Merge branch 'fix-atffile' into 'v9_9'

fix Atffile/Kyuafile

See merge request isc-projects/bind9!457

.gitattributes

@@ -1,2 +1,3 @@
+*.sln.in eol=crlf
 *.vcxproj.in eol=crlf
 *.vcxproj.filters.in eol=crlf

.gitlab-ci.yml

@@ -0,0 +1,207 @@
+variables:
+  DEBIAN_FRONTEND: noninteractive
+  LC_ALL: C
+  DOCKER_DRIVER: overlay2
+  CI_REGISTRY_IMAGE: oerdnj/bind9
+  CCACHE_DIR: "/ccache"
+
+stages:
+  - precheck
+  - build
+  - test
+
+.debian-jessie-amd64: &debian_jessie_amd64_image
+  image: "$CI_REGISTRY_IMAGE:debian-jessie-amd64"
+  tags:
+    - linux
+    - docker
+    - amd64
+
+.debian-jessie-i386: &debian_jessie_i386_image
+  image: "$CI_REGISTRY_IMAGE:debian-jessie-i386"
+  tags:
+    - linux
+    - docker
+    - i386
+
+.debian-stretch-amd64: &debian_stretch_amd64_image
+  image: "$CI_REGISTRY_IMAGE:debian-stretch-amd64"
+  tags:
+    - linux
+    - docker
+    - amd64
+
+.debian-stretch-i386:: &debian_stretch_i386_image
+  image: "$CI_REGISTRY_IMAGE:debian-stretch-i386"
+  tags:
+    - linux
+    - docker
+    - i386
+
+.debian-buster-amd64: &debian_buster_amd64_image
+  image: "$CI_REGISTRY_IMAGE:debian-buster-amd64"
+  tags:
+    - linux
+    - docker
+    - amd64
+
+.debian-buster-i386:: &debian_buster_i386_image
+  image: "$CI_REGISTRY_IMAGE:debian-buster-i386"
+  tags:
+    - linux
+    - docker
+    - i386
+
+.debian-sid-amd64: &debian_sid_amd64_image
+  image: "$CI_REGISTRY_IMAGE:debian-sid-amd64"
+  tags:
+    - linux
+    - docker
+    - amd64
+
+.debian-sid-i386: &debian_sid_i386_image
+  image: "$CI_REGISTRY_IMAGE:debian-sid-i386"
+  tags:
+    - linux
+    - docker
+    - i386
+
+.ubuntu-trusty-amd64: &ubuntu_trusty_amd64_image
+  image: "$CI_REGISTRY_IMAGE:ubuntu-trusty-amd64"
+  tags:
+    - linux
+    - docker
+    - amd64
+
+.ubuntu-trusty-i386: &ubuntu_trusty_i386_image
+  image: "$CI_REGISTRY_IMAGE:ubuntu-trusty-i386"
+  tags:
+    - linux
+    - docker
+    - i386
+
+.ubuntu-xenial-amd64: &ubuntu_xenial_amd64_image
+  image: "$CI_REGISTRY_IMAGE:ubuntu-xenial-amd64"
+  tags:
+    - linux
+    - docker
+    - amd64
+
+.ubuntu-xenial-i386: &ubuntu_xenial_i386_image
+  image: "$CI_REGISTRY_IMAGE:ubuntu-xenial-i386"
+  tags:
+    - linux
+    - docker
+    - i386
+
+.build: &build_job
+  stage: build
+  before_script:
+    - test -w "${CCACHE_DIR}" && export PATH="/usr/lib/ccache:${PATH}"
+    - autoreconf -fi
+  script:
+    - ./configure --enable-developer --with-libtool --disable-static --with-atf=/usr/local
+    - make -j${PARALLEL_JOBS_BUILD:-1} -k all V=1
+  artifacts:
+    expire_in: '1 hour'
+    untracked: true
+
+.system_test: &system_test_job
+  stage: test
+  before_script:
+    - rm -rf .ccache
+    - bash -x bin/tests/system/ifconfig.sh up
+  script:
+    - ( cd bin/tests && make -j${TEST_PARALLEL_JOBS:-1} -k test V=1 )
+    - test -s bin/tests/system/systests.output
+  artifacts:
+    untracked: true
+    expire_in: '1 week'
+    when: on_failure
+
+.unit_test: &unit_test_job
+  stage: test
+  before_script:
+    - export KYUA_RESULT="$CI_PROJECT_DIR/kyua.results"
+  script:
+    - make unit
+  after_script:
+    - kyua report-html --force --results-file kyua.results --results-filter "" --output kyua_html
+  artifacts:
+    paths:
+    - atf.out
+    - kyua.log
+    - kyua.results
+    - kyua_html/
+    expire_in: '1 week'
+    when: on_failure
+
+precheck:debian:sid:amd64:
+  <<: *debian_sid_amd64_image
+  stage: precheck
+  script:
+    - perl util/check-changes CHANGES
+    - perl -w util/merge_copyrights
+    - diff -urNap util/copyrights util/newcopyrights
+    - rm util/newcopyrights
+  artifacts:
+    paths:
+    - util/newcopyrights
+    expire_in: '1 week'
+    when: on_failure
+
+#build:debian:jessie:amd64:
+#  <<: *debian_jessie_amd64_image
+#  <<: *build_job
+#
+#build:debian:jessie:i386:
+#  <<: *debian_jessie_i386_image
+#  <<: *build_job
+#
+#build:debian:stretch:amd64:
+#  <<: *debian_stretch_amd64_image
+#  <<: *build_job
+#
+#build:debian:buster:i386:
+#  <<: *debian_buster_i386_image
+#  <<: *build_job
+#
+#build:ubuntu:trusty:amd64:
+#  <<: *ubuntu_trusty_amd64_image
+#  <<: *build_job
+#
+#build:ubuntu:xenial:i386:
+#  <<: *ubuntu_xenial_i386_image
+#  <<: *build_job
+
+build:debian:sid:amd64:
+  <<: *debian_sid_amd64_image
+  <<: *build_job
+    
+build:debian:sid:i386:
+  <<: *debian_sid_i386_image
+  <<: *build_job
+
+unittest:debian:sid:amd64:
+  <<: *debian_sid_amd64_image
+  <<: *unit_test_job
+  dependencies:
+    - build:debian:sid:amd64
+    
+unittest:debian:sid:i386:
+  <<: *debian_sid_i386_image
+  <<: *unit_test_job
+  dependencies:
+    - build:debian:sid:i386
+
+systemtest:debian:sid:amd64:
+  <<: *debian_sid_amd64_image
+  <<: *system_test_job
+  dependencies:
+    - build:debian:sid:amd64
+    
+systemtest:debian:sid:i386:
+  <<: *debian_sid_i386_image
+  <<: *system_test_job
+  dependencies:
+    - build:debian:sid:i386

CHANGES

@@ -1,3 +1,706 @@
+	--- 9.9.13rc2 released ---
+
+4984.	[bug]		Improve handling of very large incremental
+			zone transfers to prevent journal corruption. [GL #339]
+
+4979.	[bug]		Non-libcap builds were not checking whether all
+			requested capabilities are present in the permitted
+			capability set. [GL #321]
+
+4977.	[func]		When starting up, log the same details that
+			would be reported by 'named -V'. [GL #247]
+
+4972.	[func]		Declare the 'rdata' argument for dns_rdata_tostruct()
+			to be const. [GL #341]
+
+4971.	[bug]		dnssec-signzone and dnssec-verify did not treat records
+			below a DNAME as out-of-zone data. [GL #298]
+
+	--- 9.9.13rc1 released ---
+
+4968.	[bug]		If glue records are signed, attempt to validate them.
+			[GL #209]
+
+4965.	[func]		Add support for marking options as deprecated.
+			[GL #322]
+
+4964.	[bug]		Reduce the probabilty of double signature when deleting
+			a DNSKEY by checking if the node is otherwise signed
+			by the algorithm of the key to be deleted. [GL #240]
+
+4963.	[test]		ifconfig.sh now uses "ip" instead of "ifconfig",
+			if available, to configure the test interfaces on
+			linux.  [GL #302]
+
+4962.	[cleanup]	Move 'named -T' processing to its own function.
+			[GL #316]
+
+4960.	[security]	When recursion is enabled, but the "allow-recursion"
+			and "allow-query-cache" ACLs are not specified,
+			they should be limited to local networks,
+			but were inadvertently set to match the default
+			"allow-query", thus allowing remote queries.
+			(CVE-2018-5738) [GL #309]
+
+4958.	[bug]		Remove redundant space from NSEC3 record. [GL #281]
+
+4955.	[cleanup]	Silence cppcheck warnings in lib/dns/master.c.
+			[GL #286]
+
+4951.	[protocol]	Add "HOME.ARPA" to list of built in empty zones as
+			per RFC 8375. [GL #273]
+
+4950.	[bug]		ISC_SOCKEVENTATTR_TRUNC was not be set. [GL #238]
+
+4949.	[bug]		lib/isc/print.c failed to handle floating point
+			output correctly. [GL #261]
+
+4946.	[bug]		Additional glue was not being returned by resolver
+			for unsigned zones since change 4596. [GL #209]
+
+4939.	[test]		Add basic unit tests for update_sigs(). [GL #135]
+
+4933.	[bug]		Not creating signing keys for an inline signed zone
+			prevented changes applied to the raw zone from being
+			reflected in the secure zone until signing keys were
+			made available. [GL #159]
+
+4932.	[bug]		Bumped signed serial of an inline signed zone was
+			logged even when an error occurred while updating
+			signatures. [GL #159]
+
+4926.	[func]		Add root key sentinel support.  To disable, add
+			'root-key-sentinel no;' to named.conf. [GL #37]
+
+4918.	[bug]		Fix double free after keygen error in dnssec-keygen
+			when OpenSSL >= 1.1.0 is used and RSA_generate_key_ex
+			fails. [GL #109]
+
+4913.	[test]		Re-implemented older unit tests in bin/tests as ATF,
+			removed the lib/tests unit testing library. [GL #115]
+
+4910.	[func]		Update util/check-changes to work on release branches.
+			[GL #113]
+
+4908.	[test]		Eliminated unnecessary waiting in the allow_query
+			system test. Also changed its name to allow-query.
+			[GL #81]
+
+4907.	[test]		Improved the reliabilty of the 'notify' system
+			test. [GL #59]
+
+4905.	[bug]		irs_resconf_load() ignored resolv.conf syntax errors
+			when "domain" or "search" options were present in that
+			file. [GL #110]
+
+4903.	[bug]		"check-mx fail;" did not prevent MX records containing
+			IP addresses from being added to a zone by a dynamic
+			update. [GL #112]
+
+4902.	[test]		Improved the reliability of the 'ixfr' system
+			test. [GL #66]
+
+4899.	[test]		Convert most of the remaining system tests to be able
+			to run in parallel, continuing the work from change
+			#4895. To take advantage of this, use "make -jN check",
+			where N is the number of processors to use. [GL #91]
+
+4895.	[test]		Allow some system tests to run in parallel.
+			[RT #46602]
+
+4893.	[bug]		Address various issues reported by cppcheck. [GL #51]
+
+4892.	[bug]		named could leak memory when "rndc reload" was invoked
+			before all zone loading actions triggered by a previous
+			"rndc reload" command were completed. [RT #47076]
+
+	--- 9.9.12 released ---
+
+	--- 9.9.12rc2 released ---
+
+4904.	[bug]		Temporarily revert change #4859. [GL #124]
+
+	--- 9.9.12rc1 released ---
+
+4889.	[func]		Warn about the use of old root keys without the new
+			root key being present.  Warn about dlv.isc.org's
+			key being present. Warn about both managed and
+			trusted root keys being present. [RT #43670]
+
+4888.	[test]		Initialize sockets correctly in sample-update so
+			that the nsupdate system test will run on Windows.
+			[RT #47097]
+
+4885.	[security]	update-policy rules that otherwise ignore the name
+			field now require that it be set to "." to ensure
+			that any type list present is properly interpreted.
+			[RT #47126]
+
+4882.	[bug]		Address potential memory leak in
+			dns_update_signaturesinc. [RT #47084]
+
+4879.	[bug]		dns_rdata_caa:value_len field was too small.
+			[RT #47086]
+
+	--- 9.9.12b1 released ---
+
+4876.	[bug]		Address deadlock with accessing a keytable. [RT #47000]
+
+4874.	[bug]		Wrong time display when reporting new keywarntime.
+			[RT #47042]
+
+4872.	[bug]		Don't permit loading meta RR types such as TKEY
+			from master files. [RT #47009]
+
+4871.	[bug]		Fix configure glitch in detecting stdatomic.h
+			support on systems with multiple compilers.
+			[RT #46959]
+
+4870.	[test]		Update included ATF library to atf-0.21 preserving
+			the ATF tool. [RT #46967]
+
+4869.	[bug]		Address some cases where NULL with zero length could
+			be passed to memmove which is undefined behaviour and
+			can lead to bad optimisation. [RT #46888]
+
+4867.	[cleanup]	Normalize rndc on/off commands (validation and
+			querylog) so they accept the same synonyms
+			for on/off (yes/no, true/false, enable/disable).
+			Thanks to Tony Finch. [RT #47022]
+
+4863.	[bug]		Fix various other bugs reported by Valgrind's
+			memcheck tool. [RT #46978]
+
+4862.	[bug]		The rdata flags for RRSIG were not being properly set
+			when constructing a rdataslab. [RT #46978]
+
+4860.	[bug]		isc_int8_t should be signed char.  [RT #46973]
+
+4859.	[bug]		A loop was possible when attempting to validate
+			unsigned CNAME responses from secure zones;
+			this caused a delay in returning SERVFAIL and
+			also increased the chances of encountering
+			CVE-2017-3145. [RT #46839]
+
+4858.	[security]	Addresses could be referenced after being freed
+			in resolver.c, causing an assertion failure.
+			(CVE-2017-3145) [RT #46839]
+
+4857.	[bug]		Maintain attach/detach semantics for event->db,
+			event->node, event->rdataset and event->sigrdataset
+			in query.c. [RT #46891]
+
+4852.	[bug]		Add REQUIRE's and INSIST's to isc_time_formattimestamp,
+			isc_time_formathttptimestamp, isc_time_formatISO8601.
+			[RT #46892]
+
+4851.	[port]		Support using kyua as well as atf-run to run the unit
+			tests. [RT #46853]
+
+4846.	[test]		Adjust timing values in runtime system test. Address
+			named.pid removal races in runtime system test.
+			[RT #46800]
+
+4844.	[test]		Address memory leaks in libatf-c. [RT #46798]
+
+4843.	[bug]		dnssec-signzone free hashlist on exit. [RT #46791]
+
+4842.	[bug]		Conditionally compile opensslecdsa_link.c to avoid
+			warnings about unused function. [RT #46790]
+
+4841.	[bug]		Address -fsanitize=undefined warnings. [RT #46786]
+
+4840.	[test]		Add tests to cover fallback to using ZSK on inactive
+			KSK. [RT #46787]
+
+4839.	[bug]		zone.c:zone_sign was not properly determining
+			if there were active KSK and ZSK keys for
+			a algorithm when update-check-ksk is true
+			(default) leaving records unsigned with one or
+			more DNSKEY algorithms. [RT #46774]
+
+4838.	[bug]		zone.c:add_sigs was not properly determining
+			if there were active KSK and ZSK keys for
+			a algorithm when update-check-ksk is true
+			(default) leaving records unsigned with one or
+			more DNSKEY algorithms. [RT #46754]
+
+4837.	[bug]		dns_update_signatures{inc} (add_sigs) was not
+			properly determining if there were active KSK and
+			ZSK keys for a algorithm when update-check-ksk is
+			true (default) leaving records unsigned when there
+			were multiple DNSKEY algorithms for the zone.
+			[RT #46743]
+
+4836.	[bug]		Zones created using "rndc addzone" could
+			temporarily fail to inherit an "allow-transfer"
+			ACL that had been configured in the options
+			statement. [RT #46603]
+
+4833.	[bug]		isc_event_free should check that the event is not
+			linked when called. [RT #46725]
+
+4832.	[bug]		Events were not being removed from zone->rss_events.
+			[RT #46725]
+
+4831.	[bug]		Convert the RRSIG expirytime to 64 bits for
+			comparisions in diff.c:resign. [RT #46710]
+
+4830.	[bug]		Failure to configure ATF when requested did not cause
+			an error in top-level configure script. [RT #46655]
+
+4829.	[bug]		isc_heap_delete did not zero the index value when
+			the heap was created with a callback to do that.
+			[RT #46709]
+
+4827.	[misc]		Add a precommit check script util/checklibs.sh
+			[RT #46215]
+
+4826.	[cleanup]	Prevent potential build failures in bin/confgen/ and
+			bin/named/ when using parallel make. [RT #46648]
+
+4823.	[test]		Refactor reclimit system test to improve its
+			reliability and speed. [RT #46632]
+
+4822.	[bug]		Use resign_sooner in dns_db_setsigningtime. [RT #46473]
+
+4821.	[bug]		When resigning ensure that the SOA's expire time is
+			always later that the resigning time of other records.
+			[RT #46473]
+
+4820.	[bug]		dns_db_subtractrdataset should transfer the resigning
+			information to the new header. [RT #46473]
+
+4819.	[bug]		Fully backout the transaction when adding a RRset
+			to the resigning / removal heaps fails. [RT #46473]
+
+4818.	[test]		The logfileconfig system test could intermittently
+			report false negatives on some platforms. [RT #46615]
+
+4817.	[cleanup]	Use DNS_NAME_INITABSOLUTE and DNS_NAME_INITNONABSOLUTE.
+			[RT #45433]
+
+4814.	[cleanup]	Use AS_HELP_STRING for consistent help text. [RT #46521]
+
+4812.	[bug]		Minor improvements to stability and consistency of code
+			handling managed keys. [RT #46468]
+
+4810.	[test]		The chain system test failed if the IPv6 interfaces
+			were not configured. [RT #46508]
+
+4809.	[port]		Check at configure time whether -latomic is needed
+			for stdatomic.h. [RT #46324]
+
+4804.	[port]		win32: access() does not work on directories as
+			required by POSIX.  Supply a alternative in
+			isc_file_isdirwritable. [RT #46394]
+
+4803.   [bug]		Backport fix for RT #46055 from RT #46267. [RT #46430]
+
+4790.	[bug]		nsupdate could trigger a require when sending a
+			update to the second address of the server.
+			[RT #45731]
+
+4788.	[cleanup]	When using "update-policy local", log a warning
+			when an update matching the session key is received
+			from a remote host. [RT #46213]
+
+4787.	[cleanup]	Turn nsec3param_salt_totext() into a public function,
+			dns_nsec3param_salttotext(), and add unit tests for it.
+			[RT #46289]
+
+4783.	[test]		dnssec: 'check that NOTIFY is sent at the end of
+			NSEC3 chain generation failed' required more time
+			on some machines for the IXFR to complete. [RT #46388]
+
+4781.	[maint]		B.ROOT-SERVERS.NET is now 199.9.14.201. [RT #45889]
+
+4780.	[bug]		When answering ANY queries, don't include the NS
+			RRset in the authority section if it was already
+			in the answer section. [RT #44543]
+
+4777.	[cleanup]	Removed a redundant call to configure_view_acl().
+			[RT #46369]
+
+4774.	[bug]		<isc/util.h> was incorrectly included in several
+			header files. [RT #46311]
+
+4773.	[doc]		Fixed generating Doxygen documentation for functions
+			annotated using certain macros.  Miscellaneous
+			Doxygen-related cleanups. [RT #46276]
+
+4771.	[bug]		When sending RFC 5011 refresh queries, disregard
+			cached DNSKEY rrsets. [RT #46251]
+
+4770.	[bug]		Cache additional data from priming queries as glue.
+			Previously they were ignored as unsigned
+			non-answer data from a secure zone, and never
+			actually got added to the cache, causing hints
+			to be used frequently for root-server
+			addresses, which triggered re-priming. [RT #45241]
+
+4769.	[bug]		Enforce the requirement that the managed keys
+			directory (specified by "managed-keys-directory",
+			and defaulting to the working directory if not
+			specified) must be writable. [RT #46077]
+
+4766.	[cleanup]	Addresss Coverity warnings. [RT #46150]
+
+4762.	[func]		"update-policy local" is now restricted to updates
+			from local addresses. (Previously, other addresses
+			were allowed so long as updates were signed by the
+			local session key.) [RT #45492]
+
+4761.	[protocol]	Add support for DOA. [RT #45612]
+
+4758.	[doc]		Remove documentation of unimplemented "topology".
+			[RT #46161]
+
+4756.	[bug]		Interrupting dig could lead to an INSIST failure after
+			certain errors were encountered while querying a host
+			whose name resolved to more than one address.  Change
+			4537 increased the odds of triggering this issue by
+			causing dig to hang indefinitely when certain error
+			paths were evaluated.  dig now also retries TCP queries
+			(once) if the server gracefully closes the connection
+			before sending a response. [RT #42832, #45159]
+
+4754.	[bug]		dns_zone_setview needs a two stage commit to properly
+			handle errors. [RT #45841]
+
+4753.	[contrib]	Software obtainable from known upstream locations
+			(i.e., zkt, nslint, query-loc) has been removed.
+			Links to these and other packages can be found at
+			https://www.isc.org/community/tools [RT #46182]
+
+4752.	[test]		Add unit test for isc_net_pton. [RT #46171]
+
+4749.	[func]		The ISC DLV service has been shut down, and all
+			DLV records have been removed from dlv.isc.org.
+			- Removed references to ISC DLV in documentation
+			- Removed DLV key from bind.keys
+			[RT #46155]
+
+4748.	[cleanup]	Sprintf to snprintf coversions. [RT #46132]
+
+4746.	[cleanup]	Add configured prefixes to configure summary
+			output. [RT #46153]
+
+4745.	[test]		Add color-coded pass/fail messages to system
+			tests when running on terminals that support them.
+			[RT #45977]
+
+4741.	[bug]		Make isc_refcount_current() atomically read the
+			counter value. [RT #46074]
+
+4739.	[cleanup]	Address clang static analysis warnings. [RT #45952]
+
+4738.	[port]		win32: strftime mishandles %Z. [RT #46039]
+
+4737.	[cleanup]	Address Coverity warnings. [RT #46012]
+
+4736.	[cleanup]	(a) Added comments to NSEC3-related functions in
+			lib/dns/zone.c.  (b) Refactored NSEC3 salt formatting
+			code.  (c) Minor tweaks to lock and result handling.
+			[RT #46053]
+
+4730.	[bug]		Fix out of bounds access in DHCID totext() method.
+			[RT #46001]
+
+4729.	[bug]		Don't use memset() to wipe memory, as it may be
+			removed by compiler optimizations when the
+			memset() occurs on automatic stack allocation
+			just before function return. [RT #45947]
+
+4728.	[func]		Use C11's stdatomic.h instead of isc_atomic
+			where available. [RT #40668]
+
+4727.	[bug]		Retransferring an inline-signed slave using NSEC3
+			around the time its NSEC3 salt was changed could result
+			in an infinite signing loop. [RT #45080]
+
+4725.	[bug]		Nsupdate: "recvsoa" was incorrectly reported for
+			failures in sending the update message.  The correct
+			location to be reported is "update_completed".
+			[RT #46014]
+
+4722.	[cleanup]	Clean up uses of strcpy() and strcat() in favor of
+			strlcpy() and strlcat() for safety. [RT #45981]
+
+4719.	[bug]		Address PVS static analyzer warnings. [RT #45946]
+
+4717.	[bug]		Treat replies with QCOUNT=0 as truncated if TC=1,
+			FORMERR if TC=0, and log the error correctly.
+			[RT #45836]
+
+4714.	[port]		openbsd/libressl: add support for building with
+			--enable-openssl-hash. [RT #45982]
+
+4712.	[bug]		"dig +domain" and "dig +search" didn't retain the
+			search domain when retrying with TCP. [RT #45547]
+
+4711.	[test]		Some RR types were missing from genzones.sh.
+			[RT #45782]
+
+4709.	[cleanup]	Use dns_name_fullhash() to hash names for RRL.
+			[RT #45435]
+
+4705.   [bug]		Remove some name server statistics counters that
+			were accidentally back ported to the BIND 9.9 branch
+			in change 3938. [RT #45919]
+
+4703.	[bug]		BINDInstall.exe was missing some buffer length checks.
+			[RT #45898]
+
+4698.	[port]		Add --with-python-install-dir configure option to allow
+			specifying a nonstandard installation directory for
+			Python modules. [RT #45407]
+
+4696.	[port]		Enable filter-aaaa support by default on Windows
+			builds. [RT #45883]
+
+4692.	[bug]		Fix build failures with libressl introduced in 4676.
+			[RT #45879]
+
+4690.	[doc]		Command line options -4/-6 for various tools are
+			mutually exclusive. [RT #45632]
+
+4689.	[cleanup]	Turn on minimal responses for CDNSKEY and CDS in
+			addition to DNSKEY and DS. Thanks to Tony Finch.
+			[RT #45690]
+
+4688.	[protocol]	Check and display EDNS KEY TAG options (RFC 8145) in
+			messages. [RT #44804]
+
+4686.	[bug]		dnssec-settime -p could print a bogus warning about
+			key deletion scheduled before its inactivation when a
+			key had an inactivation date set but no deletion date
+			set. [RT #45807]
+
+4685.	[bug]		dnssec-settime incorrectly calculated publication and
+			activation dates for a successor key. [RT #45806]
+
+4683.	[bug]		Prevent nsupdate from immediately exiting on invalid
+			user input in interactive mode. [RT #28194]
+
+4682.	[bug]		Don't report errors on records below a DNAME.
+			[RT #44880]
+
+4680.	[bug]		Fix failing over to another master server address when
+			nsupdate is used with GSS-API. [RT #45380]
+
+4679.	[cleanup]	Suggest using -o when dnssec-verify finds a SOA record
+			not at top of zone and -o is not used. [RT #45519]
+
+4677.	[cleanup]	Split up the main function in dig to better support
+			the iOS app version. [RT #45508]
+
+4676.	[cleanup]	Allow BIND to be built using OpenSSL 1.0.X with
+			deprecated functions removed. [RT #45706]
+
+4675.	[cleanup]	Don't use C++ keyword class. [RT #45726]
+
+4673.	[port]		Silence GCC 7 warnings. [RT #45592]
+
+4672.	[bug]		Fix a regression introduced by change 3938 (when
+			--enable-fetchlimit is NOT in use), where named
+			as resolver would, upon fetch timeout, repeat
+			fetching from the same nameserver address. This
+			also broke "forward first;" configurations (as
+			forwarders are also treated as nameservers when
+			fetching). [RT #45321]
+
+4671.	[bug]		Fix a race condition that could cause the
+			resolver to crash with assertion failure when
+			chasing DS in specific conditions with a very
+			short RTT to the upstream nameserver. [RT #45168]
+
+4670.	[cleanup]	Ensure that a request MAC is never sent back
+			in an XFR response unless the signature was
+			verified. [RT #45494]
+
+4668.	[bug]		Use localtime_r and gmtime_r for thread safety.
+			[RT #45664]
+
+4667.	[cleanup]	Refactor RDATA unit tests. [RT #45610]
+
+4665.	[protocol]	Added support for ED25519 and ED448 DNSSEC signing
+			algorithms (RFC 8080). (Note: these algorithms
+			depend on code currently in the development branch
+			of OpenSSL which has not yet been released.)
+			[RT #44696]
+
+4663.	[cleanup]	Clarify error message printed by dnssec-dsfromkey.
+			[RT #21731]
+
+4662.	[performance]	Improve cache memory cleanup of zero TTL records
+			by putting them at the tail of LRU header lists.
+			[RT #45274]
+
+4661.	[bug]		A race condition could occur if a zone was reloaded
+			while resigning, triggering a crash in
+			rbtdb.c:closeversion(). [RT #45276]
+
+4660.	[bug]		Remove spurious "peer" from Windows socket log
+			messages. [RT #45617]
+
+4658.	[bug]		Clean up build directory created by "setup.py install"
+			immediately.  [RT #45628]
+
+4654.	[cleanup]	Don't use C++ keywords delete, new and namespace.
+			[RT #45538]
+
+4652.	[bug]		Nsupdate could attempt to use a zeroed address on
+			server timeout. [RT #45417]
+
+4651.	[test]		Silence coverity warnings in tsig_test.c. [RT #45528]
+
+	--- 9.9.11 released ---
+
+	--- 9.9.11rc2 released ---
+
+4653.	[bug]		Reorder includes to move @DST_OPENSSL_INC@ and
+			@ISC_OPENSSL_INC@ after shipped include directories.
+			[RT #45581]
+
+	--- 9.9.11rc1 released ---
+
+4647.	[bug]		Change 4643 broke verification of TSIG signed TCP
+			message sequences where not all the messages contain
+			TSIG records.  These may be used in AXFR and IXFR
+			responses. [RT #45509]
+
+4646.	[bug]		Install lib/export libraries with ${INSTALL_LIBRARY}.
+			[RT #45497]
+
+4435.	[tuning]	Only set IPV6_USE_MIN_MTU for UDP when the message
+			will not fit into a single IPv4 encapsulated IPv6
+			UDP packet when transmitted over a Ethernet link.
+			[RT #42871]
+
+	--- 9.9.11b1 released ---
+
+4643.	[security]	An error in TSIG handling could permit unauthorized
+			zone transfers or zone updates. (CVE-2017-3142)
+			(CVE-2017-3143) [RT #45383]
+
+4642.	[cleanup]	Add more logging of RFC 5011 events affecting the
+			status of managed keys: newly observed keys,
+			deletion of revoked keys, etc. [RT #45354]
+
+4641.	[cleanup]	Parallel builds (make -j) could fail with --with-atf /
+			--enable-developer. [RT #45373]
+
+4640.	[bug]		If query_findversion failed in query_getdb due to
+			memory failure the error status was incorrectly
+			discarded. [RT #45331]
+
+4636.	[bug]		Normalize rpz policy zone names when checking for
+			existence. [RT #45358]
+
+4634.	[contrib]	check5011.pl needs to handle optional space before
+			semi-colon in +multi-line output. [RT #45352]
+
+4633.	[maint]		Updated AAAA (2001:500:200::b) for B.ROOT-SERVERS.NET.
+
+4632.	[security]	The BIND installer on Windows used an unquoted
+			service path, which can enable privilege escalation.
+			(CVE-2017-3141) [RT #45229]
+
+4631.	[security]	Some RPZ configurations could go into an infinite
+			query loop when encountering responses with TTL=0.
+			(CVE-2017-3140) [RT #45181]
+
+4629.	[bug]		dns_client_startupdate could not be called with a
+			running client. [RT #45277]
+
+4628.	[bug]		Fixed a potential reference leak in query_getdb().
+			[RT #45247]
+
+4626.	[test]		Added more tests for handling of different record
+			ordering in CNAME and DNAME responses. [QA #430]
+
+4624.	[bug]		Check isc_mem_strdup results in dns_view_setnewzones.
+			[RT #45210]
+
+4622.	[bug]		Remove unnecessary escaping of semicolon in CAA and
+			URI records. [RT #45216]
+
+4621.	[port]		Force alignment of oid arrays to silence loader
+			warnings. [RT #45131]
+
+4620.	[port]		Handle EPFNOSUPPORT being returned when probing
+			to see if a socket type is supported. [RT #45214]
+
+4617.	[test]		Update rndc system test to be more delay tolerant.
+			[RT #45177]
+
+4615.	[bug]		AD could be set on truncated answer with no records
+			present in the answer and authority sections.
+			[RT #45140]
+
+4614.	[test]		Fixed an error in the sockaddr unit test. [RT #45146]
+
+4612.	[bug]		Silence 'may be use uninitalised' warning and simplify
+			the code in lwres/getaddinfo:process_answer.
+			[RT #45158]
+
+4609.	[cleanup]	Rearrange makefiles to enable parallel execution
+			(i.e. "make -j"). [RT #45078]
+
+4608.	[func]		DiG now warns about .local queries which are reserved
+			for Multicast DNS. [RT #44783]
+
+4604.	[bug]		Don't use ERR_load_crypto_strings() when building
+			with OpenSSL 1.1.0. [RT #45117]
+
+4603.	[doc]		Automatically generate named.conf(5) man page
+			from doc/misc/options. Thanks to Tony Finch.
+			[RT #43525]
+
+4602.	[func]		Threads are now set to human-readable
+			names to assist debugging, when supported by
+			the OS. [RT #43234]
+
+4601.	[bug]		Reject incorrect RSA key lengths during key
+			generation and and sign/verify context
+			creation. [RT #45043]
+
+4599.	[bug]		Fix inconsistencies in inline signing time
+			comparison that were introduced with the
+			introduction of rdatasetheader->resign_lsb.
+			[RT #42112]
+
+4597.	[bug]		The validator now ignores SHA-1 DS digest type
+			when a DS record with SHA-384 digest type is
+			present and is a supported digest type.
+			[RT #45017]
+
+4596.	[bug]		Validate glue before adding it to the additional
+			section. This also fixes incorrect TTL capping
+			when the RRSIG expired earlier than the TTL.
+			[RT #45062]
+
+4593.	[doc]		Update README using markdown, remove outdated FAQ
+			file in favor of the knowledge base.
+
+4592.	[bug]		A race condition on shutdown could trigger an
+			assertion failure in dispatch.c. [RT #43822]
+
+4591.	[port]		Addressed some python 3 compatibility issues.
+			Thanks to Ville Skytta. [RT #44955] [RT #44956]
+
+4589.	[cleanup]	"configure -q" is now silent. [RT #44829]
+
+4588.	[bug]		nsupdate could send queries for TKEY to the wrong
+			server when using GSSAPI. Thanks to Tomas Hozza.
+			[RT #39893]
+
+4587.	[bug]		named-checkzone failed to handle occulted data below
+			DNAMEs correctly. [RT #44877]
+
+4585.	[port]		win32: Set CompileAS value. [RT #42474]
+
 	--- 9.9.10 released ---
 
 	--- 9.9.10rc3 released ---
@@ -158,7 +861,7 @@
 
 4503.	[cleanup]	"make uninstall" now removes files installed by
 			BIND. (This currently excludes Python files
-			due to lack of support in setup.py.) [RT #42912]
+			due to lack of support in setup.py.) [RT #42192]
 
 4502.	[func]		Report multiple and experimental options when printing
 			grammar. [RT #43134]
@@ -1020,13 +1723,13 @@
 4058.	[bug]		UDP dispatches could use the wrong pseudorandom
 			number generator context. [RT #38578]
 
+4057.	[bug]		'dnssec-dsfromkey -T 0' failed to add ttl field.
+			[RT #38565]
+
 4056.	[bug]		Fixed several small bugs in automatic trust anchor
 			management, including a memory leak and a possible
 			loss of key state information. [RT #38458]
 
-4057.	[bug]		'dnssec-dsfromkey -T 0' failed to add ttl field.
-			[RT #38565]
-
 4053.	[security]	Revoking a managed trust anchor and supplying
 			an untrusted replacement could cause named
 			to crash with an assertion failure.
@@ -11407,7 +12110,7 @@
 
  586.	[bug]		multiple views with the same name were fatal. [RT #516]
 
- 585.	[func]		dns_db_addrdataset() and and dns_rdataslab_merge()
+ 585.	[func]		dns_db_addrdataset() and dns_rdataslab_merge()
 			now support 'exact' additions in a similar manner to
 			dns_db_subtractrdataset() and dns_rdataslab_subtract().
 

CONTRIBUTING

@@ -0,0 +1,186 @@
+BIND Source Access and Contributor Guidelines
+
+Feb 22, 2018
+
+Contents
+
+ 1. Access to source code
+ 2. Reporting bugs
+ 3. Contributing code
+
+Introduction
+
+Thank you for using BIND!
+
+BIND is open source software that implements the Domain Name System (DNS)
+protocols for the Internet. It is a reference implementation of those
+protocols, but it is also production-grade software, suitable for use in
+high-volume and high-reliability applications. It is by far the most
+widely used DNS software, providing a robust and stable platform on top of
+which organizations can build distributed computing systems with the
+knowledge that those systems are fully compliant with published DNS
+standards.
+
+BIND is and will always remain free and openly available. It can be used
+and modified in any way by anyone.
+
+BIND is maintained by the Internet Systems Consortium, a public-benefit
+501(c)(3) nonprofit, using a "managed open source" approach: anyone can
+see the source, but only ISC employees have commit access. Until recently,
+the source could only be seen once ISC had published a release: read
+access to the source repository was restricted just as commit access was.
+That's now changing, with the opening of a public git mirror to the BIND
+source tree (see below).
+
+Access to source code
+
+Public BIND releases are always available from the ISC FTP site.
+
+A public-access GIT repository is also available at https://gitlab.isc.org
+. This repository is a mirror, updated several times per day, of the
+source repository maintained by ISC. It contains all the public release
+branches; upcoming releases can be viewed in their current state at any
+time. It does not contain development branches or unreviewed work in
+progress. Commits which address security vulnerablilities are withheld
+until after public disclosure.
+
+You can browse the source online via https://gitlab.isc.org/isc-projects/
+bind9
+
+To clone the repository, use:
+
+      $ git clone https://gitlab.isc.org/isc-projects/bind9.git
+
+Release branch names are of the form v9_X, where X represents the second
+number in the BIND 9 version number. So, to check out the BIND 9.12
+branch, use:
+
+      $ git checkout v9_12
+
+Whenever a branch is ready for publication, a tag will be placed of the
+form v9_X_Y. The 9.12.0 release, for instance, is tagged as v9_12_0.
+
+The branch in which the next major release is being developed is called
+master.
+
+Reporting bugs
+
+Reports of flaws in the BIND package, including software bugs, errors in
+the documentation, missing files in the tarball, suggested changes or
+requests for new features, etc, can be filed using https://gitlab.isc.org/
+isc-projects/bind9/issues.
+
+Due to a large ticket backlog, we are sometimes slow to respond,
+especially if a bug is cosmetic or if a feature request is vague or low in
+priority, but we will try at least to acknowledge legitimate bug reports
+within a week.
+
+ISC's ticketing system is publicly readable; however, you must have an
+account to file a new issue. You can either register locally or use
+credentials from an existing account at GitHub, GitLab, Google, Twitter,
+or Facebook.
+
+Reporting possible security issues
+
+If you think you may be seeing a potential security vulnerability in BIND
+(for example, a crash with REQUIRE, INSIST, or ASSERT failure), please
+report it immediately by emailing to security-officer@isc.org. Plain-text
+e-mail is not a secure choice for communications concerning undisclosed
+security issues so please encrypt your communications to us if possible,
+using the ISC Security Officer public key.
+
+Do not discuss undisclosed security vulnerabilites on any public mailing
+list. ISC has a long history of handling reported vulnerabilities promptly
+and effectively and we respect and acknowledge responsible reporters.
+
+ISC's Security Vulnerability Disclosure Policy is documented at https://
+kb.isc.org/article/AA-00861/0.
+
+If you have a crash, you may want to consult ?What to do if your BIND or
+DHCP server has crashed.?
+
+Contributing code
+
+BIND is licensed under the Mozilla Public License 2.0. Earier versions
+(BIND 9.10 and earlier) were licensed under the ISC License
+
+ISC does not require an explicit copyright assignment for patch
+contributions. However, by submitting a patch to ISC, you implicitly
+certify that you are the author of the code, that you intend to reliquish
+exclusive copyright, and that you grant permission to publish your work
+under the open source license used for the BIND version(s) to which your
+patch will be applied.
+
+BIND code
+
+Patches for BIND may be submitted directly via merge requests in ISC's
+Gitlab source repository for BIND.
+
+Patches can also be submitted as diffs against a specific version of BIND
+-- preferably the current top of the master branch. Diffs may be generated
+using either git format-patch or git diff.
+
+Those wanting to write code for BIND may be interested in the developer
+information page, which includes information about BIND design and coding
+practices, including discussion of internal APIs and overall system
+architecture. (This is a work in progress, and still quite preliminary.)
+
+Every patch submitted will be reviewed by ISC engineers following our code
+review process before it is merged.
+
+It may take considerable time to review patch submissions, especially if
+they don't meet ISC style and quality guidelines. If a patch is a good
+idea, we can and will do additional work to bring it up to par, but if
+we're busy with other work, it may take us a long time to get to it.
+
+To ensure your patch is acted on as promptly as possible, please:
+
+  * Try to adhere to the BIND 9 coding style.
+  * Run make check to ensure your change hasn't caused any functional
+    regressions.
+  * Document your work, both in the patch itself and in the accompanying
+    email.
+  * In patches that make non-trivial functional changes, include system
+    tests if possible; when introducing or substantially altering a
+    library API, include unit tests. See Testing for more information.
+
+Changes to configure
+
+If you need to make changes to configure, you should not edit it directly;
+instead, edit configure.in, then run autoconf. Similarly, instead of
+editing config.h.in directly, edit configure.in and run autoheader.
+
+When submitting a patch as a diff, it's fine to omit the configure diffs
+to save space. Just send the configure.in diffs and we'll generate the new
+configure during the review process.
+
+Documentation
+
+All functional changes should be documented. There are three types of
+documentation in the BIND source tree:
+
+  * Man pages are kept alongside the source code for the commands they
+    document, in files ending in .docbook; for example, the named man page
+    is bin/named/named.docbook.
+  * The BIND 9 Administrator Reference Manual is mostly in doc/arm/
+    Bv9ARM-book.xml, plus a few other XML files that are included in it.
+  * API documentation is in the header file describing the API, in
+    Doxygen-formatted comments.
+
+It is not necessary to edit any documentation files other than these; all
+PDF, HTML, and nroff-format man page files will be updated automatically
+from the docbook and XML files after merging.
+
+Patches to improve existing documentation are also very welcome!
+
+Tests
+
+BIND is a large and complex project. We rely heavily on continuous
+automated testing and cannot merge new code without adequate test
+coverage. Please see the 'Testing' section of doc/dev/dev.md for more
+information.
+
+Thanks
+
+Thank you for your interest in contributing to the ongoing development of
+BIND.

CONTRIBUTING.md

@@ -1,5 +1,5 @@
-<!---
- - Copyright (C) 2014  Internet Systems Consortium, Inc. ("ISC")
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -12,9 +12,9 @@
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
---->
+-->
 ## BIND Source Access and Contributor Guidelines
-*May 8, 2014*
+*Feb 22, 2018*
 
 ### Contents
 
@@ -52,7 +52,7 @@ Public BIND releases are always available from the
 [ISC FTP site](ftp://ftp.isc.org/isc/bind9).
 
 A public-access GIT repository is also available at
-[https://bindmember.isc.org](https://bindmember.isc.org).
+[https://gitlab.isc.org](https://gitlab.isc.org).
 This repository is a mirror, updated several times per day, of the
 source repository maintained by ISC.  It contains all the public release
 branches; upcoming releases can be viewed in their current state at any
@@ -61,102 +61,105 @@ progress.  Commits which address security vulnerablilities are withheld
 until after public disclosure.
 
 You can browse the source online via
-[https://bindmember.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=summary](https://bindmember.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=summary)
+[https://gitlab.isc.org/isc-projects/bind9](https://gitlab.isc.org/isc-projects/bind9)
 
 To clone the repository, use:
 
->       $ git clone https://bindmember.isc.org/git/bind9.git
+>       $ git clone https://gitlab.isc.org/isc-projects/bind9.git
 
-Branch names are of the form `v9_X`, where X represents the second number in the BIND 9 version number.  So, to check out the BIND 9.10 branch, use:
+Release branch names are of the form `v9_X`, where X represents the second
+number in the BIND 9 version number.  So, to check out the BIND 9.12
+branch, use:
 
->       $ git checkout v9_10
+>       $ git checkout v9_12
 
 Whenever a branch is ready for publication, a tag will be placed of the
-form `v9_X_Y`.  The 9.9.5 release, for instance, is tagged as `v9_9_5`.
+form `v9_X_Y`.  The 9.12.0 release, for instance, is tagged as `v9_12_0`.
 
 The branch in which the next major release is being developed is called
 `master`.
 
 ### <a name="bugs"></a>Reporting bugs
 
-Reports of flaws in the BIND package, including software bugs, errors in
-the documentation, missing files in the tarball, etc, can be emailed to
-`bind9-bugs@isc.org`, or reported via the
-[bug submission form](http://www.isc.org/community/report-bug) at
-[http://www.isc.org/community/report-bug](http://www.isc.org/community/report-bug).
+Reports of flaws in the BIND package, including software bugs, errors
+in the documentation, missing files in the tarball, suggested changes
+or requests for new features, etc, can be filed using
+[https://gitlab.isc.org/isc-projects/bind9/issues](https://gitlab.isc.org/isc-projects/bind9/issues).
 
-Suggested changes or requests for new features can be emailed to
-`bind-suggest@isc.org`.  Both bugs and suggestions are stored in the
-ticketing system used by the software engineering team at ISC.
+Due to a large ticket backlog, we are sometimes slow to respond,
+especially if a bug is cosmetic or if a feature request is vague or
+low in priority, but we will try at least to acknowledge legitimate
+bug reports within a week.
 
-All submissions to the ticketing system receive an automatic response.
-Any followup email sent to the ticketing system should use the same subject
-header, so that it will be routed to the same ticket.
+ISC's ticketing system is publicly readable; however, you must have
+an account to file a new issue. You can either register locally or
+use credentials from an existing account at GitHub, GitLab, Google,
+Twitter, or Facebook.
 
-Due to a large ticket backlog and an even larger quantity of incoming spam,
-we are sometimes slow to respond, especially if a bug is cosmetic or if a
-feature request is vague or low in priority, but we will try at least to
-acknowledge legitimate bug reports within a week.
+### Reporting possible security issues
+If you think you may be seeing a potential security vulnerability in BIND
+(for example, a crash with REQUIRE, INSIST, or ASSERT failure), please
+report it immediately by emailing to security-officer@isc.org. Plain-text
+e-mail is not a secure choice for communications concerning undisclosed
+security issues so please encrypt your communications to us if possible,
+using the [ISC Security Officer public key](https://www.isc.org/downloads/software-support-policy/openpgp-key/).
 
-The bug database is not publicly readable. Information about your
-system that you submit in bug reports will not be divulged outside ISC.
+Do not discuss undisclosed security vulnerabilites on any public mailing list.
+ISC has a long history of handling reported vulnerabilities promptly and
+effectively and we respect and acknowledge responsible reporters.
+
+ISC's Security Vulnerability Disclosure Policy is documented at [https://kb.isc.org/article/AA-00861/0](https://kb.isc.org/article/AA-00861/0).
+
+If you have a crash, you may want to consult
+[‘What to do if your BIND or DHCP server has crashed.’](https://kb.isc.org/article/AA-00340/89/What-to-do-if-your-BIND-or-DHCP-server-has-crashed.html)
 
 ### <a name="bugs"></a>Contributing code
 
-BIND's [open source
-license](http://www.isc.org/downloads/software-support-policy/isc-license/)
-does not require changes to be contributed back to ISC, but this page
-includes some guidelines for those who would like to do so.
-
-We accept two different types of code contribution:  Code intended for
-inclusion in [BIND](#bind) itself, and code intended for the
-[`contrib`](#contrib) directory.
-
-#### <a name="bind"></a>BIND code
-
-Patches for BIND itself may be submitted using the same methods as bug
-reports or suggestions.  When submitting a patch, please prepend the
-subject header with "`[PATCH]`" so it will be easier for us to find.  If
-your patch introduces a new feature in BIND, please submit it to
-`bind-suggest@isc.org`; if it fixes a bug, please submit it to
-`bind9-bugs@isc.org`.
+BIND is licensed under the
+[Mozilla Public License 2.0](http://www.isc.org/downloads/software-support-policy/isc-license/).
+Earier versions (BIND 9.10 and earlier) were licensed under the [ISC License](http://www.isc.org/downloads/software-support-policy/isc-license/)
 
 ISC does not require an explicit copyright assignment for patch
 contributions.  However, by submitting a patch to ISC, you implicitly
 certify that you are the author of the code, that you intend to reliquish
-exclusive copyright, and that you grant permission to publish your
-work under the
-[ISC license](http://www.isc.org/downloads/software-support-policy/isc-license/).
+exclusive copyright, and that you grant permission to publish your work
+under the open source license used for the BIND version(s) to which your
+patch will be applied.
 
-Patches should be submitted as diffs against a specific version of BIND --
-preferably the current top of the `master` branch.  Diffs may be
-generated using either `git format-patch` or `git diff`.
+#### <a name="bind"></a>BIND code
 
-Those wanting to write code for BIND may be interested
-in the [developer information](dev.html) page, which includes
-information about BIND design and coding practices, including
-discussion of internal APIs and overall system architecture.
-(This is a work in progress, and still quite preliminary.)
+Patches for BIND may be submitted directly via merge requests in
+[ISC's Gitlab](https://gitlab.isc.org/isc-projects/bind9/) source
+repository for BIND.
 
-Every patch submitted will be reviewed by ISC engineers following
-our [code review process](dev.html#reviews) before it is merged.
+Patches can also be submitted as diffs against a specific version of
+BIND -- preferably the current top of the `master` branch.  Diffs may
+be generated using either `git format-patch` or `git diff`.
 
-It may take considerable time to review patch submissions, especially
-if they don't meet ISC style and quality guidelines.  If the patch
-is a good idea, we can and will do additional work to bring them up
-to par, but if we're busy with other work, it may take us a long
-time to get to it.
+Those wanting to write code for BIND may be interested in the
+[developer information](doc/dev/dev.md) page, which includes information
+about BIND design and coding practices, including discussion of internal
+APIs and overall system architecture.  (This is a work in progress, and
+still quite preliminary.)
+
+Every patch submitted will be reviewed by ISC engineers following our
+[code review process](doc/dev/dev.md#reviews) before it is merged.
+
+It may take considerable time to review patch submissions, especially if
+they don't meet ISC style and quality guidelines.  If a patch is a good
+idea, we can and will do additional work to bring it up to par, but if
+we're busy with other work, it may take us a long time to get to it.
 
 To ensure your patch is acted on as promptly as possible, please:
 
-* Try to adhere to the [BIND 9 coding style](style.html).
+* Try to adhere to the [BIND 9 coding style](doc/dev/style.md).
 * Run `make` `check` to ensure your change hasn't caused any
   functional regressions.
 * Document your work, both in the patch itself and in the
   accompanying email.
 * In patches that make non-trivial functional changes, include system
   tests if possible; when introducing or substantially altering a
-  library API, include unit tests. See [Testing](dev.html#testing)
+  library API, include unit tests. See [Testing](doc/dev/dev.md#testing)
   for more information.
 
 ##### Changes to `configure`
@@ -166,9 +169,9 @@ directly; instead, edit `configure.in`, then run `autoconf`.  Similarly,
 instead of editing `config.h.in` directly, edit `configure.in` and run
 `autoheader`.
 
-When submitting your patch, it is fine to omit the `configure` diffs.
-Just send the `configure.in` diffs and we'll generate the new `configure`
-during the review process.
+When submitting a patch as a diff, it's fine to omit the `configure`
+diffs to save space.  Just send the `configure.in` diffs and we'll
+generate the new `configure` during the review process.
 
 ##### Documentation
 
@@ -184,24 +187,20 @@ of documentation in the BIND source tree:
 * API documentation is in the header file describing the API, in
   Doxygen-formatted comments.
 
-It is not necessary to edit any documentation files other than these; the
-PDF, HTML, and `nroff`-format files will be generated automatically
-from the `docbook` and `XML` files by a script whenever a documentation
-change is merged to a release branch.
+It is not necessary to edit any documentation files other than these;
+all PDF, HTML, and `nroff`-format man page files will be updated
+automatically from the `docbook` and `XML` files after merging.
 
-#### <a name="contrib"></a>Contrib code
+Patches to improve existing documentation are also very welcome!
 
-The software in the `contrib` directory of the BIND 9 `tar` archive is not
-formally supported by ISC, but is included for the convenience of users.
-These are things we consider useful or informative, but are not able to
-support at the same level as BIND.
+##### Tests
 
-`contrib` includes some useful DNS-related open source tools such as `zkt`,
-`nslint`, and the `idnkit` library for internationalized domain name
-support; useful scripts such as `nanny.pl` and `mkdane.sh`; performance
-testers including `queryperf` and `perftcpdns`; and drivers and modules for
-DLZ.
+BIND is a large and complex project. We rely heavily on continuous
+automated testing and cannot merge new code without adequate test coverage.
+Please see [the 'Testing' section of doc/dev/dev.md](doc/dev/dev.md#testing)
+for more information.
 
-If you have code with a BSD-compatible license that you would like us to
-includ in `contrib`, please send it to `bind-suggest@isc.org`, with
-"`[CONTRIB]`" in the subject header.
+#### Thanks
+
+Thank you for your interest in contributing to the ongoing development
+of BIND.

COPYRIGHT

@@ -1,5 +1,4 @@
-Copyright (C) 2004-2017  Internet Systems Consortium, Inc. ("ISC")
-Copyright (C) 1996-2003  Internet Software Consortium.
+Copyright (C) 1996-2018  Internet Systems Consortium, Inc. ("ISC")
 
 Permission to use, copy, modify, and/or distribute this software for any
 purpose with or without fee is hereby granted, provided that the above

FAQ

@@ -1,890 +0,0 @@
-Copyright ? 2000-2010, 2013-2016 Internet Systems Consortium, Inc.
-("ISC")
-
------------------------------------------------------------------------
-
-1. Compilation and Installation Questions
-
-Q: I'm trying to compile BIND 9, and "make" is failing due to files not
-   being found. Why?
-
-A: Using a parallel or distributed "make" to build BIND 9 is not
-   supported, and doesn't work. If you are using one of these, use normal
-   make or gmake instead.
-
-Q: Isn't "make install" supposed to generate a default named.conf?
-
-A: Short Answer: No.
-
-   Long Answer: There really isn't a default configuration which fits any
-   site perfectly. There are lots of decisions that need to be made and
-   there is no consensus on what the defaults should be. For example
-   FreeBSD uses /etc/namedb as the location where the configuration files
-   for named are stored. Others use /var/named.
-
-   What addresses to listen on? For a laptop on the move a lot you may
-   only want to listen on the loop back interfaces.
-
-   To whom do you offer recursive service? Is there a firewall to
-   consider? If so, is it stateless or stateful? Are you directly on the
-   Internet? Are you on a private network? Are you on a NAT'd network? The
-   answers to all these questions change how you configure even a caching
-   name server.
-
-2. Configuration and Setup Questions
-
-Q: Why does named log the warning message "no TTL specified - using SOA
-   MINTTL instead"?
-
-A: Your zone file is illegal according to RFC1035. It must either have a
-   line like:
-
-   $TTL 86400
-
-   at the beginning, or the first record in it must have a TTL field, like
-   the "84600" in this example:
-
-   example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )
-
-Q: Why do I get errors like "dns_zone_load: zone foo/IN: loading master
-   file bar: ran out of space"?
-
-A: This is often caused by TXT records with missing close quotes. Check
-   that all TXT records containing quoted strings have both open and close
-   quotes.
-
-Q: How do I restrict people from looking up the server version?
-
-A: Put a "version" option containing something other than the real version
-   in the "options" section of named.conf. Note doing this will not
-   prevent attacks and may impede people trying to diagnose problems with
-   your server. Also it is possible to "fingerprint" nameservers to
-   determine their version.
-
-Q: How do I restrict only remote users from looking up the server version?
-
-A: The following view statement will intercept lookups as the internal
-   view that holds the version information will be matched last. The
-   caveats of the previous answer still apply, of course.
-
-   view "chaos" chaos {
-           match-clients { <those to be refused>; };
-           allow-query { none; };
-           zone "." {
-                   type hint;
-                   file "/dev/null";  // or any empty file
-           };
-   };
-
-Q: What do "no source of entropy found" or "could not open entropy source
-   foo" mean?
-
-A: The server requires a source of entropy to perform certain operations,
-   mostly DNSSEC related. These messages indicate that you have no source
-   of entropy. On systems with /dev/random or an equivalent, it is used by
-   default. A source of entropy can also be defined using the
-   random-device option in named.conf.
-
-Q: I'm trying to use TSIG to authenticate dynamic updates or zone
-   transfers. I'm sure I have the keys set up correctly, but the server is
-   rejecting the TSIG. Why?
-
-A: This may be a clock skew problem. Check that the the clocks on the
-   client and server are properly synchronized (e.g., using ntp).
-
-Q: I see a log message like the following. Why?
-
-   couldn't open pid file '/var/run/named.pid': Permission denied
-
-A: You are most likely running named as a non-root user, and that user
-   does not have permission to write in /var/run. The common ways of
-   fixing this are to create a /var/run/named directory owned by the named
-   user and set pid-file to "/var/run/named/named.pid", or set pid-file to
-   "named.pid", which will put the file in the directory specified by the
-   directory option (which, in this case, must be writable by the user
-   named is running as).
-
-Q: I can query the nameserver from the nameserver but not from other
-   machines. Why?
-
-A: This is usually the result of the firewall configuration stopping the
-   queries and / or the replies.
-
-Q: How can I make a server a slave for both an internal and an external
-   view at the same time? When I tried, both views on the slave were
-   transferred from the same view on the master.
-
-A: You will need to give the master and slave multiple IP addresses and
-   use those to make sure you reach the correct view on the other machine.
-
-   Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias)
-       internal:
-           match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
-                   notify-source 10.0.1.1;
-                   transfer-source 10.0.1.1;
-                   query-source address 10.0.1.1;
-       external:
-           match-clients { any; };
-           recursion no;   // don't offer recursion to the world
-           notify-source 10.0.1.2;
-           transfer-source 10.0.1.2;
-           query-source address 10.0.1.2;
-
-   Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias)
-       internal:
-           match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
-           notify-source 10.0.1.3;
-           transfer-source 10.0.1.3;
-           query-source address 10.0.1.3;
-      external:
-           match-clients { any; };
-           recursion no;   // don't offer recursion to the world
-           notify-source 10.0.1.4;
-           transfer-source 10.0.1.4;
-           query-source address 10.0.1.4;
-
-   You put the external address on the alias so that all the other dns
-   clients on these boxes see the internal view by default.
-
-A: BIND 9.3 and later: Use TSIG to select the appropriate view.
-
-   Master 10.0.1.1:
-           key "external" {
-                   algorithm hmac-sha256;
-                   secret "xxxxxxxxxxxxxxxxxxxxxxxx";
-           };
-           view "internal" {
-                   match-clients { !key external; // reject message ment for the
-                                                  // external view.
-                                   10.0.1/24; };  // accept from these addresses.
-                   ...
-           };
-           view "external" {
-                   match-clients { key external; any; };
-                   server 10.0.1.2 { keys external; };  // tag messages from the
-                                                        // external view to the
-                                                        // other servers for the
-                                                        // view.
-                   recursion no;
-                   ...
-           };
-
-   Slave 10.0.1.2:
-           key "external" {
-                   algorithm hmac-sha256;
-                   secret "xxxxxxxxxxxxxxxxxxxxxxxx";
-           };
-           view "internal" {
-                   match-clients { !key external; 10.0.1/24; };
-                   ...
-           };
-           view "external" {
-                   match-clients { key external; any; };
-                   server 10.0.1.1 { keys external; };
-                   recursion no;
-                   ...
-           };
-
-Q: I get error messages like "multiple RRs of singleton type" and "CNAME
-   and other data" when transferring a zone. What does this mean?
-
-A: These indicate a malformed master zone. You can identify the exact
-   records involved by transferring the zone using dig then running
-   named-checkzone on it.
-
-   dig axfr example.com @master-server > tmp
-   named-checkzone example.com tmp
-
-   A CNAME record cannot exist with the same name as another record except
-   for the DNSSEC records which prove its existence (NSEC).
-
-   RFC 1034, Section 3.6.2: "If a CNAME RR is present at a node, no other
-   data should be present; this ensures that the data for a canonical name
-   and its aliases cannot be different. This rule also insures that a
-   cached CNAME can be used without checking with an authoritative server
-   for other RR types."
-
-Q: I get error messages like "named.conf:99: unexpected end of input"
-   where 99 is the last line of named.conf.
-
-A: There are unbalanced quotes in named.conf.
-
-A: Some text editors (notepad and wordpad) fail to put a line title
-   indication (e.g. CR/LF) on the last line of a text file. This can be
-   fixed by "adding" a blank line to the end of the file. Named expects to
-   see EOF immediately after EOL and treats text files where this is not
-   met as truncated.
-
-Q: How do I share a dynamic zone between multiple views?
-
-A: You choose one view to be master and the second a slave and transfer
-   the zone between views.
-
-   Master 10.0.1.1:
-           key "external" {
-                   algorithm hmac-sha256;
-                   secret "xxxxxxxxxxxxxxxxxxxxxxxx";
-           };
-
-           key "mykey" {
-                   algorithm hmac-sha256;
-                   secret "yyyyyyyyyyyyyyyyyyyyyyyy";
-           };
-
-           view "internal" {
-                   match-clients { !key external; 10.0.1/24; };
-                   server 10.0.1.1 {
-                           /* Deliver notify messages to external view. */
-                           keys { external; };
-                   };
-                   zone "example.com" {
-                           type master;
-                           file "internal/example.db";
-                           allow-update { key mykey; };
-                           also-notify { 10.0.1.1; };
-                   };
-           };
-
-           view "external" {
-                   match-clients { key external; any; };
-                   zone "example.com" {
-                           type slave;
-                           file "external/example.db";
-                           masters { 10.0.1.1; };
-                           transfer-source 10.0.1.1;
-                           // allow-update-forwarding { any; };
-                           // allow-notify { ... };
-                   };
-           };
-
-Q: I get a error message like "zone wireless.ietf56.ietf.org/IN: loading
-   master file primaries/wireless.ietf56.ietf.org: no owner".
-
-A: This error is produced when a line in the master file contains leading
-   white space (tab/space) but there is no current record owner name to
-   inherit the name from. Usually this is the result of putting white
-   space before a comment, forgetting the "@" for the SOA record, or
-   indenting the master file.
-
-Q: Why are my logs in GMT (UTC).
-
-A: You are running chrooted (-t) and have not supplied local timezone
-   information in the chroot area.
-
-   FreeBSD: /etc/localtime
-   Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo
-   OSF: /etc/zoneinfo/localtime
-
-   See also tzset(3) and zic(8).
-
-Q: I get "rndc: connect failed: connection refused" when I try to run
-   rndc.
-
-A: This is usually a configuration error.
-
-   First ensure that named is running and no errors are being reported at
-   startup (/var/log/messages or equivalent). Running "named -g <usual
-   arguments>" from a title can help at this point.
-
-   Secondly ensure that named is configured to use rndc either by
-   "rndc-confgen -a", rndc-confgen or manually. The Administrators
-   Reference manual has details on how to do this.
-
-   Old versions of rndc-confgen used localhost rather than 127.0.0.1 in /
-   etc/rndc.conf for the default server. Update /etc/rndc.conf if
-   necessary so that the default server listed in /etc/rndc.conf matches
-   the addresses used in named.conf. "localhost" has two address
-   (127.0.0.1 and ::1).
-
-   If you use "rndc-confgen -a" and named is running with -t or -u ensure
-   that /etc/rndc.conf has the correct ownership and that a copy is in the
-   chroot area. You can do this by re-running "rndc-confgen -a" with
-   appropriate -t and -u arguments.
-
-Q: I get "transfer of 'example.net/IN' from 192.168.4.12#53: failed while
-   receiving responses: permission denied" error messages.
-
-A: These indicate a filesystem permission error preventing named creating
-   / renaming the temporary file. These will usually also have other
-   associated error messages like
-
-   "dumping master file: sl/tmp-XXXX5il3sQ: open: permission denied"
-
-   Named needs write permission on the directory containing the file.
-   Named writes the new cache file to a temporary file then renames it to
-   the name specified in named.conf to ensure that the contents are always
-   complete. This is to prevent named loading a partial zone in the event
-   of power failure or similar interrupting the write of the master file.
-
-   Note file names are relative to the directory specified in options and
-   any chroot directory ([<chroot dir>/][<options dir>]).
-
-   If named is invoked as "named -t /chroot/DNS" with the following
-   named.conf then "/chroot/DNS/var/named/sl" needs to be writable by the
-   user named is running as.
-
-   options {
-           directory "/var/named";
-   };
-
-   zone "example.net" {
-           type slave;
-           file "sl/example.net";
-           masters { 192.168.4.12; };
-   };
-
-Q: I want to forward all DNS queries from my caching nameserver to another
-   server. But there are some domains which have to be served locally, via
-   rbldnsd.
-
-   How do I achieve this ?
-
-A: options {
-           forward only;
-           forwarders { <ip.of.primary.nameserver>; };
-   };
-
-   zone "sbl-xbl.spamhaus.org" {
-           type forward; forward only;
-           forwarders { <ip.of.rbldns.server> port 530; };
-   };
-
-   zone "list.dsbl.org" {
-           type forward; forward only;
-           forwarders { <ip.of.rbldns.server> port 530; };
-   };
-
-
-Q: Can you help me understand how BIND 9 uses memory to store DNS zones?
-
-   Some times it seems to take several times the amount of memory it needs
-   to store the zone.
-
-A: When reloading a zone named my have multiple copies of the zone in
-   memory at one time. The zone it is serving and the one it is loading.
-   If reloads are ultra fast it can have more still.
-
-   e.g. Ones that are transferring out, the one that it is serving and the
-   one that is loading.
-
-   BIND 8 destroyed the zone before loading and also killed off outgoing
-   transfers of the zone.
-
-   The new strategy allows slaves to get copies of the new zone regardless
-   of how often the master is loaded compared to the transfer time. The
-   slave might skip some intermediate versions but the transfers will
-   complete and it will keep reasonably in sync with the master.
-
-   The new strategy also allows the master to recover from syntax and
-   other errors in the master file as it still has an in-core copy of the
-   old contents.
-
-Q: I want to use IPv6 locally but I don't have a external IPv6 connection.
-   External lookups are slow.
-
-A: You can use server clauses to stop named making external lookups over
-   IPv6.
-
-   server fd81:ec6c:bd62::/48 { bogus no; }; // site ULA prefix
-   server ::/0 { bogus yes; };
-
-3. Operations Questions
-
-Q: How to change the nameservers for a zone?
-
-A: Step 1: Ensure all nameservers, new and old, are serving the same zone
-   content.
-
-   Step 2: Work out the maximum TTL of the NS RRset in the parent and
-   child zones. This is the time it will take caches to be clear of a
-   particular version of the NS RRset. If you are just removing
-   nameservers you can skip to Step 6.
-
-   Step 3: Add new nameservers to the NS RRset for the zone and wait until
-   all the servers for the zone are answering with this new NS RRset.
-
-   Step 4: Inform the parent zone of the new NS RRset then wait for all
-   the parent servers to be answering with the new NS RRset.
-
-   Step 5: Wait for cache to be clear of the old NS RRset. See Step 2 for
-   how long. If you are just adding nameservers you are done.
-
-   Step 6: Remove any old nameservers from the zones NS RRset and wait for
-   all the servers for the zone to be serving the new NS RRset.
-
-   Step 7: Inform the parent zone of the new NS RRset then wait for all
-   the parent servers to be answering with the new NS RRset.
-
-   Step 8: Wait for cache to be clear of the old NS RRset. See Step 2 for
-   how long.
-
-   Step 9: Turn off the old nameservers or remove the zone entry from the
-   configuration of the old nameservers.
-
-   Step 10: Increment the serial number and wait for the change to be
-   visible in all nameservers for the zone. This ensures that zone
-   transfers are still working after the old servers are decommissioned.
-
-   Note: the above procedure is designed to be transparent to dns clients.
-   Decommissioning the old servers too early will result in some clients
-   not being able to look up answers in the zone.
-
-   Note: while it is possible to run the addition and removal stages
-   together it is not recommended.
-
-4. General Questions
-
-Q: I keep getting log messages like the following. Why?
-
-   Dec 4 23:47:59 client 10.0.0.1#1355: updating zone 'example.com/IN':
-   update failed: 'RRset exists (value dependent)' prerequisite not
-   satisfied (NXRRSET)
-
-A: DNS updates allow the update request to test to see if certain
-   conditions are met prior to proceeding with the update. The message
-   above is saying that conditions were not met and the update is not
-   proceeding. See doc/rfc/rfc2136.txt for more details on prerequisites.
-
-Q: I keep getting log messages like the following. Why?
-
-   Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied
-
-A: Someone is trying to update your DNS data using the RFC2136 Dynamic
-   Update protocol. Windows 2000 machines have a habit of sending dynamic
-   update requests to DNS servers without being specifically configured to
-   do so. If the update requests are coming from a Windows 2000 machine,
-   see <http://support.microsoft.com/support/kb/articles/q246/8/04.asp>
-   for information about how to turn them off.
-
-Q: When I do a "dig . ns", many of the A records for the root servers are
-   missing. Why?
-
-A: This is normal and harmless. It is a somewhat confusing side effect of
-   the way BIND 9 does RFC2181 trust ranking and of the efforts BIND 9
-   makes to avoid promoting glue into answers.
-
-   When BIND 9 first starts up and primes its cache, it receives the root
-   server addresses as additional data in an authoritative response from a
-   root server, and these records are eligible for inclusion as additional
-   data in responses. Subsequently it receives a subset of the root server
-   addresses as additional data in a non-authoritative (referral) response
-   from a root server. This causes the addresses to now be considered
-   non-authoritative (glue) data, which is not eligible for inclusion in
-   responses.
-
-   The server does have a complete set of root server addresses cached at
-   all times, it just may not include all of them as additional data,
-   depending on whether they were last received as answers or as glue. You
-   can always look up the addresses with explicit queries like "dig
-   a.root-servers.net A".
-
-Q: Why don't my zones reload when I do an "rndc reload" or SIGHUP?
-
-A: A zone can be updated either by editing zone files and reloading the
-   server or by dynamic update, but not both. If you have enabled dynamic
-   update for a zone using the "allow-update" option, you are not supposed
-   to edit the zone file by hand, and the server will not attempt to
-   reload it.
-
-Q: Why is named listening on UDP port other than 53?
-
-A: Named uses a system selected port to make queries of other nameservers.
-   This behaviour can be overridden by using query-source to lock down the
-   port and/or address. See also notify-source and transfer-source.
-
-Q: I get warning messages like "zone example.com/IN: refresh: failure
-   trying master 1.2.3.4#53: timed out".
-
-A: Check that you can make UDP queries from the slave to the master
-
-   dig +norec example.com soa @1.2.3.4
-
-   You could be generating queries faster than the slave can cope with.
-   Lower the serial query rate.
-
-   serial-query-rate 5; // default 20
-
-Q: I don't get RRSIG's returned when I use "dig +dnssec".
-
-A: You need to ensure DNSSEC is enabled (dnssec-enable yes;).
-
-Q: Can a NS record refer to a CNAME.
-
-A: No. The rules for glue (copies of the *address* records in the parent
-   zones) and additional section processing do not allow it to work.
-
-   You would have to add both the CNAME and address records (A/AAAA) as
-   glue to the parent zone and have CNAMEs be followed when doing
-   additional section processing to make it work. No nameserver
-   implementation supports either of these requirements.
-
-Q: What does "RFC 1918 response from Internet for 0.0.0.10.IN-ADDR.ARPA"
-   mean?
-
-A: If the IN-ADDR.ARPA name covered refers to a internal address space you
-   are using then you have failed to follow RFC 1918 usage rules and are
-   leaking queries to the Internet. You should establish your own zones
-   for these addresses to prevent you querying the Internet's name servers
-   for these addresses. Please see <http://as112.net/> for details of the
-   problems you are causing and the counter measures that have had to be
-   deployed.
-
-   If you are not using these private addresses then a client has queried
-   for them. You can just ignore the messages, get the offending client to
-   stop sending you these messages as they are most probably leaking them
-   or setup your own zones empty zones to serve answers to these queries.
-
-   zone "10.IN-ADDR.ARPA" {
-           type master;
-           file "empty";
-   };
-
-   zone "16.172.IN-ADDR.ARPA" {
-           type master;
-           file "empty";
-   };
-
-   ...
-
-   zone "31.172.IN-ADDR.ARPA" {
-           type master;
-           file "empty";
-   };
-
-   zone "168.192.IN-ADDR.ARPA" {
-           type master;
-           file "empty";
-   };
-
-   empty:
-   @ 10800 IN SOA <name-of-server>. <contact-email>. (
-                  1 3600 1200 604800 10800 )
-   @ 10800 IN NS <name-of-server>.
-
-   Note
-
-   Future versions of named are likely to do this automatically.
-
-Q: Will named be affected by the 2007 changes to daylight savings rules in
-   the US.
-
-A: No, so long as the machines internal clock (as reported by "date -u")
-   remains at UTC. The only visible change if you fail to upgrade your OS,
-   if you are in a affected area, will be that log messages will be a hour
-   out during the period where the old rules do not match the new rules.
-
-   For most OS's this change just means that you need to update the
-   conversion rules from UTC to local time. Normally this involves
-   updating a file in /etc (which sets the default timezone for the
-   machine) and possibly a directory which has all the conversion rules
-   for the world (e.g. /usr/share/zoneinfo). When updating the OS do not
-   forget to update any chroot areas as well. See your OS's documentation
-   for more details.
-
-   The local timezone conversion rules can also be done on a individual
-   basis by setting the TZ environment variable appropriately. See your
-   OS's documentation for more details.
-
-Q: Is there a bugzilla (or other tool) database that mere mortals can have
-   (read-only) access to for bind?
-
-A: No. The BIND 9 bug database is kept closed for a number of reasons.
-   These include, but are not limited to, that the database contains
-   proprietory information from people reporting bugs. The database has in
-   the past and may in future contain unfixed bugs which are capable of
-   bringing down most of the Internet's DNS infrastructure.
-
-   The release pages for each version contain up to date lists of bugs
-   that have been fixed post release. That is as close as we can get to
-   providing a bug database.
-
-Q: Why do queries for NSEC3 records fail to return the NSEC3 record?
-
-A: NSEC3 records are strictly meta data and can only be returned in the
-   authority section. This is done so that signing the zone using NSEC3
-   records does not bring names into existence that do not exist in the
-   unsigned version of the zone.
-
-5. Operating-System Specific Questions
-
-5.1. HPUX
-
-Q: I get the following error trying to configure BIND:
-
-   checking if unistd.h or sys/types.h defines fd_set... no
-   configure: error: need either working unistd.h or sys/select.h
-
-A: You have attempted to configure BIND with the bundled C compiler. This
-   compiler does not meet the minimum compiler requirements to for
-   building BIND. You need to install a ANSI C compiler and / or teach
-   configure how to find the ANSI C compiler. The later can be done by
-   adjusting the PATH environment variable and / or specifying the
-   compiler via CC.
-
-   ./configure CC=<compiler> ...
-
-5.2. Linux
-
-Q: Why do I get the following errors:
-
-   general: errno2result.c:109: unexpected error:
-   general: unable to convert errno to isc_result: 14: Bad address
-   client: UDP client handler shutting down due to fatal receive error: unexpected error
-
-A: This is the result of a Linux kernel bug.
-
-   See: <http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w=
-   2>
-
-Q: Why does named lock up when it attempts to connect over IPSEC tunnels?
-
-A: This is due to a kernel bug where the fact that a socket is marked
-   non-blocking is ignored. It is reported that setting xfrm_larval_drop
-   to 1 helps but this may have negative side effects. See: <https://
-   bugzilla.redhat.com/show_bug.cgi?id=427629> and <http://lkml.org/lkml/
-   2007/12/4/260>.
-
-   xfrm_larval_drop can be set to 1 by the following procedure:
-
-   echo "1" > proc/sys/net/core/xfrm_larval_drop
-
-Q: Why do I see 5 (or more) copies of named on Linux?
-
-A: Linux threads each show up as a process under ps. The approximate
-   number of threads running is n+4, where n is the number of CPUs. Note
-   that the amount of memory used is not cumulative; if each process is
-   using 10M of memory, only a total of 10M is used.
-
-   Newer versions of Linux's ps command hide the individual threads and
-   require -L to display them.
-
-Q: Why does BIND 9 log "permission denied" errors accessing its
-   configuration files or zones on my Linux system even though it is
-   running as root?
-
-A: On Linux, BIND 9 drops most of its root privileges on startup. This
-   including the privilege to open files owned by other users. Therefore,
-   if the server is running as root, the configuration files and zone
-   files should also be owned by root.
-
-Q: I get the error message "named: capset failed: Operation not permitted"
-   when starting named.
-
-A: The capability module, part of "Linux Security Modules/LSM", has not
-   been loaded into the kernel. See insmod(8), modprobe(8).
-
-   The relevant modules can be loaded by running:
-
-   modprobe commoncap
-   modprobe capability
-
-Q: I'm running BIND on Red Hat Enterprise Linux or Fedora Core -
-
-   Why can't named update slave zone database files?
-
-   Why can't named create DDNS journal files or update the master zones
-   from journals?
-
-   Why can't named create custom log files?
-
-A: Red Hat Security Enhanced Linux (SELinux) policy security protections :
-
-   Red Hat have adopted the National Security Agency's SELinux security
-   policy (see <http://www.nsa.gov/selinux>) and recommendations for BIND
-   security , which are more secure than running named in a chroot and
-   make use of the bind-chroot environment unnecessary .
-
-   By default, named is not allowed by the SELinux policy to write, create
-   or delete any files EXCEPT in these directories:
-
-   $ROOTDIR/var/named/slaves
-   $ROOTDIR/var/named/data
-   $ROOTDIR/var/tmp
-
-
-   where $ROOTDIR may be set in /etc/sysconfig/named if bind-chroot is
-   installed.
-
-   The SELinux policy particularly does NOT allow named to modify the
-   $ROOTDIR/var/named directory, the default location for master zone
-   database files.
-
-   SELinux policy overrules file access permissions - so even if all the
-   files under /var/named have ownership named:named and mode rw-rw-r--,
-   named will still not be able to write or create files except in the
-   directories above, with SELinux in Enforcing mode.
-
-   So, to allow named to update slave or DDNS zone files, it is best to
-   locate them in $ROOTDIR/var/named/slaves, with named.conf zone
-   statements such as:
-
-   zone "slave.zone." IN {
-           type slave;
-           file "slaves/slave.zone.db";
-           ...
-   };
-   zone "ddns.zone." IN  {
-           type master;
-           allow-updates {...};
-           file "slaves/ddns.zone.db";
-   };
-
-
-   To allow named to create its cache dump and statistics files, for
-   example, you could use named.conf options statements such as:
-
-   options {
-           ...
-           dump-file "/var/named/data/cache_dump.db";
-           statistics-file "/var/named/data/named_stats.txt";
-           ...
-   };
-
-
-   You can also tell SELinux to allow named to update any zone database
-   files, by setting the SELinux tunable boolean parameter
-   'named_write_master_zones=1', using the system-config-securitylevel
-   GUI, using the 'setsebool' command, or in /etc/selinux/targeted/
-   booleans.
-
-   You can disable SELinux protection for named entirely by setting the
-   'named_disable_trans=1' SELinux tunable boolean parameter.
-
-   The SELinux named policy defines these SELinux contexts for named:
-
-   named_zone_t : for zone database files       - $ROOTDIR/var/named/*
-   named_conf_t : for named configuration files - $ROOTDIR/etc/{named,rndc}.*
-   named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,data}}
-
-
-   If you want to retain use of the SELinux policy for named, and put
-   named files in different locations, you can do so by changing the
-   context of the custom file locations .
-
-   To create a custom configuration file location, e.g. '/root/
-   named.conf', to use with the 'named -c' option, do:
-
-   # chcon system_u:object_r:named_conf_t /root/named.conf
-
-
-   To create a custom modifiable named data location, e.g. '/var/log/
-   named' for a log file, do:
-
-   # chcon system_u:object_r:named_cache_t /var/log/named
-
-
-   To create a custom zone file location, e.g. /root/zones/, do:
-
-   # chcon system_u:object_r:named_zone_t /root/zones/{.,*}
-
-
-   See these man-pages for more information : selinux(8), named_selinux
-   (8), chcon(1), setsebool(8)
-
-Q: I'm running BIND on Ubuntu -
-
-   Why can't named update slave zone database files?
-
-   Why can't named create DDNS journal files or update the master zones
-   from journals?
-
-   Why can't named create custom log files?
-
-A: Ubuntu uses AppArmor <http://en.wikipedia.org/wiki/AppArmor> in
-   addition to normal file system permissions to protect the system.
-
-   Adjust the paths to use those specified in /etc/apparmor.d/
-   usr.sbin.named or adjust /etc/apparmor.d/usr.sbin.named to allow named
-   to write at the location specified in named.conf.
-
-Q: Listening on individual IPv6 interfaces does not work.
-
-A: This is usually due to "/proc/net/if_inet6" not being available in the
-   chroot file system. Mount another instance of "proc" in the chroot file
-   system.
-
-   This can be be made permanent by adding a second instance to /etc/
-   fstab.
-
-   proc /proc           proc defaults 0 0
-   proc /var/named/proc proc defaults 0 0
-
-5.3. Windows
-
-Q: Zone transfers from my BIND 9 master to my Windows 2000 slave fail.
-   Why?
-
-A: This may be caused by a bug in the Windows 2000 DNS server where DNS
-   messages larger than 16K are not handled properly. This can be worked
-   around by setting the option "transfer-format one-answer;". Also check
-   whether your zone contains domain names with embedded spaces or other
-   special characters, like "John\032Doe\213s\032Computer", since such
-   names have been known to cause Windows 2000 slaves to incorrectly
-   reject the zone.
-
-Q: I get "Error 1067" when starting named under Windows.
-
-A: This is the service manager saying that named exited. You need to
-   examine the Application log in the EventViewer to find out why.
-
-   Common causes are that you failed to create "named.conf" (usually "C:\
-   windows\dns\etc\named.conf") or failed to specify the directory in
-   named.conf.
-
-   options {
-           Directory "C:\windows\dns\etc";
-   };
-
-5.4. FreeBSD
-
-Q: I have FreeBSD 4.x and "rndc-confgen -a" just sits there.
-
-A: /dev/random is not configured. Use rndcontrol(8) to tell the kernel to
-   use certain interrupts as a source of random events. You can make this
-   permanent by setting rand_irqs in /etc/rc.conf.
-
-   rand_irqs="3 14 15"
-
-   See also <http://people.freebsd.org/~dougb/randomness.html>.
-
-5.5. Solaris
-
-Q: How do I integrate BIND 9 and Solaris SMF
-
-A: Sun has a blog entry describing how to do this.
-
-   <http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris>
-
-5.6. Apple Mac OS X
-
-Q: How do I run BIND 9 on Apple Mac OS X?
-
-A: If you run Tiger(Mac OS 10.4) or later then this is all you need to do:
-
-   % sudo rndc-confgen  > /etc/rndc.conf
-
-   Copy the key statement from /etc/rndc.conf into /etc/rndc.key, e.g.:
-
-   key "rndc-key" {
-           algorithm hmac-sha256;
-           secret "uvceheVuqf17ZwIcTydddw==";
-   };
-
-   Then start the relevant service:
-
-   % sudo service org.isc.named start
-
-   This is persistent upon a reboot, so you will have to do it only once.
-
-A: Alternatively you can just generate /etc/rndc.key by running:
-
-   % sudo rndc-confgen -a
-
-   Then start the relevant service:
-
-   % sudo service org.isc.named start
-
-   Named will look for /etc/rndc.key when it starts if it doesn't have a
-   controls section or the existing controls are missing keys sub-clauses.
-   This is persistent upon a reboot, so you will have to do it only once.
-

FAQ.xml

@@ -1,6 +1,5 @@
 <!--
- - Copyright (C) 2004-2010, 2013-2017  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003  Internet Software Consortium.
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -20,27 +19,10 @@
 
   <articleinfo>
     <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2006</year>
-      <year>2007</year>
-      <year>2008</year>
-      <year>2009</year>
-      <year>2010</year>
-      <year>2013</year>
-      <year>2014</year>
-      <year>2015</year>
-      <year>2016</year>
       <year>2017</year>
+      <year>2018</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <year>2002</year>
-      <year>2003</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
   </articleinfo>
   <qandaset defaultlabel="qanda">
 

HISTORY

@@ -1,365 +1,233 @@
-Summary of functional enhancements from prior major releases of BIND 9:
+Functional enhancements from prior major releases of BIND 9
 
 BIND 9.8.0
 
-        BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier
-        releases.  New features include:
+BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier
+releases. New features include:
 
-        - Built-in trust anchor for the root zone, which can be
-          switched on via "dnssec-validation auto;"
-        - Support for DNS64.
-        - Support for response policy zones (RPZ).
-        - Support for writable DLZ zones.
-        - Improved ease of configuration of GSS/TSIG for
-          interoperability with Active Directory
-        - Support for GOST signing algorithm for DNSSEC.
-        - Removed RTT Banding from server selection algorithm.
-        - New "static-stub" zone type.
-        - Allow configuration of resolver timeouts via
-          "resolver-query-timeout" option.
-	- The DLZ "dlopen" driver is now built by default.
-	- Added a new include file with function typedefs
-          for the DLZ "dlopen" driver.
-	- Made "--with-gssapi" default.
-	- More verbose error reporting from DLZ LDAP.
+  * Built-in trust anchor for the root zone, which can be switched on via
+    "dnssec-validation auto;"
+  * Support for DNS64.
+  * Support for response policy zones (RPZ).
+  * Support for writable DLZ zones.
+  * Improved ease of configuration of GSS/TSIG for interoperability with
+    Active Directory
+  * Support for GOST signing algorithm for DNSSEC.
+  * Removed RTT Banding from server selection algorithm.
+  * New "static-stub" zone type.
+  * Allow configuration of resolver timeouts via "resolver-query-timeout"
+    option.
+  * The DLZ "dlopen" driver is now built by default.
+  * Added a new include file with function typedefs for the DLZ "dlopen"
+    driver.
+  * Made "--with-gssapi" default.
+  * More verbose error reporting from DLZ LDAP.
 
 BIND 9.7.0
 
-	BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier
-	releases.  Most are intended to simplify DNSSEC configuration.
+BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier
+releases. Most are intended to simplify DNSSEC configuration. New features
+include:
 
-	New features include:
-
-	- Fully automatic signing of zones by "named".
-	- Simplified configuration of DNSSEC Lookaside Validation (DLV).
-	- Simplified configuration of Dynamic DNS, using the "ddns-confgen"
-	  command line tool or the "local" update-policy option.  (As a side
-	  effect, this also makes it easier to configure automatic zone
-	  re-signing.)
-	- New named option "attach-cache" that allows multiple views to
-	  share a single cache.
-	- DNS rebinding attack prevention.
-	- New default values for dnssec-keygen parameters.
-	- Support for RFC 5011 automated trust anchor maintenance
-	- Smart signing: simplified tools for zone signing and key
-	  maintenance.
-	- The "statistics-channels" option is now available on Windows.
-	- A new DNSSEC-aware libdns API for use by non-BIND9 applications
-	- On some platforms, named and other binaries can now print out
-	  a stack backtrace on assertion failure, to aid in debugging.
-	- A "tools only" installation mode on Windows, which only installs
-	  dig, host, nslookup and nsupdate.
-	- Improved PKCS#11 support, including Keyper support and explicit
-	  OpenSSL engine selection.
+  * Fully automatic signing of zones by "named".
+  * Simplified configuration of DNSSEC Lookaside Validation (DLV).
+  * Simplified configuration of Dynamic DNS, using the "ddns-confgen"
+    command line tool or the "local" update-policy option. (As a side
+    effect, this also makes it easier to configure automatic zone
+    re-signing.)
+  * New named option "attach-cache" that allows multiple views to share a
+    single cache.
+  * DNS rebinding attack prevention.
+  * New default values for dnssec-keygen parameters.
+  * Support for RFC 5011 automated trust anchor maintenance
+  * Smart signing: simplified tools for zone signing and key maintenance.
+  * The "statistics-channels" option is now available on Windows.
+  * A new DNSSEC-aware libdns API for use by non-BIND9 applications
+  * On some platforms, named and other binaries can now print out a stack
+    backtrace on assertion failure, to aid in debugging.
+  * A "tools only" installation mode on Windows, which only installs dig,
+    host, nslookup and nsupdate.
+  * Improved PKCS#11 support, including Keyper support and explicit
+    OpenSSL engine selection.
 
 BIND 9.6.0
 
-        Full NSEC3 support
-
-        Automatic zone re-signing
-
-	New update-policy methods tcp-self and 6to4-self
-
-        The BIND 8 resolver library, libbind, has been removed from the
-        BIND 9 distribution and is now available as a separate download.
-
-	Change the default pid file location from /var/run to
-	/var/run/{named,lwresd} for improved chroot/setuid support.
+  * Full NSEC3 support
+  * Automatic zone re-signing
+  * New update-policy methods tcp-self and 6to4-self
+  * The BIND 8 resolver library, libbind, has been removed from the BIND 9
+    distribution and is now available as a separate download.
+  * Change the default pid file location from /var/run to /var/run/
+    {named,lwresd} for improved chroot/setuid support.
 
 BIND 9.5.0
 
-	GSS-TSIG support (RFC 3645).
-
-	DHCID support.
-
-	Experimental http server and statistics support for named via xml.
-
-	More detailed statistics counters including those supported in BIND 8.
-
-	Faster ACL processing.
-
-	Use Doxygen to generate internal documentation.
-
-        Efficient LRU cache-cleaning mechanism.
-
-        NSID support.
+  * GSS-TSIG support (RFC 3645).
+  * DHCID support.
+  * Experimental http server and statistics support for named via xml.
+  * More detailed statistics counters including those supported in BIND 8.
+  * Faster ACL processing.
+  * Use Doxygen to generate internal documentation.
+  * Efficient LRU cache-cleaning mechanism.
+  * NSID support.
 
 BIND 9.4.0
 
-	Implemented "additional section caching (or acache)", an
-	internal cache framework for additional section content to
-	improve response performance.  Several configuration options
-	were provided to control the behavior.
-
-	New notify type 'master-only'.  Enable notify for master
-	zones only.
-
-	Accept 'notify-source' style syntax for query-source.
-
-	rndc now allows addresses to be set in the server clauses.
-
-	New option "allow-query-cache".  This lets "allow-query"
-	be used to specify the default zone access level rather
-	than having to have every zone override the global value.
-	"allow-query-cache" can be set at both the options and view
-	levels.  If "allow-query-cache" is not set then "allow-recursion"
-	is used if set, otherwise "allow-query" is used if set
-	unless "recursion no;" is set in which case "none;" is used,
-	otherwise the default (localhost; localnets;) is used.
-
-	rndc: the source address can now be specified.
-
-	ixfr-from-differences now takes master and slave in addition
-	to yes and no at the options and view levels.
-
-	Allow the journal's name to be changed via named.conf.
-
-	'rndc notify zone [class [view]]' resend the NOTIFY messages
-	for the specified zone.
-
-	'dig +trace' now randomly selects the next servers to try.
-	Report if there is a bad delegation.
-
-	Improve check-names error messages.
-
-	Make public the function to read a key file, dst_key_read_public().
-
-	dig now returns the byte count for axfr/ixfr.
-			
-	allow-update is now settable at the options / view level.
-
-	named-checkconf now checks the logging configuration.
-
-	host now can turn on memory debugging flags with '-m'.
-
-	Don't send notify messages to self.
-
-	Perform sanity checks on NS records which refer to 'in zone' names.
-
-	New zone option "notify-delay".  Specify a minimum delay
-	between sets of NOTIFY messages.
-
-	Extend adjusting TTL warning messages.
-
-	Named and named-checkzone can now both check for non-terminal
-	wildcard records.
-
-	"rndc freeze/thaw" now freezes/thaws all zones.
-
-	named-checkconf now check acls to verify that they only
-	refer to existing acls.
-
-	The server syntax has been extended to support a range of
-	servers.
-
-	Report differences between hints and real NS rrset and
-	associated address records.
-
-	Preserve the case of domain names in rdata during zone
-	transfers.
-
-	Restructured the data locking framework using architecture
-	dependent atomic operations (when available), improving
-	response performance on multi-processor machines significantly.
-	x86, x86_64, alpha, powerpc, and mips are currently supported.
-
-	UNIX domain controls are now supported.
-
-	Add support for additional zone file formats for improving
-	loading performance.  The masterfile-format option in
-	named.conf can be used to specify a non-default format.  A
-	separate command named-compilezone was provided to generate
-	zone files in the new format.  Additionally, the -I and -O
-	options for dnssec-signzone specify the input and output
-	formats.
-
-	dnssec-signzone can now randomize signature end times
-	(dnssec-signzone -j jitter).
-
-	Add support for CH A record.
-
-	Add additional zone data constancy checks.  named-checkzone
-	has extended checking of NS, MX and SRV record and the hosts
-	they reference.  named has extended post zone load checks.
-	New zone options: check-mx and integrity-check.
-
-
-	edns-udp-size can now be overridden on a per server basis.
-
-	dig can now specify the EDNS version when making a query.
-
-	Added framework for handling multiple EDNS versions.
-
-	Additional memory debugging support to track size and mctx
-	arguments.
-
-	Detect duplicates of UDP queries we are recursing on and
-	drop them.  New stats category "duplicates".
-
-	"USE INTERNAL MALLOC" is now runtime selectable.
-
-	The lame cache is now done on a <qname,qclass,qtype> basis
-	as some servers only appear to be lame for certain query
-	types.
-
-	Limit the number of recursive clients that can be waiting
-	for a single query (<qname,qtype,qclass>) to resolve.  New
-	options clients-per-query and max-clients-per-query.
-
-	dig: report the number of extra bytes still left in the
-	packet after processing all the records.
-
-	Support for IPSECKEY rdata type.
-
-	Raise the UDP recieve buffer size to 32k if it is less than 32k.
-
-	x86 and x86_64 now have seperate atomic locking implementations.
-
-	named-checkconf now validates update-policy entries.
-
-	Attempt to make the amount of work performed in a iteration
-	self tuning.  The covers nodes clean from the cache per
-	iteration, nodes written to disk when rewriting a master
-	file and nodes destroyed per iteration when destroying a
-	zone or a cache.
-
-	ISC string copy API.
-
-	Automatic empty zone creation for D.F.IP6.ARPA and friends.
-	Note: RFC 1918 zones are not yet covered by this but are
-	likely to be in a future release.
-
-	New options: empty-server, empty-contact, empty-zones-enable
-	and disable-empty-zone.
-
-	dig now has a '-q queryname' and '+showsearch' options.
-
-	host/nslookup now continue (default)/fail on SERVFAIL.
-
-	dig now warns if 'RA' is not set in the answer when 'RD'
-	was set in the query.  host/nslookup skip servers that fail
-	to set 'RA' when 'RD' is set unless a server is explicitly
-	set.
-
-	Integrate contibuted DLZ code into named.
-
-	Integrate contibuted IDN code from JPNIC.
-
-	libbind: corresponds to that from BIND 8.4.7.
+  * Implemented "additional section caching (or acache)", an internal
+    cache framework for additional section content to improve response
+    performance. Several configuration options were provided to control
+    the behavior.
+  * New notify type 'master-only'. Enable notify for master zones only.
+  * Accept 'notify-source' style syntax for query-source.
+  * rndc now allows addresses to be set in the server clauses.
+  * New option "allow-query-cache". This lets "allow-query" be used to
+    specify the default zone access level rather than having to have every
+    zone override the global value. "allow-query-cache" can be set at both
+    the options and view levels. If "allow-query-cache" is not set then
+    "allow-recursion" is used if set, otherwise "allow-query" is used if
+    set unless "recursion no;" is set in which case "none;" is used,
+    otherwise the default (localhost; localnets;) is used.
+  * rndc: the source address can now be specified.
+  * ixfr-from-differences now takes master and slave in addition to yes
+    and no at the options and view levels.
+  * Allow the journal's name to be changed via named.conf.
+  * 'rndc notify zone [class [view]]' resend the NOTIFY messages for the
+    specified zone.
+  * 'dig +trace' now randomly selects the next servers to try. Report if
+    there is a bad delegation.
+  * Improve check-names error messages.
+  * Make public the function to read a key file, dst_key_read_public().
+  * dig now returns the byte count for axfr/ixfr.
+  * allow-update is now settable at the options / view level.
+  * named-checkconf now checks the logging configuration.
+  * host now can turn on memory debugging flags with '-m'.
+  * Don't send notify messages to self.
+  * Perform sanity checks on NS records which refer to 'in zone' names.
+  * New zone option "notify-delay". Specify a minimum delay between sets
+    of NOTIFY messages.
+  * Extend adjusting TTL warning messages.
+  * Named and named-checkzone can now both check for non-terminal wildcard
+    records.
+  * "rndc freeze/thaw" now freezes/thaws all zones.
+  * named-checkconf now check acls to verify that they only refer to
+    existing acls.
+  * The server syntax has been extended to support a range of servers.
+  * Report differences between hints and real NS rrset and associated
+    address records.
+  * Preserve the case of domain names in rdata during zone transfers.
+  * Restructured the data locking framework using architecture dependent
+    atomic operations (when available), improving response performance on
+    multi-processor machines significantly. x86, x86_64, alpha, powerpc,
+    and mips are currently supported.
+  * UNIX domain controls are now supported.
+  * Add support for additional zone file formats for improving loading
+    performance. The masterfile-format option in named.conf can be used to
+    specify a non-default format. A separate command named-compilezone was
+    provided to generate zone files in the new format. Additionally, the
+    -I and -O options for dnssec-signzone specify the input and output
+    formats.
+  * dnssec-signzone can now randomize signature end times (dnssec-signzone
+    -j jitter).
+  * Add support for CH A record.
+  * Add additional zone data constancy checks. named-checkzone has
+    extended checking of NS, MX and SRV record and the hosts they
+    reference. named has extended post zone load checks. New zone options:
+    check-mx and integrity-check.
+  * edns-udp-size can now be overridden on a per server basis.
+  * dig can now specify the EDNS version when making a query.
+  * Added framework for handling multiple EDNS versions.
+  * Additional memory debugging support to track size and mctx arguments.
+  * Detect duplicates of UDP queries we are recursing on and drop them.
+    New stats category "duplicates".
+  * "USE INTERNAL MALLOC" is now runtime selectable.
+  * The lame cache is now done on a basis as some servers only appear to
+    be lame for certain query types.
+  * Limit the number of recursive clients that can be waiting for a single
+    query () to resolve. New options clients-per-query and
+    max-clients-per-query.
+  * dig: report the number of extra bytes still left in the packet after
+    processing all the records.
+  * Support for IPSECKEY rdata type.
+  * Raise the UDP recieve buffer size to 32k if it is less than 32k.
+  * x86 and x86_64 now have seperate atomic locking implementations.
+  * named-checkconf now validates update-policy entries.
+  * Attempt to make the amount of work performed in a iteration self
+    tuning. The covers nodes clean from the cache per iteration, nodes
+    written to disk when rewriting a master file and nodes destroyed per
+    iteration when destroying a zone or a cache.
+  * ISC string copy API.
+  * Automatic empty zone creation for D.F.IP6.ARPA and friends. Note: RFC
+    1918 zones are not yet covered by this but are likely to be in a
+    future release.
+  * New options: empty-server, empty-contact, empty-zones-enable and
+    disable-empty-zone.
+  * dig now has a '-q queryname' and '+showsearch' options.
+  * host/nslookup now continue (default)/fail on SERVFAIL.
+  * dig now warns if 'RA' is not set in the answer when 'RD' was set in
+    the query. host/nslookup skip servers that fail to set 'RA' when 'RD'
+    is set unless a server is explicitly set.
+  * Integrate contibuted DLZ code into named.
+  * Integrate contibuted IDN code from JPNIC.
+  * libbind: corresponds to that from BIND 8.4.7.
 
 BIND 9.3.0
 
-	DNSSEC is now DS based (RFC 3658).
-	See also RFC 3845, doc/draft/draft-ietf-dnsext-dnssec-*.
-
-	DNSSEC lookaside validation.
-
-	check-names is now implemented.
-	rrset-order in more complete.
-
-	IPv4/IPv6 transition support, dual-stack-servers.
-
-	IXFR deltas can now be generated when loading master files,
-	ixfr-from-differences.
-
-	It is now possible to specify the size of a journal, max-journal-size.
-
-	It is now possible to define a named set of master servers to be
-	used in masters clause, masters.
-
-	The advertised EDNS UDP size can now be set, edns-udp-size.
-
-	allow-v6-synthesis has been obsoleted.
-
-	NOTE:
-	* Zones containing MD and MF will now be rejected.
-	* dig, nslookup name. now report "Not Implemented" as
-	  NOTIMP rather than NOTIMPL.  This will have impact on scripts
-	  that are looking for NOTIMPL.
-
-	libbind: corresponds to that from BIND 8.4.5.
+  * DNSSEC is now DS based (RFC 3658).
+  * DNSSEC lookaside validation.
+  * check-names is now implemented.
+  * rrset-order is more complete.
+  * IPv4/IPv6 transition support, dual-stack-servers.
+  * IXFR deltas can now be generated when loading master files,
+    ixfr-from-differences.
+  * It is now possible to specify the size of a journal, max-journal-size.
+  * It is now possible to define a named set of master servers to be used
+    in masters clause, masters.
+  * The advertised EDNS UDP size can now be set, edns-udp-size.
+  * allow-v6-synthesis has been obsoleted.
+  * Zones containing MD and MF will now be rejected.
+  * dig, nslookup name. now report "Not Implemented" as NOTIMP rather than
+    NOTIMPL. This will have impact on scripts that are looking for
+    NOTIMPL.
+  * libbind: corresponds to that from BIND 8.4.5.
 
 BIND 9.2.0
 
-	The size of the cache can now be limited using the
-        "max-cache-size" option.
-
-	The server can now automatically convert RFC1886-style recursive
-	lookup requests into RFC2874-style lookups, when enabled using the
-	new option "allow-v6-synthesis".  This allows stub resolvers that
-	support AAAA records but not A6 record chains or binary labels to
-	perform lookups in domains that make use of these IPv6 DNS
-	features.
-
-	Performance has been improved.
-
-	The man pages now use the more portable "man" macros rather than
-	the "mandoc" macros, and are installed by "make install".
-
-	The named.conf parser has been completely rewritten.  It now
-	supports "include" directives in more places such as inside "view"
-	statements, and it no longer has any reserved words.
-
-	The "rndc status" command is now implemented.
-
-	rndc can now be configured automatically.
-
-	A BIND 8 compatible stub resolver library is now included in
-	lib/bind.
-
-	OpenSSL has been removed from the distribution.  This means that to
-	use DNSSEC, OpenSSL must be installed and the --with-openssl option
-	must be supplied to configure.  This does not apply to the use of
-	TSIG, which does not require OpenSSL.
-
-	The source distribution now builds on Windows.  See
-	win32utils/readme1.txt and win32utils/win32-build.txt for details.
-
-	This distribution also includes a new lightweight stub
-	resolver library and associated resolver daemon that fully
-	support forward and reverse lookups of both IPv4 and IPv6
-	addresses.  This library is considered experimental and
-	is not a complete replacement for the BIND 8 resolver library.
-	Applications that use the BIND 8 res_* functions to perform
-	DNS lookups or dynamic updates still need to be linked against
-	the BIND 8 libraries.  For DNS lookups, they can also use the
-	new "getrrsetbyname()" API.
-
-	BIND 9.2 is capable of acting as an authoritative server
-	for DNSSEC secured zones.  This functionality is believed to
-	be stable and complete except for lacking support for
-	verifications involving wildcard records in secure zones.
-
-	When acting as a caching server, BIND 9.2 can be configured
-	to perform DNSSEC secure resolution on behalf of its clients.
-	This part of the DNSSEC implementation is still considered
-	experimental.  For detailed information about the state of the
-	DNSSEC implementation, see the file doc/misc/dnssec.
-
-	There are a few known bugs:
-
-	    On some systems, IPv6 and IPv4 sockets interact in
-	    unexpected ways.  For details, see doc/misc/ipv6.
-	    To reduce the impact of these problems, the server
-	    no longer listens for requests on IPv6 addresses
-	    by default.  If you need to accept DNS queries over
-	    IPv6, you must specify "listen-on-v6 { any; };"
-	    in the named.conf options statement.
-
-	    FreeBSD prior to 4.2 (and 4.2 if running as non-root)
-	    and OpenBSD prior to 2.8 log messages like
-	    "fcntl(8, F_SETFL, 4): Inappropriate ioctl for device".
-	    This is due to a bug in "/dev/random" and impacts the
-	    server's DNSSEC support.
-
-	    OS X 10.1.4 (Darwin 5.4), OS X 10.1.5 (Darwin 5.5) and
-	    OS X 10.2 (Darwin 6.0) reports errors like
-	    "fcntl(3, F_SETFL, 4): Operation not supported by device".
-	    This is due to a bug in "/dev/random" and impacts the
-	    server's DNSSEC support.
-
-	    --with-libtool does not work on AIX.
-
-	A bug in some versions of the Microsoft DNS server can cause zone
-        transfers from a BIND 9 server to a W2K server to fail.  For details,
-	see the "Zone Transfers" section in doc/misc/migration.
+  * The size of the cache can now be limited using the "max-cache-size"
+    option.
+  * The server can now automatically convert RFC1886-style recursive
+    lookup requests into RFC2874-style lookups, when enabled using the new
+    option "allow-v6-synthesis". This allows stub resolvers that support
+    AAAA records but not A6 record chains or binary labels to perform
+    lookups in domains that make use of these IPv6 DNS features.
+  * Performance has been improved.
+  * The man pages now use the more portable "man" macros rather than the
+    "mandoc" macros, and are installed by "make install".
+  * The named.conf parser has been completely rewritten. It now supports
+    "include" directives in more places such as inside "view" statements,
+    and it no longer has any reserved words.
+  * The "rndc status" command is now implemented.
+  * rndc can now be configured automatically.
+  * A BIND 8 compatible stub resolver library is now included in lib/bind.
+  * OpenSSL has been removed from the distribution. This means that to use
+    DNSSEC, OpenSSL must be installed and the --with-openssl option must
+    be supplied to configure. This does not apply to the use of TSIG,
+    which does not require OpenSSL.
+  * The source distribution now builds on Windows. See win32utils/
+    readme1.txt and win32utils/win32-build.txt for details.
+  * This distribution also includes a new lightweight stub resolver
+    library and associated resolver daemon that fully support forward and
+    reverse lookups of both IPv4 and IPv6 addresses. This library is
+    considered experimental and is not a complete replacement for the BIND
+    8 resolver library. Applications that use the BIND 8 res_* functions
+    to perform DNS lookups or dynamic updates still need to be linked
+    against the BIND 8 libraries. For DNS lookups, they can also use the
+    new "getrrsetbyname()" API.
+  * BIND 9.2 is capable of acting as an authoritative server for DNSSEC
+    secured zones. This functionality is believed to be stable and
+    complete except for lacking support for verifications involving
+    wildcard records in secure zones.
+  * When acting as a caching server, BIND 9.2 can be configured to perform
+    DNSSEC secure resolution on behalf of its clients. This part of the
+    DNSSEC implementation is still considered experimental. For detailed
+    information about the state of the DNSSEC implementation, see the file
+    doc/misc/dnssec.

HISTORY.md

@@ -0,0 +1,246 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+### Functional enhancements from prior major releases of BIND 9
+
+#### BIND 9.8.0
+
+BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier
+releases.  New features include:
+
+- Built-in trust anchor for the root zone, which can be
+  switched on via "dnssec-validation auto;"
+- Support for DNS64.
+- Support for response policy zones (RPZ).
+- Support for writable DLZ zones.
+- Improved ease of configuration of GSS/TSIG for
+  interoperability with Active Directory
+- Support for GOST signing algorithm for DNSSEC.
+- Removed RTT Banding from server selection algorithm.
+- New "static-stub" zone type.
+- Allow configuration of resolver timeouts via
+  "resolver-query-timeout" option.
+- The DLZ "dlopen" driver is now built by default.
+- Added a new include file with function typedefs
+  for the DLZ "dlopen" driver.
+- Made "--with-gssapi" default.
+- More verbose error reporting from DLZ LDAP.
+
+#### BIND 9.7.0
+
+BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier
+releases.  Most are intended to simplify DNSSEC configuration.
+New features include:
+
+- Fully automatic signing of zones by "named".
+- Simplified configuration of DNSSEC Lookaside Validation (DLV).
+- Simplified configuration of Dynamic DNS, using the "ddns-confgen"
+  command line tool or the "local" update-policy option.  (As a side
+  effect, this also makes it easier to configure automatic zone
+  re-signing.)
+- New named option "attach-cache" that allows multiple views to
+  share a single cache.
+- DNS rebinding attack prevention.
+- New default values for dnssec-keygen parameters.
+- Support for RFC 5011 automated trust anchor maintenance
+- Smart signing: simplified tools for zone signing and key
+  maintenance.
+- The "statistics-channels" option is now available on Windows.
+- A new DNSSEC-aware libdns API for use by non-BIND9 applications
+- On some platforms, named and other binaries can now print out
+  a stack backtrace on assertion failure, to aid in debugging.
+- A "tools only" installation mode on Windows, which only installs
+  dig, host, nslookup and nsupdate.
+- Improved PKCS#11 support, including Keyper support and explicit
+  OpenSSL engine selection.
+
+#### BIND 9.6.0
+
+- Full NSEC3 support
+- Automatic zone re-signing
+- New update-policy methods tcp-self and 6to4-self
+- The BIND 8 resolver library, libbind, has been removed from the BIND 9
+  distribution and is now available as a separate download.
+- Change the default pid file location from /var/run to
+  /var/run/{named,lwresd} for improved chroot/setuid support.
+
+#### BIND 9.5.0
+
+- GSS-TSIG support (RFC 3645).
+- DHCID support.
+- Experimental http server and statistics support for named via xml.
+- More detailed statistics counters including those supported in BIND 8.
+- Faster ACL processing.
+- Use Doxygen to generate internal documentation.
+- Efficient LRU cache-cleaning mechanism.
+- NSID support.
+
+BIND 9.4.0
+
+- Implemented "additional section caching (or acache)", an internal cache
+  framework for additional section content to improve response performance.
+  Several configuration options were provided to control the behavior.
+- New notify type 'master-only'.  Enable notify for master zones only.
+- Accept 'notify-source' style syntax for query-source.
+- rndc now allows addresses to be set in the server clauses.
+- New option "allow-query-cache".  This lets "allow-query" be used to
+  specify the default zone access level rather than having to have every
+  zone override the global value.  "allow-query-cache" can be set at both
+  the options and view levels.  If "allow-query-cache" is not set then
+  "allow-recursion" is used if set, otherwise "allow-query" is used if set
+  unless "recursion no;" is set in which case "none;" is used, otherwise
+  the default (localhost; localnets;) is used.
+- rndc: the source address can now be specified.
+- ixfr-from-differences now takes master and slave in addition to yes and
+  no at the options and view levels.
+- Allow the journal's name to be changed via named.conf.
+- 'rndc notify zone [class [view]]' resend the NOTIFY messages for the
+  specified zone.
+- 'dig +trace' now randomly selects the next servers to try.  Report if
+  there is a bad delegation.
+- Improve check-names error messages.
+- Make public the function to read a key file, dst_key_read_public().
+- dig now returns the byte count for axfr/ixfr.
+- allow-update is now settable at the options / view level.
+- named-checkconf now checks the logging configuration.
+- host now can turn on memory debugging flags with '-m'.
+- Don't send notify messages to self.
+- Perform sanity checks on NS records which refer to 'in zone' names.
+- New zone option "notify-delay".  Specify a minimum delay between sets of
+  NOTIFY messages.
+- Extend adjusting TTL warning messages.
+- Named and named-checkzone can now both check for non-terminal wildcard
+  records.
+- "rndc freeze/thaw" now freezes/thaws all zones.
+- named-checkconf now check acls to verify that they only refer to existing
+  acls.
+- The server syntax has been extended to support a range of servers.
+- Report differences between hints and real NS rrset and associated address
+  records.
+- Preserve the case of domain names in rdata during zone transfers.
+- Restructured the data locking framework using architecture dependent
+  atomic operations (when available), improving response performance on
+  multi-processor machines significantly.  x86, x86_64, alpha, powerpc, and
+  mips are currently supported.
+- UNIX domain controls are now supported.
+- Add support for additional zone file formats for improving loading
+  performance.  The masterfile-format option in named.conf can be used to
+  specify a non-default format.  A separate command named-compilezone was
+  provided to generate zone files in the new format.  Additionally, the -I
+  and -O options for dnssec-signzone specify the input and output formats.
+- dnssec-signzone can now randomize signature end times (dnssec-signzone -j
+  jitter).
+- Add support for CH A record.
+- Add additional zone data constancy checks.  named-checkzone has extended
+  checking of NS, MX and SRV record and the hosts they reference.  named
+  has extended post zone load checks.  New zone options: check-mx and
+  integrity-check.
+- edns-udp-size can now be overridden on a per server basis.
+- dig can now specify the EDNS version when making a query.
+- Added framework for handling multiple EDNS versions.
+- Additional memory debugging support to track size and mctx arguments.
+- Detect duplicates of UDP queries we are recursing on and drop them.  New
+  stats category "duplicates".
+- "USE INTERNAL MALLOC" is now runtime selectable.
+- The lame cache is now done on a <qname,qclass,qtype> basis as some
+  servers only appear to be lame for certain query types.
+- Limit the number of recursive clients that can be waiting for a single
+  query (<qname,qtype,qclass>) to resolve.  New options clients-per-query
+  and max-clients-per-query.
+- dig: report the number of extra bytes still left in the packet after
+  processing all the records.
+- Support for IPSECKEY rdata type.
+- Raise the UDP recieve buffer size to 32k if it is less than 32k.
+- x86 and x86_64 now have seperate atomic locking implementations.
+- named-checkconf now validates update-policy entries.
+- Attempt to make the amount of work performed in a iteration self tuning.
+  The covers nodes clean from the cache per iteration, nodes written to
+  disk when rewriting a master file and nodes destroyed per iteration when
+  destroying a zone or a cache.
+- ISC string copy API.
+- Automatic empty zone creation for D.F.IP6.ARPA and friends.  Note: RFC
+  1918 zones are not yet covered by this but are likely to be in a future
+  release.
+- New options: empty-server, empty-contact, empty-zones-enable and
+  disable-empty-zone.
+- dig now has a '-q queryname' and '+showsearch' options.
+- host/nslookup now continue (default)/fail on SERVFAIL.
+- dig now warns if 'RA' is not set in the answer when 'RD' was set in the
+  query.  host/nslookup skip servers that fail to set 'RA' when 'RD' is set
+  unless a server is explicitly set.
+- Integrate contibuted DLZ code into named.
+- Integrate contibuted IDN code from JPNIC.
+- libbind: corresponds to that from BIND 8.4.7.
+
+#### BIND 9.3.0
+
+- DNSSEC is now DS based (RFC 3658).
+- DNSSEC lookaside validation.
+- check-names is now implemented.
+- rrset-order is more complete.
+- IPv4/IPv6 transition support, dual-stack-servers.
+- IXFR deltas can now be generated when loading master files,
+  ixfr-from-differences.
+- It is now possible to specify the size of a journal, max-journal-size.
+- It is now possible to define a named set of master servers to be used in
+  masters clause, masters.
+- The advertised EDNS UDP size can now be set, edns-udp-size.
+- allow-v6-synthesis has been obsoleted.
+- Zones containing MD and MF will now be rejected.
+- dig, nslookup name. now report "Not Implemented" as NOTIMP rather than
+  NOTIMPL.  This will have impact on scripts that are looking for NOTIMPL.
+- libbind: corresponds to that from BIND 8.4.5.
+
+#### BIND 9.2.0
+
+- The size of the cache can now be limited using the "max-cache-size"
+  option.
+- The server can now automatically convert RFC1886-style recursive lookup
+  requests into RFC2874-style lookups, when enabled using the new option
+  "allow-v6-synthesis".  This allows stub resolvers that support AAAA
+  records but not A6 record chains or binary labels to perform lookups in
+  domains that make use of these IPv6 DNS features.
+- Performance has been improved.
+- The man pages now use the more portable "man" macros rather than the
+  "mandoc" macros, and are installed by "make install".
+- The named.conf parser has been completely rewritten.  It now supports
+  "include" directives in more places such as inside "view" statements, and
+  it no longer has any reserved words.
+- The "rndc status" command is now implemented.
+- rndc can now be configured automatically.
+- A BIND 8 compatible stub resolver library is now included in lib/bind.
+- OpenSSL has been removed from the distribution.  This means that to use
+  DNSSEC, OpenSSL must be installed and the --with-openssl option must be
+  supplied to configure.  This does not apply to the use of TSIG, which
+  does not require OpenSSL.
+- The source distribution now builds on Windows.  See
+  win32utils/readme1.txt and win32utils/win32-build.txt for details.
+- This distribution also includes a new lightweight stub resolver library
+  and associated resolver daemon that fully support forward and reverse
+  lookups of both IPv4 and IPv6 addresses.  This library is considered
+  experimental and is not a complete replacement for the BIND 8 resolver
+  library.  Applications that use the BIND 8 `res_*` functions to perform
+  DNS lookups or dynamic updates still need to be linked against the BIND 8
+  libraries.  For DNS lookups, they can also use the new "getrrsetbyname()"
+  API.
+- BIND 9.2 is capable of acting as an authoritative server for DNSSEC
+  secured zones.  This functionality is believed to be stable and complete
+  except for lacking support for verifications involving wildcard records
+  in secure zones.
+- When acting as a caching server, BIND 9.2 can be configured to perform
+  DNSSEC secure resolution on behalf of its clients.  This part of the
+  DNSSEC implementation is still considered experimental.  For detailed
+  information about the state of the DNSSEC implementation, see the file
+  doc/misc/dnssec.

Kyuafile

@@ -0,0 +1,4 @@
+syntax(2)
+test_suite('bind9')
+
+include('lib/Kyuafile')

Makefile.in

@@ -1,5 +1,4 @@
-# Copyright (C) 2004-2009, 2011-2016  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2002  Internet Software Consortium.
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,11 +12,10 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.62 2011/09/06 04:06:37 marka Exp $
-
 srcdir =	@srcdir@
 VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
+top_builddir =  @top_builddir@
 
 VERSION=@BIND9_VERSION@
 
@@ -28,7 +26,7 @@ MANPAGES =	isc-config.sh.1
 
 HTMLPAGES =	isc-config.sh.html
 
-MANOBJS =	${MANPAGES} ${HTMLPAGES}
+MANOBJS =	README HISTORY OPTIONS ${MANPAGES} ${HTMLPAGES}
 
 @BIND9_MAKE_RULES@
 
@@ -92,16 +90,31 @@ force-test: test-force
 test-force:
 	status=0; \
 	(cd bin/tests && ${MAKE} ${MAKEDEFS} test) || status=1; \
-	(test -f unit/unittest.sh && $(SHELL) unit/unittest.sh) || status=1; \
+	(test -f ${top_builddir}/unit/unittest.sh && \
+		$(SHELL) ${top_builddir}/unit/unittest.sh) || status=1; \
 	exit $$status
 
-FAQ: FAQ.xml
-	${XSLTPROC} doc/xsl/isc-docbook-text.xsl FAQ.xml | \
-	LC_ALL=C ${W3M} -T text/html -dump -cols 72 >$@.tmp
-	mv $@.tmp $@
+README: README.md
+	${PANDOC} --email-obfuscation=none -s -t html README.md | \
+		${W3M} -dump -cols 75 -O ascii -T text/html | \
+		sed -e '$${/^$$/d;}' > $@
+
+HISTORY: HISTORY.md
+	${PANDOC} --email-obfuscation=none -s -t html HISTORY.md | \
+		${W3M} -dump -cols 75 -O ascii -T text/html | \
+		sed -e '$${/^$$/d;}' > $@
+
+OPTIONS: OPTIONS.md
+	${PANDOC} --email-obfuscation=none -s -t html OPTIONS.md | \
+		${W3M} -dump -cols 75 -O ascii -T text/html | \
+		sed -e '$${/^$$/d;}' > $@
+
+CONTRIBUTING: CONTRIBUTING.md
+	${PANDOC} --email-obfuscation=none -s -t html CONTRIBUTING.md | \
+		${W3M} -dump -cols 75 -O ascii -T text/html | \
+		sed -e '$${/^$$/d;}' > $@
 
 unit::
-	sh ${top_srcdir}/unit/unittest.sh
+	sh ${top_builddir}/unit/unittest.sh
 
 clean::
-	rm -f FAQ.tmp

OPTIONS

@@ -0,0 +1,29 @@
+Setting the STD_CDEFINES environment variable before running configure can
+be used to enable certain compile-time options that are not explicitly
+defined in configure.
+
+Some of these settings are:
+
+Setting                   Description
+                          Don't ovewrite memory when allocating or freeing
+-DISC_MEM_FILL=0          it; this improves performance but makes
+                          debugging more difficult.
+                          Don't track memory allocations by file and line
+-DISC_MEM_TRACKLINES=0    number; this improves performance but makes
+                          debugging more difficult.
+-DISC_FACILITY=LOG_LOCAL0 Change the default syslog facility for named
+-DNS_CLIENT_DROPPORT=0    Disable dropping queries from particular
+                          well-known ports:
+-DCHECK_SIBLING=0         Don't check sibling glue in named-checkzone
+-DCHECK_LOCAL=0           Don't check out-of-zone addresses in
+                          named-checkzone
+-DNS_RUN_PID_DIR=0        Create default PID files in ${localstatedir}/run
+                          rather than ${localstatedir}/run/{named,lwresd}/
+                          Enable DNSSEC signature chasing support in dig.
+-DDIG_SIGCHASE=1          (Note: This feature is deprecated. Use delv
+                          instead.)
+                          Increase the maximum number of configurable
+-DNS_RPZ_MAX_ZONES=64     response policy zones from 32 to 64; this is the
+                          highest possible setting
+-DISC_HEAP_CHECK          Test heap consistency after every heap
+                          operation; used when debugging

OPTIONS.md

@@ -0,0 +1,33 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+Setting the `STD_CDEFINES` environment variable before running `configure`
+can be used to enable certain compile-time options that are not explicitly
+defined in `configure`.
+
+Some of these settings are:
+
+|Setting                            |Description |
+|-----------------------------------|----------------------------------------|
+|`-DISC_MEM_FILL=0`|Don't ovewrite memory when allocating or freeing it; this improves performance but makes debugging more difficult.|
+|`-DISC_MEM_TRACKLINES=0`|Don't track memory allocations by file and line number; this improves performance but makes debugging more difficult.|
+|<nobr>`-DISC_FACILITY=LOG_LOCAL0`</nobr>|Change the default syslog facility for `named`|
+|`-DNS_CLIENT_DROPPORT=0`|Disable dropping queries from particular well-known ports:|
+|`-DCHECK_SIBLING=0`|Don't check sibling glue in `named-checkzone`|
+|`-DCHECK_LOCAL=0`|Don't check out-of-zone addresses in `named-checkzone`|
+|`-DNS_RUN_PID_DIR=0`|Create default PID files in `${localstatedir}/run` rather than `${localstatedir}/run/{named,lwresd}/`|
+|`-DDIG_SIGCHASE=1`|Enable DNSSEC signature chasing support in `dig`.  (Note: This feature is deprecated. Use `delv` instead.)|
+|`-DNS_RPZ_MAX_ZONES=64`|Increase the maximum number of configurable response policy zones from 32 to 64; this is the highest possible setting|
+|`-DISC_HEAP_CHECK`|Test heap consistency after every heap operation; used when debugging|

README

@@ -1,478 +1,464 @@
 BIND 9
 
-	BIND version 9 is a major rewrite of nearly all aspects of the
-	underlying BIND architecture.  Some of the important features of
-	BIND 9 are:
+Contents
 
-		- DNS Security
-			DNSSEC (signed zones)
-			TSIG (signed DNS requests)
+ 1. Introduction
+ 2. Reporting bugs and getting help
+ 3. Contributing to BIND
+ 4. BIND 9.9 features
+ 5. Building BIND
+ 6. macOS
+ 7. Compile-time options
+ 8. Automated testing
+ 9. Documentation
+10. Change log
+11. Acknowledgments
 
-		- IP version 6
-			Answers DNS queries on IPv6 sockets
-			IPv6 resource records (AAAA)
-			Experimental IPv6 Resolver Library
+Introduction
 
-		- DNS Protocol Enhancements
-			IXFR, DDNS, Notify, EDNS0
-			Improved standards conformance
+BIND (Berkeley Internet Name Domain) is a complete, highly portable
+implementation of the DNS (Domain Name System) protocol.
 
-		- Views
-			One server process can provide multiple "views" of
-			the DNS namespace, e.g. an "inside" view to certain
-			clients, and an "outside" view to others.
+The BIND name server, named, is able to serve as an authoritative name
+server, recursive resolver, DNS forwarder, or all three simultaneously. It
+implements views for split-horizon DNS, automatic DNSSEC zone signing and
+key management, catalog zones to facilitate provisioning of zone data
+throughout a name server constellation, response policy zones (RPZ) to
+protect clients from malicious data, response rate limiting (RRL) and
+recursive query limits to reduce distributed denial of service attacks,
+and many other advanced DNS features. BIND also includes a suite of
+administrative tools, including the dig and delv DNS lookup tools,
+nsupdate for dynamic DNS zone updates, rndc for remote name server
+administration, and more.
 
-		- Multiprocessor Support
+BIND 9 is a complete re-write of the BIND architecture that was used in
+versions 4 and 8. Internet Systems Consortium (https://www.isc.org), a 501
+(c)(3) public benefit corporation dedicated to providing software and
+services in support of the Internet infrastructure, developed BIND 9 and
+is responsible for its ongoing maintenance and improvement. BIND is open
+source software licenced under the terms of the ISC License for all
+versions up to and including BIND 9.10, and the Mozilla Public License
+version 2.0 for all subsequent verisons.
 
-		- Improved Portability Architecture
+For a summary of features introduced in past major releases of BIND, see
+the file HISTORY.
 
+For a detailed list of changes made throughout the history of BIND 9, see
+the file CHANGES. See below for details on the CHANGES file format.
 
-	BIND version 9 development has been underwritten by the following
-	organizations:
+For up-to-date release notes and errata, see http://www.isc.org/software/
+bind9/releasenotes
 
-		Sun Microsystems, Inc.
-		Hewlett Packard
-		Compaq Computer Corporation
-		IBM
-		Process Software Corporation
-		Silicon Graphics, Inc.
-		Network Associates, Inc.
-		U.S. Defense Information Systems Agency
-		USENIX Association
-		Stichting NLnet - NLnet Foundation
-		Nominum, Inc.
+Reporting bugs and getting help
 
-	For a summary of functional enhancements in previous
-	releases, see the HISTORY file.
+To report non-security-sensitive bugs or request new features, you may
+open an Issue in the BIND 9 project on the ISC GitLab server at https://
+gitlab.isc.org/isc-projects/bind9.
 
-	For a detailed list of user-visible changes from
-	previous releases, see the CHANGES file.
+Please note that, unless you explicitly mark the newly created Issue as
+"confidential", it will be publicly readable. Please do not include any
+information in bug reports that you consider to be confidential unless the
+issue has been marked as such. In particular, if submitting the contents
+of your configuration file in a non-confidential Issue, it is advisable to
+obscure key secrets: this can be done automatically by using
+named-checkconf -px.
 
-	For up-to-date release notes and errata, see
-	http://www.isc.org/software/bind9/releasenotes
+If the bug you are reporting is a potential security issue, such as an
+assertion failure or other crash in named, please do NOT use GitLab to
+report it. Instead, please send mail to security-officer@isc.org.
 
-BIND 9.9.10
-	
-	BIND 9.9.10 is a maintenance release and addresses the security
-	flaws disclosed in CVE-2016-2775, CVE-2016-2776, CVE-2016-6170,
-	CVE-2016-8864, CVE-2016-9131, CVE-2016-9147, CVE-2016-9444,
-	CVE-2017-3135, CVE-2017-3136, CVE-2017-3137, and CVE-2017-3138.
+Professional support and training for BIND are available from ISC at
+https://www.isc.org/support.
 
-BIND 9.9.9
+To join the BIND Users mailing list, or view the archives, visit https://
+lists.isc.org/mailman/listinfo/bind-users.
 
-	BIND 9.9.9 is a maintenance release and addresses bugs found
-	in BIND 9.9.8 and earlier, as well as the security flaws
-	described in CVE-2015-8000, CVE-2015-8461, CVE-2015-8704,
-	CVE-2016-1285, CVE-2016-1286, CVE-2016-2775 and CVE-2016-2776.
+If you're planning on making changes to the BIND 9 source code, you may
+also want to join the BIND Workers mailing list, at https://lists.isc.org/
+mailman/listinfo/bind-workers.
 
-BIND 9.9.8
+Contributing to BIND
 
-	BIND 9.9.8 is a maintenance release and addresses bugs
-	found in BIND 9.9.7 and earlier, as well as the security
-	flaws described in CVE-2015-4620, CVE-2015-5477,
-	CVE-2015-5722, and CVE-2015-5986.
+ISC maintains a public git repository for BIND; details can be found at
+http://www.isc.org/git/.
 
-	It also makes the following new features available via a
-	compile-time option:
+Information for BIND contributors can be found in the following files: -
+General information: doc/dev/contrib.md - BIND 9 code style: doc/dev/
+style.md - BIND architecture and developer guide: doc/dev/dev.md
 
-	- New "fetchlimit" quotas are now available for the use of
-	  recursive resolvers that are are under high query load for
-	  domains whose authoritative servers are nonresponsive or are
-	  experiencing a denial of service attack.
+Patches for BIND may be submitted as Merge Requests in the ISC GitLab
+server at at https://gitlab.isc.org/isc-projects/bind9/merge_requests.
 
-	  + "fetches-per-server" limits the number of simultaneous queries
-	    that can be sent to any single authoritative server.  The
-	    configured value is a starting point; it is automatically
-	    adjusted downward if the server is partially or completely
-	    non-responsive. The algorithm used to adjust the quota can be
-	    configured via the "fetch-quota-params" option.
-	  + "fetches-per-zone" limits the number of simultaneous queries
-	    that can be sent for names within a single domain.  (Note:
-	    Unlike "fetches-per-server", this value is not self-tuning.)
-	  + New stats counters have been added to count
-	    queries spilled due to these quotas.
+By default, external contributors don't have ability to fork BIND in the
+GitLab server, but if you wish to contribute code to BIND, you may request
+permission to do so. Thereafter, you can create git branches and directly
+submit requests that they be reviewed and merged.
 
-	  NOTE: These options are NOT built in by default; use
-	  "configure --enable-fetchlimit" to enable them.
+If you prefer, you may also submit code by opening a GitLab Issue and
+including your patch as an attachment, preferably generated by git
+format-patch.
 
-BIND 9.9.7
+BIND 9.9 features
 
-	BIND 9.9.7 is a maintenance release and addresses bugs
-	found in BIND 9.9.6 and earlier, as well as the security
-	flaws described in CVE-2014-8500 and CVE-2015-1349.
+BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier
+releases. New features include:
 
-BIND 9.9.6
+  * Inline signing, allowing automatic DNSSEC signing of master zones
+    without modification of the zonefile, or "bump in the wire" signing in
+    slaves.
+  * NXDOMAIN redirection.
+  * New rndc flushtree command clears all data under a given name from the
+    DNS cache.
+  * New rndc sync command dumps pending changes in a dynamic zone to disk
+    without a freeze/thaw cycle.
+  * New rndc signing command displays or clears signing status records in
+    auto-dnssec zones.
+  * NSEC3 parameters for auto-dnssec zones can now be set prior to
+    signing, eliminating the need to initially sign with NSEC.
+  * Startup time improvements on large authoritative servers.
+  * Slave zones are now saved in raw format by default.
+  * Several improvements to response policy zones (RPZ).
+  * Improved hardware scalability by using multiple threads to listen for
+    queries and using finer-grained client locking
+  * The also-notify option now takes the same syntax as masters, so it can
+    used named masterlists and TSIG keys.
+  * dnssec-signzone -D writes an output file containing only DNSSEC data,
+    which can be included by the primary zone file.
+  * dnssec-signzone -R forces removal of signatures that are not expired
+    but were created by a key which no longer exists.
+  * dnssec-signzone -X allows a separate expiration date to be specified
+    for DNSKEY signatures from other signatures.
+  * New -L option to dnssec-keygen, dnssec-settime, and
+    dnssec-keyfromlabel sets the default TTL for the key.
+  * dnssec-dsfromkey now supports reading from standard input, to make it
+    easier to convert DNSKEY to DS.
+  * RFC 1918 reverse zones have been added to the empty-zones table per
+    RFC
 
-	BIND 9.9.6 is a maintenance release, and also includes
-	the following new functionality.
+6303.
 
-	 - The former behavior with respect to capitalization of names
-	   (prior to BIND 9.9.5) can be restored for specific clients via
-	   the new "no-case-compress" ACL.
-
-BIND 9.9.5
-
-	BIND 9.9.5 is a maintenance release, and patches the security
-	flaws described in CVE-2013-6320 and CVE-2014-0591.  It also
-	includes the following functional enhancements:
-
-	 - "named" now preserves the capitalization of names when
-	   responding to queries.
-	 - new "dnssec-importkey" command allows the use of offline
-	   DNSSEC keys with automatic DNSKEY management.
-	 - When re-signing a zone, the new "dnssec-signzone -Q" option
-	   drops signatures from keys that are still published but are
-	   no longer active.
-	 - "named-checkconf -px" will print the contents of configuration
-	   files with the shared secrets obscured, making it easier to
-	   share configuration (e.g. when submitting a bug report)
-	   without revealing private information.
-
-BIND 9.9.4
-
-	BIND 9.9.4 is a maintenance release, and patches the security
-	flaws described in CVE-2013-3919 and CVE-2013-4854. It also
-	introduces DNS Response Rate Limiting (DNS RRL) as a
-	compile-time option. To use this feature, configure with
-	the "--enable-rrl" option.
-
-BIND 9.9.3
-
-	BIND 9.9.3 is a maintenance release and patches the security
-	flaws described in CVE-2012-5688, CVE-2012-5689 and CVE-2013-2266.
-
-BIND 9.9.2
-
-	BIND 9.9.2 is a maintenance release and patches the security
-	flaw described in CVE-2012-4244.
+  * Dynamic updates can now optionally set the zone's SOA serial number to
+    the current UNIX time.
+  * DLZ modules can now retrieve the source IP address of the querying
+    client.
+  * request-ixfr option can now be set at the per-zone level.
+  * dig +rrcomments turns on comments about DNSKEY records, indicating
+    their key ID, algorithm and function
+  * Simplified nsupdate syntax and added readline support
 
 BIND 9.9.1
 
-	BIND 9.9.1 is a maintenance release.
+BIND 9.9.1 is a maintenance release.
 
-BIND 9.9.0
+BIND 9.9.2
 
-	BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier
-	releases.  New features include:
+BIND 9.9.2 is a maintenance release, and addresses the security flaw
+described in CVE-2012-4244.
 
-	- Inline signing, allowing automatic DNSSEC signing of
-	  master zones without modification of the zonefile, or 
-	  "bump in the wire" signing in slaves.
-	- NXDOMAIN redirection.
-	- New 'rndc flushtree' command clears all data under a given
-	  name from the DNS cache.
-	- New 'rndc sync' command dumps pending changes in a dynamic
-	  zone to disk without a freeze/thaw cycle.
-	- New 'rndc signing' command displays or clears signing status
-	  records in 'auto-dnssec' zones.
-	- NSEC3 parameters for 'auto-dnssec' zones can now be set prior
-	  to signing, eliminating the need to initially sign with NSEC.
-	- Startup time improvements on large authoritative servers.
-	- Slave zones are now saved in raw format by default.
-	- Several improvements to response policy zones (RPZ).
-	- Improved hardware scalability by using multiple threads
-	  to listen for queries and using finer-grained client locking
-	- The 'also-notify' option now takes the same syntax as
-	  'masters', so it can used named masterlists and TSIG keys.
-	- 'dnssec-signzone -D' writes an output file containing only DNSSEC
-	  data, which can be included by the primary zone file.
-	- 'dnssec-signzone -R' forces removal of signatures that are
-	  not expired but were created by a key which no longer exists.
-	- 'dnssec-signzone -X' allows a separate expiration date to
-	  be specified for DNSKEY signatures from other signatures.
-	- New '-L' option to dnssec-keygen, dnssec-settime, and
-	  dnssec-keyfromlabel sets the default TTL for the key.
-	- dnssec-dsfromkey now supports reading from standard input,
-	  to make it easier to convert DNSKEY to DS.
-	- RFC 1918 reverse zones have been added to the empty-zones
-	  table per RFC 6303.
-	- Dynamic updates can now optionally set the zone's SOA serial
-	  number to the current UNIX time.
-	- DLZ modules can now retrieve the source IP address of
-	  the querying client.
-	- 'request-ixfr' option can now be set at the per-zone level.
-	- 'dig +rrcomments' turns on comments about DNSKEY records,
-	  indicating their key ID, algorithm and function
-	- Simplified nsupdate syntax and added readline support
+BIND 9.9.3
 
-Building
+BIND 9.9.3 is a maintenance release and addresses the security flaws
+described in CVE-2012-5688, CVE-2012-5689 and CVE-2013-2266.
 
-	BIND 9 currently requires a UNIX system with an ANSI C compiler,
-	basic POSIX support, and a 64 bit integer type.
+BIND 9.9.4
 
-	We've had successful builds and tests on the following systems:
+BIND 9.9.4 is a maintenance release, and addresses the security flaws
+described in CVE-2013-3919 and CVE-2013-4854. It also introduces DNS
+Response Rate Limiting (DNS RRL) as a compile-time option. To use this
+feature, configure with the --enable-rrl option.
 
-		COMPAQ Tru64 UNIX 5.1B
-		Fedora Core 6
-		FreeBSD 4.10, 5.2.1, 6.2
-		HP-UX 11.11
-		Mac OS X 10.5
-		NetBSD 3.x, 4.0-beta, 5.0-beta
-		OpenBSD 3.3 and up
-		Solaris 8, 9, 9 (x86), 10
-		Ubuntu 7.04, 7.10
-		Windows XP/2003/2008
+BIND 9.9.5
 
-	NOTE:  As of BIND 9.5.1, 9.4.3, and 9.3.6, older versions of
-	Windows, including Windows NT and Windows 2000, are no longer
-	supported.
+BIND 9.9.5 is a maintenance release, and addresses the security flaws
+described in CVE-2013-6320 and CVE-2014-0591. It also includes the
+following functional enhancements:
 
-	We have recent reports from the user community that a supported
-	version of BIND will build and run on the following systems:
+  * named now preserves the capitalization of names when responding to
+    queries.
+  * new dnssec-importkey command allows the use of offline DNSSEC keys
+    with automatic DNSKEY management.
+  * When re-signing a zone, the new dnssec-signzone -Q option drops
+    signatures from keys that are still published but are no longer
+    active.
+  * named-checkconf -px will print the contents of configuration files
+    with the shared secrets obscured, making it easier to share
+    configuration (e.g. when submitting a bug report) without revealing
+    private information.
 
-		AIX 4.3, 5L
-		CentOS 4, 4.5, 5
-		Darwin 9.0.0d1/ARM
-		Debian 4, 5, 6
-		Fedora Core 5, 7, 8
-		FreeBSD 6, 7, 8
-		HP-UX 11.23 PA
-		MacOS X 10.5, 10.6, 10.7
-		Red Hat Enterprise Linux 4, 5, 6
-		SCO OpenServer 5.0.6
-		Slackware 9, 10
-		SuSE 9, 10
+BIND 9.9.6
 
-	To build, just
+BIND 9.9.6 is a maintenance release, and also includes the following new
+functionality.
 
-		./configure
-		make
+  * The former behavior with respect to capitalization of names (prior to
+    BIND 9.9.5) can be restored for specific clients via the new
+    no-case-compress ACL.
 
-	Do not use a parallel "make".
+BIND 9.9.7
 
-	Several environment variables that can be set before running
-	configure will affect compilation:
+BIND 9.9.7 is a maintenance release, and addresses the security flaws
+described in CVE-2014-8500 and CVE-2015-1349.
 
-	    CC
-		The C compiler to use.	configure tries to figure
-		out the right one for supported systems.
+BIND 9.9.8
 
-	    CFLAGS
-		C compiler flags.  Defaults to include -g and/or -O2
-		as supported by the compiler.  Please include '-g'
-		if you need to set CFLAGS.
+BIND 9.9.8 is a maintenance release, and addresses the security flaws
+described in CVE-2015-4620, CVE-2015-5477, CVE-2015-5722, and
+CVE-2015-5986.
 
-	    STD_CINCLUDES
-		System header file directories.	 Can be used to specify
-		where add-on thread or IPv6 support is, for example.
-		Defaults to empty string.
+It also makes the following new features available via a compile-time
+option:
 
-	    STD_CDEFINES
-		Any additional preprocessor symbols you want defined.
-		Defaults to empty string.
+  * New "fetchlimit" quotas are now available for the use of recursive
+    resolvers that are are under high query load for domains whose
+    authoritative servers are nonresponsive or are experiencing a denial
+    of service attack.
+      + fetches-per-server limits the number of simultaneous queries that
+        can be sent to any single authoritative server. The configured
+        value is a starting point; it is automatically adjusted downward
+        if the server is partially or completely non-responsive. The
+        algorithm used to adjust the quota can be configured via the
+        fetch-quota-params option.
+      + fetches-per-zone limits the number of simultaneous queries that
+        can be sent for names within a single domain. (Note: Unlike
+        fetches-per-server, this value is not self-tuning.)
+      + New stats counters have been added to count queries spilled due to
+        these quotas. NOTE: These options are NOT built in by default; use
+        configure --enable-fetchlimit to enable them.
 
-		Possible settings:
-		Change the default syslog facility of named/lwresd.
-		  -DISC_FACILITY=LOG_LOCAL0	
-		Enable DNSSEC signature chasing support in dig.
-		  -DDIG_SIGCHASE=1 (sets -DDIG_SIGCHASE_TD=1 and
-				    -DDIG_SIGCHASE_BU=1)
-		Disable dropping queries from particular well known ports.
-		  -DNS_CLIENT_DROPPORT=0
-		Sibling glue checking in named-checkzone is enabled by default.
-		To disable the default check set.  -DCHECK_SIBLING=0
-		named-checkzone checks out-of-zone addresses by default.
-		To disable this default set.  -DCHECK_LOCAL=0
-		To create the default pid files in ${localstatedir}/run rather
-		than ${localstatedir}/run/{named,lwresd}/ set.
-		  -DNS_RUN_PID_DIR=0
-		Enable workaround for Solaris kernel bug about /dev/poll
-		  -DISC_SOCKET_USE_POLLWATCH=1
-		  The watch timeout is also configurable, e.g.,
-		  -DISC_SOCKET_POLLWATCH_TIMEOUT=20
+BIND 9.9.9
 
-	    LDFLAGS
-		Linker flags. Defaults to empty string.
+BIND 9.9.9 is a maintenance release and addresses bugs found in BIND 9.9.8
+and earlier, as well as the security flaws described in CVE-2015-8000,
+CVE-2015-8461, CVE-2015-8704, CVE-2016-1285, CVE-2016-1286, CVE-2016-2775
+and CVE-2016-2776.
 
-	The following need to be set when cross compiling.
+BIND 9.9.10
 
-	    BUILD_CC
-		The native C compiler.
-	    BUILD_CFLAGS (optional)
-	    BUILD_CPPFLAGS (optional)
-		Possible Settings:
-		-DNEED_OPTARG=1		(optarg is not declared in <unistd.h>)
-	    BUILD_LDFLAGS (optional)
-	    BUILD_LIBS (optional)
+BIND 9.9.10 is a maintenance release and addresses the security flaws
+disclosed in CVE-2016-2775, CVE-2016-2776, CVE-2016-6170, CVE-2016-8864,
+CVE-2016-9131, CVE-2016-9147, CVE-2016-9444, CVE-2017-3135, CVE-2017-3136,
+CVE-2017-3137, and CVE-2017-3138.
 
-	To build shared libraries, specify "--with-libtool" on the
-	configure command line.
+BIND 9.9.11
 
-	For the server to support DNSSEC, you need to build it
-	with crypto support.  You must have OpenSSL 1.0.1t
-	or newer installed and specify "--with-openssl" on the
-	configure command line.  If OpenSSL is installed under
-	a nonstandard prefix, you can tell configure where to
-	look for it using "--with-openssl=/prefix".
+BIND 9.9.11 is a maintenance release, and addresses the security flaws
+disclosed in CVE-2017-3140, CVE-2017-3141, CVE-2017-3142 and
+CVE-2017-3143.
 
-	Python requires 'argparse' to be available.  'argparse' is
-	a standard module as of Python 2.7 and Python 3.2.
+BIND 9.9.12
 
-	On some platforms it is necessary to explicitly request large
-	file support to handle files bigger than 2GB.  This can be
-	done by "--enable-largefile" on the configure command line.
+BIND 9.9.12 is a maintenance release, and addresses the security flaw
+disclosed in CVE-2017-3145.
 
-	On some platforms, BIND 9 can be built with multithreading
-	support, allowing it to take advantage of multiple CPUs.
-	You can specify whether to build a multithreaded BIND 9 
-	by specifying "--enable-threads" or "--disable-threads"
-	on the configure command line.  The default is operating
-	system dependent.
+BIND 9.9.13
 
-	Support for the "fixed" rrset-order option can be enabled
-	or disabled by specifying "--enable-fixed-rrset" or
-	"--disable-fixed-rrset" on the configure command line.
-	The default is "disabled", to reduce memory footprint.
+BIND 9.9.13 is a maintenance release, and addresses the security flaw
+disclosed in CVE-2018-5738.
 
-	If your operating system has integrated support for IPv6, it
-	will be used automatically.  If you have installed KAME IPv6
-	separately, use "--with-kame[=PATH]" to specify its location.
+Building BIND
 
-	"make install" will install "named" and the various BIND 9 libraries.
-	By default, installation is into /usr/local, but this can be changed
-	with the "--prefix" option when running "configure".
+BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX
+support, and a 64-bit integer type. Successful builds have been observed
+on many versions of Linux and UNIX, including RedHat, Fedora, Debian,
+Ubuntu, SuSE, Slackware, FreeBSD, NetBSD, OpenBSD, Mac OS X, Solaris,
+HP-UX, AIX, SCO OpenServer, and OpenWRT.
 
-	You may specify the option "--sysconfdir" to set the directory 
-	where configuration files like "named.conf" go by default,
-	and "--localstatedir" to set the default parent directory
-	of "run/named.pid".   For backwards compatibility with BIND 8,
-	--sysconfdir defaults to "/etc" and --localstatedir defaults to
-	"/var" if no --prefix option is given.  If there is a --prefix
-	option, sysconfdir defaults to "$prefix/etc" and localstatedir
-	defaults to "$prefix/var".
+BIND is also available for Windows XP, 2003, 2008, and higher. See
+win32utils/readme1st.txt for details on building for Windows systems.
 
-	To see additional configure options, run "configure --help".
-	Note that the help message does not reflect the BIND 8 
-	compatibility defaults for sysconfdir and localstatedir.
+To build on a UNIX or Linux system, use:
 
-	If you're planning on making changes to the BIND 9 source, you
-	should also "make depend".  If you're using Emacs, you might find
-	"make tags" helpful.
+    $ ./configure
+    $ make
 
-	If you need to re-run configure please run "make distclean" first.
-	This will ensure that all the option changes take.
+If you're planning on making changes to the BIND 9 source, you should run
+make depend. If you're using Emacs, you might find make tags helpful.
 
-	Building with gcc is not supported, unless gcc is the vendor's usual
-	compiler (e.g. the various BSD systems, Linux).
-	
-	Known compiler issues:
-	* gcc-3.2.1 and gcc-3.1.1 is known to cause problems with solaris-x86.
-	* gcc prior to gcc-3.2.3 ultrasparc generates incorrect code at -02.
-	* gcc-3.3.5 powerpc generates incorrect code at -02.
-	* Irix, MipsPRO 7.4.1m is known to cause problems.
+Several environment variables that can be set before running configure
+will affect compilation:
 
-	A limited test suite can be run with "make test".  Many of
-	the tests require you to configure a set of virtual IP addresses
-	on your system, and some require Perl; see bin/tests/system/README
-	for details.
+Variable       Description
+CC             The C compiler to use. configure tries to figure out the
+               right one for supported systems.
+               C compiler flags. Defaults to include -g and/or -O2 as
+CFLAGS         supported by the compiler. Please include '-g' if you need
+               to set CFLAGS.
+               System header file directories. Can be used to specify
+STD_CINCLUDES  where add-on thread or IPv6 support is, for example.
+               Defaults to empty string.
+               Any additional preprocessor symbols you want defined.
+STD_CDEFINES   Defaults to empty string. For a list of possible settings,
+               see the file OPTIONS.
+LDFLAGS        Linker flags. Defaults to empty string.
+BUILD_CC       Needed when cross-compiling: the native C compiler to use
+               when building for the target system.
+BUILD_CFLAGS   Optional, used for cross-compiling
+BUILD_CPPFLAGS
+BUILD_LDFLAGS
+BUILD_LIBS
 
-	SunOS 4 requires "printf" to be installed to make the shared
-	libraries.  sh-utils-1.16 provides a "printf" which compiles
-	on SunOS 4.
+macOS
 
-Known limitations
+Building on macOS assumes that the "Command Tools for Xcode" is installed.
+This can be downloaded from https://developer.apple.com/download/more/ or
+if you have Xcode already installed you can run "xcode-select --install".
+This will add /usr/include to the system and install the compiler and
+other tools so that they can be easily found.
 
-	Linux requires kernel build 2.6.39 or later to get the
-	performance benefits from using multiple sockets.
+Compile-time options
+
+To see a full list of configuration options, run configure --help.
+
+On most platforms, BIND 9 is built with multithreading support, allowing
+it to take advantage of multiple CPUs. You can configure this by
+specifying --enable-threads or --disable-threads on the configure command
+line. The default is to enable threads, except on some older operating
+systems on which threads are known to have had problems in the past.
+(Note: Prior to BIND 9.10, the default was to disable threads on Linux
+systems; this has now been reversed. On Linux systems, the threaded build
+is known to change BIND's behavior with respect to file permissions; it
+may be necessary to specify a user with the -u option when running named.)
+
+To build shared libraries, specify --with-libtool on the configure command
+line.
+
+Certain compiled-in constants and default settings can be increased to
+values better suited to large servers with abundant memory resources (e.g,
+64-bit servers with 12G or more of memory) by specifying --with-tuning=
+large on the configure command line. This can improve performance on big
+servers, but will consume more memory and may degrade performance on
+smaller systems.
+
+For the server to support DNSSEC, you need to build it with crypto
+support. To use OpenSSL, you should have OpenSSL 1.0.2e or newer
+installed. If the OpenSSL library is installed in a nonstandard location,
+specify the prefix using "--with-openssl=<PREFIX>" on the configure
+command line. To use a PKCS#11 hardware service module for cryptographic
+operations, specify the path to the PKCS#11 provider library using
+"--with-pkcs11=<PREFIX>", and configure BIND with
+"--enable-native-pkcs11".
+
+To support the HTTP statistics channel, the server must be linked with
+libxml2 http://xmlsoft.org If this is installed at a nonstandard location,
+specify the prefix using --with-libxml2=/prefix.
+
+Portions of BIND that are written in Python, including dnssec-coverage,
+dnssec-checkds, and some of the system tests, require the 'argparse'
+module to be available. 'argparse' is a standard module as of Python 2.7
+and Python 3.2.
+
+On some platforms it is necessary to explicitly request large file support
+to handle files bigger than 2GB. This can be done by using
+--enable-largefile on the configure command line.
+
+Support for the "fixed" rrset-order option can be enabled or disabled by
+specifying --enable-fixed-rrset or --disable-fixed-rrset on the configure
+command line. By default, fixed rrset-order is disabled to reduce memory
+footprint.
+
+If your operating system has integrated support for IPv6, it will be used
+automatically. If you have installed KAME IPv6 separately, use --with-kame
+[=PATH] to specify its location.
+
+make install will install named and the various BIND 9 libraries. By
+default, installation is into /usr/local, but this can be changed with the
+--prefix option when running configure.
+
+You may specify the option --sysconfdir to set the directory where
+configuration files like named.conf go by default, and --localstatedir to
+set the default parent directory of run/named.pid. For backwards
+compatibility with BIND 8, --sysconfdir defaults to /etc and
+--localstatedir defaults to /var if no --prefix option is given. If there
+is a --prefix option, sysconfdir defaults to $prefix/etc and localstatedir
+defaults to $prefix/var.
+
+Automated testing
+
+A system test suite can be run with make test. The system tests require
+you to configure a set of virtual IP addresses on your system (this allows
+multiple servers to run locally and communicate with one another). These
+IP addresses can be configured by running the command bin/tests/system/
+ifconfig.sh up as root.
+
+Some tests require Perl and the Net::DNS and/or IO::Socket::INET6 modules,
+and will be skipped if these are not available. Some tests require Python
+and the 'dnspython' module and will be skipped if these are not available.
+See bin/tests/system/README for further details.
+
+Unit tests are implemented using Automated Testing Framework (ATF). To run
+them, use configure --with-atf, then run make test or make unit.
 
 Documentation
 
-	The BIND 9 Administrator Reference Manual is included with the
-	source distribution in DocBook XML and HTML format, in the
-	doc/arm directory.
+The BIND 9 Administrator Reference Manual is included with the source
+distribution, in DocBook XML, HTML and PDF format, in the doc/arm
+directory.
 
-	Some of the programs in the BIND 9 distribution have man pages
-	in their directories.  In particular, the command line
-	options of "named" are documented in /bin/named/named.8.
-	There is now also a set of man pages for the lwres library.
+Some of the programs in the BIND 9 distribution have man pages in their
+directories. In particular, the command line options of named are
+documented in bin/named/named.8.
 
-	If you are upgrading from BIND 8, please read the migration
-	notes in doc/misc/migration.  If you are upgrading from
-	BIND 4, read doc/misc/migration-4to9.
+Frequently (and not-so-frequently) asked questions and their answers can
+be found in the ISC Knowledge Base at https://kb.isc.org.
 
-	Frequently asked questions and their answers can be found in
-	FAQ.
+Additional information on various subjects can be found in other README
+files throughout the source tree.
 
-	Additional information on various subjects can be found
-	in the other README files.
+Change log
 
+A detailed list of all changes that have been made throughout the
+development BIND 9 is included in the file CHANGES, with the most recent
+changes listed first. Change notes include tags indicating the category of
+the change that was made; these categories are:
 
-Change Log
+Category       Description
+[func]         New feature
+[bug]          General bug fix
+[security]     Fix for a significant security flaw
+[experimental] Used for new features when the syntax or other aspects of
+               the design are still in flux and may change
+[port]         Portability enhancement
+[maint]        Updates to built-in data such as root server addresses and
+               keys
+[tuning]       Changes to built-in configuration defaults and constants to
+               improve performance
+[performance]  Other changes to improve server performance
+[protocol]     Updates to the DNS protocol such as new RR types
+[test]         Changes to the automatic tests, not affecting server
+               functionality
+[cleanup]      Minor corrections and refactoring
+[doc]          Documentation
+[contrib]      Changes to the contributed tools and libraries in the
+               'contrib' subdirectory
+               Used in the master development branch to reserve change
+[placeholder]  numbers for use in other branches, e.g. when fixing a bug
+               that only exists in older releases
 
-	A detailed list of all changes to BIND 9 is included in the 
-	file CHANGES, with the most recent changes listed first.
-	Change notes include tags indicating the category of the
-	change that was made; these categories are:
+In general, [func] and [experimental] tags will only appear in new-feature
+releases (i.e., those with version numbers ending in zero). Some new
+functionality may be backported to older releases on a case-by-case basis.
+All other change types may be applied to all currently-supported releases.
 
-	   [func]	  New feature
+Acknowledgments
 
-	   [bug]	  General bug fix
-
-	   [security]	  Fix for a significant security flaw
-
-	   [experimental] Used for new features when the syntax
-			  or other aspects of the design are still
-			  in flux and may change
-
-	   [port]	  Portability enhancement
-
-	   [maint]	  Updates to built-in data such as root
-			  server addresses and keys
-
-	   [tuning]	  Changes to built-in configuration defaults
-			  and constants to improve performance
-
-	   [performance]  Other changes to improve server performance
-
-	   [protocol]     Updates to the DNS protocol such as new
-			  RR types
-
-	   [test]         Changes to the automatic tests, not
-			  affecting server functionality
-
-	   [cleanup]      Minor corrections and refactoring
-
-	   [doc]	  Documentation
-
-	   [contrib]	  Changes to the contributed tools and
-			  libraries in the 'contrib' subdirectory
-
-	   [placeholder]  Used in the master development branch to
-			  reserve change numbers for use in other
-			  branches, e.g. when fixing a bug that only
-			  exists in older releases
-
-	In general, [func] and [experimental] tags will only appear
-	in new-feature releases (i.e., those with version numbers
-	ending in zero).  Some new functionality may be backported to
-	older releases on a case-by-case basis.  All other change
-	types may be applied to all currently-supported releases.
-
-
-Bug Reports and Mailing Lists
-
-	Bug reports should be sent to:
-
-		bind9-bugs@isc.org
-
-	Feature requests can be sent to:
-
-		bind-suggest@isc.org
-
-	To join or view the archives of the BIND Users mailing list,
-	visit:
-
-		https://lists.isc.org/mailman/listinfo/bind-users
-
-	If you're planning on making changes to the BIND 9 source
-	code, you may also want to join the BIND Workers mailing
-	list:
-
-		https://lists.isc.org/mailman/listinfo/bind-workers
-
-	Information on read-only Git access, coding style and developer
-	guidelines can be found at:
-
-		http://www.isc.org/git/
+  * The original development of BIND 9 was underwritten by the following
+    organizations:
 
+    Sun Microsystems, Inc.
+    Hewlett Packard
+    Compaq Computer Corporation
+    IBM
+    Process Software Corporation
+    Silicon Graphics, Inc.
+    Network Associates, Inc.
+    U.S. Defense Information Systems Agency
+    USENIX Association
+    Stichting NLnet - NLnet Foundation
+    Nominum, Inc.
 
+  * This product includes software developed by the OpenSSL Project for
+    use in the OpenSSL Toolkit. http://www.OpenSSL.org/
+  * This product includes cryptographic software written by Eric Young
+    (eay@cryptsoft.com)
+  * This product includes software written by Tim Hudson
+    (tjh@cryptsoft.com)

README.md

@@ -0,0 +1,472 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+# BIND 9
+
+### Contents
+
+1. [Introduction](#intro)
+1. [Reporting bugs and getting help](#help)
+1. [Contributing to BIND](#contrib)
+1. [BIND 9.9 features](#features)
+1. [Building BIND](#build)
+1. [macOS](#macos)
+1. [Compile-time options](#opts)
+1. [Automated testing](#testing)
+1. [Documentation](#doc)
+1. [Change log](#changes)
+1. [Acknowledgments](#ack)
+
+### <a name="intro"/> Introduction
+
+BIND (Berkeley Internet Name Domain) is a complete, highly portable
+implementation of the DNS (Domain Name System) protocol.
+
+The BIND name server, `named`, is able to serve as an authoritative name
+server, recursive resolver, DNS forwarder, or all three simultaneously.  It
+implements views for split-horizon DNS, automatic DNSSEC zone signing and
+key management, catalog zones to facilitate provisioning of zone data
+throughout a name server constellation, response policy zones (RPZ) to
+protect clients from malicious data, response rate limiting (RRL) and
+recursive query limits to reduce distributed denial of service attacks,
+and many other advanced DNS features.  BIND also includes a suite of
+administrative tools, including the `dig` and `delv` DNS lookup tools,
+`nsupdate` for dynamic DNS zone updates, `rndc` for remote name server
+administration, and more.
+
+BIND 9 is a complete re-write of the BIND architecture that was used in
+versions 4 and 8.  Internet Systems Consortium
+([https://www.isc.org](https://www.isc.org)), a 501(c)(3) public benefit
+corporation dedicated to providing software and services in support of the
+Internet infrastructure, developed BIND 9 and is responsible for its
+ongoing maintenance and improvement.  BIND is open source software
+licenced under the terms of the ISC License for all versions up to and
+including BIND 9.10, and the Mozilla Public License version 2.0 for all
+subsequent verisons.
+
+For a summary of features introduced in past major releases of BIND,
+see the file [HISTORY](HISTORY.md).
+
+For a detailed list of changes made throughout the history of BIND 9, see
+the file [CHANGES](CHANGES). See [below](#changes) for details on the
+CHANGES file format.
+
+For up-to-date release notes and errata, see
+[http://www.isc.org/software/bind9/releasenotes](http://www.isc.org/software/bind9/releasenotes)
+
+### <a name="help"/> Reporting bugs and getting help
+
+To report non-security-sensitive bugs or request new features, you may
+open an Issue in the BIND 9 project on the
+[ISC GitLab server](https://gitlab.isc.org) at
+[https://gitlab.isc.org/isc-projects/bind9](https://gitlab.isc.org/isc-projects/bind9).
+
+Please note that, unless you explicitly mark the newly created Issue as
+"confidential", it will be publicly readable.  Please do not include any
+information in bug reports that you consider to be confidential unless
+the issue has been marked as such.  In particular, if submitting the
+contents of your configuration file in a non-confidential Issue, it is
+advisable to obscure key secrets: this can be done automatically by
+using `named-checkconf -px`.
+
+If the bug you are reporting is a potential security issue, such as an
+assertion failure or other crash in `named`, please do *NOT* use GitLab to
+report it. Instead, please send mail to
+[security-officer@isc.org](mailto:security-officer@isc.org).
+
+Professional support and training for BIND are available from
+ISC at [https://www.isc.org/support](https://www.isc.org/support).
+
+To join the __BIND Users__ mailing list, or view the archives, visit
+[https://lists.isc.org/mailman/listinfo/bind-users](https://lists.isc.org/mailman/listinfo/bind-users).
+
+If you're planning on making changes to the BIND 9 source code, you
+may also want to join the __BIND Workers__ mailing list, at
+[https://lists.isc.org/mailman/listinfo/bind-workers](https://lists.isc.org/mailman/listinfo/bind-workers).
+
+### <a name="contrib"/> Contributing to BIND
+
+ISC maintains a public git repository for BIND; details can be found
+at [http://www.isc.org/git/](http://www.isc.org/git/).
+
+Information for BIND contributors can be found in the following files:
+- General information: [doc/dev/contrib.md](doc/dev/contrib.md)
+- BIND 9 code style: [doc/dev/style.md](doc/dev/style.md)
+- BIND architecture and developer guide: [doc/dev/dev.md](doc/dev/dev.md)
+
+Patches for BIND may be submitted as
+[Merge Requests](https://gitlab.isc.org/isc-projects/bind9/merge_requests)
+in the [ISC GitLab server](https://gitlab.isc.org) at
+at [https://gitlab.isc.org/isc-projects/bind9/merge_requests](https://gitlab.isc.org/isc-projects/bind9/merge_requests).
+
+By default, external contributors don't have ability to fork BIND in the
+GitLab server, but if you wish to contribute code to BIND, you may request
+permission to do so. Thereafter, you can create git branches and directly
+submit requests that they be reviewed and merged.
+
+If you prefer, you may also submit code by opening a
+[GitLab Issue](https://gitlab.isc.org/isc-projects/bind9/issues) and
+including your patch as an attachment, preferably generated by
+`git format-patch`.
+
+### <a name="features"/> BIND 9.9 features
+
+BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier
+releases.  New features include:
+
+* Inline signing, allowing automatic DNSSEC signing of master zones without
+  modification of the zonefile, or "bump in the wire" signing in slaves.
+* NXDOMAIN redirection.
+* New `rndc flushtree` command clears all data under a given name from the
+  DNS cache.
+* New `rndc sync` command dumps pending changes in a dynamic zone to disk
+  without a freeze/thaw cycle.
+* New `rndc signing` command displays or clears signing status records in
+  `auto-dnssec` zones.
+* NSEC3 parameters for `auto-dnssec` zones can now be set prior to signing,
+  eliminating the need to initially sign with NSEC.
+* Startup time improvements on large authoritative servers.
+* Slave zones are now saved in raw format by default.
+* Several improvements to response policy zones (RPZ).
+* Improved hardware scalability by using multiple threads to listen for
+  queries and using finer-grained client locking
+* The `also-notify` option now takes the same syntax as `masters`, so it
+  can used named masterlists and TSIG keys.
+* `dnssec-signzone -D` writes an output file containing only DNSSEC data,
+  which can be included by the primary zone file.
+* `dnssec-signzone -R` forces removal of signatures that are not expired
+  but were created by a key which no longer exists.
+* `dnssec-signzone -X` allows a separate expiration date to be specified
+  for DNSKEY signatures from other signatures.
+* New `-L` option to `dnssec-keygen`, `dnssec-settime`, and
+  `dnssec-keyfromlabel` sets the default TTL for the key.
+* `dnssec-dsfromkey` now supports reading from standard input, to make it
+  easier to convert DNSKEY to DS.
+* RFC 1918 reverse zones have been added to the empty-zones table per RFC
+  6303.
+* Dynamic updates can now optionally set the zone's SOA serial number to
+  the current UNIX time.
+* DLZ modules can now retrieve the source IP address of the querying
+  client.
+* `request-ixfr` option can now be set at the per-zone level.
+* `dig +rrcomments` turns on comments about DNSKEY records, indicating
+  their key ID, algorithm and function
+* Simplified nsupdate syntax and added readline support
+
+#### BIND 9.9.1
+
+BIND 9.9.1 is a maintenance release.
+
+#### BIND 9.9.2
+
+BIND 9.9.2 is a maintenance release, and addresses the security flaw
+described in CVE-2012-4244.
+
+#### BIND 9.9.3
+
+BIND 9.9.3 is a maintenance release and addresses the security
+flaws described in CVE-2012-5688, CVE-2012-5689 and CVE-2013-2266.
+
+#### BIND 9.9.4
+
+BIND 9.9.4 is a maintenance release, and addresses the security
+flaws described in CVE-2013-3919 and CVE-2013-4854. It also
+introduces DNS Response Rate Limiting (DNS RRL) as a
+compile-time option. To use this feature, configure with
+the `--enable-rrl` option.
+
+#### BIND 9.9.5
+
+BIND 9.9.5 is a maintenance release, and addresses the security
+flaws described in CVE-2013-6320 and CVE-2014-0591.  It also
+includes the following functional enhancements:
+
+* `named` now preserves the capitalization of names when responding to
+  queries.
+* new `dnssec-importkey` command allows the use of offline DNSSEC keys with
+  automatic DNSKEY management.
+* When re-signing a zone, the new `dnssec-signzone -Q` option drops
+  signatures from keys that are still published but are no longer active.
+* `named-checkconf -px` will print the contents of configuration files with
+  the shared secrets obscured, making it easier to share configuration
+  (e.g. when submitting a bug report) without revealing private
+  information.
+
+#### BIND 9.9.6
+
+BIND 9.9.6 is a maintenance release, and also includes the following new
+functionality.
+
+- The former behavior with respect to capitalization of names (prior to
+  BIND 9.9.5) can be restored for specific clients via the new
+  `no-case-compress` ACL.
+
+#### BIND 9.9.7
+
+BIND 9.9.7 is a maintenance release, and addresses the security flaws
+described in CVE-2014-8500 and CVE-2015-1349.
+
+#### BIND 9.9.8
+
+BIND 9.9.8 is a maintenance release, and addresses the security flaws
+described in CVE-2015-4620, CVE-2015-5477, CVE-2015-5722, and
+CVE-2015-5986.
+
+It also makes the following new features available via a compile-time
+option:
+
+* New "fetchlimit" quotas are now available for the use of
+  recursive resolvers that are are under high query load for
+  domains whose authoritative servers are nonresponsive or are
+  experiencing a denial of service attack.
+    * `fetches-per-server` limits the number of simultaneous queries that
+      can be sent to any single authoritative server.  The configured value
+      is a starting point; it is automatically adjusted downward if the
+      server is partially or completely non-responsive. The algorithm used
+      to adjust the quota can be configured via the `fetch-quota-params`
+      option.
+    * `fetches-per-zone` limits the number of simultaneous queries that can
+      be sent for names within a single domain.  (Note: Unlike
+      `fetches-per-server`, this value is not self-tuning.)
+    * New stats counters have been added to count queries spilled due to
+      these quotas.
+  NOTE: These options are NOT built in by default; use
+  `configure --enable-fetchlimit` to enable them.
+
+#### BIND 9.9.9
+
+BIND 9.9.9 is a maintenance release and addresses bugs found
+in BIND 9.9.8 and earlier, as well as the security flaws
+described in CVE-2015-8000, CVE-2015-8461, CVE-2015-8704,
+CVE-2016-1285, CVE-2016-1286, CVE-2016-2775 and CVE-2016-2776.
+
+#### BIND 9.9.10
+	
+BIND 9.9.10 is a maintenance release and addresses the security
+flaws disclosed in CVE-2016-2775, CVE-2016-2776, CVE-2016-6170,
+CVE-2016-8864, CVE-2016-9131, CVE-2016-9147, CVE-2016-9444,
+CVE-2017-3135, CVE-2017-3136, CVE-2017-3137, and CVE-2017-3138.
+
+#### BIND 9.9.11
+
+BIND 9.9.11 is a maintenance release, and addresses the security flaws
+disclosed in CVE-2017-3140, CVE-2017-3141, CVE-2017-3142 and CVE-2017-3143.
+
+#### BIND 9.9.12
+
+BIND 9.9.12 is a maintenance release, and addresses the security flaw
+disclosed in CVE-2017-3145.
+
+#### BIND 9.9.13
+
+BIND 9.9.13 is a maintenance release, and addresses the security flaw
+disclosed in CVE-2018-5738.
+
+### <a name="build"/> Building BIND
+
+BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX
+support, and a 64-bit integer type. Successful builds have been observed on
+many versions of Linux and UNIX, including RedHat, Fedora, Debian, Ubuntu,
+SuSE, Slackware, FreeBSD, NetBSD, OpenBSD, Mac OS X, Solaris, HP-UX, AIX,
+SCO OpenServer, and OpenWRT. 
+
+BIND is also available for Windows XP, 2003, 2008, and higher.  See
+`win32utils/readme1st.txt` for details on building for Windows systems.
+
+To build on a UNIX or Linux system, use:
+
+		$ ./configure
+		$ make
+
+If you're planning on making changes to the BIND 9 source, you should run
+`make depend`.  If you're using Emacs, you might find `make tags` helpful.
+
+Several environment variables that can be set before running `configure` will
+affect compilation:
+
+|Variable|Description |
+|--------------------|-----------------------------------------------|
+|`CC`|The C compiler to use.  `configure` tries to figure out the right one for supported systems.|
+|`CFLAGS`|C compiler flags.  Defaults to include -g and/or -O2 as supported by the compiler.  Please include '-g' if you need to set `CFLAGS`. |
+|`STD_CINCLUDES`|System header file directories.  Can be used to specify where add-on thread or IPv6 support is, for example.  Defaults to empty string.|
+|`STD_CDEFINES`|Any additional preprocessor symbols you want defined.  Defaults to empty string. For a list of possible settings, see the file [OPTIONS](OPTIONS.md).|
+|`LDFLAGS`|Linker flags. Defaults to empty string.|
+|`BUILD_CC`|Needed when cross-compiling: the native C compiler to use when building for the target system.|
+|`BUILD_CFLAGS`|Optional, used for cross-compiling|
+|`BUILD_CPPFLAGS`||
+|`BUILD_LDFLAGS`||
+|`BUILD_LIBS`||
+
+#### <a name="macos"> macOS
+
+Building on macOS assumes that the "Command Tools for Xcode" is installed.
+This can be downloaded from https://developer.apple.com/download/more/
+or if you have Xcode already installed you can run "xcode-select --install".
+This will add /usr/include to the system and install the compiler and other
+tools so that they can be easily found.
+
+
+#### <a name="opts"/> Compile-time options
+
+To see a full list of configuration options, run `configure --help`.
+
+On most platforms, BIND 9 is built with multithreading support, allowing it
+to take advantage of multiple CPUs.  You can configure this by specifying
+`--enable-threads` or `--disable-threads` on the `configure` command line.
+The default is to enable threads, except on some older operating systems on
+which threads are known to have had problems in the past.  (Note: Prior to
+BIND 9.10, the default was to disable threads on Linux systems; this has
+now been reversed.  On Linux systems, the threaded build is known to change
+BIND's behavior with respect to file permissions; it may be necessary to
+specify a user with the -u option when running `named`.)
+
+To build shared libraries, specify `--with-libtool` on the `configure`
+command line.
+
+Certain compiled-in constants and default settings can be increased to
+values better suited to large servers with abundant memory resources (e.g,
+64-bit servers with 12G or more of memory) by specifying
+`--with-tuning=large` on the `configure` command line. This can improve
+performance on big servers, but will consume more memory and may degrade
+performance on smaller systems.
+
+For the server to support DNSSEC, you need to build it with crypto support.
+To use OpenSSL, you should have OpenSSL 1.0.2e or newer installed.  If the
+OpenSSL library is installed in a nonstandard location, specify the prefix
+using "--with-openssl=&lt;PREFIX&gt;" on the configure command line. To use a
+PKCS#11 hardware service module for cryptographic operations, specify the
+path to the PKCS#11 provider library using "--with-pkcs11=&lt;PREFIX&gt;", and
+configure BIND with "--enable-native-pkcs11".
+
+To support the HTTP statistics channel, the server must be linked with
+libxml2 [http://xmlsoft.org](http://xmlsoft.org) If this is installed at a
+nonstandard location, specify the prefix using `--with-libxml2=/prefix`.
+
+Portions of BIND that are written in Python, including
+`dnssec-coverage`, `dnssec-checkds`, and some of the
+system tests, require the 'argparse' module to be available.
+'argparse' is a standard module as of Python 2.7 and Python 3.2.
+
+On some platforms it is necessary to explicitly request large file support
+to handle files bigger than 2GB.  This can be done by using
+`--enable-largefile` on the `configure` command line.
+
+Support for the "fixed" rrset-order option can be enabled or disabled by
+specifying `--enable-fixed-rrset` or `--disable-fixed-rrset` on the
+configure command line.  By default, fixed rrset-order is disabled to
+reduce memory footprint.
+
+If your operating system has integrated support for IPv6, it will be used
+automatically.  If you have installed KAME IPv6 separately, use
+`--with-kame[=PATH]` to specify its location.
+
+`make install` will install `named` and the various BIND 9 libraries.  By
+default, installation is into /usr/local, but this can be changed with the
+`--prefix` option when running `configure`.
+
+You may specify the option `--sysconfdir` to set the directory where
+configuration files like `named.conf` go by default, and `--localstatedir`
+to set the default parent directory of `run/named.pid`.   For backwards
+compatibility with BIND 8, `--sysconfdir` defaults to `/etc` and
+`--localstatedir` defaults to `/var` if no `--prefix` option is given.  If
+there is a `--prefix` option, sysconfdir defaults to `$prefix/etc` and
+localstatedir defaults to `$prefix/var`.
+
+### <a name="testing"/> Automated testing
+
+A system test suite can be run with `make test`.  The system tests require
+you to configure a set of virtual IP addresses on your system (this allows
+multiple servers to run locally and communicate with one another).  These
+IP addresses can be configured by running the command
+`bin/tests/system/ifconfig.sh up` as root.
+
+Some tests require Perl and the Net::DNS and/or IO::Socket::INET6 modules,
+and will be skipped if these are not available. Some tests require Python
+and the 'dnspython' module and will be skipped if these are not available.
+See bin/tests/system/README for further details.
+
+Unit tests are implemented using Automated Testing Framework (ATF).
+To run them, use `configure --with-atf`, then run `make test` or
+`make unit`.
+
+### <a name="doc"/> Documentation
+
+The *BIND 9 Administrator Reference Manual* is included with the source
+distribution, in DocBook XML, HTML and PDF format, in the `doc/arm`
+directory.
+
+Some of the programs in the BIND 9 distribution have man pages in their
+directories.  In particular, the command line options of `named` are
+documented in `bin/named/named.8`.
+
+Frequently (and not-so-frequently) asked questions and their answers
+can be found in the ISC Knowledge Base at
+[https://kb.isc.org](https://kb.isc.org).
+
+Additional information on various subjects can be found in other
+`README` files throughout the source tree.
+
+### <a name="changes"/> Change log
+
+A detailed list of all changes that have been made throughout the
+development BIND 9 is included in the file CHANGES, with the most recent
+changes listed first.  Change notes include tags indicating the category of
+the change that was made; these categories are:
+
+|Category	|Description	        			|
+|--------------	|-----------------------------------------------|
+| [func] | New feature |
+| [bug] | General bug fix |
+| [security] | Fix for a significant security flaw |
+| [experimental] | Used for new features when the syntax or other aspects of the design are still in flux and may change |
+| [port] | Portability enhancement |
+| [maint] | Updates to built-in data such as root server addresses and keys |
+| [tuning] | Changes to built-in configuration defaults and constants to improve performance |
+| [performance] | Other changes to improve server performance |
+| [protocol] | Updates to the DNS protocol such as new RR types |
+| [test] | Changes to the automatic tests, not affecting server functionality |
+| [cleanup] | Minor corrections and refactoring |
+| [doc] | Documentation |
+| [contrib] | Changes to the contributed tools and libraries in the 'contrib' subdirectory |
+| [placeholder] | Used in the master development branch to reserve change numbers for use in other branches, e.g. when fixing a bug that only exists in older releases |
+
+In general, [func] and [experimental] tags will only appear in new-feature
+releases (i.e., those with version numbers ending in zero).  Some new
+functionality may be backported to older releases on a case-by-case basis.
+All other change types may be applied to all currently-supported releases.
+
+### <a name="ack"/> Acknowledgments
+
+* The original development of BIND 9 was underwritten by the
+  following organizations:
+
+		Sun Microsystems, Inc.
+		Hewlett Packard
+		Compaq Computer Corporation
+		IBM
+		Process Software Corporation
+		Silicon Graphics, Inc.
+		Network Associates, Inc.
+		U.S. Defense Information Systems Agency
+		USENIX Association
+		Stichting NLnet - NLnet Foundation
+		Nominum, Inc.
+
+* This product includes software developed by the OpenSSL Project for use
+  in the OpenSSL Toolkit.
+  [http://www.OpenSSL.org/](http://www.OpenSSL.org/)
+* This product includes cryptographic software written by Eric Young
+  (eay@cryptsoft.com)
+* This product includes software written by Tim Hudson (tjh@cryptsoft.com)

acconfig.h

@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2008, 2012, 2014, 2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,8 +14,6 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: acconfig.h,v 1.53 2008/12/01 23:47:44 tbox Exp $ */
-
 /*! \file */
 
 /***

bin/Makefile.in

@@ -1,5 +1,4 @@
-# Copyright (C) 2004, 2007, 2009, 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2001  Internet Software Consortium.
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,14 +12,12 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.29 2009/10/05 12:07:08 fdupont Exp $
-
 srcdir =	@srcdir@
 VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
 
 SUBDIRS =	named rndc dig dnssec tools tests nsupdate \
-		check confgen @PYTHON_TOOLS@ @PKCS11_TOOLS@
+		check confgen @PYTHON_TOOLS@ @PKCS11_TOOLS@ tests
 TARGETS =
 
 @BIND9_MAKE_RULES@

bin/check/Makefile.in

@@ -1,5 +1,4 @@
-# Copyright (C) 2004-2007, 2009, 2012, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000-2003  Internet Software Consortium.
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above

bin/check/check-tool.c

@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2012, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -211,8 +210,9 @@ checkns(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner,
 	/*
 	 * Turn off search.
 	 */
-	if (dns_name_countlabels(name) > 1U)
-		strcat(namebuf, ".");
+	if (dns_name_countlabels(name) > 1U) {
+		strlcat(namebuf, ".", sizeof(namebuf));
+	}
 	dns_name_format(owner, ownerbuf, sizeof(ownerbuf));
 
 	result = getaddrinfo(namebuf, NULL, &hints, &ai);
@@ -400,8 +400,9 @@ checkmx(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner) {
 	/*
 	 * Turn off search.
 	 */
-	if (dns_name_countlabels(name) > 1U)
-		strcat(namebuf, ".");
+	if (dns_name_countlabels(name) > 1U) {
+		strlcat(namebuf, ".", sizeof(namebuf));
+	}
 	dns_name_format(owner, ownerbuf, sizeof(ownerbuf));
 
 	result = getaddrinfo(namebuf, NULL, &hints, &ai);
@@ -485,8 +486,9 @@ checksrv(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner) {
 	/*
 	 * Turn off search.
 	 */
-	if (dns_name_countlabels(name) > 1U)
-		strcat(namebuf, ".");
+	if (dns_name_countlabels(name) > 1U) {
+		strlcat(namebuf, ".", sizeof(namebuf));
+	}
 	dns_name_format(owner, ownerbuf, sizeof(ownerbuf));
 
 	result = getaddrinfo(namebuf, NULL, &hints, &ai);

bin/check/check-tool.h

@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2010, 2011  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above

bin/check/named-checkconf.8

@@ -1,5 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007, 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000-2002 Internet Software Consortium.
+.\" Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -140,7 +139,5 @@ BIND 9 Administrator Reference Manual\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2004, 2005, 2007, 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000-2002 Internet Software Consortium.
+Copyright \(co 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/check/named-checkconf.c

@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009-2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above

bin/check/named-checkconf.docbook

@@ -1,8 +1,7 @@
 <!DOCTYPE book [
 <!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004, 2005, 2007, 2009, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2002  Internet Software Consortium.
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -35,6 +34,9 @@
 
   <docinfo>
     <copyright>
+      <year>2000</year>
+      <year>2001</year>
+      <year>2002</year>
       <year>2004</year>
       <year>2005</year>
       <year>2007</year>
@@ -42,14 +44,9 @@
       <year>2014</year>
       <year>2015</year>
       <year>2016</year>
+      <year>2018</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <year>2002</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
   </docinfo>
 
   <refnamediv>

bin/check/named-checkconf.html

@@ -1,7 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2004, 2005, 2007, 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2002 Internet Software Consortium.
+ - Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above

bin/check/named-checkzone.8

@@ -1,5 +1,4 @@
-.\" Copyright (C) 2004-2007, 2009-2011, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000-2002 Internet Software Consortium.
+.\" Copyright (C) 2000-2002, 2004-2007, 2009-2011, 2013-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -318,7 +317,5 @@ BIND 9 Administrator Reference Manual\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2004-2007, 2009-2011, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000-2002 Internet Software Consortium.
+Copyright \(co 2000-2002, 2004-2007, 2009-2011, 2013-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/check/named-checkzone.c

@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2013, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above

bin/check/named-checkzone.docbook

@@ -1,6 +1,5 @@
 <!--
- - Copyright (C) 2004-2007, 2009-2011, 2013-2016  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2002  Internet Software Consortium.
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -33,6 +32,9 @@
 
   <docinfo>
     <copyright>
+      <year>2000</year>
+      <year>2001</year>
+      <year>2002</year>
       <year>2004</year>
       <year>2005</year>
       <year>2006</year>
@@ -44,14 +46,9 @@
       <year>2014</year>
       <year>2015</year>
       <year>2016</year>
+      <year>2018</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <year>2002</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
   </docinfo>
 
   <refnamediv>

bin/check/named-checkzone.html

@@ -1,7 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2004-2007, 2009-2011, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2002 Internet Software Consortium.
+ - Copyright (C) 2000-2002, 2004-2007, 2009-2011, 2013-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above

bin/check/win32/checkconf.vcxproj.in

@@ -63,6 +63,7 @@
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <BrowseInformation>true</BrowseInformation>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
     <Link>
       <SubSystem>Console</SubSystem>
@@ -89,6 +90,7 @@
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
     <Link>
       <SubSystem>Console</SubSystem>
@@ -110,4 +112,4 @@
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">
   </ImportGroup>
-</Project>
+</Project>

bin/check/win32/checktool.vcxproj.in

@@ -66,6 +66,7 @@
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <BrowseInformation>true</BrowseInformation>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
     <Lib>
       <OutputFile>.\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
@@ -88,6 +89,7 @@
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
     <Lib>
       <OutputFile>.\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
@@ -96,4 +98,4 @@
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">
   </ImportGroup>
-</Project>
+</Project>

bin/check/win32/checkzone.vcxproj.in

@@ -63,6 +63,7 @@
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <BrowseInformation>true</BrowseInformation>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
     <Link>
       <SubSystem>Console</SubSystem>
@@ -95,6 +96,7 @@ copy /Y named-checkzone.ilk named-compilezone.ilk
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
     <Link>
       <SubSystem>Console</SubSystem>
@@ -121,4 +123,4 @@ copy /Y named-checkzone.exe named-compilezone.exe
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">
   </ImportGroup>
-</Project>
+</Project>

bin/confgen/Makefile.in

@@ -1,4 +1,4 @@
-# Copyright (C) 2009, 2012, 2015, 2016  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -18,6 +18,10 @@ srcdir =	@srcdir@
 VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
 
+# Attempt to disable parallel processing.
+.NOTPARALLEL:
+.NO_PARALLEL:
+
 VERSION=@BIND9_VERSION@
 
 @BIND9_MAKE_INCLUDES@
@@ -74,11 +78,11 @@ rndc-confgen.@O@: rndc-confgen.c
 ddns-confgen.@O@: ddns-confgen.c
 	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c ${srcdir}/ddns-confgen.c
 
-rndc-confgen@EXEEXT@: rndc-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS}
+rndc-confgen@EXEEXT@: rndc-confgen.@O@ util.@O@ keygen.@O@ ${CONFDEPLIBS}
 	export BASEOBJS="rndc-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS}"; \
 	${FINALBUILDCMD}
 
-ddns-confgen@EXEEXT@: ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS}
+ddns-confgen@EXEEXT@: ddns-confgen.@O@ util.@O@ keygen.@O@ ${CONFDEPLIBS}
 	export BASEOBJS="ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS}"; \
 	${FINALBUILDCMD}
 

bin/confgen/ddns-confgen.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -155,5 +155,5 @@ BIND 9 Administrator Reference Manual\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/confgen/ddns-confgen.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009, 2011, 2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above

bin/confgen/ddns-confgen.docbook

@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2009, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -41,6 +41,7 @@
       <year>2014</year>
       <year>2015</year>
       <year>2016</year>
+      <year>2018</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>

bin/confgen/ddns-confgen.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above

bin/confgen/include/confgen/os.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above

bin/confgen/keygen.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009, 2012, 2013, 2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above

bin/confgen/keygen.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above

bin/confgen/rndc-confgen.8

@@ -1,5 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007, 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2001, 2003 Internet Software Consortium.
+.\" Copyright (C) 2001, 2003-2005, 2007, 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -221,7 +220,5 @@ BIND 9 Administrator Reference Manual\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2004, 2005, 2007, 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2001, 2003 Internet Software Consortium.
+Copyright \(co 2001, 2003-2005, 2007, 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/confgen/rndc-confgen.c

@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007-2009, 2011, 2013, 2014  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001, 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above

bin/confgen/rndc-confgen.docbook

@@ -1,6 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005, 2007, 2009, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2001, 2003  Internet Software Consortium.
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -38,6 +37,8 @@
 
   <docinfo>
     <copyright>
+      <year>2001</year>
+      <year>2003</year>
       <year>2004</year>
       <year>2005</year>
       <year>2007</year>
@@ -45,13 +46,9 @@
       <year>2014</year>
       <year>2015</year>
       <year>2016</year>
+      <year>2018</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
-    <copyright>
-      <year>2001</year>
-      <year>2003</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
   </docinfo>
 
   <refsynopsisdiv>

bin/confgen/rndc-confgen.html

@@ -1,7 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2004, 2005, 2007, 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2001, 2003 Internet Software Consortium.
+ - Copyright (C) 2001, 2003-2005, 2007, 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above

bin/confgen/unix/Makefile.in

@@ -1,4 +1,4 @@
-# Copyright (C) 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above

bin/confgen/unix/os.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above

bin/confgen/util.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009, 2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above

bin/confgen/util.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above

bin/confgen/win32/confgentool.vcxproj.in

@@ -61,6 +61,7 @@
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <BrowseInformation>true</BrowseInformation>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
     <Link>
       <SubSystem>Console</SubSystem>
@@ -84,6 +85,7 @@
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
     <Link>
       <SubSystem>Console</SubSystem>
@@ -106,4 +108,4 @@
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">
   </ImportGroup>
-</Project>
+</Project>

bin/confgen/win32/ddnsconfgen.vcxproj.in

@@ -63,6 +63,7 @@
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <BrowseInformation>true</BrowseInformation>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\isccc\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
     <Link>
       <SubSystem>Console</SubSystem>
@@ -89,6 +90,7 @@
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\isccc\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
     <Link>
       <SubSystem>Console</SubSystem>

bin/confgen/win32/os.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above

bin/confgen/win32/rndcconfgen.vcxproj.in

@@ -63,6 +63,7 @@
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <BrowseInformation>true</BrowseInformation>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\isccc\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
     <Link>
       <SubSystem>Console</SubSystem>
@@ -89,6 +90,7 @@
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\isccc\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
     <Link>
       <SubSystem>Console</SubSystem>
@@ -107,4 +109,4 @@
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">
   </ImportGroup>
-</Project>
+</Project>

bin/dig/Makefile.in

@@ -1,5 +1,4 @@
-# Copyright (C) 2004, 2005, 2007, 2009, 2012, 2013, 2015, 2016  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000-2002  Internet Software Consortium.
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -25,8 +24,9 @@ VERSION=@BIND9_VERSION@
 
 READLINE_LIB = @READLINE_LIB@
 
-CINCLUDES =	-I${srcdir}/include ${DNS_INCLUDES} ${BIND9_INCLUDES} \
-		${ISC_INCLUDES} ${LWRES_INCLUDES} ${ISCCFG_INCLUDES}
+CINCLUDES =	-I${srcdir}/include ${DNS_INCLUDES} \
+		${BIND9_INCLUDES} ${ISC_INCLUDES} \
+		${LWRES_INCLUDES} ${ISCCFG_INCLUDES}
 
 CDEFINES =	-DVERSION=\"${VERSION}\"
 CWARNINGS =

bin/dig/dig.1

@@ -1,5 +1,4 @@
-.\" Copyright (C) 2004-2011, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000-2003 Internet Software Consortium.
+.\" Copyright (C) 2000-2011, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -48,7 +47,7 @@
 dig \- DNS lookup utility
 .SH "SYNOPSIS"
 .HP \w'\fBdig\fR\ 'u
-\fBdig\fR [@server] [\fB\-b\ \fR\fB\fIaddress\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIfilename\fR\fR] [\fB\-k\ \fR\fB\fIfilename\fR\fR] [\fB\-m\fR] [\fB\-p\ \fR\fB\fIport#\fR\fR] [\fB\-q\ \fR\fB\fIname\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\fR] [\fB\-x\ \fR\fB\fIaddr\fR\fR] [\fB\-y\ \fR\fB\fI[hmac:]\fR\fIname:key\fR\fR] [\fB\-4\fR] [\fB\-6\fR] [name] [type] [class] [queryopt...]
+\fBdig\fR [@server] [\fB\-b\ \fR\fB\fIaddress\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIfilename\fR\fR] [\fB\-k\ \fR\fB\fIfilename\fR\fR] [\fB\-m\fR] [\fB\-p\ \fR\fB\fIport#\fR\fR] [\fB\-q\ \fR\fB\fIname\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\fR] [\fB\-x\ \fR\fB\fIaddr\fR\fR] [\fB\-y\ \fR\fB\fI[hmac:]\fR\fIname:key\fR\fR] [[\fB\-4\fR] | [\fB\-6\fR]] [name] [type] [class] [queryopt...]
 .HP \w'\fBdig\fR\ 'u
 \fBdig\fR [\fB\-h\fR]
 .HP \w'\fBdig\fR\ 'u
@@ -56,7 +55,7 @@ dig \- DNS lookup utility
 .SH "DESCRIPTION"
 .PP
 \fBdig\fR
-(domain information groper) is a flexible tool for interrogating DNS name servers\&. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried\&. Most DNS administrators use
+is a flexible tool for interrogating DNS name servers\&. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried\&. Most DNS administrators use
 \fBdig\fR
 to troubleshoot DNS problems because of its flexibility, ease of use and clarity of output\&. Other lookup tools tend to have less functionality than
 \fBdig\fR\&.
@@ -185,7 +184,7 @@ using the command\-line interface\&.
 .PP
 \-i
 .RS 4
-Do reverse IPv6 lookups using the obsolete RFC1886 IP6\&.INT domain, which is no longer in use\&. Obsolete bit string label queries (RFC2874) are not attempted\&.
+Do reverse IPv6 lookups using the obsolete RFC 1886 IP6\&.INT domain, which is no longer in use\&. Obsolete bit string label queries (RFC 2874) are not attempted\&.
 .RE
 .PP
 \-k \fIkeyfile\fR
@@ -219,13 +218,15 @@ from other arguments\&.
 .PP
 \-t \fItype\fR
 .RS 4
-The resource record type to query\&. It can be any valid query type which is supported in BIND 9\&. The default query type is "A", unless the
+The resource record type to query\&. It can be any valid query type\&. If it is a resource record type supported in BIND 9, it can be given by the type mnemonic (such as "NS" or "AAAA")\&. The default query type is "A", unless the
 \fB\-x\fR
 option is supplied to indicate a reverse lookup\&. A zone transfer can be requested by specifying a type of AXFR\&. When an incremental zone transfer (IXFR) is required, set the
 \fItype\fR
 to
 ixfr=N\&. The incremental zone transfer will contain the changes made to the zone since the serial number in the zone\*(Aqs SOA record was
 \fIN\fR\&.
+.sp
+All resource record types can be expressed as "TYPEnn", where "nn" is the number of the type\&. If the resource record type is not supported in BIND 9, the result will be displayed as described in RFC 3597\&.
 .RE
 .PP
 \-v
@@ -680,7 +681,7 @@ ${HOME}/\&.digrc
 \fBhost\fR(1),
 \fBnamed\fR(8),
 \fBdnssec-keygen\fR(8),
-RFC1035\&.
+RFC 1035\&.
 .SH "BUGS"
 .PP
 There are probably too many query options\&.
@@ -689,7 +690,5 @@ There are probably too many query options\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2004-2011, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000-2003 Internet Software Consortium.
+Copyright \(co 2000-2011, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dig/dig.c

@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,8 +14,6 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dig.c,v 1.245 2011/12/07 17:23:28 each Exp $ */
-
 /*! \file */
 
 #include <config.h>
@@ -27,6 +24,7 @@
 #include <isc/app.h>
 #include <isc/netaddr.h>
 #include <isc/parseint.h>
+#include <isc/platform.h>
 #include <isc/print.h>
 #include <isc/string.h>
 #include <isc/util.h>
@@ -55,6 +53,16 @@
 
 #define DIG_MAX_ADDRESSES 20
 
+#ifndef DNS_NAME_INITABSOLUTE
+#define DNS_NAME_INITABSOLUTE(A,B) { \
+	DNS_NAME_MAGIC, \
+	A, sizeof(A), sizeof(B), \
+	DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE, \
+	B, NULL, { (void *)-1, (void *)-1}, \
+	{NULL, NULL} \
+}
+#endif
+
 dig_lookup_t *default_lookup = NULL;
 
 static char *batchname = NULL;
@@ -248,12 +256,16 @@ help(void) {
 /*%
  * Callback from dighost.c to print the received message.
  */
-void
-received(int bytes, isc_sockaddr_t *from, dig_query_t *query) {
+static void
+received(unsigned int bytes, isc_sockaddr_t *from, dig_query_t *query) {
 	isc_uint64_t diff;
 	time_t tnow;
 	struct tm tmnow;
+#ifdef WIN32
+	wchar_t time_str[100];
+#else
 	char time_str[100];
+#endif
 	char fromtext[ISC_SOCKADDR_FORMATSIZE];
 
 	isc_sockaddr_format(from, fromtext, sizeof(fromtext));
@@ -263,10 +275,25 @@ received(int bytes, isc_sockaddr_t *from, dig_query_t *query) {
 		printf(";; Query time: %ld msec\n", (long int)diff/1000);
 		printf(";; SERVER: %s(%s)\n", fromtext, query->servname);
 		time(&tnow);
+#if defined(ISC_PLATFORM_USETHREADS) && !defined(WIN32)
+		(void)localtime_r(&tnow, &tmnow);
+#else
 		tmnow  = *localtime(&tnow);
+#endif
+
+#ifdef WIN32
+		/*
+		 * On Windows, time zone name ("%Z") may be a localized
+		 * wide-character string, which strftime() handles incorrectly.
+		 */
+		if (wcsftime(time_str, sizeof(time_str)/sizeof(time_str[0]),
+			     L"%a %b %d %H:%M:%S %Z %Y", &tmnow) > 0U)
+			printf(";; WHEN: %ls\n", time_str);
+#else
 		if (strftime(time_str, sizeof(time_str),
 			     "%a %b %d %H:%M:%S %Z %Y", &tmnow) > 0U)
 			printf(";; WHEN: %s\n", time_str);
+#endif
 		if (query->lookup->doing_xfr) {
 			printf(";; XFR size: %u records (messages %u, "
 			       "bytes %" ISC_PRINT_QUADFORMAT "u)\n",
@@ -275,12 +302,12 @@ received(int bytes, isc_sockaddr_t *from, dig_query_t *query) {
 		} else {
 			printf(";; MSG SIZE  rcvd: %u\n", bytes);
 		}
-		if (key != NULL) {
+		if (tsigkey != NULL) {
 			if (!validated)
 				puts(";; WARNING -- Some TSIG could not "
 				     "be validated");
 		}
-		if ((key == NULL) && (keysecret[0] != 0)) {
+		if ((tsigkey == NULL) && (keysecret[0] != 0)) {
 			puts(";; WARNING -- TSIG key was not used.");
 		}
 		puts("");
@@ -300,7 +327,7 @@ received(int bytes, isc_sockaddr_t *from, dig_query_t *query) {
  * Not used in dig.
  * XXX print_trying
  */
-void
+static void
 trying(char *frm, dig_lookup_t *lookup) {
 	UNUSED(frm);
 	UNUSED(lookup);
@@ -313,7 +340,7 @@ static isc_result_t
 say_message(dns_rdata_t *rdata, dig_query_t *query, isc_buffer_t *buf) {
 	isc_result_t result;
 	isc_uint64_t diff;
-	char store[sizeof("12345678901234567890")];
+	char store[sizeof(" in 18446744073709551616 us.")];
 	unsigned int styleflags = 0;
 
 	if (query->lookup->trace || query->lookup->ns_search_only) {
@@ -332,10 +359,11 @@ say_message(dns_rdata_t *rdata, dig_query_t *query, isc_buffer_t *buf) {
 		return (result);
 	check_result(result, "dns_rdata_totext");
 	if (query->lookup->identify) {
+
 		diff = isc_time_microdiff(&query->time_recv, &query->time_sent);
 		ADD_STRING(buf, " from server ");
 		ADD_STRING(buf, query->servname);
-		snprintf(store, 19, " in %d ms.", (int)diff/1000);
+		snprintf(store, sizeof(store), " in %" ISC_PLATFORM_QUADFORMAT "u ms.", diff / 1000);
 		ADD_STRING(buf, store);
 	}
 	ADD_STRING(buf, "\n");
@@ -393,7 +421,7 @@ short_answer(dns_message_t *msg, dns_messagetextflag_t flags,
 	return (ISC_R_SUCCESS);
 }
 #ifdef DIG_SIGCHASE
-isc_result_t
+static isc_result_t
 printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset,
 	      isc_buffer_t *target)
 {
@@ -448,10 +476,30 @@ printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset,
 }
 #endif
 
+static isc_boolean_t
+isdotlocal(dns_message_t *msg) {
+	isc_result_t result;
+	static unsigned char local_ndata[] = { "\005local\0" };
+	static unsigned char local_offsets[] = { 0, 6 };
+	static dns_name_t local =
+		DNS_NAME_INITABSOLUTE(local_ndata, local_offsets);
+
+	for (result = dns_message_firstname(msg, DNS_SECTION_QUESTION);
+	     result == ISC_R_SUCCESS;
+	     result = dns_message_nextname(msg, DNS_SECTION_QUESTION))
+	{
+		dns_name_t *name = NULL;
+		dns_message_currentname(msg, DNS_SECTION_QUESTION, &name);
+		if (dns_name_issubdomain(name, &local))
+			return (ISC_TRUE);
+	}
+	return (ISC_FALSE);
+}
+
 /*
  * Callback from dighost.c to print the reply from a server
  */
-isc_result_t
+static isc_result_t
 printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 	isc_result_t result;
 	dns_messagetextflag_t flags;
@@ -527,6 +575,12 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 			printf(";; Got answer:\n");
 
 		if (headers) {
+			if (isdotlocal(msg)) {
+				printf(";; WARNING: .local is reserved for "
+				       "Multicast DNS\n;; You are currently "
+				       "testing what happens when an mDNS "
+				       "query is leaked to DNS\n");
+			}
 			printf(";; ->>HEADER<<- opcode: %s, status: %s, "
 			       "id: %u\n",
 			       opcodetext[msg->opcode],
@@ -682,33 +736,27 @@ cleanup:
 static void
 printgreeting(int argc, char **argv, dig_lookup_t *lookup) {
 	int i;
-	size_t remaining;
 	static isc_boolean_t first = ISC_TRUE;
 	char append[MXNAME];
 
 	if (printcmd) {
-		lookup->cmdline[sizeof(lookup->cmdline) - 1] = 0;
 		snprintf(lookup->cmdline, sizeof(lookup->cmdline),
 			 "%s; <<>> DiG " VERSION " <<>>",
 			 first?"\n":"");
 		i = 1;
 		while (i < argc) {
 			snprintf(append, sizeof(append), " %s", argv[i++]);
-			remaining = sizeof(lookup->cmdline) -
-				    strlen(lookup->cmdline) - 1;
-			strncat(lookup->cmdline, append, remaining);
+			strlcat(lookup->cmdline, append,
+				sizeof(lookup->cmdline));
 		}
-		remaining = sizeof(lookup->cmdline) -
-			    strlen(lookup->cmdline) - 1;
-		strncat(lookup->cmdline, "\n", remaining);
+		strlcat(lookup->cmdline, "\n", sizeof(lookup->cmdline));
 		if (first && addresscount != 0) {
 			snprintf(append, sizeof(append),
 				 "; (%d server%s found)\n",
 				 addresscount,
 				 addresscount > 1 ? "s" : "");
-			remaining = sizeof(lookup->cmdline) -
-				    strlen(lookup->cmdline) - 1;
-			strncat(lookup->cmdline, append, remaining);
+			strlcat(lookup->cmdline, append,
+				sizeof(lookup->cmdline));
 		}
 		if (first) {
 			snprintf(append, sizeof(append),
@@ -716,9 +764,8 @@ printgreeting(int argc, char **argv, dig_lookup_t *lookup) {
 				 short_form ? " +short" : "",
 				 printcmd ? " +cmd" : "");
 			first = ISC_FALSE;
-			remaining = sizeof(lookup->cmdline) -
-				    strlen(lookup->cmdline) - 1;
-			strncat(lookup->cmdline, append, remaining);
+			strlcat(lookup->cmdline, append,
+				sizeof(lookup->cmdline));
 		}
 	}
 }
@@ -743,8 +790,7 @@ plus_option(const char *option, isc_boolean_t is_batchfile,
 	size_t n;
 #endif
 
-	strncpy(option_store, option, sizeof(option_store));
-	option_store[sizeof(option_store)-1]=0;
+	strlcpy(option_store, option, sizeof(option_store));
 	ptr = option_store;
 	cmd = next_token(&ptr, "=");
 	if (cmd == NULL) {
@@ -889,8 +935,7 @@ plus_option(const char *option, isc_boolean_t is_batchfile,
 				goto need_value;
 			if (!state)
 				goto invalid_option;
-			strncpy(domainopt, value, sizeof(domainopt));
-			domainopt[sizeof(domainopt)-1] = '\0';
+			strlcpy(domainopt, value, sizeof(domainopt));
 			break;
 		default:
 			goto invalid_option;
@@ -1111,11 +1156,11 @@ plus_option(const char *option, isc_boolean_t is_batchfile,
 
 			result = parse_uint(&splitwidth, value,
 					    1023, "split");
-			if (splitwidth % 4 != 0) {
+			if ((splitwidth % 4) != 0U) {
 				splitwidth = ((splitwidth + 3) / 4) * 4;
 				fprintf(stderr, ";; Warning, split must be "
 						"a multiple of 4; adjusting "
-						"to %d\n", splitwidth);
+						"to %u\n", splitwidth);
 			}
 			/*
 			 * There is an adjustment done in the
@@ -1382,8 +1427,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 		batchname = value;
 		return (value_from_next);
 	case 'k':
-		strncpy(keyfile, value, sizeof(keyfile));
-		keyfile[sizeof(keyfile)-1]=0;
+		strlcpy(keyfile, value, sizeof(keyfile));
 		return (value_from_next);
 	case 'p':
 		result = parse_uint(&num, value, MAXPORT, "port number");
@@ -1397,9 +1441,8 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 				(*lookup) = clone_lookup(default_lookup,
 							 ISC_TRUE);
 			*need_clone = ISC_TRUE;
-			strncpy((*lookup)->textname, value,
+			strlcpy((*lookup)->textname, value,
 				sizeof((*lookup)->textname));
-			(*lookup)->textname[sizeof((*lookup)->textname)-1]=0;
 			(*lookup)->trace_root = ISC_TF((*lookup)->trace  ||
 						     (*lookup)->ns_search_only);
 			(*lookup)->new_search = ISC_TRUE;
@@ -1476,10 +1519,8 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 			hmacname = DNS_TSIG_HMACMD5_NAME;
 			digestbits = 0;
 		}
-		strncpy(keynametext, ptr, sizeof(keynametext));
-		keynametext[sizeof(keynametext)-1]=0;
-		strncpy(keysecret, ptr2, sizeof(keysecret));
-		keysecret[sizeof(keysecret)-1]=0;
+		strlcpy(keynametext, ptr, sizeof(keynametext));
+		strlcpy(keysecret, ptr2, sizeof(keysecret));
 		return (value_from_next);
 	case 'x':
 		if (*need_clone)
@@ -1487,9 +1528,8 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 		*need_clone = ISC_TRUE;
 		if (get_reverse(textname, sizeof(textname), value,
 				ip6_int, ISC_FALSE) == ISC_R_SUCCESS) {
-			strncpy((*lookup)->textname, textname,
+			strlcpy((*lookup)->textname, textname,
 				sizeof((*lookup)->textname));
-			(*lookup)->textname[sizeof((*lookup)->textname)-1] = 0;
 			debug("looking up %s", (*lookup)->textname);
 			(*lookup)->trace_root = ISC_TF((*lookup)->trace  ||
 						(*lookup)->ns_search_only);
@@ -1624,8 +1664,7 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
 				bargc = 1;
 				input = batchline;
 				bargv[bargc] = next_token(&input, " \t\r\n");
-				while ((bargv[bargc] != NULL) &&
-				       (bargc < 62)) {
+				while ((bargc < 62) && (bargv[bargc] != NULL)) {
 					bargc++;
 					bargv[bargc] =
 						next_token(&input, " \t\r\n");
@@ -1774,9 +1813,8 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
 					lookup = clone_lookup(default_lookup,
 								      ISC_TRUE);
 				need_clone = ISC_TRUE;
-				strncpy(lookup->textname, rv[0],
+				strlcpy(lookup->textname, rv[0],
 					sizeof(lookup->textname));
-				lookup->textname[sizeof(lookup->textname)-1]=0;
 				lookup->trace_root = ISC_TF(lookup->trace  ||
 						     lookup->ns_search_only);
 				lookup->new_search = ISC_TRUE;
@@ -1817,7 +1855,7 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
 				goto next_line;
 			input = batchline;
 			bargv[bargc] = next_token(&input, " \t\r\n");
-			while ((bargv[bargc] != NULL) && (bargc < 14)) {
+			while ((bargc < 14) && (bargv[bargc] != NULL)) {
 				bargc++;
 				bargv[bargc] = next_token(&input, " \t\r\n");
 			}
@@ -1842,7 +1880,7 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
 		lookup->trace_root = ISC_TF(lookup->trace ||
 					    lookup->ns_search_only);
 		lookup->new_search = ISC_TRUE;
-		strcpy(lookup->textname, ".");
+		strlcpy(lookup->textname, ".", sizeof(lookup->textname));
 		lookup->rdtype = dns_rdatatype_ns;
 		lookup->rdtypeset = ISC_TRUE;
 		if (firstarg) {
@@ -1860,8 +1898,8 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
  * Here, we're possibly reading from a batch file, then shutting down
  * for real if there's nothing in the batch file to read.
  */
-void
-dighost_shutdown(void) {
+static void
+query_finished(void) {
 	char batchline[MXNAME];
 	int bargc;
 	char *bargv[16];
@@ -1887,7 +1925,7 @@ dighost_shutdown(void) {
 		bargc = 1;
 		input = batchline;
 		bargv[bargc] = next_token(&input, " \t\r\n");
-		while ((bargv[bargc] != NULL) && (bargc < 14)) {
+		while ((bargc < 14) && (bargv[bargc] != NULL)) {
 			bargc++;
 			bargv[bargc] = next_token(&input, " \t\r\n");
 		}
@@ -1907,23 +1945,41 @@ dighost_shutdown(void) {
 	}
 }
 
-/*% Main processing routine for dig */
-int
-main(int argc, char **argv) {
+void dig_setup(int argc, char **argv)
+{
 	isc_result_t result;
 
 	ISC_LIST_INIT(lookup_list);
 	ISC_LIST_INIT(server_list);
 	ISC_LIST_INIT(search_list);
 
-	debug("main()");
+	debug("dig_setup()");
+
+	/* setup dighost callbacks */
+#ifdef DIG_SIGCHASE
+	dighost_printrdataset = printrdataset;
+#endif
+	dighost_printmessage = printmessage;
+	dighost_received = received;
+	dighost_trying = trying;
+	dighost_shutdown = query_finished;
+
 	progname = argv[0];
 	preparse_args(argc, argv);
+
 	result = isc_app_start();
 	check_result(result, "isc_app_start");
+
 	setup_libs();
 	setup_system(ipv4only, ipv6only);
-	parse_args(ISC_FALSE, ISC_FALSE, argc, argv);
+}
+
+void dig_query_setup(isc_boolean_t is_batchfile, isc_boolean_t config_only,
+		int argc, char **argv)
+{
+	debug("dig_query_setup");
+
+	parse_args(is_batchfile, config_only, argc, argv);
 	if (keyfile[0] != 0)
 		setup_file_key();
 	else if (keysecret[0] != 0)
@@ -1932,20 +1988,49 @@ main(int argc, char **argv) {
 		set_search_domain(domainopt);
 		usesearch = ISC_TRUE;
 	}
+}
+
+void dig_startup() {
+	isc_result_t result;
+
+	debug("dig_startup()");
+
 	result = isc_app_onrun(mctx, global_task, onrun_callback, NULL);
 	check_result(result, "isc_app_onrun");
 	isc_app_run();
+}
+
+void dig_query_start()
+{
+	start_lookup();
+}
+
+void
+dig_shutdown() {
 	destroy_lookup(default_lookup);
 	if (batchname != NULL) {
 		if (batchfp != stdin)
 			fclose(batchfp);
 		batchname = NULL;
 	}
+
 #ifdef DIG_SIGCHASE
 	clean_trustedkey();
 #endif
+
 	cancel_all();
 	destroy_libs();
 	isc_app_finish();
+}
+
+/*% Main processing routine for dig */
+int
+main(int argc, char **argv) {
+
+	dig_setup(argc, argv);
+	dig_query_setup(ISC_FALSE, ISC_FALSE, argc, argv);
+	dig_startup();
+	dig_shutdown();
+
 	return (exitcode);
 }

bin/dig/dig.docbook

@@ -1,6 +1,5 @@
 <!--
- - Copyright (C) 2004-2011, 2013-2016  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003  Internet Software Consortium.
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -38,6 +37,10 @@
 
   <docinfo>
     <copyright>
+      <year>2000</year>
+      <year>2001</year>
+      <year>2002</year>
+      <year>2003</year>
       <year>2004</year>
       <year>2005</year>
       <year>2006</year>
@@ -50,15 +53,10 @@
       <year>2014</year>
       <year>2015</year>
       <year>2016</year>
+      <year>2017</year>
+      <year>2018</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <year>2002</year>
-      <year>2003</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
   </docinfo>
 
   <refsynopsisdiv>
@@ -76,8 +74,10 @@
       <arg choice="opt" rep="norepeat"><option>-v</option></arg>
       <arg choice="opt" rep="norepeat"><option>-x <replaceable class="parameter">addr</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-y <replaceable class="parameter"><optional>hmac:</optional>name:key</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-4</option></arg>
-      <arg choice="opt" rep="norepeat"><option>-6</option></arg>
+      <group choice="opt" rep="norepeat">
+	<arg choice="opt" rep="norepeat"><option>-4</option></arg>
+	<arg choice="opt" rep="norepeat"><option>-6</option></arg>
+      </group>
       <arg choice="opt" rep="norepeat">name</arg>
       <arg choice="opt" rep="norepeat">type</arg>
       <arg choice="opt" rep="norepeat">class</arg>
@@ -98,8 +98,7 @@
 
   <refsection><info><title>DESCRIPTION</title></info>
 
-    <para><command>dig</command>
-      (domain information groper) is a flexible tool
+    <para><command>dig</command> is a flexible tool
       for interrogating DNS name servers.  It performs DNS lookups and
       displays the answers that are returned from the name server(s) that
       were queried.  Most DNS administrators use <command>dig</command> to
@@ -279,9 +278,9 @@
         <term>-i</term>
         <listitem>
 	  <para>
-	    Do reverse IPv6 lookups using the obsolete RFC1886 IP6.INT
+	    Do reverse IPv6 lookups using the obsolete RFC 1886 IP6.INT
 	    domain, which is no longer in use. Obsolete bit string
-	    label queries (RFC2874) are not attempted.
+	    label queries (RFC 2874) are not attempted.
 	  </para>
         </listitem>
       </varlistentry>
@@ -342,19 +341,25 @@
         <term>-t <replaceable class="parameter">type</replaceable></term>
         <listitem>
 	  <para>
-	    The resource record type to query. It can be any valid query type
-	    which is
-	    supported in BIND 9.  The default query type is "A", unless the
-	    <option>-x</option> option is supplied to indicate a reverse lookup.
-	    A zone transfer can be requested by specifying a type of AXFR.  When
+	    The resource record type to query. It can be any valid query
+	    type.  If it is a resource record type supported in BIND 9, it
+	    can be given by the type mnemonic (such as "NS" or "AAAA").
+	    The default query type is "A", unless the <option>-x</option>
+	    option is supplied to indicate a reverse lookup.  A zone
+	    transfer can be requested by specifying a type of AXFR.  When
 	    an incremental zone transfer (IXFR) is required, set the
 	    <parameter>type</parameter> to <literal>ixfr=N</literal>.
 	    The incremental zone transfer will contain the changes
 	    made to the zone since the serial number in the zone's SOA
-	    record was
-	    <parameter>N</parameter>.
+	    record was <parameter>N</parameter>.
 	  </para>
-        </listitem>
+	  <para>
+	    All resource record types can be expressed as "TYPEnn", where
+	    "nn" is the number of the type. If the resource record type is
+	    not supported in BIND 9, the result will be displayed as
+	    described in RFC 3597.
+	  </para>
+	</listitem>
       </varlistentry>
 
       <varlistentry>
@@ -1104,7 +1109,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
       <citerefentry>
 	<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
       </citerefentry>,
-      <citetitle>RFC1035</citetitle>.
+      <citetitle>RFC 1035</citetitle>.
     </para>
   </refsection>
 

bin/dig/dig.html

@@ -1,7 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2004-2011, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
+ - Copyright (C) 2000-2011, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -54,8 +53,10 @@
        [<code class="option">-v</code>]
        [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>]
        [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]name:key</code></em></code>]
-       [<code class="option">-4</code>]
-       [<code class="option">-6</code>]
+       [
+	[<code class="option">-4</code>]
+	 |  [<code class="option">-6</code>]
+      ]
        [name]
        [type]
        [class]
@@ -77,8 +78,7 @@
   <div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
 
-    <p><span class="command"><strong>dig</strong></span>
-      (domain information groper) is a flexible tool
+    <p><span class="command"><strong>dig</strong></span> is a flexible tool
       for interrogating DNS name servers.  It performs DNS lookups and
       displays the answers that are returned from the name server(s) that
       were queried.  Most DNS administrators use <span class="command"><strong>dig</strong></span> to
@@ -238,9 +238,9 @@
 <dt><span class="term">-i</span></dt>
 <dd>
 	  <p>
-	    Do reverse IPv6 lookups using the obsolete RFC1886 IP6.INT
+	    Do reverse IPv6 lookups using the obsolete RFC 1886 IP6.INT
 	    domain, which is no longer in use. Obsolete bit string
-	    label queries (RFC2874) are not attempted.
+	    label queries (RFC 2874) are not attempted.
 	  </p>
         </dd>
 <dt><span class="term">-k <em class="replaceable"><code>keyfile</code></em></span></dt>
@@ -285,19 +285,25 @@
 <dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
 <dd>
 	  <p>
-	    The resource record type to query. It can be any valid query type
-	    which is
-	    supported in BIND 9.  The default query type is "A", unless the
-	    <code class="option">-x</code> option is supplied to indicate a reverse lookup.
-	    A zone transfer can be requested by specifying a type of AXFR.  When
+	    The resource record type to query. It can be any valid query
+	    type.  If it is a resource record type supported in BIND 9, it
+	    can be given by the type mnemonic (such as "NS" or "AAAA").
+	    The default query type is "A", unless the <code class="option">-x</code>
+	    option is supplied to indicate a reverse lookup.  A zone
+	    transfer can be requested by specifying a type of AXFR.  When
 	    an incremental zone transfer (IXFR) is required, set the
 	    <em class="parameter"><code>type</code></em> to <code class="literal">ixfr=N</code>.
 	    The incremental zone transfer will contain the changes
 	    made to the zone since the serial number in the zone's SOA
-	    record was
-	    <em class="parameter"><code>N</code></em>.
+	    record was <em class="parameter"><code>N</code></em>.
 	  </p>
-        </dd>
+	  <p>
+	    All resource record types can be expressed as "TYPEnn", where
+	    "nn" is the number of the type. If the resource record type is
+	    not supported in BIND 9, the result will be displayed as
+	    described in RFC 3597.
+	  </p>
+	</dd>
 <dt><span class="term">-v</span></dt>
 <dd>
 	  <p>
@@ -903,7 +909,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
       <span class="citerefentry">
 	<span class="refentrytitle">dnssec-keygen</span>(8)
       </span>,
-      <em class="citetitle">RFC1035</em>.
+      <em class="citetitle">RFC 1035</em>.
     </p>
   </div>
 

bin/dig/dighost.c

@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -181,7 +180,7 @@ char keysecret[MXNAME] = "";
 dns_name_t *hmacname = NULL;
 unsigned int digestbits = 0;
 isc_buffer_t *namebuf = NULL;
-dns_tsigkey_t *key = NULL;
+dns_tsigkey_t *tsigkey = NULL;
 isc_boolean_t validated = ISC_TRUE;
 isc_entropy_t *entp = NULL;
 isc_mempool_t *commctx = NULL;
@@ -240,13 +239,13 @@ isc_result_t	  prove_nx_domain(dns_message_t * msg,
 				  dns_rdataset_t ** sigrdataset);
 isc_result_t	  prove_nx_type(dns_message_t * msg, dns_name_t *name,
 				dns_rdataset_t *nsec,
-				dns_rdataclass_t class,
+				dns_rdataclass_t rdclass,
 				dns_rdatatype_t type,
 				dns_name_t * rdata_name,
 				dns_rdataset_t ** rdataset,
 				dns_rdataset_t ** sigrdataset);
 isc_result_t	  prove_nx(dns_message_t * msg, dns_name_t * name,
-			   dns_rdataclass_t class,
+			   dns_rdataclass_t rdclass,
 			   dns_rdatatype_t type,
 			   dns_name_t * rdata_name,
 			   dns_rdataset_t ** rdataset,
@@ -349,6 +348,29 @@ struct_tk_list tk_list = { {NULL, NULL, NULL, NULL, NULL}, 0};
 		     "isc_mutex_unlock");\
 }
 
+/* dynamic callbacks */
+
+#ifdef DIG_SIGCHASE
+isc_result_t
+(*dighost_printrdataset)(dns_name_t *owner_name, dns_rdataset_t *rdataset,
+	  isc_buffer_t *target);
+#endif
+
+isc_result_t
+(*dighost_printmessage)(dig_query_t *query, dns_message_t *msg,
+	isc_boolean_t headers);
+
+void
+(*dighost_received)(unsigned int bytes, isc_sockaddr_t *from, dig_query_t *query);
+
+void
+(*dighost_trying)(char *frm, dig_lookup_t *lookup);
+
+void
+(*dighost_shutdown)(void);
+
+/* forward declarations */
+
 static void
 cancel_lookup(dig_lookup_t *lookup);
 
@@ -413,7 +435,7 @@ hex_dump(isc_buffer_t *b) {
 
 	isc_buffer_usedregion(b, &r);
 
-	printf("%d bytes\n", r.length);
+	printf("%u bytes\n", r.length);
 	for (len = 0; len < r.length; len++) {
 		printf("%02x ", r.base[len]);
 		if (len % 16 == 15) {
@@ -446,8 +468,8 @@ hex_dump(isc_buffer_t *b) {
  * ISC_R_NOSPACE if that would advance p past 'end'.
  */
 static isc_result_t
-append(const char *text, int len, char **p, char *end) {
-	if (len > end - *p)
+append(const char *text, size_t len, char **p, char *end) {
+	if (*p + len > end)
 		return (ISC_R_NOSPACE);
 	memmove(*p, text, len);
 	*p += len;
@@ -457,7 +479,7 @@ append(const char *text, int len, char **p, char *end) {
 static isc_result_t
 reverse_octets(const char *in, char **p, char *end) {
 	const char *dot = strchr(in, '.');
-	int len;
+	size_t len;
 	if (dot != NULL) {
 		isc_result_t result;
 		result = reverse_octets(dot + 1, p, end);
@@ -548,7 +570,7 @@ debug(const char *format, ...) {
 		fflush(stdout);
 		if (debugtiming) {
 			TIME_NOW(&t);
-			fprintf(stderr, "%d.%06d: ", isc_time_seconds(&t),
+			fprintf(stderr, "%u.%06u: ", isc_time_seconds(&t),
 				isc_time_nanoseconds(&t) / 1000);
 		}
 		va_start(args, format);
@@ -814,6 +836,7 @@ make_empty_lookup(void) {
 	looknew->new_search = ISC_FALSE;
 	looknew->done_as_is = ISC_FALSE;
 	looknew->need_search = ISC_FALSE;
+	looknew->eoferr = 0;
 	dns_fixedname_init(&looknew->fdomain);
 	ISC_LINK_INIT(looknew, link);
 	ISC_LIST_INIT(looknew->q);
@@ -889,10 +912,12 @@ clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers) {
 	looknew->section_answer = lookold->section_answer;
 	looknew->section_authority = lookold->section_authority;
 	looknew->section_additional = lookold->section_additional;
+	looknew->origin = lookold->origin;
 	looknew->retries = lookold->retries;
 	looknew->tsigctx = NULL;
 	looknew->need_search = lookold->need_search;
 	looknew->done_as_is = lookold->done_as_is;
+	looknew->eoferr = lookold->eoferr;
 
 	dns_name_copy(dns_fixedname_name(&lookold->fdomain),
 		      dns_fixedname_name(&looknew->fdomain), NULL);
@@ -932,7 +957,6 @@ requeue_lookup(dig_lookup_t *lookold, isc_boolean_t servers) {
 	return (looknew);
 }
 
-
 void
 setup_text_key(void) {
 	isc_result_t result;
@@ -970,13 +994,13 @@ setup_text_key(void) {
 
 	result = dns_tsigkey_create(&keyname, hmacname, secretstore,
 				    (int)secretsize, ISC_FALSE, NULL, 0, 0,
-				    mctx, NULL, &key);
+				    mctx, NULL, &tsigkey);
  failure:
 	if (result != ISC_R_SUCCESS)
 		printf(";; Couldn't create key %s: %s\n",
 		       keynametext, isc_result_totext(result));
 	else
-		dst_key_setbits(key->key, digestbits);
+		dst_key_setbits(tsigkey->key, digestbits);
 
 	isc_mem_free(mctx, secretstore);
 	dns_name_invalidate(&keyname);
@@ -1171,7 +1195,7 @@ setup_file_key(void) {
 	}
 	result = dns_tsigkey_createfromkey(dst_key_name(dstkey), hmacname,
 					   dstkey, ISC_FALSE, NULL, 0, 0,
-					   mctx, NULL, &key);
+					   mctx, NULL, &tsigkey);
 	if (result != ISC_R_SUCCESS) {
 		printf(";; Couldn't create key %s: %s\n",
 		       keynametext, isc_result_totext(result));
@@ -1870,7 +1894,8 @@ followup_lookup(dns_message_t *msg, dig_query_t *query, dns_section_t section)
 				      namestr, isc_result_totext(lresult));
 				if (addresses_result == ISC_R_SUCCESS) {
 					addresses_result = lresult;
-					strcpy(bad_namestr, namestr);
+					strlcpy(bad_namestr, namestr,
+						sizeof(bad_namestr));
 				}
 			}
 			numLookups += num;
@@ -2090,10 +2115,10 @@ setup_lookup(dig_lookup_t *lookup) {
 	check_result(result, "dns_message_gettempname");
 	dns_name_init(lookup->name, NULL);
 
-	isc_buffer_init(&lookup->namebuf, lookup->namespace,
-			sizeof(lookup->namespace));
-	isc_buffer_init(&lookup->onamebuf, lookup->onamespace,
-			sizeof(lookup->onamespace));
+	isc_buffer_init(&lookup->namebuf, lookup->name_space,
+			sizeof(lookup->name_space));
+	isc_buffer_init(&lookup->onamebuf, lookup->oname_space,
+			sizeof(lookup->oname_space));
 
 #ifdef WITH_IDN
 	/*
@@ -2237,7 +2262,7 @@ setup_lookup(dig_lookup_t *lookup) {
 		}
 	}
 	dns_name_format(lookup->name, store, sizeof(store));
-	trying(store, lookup);
+	dighost_trying(store, lookup);
 	INSIST(dns_name_isabsolute(lookup->name));
 
 	isc_random_get(&id);
@@ -2305,9 +2330,9 @@ setup_lookup(dig_lookup_t *lookup) {
 	/* XXX Insist this? */
 	lookup->tsigctx = NULL;
 	lookup->querysig = NULL;
-	if (key != NULL) {
+	if (tsigkey != NULL) {
 		debug("initializing keys");
-		result = dns_message_settsigkey(lookup->sendmsg, key);
+		result = dns_message_settsigkey(lookup->sendmsg, tsigkey);
 		check_result(result, "dns_message_settsigkey");
 	}
 
@@ -2400,7 +2425,7 @@ setup_lookup(dig_lookup_t *lookup) {
 	/* XXX qrflag, print_query, etc... */
 	if (!ISC_LIST_EMPTY(lookup->q) && qr) {
 		extrabytes = 0;
-		printmessage(ISC_LIST_HEAD(lookup->q), lookup->sendmsg,
+		dighost_printmessage(ISC_LIST_HEAD(lookup->q), lookup->sendmsg,
 			     ISC_TRUE);
 	}
 	return (ISC_TRUE);
@@ -2800,7 +2825,7 @@ tcp_length_done(isc_task_t *task, isc_event_t *event) {
 	isc_buffer_t *b = NULL;
 	isc_result_t result;
 	dig_query_t *query = NULL;
-	dig_lookup_t *l;
+	dig_lookup_t *l, *n;
 	isc_uint16_t length;
 
 	REQUIRE(event->ev_type == ISC_SOCKEVENT_RECVDONE);
@@ -2835,13 +2860,20 @@ tcp_length_done(isc_task_t *task, isc_event_t *event) {
 				    sizeof(sockstr));
 		printf(";; communications error to %s: %s\n",
 		       sockstr, isc_result_totext(sevent->result));
+		if (keep != NULL)
+			isc_socket_detach(&keep);
 		l = query->lookup;
 		isc_socket_detach(&query->sock);
 		sockcount--;
 		debug("sockcount=%d", sockcount);
 		INSIST(sockcount >= 0);
+		if (sevent->result == ISC_R_EOF && l->eoferr == 0U) {
+			n = requeue_lookup(l, ISC_TRUE);
+			n->eoferr++;
+		}
 		isc_event_free(&event);
 		clear_query(query);
+		cancel_lookup(l);
 		check_next_lookup(l);
 		UNLOCK_LOOKUP;
 		return;
@@ -3172,7 +3204,7 @@ check_for_more_data(dig_query_t *query, dns_message_t *msg,
 	launch_next_query(query, ISC_FALSE);
 	return (ISC_FALSE);
  doexit:
-	received(sevent->n, &sevent->address, query);
+	dighost_received(sevent->n, &sevent->address, query);
 	return (ISC_TRUE);
 }
 
@@ -3249,13 +3281,20 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 		} else {
 			printf(";; communications error: %s\n",
 			       isc_result_totext(sevent->result));
+			if (keep != NULL)
+				isc_socket_detach(&keep);
 			isc_socket_detach(&query->sock);
 			sockcount--;
 			debug("sockcount=%d", sockcount);
 			INSIST(sockcount >= 0);
 		}
+		if (sevent->result == ISC_R_EOF && l->eoferr == 0U) {
+			n = requeue_lookup(l, ISC_TRUE);
+			n->eoferr++;
+		}
 		isc_event_free(&event);
 		clear_query(query);
+		cancel_lookup(l);
 		check_next_lookup(l);
 		UNLOCK_LOOKUP;
 		return;
@@ -3317,6 +3356,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 			if (fail) {
 				isc_event_free(&event);
 				clear_query(query);
+				cancel_lookup(l);
 				check_next_lookup(l);
 				UNLOCK_LOOKUP;
 				return;
@@ -3339,7 +3379,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 	result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &msg);
 	check_result(result, "dns_message_create");
 
-	if (key != NULL) {
+	if (tsigkey != NULL) {
 		if (l->querysig == NULL) {
 			debug("getting initial querysig");
 			result = dns_message_getquerytsig(l->sendmsg, mctx,
@@ -3348,7 +3388,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 		}
 		result = dns_message_setquerytsig(msg, l->querysig);
 		check_result(result, "dns_message_setquerytsig");
-		result = dns_message_settsigkey(msg, key);
+		result = dns_message_settsigkey(msg, tsigkey);
 		check_result(result, "dns_message_settsigkey");
 		msg->tsigctx = l->tsigctx;
 		l->tsigctx = NULL;
@@ -3428,6 +3468,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 			if (l->tcp_mode) {
 				isc_event_free(&event);
 				clear_query(query);
+				cancel_lookup(l);
 				check_next_lookup(l);
 				UNLOCK_LOOKUP;
 				return;
@@ -3440,7 +3481,6 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 		printf(";; Truncated, retrying in TCP mode.\n");
 		n = requeue_lookup(l, ISC_TRUE);
 		n->tcp_mode = ISC_TRUE;
-		n->origin = query->lookup->origin;
 		if (l->trace && l->trace_root)
 			n->rdtype = l->qrdtype;
 		dns_message_destroy(&msg);
@@ -3487,7 +3527,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 		}
 	}
 
-	if (key != NULL) {
+	if (tsigkey != NULL) {
 		result = dns_tsig_verify(&query->recvbuf, msg, NULL, NULL);
 		if (result != ISC_R_SUCCESS) {
 			printf(";; Couldn't verify signature: %s\n",
@@ -3543,21 +3583,21 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 		if (msg->rcode == dns_rcode_nxdomain &&
 		    (l->origin != NULL || l->need_search)) {
 			if (!next_origin(query->lookup) || showsearch) {
-				printmessage(query, msg, ISC_TRUE);
-				received(b->used, &sevent->address, query);
+				dighost_printmessage(query, msg, ISC_TRUE);
+				dighost_received(b->used, &sevent->address, query);
 			}
 		} else if (!l->trace && !l->ns_search_only) {
 #ifdef DIG_SIGCHASE
 			if (!do_sigchase)
 #endif
-				printmessage(query, msg, ISC_TRUE);
+				dighost_printmessage(query, msg, ISC_TRUE);
 		} else if (l->trace) {
 			int nl = 0;
 			int count = msg->counts[DNS_SECTION_ANSWER];
 
 			debug("in TRACE code");
 			if (!l->ns_search_only)
-				printmessage(query, msg, ISC_TRUE);
+				dighost_printmessage(query, msg, ISC_TRUE);
 
 			l->rdtype = l->qrdtype;
 			if (l->trace_root || (l->ns_search_only && count > 0)) {
@@ -3591,7 +3631,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 #ifdef DIG_SIGCHASE
 				if (!do_sigchase)
 #endif
-				printmessage(query, msg, ISC_TRUE);
+				dighost_printmessage(query, msg, ISC_TRUE);
 		}
 #ifdef DIG_SIGCHASE
 		if (do_sigchase) {
@@ -3665,7 +3705,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 #ifdef DIG_SIGCHASE
 			if (!l->sigchase)
 #endif
-				received(b->used, &sevent->address, query);
+				dighost_received(b->used, &sevent->address, query);
 		}
 
 		if (!query->lookup->ns_search_only)
@@ -3749,7 +3789,7 @@ getaddresses(dig_lookup_t *lookup, const char *host, isc_result_t *resultp) {
 		if (resultp == NULL)
 			fatal("couldn't get address for '%s': %s",
 			      host, isc_result_totext(result));
-		return 0;
+		return (0);
 	}
 
 	for (i = 0; i < count; i++) {
@@ -3759,7 +3799,7 @@ getaddresses(dig_lookup_t *lookup, const char *host, isc_result_t *resultp) {
 		ISC_LIST_APPEND(lookup->my_server_list, srv, link);
 	}
 
-	return count;
+	return (count);
 }
 
 /*%
@@ -3915,9 +3955,9 @@ destroy_libs(void) {
 		debug("freeing timermgr");
 		isc_timermgr_destroy(&timermgr);
 	}
-	if (key != NULL) {
-		debug("freeing key %p", key);
-		dns_tsigkey_detach(&key);
+	if (tsigkey != NULL) {
+		debug("freeing key %p", tsigkey);
+		dns_tsigkey_detach(&tsigkey);
 	}
 	if (namebuf != NULL)
 		isc_buffer_free(&namebuf);
@@ -4032,7 +4072,7 @@ output_filter(isc_buffer_t *buffer, unsigned int used_org,
 	 */
 	if (idn_decodename(IDN_DECODE_APP, tmp1, tmp2, MAXDLEN) != idn_success)
 		return (ISC_R_SUCCESS);
-	strcpy(tmp1, tmp2);
+	strlcpy(tmp1, tmp2, MAXDLEN);
 
 	/*
 	 * Copy the converted contents in 'tmp1' back to 'buffer'.
@@ -4059,17 +4099,17 @@ append_textname(char *name, const char *origin, size_t namesize) {
 
 	/* Already absolute? */
 	if (namelen > 0 && name[namelen - 1] == '.')
-		return idn_success;
+		return (idn_success);
 
 	/* Append dot and origin */
 
 	if (namelen + 1 + originlen >= namesize)
-		return idn_buffer_overflow;
+		return (idn_buffer_overflow);
 
 	if (*origin != '.')
 		name[namelen++] = '.';
-	(void)strcpy(name + namelen, origin);
-	return idn_success;
+	(void)strlcpy(name + namelen, origin, namesize - namelen);
+	return (idn_success);
 }
 
 static void
@@ -4667,7 +4707,7 @@ print_rdataset(dns_name_t *name, dns_rdataset_t *rdataset)
 	result = isc_buffer_allocate(mctx, &b, 9000);
 	check_result(result, "isc_buffer_allocate");
 
-	printrdataset(name, rdataset, b);
+	dighost_printrdataset(name, rdataset, b);
 
 	isc_buffer_usedregion(b, &r);
 	r.base[r.length] = '\0';
@@ -5804,7 +5844,7 @@ prove_nx_domain(dns_message_t *msg,
  */
 isc_result_t
 prove_nx_type(dns_message_t *msg, dns_name_t *name, dns_rdataset_t *nsecset,
-	      dns_rdataclass_t class, dns_rdatatype_t type,
+	      dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	      dns_name_t *rdata_name, dns_rdataset_t **rdataset,
 	      dns_rdataset_t **sigrdataset)
 {
@@ -5812,7 +5852,7 @@ prove_nx_type(dns_message_t *msg, dns_name_t *name, dns_rdataset_t *nsecset,
 	dns_rdataset_t *signsecset;
 	dns_rdata_t nsec = DNS_RDATA_INIT;
 
-	UNUSED(class);
+	UNUSED(rdclass);
 
 	ret = dns_rdataset_first(nsecset);
 	check_result(ret,"dns_rdataset_first");
@@ -5845,7 +5885,7 @@ prove_nx_type(dns_message_t *msg, dns_name_t *name, dns_rdataset_t *nsecset,
  *
  */
 isc_result_t
-prove_nx(dns_message_t *msg, dns_name_t *name, dns_rdataclass_t class,
+prove_nx(dns_message_t *msg, dns_name_t *name, dns_rdataclass_t rdclass,
 	 dns_rdatatype_t type, dns_name_t *rdata_name,
 	 dns_rdataset_t **rdataset, dns_rdataset_t **sigrdataset)
 {
@@ -5867,7 +5907,7 @@ prove_nx(dns_message_t *msg, dns_name_t *name, dns_rdataclass_t class,
 					 DNS_SECTION_AUTHORITY);
 	if (nsecset != NULL) {
 		printf("We have a NSEC for this zone :OK\n");
-		ret = prove_nx_type(msg, name, nsecset, class,
+		ret = prove_nx_type(msg, name, nsecset, rdclass,
 				    type, rdata_name, rdataset,
 				    sigrdataset);
 		if (ret != ISC_R_SUCCESS) {

bin/dig/host.1

@@ -1,5 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007-2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000-2002 Internet Software Consortium.
+.\" Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -48,7 +47,7 @@
 host \- DNS lookup utility
 .SH "SYNOPSIS"
 .HP \w'\fBhost\fR\ 'u
-\fBhost\fR [\fB\-aCdlnrsTwv\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-N\ \fR\fB\fIndots\fR\fR] [\fB\-R\ \fR\fB\fInumber\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-W\ \fR\fB\fIwait\fR\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [\fB\-4\fR] [\fB\-6\fR] [\fB\-v\fR] [\fB\-V\fR] {name} [server]
+\fBhost\fR [\fB\-aCdlnrsTwv\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-N\ \fR\fB\fIndots\fR\fR] [\fB\-R\ \fR\fB\fInumber\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-W\ \fR\fB\fIwait\fR\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [[\fB\-4\fR] | [\fB\-6\fR]] [\fB\-v\fR] [\fB\-V\fR] {name} [server]
 .SH "DESCRIPTION"
 .PP
 \fBhost\fR
@@ -264,7 +263,5 @@ runs\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2004, 2005, 2007-2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000-2002 Internet Software Consortium.
+Copyright \(co 2000-2002, 2004, 2005, 2007-2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dig/host.c

@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009-2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -170,13 +169,13 @@ show_usage(void) {
 	exit(1);
 }
 
-void
-dighost_shutdown(void) {
-	isc_app_shutdown();
+static void
+host_shutdown(void) {
+	(void) isc_app_shutdown();
 }
 
-void
-received(int bytes, isc_sockaddr_t *from, dig_query_t *query) {
+static void
+received(unsigned int bytes, isc_sockaddr_t *from, dig_query_t *query) {
 	isc_time_t now;
 	int diff;
 
@@ -190,7 +189,7 @@ received(int bytes, isc_sockaddr_t *from, dig_query_t *query) {
 	}
 }
 
-void
+static void
 trying(char *frm, dig_lookup_t *lookup) {
 	UNUSED(lookup);
 
@@ -234,7 +233,7 @@ say_message(dns_name_t *name, const char *msg, dns_rdata_t *rdata,
 }
 #ifdef DIG_SIGCHASE
 /* Just for compatibility : not use in host program */
-isc_result_t
+static isc_result_t
 printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset,
 	      isc_buffer_t *target)
 {
@@ -415,7 +414,7 @@ chase_cnamechain(dns_message_t *msg, dns_name_t *qname) {
 	}
 }
 
-isc_result_t
+static isc_result_t
 printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 	isc_boolean_t did_flag = ISC_FALSE;
 	dns_rdataset_t *opt, *tsig = NULL;
@@ -475,9 +474,8 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 		dns_name_format(name, namestr, sizeof(namestr));
 		lookup = clone_lookup(query->lookup, ISC_FALSE);
 		if (lookup != NULL) {
-			strncpy(lookup->textname, namestr,
+			strlcpy(lookup->textname, namestr,
 				sizeof(lookup->textname));
-			lookup->textname[sizeof(lookup->textname)-1] = 0;
 			lookup->rdtype = dns_rdatatype_aaaa;
 			lookup->rdtypeset = ISC_TRUE;
 			lookup->origin = NULL;
@@ -486,9 +484,8 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 		}
 		lookup = clone_lookup(query->lookup, ISC_FALSE);
 		if (lookup != NULL) {
-			strncpy(lookup->textname, namestr,
+			strlcpy(lookup->textname, namestr,
 				sizeof(lookup->textname));
-			lookup->textname[sizeof(lookup->textname)-1] = 0;
 			lookup->rdtype = dns_rdatatype_mx;
 			lookup->rdtypeset = ISC_TRUE;
 			lookup->origin = NULL;
@@ -860,14 +857,12 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) {
 	lookup->pending = ISC_FALSE;
 	if (get_reverse(store, sizeof(store), hostname,
 			lookup->ip6_int, ISC_TRUE) == ISC_R_SUCCESS) {
-		strncpy(lookup->textname, store, sizeof(lookup->textname));
-		lookup->textname[sizeof(lookup->textname)-1] = 0;
+		strlcpy(lookup->textname, store, sizeof(lookup->textname));
 		lookup->rdtype = dns_rdatatype_ptr;
 		lookup->rdtypeset = ISC_TRUE;
 		default_lookups = ISC_FALSE;
 	} else {
-		strncpy(lookup->textname, hostname, sizeof(lookup->textname));
-		lookup->textname[sizeof(lookup->textname)-1]=0;
+		strlcpy(lookup->textname, hostname, sizeof(lookup->textname));
 		usesearch = ISC_TRUE;
 	}
 	lookup->new_search = ISC_TRUE;
@@ -889,6 +884,15 @@ main(int argc, char **argv) {
 	idnoptions = IDN_ASCCHECK;
 #endif
 
+	/* setup dighost callbacks */
+#ifdef DIG_SIGCHASE
+	dighost_printrdataset = printrdataset;
+#endif
+	dighost_printmessage = printmessage;
+	dighost_received = received;
+	dighost_trying = trying;
+	dighost_shutdown = host_shutdown;
+
 	debug("main()");
 	progname = argv[0];
 	pre_parse_args(argc, argv);

bin/dig/host.docbook

@@ -1,8 +1,7 @@
 <!DOCTYPE book [
 <!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004, 2005, 2007-2009, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2002  Internet Software Consortium.
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -40,6 +39,9 @@
 
   <docinfo>
     <copyright>
+      <year>2000</year>
+      <year>2001</year>
+      <year>2002</year>
       <year>2004</year>
       <year>2005</year>
       <year>2007</year>
@@ -48,14 +50,10 @@
       <year>2014</year>
       <year>2015</year>
       <year>2016</year>
+      <year>2017</year>
+      <year>2018</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <year>2002</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
   </docinfo>
 
   <refsynopsisdiv>
@@ -68,8 +66,10 @@
       <arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">type</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-W <replaceable class="parameter">wait</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-m <replaceable class="parameter">flag</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-4</option></arg>
-      <arg choice="opt" rep="norepeat"><option>-6</option></arg>
+      <group choice="opt" rep="norepeat">
+	<arg choice="opt" rep="norepeat"><option>-4</option></arg>
+	<arg choice="opt" rep="norepeat"><option>-6</option></arg>
+      </group>
       <arg choice="opt" rep="norepeat"><option>-v</option></arg>
       <arg choice="opt" rep="norepeat"><option>-V</option></arg>
       <arg choice="req" rep="norepeat">name</arg>

bin/dig/host.html

@@ -1,7 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2004, 2005, 2007-2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2002 Internet Software Consortium.
+ - Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -49,8 +48,10 @@
        [<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
        [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>]
        [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>]
-       [<code class="option">-4</code>]
-       [<code class="option">-6</code>]
+       [
+	[<code class="option">-4</code>]
+	 |  [<code class="option">-6</code>]
+      ]
        [<code class="option">-v</code>]
        [<code class="option">-V</code>]
        {name}

bin/dig/include/dig/dig.h

@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2009, 2011-2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -155,8 +154,8 @@ isc_boolean_t	sigchase;
 	dns_rdataclass_t rdclass;
 	isc_boolean_t rdtypeset;
 	isc_boolean_t rdclassset;
-	char namespace[BUFSIZE];
-	char onamespace[BUFSIZE];
+	char name_space[BUFSIZE];
+	char oname_space[BUFSIZE];
 	isc_buffer_t namebuf;
 	isc_buffer_t onamebuf;
 	isc_buffer_t renderbuf;
@@ -183,6 +182,7 @@ isc_boolean_t	sigchase;
 	isc_buffer_t *querysig;
 	isc_uint32_t msgcounter;
 	dns_fixedname_t fdomain;
+	unsigned int eoferr;
 };
 
 /*% The dig_query structure */
@@ -272,7 +272,7 @@ extern unsigned int digestbits;
 #ifdef DIG_SIGCHASE
 extern char trustedkey[MXNAME];
 #endif
-extern dns_tsigkey_t *key;
+extern dns_tsigkey_t *tsigkey;
 extern isc_boolean_t validated;
 extern isc_taskmgr_t *taskmgr;
 extern isc_task_t *global_task;
@@ -377,37 +377,38 @@ void
 clean_trustedkey(void);
 #endif
 
+char *
+next_token(char **stringp, const char *delim);
+
 /*
- * Routines to be defined in dig.c, host.c, and nslookup.c.
+ * Routines to be defined in dig.c, host.c, and nslookup.c. and
+ * then assigned to the appropriate function pointer
  */
 #ifdef DIG_SIGCHASE
-isc_result_t
-printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset,
+extern isc_result_t
+(*dighost_printrdataset)(dns_name_t *owner_name, dns_rdataset_t *rdataset,
 	      isc_buffer_t *target);
 #endif
 
-isc_result_t
-printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers);
+extern isc_result_t
+(*dighost_printmessage)(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers);
 /*%<
  * Print the final result of the lookup.
  */
 
-void
-received(int bytes, isc_sockaddr_t *from, dig_query_t *query);
+extern void
+(*dighost_received)(unsigned int bytes, isc_sockaddr_t *from, dig_query_t *query);
 /*%<
  * Print a message about where and when the response
  * was received from, like the final comment in the
  * output of "dig".
  */
 
-void
-trying(char *frm, dig_lookup_t *lookup);
+extern void
+(*dighost_trying)(char *frm, dig_lookup_t *lookup);
 
-void
-dighost_shutdown(void);
-
-char *
-next_token(char **stringp, const char *delim);
+extern void
+(*dighost_shutdown)(void);
 
 #ifdef DIG_SIGCHASE
 /* Chasing functions */
@@ -420,6 +421,44 @@ chase_sig(dns_message_t *msg);
 void setup_file_key(void);
 void setup_text_key(void);
 
+void setup_file_key(void);
+void setup_text_key(void);
+
+/*
+ * Routines exported from dig.c for use by dig for iOS
+ */
+
+/*%<
+ * Call once only to set up libraries, parse global
+ * parameters and initial command line query parameters
+ */
+void
+dig_setup(int argc, char **argv);
+
+/*%<
+ * Call to supply new parameters for the next lookup
+ */
+void
+dig_query_setup(isc_boolean_t, isc_boolean_t, int argc, char **argv);
+
+/*%<
+ * set the main application event cycle running
+ */
+void
+dig_startup(void);
+
+/*%<
+ * Initiates the next lookup cycle
+ */
+void
+dig_query_start(void);
+
+/*%<
+ * Cleans up the application
+ */
+void
+dig_shutdown(void);
+
 ISC_LANG_ENDDECLS
 
 #endif

bin/dig/nslookup.1

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004-2007, 2010, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2007, 2010, 2013-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -298,5 +298,5 @@ returns with an exit status of 1 if any query failed, and 0 otherwise\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2004-2007, 2010, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004-2007, 2010, 2013-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dig/nslookup.c

@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -164,8 +163,8 @@ rcode_totext(dns_rcode_t rcode)
 	return totext.deconsttext;
 }
 
-void
-dighost_shutdown(void) {
+static void
+query_finished(void) {
 	isc_event_t *event = global_event;
 
 	flush_lookup_list();
@@ -214,7 +213,7 @@ printa(dns_rdata_t *rdata) {
 }
 #ifdef DIG_SIGCHASE
 /* Just for compatibility : not use in host program */
-isc_result_t
+static isc_result_t
 printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset,
 	      isc_buffer_t *target)
 {
@@ -404,22 +403,21 @@ detailsection(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers,
 	return (ISC_R_SUCCESS);
 }
 
-void
-received(int bytes, isc_sockaddr_t *from, dig_query_t *query)
+static void
+received(unsigned int bytes, isc_sockaddr_t *from, dig_query_t *query)
 {
 	UNUSED(bytes);
 	UNUSED(from);
 	UNUSED(query);
 }
 
-void
+static void
 trying(char *frm, dig_lookup_t *lookup) {
 	UNUSED(frm);
 	UNUSED(lookup);
-
 }
 
-isc_result_t
+static isc_result_t
 printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 	char servtext[ISC_SOCKADDR_FORMATSIZE];
 
@@ -508,7 +506,7 @@ show_settings(isc_boolean_t full, isc_boolean_t serv_only) {
 	printf("  %s\t\t%s\n",
 	       usesearch ? "search" : "nosearch",
 	       recurse ? "recurse" : "norecurse");
-	printf("  timeout = %d\t\tretry = %d\tport = %d\tndots = %d\n",
+	printf("  timeout = %u\t\tretry = %d\tport = %u\tndots = %d\n",
 	       timeout, tries, port, ndots);
 	printf("  querytype = %-8s\tclass = %s\n", deftype, defclass);
 	printf("  srchlist = ");
@@ -595,7 +593,12 @@ version(void) {
 
 static void
 setoption(char *opt) {
-	if (strncasecmp(opt, "all", 3) == 0) {
+	size_t l = strlen(opt);
+
+#define CHECKOPT(A, N) \
+	((l >= N) && (l < sizeof(A)) && (strncasecmp(opt, A, l) == 0))
+
+	if (CHECKOPT("all", 3)) {
 		show_settings(ISC_TRUE, ISC_FALSE);
 	} else if (strncasecmp(opt, "class=", 6) == 0) {
 		if (testclass(&opt[6]))
@@ -637,41 +640,41 @@ setoption(char *opt) {
 		set_timeout(&opt[8]);
 	} else if (strncasecmp(opt, "t=", 2) == 0) {
 		set_timeout(&opt[2]);
-	} else if (strncasecmp(opt, "rec", 3) == 0) {
+	} else if (CHECKOPT("recurse", 3)) {
 		recurse = ISC_TRUE;
-	} else if (strncasecmp(opt, "norec", 5) == 0) {
+	} else if (CHECKOPT("norecurse", 5)) {
 		recurse = ISC_FALSE;
 	} else if (strncasecmp(opt, "retry=", 6) == 0) {
 		set_tries(&opt[6]);
 	} else if (strncasecmp(opt, "ret=", 4) == 0) {
 		set_tries(&opt[4]);
-	} else if (strncasecmp(opt, "def", 3) == 0) {
+	} else if (CHECKOPT("defname", 3)) {
 		usesearch = ISC_TRUE;
-	} else if (strncasecmp(opt, "nodef", 5) == 0) {
+	} else if (CHECKOPT("nodefname", 5)) {
 		usesearch = ISC_FALSE;
-	} else if (strncasecmp(opt, "vc", 3) == 0) {
+	} else if (CHECKOPT("vc", 2) == 0) {
 		tcpmode = ISC_TRUE;
-	} else if (strncasecmp(opt, "novc", 5) == 0) {
+	} else if (CHECKOPT("novc", 4) == 0) {
 		tcpmode = ISC_FALSE;
-	} else if (strncasecmp(opt, "deb", 3) == 0) {
+	} else if (CHECKOPT("debug", 3) == 0) {
 		short_form = ISC_FALSE;
 		showsearch = ISC_TRUE;
-	} else if (strncasecmp(opt, "nodeb", 5) == 0) {
+	} else if (CHECKOPT("nodebug", 5) == 0) {
 		short_form = ISC_TRUE;
 		showsearch = ISC_FALSE;
-	} else if (strncasecmp(opt, "d2", 2) == 0) {
+	} else if (CHECKOPT("d2", 2) == 0) {
 		debugging = ISC_TRUE;
-	} else if (strncasecmp(opt, "nod2", 4) == 0) {
+	} else if (CHECKOPT("nod2", 4) == 0) {
 		debugging = ISC_FALSE;
-	} else if (strncasecmp(opt, "search", 3) == 0) {
+	} else if (CHECKOPT("search", 3) == 0) {
 		usesearch = ISC_TRUE;
-	} else if (strncasecmp(opt, "nosearch", 5) == 0) {
+	} else if (CHECKOPT("nosearch", 5) == 0) {
 		usesearch = ISC_FALSE;
-	} else if (strncasecmp(opt, "sil", 3) == 0) {
+	} else if (CHECKOPT("sil", 3) == 0) {
 		/* deprecation_msg = ISC_FALSE; */
-	} else if (strncasecmp(opt, "fail", 3) == 0) {
+	} else if (CHECKOPT("fail", 3) == 0) {
 		nofail=ISC_FALSE;
-	} else if (strncasecmp(opt, "nofail", 3) == 0) {
+	} else if (CHECKOPT("nofail", 5) == 0) {
 		nofail=ISC_TRUE;
 	} else if (strncasecmp(opt, "ndots=", 6) == 0) {
 		set_ndots(&opt[6]);
@@ -910,6 +913,15 @@ main(int argc, char **argv) {
 
 	check_ra = ISC_TRUE;
 
+	/* setup dighost callbacks */
+#ifdef DIG_SIGCHASE
+	dighost_printrdataset = printrdataset;
+#endif
+	dighost_printmessage = printmessage;
+	dighost_received = received;
+	dighost_trying = trying;
+	dighost_shutdown = query_finished;
+
 	result = isc_app_start();
 	check_result(result, "isc_app_start");
 

bin/dig/nslookup.docbook

@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004-2007, 2010, 2013-2016  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -74,6 +74,7 @@
       <year>2014</year>
       <year>2015</year>
       <year>2016</year>
+      <year>2018</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>

bin/dig/nslookup.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2004-2007, 2010, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007, 2010, 2013-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above

bin/dig/win32/dig.vcxproj.in

@@ -61,6 +61,7 @@
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <BrowseInformation>true</BrowseInformation>
       <AdditionalIncludeDirectories>.\;..\include;..\..\..\;@LIBXML2_INC@@IDN_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;..\..\..\lib\lwres\win32\include;..\..\..\lib\lwres\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
     <Link>
       <SubSystem>Console</SubSystem>
@@ -87,6 +88,7 @@
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <AdditionalIncludeDirectories>.\;..\include;..\..\..\;@LIBXML2_INC@@IDN_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;..\..\..\lib\lwres\win32\include;..\..\..\lib\lwres\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
     <Link>
       <SubSystem>Console</SubSystem>
@@ -108,4 +110,4 @@
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">
   </ImportGroup>
-</Project>
+</Project>

bin/dig/win32/dighost.vcxproj.in

@@ -61,6 +61,7 @@
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <BrowseInformation>true</BrowseInformation>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@IDN_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\lwres\win32\include;..\..\..\lib\lwres\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
     <Link>
       <SubSystem>Console</SubSystem>
@@ -85,6 +86,7 @@
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@IDN_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\lwres\win32\include;..\..\..\lib\lwres\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
     <Link>
       <SubSystem>Console</SubSystem>
@@ -101,4 +103,4 @@
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">
   </ImportGroup>
-</Project>
+</Project>

bin/dig/win32/host.vcxproj.in

@@ -61,6 +61,7 @@
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <BrowseInformation>true</BrowseInformation>
       <AdditionalIncludeDirectories>.\;..\include;..\..\..\;@LIBXML2_INC@@IDN_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;..\..\..\lib\lwres\win32\include;..\..\..\lib\lwres\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
     <Link>
       <SubSystem>Console</SubSystem>
@@ -87,6 +88,7 @@
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <AdditionalIncludeDirectories>.\;..\include;..\..\..\;@LIBXML2_INC@@IDN_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;..\..\..\lib\lwres\win32\include;..\..\..\lib\lwres\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
     <Link>
       <SubSystem>Console</SubSystem>
@@ -105,4 +107,4 @@
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">
   </ImportGroup>
-</Project>
+</Project>

bin/dig/win32/nslookup.vcxproj.in

@@ -61,6 +61,7 @@
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <BrowseInformation>true</BrowseInformation>
       <AdditionalIncludeDirectories>.\;..\include;..\..\..\;@LIBXML2_INC@@READLINE_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;..\..\..\lib\lwres\win32\include;..\..\..\lib\lwres\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
     <Link>
       <SubSystem>Console</SubSystem>
@@ -87,6 +88,7 @@
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <AdditionalIncludeDirectories>.\;..\include;..\..\..\;@LIBXML2_INC@@READLINE_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;..\..\..\lib\lwres\win32\include;..\..\..\lib\lwres\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
     <Link>
       <SubSystem>Console</SubSystem>
@@ -106,4 +108,4 @@
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">
   </ImportGroup>
-</Project>
+</Project>

bin/dnssec/Makefile.in

@@ -1,5 +1,4 @@
-# Copyright (C) 2004, 2005, 2007-2009, 2012-2016  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000-2002  Internet Software Consortium.
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above

bin/dnssec/dnssec-dsfromkey.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2008-2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2008-2012, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -186,5 +186,5 @@ RFC 4509\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2008-2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2008-2012, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dnssec/dnssec-dsfromkey.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2012, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -187,7 +187,7 @@ loadkey(char *filename, unsigned char *key_buf, unsigned int key_buf_size,
 	result = dst_key_fromnamedfile(filename, NULL, DST_TYPE_PUBLIC,
 				       mctx, &key);
 	if (result != ISC_R_SUCCESS)
-		fatal("invalid keyfile name %s: %s",
+		fatal("can't load %s.key: %s",
 		      filename, isc_result_totext(result));
 
 	if (verbose > 2) {

bin/dnssec/dnssec-dsfromkey.docbook

@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2008-2012, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -45,6 +45,7 @@
       <year>2014</year>
       <year>2015</year>
       <year>2016</year>
+      <year>2018</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>

bin/dnssec/dnssec-dsfromkey.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2008-2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2008-2012, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above

bin/dnssec/dnssec-importkey.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2013-2016 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2013-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -132,5 +132,5 @@ RFC 5011\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2013-2016 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2013-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dnssec/dnssec-importkey.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013-2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above

bin/dnssec/dnssec-importkey.docbook

@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2013-2016  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -41,6 +41,7 @@
       <year>2014</year>
       <year>2015</year>
       <year>2016</year>
+      <year>2018</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>

bin/dnssec/dnssec-importkey.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2013-2016 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2013-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above

bin/dnssec/dnssec-keyfromlabel.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2008-2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2008-2012, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -63,7 +63,7 @@ of the key is specified on the command line\&. This must match the name of the z
 .RS 4
 Selects the cryptographic algorithm\&. The value of
 \fBalgorithm\fR
-must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 or ECDSAP384SHA384\&. These values are case insensitive\&.
+must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&. These values are case insensitive\&.
 .sp
 If no algorithm is specified, then RSASHA1 will be used by default, unless the
 \fB\-3\fR
@@ -284,5 +284,5 @@ RFC 4034\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2008-2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2008-2012, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dnssec/dnssec-keyfromlabel.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2012, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -54,7 +54,8 @@ int verbose;
 static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 |"
 			  " NSEC3DSA | NSEC3RSASHA1 |"
 			  " RSASHA256 | RSASHA512 | ECCGOST |"
-			  " ECDSAP256SHA256 | ECDSAP384SHA384";
+			  " ECDSAP256SHA256 | ECDSAP384SHA384 |"
+			  " ED25519 | ED448";
 
 ISC_PLATFORM_NORETURN_PRE static void
 usage(void) ISC_PLATFORM_NORETURN_POST;
@@ -148,7 +149,7 @@ main(int argc, char **argv) {
 	char		*label = NULL;
 	dns_ttl_t	ttl = 0;
 	isc_stdtime_t	publish = 0, activate = 0, revoke = 0;
-	isc_stdtime_t	inactive = 0, delete = 0;
+	isc_stdtime_t	inactive = 0, deltime = 0;
 	isc_stdtime_t	now;
 	int		prepub = -1;
 	isc_boolean_t	setpub = ISC_FALSE, setact = ISC_FALSE;
@@ -278,8 +279,8 @@ main(int argc, char **argv) {
 			if (setdel || unsetdel)
 				fatal("-D specified more than once");
 
-			delete = strtotime(isc_commandline_argument,
-					   now, now, &setdel);
+			deltime = strtotime(isc_commandline_argument,
+					    now, now, &setdel);
 			unsetdel = !setdel;
 			break;
 		case 'S':
@@ -388,7 +389,8 @@ main(int argc, char **argv) {
 		    alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
 		    alg != DST_ALG_RSASHA256 && alg != DST_ALG_RSASHA512 &&
 		    alg != DST_ALG_ECCGOST &&
-		    alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384) {
+		    alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384 &&
+		    alg != DST_ALG_ED25519 && alg != DST_ALG_ED448) {
 			fatal("%s is incompatible with NSEC3; "
 			      "do not use the -3 option", algname);
 		}
@@ -608,7 +610,7 @@ main(int argc, char **argv) {
 			dst_key_settime(key, DST_TIME_INACTIVE, inactive);
 
 		if (setdel)
-			dst_key_settime(key, DST_TIME_DELETE, delete);
+			dst_key_settime(key, DST_TIME_DELETE, deltime);
 	} else {
 		if (setpub || setact || setrev || setinact ||
 		    setdel || unsetpub || unsetact ||

bin/dnssec/dnssec-keyfromlabel.docbook

@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2008-2012, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -45,6 +45,8 @@
       <year>2014</year>
       <year>2015</year>
       <year>2016</year>
+      <year>2017</year>
+      <year>2018</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
@@ -107,7 +109,7 @@
 	    Selects the cryptographic algorithm.  The value of
             <option>algorithm</option> must be one of RSAMD5, RSASHA1,
 	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
-	    ECDSAP256SHA256 or ECDSAP384SHA384.
+	    ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
 	    These values are case insensitive.
 	  </para>
           <para>

bin/dnssec/dnssec-keyfromlabel.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2008-2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2008-2012, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -97,7 +97,7 @@
 	    Selects the cryptographic algorithm.  The value of
             <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
 	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
-	    ECDSAP256SHA256 or ECDSAP384SHA384.
+	    ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
 	    These values are case insensitive.
 	  </p>
           <p>

bin/dnssec/dnssec-keygen.8

@@ -1,5 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007-2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000-2003 Internet Software Consortium.
+.\" Copyright (C) 2000-2005, 2007-2012, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -63,7 +62,7 @@ of the key is specified on the command line\&. For DNSSEC keys, this must match
 .RS 4
 Selects the cryptographic algorithm\&. For DNSSEC keys, the value of
 \fBalgorithm\fR
-must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 or ECDSAP384SHA384\&. For TSIG/TKEY, the value must be DH (Diffie Hellman), HMAC\-MD5, HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256, HMAC\-SHA384, or HMAC\-SHA512\&. These values are case insensitive\&.
+must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&. For TSIG/TKEY, the value must be DH (Diffie Hellman), HMAC\-MD5, HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256, HMAC\-SHA384, or HMAC\-SHA512\&. These values are case insensitive\&.
 .sp
 If no algorithm is specified, then RSASHA1 will be used by default, unless the
 \fB\-3\fR
@@ -96,7 +95,7 @@ must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a
 .PP
 \-3
 .RS 4
-Use an NSEC3\-capable algorithm to generate a DNSSEC key\&. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default\&. Note that RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 and ECDSAP384SHA384 algorithms are NSEC3\-capable\&.
+Use an NSEC3\-capable algorithm to generate a DNSSEC key\&. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default\&. Note that RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448 algorithms are NSEC3\-capable\&.
 .RE
 .PP
 \-C
@@ -347,7 +346,5 @@ RFC 4034\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2004, 2005, 2007-2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000-2003 Internet Software Consortium.
+Copyright \(co 2000-2005, 2007-2012, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dnssec/dnssec-keygen.c

@@ -1,6 +1,5 @@
 /*
- * Portions Copyright (C) 2004-2015  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1999-2003  Internet Software Consortium.
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +13,10 @@
  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  *
- * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * Portions Copyright (C) Network Associates, Inc.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -85,7 +87,8 @@ usage(void) {
 				" | NSEC3DSA |\n");
 	fprintf(stderr, "        RSASHA256 | RSASHA512 | ECCGOST |\n");
 	fprintf(stderr, "        ECDSAP256SHA256 | ECDSAP384SHA384 |\n");
-	fprintf(stderr, "        DH | HMAC-MD5 | HMAC-SHA1 | HMAC-SHA224 | "
+	fprintf(stderr, "        ED25519 | ED448 | DH |\n");
+	fprintf(stderr, "        HMAC-MD5 | HMAC-SHA1 | HMAC-SHA224 | "
 				"HMAC-SHA256 | \n");
 	fprintf(stderr, "        HMAC-SHA384 | HMAC-SHA512\n");
 	fprintf(stderr, "       (default: RSASHA1, or "
@@ -104,6 +107,8 @@ usage(void) {
 	fprintf(stderr, "        ECCGOST:\tignored\n");
 	fprintf(stderr, "        ECDSAP256SHA256:\tignored\n");
 	fprintf(stderr, "        ECDSAP384SHA384:\tignored\n");
+	fprintf(stderr, "        ED25519:\tignored\n");
+	fprintf(stderr, "        ED448:\tignored\n");
 	fprintf(stderr, "        HMAC-MD5:\t[1..512]\n");
 	fprintf(stderr, "        HMAC-SHA1:\t[1..160]\n");
 	fprintf(stderr, "        HMAC-SHA224:\t[1..224]\n");
@@ -233,7 +238,7 @@ main(int argc, char **argv) {
 	dns_ttl_t	ttl = 0;
 	isc_boolean_t	use_default = ISC_FALSE, use_nsec3 = ISC_FALSE;
 	isc_stdtime_t	publish = 0, activate = 0, revokekey = 0;
-	isc_stdtime_t	inactive = 0, delete = 0;
+	isc_stdtime_t	inactive = 0, deltime = 0;
 	isc_stdtime_t	now;
 	int		prepub = -1;
 	isc_boolean_t	setpub = ISC_FALSE, setact = ISC_FALSE;
@@ -433,8 +438,8 @@ main(int argc, char **argv) {
 			if (setdel || unsetdel)
 				fatal("-D specified more than once");
 
-			delete = strtotime(isc_commandline_argument,
-					   now, now, &setdel);
+			deltime = strtotime(isc_commandline_argument,
+					    now, now, &setdel);
 			unsetdel = !setdel;
 			break;
 		case 'S':
@@ -549,7 +554,8 @@ main(int argc, char **argv) {
 		    alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
 		    alg != DST_ALG_RSASHA256 && alg!= DST_ALG_RSASHA512 &&
 		    alg != DST_ALG_ECCGOST &&
-		    alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384) {
+		    alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384 &&
+		    alg != DST_ALG_ED25519 && alg != DST_ALG_ED448) {
 			fatal("%s is incompatible with NSEC3; "
 			      "do not use the -3 option", algname);
 		}
@@ -583,7 +589,9 @@ main(int argc, char **argv) {
 							" to %d\n", size);
 			} else if (alg != DST_ALG_ECCGOST &&
 				   alg != DST_ALG_ECDSA256 &&
-				   alg != DST_ALG_ECDSA384)
+				   alg != DST_ALG_ECDSA384 &&
+				   alg != DST_ALG_ED25519 &&
+				   alg != DST_ALG_ED448)
 				fatal("key size not specified (-b option)");
 		}
 
@@ -720,6 +728,12 @@ main(int argc, char **argv) {
 	case DST_ALG_ECDSA384:
 		size = 384;
 		break;
+	case DST_ALG_ED25519:
+		size = 256;
+		break;
+	case DST_ALG_ED448:
+		size = 456;
+		break;
 	case DST_ALG_HMACMD5:
 		options |= DST_TYPE_KEY;
 		if (size < 1 || size > 512)
@@ -853,6 +867,8 @@ main(int argc, char **argv) {
 	case DST_ALG_ECCGOST:
 	case DST_ALG_ECDSA256:
 	case DST_ALG_ECDSA384:
+	case DST_ALG_ED25519:
+	case DST_ALG_ED448:
 		show_progress = ISC_TRUE;
 		/* fall through */
 
@@ -954,13 +970,13 @@ main(int argc, char **argv) {
 						inactive);
 
 			if (setdel) {
-				if (setinact && delete < inactive)
+				if (setinact && deltime < inactive)
 					fprintf(stderr, "%s: warning: Key is "
 						"scheduled to be deleted "
 						"before it is scheduled to be "
 						"made inactive.\n",
 						program);
-				dst_key_settime(key, DST_TIME_DELETE, delete);
+				dst_key_settime(key, DST_TIME_DELETE, deltime);
 			}
 		} else {
 			if (setpub || setact || setrev || setinact ||

bin/dnssec/dnssec-keygen.docbook

@@ -1,6 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005, 2007-2012, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003  Internet Software Consortium.
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -38,6 +37,10 @@
 
   <docinfo>
     <copyright>
+      <year>2000</year>
+      <year>2001</year>
+      <year>2002</year>
+      <year>2003</year>
       <year>2004</year>
       <year>2005</year>
       <year>2007</year>
@@ -49,15 +52,10 @@
       <year>2014</year>
       <year>2015</year>
       <year>2016</year>
+      <year>2017</year>
+      <year>2018</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <year>2002</year>
-      <year>2003</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
   </docinfo>
 
   <refsynopsisdiv>
@@ -122,7 +120,7 @@
             Selects the cryptographic algorithm.  For DNSSEC keys, the value
             of <option>algorithm</option> must be one of RSAMD5, RSASHA1,
 	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
-	    ECDSAP256SHA256 or ECDSAP384SHA384.
+	    ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
 	    For TSIG/TKEY, the value must
             be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
             HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512.  These values are
@@ -194,8 +192,8 @@
             If this option is used and no algorithm is explicitly
             set on the command line, NSEC3RSASHA1 will be used by
             default. Note that RSASHA256, RSASHA512, ECCGOST,
-	    ECDSAP256SHA256 and ECDSAP384SHA384 algorithms
-	    are NSEC3-capable.
+	    ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448
+	    algorithms are NSEC3-capable.
           </para>
         </listitem>
       </varlistentry>

bin/dnssec/dnssec-keygen.html

@@ -1,7 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2004, 2005, 2007-2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
+ - Copyright (C) 2000-2005, 2007-2012, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -102,7 +101,7 @@
             Selects the cryptographic algorithm.  For DNSSEC keys, the value
             of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
 	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
-	    ECDSAP256SHA256 or ECDSAP384SHA384.
+	    ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
 	    For TSIG/TKEY, the value must
             be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
             HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512.  These values are
@@ -165,8 +164,8 @@
             If this option is used and no algorithm is explicitly
             set on the command line, NSEC3RSASHA1 will be used by
             default. Note that RSASHA256, RSASHA512, ECCGOST,
-	    ECDSAP256SHA256 and ECDSAP384SHA384 algorithms
-	    are NSEC3-capable.
+	    ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448
+	    algorithms are NSEC3-capable.
           </p>
         </dd>
 <dt><span class="term">-C</span></dt>

bin/dnssec/dnssec-revoke.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2009, 2011, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009, 2011, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -102,5 +102,5 @@ BIND 9 Administrator Reference Manual,
 RFC 5011\&.
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2009, 2011, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009, 2011, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dnssec/dnssec-revoke.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009-2012, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -138,7 +138,7 @@ main(int argc, char **argv) {
 			if (isc_commandline_option != '?')
 				fprintf(stderr, "%s: invalid argument -%c\n",
 					program, isc_commandline_option);
-			/* Falls into */
+			/* FALLTHROUGH */
 		    case 'h':
 			/* Does not return. */
 			usage();

bin/dnssec/dnssec-revoke.docbook

@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2009, 2011, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -38,6 +38,7 @@
       <year>2014</year>
       <year>2015</year>
       <year>2016</year>
+      <year>2018</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>

bin/dnssec/dnssec-revoke.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2009, 2011, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2011, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above

bin/dnssec/dnssec-settime.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2009-2011, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009-2011, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -47,7 +47,7 @@
 dnssec-settime \- Set the key timing metadata for a DNSSEC key
 .SH "SYNOPSIS"
 .HP \w'\fBdnssec\-settime\fR\ 'u
-\fBdnssec\-settime\fR [\fB\-f\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] {keyfile}
+\fBdnssec\-settime\fR [\fB\-f\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-h\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] {keyfile}
 .SH "DESCRIPTION"
 .PP
 \fBdnssec\-settime\fR
@@ -192,5 +192,5 @@ RFC 5011\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2009-2011, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009-2011, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dnssec/dnssec-settime.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009-2016  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -79,6 +79,11 @@ usage(void) {
 						     "inactivation date\n");
 	fprintf(stderr, "    -D date/[+-]offset/none: set/unset key "
 						     "deletion date\n");
+	fprintf(stderr, "    -S <key>: generate a successor to an existing "
+				      "key\n");
+	fprintf(stderr, "    -i <interval>: prepublication interval for "
+					   "successor key "
+					   "(default: 30 days)\n");
 	fprintf(stderr, "Printing options:\n");
 	fprintf(stderr, "    -p C/P/A/R/I/D/all: print a particular time "
 						"value or values\n");
@@ -299,7 +304,7 @@ main(int argc, char **argv) {
 			if (isc_commandline_option != '?')
 				fprintf(stderr, "%s: invalid argument -%c\n",
 					program, isc_commandline_option);
-			/* Falls into */
+			/* FALLTHROUGH */
 		case 'h':
 			/* Does not return. */
 			usage();
@@ -378,13 +383,16 @@ main(int argc, char **argv) {
 			      "You must set one before\n\t"
 			      "generating a successor.");
 
-		pub = prevact - prepub;
-		if (pub < now && prepub != 0)
-			fatal("Predecessor will become inactive before the\n\t"
-			      "prepublication period ends.  Either change "
-			      "its inactivation date,\n\t"
-			      "or use the -i option to set a shorter "
-			      "prepublication interval.");
+		pub = previnact - prepub;
+		act = previnact;
+
+		if ((previnact - prepub) < now && prepub != 0)
+			fatal("Time until predecessor inactivation is\n\t"
+			      "shorter than the prepublication interval.  "
+			      "Either change\n\t"
+			      "predecessor inactivation date, or use the -i "
+			      "option to set\n\t"
+			      "a shorter prepublication interval.");
 
 		result = dst_key_gettime(prevkey, DST_TIME_DELETE, &prevdel);
 		if (result != ISC_R_SUCCESS)
@@ -467,7 +475,7 @@ main(int argc, char **argv) {
 			     &prevdel) == ISC_R_SUCCESS &&
 	     setinact && !setdel && !unsetdel && prevdel < inact) ||
 	    (!setdel && !unsetdel && !setinact && !unsetinact &&
-	     prevdel < previnact))
+	     prevdel != 0 && prevdel < previnact))
 		fprintf(stderr, "%s: warning: Key is scheduled to "
 				"be deleted before it is\n\t"
 				"scheduled to be inactive.\n",

bin/dnssec/dnssec-settime.docbook

@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2009-2011, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -43,6 +43,8 @@
       <year>2014</year>
       <year>2015</year>
       <year>2016</year>
+      <year>2017</year>
+      <year>2018</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
@@ -58,6 +60,8 @@
       <arg choice="opt" rep="norepeat"><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-S <replaceable class="parameter">key</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-h</option></arg>
       <arg choice="opt" rep="norepeat"><option>-V</option></arg>
       <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>

bin/dnssec/dnssec-settime.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2009-2011, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009-2011, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -49,6 +49,8 @@
        [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>]
        [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>]
        [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
+       [<code class="option">-S <em class="replaceable"><code>key</code></em></code>]
+       [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
        [<code class="option">-h</code>]
        [<code class="option">-V</code>]
        [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]

bin/dnssec/dnssec-signzone.8

@@ -1,5 +1,4 @@
-.\" Copyright (C) 2004-2009, 2011, 2013-2017 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000-2003 Internet Software Consortium.
+.\" Copyright (C) 2000-2009, 2011, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -464,7 +463,5 @@ RFC 4641\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2004-2009, 2011, 2013-2017 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000-2003 Internet Software Consortium.
+Copyright \(co 2000-2009, 2011, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dnssec/dnssec-signzone.c

@@ -1,6 +1,5 @@
 /*
- * Portions Copyright (C) 2004-2016  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1999-2003  Internet Software Consortium.
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +13,10 @@
  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  *
- * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * Portions Copyright (C) Network Associates, Inc.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -189,6 +191,20 @@ static isc_boolean_t output_stdout = ISC_FALSE;
 static void
 sign(isc_task_t *task, isc_event_t *event);
 
+/*%
+ * Store a copy of 'name' in 'fzonecut' and return a pointer to that copy.
+ */
+static dns_name_t *
+savezonecut(dns_fixedname_t *fzonecut, dns_name_t *name) {
+	dns_name_t *result;
+
+	dns_fixedname_init(fzonecut);
+	result = dns_fixedname_name(fzonecut);
+	dns_name_copy(name, result, NULL);
+
+	return (result);
+}
+
 static void
 dumpnode(dns_name_t *name, dns_dbnode_t *node) {
 	dns_rdataset_t rds;
@@ -718,6 +734,17 @@ hashlist_init(hashlist_t *l, unsigned int nodes, unsigned int length) {
 	}
 }
 
+static void
+hashlist_free(hashlist_t *l) {
+	if (l->hashbuf) {
+		free(l->hashbuf);
+		l->hashbuf = NULL;
+		l->entries = 0;
+		l->length = 0;
+		l->size = 0;
+	}
+}
+
 static void
 hashlist_add(hashlist_t *l, const unsigned char *hash, size_t len)
 {
@@ -1472,15 +1499,19 @@ assignwork(isc_task_t *task, isc_task_t *worker) {
 			if (dns_name_issubdomain(name, gorigin) &&
 			    (zonecut == NULL ||
 			     !dns_name_issubdomain(name, zonecut))) {
-				if (is_delegation(gdb, gversion, gorigin, name, node, NULL)) {
-					dns_fixedname_init(&fzonecut);
-					zonecut = dns_fixedname_name(&fzonecut);
-					dns_name_copy(name, zonecut, NULL);
+				if (is_delegation(gdb, gversion, gorigin,
+						  name, node, NULL))
+				{
+					zonecut = savezonecut(&fzonecut, name);
 					if (!OPTOUT(nsec3flags) ||
 					    secure(name, node))
 						found = ISC_TRUE;
-				} else
+				} else if (has_dname(gdb, gversion, node)) {
+					zonecut = savezonecut(&fzonecut, name);
 					found = ISC_TRUE;
+				} else {
+					found = ISC_TRUE;
+				}
 			}
 		}
 
@@ -1721,7 +1752,6 @@ nsecify(void) {
 	name = dns_fixedname_name(&fname);
 	dns_fixedname_init(&fnextname);
 	nextname = dns_fixedname_name(&fnextname);
-	dns_fixedname_init(&fzonecut);
 	zonecut = NULL;
 
 	/*
@@ -1783,11 +1813,12 @@ nsecify(void) {
 		}
 
 		if (is_delegation(gdb, gversion, gorigin, name, node, &nsttl)) {
-			zonecut = dns_fixedname_name(&fzonecut);
-			dns_name_copy(name, zonecut, NULL);
+			zonecut = savezonecut(&fzonecut, name);
 			remove_sigs(node, ISC_TRUE, 0);
 			if (generateds)
 				add_ds(name, node, nsttl);
+		} else if (has_dname(gdb, gversion, node)) {
+			zonecut = savezonecut(&fzonecut, name);
 		}
 
 		result = dns_dbiterator_next(dbiter);
@@ -1953,7 +1984,7 @@ addnsec3(dns_name_t *name, dns_dbnode_t *node,
  * any NSEC3 records which have the same parameters as the chain we
  * are building.
  *
- * XXXMPA Should we also check that it of the form <hash>.<origin>?
+ * XXXMPA Should we also check that it of the form &lt;hash&gt;.&lt;origin&gt;?
  */
 static void
 nsec3clean(dns_name_t *name, dns_dbnode_t *node,
@@ -2168,7 +2199,6 @@ nsec3ify(unsigned int hashalg, dns_iterations_t iterations,
 	name = dns_fixedname_name(&fname);
 	dns_fixedname_init(&fnextname);
 	nextname = dns_fixedname_name(&fnextname);
-	dns_fixedname_init(&fzonecut);
 	zonecut = NULL;
 
 	/*
@@ -2202,6 +2232,10 @@ nsec3ify(unsigned int hashalg, dns_iterations_t iterations,
 			(void)active_node(node);
 		}
 
+		if (has_dname(gdb, gversion, node)) {
+			zonecut = savezonecut(&fzonecut, name);
+		}
+
 		result = dns_dbiterator_next(dbiter);
 		nextnode = NULL;
 		while (result == ISC_R_SUCCESS) {
@@ -2225,8 +2259,7 @@ nsec3ify(unsigned int hashalg, dns_iterations_t iterations,
 			if (is_delegation(gdb, gversion, gorigin,
 					  nextname, nextnode, &nsttl))
 			{
-				zonecut = dns_fixedname_name(&fzonecut);
-				dns_name_copy(nextname, zonecut, NULL);
+				zonecut = savezonecut(&fzonecut, nextname);
 				remove_sigs(nextnode, ISC_TRUE, 0);
 				if (generateds)
 					add_ds(nextname, nextnode, nsttl);
@@ -2236,6 +2269,8 @@ nsec3ify(unsigned int hashalg, dns_iterations_t iterations,
 					result = dns_dbiterator_next(dbiter);
 					continue;
 				}
+			} else if (has_dname(gdb, gversion, nextnode)) {
+				zonecut = savezonecut(&fzonecut, nextname);
 			}
 			dns_db_detachnode(gdb, &nextnode);
 			break;
@@ -2334,6 +2369,11 @@ nsec3ify(unsigned int hashalg, dns_iterations_t iterations,
 			dns_db_detachnode(gdb, &node);
 			continue;
 		}
+
+		if (has_dname(gdb, gversion, node)) {
+			zonecut = savezonecut(&fzonecut, name);
+		}
+
 		result = dns_dbiterator_next(dbiter);
 		nextnode = NULL;
 		while (result == ISC_R_SUCCESS) {
@@ -2356,14 +2396,15 @@ nsec3ify(unsigned int hashalg, dns_iterations_t iterations,
 			if (is_delegation(gdb, gversion, gorigin,
 					  nextname, nextnode, NULL))
 			{
-				zonecut = dns_fixedname_name(&fzonecut);
-				dns_name_copy(nextname, zonecut, NULL);
+				zonecut = savezonecut(&fzonecut, nextname);
 				if (OPTOUT(nsec3flags) &&
 				    !secure(nextname, nextnode)) {
 					dns_db_detachnode(gdb, &nextnode);
 					result = dns_dbiterator_next(dbiter);
 					continue;
 				}
+			} else if (has_dname(gdb, gversion, nextnode)) {
+				zonecut = savezonecut(&fzonecut, nextname);
 			}
 			dns_db_detachnode(gdb, &nextnode);
 			break;
@@ -2468,11 +2509,11 @@ loadzonekeys(isc_boolean_t preserve_keys, isc_boolean_t load_public) {
 		goto cleanup;
 
 	if (set_keyttl && keyttl != rdataset.ttl) {
-		fprintf(stderr, "User-specified TTL (%d) conflicts "
+		fprintf(stderr, "User-specified TTL (%u) conflicts "
 				"with existing DNSKEY RRset TTL.\n",
 				keyttl);
 		fprintf(stderr, "Imported keys will use the RRSet "
-				"TTL (%d) instead.\n",
+				"TTL (%u) instead.\n",
 				rdataset.ttl);
 	}
 	keyttl = rdataset.ttl;
@@ -2772,18 +2813,18 @@ writeset(const char *prefix, dns_rdatatype_t type) {
 	result = dns_name_tofilenametext(gorigin, ISC_FALSE, &namebuf);
 	check_result(result, "dns_name_tofilenametext");
 	isc_buffer_putuint8(&namebuf, 0);
-	filenamelen = strlen(prefix) + strlen(namestr);
+	filenamelen = strlen(prefix) + strlen(namestr) + 1;
 	if (dsdir != NULL)
 		filenamelen += strlen(dsdir) + 1;
-	filename = isc_mem_get(mctx, filenamelen + 1);
+	filename = isc_mem_get(mctx, filenamelen);
 	if (filename == NULL)
 		fatal("out of memory");
 	if (dsdir != NULL)
-		sprintf(filename, "%s/", dsdir);
+		snprintf(filename, filenamelen, "%s/", dsdir);
 	else
 		filename[0] = 0;
-	strcat(filename, prefix);
-	strcat(filename, namestr);
+	strlcat(filename, prefix, filenamelen);
+	strlcat(filename, namestr, filenamelen);
 
 	dns_diff_init(mctx, &diff);
 
@@ -2879,7 +2920,7 @@ writeset(const char *prefix, dns_rdatatype_t type) {
 	result = dns_master_dump(mctx, db, dbversion, style, filename);
 	check_result(result, "dns_master_dump");
 
-	isc_mem_put(mctx, filename, filenamelen + 1);
+	isc_mem_put(mctx, filename, filenamelen);
 
 	dns_db_closeversion(db, &dbversion, ISC_FALSE);
 	dns_db_detach(&db);
@@ -3019,12 +3060,12 @@ print_stats(isc_time_t *timer_start, isc_time_t *timer_finish,
 	isc_uint64_t sig_ms;	   /* Signatures per millisecond */
 	FILE *out = output_stdout ? stderr : stdout;
 
-	fprintf(out, "Signatures generated:               %10d\n", nsigned);
-	fprintf(out, "Signatures retained:                %10d\n", nretained);
-	fprintf(out, "Signatures dropped:                 %10d\n", ndropped);
-	fprintf(out, "Signatures successfully verified:   %10d\n", nverified);
+	fprintf(out, "Signatures generated:               %10u\n", nsigned);
+	fprintf(out, "Signatures retained:                %10u\n", nretained);
+	fprintf(out, "Signatures dropped:                 %10u\n", ndropped);
+	fprintf(out, "Signatures successfully verified:   %10u\n", nverified);
 	fprintf(out, "Signatures unsuccessfully "
-		     "verified: %10d\n", nverifyfailed);
+		     "verified: %10u\n", nverifyfailed);
 
 	time_us = isc_time_microdiff(sign_finish, sign_start);
 	time_ms = time_us / 1000;
@@ -3431,12 +3472,13 @@ main(int argc, char *argv[]) {
 		origin = file;
 
 	if (output == NULL) {
+		size_t size;
 		free_output = ISC_TRUE;
-		output = isc_mem_allocate(mctx,
-					  strlen(file) + strlen(".signed") + 1);
+		size = strlen(file) + strlen(".signed") + 1;
+		output = isc_mem_allocate(mctx, size);
 		if (output == NULL)
 			fatal("out of memory");
-		sprintf(output, "%s.signed", file);
+		snprintf(output, size, "%s.signed", file);
 	}
 
 	if (inputformatstr != NULL) {
@@ -3595,6 +3637,8 @@ main(int argc, char *argv[]) {
 		if (nsec3iter > max)
 			fatal("NSEC3 iterations too big for weakest DNSKEY "
 			      "strength. Maximum iterations allowed %u.", max);
+	} else {
+		hashlist_init(&hashlist, 0, 0);	/* silence clang */
 	}
 
 	gversion = NULL;
@@ -3752,6 +3796,8 @@ main(int argc, char *argv[]) {
 	dns_db_closeversion(gdb, &gversion, ISC_FALSE);
 	dns_db_detach(&gdb);
 
+	hashlist_free(&hashlist);
+
 	while (!ISC_LIST_EMPTY(keylist)) {
 		key = ISC_LIST_HEAD(keylist);
 		ISC_LIST_UNLINK(keylist, key, link);

bin/dnssec/dnssec-signzone.docbook

@@ -1,6 +1,5 @@
 <!--
- - Copyright (C) 2004-2009, 2011, 2013-2017  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003  Internet Software Consortium.
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -38,6 +37,10 @@
 
   <docinfo>
     <copyright>
+      <year>2000</year>
+      <year>2001</year>
+      <year>2002</year>
+      <year>2003</year>
       <year>2004</year>
       <year>2005</year>
       <year>2006</year>
@@ -50,15 +53,9 @@
       <year>2015</year>
       <year>2016</year>
       <year>2017</year>
+      <year>2018</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <year>2002</year>
-      <year>2003</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
   </docinfo>
 
   <refsynopsisdiv>

bin/dnssec/dnssec-signzone.html

@@ -1,7 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2004-2009, 2011, 2013-2017 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
+ - Copyright (C) 2000-2009, 2011, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above