isc_stdio_open(filename, "w+", &output);
+		result = isc_stdio_open(filename, flags, &output);
 
 		if (result != ISC_R_SUCCESS) {
 			fprintf(stderr, "could not open output "

bin/confgen/Makefile.in

@@ -1,4 +1,4 @@
-# Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above

bin/confgen/unix/Makefile.in

@@ -1,4 +1,4 @@
-# Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above

bin/dig/Makefile.in

@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2005, 2007, 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any

bin/dig/nslookup.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2009, 2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -57,6 +57,7 @@ static isc_boolean_t in_use = ISC_FALSE;
 static char defclass[MXRD] = "IN";
 static char deftype[MXRD] = "A";
 static isc_event_t *global_event = NULL;
+static int query_error = 1, print_error = 0;
 
 static char domainopt[DNS_NAME_MAXTEXT];
 
@@ -406,6 +407,9 @@ isc_result_t
 printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 	char servtext[ISC_SOCKADDR_FORMATSIZE];
 
+	/* I've we've gotten this far, we've reached a server. */
+	query_error = 0;
+
 	debug("printmessage()");
 
 	isc_sockaddr_format(&query->sockaddr, servtext, sizeof(servtext));
@@ -433,6 +437,9 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 		       (msg->rcode != dns_rcode_nxdomain) ? nametext :
 		       query->lookup->textname, rcode_totext(msg->rcode));
 		debug("returning with rcode == 0");
+
+		/* the lookup failed */
+		print_error |= 1;
 		return (ISC_R_SUCCESS);
 	}
 
@@ -887,5 +894,5 @@ main(int argc, char **argv) {
 	destroy_libs();
 	isc_app_finish();
 
-	return (0);
+	return (query_error | print_error);
 }

bin/dnssec/Makefile.in

@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2005, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2005, 2007-2009, 2012  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any

bin/dnssec/dnssec-settime.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009-2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009-2012  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -38,6 +38,7 @@
 
 #include <dns/keyvalues.h>
 #include <dns/result.h>
+#include <dns/log.h>
 
 #include <dst/dst.h>
 
@@ -151,6 +152,7 @@ main(int argc, char **argv) {
 	isc_boolean_t	force = ISC_FALSE;
 	isc_boolean_t   epoch = ISC_FALSE;
 	isc_boolean_t   changed = ISC_FALSE;
+	isc_log_t       *log = NULL;
 
 	if (argc == 1)
 		usage();
@@ -159,6 +161,8 @@ main(int argc, char **argv) {
 	if (result != ISC_R_SUCCESS)
 		fatal("Out of memory");
 
+	setup_logging(verbose, mctx, &log);
+
 	dns_result_register();
 
 	isc_commandline_errprint = ISC_FALSE;
@@ -578,6 +582,7 @@ main(int argc, char **argv) {
 	cleanup_entropy(&ectx);
 	if (verbose > 10)
 		isc_mem_stats(mctx, stdout);
+	cleanup_logging(&log);
 	isc_mem_free(mctx, directory);
 	isc_mem_destroy(&mctx);
 

bin/dnssec/dnssec-signzone.c

@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004-2011  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -3893,7 +3893,10 @@ main(int argc, char *argv[]) {
 	check_result(result, "isc_file_mktemplate");
 
 	fp = NULL;
-	result = isc_file_openunique(tempfile, &fp);
+	if (outputformat == dns_masterformat_text)
+		result = isc_file_openunique(tempfile, &fp);
+	else
+		result = isc_file_bopenunique(tempfile, &fp);
 	if (result != ISC_R_SUCCESS)
 		fatal("failed to open temporary output file: %s",
 		      isc_result_totext(result));

bin/named/Makefile.in

@@ -1,4 +1,4 @@
-# Copyright (C) 2004-2010  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2010, 2012  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any

bin/named/bindkeys.pl

@@ -1,6 +1,6 @@
 #!/usr/bin/env perl
 #
-# Copyright (C) 2009, 2010  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2009, 2010, 2012  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above

bin/named/controlconf.c

@@ -373,8 +373,10 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
 		if (result == ISC_R_SUCCESS)
 			break;
 		isc_mem_put(listener->mctx, secret.rstart, REGION_SIZE(secret));
-		log_invalid(&conn->ccmsg, result);
-		goto cleanup;
+		if (result != ISCCC_R_BADAUTH) {
+			log_invalid(&conn->ccmsg, result);
+			goto cleanup;
+		}
 	}
 
 	if (key == NULL) {

bin/named/convertxsl.pl

@@ -1,6 +1,6 @@
 #!/usr/bin/env perl
 #
-# Copyright (C) 2006-2008  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2006-2008, 2012  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above

bin/named/query.c

@@ -25,6 +25,7 @@
 
 #include <isc/hex.h>
 #include <isc/mem.h>
+#include <isc/serial.h>
 #include <isc/stats.h>
 #include <isc/util.h>
 
@@ -1025,13 +1026,6 @@ query_isduplicate(ns_client_t *client, dns_name_t *name,
 		mname = NULL;
 	}
 
-	/*
-	 * If the dns_name_t we're looking up is already in the message,
-	 * we don't want to trigger the caller's name replacement logic.
-	 */
-	if (name == mname)
-		mname = NULL;
-
 	if (mnamep != NULL)
 		*mnamep = mname;
 
@@ -1230,6 +1224,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 	if (dns_rdataset_isassociated(rdataset) &&
 	    !query_isduplicate(client, fname, type, &mname)) {
 		if (mname != NULL) {
+			INSIST(mname != fname);
 			query_releasename(client, &fname);
 			fname = mname;
 		} else
@@ -1299,11 +1294,13 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 #endif
 			if (!query_isduplicate(client, fname,
 					       dns_rdatatype_a, &mname)) {
-				if (mname != NULL) {
-					query_releasename(client, &fname);
-					fname = mname;
-				} else
-					need_addname = ISC_TRUE;
+				if (mname != fname) {
+					if (mname != NULL) {
+						query_releasename(client, &fname);
+						fname = mname;
+					} else
+						need_addname = ISC_TRUE;
+				}
 				ISC_LIST_APPEND(fname->list, rdataset, link);
 				added_something = ISC_TRUE;
 				if (sigrdataset != NULL &&
@@ -1356,11 +1353,13 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 #endif
 			if (!query_isduplicate(client, fname,
 					       dns_rdatatype_aaaa, &mname)) {
-				if (mname != NULL) {
-					query_releasename(client, &fname);
-					fname = mname;
-				} else
-					need_addname = ISC_TRUE;
+				if (mname != fname) {
+					if (mname != NULL) {
+						query_releasename(client, &fname);
+						fname = mname;
+					} else
+						need_addname = ISC_TRUE;
+				}
 				ISC_LIST_APPEND(fname->list, rdataset, link);
 				added_something = ISC_TRUE;
 				if (sigrdataset != NULL &&
@@ -1883,22 +1882,24 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 		    crdataset->type == dns_rdatatype_aaaa) {
 			if (!query_isduplicate(client, fname, crdataset->type,
 					       &mname)) {
-				if (mname != NULL) {
-					/*
-					 * A different type of this name is
-					 * already stored in the additional
-					 * section.  We'll reuse the name.
-					 * Note that this should happen at most
-					 * once.  Otherwise, fname->link could
-					 * leak below.
-					 */
-					INSIST(mname0 == NULL);
+				if (mname != fname) {
+					if (mname != NULL) {
+						/*
+						 * A different type of this name is
+						 * already stored in the additional
+						 * section.  We'll reuse the name.
+						 * Note that this should happen at most
+						 * once.  Otherwise, fname->link could
+						 * leak below.
+						 */
+						INSIST(mname0 == NULL);
 
-					query_releasename(client, &fname);
-					fname = mname;
-					mname0 = mname;
-				} else
-					need_addname = ISC_TRUE;
+						query_releasename(client, &fname);
+						fname = mname;
+						mname0 = mname;
+					} else
+						need_addname = ISC_TRUE;
+				}
 				ISC_LIST_UNLINK(cfname.list, crdataset, link);
 				ISC_LIST_APPEND(fname->list, crdataset, link);
 				added_something = ISC_TRUE;
@@ -2351,12 +2352,14 @@ query_addcnamelike(ns_client_t *client, dns_name_t *qname, dns_name_t *tname,
  */
 static void
 mark_secure(ns_client_t *client, dns_db_t *db, dns_name_t *name,
-	    isc_uint32_t ttl, dns_rdataset_t *rdataset,
+	    dns_rdata_rrsig_t *rrsig, dns_rdataset_t *rdataset,
 	    dns_rdataset_t *sigrdataset)
 {
 	isc_result_t result;
 	dns_dbnode_t *node = NULL;
 
+	isc_stdtime_t now;
+
 	rdataset->trust = dns_trust_secure;
 	sigrdataset->trust = dns_trust_secure;
 
@@ -2366,17 +2369,10 @@ mark_secure(ns_client_t *client, dns_db_t *db, dns_name_t *name,
 	result = dns_db_findnode(db, name, ISC_TRUE, &node);
 	if (result != ISC_R_SUCCESS)
 		return;
-	/*
-	 * Bound the validated ttls then minimise.
-	 */
-	if (sigrdataset->ttl > ttl)
-		sigrdataset->ttl = ttl;
-	if (rdataset->ttl > ttl)
-		rdataset->ttl = ttl;
-	if (rdataset->ttl > sigrdataset->ttl)
-		rdataset->ttl = sigrdataset->ttl;
-	else
-		sigrdataset->ttl = rdataset->ttl;
+
+	isc_stdtime_get(&now);
+	dns_rdataset_trimttl(rdataset, sigrdataset, rrsig, now,
+			     client->view->acceptexpired);
 
 	(void)dns_db_addrdataset(db, node, NULL, client->now, rdataset,
 				 0, NULL);
@@ -2501,8 +2497,7 @@ validate(ns_client_t *client, dns_db_t *db, dns_name_t *name,
 				   client->view->acceptexpired)) {
 				dst_key_free(&key);
 				dns_rdataset_disassociate(&keyrdataset);
-				mark_secure(client, db, name,
-					    rrsig.originalttl,
+				mark_secure(client, db, name, &rrsig,
 					    rdataset, sigrdataset);
 				return (ISC_TRUE);
 			}

bin/named/statschannel.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2008-2012  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -85,16 +85,19 @@ static const char *nsstats_desc[dns_nsstatscounter_max];
 static const char *resstats_desc[dns_resstatscounter_max];
 static const char *zonestats_desc[dns_zonestatscounter_max];
 static const char *sockstats_desc[isc_sockstatscounter_max];
+static const char *dnssecstats_desc[dns_dnssecstats_max];
 #ifdef HAVE_LIBXML2
 static const char *nsstats_xmldesc[dns_nsstatscounter_max];
 static const char *resstats_xmldesc[dns_resstatscounter_max];
 static const char *zonestats_xmldesc[dns_zonestatscounter_max];
 static const char *sockstats_xmldesc[isc_sockstatscounter_max];
+static const char *dnssecstats_xmldesc[dns_dnssecstats_max];
 #else
 #define nsstats_xmldesc NULL
 #define resstats_xmldesc NULL
 #define zonestats_xmldesc NULL
 #define sockstats_xmldesc NULL
+#define dnssecstats_xmldesc NULL
 #endif	/* HAVE_LIBXML2 */
 
 #define TRY0(a) do { xmlrc = (a); if (xmlrc < 0) goto error; } while(0)
@@ -108,6 +111,7 @@ static int nsstats_index[dns_nsstatscounter_max];
 static int resstats_index[dns_resstatscounter_max];
 static int zonestats_index[dns_zonestatscounter_max];
 static int sockstats_index[isc_sockstatscounter_max];
+static int dnssecstats_index[dns_dnssecstats_max];
 
 static inline void
 set_desc(int counter, int maxcounter, const char *fdesc, const char **fdescs,
@@ -409,6 +413,33 @@ init_desc(void) {
 			 "FDwatchRecvErr");
 	INSIST(i == isc_sockstatscounter_max);
 
+	/* Initialize DNSSEC statistics */
+	for (i = 0; i < dns_dnssecstats_max; i++)
+		dnssecstats_desc[i] = NULL;
+#ifdef  HAVE_LIBXML2
+	for (i = 0; i < dns_dnssecstats_max; i++)
+		dnssecstats_xmldesc[i] = NULL;
+#endif
+
+#define SET_DNSSECSTATDESC(counterid, desc, xmldesc) \
+	do { \
+		set_desc(dns_dnssecstats_ ## counterid, \
+			 dns_dnssecstats_max, \
+			 desc, dnssecstats_desc,\
+			 xmldesc, dnssecstats_xmldesc); \
+		dnssecstats_index[i++] = dns_dnssecstats_ ## counterid; \
+	} while (0)
+
+	i = 0;
+	SET_DNSSECSTATDESC(asis, "dnssec validation success with signer "
+			   "\"as is\"", "DNSSECasis");
+	SET_DNSSECSTATDESC(downcase, "dnssec validation success with signer "
+			   "lower cased", "DNSSECdowncase");
+	SET_DNSSECSTATDESC(wildcard, "dnssec validation of wildcard signature",
+			   "DNSSECwild");
+	SET_DNSSECSTATDESC(fail, "dnssec validation failures", "DNSSECfail");
+	INSIST(i == dns_dnssecstats_max);
+
 	/* Sanity check */
 	for (i = 0; i < dns_nsstatscounter_max; i++)
 		INSIST(nsstats_desc[i] != NULL);
@@ -418,6 +449,8 @@ init_desc(void) {
 		INSIST(zonestats_desc[i] != NULL);
 	for (i = 0; i < isc_sockstatscounter_max; i++)
 		INSIST(sockstats_desc[i] != NULL);
+	for (i = 0; i < dns_dnssecstats_max; i++)
+		INSIST(dnssecstats_desc[i] != NULL);
 #ifdef  HAVE_LIBXML2
 	for (i = 0; i < dns_nsstatscounter_max; i++)
 		INSIST(nsstats_xmldesc[i] != NULL);
@@ -427,6 +460,8 @@ init_desc(void) {
 		INSIST(zonestats_xmldesc[i] != NULL);
 	for (i = 0; i < isc_sockstatscounter_max; i++)
 		INSIST(sockstats_xmldesc[i] != NULL);
+	for (i = 0; i < dns_dnssecstats_max; i++)
+		INSIST(dnssecstats_xmldesc[i] != NULL);
 #endif
 }
 

bin/named/unix/Makefile.in

@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1999-2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any

bin/nsupdate/Makefile.in

@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2006-2009  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2006-2009, 2012  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any

bin/nsupdate/nsupdate.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -1121,7 +1121,7 @@ parse_name(char **cmdlinep, dns_message_t *msg, dns_name_t **namep) {
 	isc_buffer_t source;
 
 	word = nsu_strsep(cmdlinep, " \t\r\n");
-	if (*word == 0) {
+	if (word == NULL || *word == 0) {
 		fprintf(stderr, "could not read owner name\n");
 		return (STATUS_SYNTAX);
 	}
@@ -1153,6 +1153,11 @@ parse_rdata(char **cmdlinep, dns_rdataclass_t rdataclass,
 	dns_rdatacallbacks_t callbacks;
 	isc_result_t result;
 
+	if (cmdline == NULL) {
+		rdata->flags = DNS_RDATA_UPDATE;
+		return (STATUS_MORE);
+	}
+
 	while (*cmdline != 0 && isspace((unsigned char)*cmdline))
 		cmdline++;
 
@@ -1219,7 +1224,7 @@ make_prereq(char *cmdline, isc_boolean_t ispositive, isc_boolean_t isrrset) {
 	 */
 	if (isrrset) {
 		word = nsu_strsep(&cmdline, " \t\r\n");
-		if (*word == 0) {
+		if (word == NULL || *word == 0) {
 			fprintf(stderr, "could not read class or type\n");
 			goto failure;
 		}
@@ -1235,7 +1240,7 @@ make_prereq(char *cmdline, isc_boolean_t ispositive, isc_boolean_t isrrset) {
 			 * Now read the type.
 			 */
 			word = nsu_strsep(&cmdline, " \t\r\n");
-			if (*word == 0) {
+			if (word == NULL || *word == 0) {
 				fprintf(stderr, "could not read type\n");
 				goto failure;
 			}
@@ -1309,7 +1314,7 @@ evaluate_prereq(char *cmdline) {
 
 	ddebug("evaluate_prereq()");
 	word = nsu_strsep(&cmdline, " \t\r\n");
-	if (*word == 0) {
+	if (word == NULL || *word == 0) {
 		fprintf(stderr, "could not read operation code\n");
 		return (STATUS_SYNTAX);
 	}
@@ -1343,14 +1348,14 @@ evaluate_server(char *cmdline) {
 	}
 
 	word = nsu_strsep(&cmdline, " \t\r\n");
-	if (*word == 0) {
+	if (word == NULL || *word == 0) {
 		fprintf(stderr, "could not read server name\n");
 		return (STATUS_SYNTAX);
 	}
 	server = word;
 
 	word = nsu_strsep(&cmdline, " \t\r\n");
-	if (*word == 0)
+	if (word == NULL || *word == 0)
 		port = dnsport;
 	else {
 		char *endp;
@@ -1384,14 +1389,14 @@ evaluate_local(char *cmdline) {
 	struct in6_addr in6;
 
 	word = nsu_strsep(&cmdline, " \t\r\n");
-	if (*word == 0) {
+	if (word == NULL || *word == 0) {
 		fprintf(stderr, "could not read server name\n");
 		return (STATUS_SYNTAX);
 	}
 	local = word;
 
 	word = nsu_strsep(&cmdline, " \t\r\n");
-	if (*word == 0)
+	if (word == NULL || *word == 0)
 		port = 0;
 	else {
 		char *endp;
@@ -1440,7 +1445,7 @@ evaluate_key(char *cmdline) {
 	char *n;
 
 	namestr = nsu_strsep(&cmdline, " \t\r\n");
-	if (*namestr == 0) {
+	if (namestr == NULL || *namestr == 0) {
 		fprintf(stderr, "could not read key name\n");
 		return (STATUS_SYNTAX);
 	}
@@ -1464,7 +1469,7 @@ evaluate_key(char *cmdline) {
 	}
 
 	secretstr = nsu_strsep(&cmdline, "\r\n");
-	if (*secretstr == 0) {
+	if (secretstr == NULL || *secretstr == 0) {
 		fprintf(stderr, "could not read key secret\n");
 		return (STATUS_SYNTAX);
 	}
@@ -1505,7 +1510,7 @@ evaluate_zone(char *cmdline) {
 	isc_result_t result;
 
 	word = nsu_strsep(&cmdline, " \t\r\n");
-	if (*word == 0) {
+	if (word == NULL || *word == 0) {
 		fprintf(stderr, "could not read zone name\n");
 		return (STATUS_SYNTAX);
 	}
@@ -1531,7 +1536,7 @@ evaluate_realm(char *cmdline) {
 	char buf[1024];
 
 	word = nsu_strsep(&cmdline, " \t\r\n");
-	if (*word == 0) {
+	if (word == NULL || *word == 0) {
 		if (realm != NULL)
 			isc_mem_free(mctx, realm);
 		realm = NULL;
@@ -1556,7 +1561,7 @@ evaluate_ttl(char *cmdline) {
 	isc_uint32_t ttl;
 
 	word = nsu_strsep(&cmdline, " \t\r\n");
-	if (*word == 0) {
+	if (word == NULL || *word == 0) {
 		fprintf(stderr, "could not ttl\n");
 		return (STATUS_SYNTAX);
 	}
@@ -1590,7 +1595,7 @@ evaluate_class(char *cmdline) {
 	dns_rdataclass_t rdclass;
 
 	word = nsu_strsep(&cmdline, " \t\r\n");
-	if (*word == 0) {
+	if (word == NULL || *word == 0) {
 		fprintf(stderr, "could not read class name\n");
 		return (STATUS_SYNTAX);
 	}
@@ -1648,7 +1653,7 @@ update_addordelete(char *cmdline, isc_boolean_t isdelete) {
 	 * If it's a delete, ignore a TTL if present (for compatibility).
 	 */
 	word = nsu_strsep(&cmdline, " \t\r\n");
-	if (*word == 0) {
+	if (word == NULL || *word == 0) {
 		if (!isdelete) {
 			fprintf(stderr, "could not read owner ttl\n");
 			goto failure;
@@ -1689,7 +1694,7 @@ update_addordelete(char *cmdline, isc_boolean_t isdelete) {
 	 */
 	word = nsu_strsep(&cmdline, " \t\r\n");
  parseclass:
-	if (*word == 0) {
+	if (word == NULL || *word == 0) {
 		if (isdelete) {
 			rdataclass = dns_rdataclass_any;
 			rdatatype = dns_rdatatype_any;
@@ -1713,7 +1718,7 @@ update_addordelete(char *cmdline, isc_boolean_t isdelete) {
 		 * Now read the type.
 		 */
 		word = nsu_strsep(&cmdline, " \t\r\n");
-		if (*word == 0) {
+		if (word == NULL || *word == 0) {
 			if (isdelete) {
 				rdataclass = dns_rdataclass_any;
 				rdatatype = dns_rdatatype_any;
@@ -1793,7 +1798,7 @@ evaluate_update(char *cmdline) {
 
 	ddebug("evaluate_update()");
 	word = nsu_strsep(&cmdline, " \t\r\n");
-	if (*word == 0) {
+	if (word == NULL || *word == 0) {
 		fprintf(stderr, "could not read operation code\n");
 		return (STATUS_SYNTAX);
 	}
@@ -1883,6 +1888,7 @@ get_next_command(void) {
 	char cmdlinebuf[MAXCMD];
 	char *cmdline;
 	char *word;
+	char *tmp;
 
 	ddebug("get_next_command()");
 	if (interactive) {
@@ -1894,11 +1900,18 @@ get_next_command(void) {
 	isc_app_unblock();
 	if (cmdline == NULL)
 		return (STATUS_QUIT);
+
+	/*
+	 * Normalize input by removing any eol.
+	 */
+	tmp = cmdline;
+	(void)nsu_strsep(&tmp, "\r\n");
+
 	word = nsu_strsep(&cmdline, " \t\r\n");
 
 	if (feof(input))
 		return (STATUS_QUIT);
-	if (*word == 0)
+	if (word == NULL || *word == 0)
 		return (STATUS_SEND);
 	if (word[0] == ';')
 		return (STATUS_MORE);

bin/pkcs11/Makefile.in

@@ -1,4 +1,4 @@
-# Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above

bin/rndc/Makefile.in

@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any

bin/tests/Makefile.in

@@ -1,4 +1,4 @@
-# Copyright (C) 2004-2010  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2010, 2012  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2003  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any

bin/tests/b8t.mk

@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1999-2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any

bin/tests/b9t.mk

@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1999-2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any

bin/tests/db/Makefile.in

@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007, 2009, 2010  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009, 2010, 2012  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1999-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any

bin/tests/dnssec-signzone/run-test.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above

bin/tests/dst/Makefile.in

@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2006-2009  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2006-2009, 2012  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1999-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any

bin/tests/dst/t_dst.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2009, 2012  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -179,7 +179,7 @@ dh(dns_name_t *name1, int id1, dns_name_t *name2, int id2, isc_mem_t *mctx,
 	if (p == NULL) {
 		t_info("getcwd failed %d\n", errno);
 		++*nprobs;
-		return;
+		goto cleanup;
 	}
 
 	ret = dst_key_fromfile(name1, id1, alg, type, current, mctx, &key1);
@@ -187,7 +187,7 @@ dh(dns_name_t *name1, int id1, dns_name_t *name2, int id2, isc_mem_t *mctx,
 		t_info("dst_key_fromfile(%d) returned: %s\n",
 		       alg, dst_result_totext(ret));
 		++*nfails;
-		return;
+		goto cleanup;
 	}
 
 	ret = dst_key_fromfile(name2, id2, alg, type, current, mctx, &key2);
@@ -195,7 +195,7 @@ dh(dns_name_t *name1, int id1, dns_name_t *name2, int id2, isc_mem_t *mctx,
 		t_info("dst_key_fromfile(%d) returned: %s\n",
 		       alg, dst_result_totext(ret));
 		++*nfails;
-		return;
+		goto cleanup;
 	}
 
 	ret = isc_file_mktemplate("/tmp/", tmp, sizeof(tmp));
@@ -203,7 +203,7 @@ dh(dns_name_t *name1, int id1, dns_name_t *name2, int id2, isc_mem_t *mctx,
 		t_info("isc_file_mktemplate failed %s\n",
 		       isc_result_totext(ret));
 		++*nprobs;
-		return;
+		goto cleanup;
 	}
 
 	ret = isc_dir_createunique(tmp);
@@ -211,7 +211,7 @@ dh(dns_name_t *name1, int id1, dns_name_t *name2, int id2, isc_mem_t *mctx,
 		t_info("isc_dir_createunique failed %s\n",
 		       isc_result_totext(ret));
 		++*nprobs;
-		return;
+		goto cleanup;
 	}
 
 	ret = dst_key_tofile(key1, type, tmp);
@@ -219,7 +219,7 @@ dh(dns_name_t *name1, int id1, dns_name_t *name2, int id2, isc_mem_t *mctx,
 		t_info("dst_key_tofile(%d) returned: %s\n",
 		       alg, dst_result_totext(ret));
 		++*nfails;
-		return;
+		goto cleanup;
 	}
 
 	ret = dst_key_tofile(key2, type, tmp);
@@ -227,7 +227,7 @@ dh(dns_name_t *name1, int id1, dns_name_t *name2, int id2, isc_mem_t *mctx,
 		t_info("dst_key_tofile(%d) returned: %s\n",
 		       alg, dst_result_totext(ret));
 		++*nfails;
-		return;
+		goto cleanup;
 	}
 
 	cleandir(tmp);
@@ -238,7 +238,7 @@ dh(dns_name_t *name1, int id1, dns_name_t *name2, int id2, isc_mem_t *mctx,
 		t_info("dst_computesecret() returned: %s\n",
 		       dst_result_totext(ret));
 		++*nfails;
-		return;
+		goto cleanup;
 	}
 
 	isc_buffer_init(&b2, array2, sizeof(array2));
@@ -247,7 +247,7 @@ dh(dns_name_t *name1, int id1, dns_name_t *name2, int id2, isc_mem_t *mctx,
 		t_info("dst_computesecret() returned: %s\n",
 		       dst_result_totext(ret));
 		++*nfails;
-		return;
+		goto cleanup;
 	}
 
 	isc_buffer_usedregion(&b1, &r1);
@@ -256,11 +256,14 @@ dh(dns_name_t *name1, int id1, dns_name_t *name2, int id2, isc_mem_t *mctx,
 	{
 		t_info("computed secrets don't match\n");
 		++*nfails;
-		return;
+		goto cleanup;
 	}
 
-	dst_key_free(&key1);
-	dst_key_free(&key2);
+ cleanup:
+	if (key1 != NULL)
+		dst_key_free(&key1);
+	if (key2 != NULL)
+		dst_key_free(&key2);
 }
 
 static void
@@ -330,12 +333,14 @@ generate(int alg, isc_mem_t *mctx, int size, int *nfails) {
 		t_info("dst_key_generate(%d) returned: %s\n", alg,
 		       dst_result_totext(ret));
 		++*nfails;
-		return;
+		goto cleanup;
 	}
 
 	if (alg != DST_ALG_DH)
 		use(key, mctx, ISC_R_SUCCESS, nfails);
-	dst_key_free(&key);
+ cleanup:
+	if (key != NULL)
+		dst_key_free(&key);
 }
 
 #define	DBUFSIZ	25
@@ -787,14 +792,20 @@ t2_sigchk(char *datapath, char *sigpath, char *keyname,
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("dst_context_create returned %s\n",
 			isc_result_totext(isc_result));
+		(void) free(data);
+		dst_key_free(&key);
 		++*nfails;
+		return;
 	}
 	isc_result = dst_context_adddata(ctx, &datareg);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("dst_context_adddata returned %s\n",
 			isc_result_totext(isc_result));
+		(void) free(data);
 		dst_context_destroy(&ctx);
+		dst_key_free(&key);
 		++*nfails;
+		return;
 	}
 	isc_result = dst_context_verify(ctx, &sigreg);
 	if (	((exp_res == 0) && (isc_result != ISC_R_SUCCESS))	||
@@ -803,7 +814,6 @@ t2_sigchk(char *datapath, char *sigpath, char *keyname,
 		t_info("dst_context_verify returned %s, expected %s\n",
 			isc_result_totext(isc_result),
 			expected_result);
-		dst_context_destroy(&ctx);
 		++*nfails;
 	}
 

bin/tests/hashes/Makefile.in

@@ -1,4 +1,4 @@
-# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2010, 2012  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above

bin/tests/headerdep_test.sh.in

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000, 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any

bin/tests/master/Makefile.in

@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1999-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any

bin/tests/mem/Makefile.in

@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2005, 2007, 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any

bin/tests/names/Makefile.in

@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1999-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any

bin/tests/names/t_names.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2009, 2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -121,20 +121,30 @@ chkdata(unsigned char *buf, size_t buflen, char *exp_data,
 
 			if (('0' <= *q) && (*q <= '9'))
 				*p = *q - '0';
-			else if (('a' <= *q) && (*q <= 'z'))
+			else if (('a' <= *q) && (*q <= 'f'))
 				*p = *q - 'a' + 10;
-			else if (('A' <= *q) && (*q <= 'Z'))
+			else if (('A' <= *q) && (*q <= 'F'))
 				*p = *q - 'A' + 10;
+			else {
+				t_info("malformed comparison data\n");
+				free(data);
+				return (-1);
+			}
 			++q;
 
 			*p <<= 4;
 
 			if (('0' <= *q) && (*q <= '9'))
 				*p |= ((*q - '0') & 0x0f);
-			else if (('a' <= *q) && (*q <= 'z'))
+			else if (('a' <= *q) && (*q <= 'f'))
 				*p |= ((*q - 'a' + 10) & 0x0f);
-			else if (('A' <= *q) && (*q <= 'Z'))
+			else if (('A' <= *q) && (*q <= 'F'))
 				*p |= ((*q - 'A' + 10) & 0x0f);
+			else {
+				t_info("malformed comparison data\n");
+				free(data);
+				return (-1);
+			}
 			++p;
 			++q;
 			++cnt;
@@ -203,9 +213,9 @@ getmsg(char *datafile_name, unsigned char *buf, int buflen, isc_buffer_t *pbuf)
 		}
 		if (('0' <= c) && (c <= '9'))
 			val = c - '0';
-		else if (('a' <= c) && (c <= 'z'))
+		else if (('a' <= c) && (c <= 'f'))
 			val = c - 'a' + 10;
-		else if (('A' <= c) && (c <= 'Z'))
+		else if (('A' <= c) && (c <= 'F'))
 			val = c - 'A'+ 10;
 		else {
 			(void)fclose(fp);

bin/tests/net/Makefile.in

@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any

bin/tests/rbt/Makefile.in

@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1999-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any

bin/tests/rbt_test.txt

@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1999-2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any

bin/tests/resolv.conf.sample

@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000, 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any

bin/tests/sockaddr/Makefile.in

@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1999-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any

bin/tests/startperf/makenames.pl

@@ -1,6 +1,6 @@
 #!/usr/bin/perl
 #
-# Copyright (C) 2011  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above

bin/tests/startperf/setup.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2011  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above

bin/tests/system/Makefile.in

@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007, 2008, 2010, 2011  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2008, 2010-2012  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000, 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any

bin/tests/system/acl/clean.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2008  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2008, 2012  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above

bin/tests/system/acl/setup.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2008  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2008, 2012  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above

bin/tests/system/acl/tests.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2008  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2008, 2012  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above

bin/tests/system/addzone/clean.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2010, 2012  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above

bin/tests/system/addzone/setup.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2010, 2012  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above

bin/tests/system/addzone/tests.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2010, 2011  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2010-2012  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above

bin/tests/system/allow_query/clean.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2010, 2012  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above

bin/tests/system/allow_query/setup.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2010, 2012  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above

bin/tests/system/allow_query/tests.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2010, 2012  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above

bin/tests/system/autosign/ns1/keygen.sh

@@ -1,6 +1,6 @@
 #!/bin/sh -e
 #
-# Copyright (C) 2009-2011  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2009-2012  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above

bin/tests/system/autosign/ns2/keygen.sh

@@ -1,6 +1,6 @@
 #!/bin/sh -e
 #
-# Copyright (C) 2009-2011  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2009-2012  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above

bin/tests/system/autosign/prereq.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2009, 2010  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2009, 2010, 2012  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above

bin/tests/system/autosign/setup.sh

@@ -1,6 +1,6 @@
 #!/bin/sh -e
 #
-# Copyright (C) 2009, 2010  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2009, 2010, 2012  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above

bin/tests/system/builtin/tests.sh

@@ -1,4 +1,4 @@
-# Copyright (C) 2011  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above

bin/tests/system/cacheclean/clean.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any

bin/tests/system/cacheclean/tests.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any

bin/tests/system/checkconf/badtsig.conf

@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* Bad secret */
+key "badtsig" {
+	algorithm hmac-md5;
+	secret "jEdD+BPKg==";
+};
+

bin/tests/system/checkconf/clean.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2011  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -16,4 +16,4 @@
 
 # $Id: clean.sh,v 1.1.4.2 2011/05/07 05:52:58 each Exp $
 
-rm -f good.conf.in good.conf.out
+rm -f good.conf.in good.conf.out badzero.conf

bin/tests/system/checkconf/tests.sh

@@ -37,7 +37,13 @@ status=`expr $status + $ret`
 echo "I: checking that named-checkconf handles a known bad config"
 ret=0
 $CHECKCONF bad.conf > /dev/null 2>&1 && ret=1
-if [ $ret != 0 ]; then echo "I:failed"; fi
+if [ $? != 1 ]; then echo "I:failed"; ret=1; fi
+status=`expr $status + $ret`
+
+echo "I: checking that named-checkconf handles a known bad tsig secret"
+ret=0
+$CHECKCONF badtsig.conf > /dev/null 2>&1
+if [ $? != 1 ]; then echo "I:failed"; ret=1; fi
 status=`expr $status + $ret`
 
 echo "I: checking named-checkconf dnssec warnings"
@@ -50,5 +56,44 @@ $CHECKCONF dnssec.3 2>&1 | grep '.*' && ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+echo "I: range checking fields that do not allow zero"
+ret=0
+for field in max-retry-time min-retry-time max-refresh-time min-refresh-time; do
+    cat > badzero.conf << EOF
+options {
+    $field 0;
+};
+EOF
+    $CHECKCONF badzero.conf > /dev/null 2>&1
+    [ $? -eq 1 ] || { echo "I: options $field failed" ; ret=1; }
+    cat > badzero.conf << EOF
+view dummy {
+    $field 0;
+};
+EOF
+    $CHECKCONF badzero.conf > /dev/null 2>&1
+    [ $? -eq 1 ] || { echo "I: view $field failed" ; ret=1; }
+    cat > badzero.conf << EOF
+options {
+    $field 0;
+};
+view dummy {
+};
+EOF
+    $CHECKCONF badzero.conf > /dev/null 2>&1
+    [ $? -eq 1 ] || { echo "I: options + view $field failed" ; ret=1; }
+    cat > badzero.conf << EOF
+zone dummy {
+    type slave;
+    masters { 0.0.0.0; };
+    $field 0;
+};
+EOF
+    $CHECKCONF badzero.conf > /dev/null 2>&1
+    [ $? -eq 1 ] || { echo "I: zone $field failed" ; ret=1; }
+done
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:exit status: $status"
 exit $status

bin/tests/system/checknames/clean.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above

bin/tests/system/checknames/setup.sh

@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above

bin/tests/system/checknames/tests.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above

bin/tests/system/checkzone/tests.sh

@@ -24,7 +24,7 @@ for db in zones/good*.db
 do
 	echo "I:checking $db ($n)"
 	ret=0
-	$CHECKZONE example $db > test.out.$n 2>&1 || ret=1
+	$CHECKZONE -i local example $db > test.out.$n 2>&1 || ret=1
 	n=`expr $n + 1`
 	if [ $ret != 0 ]; then echo "I:failed"; fi
 	status=`expr $status + $ret`

bin/tests/system/cleanall.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000, 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any

bin/tests/system/cleanpkcs11.sh

@@ -18,4 +18,4 @@
 
 if [ ! -x ../../pkcs11/pkcs11-destroy ]; then exit 1; fi
 
-../../pkcs11/pkcs11-destroy -s 0 -p 1234
+../../pkcs11/pkcs11-destroy -s ${SLOT:-0} -p 1234

bin/tests/system/conf.sh.in

@@ -44,9 +44,9 @@ SETTIME=$TOP/bin/dnssec/dnssec-settime
 DSFROMKEY=$TOP/bin/dnssec/dnssec-dsfromkey
 CHECKZONE=$TOP/bin/check/named-checkzone
 CHECKCONF=$TOP/bin/check/named-checkconf
-PK11GEN="$TOP/bin/pkcs11/pkcs11-keygen -s 0 -p 1234"
-PK11LIST="$TOP/bin/pkcs11/pkcs11-list -s 0 -p 1234"
-PK11DEL="$TOP/bin/pkcs11/pkcs11-destroy -s 0 -p 1234"
+PK11GEN="$TOP/bin/pkcs11/pkcs11-keygen -s ${SLOT:-0} -p 1234"
+PK11LIST="$TOP/bin/pkcs11/pkcs11-list -s ${SLOT:-0} -p 1234"
+PK11DEL="$TOP/bin/pkcs11/pkcs11-destroy -s ${SLOT:-0} -p 1234"
 JOURNALPRINT=$TOP/bin/tools/named-journalprint
 
 # The "stress" test is not run by default since it creates enough
@@ -56,7 +56,7 @@ SUBDIRS="acl allow_query addzone autosign builtin cacheclean checkconf
 	 checknames checkzone database dlv dlvauto dlz
 	 dname dnssec forward glue ixfr limits logfileconfig lwresd
 	 masterfile masterformat metadata notify nsupdate pending
-	 pkcs11 resolver rrsetorder sortlist smartsign stub tkey
+	 pkcs11 resolver rndc rrsetorder sortlist smartsign stub tkey
 	 unknown upforwd views xfer xferquota zonechecks"
 
 # PERL will be an empty string if no perl interpreter was found.

bin/tests/system/dialup/setup.sh

@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000, 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any

bin/tests/system/dialup/tests.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000, 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any

bin/tests/system/digcomp.pl

@@ -1,6 +1,6 @@
 #!/usr/bin/perl
 #
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000, 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any

bin/tests/system/dnssec/clean.sh

@@ -17,6 +17,7 @@
 
 # $Id$
 rm -f */K* */keyset-* */dsset-* */dlvset-* */signedkey-* */*.signed */trusted.conf */tmp* */*.jnl */*.bk
+rm -f ns1/managed.conf
 rm -f ns1/root.db ns2/example.db ns3/secure.example.db
 rm -f ns3/unsecure.example.db ns3/bogus.example.db ns3/keyless.example.db
 rm -f ns3/dynamic.example.db ns3/dynamic.example.db.signed.jnl
@@ -24,6 +25,7 @@ rm -f ns3/rsasha256.example.db ns3/rsasha512.example.db
 rm -f ns2/private.secure.example.db
 rm -f ns2/badparam.db ns2/badparam.db.bad
 rm -f ns2/single-nsec3.db
+rm -f ns2/nsec3chain-test.db
 rm -f */example.bk
 rm -f dig.out.*
 rm -f random.data
@@ -48,10 +50,8 @@ rm -f signer/example.db.after signer/example.db.before
 rm -f signer/example.db.changed
 rm -f ns3/ttlpatch.example.db ns3/ttlpatch.example.db.signed
 rm -f ns3/ttlpatch.example.db.patched
-rm -f ns4/managed-keys.bind*
-rm -f ns4/named.conf
-rm -f */managed.conf
-rm -f ns2/nsec3chain-test.db
+rm -f ns3/lower.example.db ns3/upper.example.db ns3/upper.example.db.lower
+rm -f ns4/named.conf ns4/managed.conf
 rm -f ns3/auto-nsec.example.db
 rm -f ns3/auto-nsec3.example.db
 rm -f ns3/expiring.example.db

bin/tests/system/dnssec/ns2/example.db.in

@@ -132,3 +132,12 @@ ns.secure.below-cname	A	10.53.0.3
 
 ttlpatch		NS	ns.ttlpatch
 ns.ttlpatch		A	10.53.0.3
+
+upper			NS	ns.upper
+ns.upper		A	10.53.0.3
+
+LOWER			NS	NS.LOWER
+NS.LOWER		A	10.53.0.3
+
+expiring                 NS      ns.expiring
+ns.expiring              A       10.53.0.3

bin/tests/system/dnssec/ns2/sign.sh

@@ -32,7 +32,8 @@ zonefile=example.db
 
 for subdomain in secure bogus dynamic keyless nsec3 optout nsec3-unknown \
     optout-unknown multiple rsasha256 rsasha512 kskonly update-nsec3 \
-    auto-nsec auto-nsec3 secure.below-cname ttlpatch expired
+    auto-nsec auto-nsec3 secure.below-cname ttlpatch expired expiring upper \
+    lower
 do
 	cp ../ns3/dsset-$subdomain.example. .
 done

bin/tests/system/dnssec/ns3/expired.example.db.in

@@ -23,7 +23,9 @@ $TTL 300	; 5 minutes
 				3600       ; minimum (1 hour)
 				)
 			NS	ns
+			MX	10 mx
 ns			A	10.53.0.3
+mx 		 	A 	10.0.0.30
 
 a			A	10.0.0.1
 b			A	10.0.0.2
@@ -43,3 +45,5 @@ ns.nosoa		A	10.53.0.7
 
 normalthenrrsig		A	10.0.0.28
 rrsigonly		A	10.0.0.29
+
+

bin/tests/system/dnssec/ns3/expiring.example.db.in

@@ -23,7 +23,9 @@ $TTL 300	; 5 minutes
 				3600       ; minimum (1 hour)
 				)
 			NS	ns
+			MX	10 mx
 ns			A	10.53.0.3
+mx 		 	A 	10.0.0.30
 
 a			A	10.0.0.1
 b			A	10.0.0.2

bin/tests/system/dnssec/ns3/lower.example.db.in

@@ -0,0 +1,26 @@
+; Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: lower.example.db.in,v 1.1.2.1 2012/01/17 08:31:00 marka Exp $
+
+$TTL 300	; 5 minutes
+@			IN SOA	MNAME1. . (
+				2012042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+@			NS	NS
+NS			A	10.53.0.3

bin/tests/system/dnssec/ns3/named.conf

@@ -35,6 +35,15 @@ options {
 	dnssec-validation yes;
 };
 
+key rndc_key {
+        secret "1234abcd8765";
+        algorithm hmac-md5;
+};
+
+controls {
+        inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; };
+};
+
 zone "." {
 	type hint;
 	file "../../common/root.hint";
@@ -219,4 +228,14 @@ zone "expiring.example" {
 	file "expiring.example.db.signed";
 };
 
+zone "upper.example" {
+	type master;
+	file "upper.example.db.signed";
+};
+
+zone "LOWER.EXAMPLE" {
+	type master;
+	file "lower.example.db.signed";
+};
+
 include "trusted.conf";

bin/tests/system/dnssec/ns3/sign.sh

@@ -350,5 +350,33 @@ kskname=`$KEYGEN -q -r $RANDFILE $zone`
 zskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
 cp $infile $zonefile
 $SIGNER -S -r $RANDFILE -e now+1mi -o $zone $zonefile > /dev/null 2>&1
-rm -f ${zskname}.private ${kskname}.private
+mv -f ${zskname}.private ${zskname}.private.moved
+mv -f ${kskname}.private ${kskname}.private.moved
 
+#
+# A zone where the signer's name has been forced to uppercase.
+#
+zone="upper.example."
+infile="upper.example.db.in"
+zonefile="upper.example.db"
+lower="upper.example.db.lower"
+signedfile="upper.example.db.signed"
+kskname=`$KEYGEN -q -r $RANDFILE $zone`
+zskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
+cp $infile $zonefile
+$SIGNER -P -S -r $RANDFILE -o $zone -f $lower $zonefile > /dev/null 2>&1
+$CHECKZONE -D upper.example $lower 2>&- | \
+	sed '/RRSIG/s/ upper.example. / UPPER.EXAMPLE. /' > $signedfile
+
+#
+# Check that the signer's name is in lower case when zone name is in
+# upper case.
+#
+zone="LOWER.EXAMPLE."
+infile="lower.example.db.in"
+zonefile="lower.example.db"
+signedfile="lower.example.db.signed"
+kskname=`$KEYGEN -q -r $RANDFILE $zone`
+zskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
+cp $infile $zonefile
+$SIGNER -P -S -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1

bin/tests/system/dnssec/ns3/upper.example.db.in

@@ -0,0 +1,26 @@
+; Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: upper.example.db.in,v 1.1.2.1 2012/01/17 08:31:00 marka Exp $
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2012042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+@			NS	ns
+ns			A	10.53.0.3

bin/tests/system/dnssec/ns4/named3.conf

@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named2.conf,v 1.3 2011/01/04 23:47:13 tbox Exp $ */
+
+// NS4
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.4;
+	notify-source 10.53.0.4;
+	transfer-source 10.53.0.4;
+	port 5300;
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { none; };
+	recursion yes;
+	acache-enable yes;
+	dnssec-enable yes;
+	dnssec-validation yes;
+	dnssec-accept-expired yes;
+};
+
+key rndc_key {
+        secret "1234abcd8765";
+        algorithm hmac-md5;
+};
+
+controls {
+        inet 10.53.0.4 port 9953 allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+include "managed.conf";

bin/tests/system/dnssec/prereq.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2004, 2006, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2006, 2007, 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any

bin/tests/system/dnssec/tests.sh

@@ -1299,6 +1299,26 @@ $DIG +noall +answer +dnssec +nottl -p 5300 expiring.example ns @10.53.0.3 | grep
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+echo "I:testing legacy upper case signer name validation ($n)"
+ret=0
+$DIG +tcp +dnssec -p 5300 +noadd +noauth soa upper.example @10.53.0.4 \
+        > dig.out.ns4.test$n 2>&1
+grep 'flags:.* ad;' dig.out.ns4.test$n >/dev/null || ret=1
+grep 'RRSIG.*SOA.* UPPER\.EXAMPLE\. ' dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:testing that we lower case signer name ($n)"
+ret=0
+$DIG +tcp +dnssec -p 5300 +noadd +noauth soa LOWER.EXAMPLE @10.53.0.4 \
+        > dig.out.ns4.test$n 2>&1
+grep 'flags:.* ad;' dig.out.ns4.test$n >/dev/null || ret=1
+grep 'RRSIG.*SOA.* lower\.example\. ' dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:checking managed key maintenance has not started yet ($n)"
 ret=0
 [ -f "ns4/managed-keys.bind.jnl" ] && ret=1
@@ -1319,5 +1339,104 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+echo "I:testing TTL is capped at RRSIG expiry time ($n)"
+ret=0
+$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 freeze expiring.example 2>&1 | sed 's/^/I:ns3 /'
+(
+cd ns3
+RANDFILE=../random.data
+for file in K*.moved; do
+  mv $file `basename $file .moved`
+done
+$SIGNER -S -r $RANDFILE -N increment -e now+1mi -o expiring.example expiring.example.db > /dev/null 2>&1
+) || ret=1
+$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 reload expiring.example 2>&1 | sed 's/^/I:ns3 /'
+
+$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 flush
+$DIG +noall +answer +dnssec +cd -p 5300 expiring.example soa @10.53.0.4 > dig.out.ns4.1.$n
+$DIG +noall +answer +dnssec -p 5300 expiring.example soa @10.53.0.4 > dig.out.ns4.2.$n
+ttls=`awk '{print $2}' dig.out.ns4.1.$n`
+ttls2=`awk '{print $2}' dig.out.ns4.2.$n`
+for ttl in $ttls; do
+    [ $ttl -eq 300 ] || ret=1
+done
+for ttl in $ttls2; do
+    [ $ttl -le 60 ] || ret=1
+done
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:testing TTL is capped at RRSIG expiry time for records in the additional section ($n)"
+ret=0
+$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 flush
+$DIG +noall +additional +dnssec +cd -p 5300 expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n
+$DIG +noall +additional +dnssec -p 5300 expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n
+ttls=`awk '{print $2}' dig.out.ns4.1.$n`
+ttls2=`awk '{print $2}' dig.out.ns4.2.$n`
+for ttl in $ttls; do
+    [ $ttl -eq 300 ] || ret=1
+done
+for ttl in $ttls2; do
+    [ $ttl -le 60 ] || ret=1
+done
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+cp ns4/named3.conf ns4/named.conf
+$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 reconfig 2>&1 | sed 's/^/I:ns4 /'
+sleep 3
+
+echo "I:testing TTL of about to expire RRsets with dnssec-accept-expired yes; ($n)"
+ret=0
+$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 flush
+$DIG +noall +answer +dnssec +cd -p 5300 expiring.example soa @10.53.0.4 > dig.out.ns4.1.$n
+$DIG +noall +answer +dnssec -p 5300 expiring.example soa @10.53.0.4 > dig.out.ns4.2.$n
+ttls=`awk '{print $2}' dig.out.ns4.1.$n`
+ttls2=`awk '{print $2}' dig.out.ns4.2.$n`
+for ttl in $ttls; do
+    [ $ttl -eq 300 ] || ret=1
+done
+for ttl in $ttls2; do
+    [ $ttl -le 120 -a $ttl -gt 60 ] || ret=1
+done
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:testing TTL of expired RRsets with dnssec-accept-expired yes; ($n)"
+ret=0
+$DIG +noall +answer +dnssec +cd -p 5300 expired.example soa @10.53.0.4 > dig.out.ns4.1.$n
+$DIG +noall +answer +dnssec -p 5300 expired.example soa @10.53.0.4 > dig.out.ns4.2.$n
+ttls=`awk '{print $2}' dig.out.ns4.1.$n`
+ttls2=`awk '{print $2}' dig.out.ns4.2.$n`
+for ttl in $ttls; do
+    [ $ttl -eq 300 ] || ret=1
+done
+for ttl in $ttls2; do
+    [ $ttl -le 120 -a $ttl -gt 60 ] || ret=1
+done
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:testing TTL is capped at RRSIG expiry time for records in the additional section with dnssec-accept-expired yes; ($n)"
+ret=0
+$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 flush
+$DIG +noall +additional +dnssec +cd -p 5300 expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n
+$DIG +noall +additional +dnssec -p 5300 expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n
+ttls=`awk '{print $2}' dig.out.ns4.1.$n`
+ttls2=`awk '{print $2}' dig.out.ns4.2.$n`
+for ttl in $ttls; do
+    [ $ttl -eq 300 ] || ret=1
+done
+for ttl in $ttls2; do
+    [ $ttl -le 120  -a $ttl -gt 60 ] || ret=1
+done
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:exit status: $status"
 exit $status

bin/tests/system/forward/clean.sh

@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000, 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any

bin/tests/system/glue/clean.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000, 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any

bin/tests/system/glue/setup.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any

bin/tests/system/glue/tests.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any

bin/tests/system/ixfr/prereq.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any

bin/tests/system/limits/clean.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000, 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any

bin/tests/system/lwresd/Makefile.in

@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any

bin/tests/system/lwresd/lwresd1/resolv.conf

@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000, 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any

bin/tests/system/lwresd/resolv.conf

@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000, 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any

bin/tests/system/metadata/clean.sh

@@ -21,3 +21,4 @@ rm -f zsk.key ksk.key parent.ksk.key parent.zsk.key
 rm -f pending.key rolling.key standby.key inact.key
 rm -f prerev.key postrev.key oldstyle.key
 rm -f keys sigs
+rm -f tmp.out

bin/tests/system/metadata/prereq.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above

bin/tests/system/metadata/tests.sh

@@ -134,7 +134,7 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
-echo "I:checking update of an old-style key"
+echo "I:checking update of an old-style key ($n)"
 ret=0
 # printing metadata should not work with an old-style key
 $SETTIME -pall `cat oldstyle.key` > /dev/null 2>&1 && ret=1
@@ -145,5 +145,17 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+echo "I:checking warning about permissions change on key with dnssec-settime ($n)"
+ret=0
+# settime should print a warning about changing the permissions
+chmod 644 `cat oldstyle.key`.private
+$SETTIME -P none `cat oldstyle.key` > tmp.out 2>&1 || ret=1
+grep "warning" tmp.out > /dev/null 2>&1 || ret=1
+$SETTIME -P none `cat oldstyle.key` > tmp.out 2>&1 || ret=1
+grep "warning" tmp.out > /dev/null 2>&1 && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:exit status: $status"
 exit $status

bin/tests/system/notify/setup.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000, 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any