add dns_trust_totext to def file

3121.   [security]      An authoritative name server sending a negative
                        response containing a very large RRset could
                        trigger an off-by-one error in the ncache code
                        and crash named. [RT #24650]

3120.	[bug]		Named could fail to validate zones listed in a DLV
			that validated insecure without using DLV and had
			DS records in the parent zone. [RT #24631]

CHANGES

@@ -1,3 +1,20 @@
+	--- 9.8.0-P2 released ---
+
+3121.   [security]      An authoritative name server sending a negative
+                        response containing a very large RRset could
+                        trigger an off-by-one error in the ncache code
+                        and crash named. [RT #24650]
+
+3120.	[bug]		Named could fail to validate zones listed in a DLV
+			that validated insecure without using DLV and had
+			DS records in the parent zone. [RT #24631]
+
+	--- 9.8.0-P1 released ---
+
+3100.	[security]	Certain response policy zone configurations could
+			trigger an INSIST when receiving a query of type
+			RRSIG. [RT #24280]
+
 	--- 9.8.0 released ---
 
 3025.	[bug]		Fixed a possible deadlock due to zone resigning.

RELEASE-NOTES-BIND-9.8.html

@@ -1,308 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title></title><link rel="stylesheet" href="release-notes.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article"><div class="titlepage"><hr /></div>
-
-  <div class="section" title="Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2609042"></a>Introduction</h2></div></div></div>
-    
-    <p>
-			BIND 9.8.0 is the first production release of BIND 9.8.
-		</p>
-    <p>
-			This document summarizes changes from BIND 9.7 to BIND 9.8.
-			Please see the CHANGES file in the source code release for a
-			complete list of all changes.
-		</p>
-  </div>
-
-  <div class="section" title="Download"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3475544"></a>Download</h2></div></div></div>
-    
-    <p>
-			The latest development versions of BIND 9 software can always be found
-	 		on our web site at
-      <a class="ulink" href="http://www.isc.org/downloads/development" target="_top">http://www.isc.org/downloads/development</a>.
-  		There you will find additional information about each release,
- 			source code, and some pre-compiled versions for certain operating
- 			systems.
-		</p>
-  </div>
-
-  <div class="section" title="Support"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3475577"></a>Support</h2></div></div></div>
-    
-    <p>Product support information is available on
-      <a class="ulink" href="http://www.isc.org/services/support" target="_top">http://www.isc.org/services/support</a>
-      for paid support options.  Free support is provided by our user
- 			community via a mailing list.  Information on all public email
- 			lists is available at
-      <a class="ulink" href="https://lists.isc.org/mailman/listinfo" target="_top">https://lists.isc.org/mailman/listinfo</a>.
-    </p>
-  </div>
-
-  <div class="section" title="New Features"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3475533"></a>New Features</h2></div></div></div>
-    
-		<div class="section" title="9.8.0"><div class="titlepage"><div><div><h3 class="title"><a id="id2609063"></a>9.8.0</h3></div></div></div>
-			
-	    <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
-The ADB hash table stores informations about which authoritative
-servers to query about particular domains. Previous versions of BIND
-had the hash table size as a fixed value. On a busy recursive server,
-this could lead to hash table collisions in the ADB cache, resulting
-in degraded response time to queries. Bind 9.8 now has a dynamically
-scalable ADB hash table, which helps a busy server to avoid hash
-table collisions and maintain a consistent query response time.
-[RT #21186]
-</li><li class="listitem">
-				BIND now supports a new zone type, static-stub. This allows the
-				administrator of a recursive nameserver to force queries for
-				a particular zone to go to IP addresses of the administrator's
-				choosing, on a per zone basis, both globally or per view. I.e. if the
-				administrator wishes to have their recursive server query 192.0.2.1
-				and 192.0.2.2 for zone example.com rather than the servers listed by
-				the .com gTLDs, they would configure example.com as a static-stub zone
-				in their recursive server. [RT #21474]
-				</li><li class="listitem">
-				BIND now supports Response Policy Zones, a way of expressing "reputation"
-				in real time via specially constructed DNS zones. See the draft specification
-				here:
-<a class="ulink" href="http://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt" target="_top">http://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt</a>
-				[RT #21726]
-				</li><li class="listitem">
-				BIND 9.8.0 now has DNS64 support. named synthesizes AAAA records from
-				specified A records if no AAAA record exists. IP6.ARPA CNAME records will be synthesized
-				from corresponding IN-ADDR.ARPA. [RT #21991/22769]
-				</li><li class="listitem">
-				Dynamically Loadable Zones (DLZ) now support dynamic updates.
-				Contributed by Andrew Tridgell of the Samba Project. [RT #22629]
-				</li><li class="listitem">
-				Added a "dlopen" DLZ driver, allowing the creation of external DLZ drivers
-				that can be loaded as shared objects at runtime rather than having to be
-				linked with named at compile time. Currently this is switched on via a
-				compile-time option, "configure --with-dlz-dlopen".
-				Note: the syntax for configuring DLZ zones is likely to be refined in future releases.
-				Contributed by Andrew Tridgell of the Samba Project. [RT #22629]
-				</li><li class="listitem">
-				named now retains GSS-TSIG keys across restarts. This is for
-				compatibility with Microsoft DHCP servers doing dynamic DNS
-				updates for clients, which don't know to renegotiate the GSS-TSIG
-				session key when named restarts. [RT #22639]
-				</li><li class="listitem">
-				There is a new update-policy match type "external". This
-				allows named to decide whether to allow a dynamic update
-				by checking with an external daemon.
-				Contributed by Andrew Tridgell of the Samba Project. [RT #22758]
-				</li><li class="listitem">
-				There have been a number of bug fixes and ease of use enhancements
-				for configuring BIND to support GSS-TSIG [RT #22629/22795]. These include:
-	    <div class="itemizedlist"><ul class="itemizedlist" type="circle"><li class="listitem">
-Added a "tkey-gssapi-keytab" option. If set, dynamic updates will be
-allowed for any key matching a Kerberos principal in the specified keytab
-file. "tkey-gssapi-credential" is no longer required and is expected to
-be deprecated. Contributed by Andrew Tridgell of the Samba Project. [RT #22629]
-</li><li class="listitem">
-It is no longer necessary to have a valid /etc/krb5.conf file. Using
-the syntax DNS/hostname@REALM in nsupdate is sufficient for
-to correctly set the default realm. [RT #22795]
-</li><li class="listitem">
-Documentation updated new gssapi configuration options (new option tkey-gssapi-keytab and changes in tkey-gssapi-credential and tkey-domain behavior). [RT 22795]
-</li><li class="listitem">
-DLZ correctly deals with NULL zone in a query. [RT 22795]
-</li><li class="listitem">
-TSIG correctly deals with a NULL tkey-&gt;creator. [RT 22795]
-</li></ul></div>
-</li><li class="listitem">
-A new test has been added to check the apex NSEC3 records after DNSKEY
-records have been added via dynamic update. [RT #23229]
-</li><li class="listitem">
-<p>
-RTT banding (randomized server selection on queries) was introduced in
-BIND releases in 2008, due to the Kaminsky cache poisoning bug. Instead
-of always picking the authoritative server with the lowest RTT to the
-caching resolver, all the authoritative servers within an RTT range were
-randomly used by the recursive server.
-</p>
-<p>
-While this did add an extra bit of randomness that an attacker had to
-overcome to poison a recursive server's cache, it also impacts the
-resolver's speed in answering end customer queries, since it's no
-longer the fastest auth server that gets asked. This means that
-performance optimizations, such using topologically close
-authoritative servers, are rendered ineffective.
-</p>
-<p>
-ISC has evaluated the amount of security added versus the performance
-hit to end users and has decided that RTT banding is causing more harm
-than good. Therefore, with this release, BIND is going back to the server
-selection used prior to adding RTT banding.
-[RT #23310]
-</p>
-				</li></ul></div>
-		</div>
-  </div>
-
-  <div class="section" title="Feature Changes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3475792"></a>Feature Changes</h2></div></div></div>
-    
-		<div class="section" title="9.8.0"><div class="titlepage"><div><div><h3 class="title"><a id="id3475798"></a>9.8.0</h3></div></div></div>
-			
-	    <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
-					There is a new option in dig, +onesoa, that allows the final SOA record in an AXFR response to be suppressed. [RT #20929
-				</li><li class="listitem">
-					There is additional information displayed in the recursing log (qtype, qclass, qid and whether we are following the original name). [RT #22043]
-				</li><li class="listitem">
-Added option 'resolver-query-timeout' in named.conf (max query timeout
-in seconds) to set a different value than the default (30 seconds). A
-value of 0 means 'use the compiled in default'; anything longer than 30
-will be silently set to 30.
-[RT #22852]
-                                </li><li class="listitem">
-					For Mac OS X, you can now have the test interfaces used during "make test" stay beyond reboot. See bin/tests/system/README for details.
-				</li></ul></div>
-		</div>
-  </div>
-
-  <div class="section" title="Security Fixes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3475834"></a>Security Fixes</h2></div></div></div>
-    
-		<div class="section" title="9.8.0"><div class="titlepage"><div><div><h3 class="title"><a id="id3475839"></a>9.8.0</h3></div></div></div>
-			
-			<p>None.</p>
-		</div>
-  </div>
-
-  <div class="section" title="Bug Fixes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3475850"></a>Bug Fixes</h2></div></div></div>
-    
-		<div class="section" title="9.8.0"><div class="titlepage"><div><div><h3 class="title"><a id="id3475855"></a>9.8.0</h3></div></div></div>
-			
-	    <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
-				BIND now builds with threads disabled in versions of NetBSD earlier
-				than 5.0 and with pthreads enabled by default in NetBSD versions 5.0
-				and higher. Also removes support for unproven-pthreads, mit-pthreads
-				and ptl2. [RT #19203]
-				</li><li class="listitem">
-				If BIND has openssl compiled in (the default) and has any permission
-				problems opening the openssl.cnf file, BIND utilities fail. Currently
-				ISC is including a patch to openssl in bin/pkcs11/openssl-0.9.8l-patch
-				but ISC is working on a better solution until openssl fixes this.
-				[RT #20668]
-				</li><li class="listitem">
-				nsupdate will now preserve the entered case of domain names in
-				update requests it sends. [RT #20928]
-				</li><li class="listitem">
-				Added a regression test for fix 2896/RT #21045 ("rndc sign" failed
-				to properly update the zone when adding a DNSKEY for publication
-				only). [RT #21324]
-				</li><li class="listitem">
-				"nsupdate -l" now gives error message if "session.key" file is not
-				found. [RT #21670]
-				</li><li class="listitem">
-				HPUX now correctly defaults to using /dev/poll, which should
-				increase performance. [RT #21919]
-				</li><li class="listitem">
-				If named is running as a threaded application, after an "rndc stop"
-				command has been issued, other inbound TCP requests can cause named
-				to hang and never complete shutdown. [RT #22108]
-				</li><li class="listitem">
-                                After an "rndc reconfig", the refresh timer for managed-keys is ignored, resulting in managed-keys
-                                not being refreshed until named is restarted. [RT #22296]
-                                </li><li class="listitem">
-				An NSEC3PARAM record placed inside a zone which is not properly
-				signed with NSEC3 could cause named to crash, if changed via dynamic
-				update. [RT #22363]				
-				</li><li class="listitem">
-				"rndc -h" now includes "loadkeys" option. [RT #22493]
-				</li><li class="listitem">
-				When performing a GSS-TSIG signed dynamic zone update, memory could be
-				leaked. This causes an unclean shutdown and may affect long-running
-				servers. [RT #22573]
-				</li><li class="listitem">
-				A bug in NetBSD and FreeBSD kernels with SO_ACCEPTFILTER enabled allows
-				for a TCP DoS attack. Until there is a kernel fix, ISC is disabling
-				SO_ACCEPTFILTER support in BIND. [RT #22589]
-				</li><li class="listitem">
-When signing records, named didn't filter out any TTL changes
-to DNSKEY records. This resulted in an incomplete key set. TTL
-changes are now dealt with before signing. [RT #22590]
-                                </li><li class="listitem">
-				Corrected a defect where a combination of dynamic updates and zone 
-				transfers incorrectly locked the in-memory zone database, causing
-				named to freeze. [RT #22614]
-				</li><li class="listitem">
-				Don't run MX checks (check-mx) when the MX record points to ".".
-[RT #22645]
-				</li><li class="listitem">
-				DST key reference counts can now be incremented via dst_key_attach.
-[RT #22672]
-				</li><li class="listitem">
-The IN6_IS_ADDR_LINKLOCAL and
-IN6_IS_ADDR_SITELOCAL macros in win32 were updated/corrected
-per current Windows OS. [RT #22724]
-                                </li><li class="listitem">
-				"dnssec-settime -S" no longer tests prepublication interval validity
-				when the interval is set to 0. [RT #22761]
-				</li><li class="listitem">
-				isc_mutex_init_errcheck() in phtreads/mutex.c failed to destroy attr. [RT #22766]
-				</li><li class="listitem">
-				The Kerberos realm was being truncated when being pulled from the
-				the host prinicipal, make krb5-self updates fail. [RT #22770]
-				</li><li class="listitem">
-				Fixed GSS TSIG test problems for Solaris/MacOSX. [RT #22853]
-				</li><li class="listitem">
-Prior to this fix, when named was was writing a zone to disk (as slave,
-when resigning, etc.), it might not correctly preserve the case of domain
-name labels within RDATA, if the RDATA was not compressible. The result is
-that when reloading the zone from disk would, named could serve data
-that did not match the RRSIG for that data, due to case mismatch. named
-now correctly preserves case. After upgrading to fixed code, the
-operator should either resign the data (on the master) or delete the
-disk file on the slave and reload the zone. [RT #22863]
-                                </li><li class="listitem">
-The man page for dnssec-keyfromlabel incorrectly had "-U" rather
-than the correct option "-I". [RT #22887]
-                                </li><li class="listitem">
-The "rndc" command usage statement was missing the "-b" option.
-[RT #22937]
-                                </li><li class="listitem">
-Fixed a possible deadlock due to zone re-signing.
-[RT #22964]
-                                </li><li class="listitem">
-The TTL for DNS64 synthesized answers was not always set correctly.
-[RT #23034]
-                                </li><li class="listitem">
-The secure zone update feature in named is based on the zone
-being signed and configured for dynamic updates. A bug in the ACL
-processing for "allow-update { none; };" resulted in a zone that is
-supposed to be static being treated as a dynamic zone. Thus, name
-would try to sign/re-sign that zone erroneously. [RT #23120]
-                                </li><li class="listitem">
-When using auto-dnssec and updating DNSKEY records, named did correctly
-update the zone. [RT #23232]
-                                </li><li class="listitem">
-After a failed zone transfer of an RPZ (response policy zone), named
-would respond with SERVFAIL for subsequent queries in the RPZ zone. 
-[RT #23246]
-                                </li><li class="listitem">
-If a slave initiates a TSIG signed AXFR from the master and the master
-fails to correctly TSIG sign the final message, the slave would be left
-with the zone in an unclean state. named detected this error too late
-and named would crash with an INSIST. The order dependancy has been
-fixed. [RT #23254]
-                                </li></ul></div>
-		</div>
-  </div>
-
-  <div class="section" title="Known issues in this release"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3475865"></a>Known issues in this release</h2></div></div></div>
-    
-    <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
-        <p>
-          None.
-        </p>
-      </li></ul></div>
-  </div>
-
-  <div class="section" title="Thank You"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3476076"></a>Thank You</h2></div></div></div>
-    
-    <p>
-      Thank you to everyone who assisted us in making this release possible.
-      If you would like to contribute to ISC to assist us in continuing to make
-      quality open source software, please visit our donations page at
-      <a class="ulink" href="http://www.isc.org/supportisc" target="_top">http://www.isc.org/supportisc</a>.
-    </p>
-  </div>
-</div></body></html>

RELEASE-NOTES-BIND-9.8.txt

@@ -1,227 +0,0 @@
-     __________________________________________________________________
-
-Introduction
-
-   BIND 9.8.0 is the first production release of BIND 9.8.
-
-   This document summarizes changes from BIND 9.7 to BIND 9.8. Please see
-   the CHANGES file in the source code release for a complete list of all
-   changes.
-
-Download
-
-   The latest development versions of BIND 9 software can always be found
-   on our web site at http://www.isc.org/downloads/development. There you
-   will find additional information about each release, source code, and
-   some pre-compiled versions for certain operating systems.
-
-Support
-
-   Product support information is available on
-   http://www.isc.org/services/support for paid support options. Free
-   support is provided by our user community via a mailing list.
-   Information on all public email lists is available at
-   https://lists.isc.org/mailman/listinfo.
-
-New Features
-
-9.8.0
-
-     * The ADB hash table stores informations about which authoritative
-       servers to query about particular domains. Previous versions of
-       BIND had the hash table size as a fixed value. On a busy recursive
-       server, this could lead to hash table collisions in the ADB cache,
-       resulting in degraded response time to queries. Bind 9.8 now has a
-       dynamically scalable ADB hash table, which helps a busy server to
-       avoid hash table collisions and maintain a consistent query
-       response time. [RT #21186]
-     * BIND now supports a new zone type, static-stub. This allows the
-       administrator of a recursive nameserver to force queries for a
-       particular zone to go to IP addresses of the administrator's
-       choosing, on a per zone basis, both globally or per view. I.e. if
-       the administrator wishes to have their recursive server query
-       192.0.2.1 and 192.0.2.2 for zone example.com rather than the
-       servers listed by the .com gTLDs, they would configure example.com
-       as a static-stub zone in their recursive server. [RT #21474]
-     * BIND now supports Response Policy Zones, a way of expressing
-       "reputation" in real time via specially constructed DNS zones. See
-       the draft specification here:
-       http://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt [RT #21726]
-     * BIND 9.8.0 now has DNS64 support. named synthesizes AAAA records
-       from specified A records if no AAAA record exists. IP6.ARPA CNAME
-       records will be synthesized from corresponding IN-ADDR.ARPA. [RT
-       #21991/22769]
-     * Dynamically Loadable Zones (DLZ) now support dynamic updates.
-       Contributed by Andrew Tridgell of the Samba Project. [RT #22629]
-     * Added a "dlopen" DLZ driver, allowing the creation of external DLZ
-       drivers that can be loaded as shared objects at runtime rather than
-       having to be linked with named at compile time. Currently this is
-       switched on via a compile-time option, "configure
-       --with-dlz-dlopen". Note: the syntax for configuring DLZ zones is
-       likely to be refined in future releases. Contributed by Andrew
-       Tridgell of the Samba Project. [RT #22629]
-     * named now retains GSS-TSIG keys across restarts. This is for
-       compatibility with Microsoft DHCP servers doing dynamic DNS updates
-       for clients, which don't know to renegotiate the GSS-TSIG session
-       key when named restarts. [RT #22639]
-     * There is a new update-policy match type "external". This allows
-       named to decide whether to allow a dynamic update by checking with
-       an external daemon. Contributed by Andrew Tridgell of the Samba
-       Project. [RT #22758]
-     * There have been a number of bug fixes and ease of use enhancements
-       for configuring BIND to support GSS-TSIG [RT #22629/22795]. These
-       include:
-          + Added a "tkey-gssapi-keytab" option. If set, dynamic updates
-            will be allowed for any key matching a Kerberos principal in
-            the specified keytab file. "tkey-gssapi-credential" is no
-            longer required and is expected to be deprecated. Contributed
-            by Andrew Tridgell of the Samba Project. [RT #22629]
-          + It is no longer necessary to have a valid /etc/krb5.conf file.
-            Using the syntax DNS/hostname@REALM in nsupdate is sufficient
-            for to correctly set the default realm. [RT #22795]
-          + Documentation updated new gssapi configuration options (new
-            option tkey-gssapi-keytab and changes in
-            tkey-gssapi-credential and tkey-domain behavior). [RT 22795]
-          + DLZ correctly deals with NULL zone in a query. [RT 22795]
-          + TSIG correctly deals with a NULL tkey->creator. [RT 22795]
-     * A new test has been added to check the apex NSEC3 records after
-       DNSKEY records have been added via dynamic update. [RT #23229]
-     * RTT banding (randomized server selection on queries) was introduced
-       in BIND releases in 2008, due to the Kaminsky cache poisoning bug.
-       Instead of always picking the authoritative server with the lowest
-       RTT to the caching resolver, all the authoritative servers within
-       an RTT range were randomly used by the recursive server.
-       While this did add an extra bit of randomness that an attacker had
-       to overcome to poison a recursive server's cache, it also impacts
-       the resolver's speed in answering end customer queries, since it's
-       no longer the fastest auth server that gets asked. This means that
-       performance optimizations, such using topologically close
-       authoritative servers, are rendered ineffective.
-       ISC has evaluated the amount of security added versus the
-       performance hit to end users and has decided that RTT banding is
-       causing more harm than good. Therefore, with this release, BIND is
-       going back to the server selection used prior to adding RTT
-       banding. [RT #23310]
-
-Feature Changes
-
-9.8.0
-
-     * There is a new option in dig, +onesoa, that allows the final SOA
-       record in an AXFR response to be suppressed. [RT #20929
-     * There is additional information displayed in the recursing log
-       (qtype, qclass, qid and whether we are following the original
-       name). [RT #22043]
-     * Added option 'resolver-query-timeout' in named.conf (max query
-       timeout in seconds) to set a different value than the default (30
-       seconds). A value of 0 means 'use the compiled in default';
-       anything longer than 30 will be silently set to 30. [RT #22852]
-     * For Mac OS X, you can now have the test interfaces used during
-       "make test" stay beyond reboot. See bin/tests/system/README for
-       details.
-
-Security Fixes
-
-9.8.0
-
-   None.
-
-Bug Fixes
-
-9.8.0
-
-     * BIND now builds with threads disabled in versions of NetBSD earlier
-       than 5.0 and with pthreads enabled by default in NetBSD versions
-       5.0 and higher. Also removes support for unproven-pthreads,
-       mit-pthreads and ptl2. [RT #19203]
-     * If BIND has openssl compiled in (the default) and has any
-       permission problems opening the openssl.cnf file, BIND utilities
-       fail. Currently ISC is including a patch to openssl in
-       bin/pkcs11/openssl-0.9.8l-patch but ISC is working on a better
-       solution until openssl fixes this. [RT #20668]
-     * nsupdate will now preserve the entered case of domain names in
-       update requests it sends. [RT #20928]
-     * Added a regression test for fix 2896/RT #21045 ("rndc sign" failed
-       to properly update the zone when adding a DNSKEY for publication
-       only). [RT #21324]
-     * "nsupdate -l" now gives error message if "session.key" file is not
-       found. [RT #21670]
-     * HPUX now correctly defaults to using /dev/poll, which should
-       increase performance. [RT #21919]
-     * If named is running as a threaded application, after an "rndc stop"
-       command has been issued, other inbound TCP requests can cause named
-       to hang and never complete shutdown. [RT #22108]
-     * After an "rndc reconfig", the refresh timer for managed-keys is
-       ignored, resulting in managed-keys not being refreshed until named
-       is restarted. [RT #22296]
-     * An NSEC3PARAM record placed inside a zone which is not properly
-       signed with NSEC3 could cause named to crash, if changed via
-       dynamic update. [RT #22363]
-     * "rndc -h" now includes "loadkeys" option. [RT #22493]
-     * When performing a GSS-TSIG signed dynamic zone update, memory could
-       be leaked. This causes an unclean shutdown and may affect
-       long-running servers. [RT #22573]
-     * A bug in NetBSD and FreeBSD kernels with SO_ACCEPTFILTER enabled
-       allows for a TCP DoS attack. Until there is a kernel fix, ISC is
-       disabling SO_ACCEPTFILTER support in BIND. [RT #22589]
-     * When signing records, named didn't filter out any TTL changes to
-       DNSKEY records. This resulted in an incomplete key set. TTL changes
-       are now dealt with before signing. [RT #22590]
-     * Corrected a defect where a combination of dynamic updates and zone
-       transfers incorrectly locked the in-memory zone database, causing
-       named to freeze. [RT #22614]
-     * Don't run MX checks (check-mx) when the MX record points to ".".
-       [RT #22645]
-     * DST key reference counts can now be incremented via dst_key_attach.
-       [RT #22672]
-     * The IN6_IS_ADDR_LINKLOCAL and IN6_IS_ADDR_SITELOCAL macros in win32
-       were updated/corrected per current Windows OS. [RT #22724]
-     * "dnssec-settime -S" no longer tests prepublication interval
-       validity when the interval is set to 0. [RT #22761]
-     * isc_mutex_init_errcheck() in phtreads/mutex.c failed to destroy
-       attr. [RT #22766]
-     * The Kerberos realm was being truncated when being pulled from the
-       the host prinicipal, make krb5-self updates fail. [RT #22770]
-     * Fixed GSS TSIG test problems for Solaris/MacOSX. [RT #22853]
-     * Prior to this fix, when named was was writing a zone to disk (as
-       slave, when resigning, etc.), it might not correctly preserve the
-       case of domain name labels within RDATA, if the RDATA was not
-       compressible. The result is that when reloading the zone from disk
-       would, named could serve data that did not match the RRSIG for that
-       data, due to case mismatch. named now correctly preserves case.
-       After upgrading to fixed code, the operator should either resign
-       the data (on the master) or delete the disk file on the slave and
-       reload the zone. [RT #22863]
-     * The man page for dnssec-keyfromlabel incorrectly had "-U" rather
-       than the correct option "-I". [RT #22887]
-     * The "rndc" command usage statement was missing the "-b" option. [RT
-       #22937]
-     * Fixed a possible deadlock due to zone re-signing. [RT #22964]
-     * The TTL for DNS64 synthesized answers was not always set correctly.
-       [RT #23034]
-     * The secure zone update feature in named is based on the zone being
-       signed and configured for dynamic updates. A bug in the ACL
-       processing for "allow-update { none; };" resulted in a zone that is
-       supposed to be static being treated as a dynamic zone. Thus, name
-       would try to sign/re-sign that zone erroneously. [RT #23120]
-     * When using auto-dnssec and updating DNSKEY records, named did
-       correctly update the zone. [RT #23232]
-     * After a failed zone transfer of an RPZ (response policy zone),
-       named would respond with SERVFAIL for subsequent queries in the RPZ
-       zone. [RT #23246]
-     * If a slave initiates a TSIG signed AXFR from the master and the
-       master fails to correctly TSIG sign the final message, the slave
-       would be left with the zone in an unclean state. named detected
-       this error too late and named would crash with an INSIST. The order
-       dependancy has been fixed. [RT #23254]
-
-Known issues in this release
-
-     * None.
-
-Thank You
-
-   Thank you to everyone who assisted us in making this release possible.
-   If you would like to contribute to ISC to assist us in continuing to
-   make quality open source software, please visit our donations page at
-   http://www.isc.org/supportisc.

bin/named/query.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: query.c,v 1.353.8.2 2011/02/18 15:27:58 smann Exp $ */
+/* $Id: query.c,v 1.353.8.2.2.1 2011/04/27 17:06:27 each Exp $ */
 
 /*! \file */
 
@@ -4087,9 +4087,15 @@ rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef,
 			if (dns_rdataset_isassociated(*rdatasetp))
 				dns_rdataset_disassociate(*rdatasetp);
 			dns_db_detachnode(*dbp, nodep);
-			result = dns_db_find(*dbp, qnamef, version, qtype, 0,
-					     client->now, nodep, found,
-					     *rdatasetp, NULL);
+
+			if (qtype == dns_rdatatype_rrsig ||
+			    qtype == dns_rdatatype_sig)
+				result = DNS_R_NXRRSET;
+			else 
+				result = dns_db_find(*dbp, qnamef, version,
+						     qtype, 0, client->now,
+						     nodep, found, *rdatasetp,
+						     NULL);
 		}
 	}
 	switch (result) {

bin/tests/system/dlv/clean.sh

@@ -14,17 +14,30 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: clean.sh,v 1.7 2010/05/27 23:51:08 tbox Exp $
+# $Id: clean.sh,v 1.7.242.1 2011/05/27 00:57:30 each Exp $
 
 rm -f random.data
 rm -f ns*/named.run
+rm -f ns1/K*
+rm -f ns1/dsset-*
+rm -f ns1/*.signed
+rm -f ns1/signer.err
+rm -f ns1/root.db
+rm -f ns2/K*
+rm -f ns2/dlvset-*
+rm -f ns2/dsset-*
+rm -f ns2/*.signed
+rm -f ns2/*.pre
+rm -f ns2/signer.err
+rm -f ns2/druz.db
 rm -f ns3/K*
 rm -f ns3/*.db
 rm -f ns3/*.signed
 rm -f ns3/dlvset-*
 rm -f ns3/dsset-*
 rm -f ns3/keyset-*
-rm -f ns3/trusted.conf ns5/trusted.conf
+rm -f ns1/trusted.conf ns5/trusted.conf
+rm -f ns3/trusted-dlv.conf ns5/trusted-dlv.conf
 rm -f ns3/signer.err
 rm -f ns6/K*
 rm -f ns6/*.db

bin/tests/system/dlv/ns1/named.conf

@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.4 2007/06/19 23:47:02 tbox Exp $ */
+/* $Id: named.conf,v 1.4.950.1 2011/05/27 00:57:30 each Exp $ */
 
 controls { /* empty */ };
 
@@ -28,8 +28,8 @@ options {
 	listen-on-v6 { none; };
 	recursion no;
 	notify yes;
-	dnssec-enable no;
+	dnssec-enable yes;
 };
 
-zone "." { type master; file "root.db"; };
+zone "." { type master; file "root.signed"; };
 zone "rootservers.utld" { type master; file "rootservers.utld.db"; };

bin/tests/system/dlv/ns1/root.db.in

@@ -12,7 +12,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: root.db,v 1.4 2007/06/19 23:47:02 tbox Exp $
+; $Id: root.db.in,v 1.3.8.2 2011/05/27 00:57:30 each Exp $
 
 $TTL	120
 @		SOA	ns.rootservers.utld hostmaster.ns.rootservers.utld (
@@ -22,3 +22,5 @@ ns		A	10.53.0.1
 ;
 utld		NS	ns.utld
 ns.utld		A	10.53.0.2
+druz		NS	ns.druz
+ns.druz		A	10.53.0.2

bin/tests/system/dlv/ns1/sign.sh

@@ -0,0 +1,52 @@
+#!/bin/sh
+#
+# Copyright (C) 2004, 2007, 2009, 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: sign.sh,v 1.3.8.2 2011/05/27 00:57:30 each Exp $
+
+(cd ../ns2 && sh -e ./sign.sh || exit 1)
+
+echo "I:dlv/ns1/sign.sh"
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+RANDFILE=../random.data
+
+zone=.
+infile=root.db.in
+zonefile=root.db
+outfile=root.signed
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` 
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -r $RANDFILE -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+
+echo "I: signed $zone"
+
+grep -v '^;' $keyname2.key | $PERL -n -e '
+local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
+local $key = join("", @rest);
+print <<EOF
+trusted-keys {
+    "$dn" $flags $proto $alg "$key";
+};
+EOF
+' > trusted.conf
+cp trusted.conf ../ns5
+

bin/tests/system/dlv/ns2/druz.db.in

@@ -0,0 +1,54 @@
+; Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: druz.db.in,v 1.4.8.2 2011/05/27 00:57:30 each Exp $
+
+$TTL	120
+@		SOA	ns hostmaster.ns 1 3600 1200 604800 60
+@		NS	ns
+ns		A	10.53.0.2
+;
+rootservers	NS	ns.rootservers
+ns.rootservers	A	10.53.0.1
+;
+;
+child1		NS	ns.child1
+ns.child1	A	10.53.0.3
+;
+child2		NS	ns.child2
+ns.child2	A	10.53.0.4
+;
+child3		NS	ns.child3
+ns.child3	A	10.53.0.3
+;
+child4		NS	ns.child4
+ns.child4	A	10.53.0.3
+;
+child5		NS	ns.child5
+ns.child5	A	10.53.0.3
+;
+child6		NS	ns.child6
+ns.child6	A	10.53.0.4
+;
+child7		NS	ns.child7
+ns.child7	A	10.53.0.3
+;
+child8		NS	ns.child8
+ns.child8	A	10.53.0.3
+;
+child9		NS	ns.child9
+ns.child9	A	10.53.0.3
+;
+child10		NS	ns.child10
+ns.child10	A	10.53.0.3

bin/tests/system/dlv/ns2/named.conf

@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.4 2007/06/19 23:47:02 tbox Exp $ */
+/* $Id: named.conf,v 1.4.950.1 2011/05/27 00:57:30 each Exp $ */
 
 controls { /* empty */ };
 
@@ -28,8 +28,9 @@ options {
 	listen-on-v6 { none; };
 	recursion no;
 	notify yes;
-	dnssec-enable no;
+	dnssec-enable yes;
 };
 
 zone "." { type hint; file "hints"; };
 zone "utld" { type master; file "utld.db"; };
+zone "druz" { type master; file "druz.signed"; };

bin/tests/system/dlv/ns2/sign.sh

@@ -0,0 +1,44 @@
+#!/bin/sh
+#
+# Copyright (C) 2004, 2007, 2009, 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: sign.sh,v 1.3.8.2 2011/05/27 00:57:31 each Exp $
+
+(cd ../ns3 && sh -e ./sign.sh || exit 1)
+
+echo "I:dlv/ns2/sign.sh"
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+RANDFILE=../random.data
+
+zone=druz.
+infile=druz.db.in
+zonefile=druz.db
+outfile=druz.pre
+dlvzone=utld.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` 
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -r $RANDFILE -l $dlvzone -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+
+$CHECKZONE -q -D -i none druz druz.pre |
+sed '/IN DNSKEY/s/\([a-z0-9A-Z/]\{10\}\)[a-z0-9A-Z/]\{16\}/\1XXXXXXXXXXXXXXXX/'> druz.signed
+
+echo "I: signed $zone"

bin/tests/system/dlv/ns3/named.conf

@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.4 2007/06/19 23:47:02 tbox Exp $ */
+/* $Id: named.conf,v 1.4.950.1 2011/05/27 00:57:31 each Exp $ */
 
 controls { /* empty */ };
 
@@ -41,3 +41,11 @@ zone "child7.utld" { type master; file "child7.signed"; };	// no dlv
 zone "child8.utld" { type master; file "child8.signed"; };	// no dlv
 zone "child9.utld" { type master; file "child9.signed"; };	// dlv
 zone "child10.utld" { type master; file "child.db.in"; }; 	// dlv unsigned
+zone "child1.druz" { type master; file "child1.druz.signed"; };	// dlv
+zone "child3.druz" { type master; file "child3.druz.signed"; };	// dlv
+zone "child4.druz" { type master; file "child4.druz.signed"; };	// dlv
+zone "child5.druz" { type master; file "child5.druz.signed"; };	// dlv
+zone "child7.druz" { type master; file "child7.druz.signed"; };	// no dlv
+zone "child8.druz" { type master; file "child8.druz.signed"; };	// no dlv
+zone "child9.druz" { type master; file "child9.druz.signed"; };	// dlv
+zone "child10.druz" { type master; file "child.db.in"; }; 	// dlv unsigned

bin/tests/system/dlv/ns3/sign.sh

@@ -14,21 +14,24 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: sign.sh,v 1.9 2010/05/27 23:51:08 tbox Exp $
+# $Id: sign.sh,v 1.9.242.1 2011/05/27 00:57:31 each Exp $
 
 (cd ../ns6 && sh -e ./sign.sh)
 
+echo "I:dlv/ns3/sign.sh"
+
 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
 
 RANDFILE=../random.data
+dlvzone=dlv.utld.
 dlvsets=
+dssets=
 
 zone=child1.utld.
 infile=child.db.in
 zonefile=child1.utld.db
 outfile=child1.signed
-dlvzone=dlv.utld.
 dlvsets="$dlvsets dlvset-$zone"
 
 keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` 
@@ -44,7 +47,6 @@ zone=child3.utld.
 infile=child.db.in
 zonefile=child3.utld.db
 outfile=child3.signed
-dlvzone=dlv.utld.
 dlvsets="$dlvsets dlvset-$zone"
 
 keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
@@ -60,7 +62,6 @@ zone=child4.utld.
 infile=child.db.in
 zonefile=child4.utld.db
 outfile=child4.signed
-dlvzone=dlv.utld.
 dlvsets="$dlvsets dlvset-$zone"
 
 keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
@@ -76,7 +77,6 @@ zone=child5.utld.
 infile=child.db.in
 zonefile=child5.utld.db
 outfile=child5.signed
-dlvzone=dlv.utld.
 dlvsets="$dlvsets dlvset-$zone"
 
 keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
@@ -92,7 +92,6 @@ zone=child7.utld.
 infile=child.db.in
 zonefile=child7.utld.db
 outfile=child7.signed
-dlvzone=dlv.utld.
 
 keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
 keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
@@ -107,7 +106,6 @@ zone=child8.utld.
 infile=child.db.in
 zonefile=child8.utld.db
 outfile=child8.signed
-dlvzone=dlv.utld.
 
 keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
 keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
@@ -122,7 +120,6 @@ zone=child9.utld.
 infile=child.db.in
 zonefile=child9.utld.db
 outfile=child9.signed
-dlvzone=dlv.utld.
 dlvsets="$dlvsets dlvset-$zone"
 
 keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
@@ -137,7 +134,6 @@ zone=child10.utld.
 infile=child.db.in
 zonefile=child10.utld.db
 outfile=child10.signed
-dlvzone=dlv.utld.
 dlvsets="$dlvsets dlvset-$zone"
 
 keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
@@ -148,12 +144,133 @@ cat $infile $keyname1.key $keyname2.key >$zonefile
 $SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo "I: signed $zone"
 
+zone=child1.druz.
+infile=child.db.in
+zonefile=child1.druz.db
+outfile=child1.druz.signed
+dlvsets="$dlvsets dlvset-$zone"
+dssets="$dssets dsset-$zone"
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` 
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile
+
+$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=child3.druz.
+infile=child.db.in
+zonefile=child3.druz.db
+outfile=child3.druz.signed
+dlvsets="$dlvsets dlvset-$zone"
+dssets="$dssets dsset-$zone"
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile
+
+$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=child4.druz.
+infile=child.db.in
+zonefile=child4.druz.db
+outfile=child4.druz.signed
+dlvsets="$dlvsets dlvset-$zone"
+dssets="$dssets dsset-$zone"
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=child5.druz.
+infile=child.db.in
+zonefile=child5.druz.db
+outfile=child5.druz.signed
+dlvsets="$dlvsets dlvset-$zone"
+dssets="$dssets dsset-$zone"
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile
+
+$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=child7.druz.
+infile=child.db.in
+zonefile=child7.druz.db
+outfile=child7.druz.signed
+dssets="$dssets dsset-$zone"
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile
+
+$SIGNER -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=child8.druz.
+infile=child.db.in
+zonefile=child8.druz.db
+outfile=child8.druz.signed
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=child9.druz.
+infile=child.db.in
+zonefile=child9.druz.db
+outfile=child9.druz.signed
+dlvsets="$dlvsets dlvset-$zone"
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+zone=child10.druz.
+infile=child.db.in
+zonefile=child10.druz.db
+outfile=child10.druz.signed
+dlvsets="$dlvsets dlvset-$zone"
+dssets="$dssets dsset-$zone"
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
 
 zone=dlv.utld.
 infile=dlv.db.in
 zonefile=dlv.utld.db
 outfile=dlv.signed
-dlvzone=dlv.utld.
 
 keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
 keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
@@ -172,5 +289,7 @@ trusted-keys {
     "$dn" $flags $proto $alg "$key";
 };
 EOF
-' > trusted.conf
-cp trusted.conf ../ns5
+' > trusted-dlv.conf
+cp trusted-dlv.conf ../ns5
+
+cp $dssets ../ns2

bin/tests/system/dlv/ns5/named.conf

@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.8 2007/06/18 23:47:28 tbox Exp $ */
+/* $Id: named.conf,v 1.8.950.1 2011/05/27 00:57:31 each Exp $ */
 
 /*
  * Choose a keyname that is unlikely to clash with any real key names.
@@ -46,6 +46,7 @@ controls {
 };
 
 include "trusted.conf";
+include "trusted-dlv.conf";
 
 options {
 	query-source address 10.53.0.5;

bin/tests/system/dlv/ns6/named.conf

@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.4 2010/07/11 01:18:24 each Exp $ */
+/* $Id: named.conf,v 1.4.210.1 2011/05/27 00:57:31 each Exp $ */
 
 controls { /* empty */ };
 
@@ -40,3 +40,11 @@ zone "grand.child7.utld" { type master; file "grand.child7.signed"; };
 zone "grand.child8.utld" { type master; file "grand.child8.signed"; };
 zone "grand.child9.utld" { type master; file "grand.child9.signed"; };
 zone "grand.child10.utld" { type master; file "grand.child10.signed"; };
+zone "grand.child1.druz" { type master; file "grand.child1.druz.signed"; };
+zone "grand.child3.druz" { type master; file "grand.child3.druz.signed"; };
+zone "grand.child4.druz" { type master; file "grand.child4.druz.signed"; };
+zone "grand.child5.druz" { type master; file "grand.child5.druz.signed"; };
+zone "grand.child7.druz" { type master; file "grand.child7.druz.signed"; };
+zone "grand.child8.druz" { type master; file "grand.child8.druz.signed"; };
+zone "grand.child9.druz" { type master; file "grand.child9.druz.signed"; };
+zone "grand.child10.druz" { type master; file "grand.child10.druz.signed"; };

bin/tests/system/dlv/ns6/sign.sh

@@ -14,11 +14,13 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: sign.sh,v 1.3 2010/05/27 23:51:08 tbox Exp $
+# $Id: sign.sh,v 1.3.250.1 2011/05/27 00:57:31 each Exp $
 
 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
 
+echo "I:dlv/ns6/sign.sh"
+
 RANDFILE=../random.data
 
 zone=grand.child1.utld.
@@ -137,3 +139,120 @@ cat $infile $keyname1.key $keyname2.key >$zonefile
 
 $SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo "I: signed $zone"
+
+zone=grand.child1.druz.
+infile=child.db.in
+zonefile=grand.child1.druz.db
+outfile=grand.child1.druz.signed
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=grand.child3.druz.
+infile=child.db.in
+zonefile=grand.child3.druz.db
+outfile=grand.child3.druz.signed
+dlvzone=dlv.druz.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=grand.child4.druz.
+infile=child.db.in
+zonefile=grand.child4.druz.db
+outfile=grand.child4.druz.signed
+dlvzone=dlv.druz.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=grand.child5.druz.
+infile=child.db.in
+zonefile=grand.child5.druz.db
+outfile=grand.child5.druz.signed
+dlvzone=dlv.druz.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=grand.child7.druz.
+infile=child.db.in
+zonefile=grand.child7.druz.db
+outfile=grand.child7.druz.signed
+dlvzone=dlv.druz.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=grand.child8.druz.
+infile=child.db.in
+zonefile=grand.child8.druz.db
+outfile=grand.child8.druz.signed
+dlvzone=dlv.druz.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=grand.child9.druz.
+infile=child.db.in
+zonefile=grand.child9.druz.db
+outfile=grand.child9.druz.signed
+dlvzone=dlv.druz.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+zone=grand.child10.druz.
+infile=child.db.in
+zonefile=grand.child10.druz.db
+outfile=grand.child10.druz.signed
+dlvzone=dlv.druz.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"

bin/tests/system/dlv/setup.sh

@@ -14,8 +14,8 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: setup.sh,v 1.6 2009/03/02 23:47:43 tbox Exp $
+# $Id: setup.sh,v 1.6.528.1 2011/05/27 00:57:30 each Exp $
 
 ../../../tools/genrandom 400 random.data
 
-(cd ns3 && sh -e sign.sh)
+(cd ns1 && sh -e sign.sh)

bin/tests/system/dlv/tests.sh

@@ -14,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.6 2010/05/27 23:51:08 tbox Exp $
+# $Id: tests.sh,v 1.6.242.1 2011/05/27 00:57:30 each Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
@@ -42,5 +42,21 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+echo "I:checking that SOA reference by DLV in a DRUZ with DS validates as secure ($n)"
+ret=0
+$DIG $DIGOPTS child1.druz soa @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking that child SOA reference by DLV in a DRUZ with DS validates as secure ($n)"
+ret=0
+$DIG $DIGOPTS grand.child1.druz soa @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:exit status: $status"
 exit $status

bin/tests/system/rpz/ns3/base.db

@@ -12,7 +12,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: base.db,v 1.3 2011/01/13 04:59:25 tbox Exp $
+; $Id: base.db,v 1.3.130.1 2011/04/27 17:06:28 each Exp $
 
 ; RPZ test
 
@@ -29,3 +29,7 @@ $TTL	120
 128.zz.3333.4444.0.7777.8888.rpz-ip			CNAME	.
 128.zz.3333.4444.0.8777.8888.rpz-ip			CNAME	.
 127.zz.3333.4444.0.8777.8888.rpz-ip			CNAME	.
+
+; for testing rrset replacement
+redirect	IN      A       127.0.0.1
+*.redirect	IN      A       127.0.0.1

bin/tests/system/rpz/tests.sh

@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.3 2011/01/13 04:59:24 tbox Exp $
+# $Id: tests.sh,v 1.3.130.1 2011/04/27 17:06:27 each Exp $
 
 # test response policy zones (RPZ)
 
@@ -215,6 +215,38 @@ if grep CNAME $DIGNM >/dev/null; then : ; else
 fi
 end_test
 
+ret=0
+echo "I:checking RRSIG queries"
+# We don't actually care about the query results; the important
+# thing is the server handles RRSIG queries okay
+$DIGCMD a3-1.tld2 -trrsig @$s3 > /dev/null 2>&1
+$DIGCMD a3-2.tld2 -trrsig @$s3 > /dev/null 2>&1
+$DIGCMD a3-5.tld2 -trrsig @$s3 > /dev/null 2>&1
+$DIGCMD www.redirect -trrsig @$s3 > /dev/null 2>&1
+
+$RNDC -c ../common/rndc.conf -s $s3 -p 9953 status > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then
+    echo "I:failed";
+    (cd ..; $PERL start.pl --noclean --restart rpz ns3)
+fi
+status=`expr $status + $ret`
+
+ret=0
+echo "I:checking SIG queries"
+# We don't actually care about the query results; the important
+# thing is the server handles SIG queries okay
+$DIGCMD a3-1.tld2 -tsig @$s3 > /dev/null 2>&1
+$DIGCMD a3-2.tld2 -tsig @$s3 > /dev/null 2>&1
+$DIGCMD a3-5.tld2 -tsig @$s3 > /dev/null 2>&1
+$DIGCMD www.redirect -tsig @$s3 > /dev/null 2>&1
+
+$RNDC -c ../common/rndc.conf -s $s3 -p 9953 status > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then
+    echo "I:failed";
+    (cd ..; $PERL start.pl --noclean --restart rpz ns3)
+fi
+status=`expr $status + $ret`
+
 if test "$status" -eq 0; then
     rm -f dig.out*
 fi

bin/tests/system/start.pl

@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: start.pl,v 1.16 2010/09/15 12:07:55 marka Exp $
+# $Id: start.pl,v 1.16.114.1 2011/04/27 17:06:27 each Exp $
 
 # Framework for starting test servers.
 # Based on the type of server specified, check for port availability, remove
@@ -34,9 +34,10 @@ use Getopt::Long;
 #   server - name of the server directory
 #   options - alternate options for the server
 
-my $usage = "usage: $0 [--noclean] test-directory [server-directory [server-options]]";
-my $noclean;
-GetOptions('noclean' => \$noclean);
+my $usage = "usage: $0 [--noclean] [--restart] test-directory [server-directory [server-options]]";
+my $noclean = '';
+my $restart = '';
+GetOptions('noclean' => \$noclean, 'restart' => \$restart);
 my $test = $ARGV[0];
 my $server = $ARGV[1];
 my $options = $ARGV[2];
@@ -137,7 +138,11 @@ sub start_server {
 				if (-e "$testdir/$server/named.noaa");
 			$command .= "-c named.conf -d 99 -g";
 		}
-		$command .= " >named.run 2>&1 &";
+		if ($restart) {
+			$command .= " >>named.run 2>&1 &";
+		} else {
+			$command .= " >named.run 2>&1 &";
+		}
 		$pid_file = "named.pid";
 	} elsif ($server =~ /^lwresd/) {
 		$cleanup_files = "{lwresd.run}";
@@ -150,7 +155,11 @@ sub start_server {
 			$command .= "-C resolv.conf -d 99 -g ";
 			$command .= "-i lwresd.pid -P 9210 -p 5300";
 		}
-		$command .= " >lwresd.run 2>&1 &";
+		if ($restart) {
+			$command .= " >>lwresd.run 2>&1 &";
+		} else {
+			$command .= " >lwresd.run 2>&1 &";
+		}
 		$pid_file = "lwresd.pid";
 	} elsif ($server =~ /^ans/) {
 		$cleanup_files = "{ans.run}";
@@ -160,7 +169,11 @@ sub start_server {
 		} else {
 			$command .= "";
 		}
-		$command .= " >ans.run 2>&1 &";
+		if ($restart) {
+			$command .= " >>ans.run 2>&1 &";
+		} else {
+			$command .= " >ans.run 2>&1 &";
+		}
 		$pid_file = "ans.pid";
 	} else {
 		print "I:Unknown server type $server\n";
@@ -200,8 +213,8 @@ sub verify_server {
 	while (1) {
 		my $return = system("$DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd -p 5300 version.bind. chaos txt \@10.53.0.$n > dig.out");
 		last if ($return == 0);
-		print `grep ";" dig.out`;
 		if (++$tries >= 30) {
+			print `grep ";" dig.out > /dev/null`;
 			print "I:no response from $server\n";
 			print "R:FAIL\n";
 			system("$PERL $topdir/stop.pl $testdir");

lib/dns/api

@@ -1,3 +1,3 @@
 LIBINTERFACE = 82
-LIBREVISION = 1
+LIBREVISION = 2
 LIBAGE = 1

lib/dns/ncache.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ncache.c,v 1.50.124.1 2011/02/03 07:39:03 marka Exp $ */
+/* $Id: ncache.c,v 1.50.124.1.2.1 2011/05/27 00:57:31 each Exp $ */
 
 /*! \file */
 
@@ -186,7 +186,7 @@ dns_ncache_addoptout(dns_message_t *message, dns_db_t *cache,
 					 */
 					isc_buffer_availableregion(&buffer,
 								   &r);
-					if (r.length < 2)
+					if (r.length < 3)
 						return (ISC_R_NOSPACE);
 					isc_buffer_putuint16(&buffer,
 							     rdataset->type);

lib/dns/validator.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.c,v 1.197 2010/12/23 04:07:58 marka Exp $ */
+/* $Id: validator.c,v 1.197.40.1 2011/05/27 00:57:31 each Exp $ */
 
 #include <config.h>
 
@@ -428,7 +428,8 @@ fetch_callback_validator(isc_task_t *task, isc_event_t *event) {
 		validator_done(val, ISC_R_CANCELED);
 	} else if (eresult == ISC_R_SUCCESS) {
 		validator_log(val, ISC_LOG_DEBUG(3),
-			      "keyset with trust %d", rdataset->trust);
+			      "keyset with trust %s",
+			      dns_trust_totext(rdataset->trust));
 		/*
 		 * Only extract the dst key if the keyset is secure.
 		 */
@@ -505,7 +506,8 @@ dsfetched(isc_task_t *task, isc_event_t *event) {
 		validator_done(val, ISC_R_CANCELED);
 	} else if (eresult == ISC_R_SUCCESS) {
 		validator_log(val, ISC_LOG_DEBUG(3),
-			      "dsset with trust %d", rdataset->trust);
+			      "dsset with trust %s",
+			       dns_trust_totext(rdataset->trust));
 		val->dsset = &val->frdataset;
 		result = validatezonekey(val);
 		if (result != DNS_R_WAIT)
@@ -660,7 +662,8 @@ keyvalidated(isc_task_t *task, isc_event_t *event) {
 		validator_done(val, ISC_R_CANCELED);
 	} else if (eresult == ISC_R_SUCCESS) {
 		validator_log(val, ISC_LOG_DEBUG(3),
-			      "keyset with trust %d", val->frdataset.trust);
+			      "keyset with trust %s",
+			      dns_trust_totext(val->frdataset.trust));
 		/*
 		 * Only extract the dst key if the keyset is secure.
 		 */
@@ -731,10 +734,10 @@ dsvalidated(isc_task_t *task, isc_event_t *event) {
 		isc_boolean_t have_dsset;
 		dns_name_t *name;
 		validator_log(val, ISC_LOG_DEBUG(3),
-			      "%s with trust %d",
+			      "%s with trust %s",
 			      val->frdataset.type == dns_rdatatype_ds ?
 			      "dsset" : "ds non-existance",
-			      val->frdataset.trust);
+			      dns_trust_totext(val->frdataset.trust));
 		have_dsset = ISC_TF(val->frdataset.type == dns_rdatatype_ds);
 		name = dns_fixedname_name(&val->fname);
 		if ((val->attributes & VALATTR_INSECURITY) != 0 &&
@@ -1385,8 +1388,8 @@ view_find(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) {
 		INSIST(type == dns_rdatatype_dlv);
 		if (val->frdataset.trust != dns_trust_secure) {
 			validator_log(val, ISC_LOG_DEBUG(3),
-				      "covering nsec: trust %u",
-				      val->frdataset.trust);
+				      "covering nsec: trust %s",
+				      dns_trust_totext(val->frdataset.trust));
 			goto notfound;
 		}
 		result = dns_rdataset_first(&val->frdataset);
@@ -1721,8 +1724,8 @@ get_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo) {
 			 * See if we've got the key used in the signature.
 			 */
 			validator_log(val, ISC_LOG_DEBUG(3),
-				      "keyset with trust %d",
-				      val->frdataset.trust);
+				      "keyset with trust %s",
+				      dns_trust_totext(val->frdataset.trust));
 			result = get_dst_key(val, siginfo, val->keyset);
 			if (result != ISC_R_SUCCESS) {
 				/*
@@ -2492,8 +2495,11 @@ validatezonekey(dns_validator_t *val) {
 				      " insecure DS");
 			return (DNS_R_MUSTBESECURE);
 		}
-		markanswer(val, "validatezonekey (2)");
-		return (ISC_R_SUCCESS);
+		if (val->view->dlv == NULL || DLVTRIED(val)) {
+			markanswer(val, "validatezonekey (2)");
+			return (ISC_R_SUCCESS);
+		}
+		return (startfinddlvsep(val, val->event->name));
 	}
 
 	/*
@@ -3231,7 +3237,8 @@ dlvvalidated(isc_task_t *task, isc_event_t *event) {
 		validator_done(val, ISC_R_CANCELED);
 	} else if (eresult == ISC_R_SUCCESS) {
 		validator_log(val, ISC_LOG_DEBUG(3),
-			      "dlvset with trust %d", val->frdataset.trust);
+			      "dlvset with trust %s",
+			      dns_trust_totext(val->frdataset.trust));
 		dns_rdataset_clone(&val->frdataset, &val->dlv);
 		val->havedlvsep = ISC_TRUE;
 		if (dlv_algorithm_supported(val))

lib/dns/win32/libdns.def

@@ -675,6 +675,7 @@ dns_tkey_processgssresponse
 dns_tkey_processquery
 dns_tkeyctx_create
 dns_tkeyctx_destroy
+dns_trust_totext
 dns_tsig_sign
 dns_tsig_verify
 dns_tsigkey_attach

version

@@ -1,4 +1,4 @@
-# $Id: version,v 1.53.8.2 2011/02/19 08:21:16 each Exp $
+# $Id: version,v 1.53.8.2.2.2 2011/05/27 00:57:29 each Exp $
 # 
 # This file must follow /bin/sh rules.  It is imported directly via
 # configure.
@@ -6,5 +6,5 @@
 MAJORVER=9
 MINORVER=8
 PATCHVER=0
-RELEASETYPE=
-RELEASEVER=
+RELEASETYPE=-P
+RELEASEVER=2