add lock profiling

(cherry picked from commit 03278d6062)

.dir-locals.el

@@ -66,8 +66,6 @@
 		(concat directory-of-current-dir-locals-file "bin/dig/include"))
 	       (expand-file-name
 		(concat directory-of-current-dir-locals-file "bin/named/include"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "bin/named/unix/include"))
 	       (expand-file-name
 		(concat directory-of-current-dir-locals-file "bin/rndc/include"))
 	       (expand-file-name
@@ -79,7 +77,6 @@
 
 	       (expand-file-name "/usr/local/opt/openssl@1.1/include")
 	       (expand-file-name "/usr/local/opt/libxml2/include/libxml2")
-	       (expand-file-name "/usr/local/opt/json-c/include/json-c/")
 	       (expand-file-name "/usr/local/include")
 	       )
 	      )
@@ -87,28 +84,5 @@
 
    (eval setq flycheck-clang-include-path include-directories)
    (eval setq flycheck-cppcheck-include-path include-directories)
-   (eval setq flycheck-gcc-include-path include-directories)
-   (eval setq flycheck-clang-args
-	 (list
-	  "-include"
-	  (expand-file-name
-	   (concat directory-of-current-dir-locals-file "config.h"))
-	  )
-	 )
-   (eval setq flycheck-gcc-args
-	 (list
-	  "-include"
-	  (expand-file-name
-	   (concat directory-of-current-dir-locals-file "config.h"))
-	  )
-	 )
-   (eval setq flycheck-cppcheck-args
-	 (list
-	  "--enable=all"
-	  "--suppress=missingIncludeSystem"
-	  (concat "-include=" (expand-file-name
-			       (concat directory-of-current-dir-locals-file "config.h")))
-	  )
-	 )
    )
   ))

.gitattributes

@@ -1,10 +1,3 @@
 *.sln.in eol=crlf
-*.vcxproj.* eol=crlf
-
-.gitignore			 export-ignore
-/conftools			 export-ignore
-/doc/design			 export-ignore
-/doc/dev			 export-ignore
-/util/**			 export-ignore
-/util/bindkeys.pl		-export-ignore
-/util/mksymtbl.pl		-export-ignore
+*.vcxproj.in eol=crlf
+*.vcxproj.filters.in eol=crlf

.gitignore

@@ -10,7 +10,6 @@
 *.rej
 *.so
 *_test
-*.ipch # vscode/intellisense precompiled header
 *~
 .ccache/
 .cproject
@@ -57,7 +56,3 @@ kyua.log
 named.memstats
 named.run
 timestamp
-/compile_commands.json
-/cppcheck_html/
-/cppcheck.results
-/tsan

.gitlab-ci.yml

@@ -15,20 +15,6 @@ variables:
   BUILD_PARALLEL_JOBS: 6
   TEST_PARALLEL_JOBS: 6
 
-  MAKE: make
-  CONFIGURE: ./configure
-  SCAN_BUILD: scan-build-9
-  SYMBOLIZER: /usr/lib/llvm-9/bin/llvm-symbolizer
-  ASAN_SYMBOLIZER_PATH: "$SYMBOLIZER"
-
-  CFLAGS_COMMON: -fno-omit-frame-pointer -fno-optimize-sibling-calls -O1 -g -Wall -Wextra 
-
-  # Pass run-time flags to AddressSanitizer to get core dumps on error.
-  ASAN_OPTIONS_COMMON: abort_on_error=1:disable_coredump=0:unmap_shadow_on_exit=1
-
-  TARBALL_COMPRESSOR: xz
-  TARBALL_EXTENSION: xz
-
 stages:
   - precheck
   - build
@@ -36,12 +22,10 @@ stages:
   - system
   - docs
   - push
-  - postcheck
-  - release
 
 ### Runner Tag Templates
 
-# Note: BSD runners extract the operating system version to use from job name
+# Note: FreeBSD runners extract the FreeBSD version to use from job name
 
 .freebsd-amd64: &freebsd_amd64
   tags:
@@ -58,17 +42,12 @@ stages:
     - linux
     - i386
 
-.openbsd-amd64: &openbsd_amd64
-  tags:
-    - libvirt
-    - amd64
-
 ### Docker Image Templates
 
 # Alpine Linux
 
-.alpine-3.11-amd64: &alpine_3_11_amd64_image
-  image: "$CI_REGISTRY_IMAGE:alpine-3.11-amd64"
+.alpine-3.10-amd64: &alpine_3_10_amd64_image
+  image: "$CI_REGISTRY_IMAGE:alpine-3.10-amd64"
   <<: *linux_amd64
 
 # CentOS
@@ -81,10 +60,6 @@ stages:
   image: "$CI_REGISTRY_IMAGE:centos-centos7-amd64"
   <<: *linux_amd64
 
-.centos-centos8-amd64: &centos_centos8_amd64_image
-  image: "$CI_REGISTRY_IMAGE:centos-centos8-amd64"
-  <<: *linux_amd64
-
 # Debian
 
 .debian-jessie-amd64: &debian_jessie_amd64_image
@@ -101,7 +76,7 @@ stages:
 
 .debian-buster-amd64: &debian_buster_amd64_image
   image: "$CI_REGISTRY_IMAGE:debian-buster-amd64"
-  <<: *linux_amd64
+  <<: *linux_i386
 
 .debian-sid-amd64: &debian_sid_amd64_image
   image: "$CI_REGISTRY_IMAGE:debian-sid-amd64"
@@ -111,16 +86,10 @@ stages:
   image: "$CI_REGISTRY_IMAGE:debian-sid-i386"
   <<: *linux_i386
 
-# openSUSE Tumbleweed
-
-.tumbleweed-latest-amd64: &tumbleweed_latest_amd64_image
-  image: "$CI_REGISTRY_IMAGE:tumbleweed-latest-amd64"
-  <<: *linux_amd64
-
 # Fedora
 
-.fedora-31-amd64: &fedora_31_amd64_image
-  image: "$CI_REGISTRY_IMAGE:fedora-31-amd64"
+.fedora-30-amd64: &fedora_30_amd64_image
+  image: "$CI_REGISTRY_IMAGE:fedora-30-amd64"
   <<: *linux_amd64
 
 # Ubuntu
@@ -148,16 +117,6 @@ stages:
     - merge_requests
     - tags
     - web
-    - schedules
-
-.release-branch-triggering-rules: &release_branch_triggering_rules
-  only:
-    - merge_requests
-    - tags
-    - web
-    - schedules
-    - master@isc-projects/bind9
-    - /^v9_[1-9][0-9]$/@isc-projects/bind9
 
 .precheck: &precheck_job
   <<: *default_triggering_rules
@@ -165,28 +124,25 @@ stages:
   stage: precheck
 
 .autoconf: &autoconf_job
-  <<: *release_branch_triggering_rules
+  <<: *default_triggering_rules
   <<: *debian_sid_amd64_image
   stage: precheck
   script:
     - autoreconf -fi
   artifacts:
-    paths:
-      - aclocal.m4
-      - configure
-      - ltmain.sh
-      - m4/libtool.m4
-    expire_in: "1 day"
+    untracked: true
+    expire_in: "1 hour"
 
 .configure: &configure |
-    ${CONFIGURE} \
+    ./configure \
     --disable-maintainer-mode \
     --enable-developer \
     --with-libtool \
+    --with-geoip2=auto \
     --disable-static \
     --with-cmocka \
     --with-libxml2 \
-    --with-json-c \
+    --with-json \
     --prefix=$HOME/.local \
     --without-make-clean \
     $EXTRA_CONFIGURE \
@@ -197,10 +153,9 @@ stages:
   stage: build
   before_script:
     - test -w "${CCACHE_DIR}" && export PATH="/usr/lib/ccache:${PATH}"
-    - test -n "${OOT_BUILD_WORKSPACE}" && mkdir "${OOT_BUILD_WORKSPACE}" && cd "${OOT_BUILD_WORKSPACE}"
   script:
     - *configure
-    - ${MAKE} -j${BUILD_PARALLEL_JOBS:-1} -k all V=1
+    - make -j${BUILD_PARALLEL_JOBS:-1} -k all V=1
     - test -z "${RUN_MAKE_INSTALL}" || make install
   dependencies:
     - autoreconf:sid:amd64
@@ -208,37 +163,7 @@ stages:
     - autoreconf:sid:amd64
   artifacts:
     untracked: true
-    expire_in: "1 day"
-
-.windows_build: &windows_build_job
-  stage: build
-  tags:
-    - windows
-    - amd64
-  script:
-    - 'Push-Location "C:/Program Files (x86)/Microsoft Visual Studio/2017/BuildTools/VC/Auxiliary/Build"'
-    - '& cmd.exe /C "vcvarsall.bat x64 & set" | Foreach-Object { if ($_ -match "(.*?)=(.*)") { Set-Item -force -path "Env:\$($matches[1])" -value "$($matches[2])" } }'
-    - 'Pop-Location'
-    - 'Set-Location win32utils'
-    - '& "C:/Strawberry/perl/bin/perl.exe" Configure
-         "with-tools-version=15.0"
-         "with-platform-toolset=v141"
-         "with-platform-version=10.0.17763.0"
-         "with-vcredist=C:/Program Files (x86)/Microsoft Visual Studio/2017/BuildTools/VC/Redist/MSVC/14.16.27012/vcredist_x64.exe"
-         "with-openssl=C:/OpenSSL"
-         "with-libxml2=C:/libxml2"
-         "with-libuv=C:/libuv"
-         "without-python"
-         "with-system-tests"
-         x64'
-    - 'Set-Item -path "Env:CL" -value "/MP$([Math]::Truncate($BUILD_PARALLEL_JOBS/2))"'
-    - '& msbuild.exe /maxCpuCount:2 /t:Build /p:Configuration=$VSCONF bind9.sln'
-  dependencies: []
-  needs:
-    - autoreconf:sid:amd64
-  artifacts:
-    untracked: true
-    expire_in: "1 day"
+    expire_in: "1 hour"
 
 .setup_interfaces: &setup_interfaces |
     if [ "$(id -u)" -eq "0" ]; then
@@ -248,20 +173,21 @@ stages:
     fi
 
 .setup_softhsm: &setup_softhsm |
-    sh -x bin/tests/prepare-softhsm2.sh
+    sh -x util/prepare-softhsm2.sh
 
 .system_test: &system_test_job
   <<: *default_triggering_rules
   stage: system
+  retry: 2
   before_script:
     - *setup_interfaces
     - *setup_softhsm
   script:
-    - ( cd bin/tests/system && make -j${TEST_PARALLEL_JOBS:-1} -k test V=1 )
+    - ( cd bin/tests && make -j${TEST_PARALLEL_JOBS:-1} -k test V=1 )
     - test -s bin/tests/system/systests.output
   artifacts:
     untracked: true
-    expire_in: "1 day"
+    expire_in: "1 week"
     when: on_failure
 
 .kyua_report: &kyua_report_html |
@@ -271,30 +197,6 @@ stages:
        --results-filter "" \
        --output kyua_html
 
-.windows_system_test: &windows_system_test_job
-  stage: system
-  tags:
-    - windows
-    - amd64
-  script:
-    - 'Push-Location bin/tests/system'
-    - '$ifIndex = Get-NetIPInterface -AddressFamily IPv4 -InterfaceMetric 75 | Select-Object -ExpandProperty ifIndex'
-    - '& C:/tools/cygwin/bin/sed.exe -i "s/^exit.*/netsh interface ipv4 set dnsservers $ifIndex dhcp/; s/\(name\|interface\)=Loopback/$ifIndex/;" ifconfig.bat'
-    - '& C:/tools/cygwin/bin/sed.exe -i "s/kill -f/kill -W/;" conf.sh stop.pl'
-    - '& cmd.exe /C ifconfig.bat up; ""'
-    - 'Start-Sleep 2'
-    - '$Env:Path = "C:/tools/cygwin/bin;$Env:Path"'
-    - '& sh.exe runall.sh $TEST_PARALLEL_JOBS'
-    - 'If (Test-Path C:/CrashDumps/*) { dir C:/CrashDumps; Throw }'
-  artifacts:
-    untracked: true
-    expire_in: "1 day"
-    when: on_failure
-  only:
-    - schedules
-    - tags
-    - web
-
 .unit_test: &unit_test_job
   <<: *default_triggering_rules
   stage: unit
@@ -309,45 +211,7 @@ stages:
       - kyua.log
       - kyua.results
       - kyua_html/
-    expire_in: "1 day"
-    when: on_failure
-
-.cppcheck_args: &run_cppcheck |
-  cppcheck --enable=warning,performance,portability,information,missingInclude \
-           --include=config.h \
-           --quiet \
-           --std=c11 \
-           --language=c \
-           --project=compile_commands.json \
-           --error-exitcode=2 \
-           -j ${TEST_PARALLEL_JOBS:-1} \
-           --xml \
-           --output-file=cppcheck.results \
-           --relative-paths="$CI_PROJECT_DIR" \
-           --inline-suppr \
-           --suppressions-list=util/suppressions.txt
-
-.cppcheck_report: &cppcheck_report_html |
-  cppcheck-htmlreport --title="BIND 9 ($CI_COMMIT_SHORT_SHA) Cppcheck Report" \
-                      --file=cppcheck.results \
-                      --report-dir=cppcheck_html/
-
-.cppcheck: &cppcheck_job
-  <<: *default_triggering_rules
-  stage: postcheck
-  before_script:
-    - export GCC_VERSION=$(gcc --version | sed -n 's/.*\([0-9]\+\)\.[0-9]\+\.[0-9]\+.*/\1/p')
-    - sed -i "/gcc\",/a\"-DCPPCHECK\", \"-D__STDC__\", \"-D__GNUC__=${GCC_VERSION}\"," compile_commands.json
-  script:
-    - *run_cppcheck
-  after_script:
-    - *cppcheck_report_html
-  artifacts:
-    paths:
-      - compile_commands.json
-      - cppcheck.results
-      - cppcheck_html/
-    expire_in: "1 day"
+    expire_in: "1 week"
     when: on_failure
 
 ### Job Definitions
@@ -364,11 +228,8 @@ misc:sid:amd64:
     - sh util/checklibs.sh > checklibs.out
     - sh util/tabify-changes < CHANGES > CHANGES.tmp
     - diff -urNap CHANGES CHANGES.tmp
-    - perl util/check-changes CHANGES
-    - test ! -f CHANGES.SE || sh util/tabify-changes < CHANGES.SE > CHANGES.tmp
-    - test ! -f CHANGES.SE || diff -urNap CHANGES.SE CHANGES.tmp
-    - test ! -f CHANGES.SE || perl util/check-changes master=0 CHANGES.SE
     - rm CHANGES.tmp
+    - perl util/check-changes CHANGES
     - perl -w util/merge_copyrights
     - diff -urNap util/copyrights util/newcopyrights
     - rm util/newcopyrights
@@ -381,37 +242,18 @@ misc:sid:amd64:
     paths:
       - util/newcopyrights
       - checklibs.out
-    expire_in: "1 day"
+    expire_in: "1 week"
     when: on_failure
 
 🐞:sid:amd64:
   <<: *precheck_job
-  <<: *debian_buster_amd64_image
   script:
     - util/check-cocci
     - if test "$(git status --porcelain | grep -Ev '\?\?' | wc -l)" -gt "0"; then git status --short; exit 1; fi
 
-tarball-create:sid:amd64:
-  <<: *debian_sid_amd64_image
-  stage: precheck
-  script:
-    - source version
-    - export BIND_DIRECTORY="bind-${MAJORVER}.${MINORVER}.${PATCHVER}${RELEASETYPE}${RELEASEVER}"
-    - git archive --prefix="${BIND_DIRECTORY}/" --output="${BIND_DIRECTORY}.tar" HEAD
-    - mkdir "${BIND_DIRECTORY}"
-    - echo "SRCID=$(git rev-list --max-count=1 HEAD | cut -b1-7)" > "${BIND_DIRECTORY}/srcid"
-    - tar --append --file="${BIND_DIRECTORY}.tar" "${BIND_DIRECTORY}/srcid"
-    - ${TARBALL_COMPRESSOR} "${BIND_DIRECTORY}.tar"
-  artifacts:
-    paths:
-      - bind-*.tar.${TARBALL_EXTENSION}
-  only:
-    - tags
-
 # Jobs for doc builds on Debian Sid (amd64)
 
 docs:sid:amd64:
-  <<: *release_branch_triggering_rules
   <<: *debian_sid_amd64_image
   stage: docs
   script:
@@ -425,7 +267,13 @@ docs:sid:amd64:
   artifacts:
     paths:
       - doc/arm/
-    expire_in: "1 day"
+    expire_in: "1 month"
+  only:
+    - merge_requests
+    - tags
+    - web
+    - master@isc-projects/bind9
+    - /^v9_[1-9][0-9]$/@isc-projects/bind9
 
 push:docs:sid:amd64:
   <<: *debian_sid_amd64_image
@@ -437,36 +285,36 @@ push:docs:sid:amd64:
     - master@isc-projects/bind9
     - /^v9_[1-9][0-9]$/@isc-projects/bind9
 
-# Jobs for regular GCC builds on Alpine Linux 3.11 (amd64)
+# Jobs for regular GCC builds on Alpine Linux 3.10 (amd64)
 
-gcc:alpine3.11:amd64:
+gcc:alpine3.10:amd64:
   variables:
     CC: gcc
-    CFLAGS: "${CFLAGS_COMMON}"
+    CFLAGS: "-Wall -Wextra -O2 -g"
     EXTRA_CONFIGURE: "--enable-dnstap"
-  <<: *alpine_3_11_amd64_image
+  <<: *alpine_3_10_amd64_image
   <<: *build_job
 
-system:gcc:alpine3.11:amd64:
-  <<: *alpine_3_11_amd64_image
+system:gcc:alpine3.10:amd64:
+  <<: *alpine_3_10_amd64_image
   <<: *system_test_job
   dependencies:
-    - gcc:alpine3.11:amd64
-  needs: ["gcc:alpine3.11:amd64"]
+    - gcc:alpine3.10:amd64
+  needs: ["gcc:alpine3.10:amd64"]
 
-unit:gcc:alpine3.11:amd64:
-  <<: *alpine_3_11_amd64_image
+unit:gcc:alpine3.10:amd64:
+  <<: *alpine_3_10_amd64_image
   <<: *unit_test_job
   dependencies:
-    - gcc:alpine3.11:amd64
-  needs: ["gcc:alpine3.11:amd64"]
+    - gcc:alpine3.10:amd64
+  needs: ["gcc:alpine3.10:amd64"]
 
 # Jobs for regular GCC builds on CentOS 6 (amd64)
 
 gcc:centos6:amd64:
   variables:
     CC: gcc
-    CFLAGS: "${CFLAGS_COMMON}"
+    CFLAGS: "-Wall -Wextra -O2 -g"
     EXTRA_CONFIGURE: "--with-libidn2 --disable-warn-error"
   <<: *centos_centos6_amd64_image
   <<: *build_job
@@ -490,7 +338,7 @@ unit:gcc:centos6:amd64:
 gcc:centos7:amd64:
   variables:
     CC: gcc
-    CFLAGS: "${CFLAGS_COMMON}"
+    CFLAGS: "-Wall -Wextra -O2 -g"
     EXTRA_CONFIGURE: "--enable-dnstap --with-libidn2"
   <<: *centos_centos7_amd64_image
   <<: *build_job
@@ -509,36 +357,12 @@ unit:gcc:centos7:amd64:
     - gcc:centos7:amd64
   needs: ["gcc:centos7:amd64"]
 
-# Jobs for regular GCC builds on CentOS 8 (amd64)
-
-gcc:centos8:amd64:
-  variables:
-    CC: gcc
-    CFLAGS: "${CFLAGS_COMMON}"
-    EXTRA_CONFIGURE: "--with-libidn2"
-  <<: *centos_centos8_amd64_image
-  <<: *build_job
-
-system:gcc:centos8:amd64:
-  <<: *centos_centos8_amd64_image
-  <<: *system_test_job
-  dependencies:
-    - gcc:centos8:amd64
-  needs: ["gcc:centos8:amd64"]
-
-unit:gcc:centos8:amd64:
-  <<: *centos_centos8_amd64_image
-  <<: *unit_test_job
-  dependencies:
-    - gcc:centos8:amd64
-  needs: ["gcc:centos8:amd64"]
-
 # Jobs for regular GCC builds on Debian 8 Jessie (amd64)
 
 gcc:jessie:amd64:
   variables:
     CC: gcc
-    CFLAGS: "${CFLAGS_COMMON} -O2"
+    CFLAGS: "-Wall -Wextra -O2 -g"
     EXTRA_CONFIGURE: "--without-cmocka --with-python --disable-geoip"
   <<: *debian_jessie_amd64_image
   <<: *build_job
@@ -562,7 +386,7 @@ unit:gcc:jessie:amd64:
 gcc:stretch:amd64:
   variables:
     CC: gcc
-    CFLAGS: "${CFLAGS_COMMON} -O2"
+    CFLAGS: "-Wall -Wextra -O2 -g"
   <<: *debian_stretch_amd64_image
   <<: *build_job
 
@@ -585,7 +409,7 @@ unit:gcc:stretch:amd64:
 gcc:buster:amd64:
   variables:
     CC: gcc
-    CFLAGS: "${CFLAGS_COMMON}"
+    CFLAGS: "-Wall -Wextra -O2 -g"
   <<: *debian_buster_amd64_image
   <<: *build_job
 
@@ -603,47 +427,14 @@ unit:gcc:buster:amd64:
     - gcc:buster:amd64
   needs: ["gcc:buster:amd64"]
 
-# Jobs for scan-build builds on Debian Buster (amd64)
-
-.scan_build: &scan_build |
-  ${SCAN_BUILD} --html-title="BIND 9 ($CI_COMMIT_SHORT_SHA)" \
-                --keep-cc \
-                --status-bugs \
-                --keep-going \
-                -o scan-build.reports \
-                make -j${BUILD_PARALLEL_JOBS:-1} all V=1
-
-scan-build:buster:amd64:
-  <<: *default_triggering_rules
-  <<: *debian_buster_amd64_image
-  stage: postcheck
-  variables:
-    CC: clang-9
-    CFLAGS: "${CFLAGS_COMMON}"
-    CONFIGURE: "${SCAN_BUILD} ./configure"
-    EXTRA_CONFIGURE: "--enable-dnstap --with-libidn2"
-  script:
-    - *configure
-    - *scan_build
-  dependencies:
-    - autoreconf:sid:amd64
-  needs:
-    - autoreconf:sid:amd64
-  artifacts:
-    paths:
-      - scan-build.reports/
-    expire_in: "1 day"
-    when: on_failure
-
 # Jobs for regular GCC builds on Debian Sid (amd64)
 
 gcc:sid:amd64:
   variables:
     CC: gcc
-    CFLAGS: "${CFLAGS_COMMON} -O3"
+    CFLAGS: "-Wall -Wextra -O3 -g"
     EXTRA_CONFIGURE: "--enable-dnstap --with-libidn2"
     RUN_MAKE_INSTALL: 1
-    MAKE: bear make
   <<: *debian_sid_amd64_image
   <<: *build_job
 
@@ -661,74 +452,12 @@ unit:gcc:sid:amd64:
     - gcc:sid:amd64
   needs: ["gcc:sid:amd64"]
 
-cppcheck:gcc:sid:amd64:
-  <<: *debian_sid_amd64_image
-  <<: *cppcheck_job
-  dependencies:
-    - gcc:sid:amd64
-  needs: ["gcc:sid:amd64"]
-
-# Job for out-of-tree GCC build on Debian Sid (amd64)
-
-oot:sid:amd64:
-  variables:
-    CC: gcc
-    CFLAGS: "${CFLAGS_COMMON} -O3"
-    CONFIGURE: ../configure
-    EXTRA_CONFIGURE: "--enable-dnstap --with-libidn2"
-    RUN_MAKE_INSTALL: 1
-    OOT_BUILD_WORKSPACE: workspace
-  <<: *debian_sid_amd64_image
-  <<: *build_job
-
-# Jobs for tarball GCC builds on Debian Sid (amd64)
-
-tarball:sid:amd64:
-  variables:
-    CC: gcc
-    EXTRA_CONFIGURE: "--enable-dnstap --with-libidn2"
-    RUN_MAKE_INSTALL: 1
-  <<: *debian_sid_amd64_image
-  <<: *build_job
-  before_script:
-    - tar --extract --file bind-*.tar.${TARBALL_EXTENSION}
-    - rm -f bind-*.tar.${TARBALL_EXTENSION}
-    - cd bind-*
-  dependencies:
-    - tarball-create:sid:amd64
-  needs: ["tarball-create:sid:amd64"]
-  only:
-    - tags
-
-system:tarball:sid:amd64:
-  <<: *debian_sid_amd64_image
-  <<: *system_test_job
-  before_script:
-    - cd bind-*
-    - *setup_interfaces
-  dependencies:
-    - tarball:sid:amd64
-  needs: ["tarball:sid:amd64"]
-  only:
-    - tags
-
-unit:tarball:sid:amd64:
-  <<: *debian_sid_amd64_image
-  <<: *unit_test_job
-  before_script:
-    - cd bind-*
-  dependencies:
-    - tarball:sid:amd64
-  needs: ["tarball:sid:amd64"]
-  only:
-    - tags
-
 # Jobs for regular GCC builds on Debian Sid (i386)
 
 gcc:sid:i386:
   variables:
     CC: gcc
-    CFLAGS: "${CFLAGS_COMMON}"
+    CFLAGS: "-Wall -Wextra -O3 -g"
     EXTRA_CONFIGURE: "--enable-dnstap --with-libidn2 --without-python"
   <<: *debian_sid_i386_image
   <<: *build_job
@@ -747,60 +476,36 @@ unit:gcc:sid:i386:
     - gcc:sid:i386
   needs: ["gcc:sid:i386"]
 
-# Jobs for regular GCC builds on openSUSE Tumbleweed (amd64)
+# Jobs for regular GCC builds on Fedora 30 (amd64)
 
-gcc:tumbleweed:amd64:
+gcc:fedora30:amd64:
   variables:
     CC: gcc
-    CFLAGS: "${CFLAGS_COMMON}"
+    CFLAGS: "-Wall -Wextra -O2 -g"
     EXTRA_CONFIGURE: "--with-libidn2"
-  <<: *tumbleweed_latest_amd64_image
+  <<: *fedora_30_amd64_image
   <<: *build_job
 
-system:gcc:tumbleweed:amd64:
-  <<: *tumbleweed_latest_amd64_image
+system:gcc:fedora30:amd64:
+  <<: *fedora_30_amd64_image
   <<: *system_test_job
   dependencies:
-    - gcc:tumbleweed:amd64
-  needs: ["gcc:tumbleweed:amd64"]
+    - gcc:fedora30:amd64
+  needs: ["gcc:fedora30:amd64"]
 
-unit:gcc:tumbleweed:amd64:
-  <<: *tumbleweed_latest_amd64_image
+unit:gcc:fedora30:amd64:
+  <<: *fedora_30_amd64_image
   <<: *unit_test_job
   dependencies:
-    - gcc:tumbleweed:amd64
-  needs: ["gcc:tumbleweed:amd64"]
-
-# Jobs for regular GCC builds on Fedora 31 (amd64)
-
-gcc:fedora31:amd64:
-  variables:
-    CC: gcc
-    CFLAGS: "${CFLAGS_COMMON} -O1"
-    EXTRA_CONFIGURE: "--with-libidn2"
-  <<: *fedora_31_amd64_image
-  <<: *build_job
-
-system:gcc:fedora31:amd64:
-  <<: *fedora_31_amd64_image
-  <<: *system_test_job
-  dependencies:
-    - gcc:fedora31:amd64
-  needs: ["gcc:fedora31:amd64"]
-
-unit:gcc:fedora31:amd64:
-  <<: *fedora_31_amd64_image
-  <<: *unit_test_job
-  dependencies:
-    - gcc:fedora31:amd64
-  needs: ["gcc:fedora31:amd64"]
+    - gcc:fedora30:amd64
+  needs: ["gcc:fedora30:amd64"]
 
 # Jobs for regular GCC builds on Ubuntu 16.04 Xenial Xerus (amd64)
 
 gcc:xenial:amd64:
   variables:
     CC: gcc
-    CFLAGS: "${CFLAGS_COMMON} -O2"
+    CFLAGS: "-Wall -Wextra -O2 -g"
     EXTRA_CONFIGURE: "--disable-geoip"
   <<: *ubuntu_xenial_amd64_image
   <<: *build_job
@@ -824,7 +529,7 @@ unit:gcc:xenial:amd64:
 gcc:bionic:amd64:
   variables:
     CC: gcc
-    CFLAGS: "${CFLAGS_COMMON} -Og"
+    CFLAGS: "-Wall -Wextra -O2 -g"
     EXTRA_CONFIGURE: "--with-libidn2"
   <<: *ubuntu_bionic_amd64_image
   <<: *build_job
@@ -848,15 +553,13 @@ unit:gcc:bionic:amd64:
 asan:sid:amd64:
   variables:
     CC: gcc
-    CFLAGS: "${CFLAGS_COMMON} -fsanitize=address,undefined -DISC_MEM_USE_INTERNAL_MALLOC=0"
+    CFLAGS: "-Wall -Wextra -O2 -g -fsanitize=address,undefined -DISC_MEM_USE_INTERNAL_MALLOC=0"
     LDFLAGS: "-fsanitize=address,undefined"
     EXTRA_CONFIGURE: "--with-libidn2"
   <<: *debian_sid_amd64_image
   <<: *build_job
 
 system:asan:sid:amd64:
-  variables:
-    ASAN_OPTIONS: ${ASAN_OPTIONS_COMMON}
   <<: *debian_sid_amd64_image
   <<: *system_test_job
   dependencies:
@@ -864,123 +567,18 @@ system:asan:sid:amd64:
   needs: ["asan:sid:amd64"]
 
 unit:asan:sid:amd64:
-  variables:
-    ASAN_OPTIONS: ${ASAN_OPTIONS_COMMON}
   <<: *debian_sid_amd64_image
   <<: *unit_test_job
   dependencies:
     - asan:sid:amd64
   needs: ["asan:sid:amd64"]
 
-# Jobs for GCC builds with TSAN enabled on Debian Sid (amd64)
-
-tsan:buster:amd64:
-  <<: *debian_buster_amd64_image
-  <<: *build_job
-  variables:
-    CC: clang-9
-    CFLAGS: "${CFLAGS_COMMON} -fsanitize=thread -DISC_MEM_USE_INTERNAL_MALLOC=0"
-    LDFLAGS: "-fsanitize=thread"
-    EXTRA_CONFIGURE: "--with-libidn2 --enable-pthread-rwlock"
-
-system:tsan:buster:amd64:
-  variables:
-    TSAN_OPTIONS: "second_deadlock_stack=1 history_size=7 log_exe_name=true log_path=tsan external_symbolizer_path=$SYMBOLIZER exitcode=0"
-  before_script:
-    - *setup_interfaces
-    - echo $TSAN_OPTIONS
-  <<: *debian_buster_amd64_image
-  <<: *system_test_job
-  dependencies:
-    - tsan:buster:amd64
-  needs: ["tsan:buster:amd64"]
-  allow_failure: true
-  after_script:
-    - find bin -name 'tsan.*' -exec python3 util/parse_tsan.py {} \;
-  artifacts:
-    expire_in: "1 day"
-    paths:
-      - bin/tests/system/*/tsan.*
-      - bin/tests/system/*/*/tsan.*
-      - tsan/
-    when: on_failure
-
-unit:tsan:buster:amd64:
-  variables:
-    TSAN_OPTIONS: "second_deadlock_stack=1 history_size=7 log_exe_name=true log_path=tsan external_symbolizer_path=$SYMBOLIZER"
-  before_script:
-    - echo $TSAN_OPTIONS
-    - lib/isc/tests/result_test
-  <<: *debian_buster_amd64_image
-  <<: *unit_test_job
-  dependencies:
-    - tsan:buster:amd64
-  needs: ["tsan:buster:amd64"]
-  allow_failure: true
-  after_script:
-    - find lib -name 'tsan.*' -exec python3 util/parse_tsan.py {} \;
-  artifacts:
-    expire_in: "1 day"
-    paths:
-      - lib/*/tests/tsan.*
-      - tsan/
-      - kyua.log
-      - kyua.results
-      - kyua_html/
-    when: on_failure
-
-rwlock:sid:amd64:
-  variables:
-    CC: gcc
-    CFLAGS: "${CFLAGS_COMMON} -Wall -Wextra -O2 -g -DISC_MEM_USE_INTERNAL_MALLOC=0"
-    EXTRA_CONFIGURE: "--with-libidn2 --enable-pthread-rwlock"
-  <<: *debian_sid_amd64_image
-  <<: *build_job
-
-system:rwlock:sid:amd64:
-  <<: *debian_sid_amd64_image
-  <<: *system_test_job
-  dependencies:
-    - rwlock:sid:amd64
-  needs: ["rwlock:sid:amd64"]
-
-unit:rwlock:sid:amd64:
-  <<: *debian_sid_amd64_image
-  <<: *unit_test_job
-  dependencies:
-    - rwlock:sid:amd64
-  needs: ["rwlock:sid:amd64"]
-
-# Jobs for mutex-based atomics on Debian SID (amd64)
-mutexatomics:sid:amd64:
-  variables:
-    CC: gcc
-    CFLAGS: "${CFLAGS_COMMON} -DISC_MEM_USE_INTERNAL_MALLOC=0"
-    EXTRA_CONFIGURE: "--with-libidn2 --enable-mutex-atomics"
-  <<: *debian_sid_amd64_image
-  <<: *build_job
-
-#system:mutexatomics:sid:amd64:
-#  <<: *debian_sid_amd64_image
-#  <<: *system_test_job
-#  dependencies:
-#    - mutexatomics:sid:amd64
-#    - mutexatomics:sid:amd64
-#  allow_failure: true
-
-#unit:mutexatomics:sid:amd64:
-#  <<: *debian_sid_amd64_image
-#  <<: *unit_test_job
-#  dependencies:
-#    - mutexatomics:sid:amd64
-#  allow_failure: true
-
 # Jobs for Clang builds on Debian Stretch (amd64)
 
 clang:stretch:amd64:
   variables:
     CC: clang
-    CFLAGS: "${CFLAGS_COMMON} -Wenum-conversion"
+    CFLAGS: "-Wall -Wextra -Wenum-conversion -O2 -g"
     EXTRA_CONFIGURE: "--with-python=python3"
   <<: *debian_stretch_amd64_image
   <<: *build_job
@@ -997,7 +595,7 @@ unit:clang:stretch:amd64:
 clang:stretch:i386:
   variables:
     CC: clang
-    CFLAGS: "${CFLAGS_COMMON} -Wenum-conversion"
+    CFLAGS: "-Wall -Wextra -Wenum-conversion -O2 -g"
     EXTRA_CONFIGURE: "--with-python=python2"
   <<: *debian_stretch_i386_image
   <<: *build_job
@@ -1007,7 +605,7 @@ clang:stretch:i386:
 pkcs11:sid:amd64:
   variables:
     CC: gcc
-    CFLAGS: "${CFLAGS_COMMON}"
+    CFLAGS: "-Wall -Wextra -O2 -g"
     EXTRA_CONFIGURE: "--enable-native-pkcs11 --with-pkcs11=/usr/lib/softhsm/libsofthsm2.so"
   <<: *debian_sid_amd64_image
   <<: *build_job
@@ -1030,7 +628,7 @@ unit:pkcs11:sid:amd64:
 
 clang:freebsd11.3:amd64:
   variables:
-    CFLAGS: "${CFLAGS_COMMON}"
+    CFLAGS: "-Wall -Wextra -O2 -g"
   <<: *freebsd_amd64
   <<: *build_job
 
@@ -1052,7 +650,7 @@ unit:clang:freebsd11.3:amd64:
 
 clang:freebsd12.0:amd64:
   variables:
-    CFLAGS: "${CFLAGS_COMMON}"
+    CFLAGS: "-Wall -Wextra -O2 -g"
     EXTRA_CONFIGURE: "--enable-dnstap"
   <<: *freebsd_amd64
   <<: *build_job
@@ -1071,34 +669,12 @@ unit:clang:freebsd12.0:amd64:
     - clang:freebsd12.0:amd64
   needs: ["clang:freebsd12.0:amd64"]
 
-# Jobs for Clang builds on OpenBSD 6.6 (amd64)
-
-clang:openbsd6.6:amd64:
-  variables:
-    CC: clang
-    USER: gitlab-runner
-  <<: *openbsd_amd64
-  <<: *build_job
-
-system:clang:openbsd6.6:amd64:
-  <<: *openbsd_amd64
-  <<: *system_test_job
-  variables:
-    USER: gitlab-runner
-  dependencies:
-    - clang:openbsd6.6:amd64
-  needs: ["clang:openbsd6.6:amd64"]
-  only:
-    - schedules
-    - tags
-    - web
-
 # Jobs with libtool disabled
 
 nolibtool:sid:amd64:
   variables:
     CC: gcc
-    CFLAGS: "${CFLAGS_COMMON}"
+    CFLAGS: "-Wall -Wextra -Og -g"
     EXTRA_CONFIGURE: "--with-libidn2 --without-libtool --with-dlopen"
   <<: *debian_sid_amd64_image
   <<: *build_job
@@ -1120,74 +696,58 @@ unit:nolibtool:sid:amd64:
 # Jobs for Visual Studio 2017 builds on Windows (amd64)
 
 msvc:windows:amd64:
-  <<: *windows_build_job
   <<: *default_triggering_rules
+  stage: build
+  tags:
+    - windows
+    - amd64
   variables:
     VSCONF: Release
+  script:
+    - 'Push-Location "C:/Program Files (x86)/Microsoft Visual Studio/2017/BuildTools/VC/Auxiliary/Build"'
+    - '& cmd.exe /C "vcvarsall.bat x64 & set" | Foreach-Object { if ($_ -match "(.*?)=(.*)") { Set-Item -force -path "Env:\$($matches[1])" -value "$($matches[2])" } }'
+    - 'Pop-Location'
+    - 'Set-Location win32utils'
+    - '& "C:/Strawberry/perl/bin/perl.exe" Configure
+         "with-tools-version=15.0"
+         "with-platform-toolset=v141"
+         "with-platform-version=10.0.17763.0"
+         "with-vcredist=C:/Program Files (x86)/Microsoft Visual Studio/2017/BuildTools/VC/Redist/MSVC/14.16.27012/vcredist_x64.exe"
+         "with-openssl=C:/OpenSSL"
+         "with-libxml2=C:/libxml2"
+         "without-python"
+         "with-system-tests"
+         x64'
+    - 'Set-Item -path "Env:CL" -value "/MP$([Math]::Truncate($BUILD_PARALLEL_JOBS/2))"'
+    - '& msbuild.exe /maxCpuCount:2 /t:Build /p:Configuration=$VSCONF bind9.sln'
+  artifacts:
+    untracked: true
+    expire_in: "1 hour"
 
 system:msvc:windows:amd64:
-  <<: *windows_system_test_job
+  stage: system
+  tags:
+    - windows
+    - amd64
   variables:
     VSCONF: Release
+  script:
+    - 'Push-Location bin/tests/system'
+    - '$ifIndex = Get-NetIPInterface -AddressFamily IPv4 -InterfaceMetric 75 | Select-Object -ExpandProperty ifIndex'
+    - '& C:/tools/cygwin/bin/sed.exe -i "s/^exit.*/netsh interface ipv4 set dnsservers $ifIndex dhcp/; s/\(name\|interface\)=Loopback/$ifIndex/;" ifconfig.bat'
+    - '& C:/tools/cygwin/bin/sed.exe -i "s/kill -f/kill -W/;" conf.sh stop.pl'
+    - '& cmd.exe /C ifconfig.bat up; ""'
+    - 'Start-Sleep 2'
+    - '$Env:Path = "C:/tools/cygwin/bin;$Env:Path"'
+    - '& sh.exe runall.sh $TEST_PARALLEL_JOBS'
+    - 'If (Test-Path C:/CrashDumps/*) { dir C:/CrashDumps; Throw }'
   dependencies:
     - msvc:windows:amd64
   needs: ["msvc:windows:amd64"]
-
-msvc-debug:windows:amd64:
-  <<: *windows_build_job
-  variables:
-    VSCONF: Debug
+  artifacts:
+    untracked: true
+    expire_in: "1 week"
+    when: on_failure
   only:
-    - schedules
     - tags
     - web
-
-system:msvc-debug:windows:amd64:
-  <<: *windows_system_test_job
-  variables:
-    VSCONF: Debug
-  dependencies:
-    - msvc-debug:windows:amd64
-  needs: ["msvc-debug:windows:amd64"]
-
-# Job producing a release tarball
-
-release:sid:amd64:
-  <<: *debian_sid_amd64_image
-  stage: release
-  script:
-    # Determine BIND version
-    - source version
-    - export BIND_DIRECTORY="bind-${MAJORVER}.${MINORVER}.${PATCHVER}${RELEASETYPE}${RELEASEVER}"
-    # Remove redundant files and system test utilities from Windows build artifacts
-    - find Build/Release/ -name "*.pdb" -print -delete
-    - find Build/Debug/ \( -name "*.bsc" -o -name "*.idb" \) -print -delete
-    - find Build/ -regextype posix-extended -regex "Build/.*/($(find bin/tests/ -type f | sed -nE "s|^bin/tests(/system)?/win32/(.*)\.vcxproj$|\2|p" | paste -d"|" -s))\..*" -print -delete
-    # Create Windows zips
-    - openssl dgst -sha256 "${BIND_DIRECTORY}.tar.${TARBALL_EXTENSION}" | tee Build/Release/SHA256 Build/Debug/SHA256
-    - ( cd Build/Release; zip "../../BIND${BIND_DIRECTORY#bind-}.x64.zip" * )
-    - ( cd Build/Debug; zip "../../BIND${BIND_DIRECTORY#bind-}.debug.x64.zip" * )
-    # Prepare release tarball contents (tarballs + zips + documentation)
-    - mkdir -p release/doc/arm
-    - pushd release
-    - mv "../${BIND_DIRECTORY}.tar.${TARBALL_EXTENSION}" ../BIND*.zip .
-    - tar --extract --file="${BIND_DIRECTORY}.tar.${TARBALL_EXTENSION}"
-    - mv "${BIND_DIRECTORY}"/{CHANGES*,COPYRIGHT,LICENSE,README,srcid} .
-    - mv "${BIND_DIRECTORY}"/doc/arm/{Bv9ARM{*.html,.pdf},man.*,notes.{html,pdf,txt}} doc/arm/
-    - rm -rf "${BIND_DIRECTORY}"
-    - cp doc/arm/notes.html "RELEASE-NOTES-${BIND_DIRECTORY}.html"
-    - cp doc/arm/notes.pdf "RELEASE-NOTES-${BIND_DIRECTORY}.pdf"
-    - cp doc/arm/notes.txt "RELEASE-NOTES-${BIND_DIRECTORY}.txt"
-    - popd
-    # Create release tarball
-    - tar --create --file="${CI_COMMIT_TAG}.tar.gz" --gzip release/
-  dependencies:
-    - tarball-create:sid:amd64
-    - msvc:windows:amd64
-    - msvc-debug:windows:amd64
-  only:
-    - tags
-  artifacts:
-    paths:
-      - "*.tar.gz"
-    expire_in: "1 day"

.gitlab/issue_templates/Release.md

@@ -1,65 +0,0 @@
-## Release Schedule
-
-**Tagging Deadline:**
-
-**Public Release:**
-
-## Release Checklist
-
-## 2 Working Days Before the Tagging Deadline
-
- - [ ] ***(QA)*** Check whether all issues assigned to the release milestone are resolved[^1].
- - [ ] ***(QA)*** Ensure that there are no outstanding merge requests in the private repository[^1] (Subscription Edition only).
- - [ ] ***(QA)*** Ensure all merge requests marked for backporting have been indeed backported.
-
-## Before the Tagging Deadline
-
- - [ ] ***(QA)*** Inform Support/Marketing of impending release (and give estimated release dates).
- - [ ] ***(QA)*** Check Perflab to ensure there has been no unexplained drop in performance for the versions being released.
- - [ ] ***(SwEng)*** Update API files for libraries with new version information.
- - [ ] ***(SwEng)*** Change software version and library versions in `configure.ac` (new major release only).
- - [ ] ***(SwEng)*** Rebuild `configure` using Autoconf on `docs.isc.org`.
- - [ ] ***(SwEng)*** Update `CHANGES`.
- - [ ] ***(SwEng)*** Update `CHANGES.SE` (Subscription Edition only).
- - [ ] ***(SwEng)*** Update `README.md`.
- - [ ] ***(SwEng)*** Update `version`.
- - [ ] ***(SwEng)*** Build documentation on `docs.isc.org`.
- - [ ] ***(QA)*** Check that all the above steps were performed correctly.
- - [ ] ***(QA)*** Check that the contents of release notes match the merge requests comprising the releases.
- - [ ] ***(QA)*** Check that the formatting is correct for text, PDF, and HTML versions of release notes.
- - [ ] ***(SwEng)*** Tag the releases[^2].  (Tags may only be pushed to the public repository for releases which are *not* security releases.)
- - [ ] ***(SwEng)*** If this is the first tag for a release (e.g. beta), create a release branch named `release_v9_X_Y` to allow development to continue on the maintenance branch whilst release engineering continues.
-
-## Before the ASN Deadline (for ASN Releases) or the Public Release Date (for Regular Releases)
-
- - [ ] ***(QA)*** Verify GitLab CI results for the tags created and prepare a QA report for the releases to be published.
- - [ ] ***(QA)*** Request signatures for the tarballs, providing their location and checksums.
- - [ ] ***(Signers)*** Validate tarball checksums, sign tarballs, and upload signatures.
- - [ ] ***(QA)*** Verify tarball signatures and check tarball checksums again.
- - [ ] ***(Support)*** Pre-publish ASN and/or Subscription Edition tarballs so that packages can be built.
- - [ ] ***(QA)*** Build and test ASN and/or Subscription Edition packages.
- - [ ] ***(QA)*** Notify Support that the releases have been prepared.
- - [ ] ***(Support)*** Send out ASNs (if applicable).
-
-## On the Day of Public Release
-
- - [ ] ***(Support)*** Wait for clearance from Security Officer to proceed with the public release (if applicable).
- - [ ] ***(Support)*** Place tarballs in public location on FTP site.
- - [ ] ***(Support)*** Publish links to downloads on ISC website.
- - [ ] ***(Support)*** Write release email to *bind-announce*.
- - [ ] ***(Support)*** Write email to *bind-users* (if a major release).
- - [ ] ***(Support)*** Update tickets in case of waiting support customers.
- - [ ] ***(QA)*** Build and test any outstanding private packages.
- - [ ] ***(QA)*** Build public packages (`*.deb`, RPMs).
- - [ ] ***(QA)*** Inform Marketing of the release.
- - [ ] ***(QA)*** Update the internal [BIND release dates wiki page](https://wiki.isc.org/bin/view/Main/BindReleaseDates) when public announcement has been made.
- - [ ] ***(Marketing)*** Post short note to Twitter.
- - [ ] ***(Marketing)*** Update [Wikipedia entry for BIND](https://en.wikipedia.org/wiki/BIND).
- - [ ] ***(Marketing)*** Write blog article (if a major release).
- - [ ] ***(QA)*** Ensure all new tags are annotated and signed.
- - [ ] ***(SwEng)*** Push tags for the published releases to the public repository.
- - [ ] ***(SwEng)*** Merge the automatically prepared `prep 9.X.Y` commit which updates `version` and documentation on the release branch into the relevant maintenance branch (`v9_X`).
-
-[^1]: If not, use the time remaining until the tagging deadline to ensure all outstanding issues are either resolved or moved to a different milestone.
-
-[^2]: Preferred command line: `git tag -u <DEVELOPER_KEYID> -a -s -m "BIND 9.X.Y[alphatag]" v9_X_Y[alphatag]`, where `[alphatag]` is an optional string such as `b1`, `rc1`, etc.

.gitlab/issue_templates/release.md

@@ -0,0 +1,44 @@
+## Release Checklist
+
+ - [ ] (Manager) Check for the presence of a milestone for the release:
+    - If there is a milestone, are all the issues for the milestone resolved? (other than this checklist).
+ - [ ] (Manager) Inform Support/Marketing of impending release (and give estimated release dates).
+ - (SwEng) Prepare the sources for tarball generation:
+   - [ ] Check perflab to ensure there has been no unexplained drop in performance for the version being released.
+   - [ ] Ensure that there are no outstanding merge requests in the private repository (subscription version only).
+   - [ ] Update API files for libraries with new version information.
+   - [ ] Change software version and library versions in configure.in (new major release only).
+   - [ ] Rebuild configure using autoconf on docs.isc.org.
+   - [ ] Update CHANGES.
+   - [ ] Update CHANGES.SE (subscription branch only).
+   - [ ] Update "version".
+   - [ ] Update "readme.md".
+   - Check the release notes are correct:
+     - [ ] Compare content with merge requests for the release.
+     - [ ] Check formatting.
+   - [ ] Build documentation on docs.isc.org.
+   - [ ] Commit changes and make sure the gitlab-ci tests are passing.
+   - [ ] Push the changes and tag ("alphatag" is an optional string such as "b1", "rc1" etc.). (```git tag -u <DEVELOPER_KEYID> -a -s -m "BIND 9.X.Y[alphatag]" v9_X_Y[alphatag]```)
+   - [ ] If this is the first tag for a release (e.g. beta), create a release branch named `release_v9_X_Y` (this allows development to continue on the release branch whilst release engineering continues).
+ - [ ] (SwEng) Run the "make release" Jenkins job to produce the tarballs and zips.
+ - [ ] (SwEng) Ask QA to sanity check the tarball and zips (passing to them the number of the Jenkins job).
+ - [ ] (QA) Sanity check the tarballs.
+ - [ ] (QA) Request the signature on the tarballs.
+ - [ ] (QA) Check signatures on tarballs.
+ - [ ] (QA) Tell Support to handle notification of release.
+ - [ ] (Manager) Inform Marketing of the release
+ - [ ] (Manager) Update the internal [BIND release dates wiki page](https://wiki.isc.org/bin/view/Main/BindReleaseDates) when public announcement has been made.
+
+ - [ ] (SwEng) Update DEB and RPM packages
+ - [ ] (SwEng) Merge the automatically prepared `prep 9.X.Y` commit which updates `version` and documentation on the release branch into the relevant maintenance branch (`v9_X`)
+
+## Support
+ - [ ] Make tarballs and signatures available to download.
+ - [ ] Write release email to bind9-announce.
+ - [ ] Write email to bind9-users (if a major release).
+ - [ ] Update tickets in case of waiting support customers.
+
+## Marketing
+ - [ ] Post short note to Twitter.
+ - [ ] Update [Wikipedia entry for BIND](http://en.wikipedia.org/wiki/BIND).
+ - [ ] Write blog article (if a major release).

CHANGES

@@ -1,216 +1,8 @@
-5354.	[bug]		dnssec-policy created new KSK keys when zone is in
-			initial stage of signing (the DS is not yet in
-			rumoured or omnipresent state).  Fix by checking
-			key goals rather than active state when determining
-			new keys are needed. [GL #1593]
-
-5353.	[doc]		Document port and dscp parameters in forwarders
-			configuration option. [GL !914]
-
-5352.	[bug]		Correctly handle catalog zone entries containing
-			characters that aren't legal in filenames. [GL #1592]
-
-5351.	[bug]		CDS / CDNSKEY consistency checks failed to handle
-			removal records. [GL #1554]
-
-5350.	[bug]		When a view was configured with class CHAOS, the
-			server could crash while processing a query for a
-			non-existent record. [GL #1540]
-
-5349.	[bug]		Fix a race in task_pause/unpause. [GL #1571]
-
-5348.	[bug]		dnssec-settime -Psync was not being honoured.
-			[GL !2893]
-
-	--- 9.15.8 released ---
-
-5347.	[bug]		Fixed a bug that could cause an intermittent crash
-			in validator.c when validating a negative cache
-			entry. [GL #1561]
-
-5346.	[bug]		Make hazard pointer array allocations dynamic, fixing
-			a bug that caused named to crash on machines with more
-			than 40 cores. [GL #1493]
-
-5345.	[func]		Key-style trust anchors and DS-style trust anchors
-			can now both be used for the same name. [GL #1237]
-
-5344.	[bug]		Handle accept() errors properly in netmgr. [GL !2880]
-
-5343.	[func]		Add statistics counters to the netmgr. [GL #1311]
-
-5342.	[bug]		Disable pktinfo for IPv6 and bind to each interface
-			explicitly instead, because libuv doesn't support
-			pktinfo control messages. [GL #1558]
-
-5341.	[func]		Simplify passing the bound TCP socket to child
-			threads by using isc_uv_export/import functions.
-			[GL !2825]
-
-5340.	[bug]		Don't deadlock when binding to a TCP socket fails.
-			[GL #1499]
-
-5339.	[bug]		With some libmaxminddb versions, named could erroneously
-			match an IP address not belonging to any subnet defined
-			in a given GeoIP2 database to one of the existing
-			entries in that database. [GL #1552]
-
-5338.	[bug]		Fix line spacing in `rndc secroots`.
-			Thanks to Tony Finch. [GL !2478]
-
-5337.	[func]		'named -V' now reports maxminddb and protobuf-c
-			versions. [GL !2686]
-
-	--- 9.15.7 released ---
-
-5336.	[bug]		The TCP high-water statistic could report an
-			incorrect value on startup. [GL #1392]
-
-5335.	[func]		Make TCP listening code multithreaded. [GL !2659]
-
-5334.	[doc]		Update documentation with dnssec-policy clarifications.
-			Also change some defaults. [GL !2711]
-
-5333.	[bug]		Fix duration printing on Solaris when value is not
-			an ISO 8601 duration. [GL #1460]
-
-5332.	[func]		Renamed "dnssec-keys" configuration statement
-			to the more descriptive "trust-anchors". [GL !2702]
-
-5331.	[func]		Use compiler-provided mechanisms for thread local
-			storage, and make the requirement for such mechanisms
-			explicit in configure. [GL #1444]
-
-5330.	[bug]		'configure --without-python' was ineffective if
-			PYTHON was set in the environment. [GL #1434]
-
-5329.	[bug]		Reconfiguring named caused memory to be leaked when any
-			GeoIP2 database was in use. [GL #1445]
-
-5328.	[bug]		rbtdb.c:rdataset_{get,set}ownercase failed to obtain
-			a node lock. [GL #1417]
-
-5327.	[func]		Added a statistics counter to track queries
-			dropped because the recursive-clients quota was
-			exceeded. [GL #1399]
-
-5326.	[bug]		Add Python dependency on 'distutils.core' to configure.
-			'distutils.core' is required for installation.
-			[GL #1397]
-
-5325.	[bug]		Addressed several issues with TCP connections in
-			the netmgr: restored support for TCP connection
-			timeouts, restored TCP backlog support, actively
-			close all open sockets during shutdown. [GL #1312]
-
-5324.	[bug]		Change the category of some log messages from general
-			to the more appopriate catergory of xfer-in. [GL #1394]
-
-5323.	[bug]		Fix a bug in DNSSEC trust anchor verification.
-			[GL !2609]
-
-5322.	[placeholder]
-
-5321.	[bug]		Obtain write lock before updating version->records
-			and version->bytes. [GL #1341]
-
-5320.	[cleanup]	Silence TSAN on header->count. [GL #1344]
-
-	--- 9.15.6 released ---
-
-5319.	[func]		Trust anchors can now be configured using DS
-			format to represent a key digest, by using the
-			new "initial-ds" or "static-ds" keywords in
-			the "dnssec-keys" statement.
-
-			Note: DNSKEY-format and DS-format trust anchors
-			cannot both be used for the same domain name.
-			[GL #622]
-
-5318.	[cleanup]	The DNSSEC validation code has been refactored
-			for clarity and to reduce code duplication.
-			[GL #622]
-
-5317.	[func]		A new asynchronous network communications system
-			based on libuv is now used for listening for
-			incoming requests and responding to them. (The
-			old isc_socket API remains in use for sending
-			iterative queries and processing responses; this
-			will be changed too in a later release.)
-
-			This change will make it easier to improve
-			performance and implement new protocol layers
-			(e.g., DNS over TLS) in the future. [GL #29]
-
-5316.	[func]		A new "dnssec-policy" option has been added to
-			named.conf to implement a key and signing policy
-			(KASP) for zones. When this option is in use,
-			named can generate new keys as needed and
-			automatically roll both ZSK and KSK keys. (Note
-			that the syntax for this statement differs from
-			the dnssec policy used by dnssec-keymgr.)
-
-			See the ARM for configuration details. [GL #1134]
-
-5315.	[bug]		Apply the inital RRSIG expiration spread fixed
-			to all dynamically created records in the zone
-			including NSEC3. Also fix the signature clusters
-			when the server has been offline for prolonged
-			period of times. [GL #1256]
-
-5314.	[func]		Added a new statistics variable "tcp-highwater"
-			that reports the maximum number of simultaneous TCP
-			clients BIND has handled while running. [GL #1206]
-
-5313.	[bug]		The default GeoIP2 database location did not match
-			the ARM.  'named -V' now reports the default
-			location. [GL #1301]
-
-5312.	[bug]		Do not flush the cache for `rndc validation status`.
-			Thanks to Tony Finch. [GL !2462]
-
-5311.	[cleanup]	Include all views in output of `rndc validation status`.
-			Thanks to Tony Finch. [GL !2461]
-
-5310.	[bug]		TCP failures were affecting EDNS statistics. [GL #1059]
-
-5309.	[placeholder]
-
-5308.	[bug]		Don't log DNS_R_UNCHANGED from sync_secure_journal()
-			at ERROR level in receive_secure_serial(). [GL #1288]
-
-5307.	[bug]		Fix hang when named-compilezone output is sent to pipe.
-			Thanks to Tony Finch. [GL !2481]
-
-5306.	[security]	Set a limit on number of simultaneous pipelined TCP
-			queries. (CVE-2019-6477) [GL #1264]
-
-5305.	[bug]		NSEC Aggressive Cache ("synth-from-dnssec") has been
-			disabled by default because it was found to have
-			a significant performance impact on the recursive
-			service. [GL #1265]
-
-5304.	[bug]		"dnskey-sig-validity 0;" was not being accepted.
-			[GL #876]
-
-5303.	[placeholder]
-
-5302.	[bug]		Fix checking that "dnstap-output" is defined when
-			"dnstap" is specified in a view. [GL #1281]
-
-5301.	[bug]		Detect partial prefixes / incomplete IPv4 address in
-			acls. [GL #1143]
-
-5300.	[bug]		dig/mdig/delv: Add a colon after EDNS option names,
-			even when the option is empty, to improve
-			readability and allow correct parsing of YAML
-			output. [GL #1226]
-
-	--- 9.15.5 released ---
+	--- 9.14.7 released ---
 
 5299.	[security]	A flaw in DNSSEC verification when transferring
 			mirror zones could allow data to be incorrectly
-			marked valid. (CVE-2019-6475) [GL #1252]
+			marked valid. (CVE-2019-6475) [GL #16P]
 
 5298.	[security]	Named could assert if a forwarder returned a
 			referral, rather than resolving the query, when QNAME
@@ -220,13 +12,6 @@
 			is still running before starting a new one; return
 			SERVFAIL and log an error if so. [GL #1191]
 
-5296.	[placeholder]
-
-5295.	[cleanup]	Split dns_name_copy() calls into dns_name_copy() and
-			dns_name_copynf() for those calls that can potentially
-			fail and those that should not fail respectively.
-			[GL !2265]
-
 5294.	[func]		Fallback to ACE name on output in locale, which does not
 			support converting it to unicode.  [GL #846]
 
@@ -236,31 +21,16 @@
 5292.	[bug]		Queue 'rndc nsec3param' requests while signing inline
 			zone changes. [GL #1205]
 
-	--- 9.15.4 released ---
-
-5291.	[placeholder]
-
-5290.	[placeholder]
+	--- 9.14.6 released ---
 
 5289.	[bug]		Address NULL pointer dereference in rpz.c:rpz_detach.
 			[GL #1210]
 
-5288.	[bug]		dnssec-must-be-secure was not always honored.
-			[GL #1209]
-
-5287.	[placeholder]
-
 5286.	[contrib]	Address potential NULL pointer dereferences in
 			dlz_mysqldyn_mod.c. [GL #1207]
 
 5285.	[port]		win32: implement "-T maxudpXXX". [GL #837]
 
-5284.	[func]		Added +unexpected command line option to dig.
-			By default, dig won't accept a reply from a source
-			other than the one to which it sent the query.
-			Invoking dig with +unexpected argument will allow it
-			to process replies from unexpected sources.
-
 5283.	[bug]		When a response-policy zone expires, ensure that
 			its policies are removed from the RPZ summary
 			database. [GL #1146]
@@ -278,10 +48,7 @@
 			validation failures if published in the parent zone
 			as the DS RRset.  [GL #1187]
 
-5278.	[func]		Add YAML output formats for dig, mdig and delv;
-			use the "+yaml" option to enable. [GL #1145]
-
-	--- 9.15.3 released ---
+	--- 9.14.5 released ---
 
 5277.	[bug]		Cache DB statistics could underflow when serve-stale
 			was in use, because of a bug in counter maintenance
@@ -293,10 +60,6 @@
 			with '~'; stale RRset counters are still prefixed
 			with '#'. [GL #602]
 
-5276.	[func]		DNSSEC Lookaside Validation (DLV) is now obsolete;
-			all code enabling its use has been removed from the
-			validator, "delv", and the DNSSEC tools. [GL #7]
-
 5275.	[bug]		Mark DS records included in referral messages
 			with trust level "pending" so that they can be
 			validated and cached immediately, with no need to
@@ -308,22 +71,12 @@
 5273.	[bug]		Check that bits [64..71] of a dns64 prefix are zero.
 			[GL #1159]
 
-5272.	[cleanup]	Remove isc-config.sh script as the BIND 9 libraries
-			are now purely internal. [GL #1123]
-
-5271.	[func]		The normal (non-debugging) output of dnssec-signzone
-			and dnssec-verify tools now goes to stdout, instead of
-			the combination of stderr and stdout.
-
-5270.	[bug]		'dig +expandaaaa +short' did not work. [GL #1152]
-
 5269.	[port]		cygwin: can return ETIMEDOUT on connect() with a
 			non-blocking socket. [GL #1133]
 
-5268.	[placeholder]
-
-5267.	[func]		Allow statistics groups display to be toggle-able.
-			[GL #1030]
+5268.	[bug]		named could crash during configuration if
+			configured to use "geoip continent" ACLs with
+			legacy GeoIP. [GL #1163]
 
 5266.	[bug]		named-checkconf failed to report dnstap-output
 			missing from named.conf when dnstap was specified.
@@ -333,32 +86,26 @@
 			[GL #1106]
 
 5264.	[func]		New DNS Cookie algorithm - siphash24 - has been added
-			to BIND 9, and the old HMAC-SHA DNS Cookie algorithms
-			have been removed. [GL #605]
+			to BIND 9. [GL #605]
 
-	--- 9.15.2 released ---
+5236.	[func]		Add SipHash 2-4 implementation in lib/isc/siphash.c
+			and switch isc_hash_function() to use SipHash 2-4.
+			[GL #605]
 
-5263.	[cleanup]	Use atomics and isc_refcount_t wherever possible.
-			[GL #1038]
-
-5262.	[func]		Removed support for the legacy GeoIP API. [GL #1112]
-
-5261.	[cleanup]	Remove SO_BSDCOMPAT socket option usage.
+	--- 9.14.4 released ---
 
 5260.	[bug]		dnstap-read was producing malformed output for large
 			packets. [GL #1093]
 
-5259.	[func]		New option '-i' for 'named-checkconf' to ignore
-			warnings about deprecated options. [GL #1101]
-
-5258.	[func]		Added support for the GeoIP2 API from MaxMind. This
-			will be compiled in by default if the "libmaxminddb"
-			library is found at compile time, but can be
-			suppressed using "configure --disable-geoip".
+5258.	[func]		Added support for the GeoIP2 API from MaxMind,
+			when BIND is compiled using "configure --with-geoip2".
+			The legacy GeoIP API can be enabled by using
+			"configure --with-geoip" instead. These options
+			cannot be used together.
 
 			Certain geoip ACL settings that were available with
 			legacy GeoIP are not available when using GeoIP2.
-			[GL #182]
+			See the ARM for details. [GL #182]
 
 5257.	[bug]		Some statistics data was not being displayed.
 			Add shading to the zone tables. [GL #1030]
@@ -380,46 +127,14 @@
 5253.	[port]		Support platforms that don't define ULLONG_MAX.
 			[GL #1098]
 
-5252.	[func]		Report if the last 'rndc reload/reconfig' failed in
-			rndc status. [GL !2040]
-
 5251.	[bug]		Statistics were broken in x86 Windows builds.
 			[GL #1081]
 
-5250.	[func]		The default size for RSA keys is now 2048 bits,
-			for both ZSKs and KSKs. [GL #1097]
-
 5249.	[bug]		Fix a possible underflow in recursion clients
 			statistics when hitting recursive clients
 			soft quota. [GL #1067]
 
-	--- 9.15.1 released ---
-
-5248.	[func]		To clarify the configuration of DNSSEC keys,
-			the "managed-keys" and "trusted-keys" options
-			have both been deprecated.  The new "dnssec-keys"
-			statement can now be used for all trust anchors,
-			with the keywords "iniital-key" or "static-key"
-			to indicate whether the configured trust anchor
-			should be used for initialization of RFC 5011 key
-			management, or as a permanent trust anchor.
-
-			The "static-key" keyword will generate a warning if
-			used for the root zone.
-
-			Configurations using "trusted-keys" or "managed-keys"
-			will continue to work with no changes, but will
-			generate warnings in the log. In a future release,
-			these options will be marked obsolete. [GL #6]
-
-5247.	[cleanup]	The 'cleaning-interval' option has been removed.
-			[GL !1731]
-
-5246.	[func]		Log TSIG if appropriate in 'sending notify to' message.
-			[GL #1058]
-
-5245.	[cleanup]	Reduce logging level for IXFR up-to-date poll
-			responses. [GL #1009]
+	--- 9.14.3 released ---
 
 5244.	[security]	Fixed a race condition in dns_dispatch_getnext()
 			that could cause an assertion failure if a
@@ -440,51 +155,28 @@
 
 5240.	[bug]		Remove key id calculation for RSAMD5. [GL #996]
 
-5239.	[func]		Change the json-c detection to pkg-config. [GL #855]
-
 5238.	[bug]		Fix a possible deadlock in TCP code. [GL #1046]
 
 5237.	[bug]		Recurse to find the root server list with 'dig +trace'.
 			[GL #1028]
 
-5236.	[func]		Add SipHash 2-4 implementation in lib/isc/siphash.c
-			and switch isc_hash_function() to use SipHash 2-4.
-			[GL #605]
-
-5235.	[cleanup]	Refactor lib/isc/app.c to be thread-safe, unused
-			parts of the API has been removed and the
-			isc_appctx_t data type has been changed to be
-			fully opaque. [GL #1023]
-
 5234.	[port]		arm: just use the compiler's default support for
 			yield. [GL #981]
 
-	--- 9.15.0 released ---
+	--- 9.14.2 released ---
 
 5233.	[bug]		Negative trust anchors did not work with "forward only;"
 			to validating resolvers. [GL #997]
 
-5232.	[placeholder]
-
 5231.	[protocol]	Add support for displaying CLIENT-TAG and SERVER-TAG.
 			[GL #960]
 
-5230.	[protocol]	The SHA-1 hash algorithm is no longer used when
-			generating DS and CDS records. [GL #1015]
-
 5229.	[protocol]	Enforce known SSHFP fingerprint lengths. [GL #852]
 
-5228.	[func]		If trusted-keys and managed-keys were configured
-			simultaneously for the same name, the key could
-			not be be rolled automatically. This is now
-			a fatal configuration error. [GL #868]
-
-5227.	[placeholder]
-
-5226.	[placeholder]
-
-5225.	[func]		Allow dig to print out AAAA record fully expanded.
-			with +[no]expandaaaa. [GL #765]
+5228.	[cleanup]	If trusted-keys and managed-keys are configured
+			simultaneously for the same name, the key cannot
+			be rolled automatically. This configuration now
+			logs a warning. [GL #868]
 
 5224.	[bug]		Only test provide-ixfr on TCP streams. [GL #991]
 
@@ -521,8 +213,6 @@
 			as a service to be killed prematurely during shutdown.
 			[GL #978]
 
-5212.	[placeholder]
-
 5211.	[bug]		Allow out-of-zone additional data to be included
 			in authoritative responses if recursion is allowed
 			and "minimal-responses" is disabled.  This behavior
@@ -556,6 +246,11 @@
 
 5202.	[bug]		<dns/ecs.h> was missing ISC_LANG_ENDDECLS. [GL #976]
 
+5190.	[bug]		Ignore trust anchors using disabled algorithms.
+			[GL #806]
+
+	--- 9.14.1 released ---
+
 5201.	[bug]		Fix a possible deadlock in RPZ update code. [GL #973]
 
 5200.	[security]	tcp-clients settings could be exceeded in some cases,
@@ -586,38 +281,25 @@
 5193.	[bug]		EID and NIMLOC failed to do multi-line output
 			correctly. [GL #899]
 
-5192.	[placeholder]
-
-5191.	[placeholder]
-
-5190.	[bug]		Ignore trust anchors using disabled algorithms.
-			[GL #806]
-
 5189.	[cleanup]	Remove revoked root DNSKEY from bind.keys. [GL #945]
 
-5188.	[func]		The "dnssec-enable" option is deprecated and no
-			longer has any effect; DNSSEC responses are
-			always enabled. [GL #866]
-
 5187.	[test]		Set time zone before running any tests in dnstap_test.
 			[GL #940]
 
 5186.	[cleanup]	More dnssec-keygen manual tidying. [GL !1678]
 
-5185.	[placeholder]
-
 5184.	[bug]		Missing unlocks in sdlz.c. [GL #936]
 
 5183.	[bug]		Reinitialize ECS data before reusing client
 			structures. [GL #881]
 
+	--- 9.14.0 released ---
+
+	--- 9.14.0rc3 released ---
+
 5182.	[bug]		Fix a high-load race/crash in handling of
 			isc_socket_close() in resolver. [GL #834]
 
-5181.	[func]		Add a mechanism for a DLZ module to signal that
-			the view's allow-transfer ACL should be used to
-			determine whether transfers are allowed. [GL #803]
-
 5180.	[bug]		delv now honors the operating system's preferred
 			ephemeral port range. [GL #925]
 
@@ -632,6 +314,11 @@
 			response-policy zone's SOA record should be added
 			to the additional section (add-soa yes/no). [GL #865]
 
+5167.	[bug]		nxdomain-redirect could sometimes lookup the wrong
+			redirect name. [GL #892]
+
+	--- 9.14.0rc2 released ---
+
 5176.	[tests]		Remove a dependency on libxml in statschannel system
 			test. [GL #926]
 
@@ -661,15 +348,12 @@
 			empty node could cause a crash while processing a
 			type ANY query. [GL #901]
 
+	--- 9.14.0rc1 released ---
+
 5168.	[bug]		Do not crash on shutdown when RPZ fails to load.  Also,
 			keep previous version of the database if RPZ fails to
 			load. [GL #813]
 
-5167.	[bug]		nxdomain-redirect could sometimes lookup the wrong
-			redirect name. [GL #892]
-
-5166.	[placeholder]
-
 5165.	[contrib]	Removed SDB drivers from contrib; they're obsolete.
 			[GL #428]
 
@@ -697,6 +381,20 @@
 5157.	[bug]		Nslookup now errors out if there are extra command
 			line arguments. [GL #207]
 
+5141.	[security]	Zone transfer controls for writable DLZ zones were
+			not effective as the allowzonexfr method was not being
+			called for such zones. (CVE-2019-6465) [GL #790]
+
+5118.	[security]	Named could crash if it is managing a key with
+			`managed-keys` and the authoritative zone is rolling
+			the key to an unsupported algorithm. (CVE-2018-5745)
+			[GL #780]
+
+5110.	[security]	Named leaked memory if there were multiple Key Tag
+			EDNS options present. (CVE-2018-5744) [GL #772]
+
+	--- 9.13.6 released ---
+
 5156.	[doc]		Extended and refined the section of the ARM describing
 			mirror zones. [GL #774]
 
@@ -755,10 +453,6 @@
 			and "nsdname-enable" both now default to yes,
 			regardless of compile-time settings. [GL #824]
 
-5141.	[security]	Zone transfer controls for writable DLZ zones were
-			not effective as the allowzonexfr method was not being
-			called for such zones. (CVE-2019-6465) [GL #790]
-
 5140.	[bug]		Don't immediately mark existing keys as inactive and
 			deleted when running dnssec-keymgr for the first
 			time. [GL #117]
@@ -829,11 +523,6 @@
 
 5119.	[placeholder]
 
-5118.	[security]	Named could crash if it is managing a key with
-			`managed-keys` and the authoritative zone is rolling
-			the key to an unsupported algorithm. (CVE-2018-5745)
-			[GL #780]
-
 5117.	[placeholder]
 
 5116.	[bug]		Named/named-checkconf triggered a assertion when
@@ -854,9 +543,6 @@
 5111.	[bug]		Occluded DNSKEY records could make it into the
 			delegating NSEC/NSEC3 bitmap. [GL #742]
 
-5110.	[security]	Named leaked memory if there were multiple Key Tag
-			EDNS options present. (CVE-2018-5744) [GL #772]
-
 5109.	[cleanup]	Remove support for RSAMD5 algorithm. [GL #628]
 
 	--- 9.13.5 released ---

CODE_OF_CONDUCT

@@ -1,79 +0,0 @@
-CODE OF CONDUCT
-
-BIND 9 Code of Conduct
-
-Like the technical community as a whole, the BIND 9 team and community is
-made up of a mixture of professionals and volunteers from all over the
-world, working on every aspect of the mission - including mentorship,
-teaching, and connecting people.
-
-Diversity is one of our huge strengths, but it can also lead to
-communication issues and unhappiness. To that end, we have a few ground
-rules that we ask people to adhere to. This code applies equally to the
-core development team, open source contributors and those seeking help and
-guidance.
-
-This isn't an exhaustive list of things that you can't do. Rather, take it
-in the spirit in which it's intended - a guide to make it easier to enrich
-all of us and the technical communities in which we participate.
-
-This code of conduct applies to all spaces managed by the BIND 9 project
-or Internet Systems Consortium. This includes chat, the mailing lists, the
-issue tracker, and any other fora created by the project team which the
-community uses for communication. In addition, violations of this code
-outside these spaces may affect a person's ability to participate within
-them.
-
-If you believe someone is violating the code of conduct, we ask that you
-report it by emailing conduct@isc.org. For more details please see our
-Reporting Guidelines.
-
-  * Be friendly and patient.
-  * Be welcoming. We strive to be a community that welcomes and supports
-    people of all backgrounds and identities. This includes, but is not
-    limited to members of any race, ethnicity, culture, national origin,
-    colour, immigration status, social and economic class, educational
-    level, sex, sexual orientation, gender identity and expression, age,
-    size, family status, political belief, religion, and mental and
-    physical ability.
-  * Be considerate. Your work will be used by other people, and you in
-    turn will depend on the work of others. Any decision you take will
-    affect users and colleagues, and you should take those consequences
-    into account when making decisions. Remember that we're a world-wide
-    community, so you might not be communicating in someone else's primary
-    language.
-  * Be respectful. Not all of us will agree all the time, but disagreement
-    is no excuse for poor behavior and poor manners. We might all
-    experience some frustration now and then, but we cannot allow that
-    frustration to turn into a personal attack. It's important to remember
-    that a community where people feel uncomfortable or threatened is not
-    a productive one. Members of the BIND 9 community should be respectful
-    when dealing with other members as well as with people outside the
-    BIND 9 community.
-  * Be careful in the words that you choose. We are a community of
-    professionals, and we conduct ourselves professionally. Be kind to
-    others. Do not insult or put down other participants. Harassment and
-    other exclusionary behavior aren't acceptable. This includes, but is
-    not limited to:
-      + Violent threats or language directed against another person.
-      + Discriminatory jokes and language.
-      + Posting sexually explicit or violent material.
-      + Posting (or threatening to post) other people's personally
-        identifying information ("doxing").
-      + Personal insults, especially those using racist or sexist terms.
-      + Unwelcome sexual attention.
-      + Advocating for, or encouraging, any of the above behavior.
-      + Repeated harassment of others. In general, if someone asks you to
-        stop, then stop.
-  * When we disagree, try to understand why. Disagreements, both social
-    and technical, happen all the time and BIND 9 is no exception. It is
-    important that we resolve disagreements and differing views
-    constructively. Remember that we're different. The strength of BIND 9
-    comes from its varied community, people from a wide range of
-    backgrounds. Different people have different perspectives on issues.
-    Being unable to understand why someone holds a viewpoint doesn't mean
-    that they're wrong. Don't forget that it is human to err and blaming
-    each other doesn't get us anywhere. Instead, focus on helping to
-    resolve issues and learning from mistakes.
-
-Original text courtesy of the Django Code of Conduct project.

CODE_OF_CONDUCT.md

@@ -1,71 +0,0 @@
-# BIND 9 Code of Conduct
-
-Like the technical community as a whole, the BIND 9 team and community is made
-up of a mixture of professionals and volunteers from all over the world, working
-on every aspect of the mission - including mentorship, teaching, and connecting
-people.
-
-Diversity is one of our huge strengths, but it can also lead to communication
-issues and unhappiness. To that end, we have a few ground rules that we ask
-people to adhere to. This code applies equally to the core development team, open source contributors and those
-seeking help and guidance.
-
-This isn't an exhaustive list of things that you can't do. Rather, take it in
-the spirit in which it's intended - a guide to make it easier to enrich all of
-us and the technical communities in which we participate.
-
-This code of conduct applies to all spaces managed by the BIND 9 project or
-Internet Systems Consortium. This includes chat, the mailing lists, the issue
-tracker, and any other fora created by the project team which the
-community uses for communication. In addition, violations of this code outside
-these spaces may affect a person's ability to participate within them.
-
-If you believe someone is violating the code of conduct, we ask that you report
-it by emailing [conduct@isc.org](conduct@isc.org). For more details please see
-our [Reporting Guidelines](https://www.isc.org/conductreporting/).
-
-* **Be friendly and patient.**
-* **Be welcoming.** We strive to be a community that welcomes and supports
-  people of all backgrounds and identities. This includes, but is not limited to
-  members of any race, ethnicity, culture, national origin, colour, immigration
-  status, social and economic class, educational level, sex, sexual orientation,
-  gender identity and expression, age, size, family status, political belief,
-  religion, and mental and physical ability.
-* **Be considerate.** Your work will be used by other people, and you in turn
-  will depend on the work of others. Any decision you take will affect users and
-  colleagues, and you should take those consequences into account when making
-  decisions. Remember that we're a world-wide community, so you might not be
-  communicating in someone else's primary language.
-* **Be respectful.** Not all of us will agree all the time, but disagreement is
-  no excuse for poor behavior and poor manners. We might all experience some
-  frustration now and then, but we cannot allow that frustration to turn into a
-  personal attack. It's important to remember that a community where people feel
-  uncomfortable or threatened is not a productive one. Members of the BIND 9
-  community should be respectful when dealing with other members as well as with
-  people outside the BIND 9 community.
-* **Be careful in the words that you choose.** We are a community of
-  professionals, and we conduct ourselves professionally. Be kind to others. Do
-  not insult or put down other participants. Harassment and other exclusionary
-  behavior aren't acceptable. This includes, but is not limited to:
-  * Violent threats or language directed against another person.
-  * Discriminatory jokes and language.
-  * Posting sexually explicit or violent material.
-  * Posting (or threatening to post) other people's personally identifying
-    information ("doxing").
-  * Personal insults, especially those using racist or sexist terms.
-  * Unwelcome sexual attention.
-  * Advocating for, or encouraging, any of the above behavior.
-  * Repeated harassment of others. In general, if someone asks you to stop, then
-    stop.
-* **When we disagree, try to understand why.** Disagreements, both social and
-  technical, happen all the time and BIND 9 is no exception. It is important
-  that we resolve disagreements and differing views constructively. Remember
-  that we're different. The strength of BIND 9 comes from its varied community,
-  people from a wide range of backgrounds. Different people have different
-  perspectives on issues. Being unable to understand why someone holds a
-  viewpoint doesn't mean that they're wrong. Don't forget that it is human to
-  err and blaming each other doesn't get us anywhere. Instead, focus on helping
-  to resolve issues and learning from mistakes.
-
-Original text courtesy of the [Django Code of Conduct](https://www.djangoproject.com/conduct/)
-project.

CONTRIBUTING

@@ -34,14 +34,6 @@ access to the source repository was restricted just as commit access was.
 That's now changing, with the opening of a public git mirror to the BIND
 source tree (see below).
 
-At Internet Systems Consortium, we're committed to building communities
-that are welcoming and inclusive; environments where people are encouraged
-to share ideas, treat each other with respect, and collaborate towards the
-best solutions. To reinforce our commitment, the Internet Systems
-Consortium has adopted the Contributor Covenant version 1.4 as our Code of
-Conduct for BIND 9 project, as well as for the conduct of our developers
-throughout the industry.
-
 Access to source code
 
 Public BIND releases are always available from the ISC FTP site.

CONTRIBUTING.md

@@ -41,14 +41,6 @@ a release: read access to the source repository was restricted just
 as commit access was.  That's now changing, with the opening of a
 public git mirror to the BIND source tree (see below).
 
-At [Internet Systems Consortium](https://www.isc.org), we're committed to
-building communities that are welcoming and inclusive; environments where people
-are encouraged to share ideas, treat each other with respect, and collaborate
-towards the best solutions. To reinforce our commitment, the [Internet Systems
-Consortium](https://www.isc.org) has adopted the Contributor Covenant version
-1.4 as our Code of Conduct for BIND 9 project, as well as for the conduct of our
-developers throughout the industry.
-
 ### <a name="access"></a>Access to source code
 
 Public BIND releases are always available from the
@@ -116,7 +108,7 @@ ISC's Security Vulnerability Disclosure Policy is documented at [https://kb.isc.
 If you have a crash, you may want to consult
 [‘What to do if your BIND or DHCP server has crashed.’](https://kb.isc.org/article/AA-00340/89/What-to-do-if-your-BIND-or-DHCP-server-has-crashed.html)
 
-### <a name="contrib"></a>Contributing code
+### <a name="bugs"></a>Contributing code
 
 BIND is licensed under the
 [Mozilla Public License 2.0](http://www.isc.org/downloads/software-support-policy/isc-license/).

COPYRIGHT

@@ -1,4 +1,4 @@
-Copyright (C) 1996-2020  Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 1996-2019  Internet Systems Consortium, Inc. ("ISC")
 
 This Source Code Form is subject to the terms of the Mozilla Public
 License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -181,6 +181,67 @@ SUCH DAMAGE.
 
  -----------------------------------------------------------------------------
 
+Copyright (c) 1998 Doug Rabson
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
+
+ -----------------------------------------------------------------------------
+
+Copyright ((c)) 2002, Rice University
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+    * Redistributions of source code must retain the above copyright
+    notice, this list of conditions and the following disclaimer.
+
+    * Redistributions in binary form must reproduce the above
+    copyright notice, this list of conditions and the following
+    disclaimer in the documentation and/or other materials provided
+    with the distribution.
+
+    * Neither the name of Rice University (RICE) nor the names of its
+    contributors may be used to endorse or promote products derived
+    from this software without specific prior written permission.
+
+
+This software is provided by RICE and the contributors on an "as is"
+basis, without any representations or warranties of any kind, express
+or implied including, but not limited to, representations or
+warranties of non-infringement, merchantability or fitness for a
+particular purpose. In no event shall RICE or contributors be liable
+for any direct, indirect, incidental, special, exemplary, or
+consequential damages (including, but not limited to, procurement of
+substitute goods or services; loss of use, data, or profits; or
+business interruption) however caused and on any theory of liability,
+whether in contract, strict liability, or tort (including negligence
+or otherwise) arising in any way out of the use of this software, even
+if advised of the possibility of such damage.
+
+ -----------------------------------------------------------------------------
+
 Copyright (c) 1993 by Digital Equipment Corporation.
 
 Permission to use, copy, modify, and distribute this software for any
@@ -201,6 +262,61 @@ SOFTWARE.
 
  -----------------------------------------------------------------------------
 
+Copyright 2000 Aaron D. Gifford.  All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+3. Neither the name of the copyright holder nor the names of contributors
+   may be used to endorse or promote products derived from this software
+   without specific prior written permission.
+ 
+THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) AND CONTRIBUTOR(S) ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR(S) OR CONTRIBUTOR(S) BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
+
+ -----------------------------------------------------------------------------
+
+Copyright (c) 1998 Doug Rabson.
+Copyright (c) 2001 Jake Burkholder.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
+
+ -----------------------------------------------------------------------------
+
 Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 All rights reserved.
 
@@ -247,6 +363,49 @@ SOFTWARE.
 
  -----------------------------------------------------------------------------
 
+Copyright (c) 2000-2002 Japan Network Information Center.  All rights reserved.
+ 
+By using this file, you agree to the terms and conditions set forth bellow.
+
+                        LICENSE TERMS AND CONDITIONS 
+
+The following License Terms and Conditions apply, unless a different
+license is obtained from Japan Network Information Center ("JPNIC"),
+a Japanese association, Kokusai-Kougyou-Kanda Bldg 6F, 2-3-4 Uchi-Kanda,
+Chiyoda-ku, Tokyo 101-0047, Japan.
+
+1. Use, Modification and Redistribution (including distribution of any
+   modified or derived work) in source and/or binary forms is permitted
+   under this License Terms and Conditions.
+
+2. Redistribution of source code must retain the copyright notices as they
+   appear in each source code file, this License Terms and Conditions.
+
+3. Redistribution in binary form must reproduce the Copyright Notice,
+   this License Terms and Conditions, in the documentation and/or other
+   materials provided with the distribution.  For the purposes of binary
+   distribution the "Copyright Notice" refers to the following language:
+   "Copyright (c) 2000-2002 Japan Network Information Center.  All rights
+   reserved."
+
+4. The name of JPNIC may not be used to endorse or promote products
+   derived from this Software without specific prior written approval of
+   JPNIC.
+
+5. Disclaimer/Limitation of Liability: THIS SOFTWARE IS PROVIDED BY JPNIC
+   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+   PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL JPNIC BE LIABLE
+   FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+   CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+   SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+   BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+   WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+   OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+   ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+ -----------------------------------------------------------------------------
+
 Copyright (C) 2004  Nominet, Ltd.
 
 Permission to use, copy, modify, and distribute this software for any
@@ -263,6 +422,24 @@ PERFORMANCE OF THIS SOFTWARE.
 
  -----------------------------------------------------------------------------
 
+Portions Copyright RSA Security Inc.
+
+License to copy and use this software is granted provided that it is
+identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
+(Cryptoki)" in all material mentioning or referencing this software.
+
+License is also granted to make and use derivative works provided that
+such works are identified as "derived from the RSA Security Inc. PKCS #11
+Cryptographic Token Interface (Cryptoki)" in all material mentioning or
+referencing the derived work.
+
+RSA Security Inc. makes no representations concerning either the
+merchantability of this software or the suitability of this software for
+any particular purpose. It is provided "as is" without express or implied
+warranty of any kind.
+
+ -----------------------------------------------------------------------------
+
 Copyright (c) 1996, David Mazieres <dm@uun.org>
 Copyright (c) 2008, Damien Miller <djm@openbsd.org>
 
@@ -280,6 +457,54 @@ OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
 -----------------------------------------------------------------------------
 
+Copyright (c) 2000-2001 The OpenSSL Project.  All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in
+   the documentation and/or other materials provided with the
+   distribution.
+
+3. All advertising materials mentioning features or use of this
+   software must display the following acknowledgment:
+   "This product includes software developed by the OpenSSL Project
+   for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+
+4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+   endorse or promote products derived from this software without
+   prior written permission. For written permission, please contact
+   licensing@OpenSSL.org.
+
+5. Products derived from this software may not be called "OpenSSL"
+   nor may "OpenSSL" appear in their names without prior written
+   permission of the OpenSSL Project.
+
+6. Redistributions of any form whatsoever must retain the following
+   acknowledgment:
+   "This product includes software developed by the OpenSSL Project
+   for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+
+THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+OF THE POSSIBILITY OF SUCH DAMAGE.
+
+-----------------------------------------------------------------------------
+
 Copyright (c) 1995, 1997, 1998 The NetBSD Foundation, Inc.
 All rights reserved.
 

HISTORY

@@ -2,80 +2,6 @@ HISTORY
 
 Functional enhancements from prior major releases of BIND 9
 
-BIND 9.14
-
-BIND 9.14 (a stable branch based on the 9.13 development branch) includes
-a number of changes from BIND 9.12 and earlier releases. New features
-include:
-
-  * A new "plugin" mechanism has been added to allow query functionality
-    to be extended using dynamically loadable libraries. The "filter-aaaa"
-    feature has been removed from named and is now implemented as a
-    plugin.
-  * Socket and task code has been refactored to improve performance.
-  * QNAME minimization, as described in RFC 7816, is now supported.
-  * "Root key sentinel" support, enabling validating resolvers to indicate
-    via a special query which trust anchors are configured for the root
-    zone.
-  * Secondary zones can now be configured as "mirror" zones; their
-    contents are transferred in as with traditional slave zones, but are
-    subject to DNSSEC validation and are not treated as authoritative data
-    when answering. This makes it easier to configure a local copy of the
-    root zone as described in RFC 7706.
-  * The "validate-except" option allows configuration of domains below
-    which DNSSEC validation should not be performed.
-  * The default value of "dnssec-validation" is now "auto".
-  * IDNA2008 is now supported when linking with libidn2.
-  * "named -V" now outputs the default paths for files used by named and
-    other tools.
-
-In addition, workarounds that were formerly in place to enable resolution
-of domains whose authoritative servers did not respond to EDNS queries
-have been removed. See https://dnsflagday.net for more details.
-
-Cryptographic support has been modernized. BIND now uses the best
-available pseudo-random number generator for the platform on which it's
-built. Very old versions of OpenSSL are no longer supported. Cryptography
-is now mandatory: building BIND without DNSSEC is no longer supported.
-
-Special code to support certain legacy operating systems has also been
-removed; see the file PLATFORMS.md for details of supported platforms. In
-addition to OpenSSL, BIND now requires support for IPv6, threads, and
-standard atomic operations provided by the C compiler.
-
-BIND 9.12
-
-BIND 9.12 includes a number of changes from BIND 9.11 and earlier
-releases. New features include:
-
-  * named and related libraries have been substantially refactored for
-    improved query performance -- particularly on delegation heavy zones
-    -- and for improved readability, maintainability, and testability.
-  * Code implementing the name server query processing logic has been
-    moved into a new libns library, for easier testing and use in tools
-    other than named.
-  * Cached, validated NSEC and other records can now be used to synthesize
-    NXDOMAIN responses.
-  * The DNS Response Policy Service API (DNSRPS) is now supported.
-  * Setting 'max-journal-size default' now limits the size of journal
-    files to twice the size of the zone.
-  * dnstap-read -x prints a hex dump of the wire format of each logged DNS
-    message.
-  * dnstap output files can now be configured to roll automatically when
-    reaching a given size.
-  * Log file timestamps can now also be formatted in ISO 8601 (local) or
-    ISO 8601 (UTC) formats.
-  * Logging channels and dnstap output files can now be configured to use
-    a timestamp as the suffix when rolling to a new file.
-  * 'named-checkconf -l' lists zones found in named.conf.
-  * Added support for the EDNS Padding and Keepalive options.
-  * 'new-zones-directory' option sets the location where the configuration
-    data for zones added by rndc addzone is stored.
-  * The default key algorithm in rndc-confgen is now hmac-sha256.
-  * filter-aaaa-on-v4 and filter-aaaa-on-v6 options are now available by
-    default without a configure option.
-  * The obsolete isc-hmac-fixup command has been removed.
-
 BIND 9.11
 
 BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier

HISTORY.md

@@ -10,81 +10,6 @@
 -->
 ### Functional enhancements from prior major releases of BIND 9
 
-#### BIND 9.14
-
-BIND 9.14 (a stable branch based on the 9.13 development branch)
-includes a number of changes from BIND 9.12 and earlier releases.
-New features include:
-
-* A new "plugin" mechanism has been added to allow query functionality
-  to be extended using dynamically loadable libraries. The "filter-aaaa"
-  feature has been removed from named and is now implemented as a plugin.
-* Socket and task code has been refactored to improve performance.
-* QNAME minimization, as described in RFC 7816, is now supported.
-* "Root key sentinel" support, enabling validating resolvers to indicate
-  via a special query which trust anchors are configured for the root zone.
-* Secondary zones can now be configured as "mirror" zones; their contents
-  are transferred in as with traditional slave zones, but are subject to
-  DNSSEC validation and are not treated as authoritative data when
-  answering. This makes it easier to configure a local copy of the root
-  zone as described in RFC 7706.
-* The "validate-except" option allows configuration of domains below which
-  DNSSEC validation should not be performed.
-* The default value of "dnssec-validation" is now "auto".
-* IDNA2008 is now supported when linking with `libidn2`.
-* "named -V" now outputs the default paths for files used by named
-  and other tools.
-
-In addition, workarounds that were formerly in place to enable resolution
-of domains whose authoritative servers did not respond to EDNS queries
-have been removed. See [https://dnsflagday.net](https://dnsflagday.net)
-for more details.
-
-Cryptographic support has been modernized. BIND now uses the
-best available pseudo-random number generator for the platform on which
-it's built. Very old versions of OpenSSL are no longer supported.
-Cryptography is now mandatory: building BIND without DNSSEC is no
-longer supported.
-
-Special code to support certain legacy operating systems has also
-been removed; see the file [PLATFORMS.md](PLATFORMS.md) for details
-of supported platforms. In addition to OpenSSL, BIND now requires
-support for IPv6, threads, and standard atomic operations provided
-by the C compiler.
-
-#### BIND 9.12
-
-BIND 9.12 includes a number of changes from BIND 9.11 and earlier releases.
-New features include:
-
-* `named` and related libraries have been substantially refactored for
-  improved query performance -- particularly on delegation heavy zones --
-  and for improved readability, maintainability, and testability.
-* Code implementing the name server query processing logic has been moved
-  into a new `libns` library, for easier testing and use in tools other
-  than `named`.
-* Cached, validated NSEC and other records can now be used to synthesize
-  NXDOMAIN responses.
-* The DNS Response Policy Service API (DNSRPS) is now supported.
-* Setting `'max-journal-size default'` now limits the size of journal files
-  to twice the size of the zone.
-* `dnstap-read -x` prints a hex dump of the wire format of each logged
-  DNS message.
-* `dnstap` output files can now be configured to roll automatically when
-  reaching a given size.
-* Log file timestamps can now also be formatted in ISO 8601 (local) or ISO
-  8601 (UTC) formats.
-* Logging channels and `dnstap` output files can now be configured to use a
-  timestamp as the suffix when rolling to a new file.
-* `'named-checkconf -l'` lists zones found in `named.conf`.
-* Added support for the EDNS Padding and Keepalive options.
-* 'new-zones-directory' option sets the location where the configuration
-  data for zones added by rndc addzone is stored.
-* The default key algorithm in `rndc-confgen` is now hmac-sha256.
-* `filter-aaaa-on-v4` and `filter-aaaa-on-v6` options are now available
-  by default without a configure option.
-* The obsolete `isc-hmac-fixup` command has been removed.
-
 #### BIND 9.11
 
 BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier
@@ -150,7 +75,7 @@ releases.  New features include:
 - "rndc modzone" reconfigures a single zone, without requiring the entire
   server to be reconfigured.
 - "rndc showzone" displays the current configuration of a zone.
-- "rndc managed-keys" can be used to check the status of RFC 5011 managed
+- "rndc managed-keys" can be used to check the status of RFC 5001 managed
   trust anchors, or to force trust anchors to be refreshed.
 - "max-cache-size" can now be set to a percentage of available memory. The
   default is 90%.

Makefile.in

@@ -18,7 +18,11 @@ SUBDIRS =	make lib fuzz bin doc
 TARGETS =
 PREREQS =	bind.keys.h
 
-MANOBJS =	README HISTORY OPTIONS CONTRIBUTING PLATFORMS CODE_OF_CONDUCT \
+MANPAGES =	isc-config.sh.1
+
+HTMLPAGES =	isc-config.sh.html
+
+MANOBJS =	README HISTORY OPTIONS CONTRIBUTING PLATFORMS \
 		${MANPAGES} ${HTMLPAGES}
 
 @BIND9_MAKE_RULES@
@@ -31,7 +35,7 @@ bind.keys.h: ${top_srcdir}/bind.keys ${srcdir}/util/bindkeys.pl
 
 distclean::
 	rm -f config.cache config.h config.log config.status TAGS
-	rm -f libtool configure.lineno
+	rm -f libtool isc-config.sh configure.lineno
 	rm -f util/conf.sh docutil/docbook2man-wrapper.sh
 
 # XXX we should clean libtool stuff too.  Only do this after we add rules
@@ -50,11 +54,25 @@ installdirs:
 	${DESTDIR}${localstatedir}/run ${DESTDIR}${sysconfdir}
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
 
-install:: installdirs
+install:: isc-config.sh installdirs
+	${INSTALL_SCRIPT} isc-config.sh ${DESTDIR}${bindir}
+	rm -f ${DESTDIR}${bindir}/bind9-config
+	@LN@ ${DESTDIR}${bindir}/isc-config.sh ${DESTDIR}${bindir}/bind9-config
+	${INSTALL_DATA} ${top_srcdir}/isc-config.sh.1 ${DESTDIR}${mandir}/man1
+	rm -f ${DESTDIR}${mandir}/man1/bind9-config.1
+	@LN@ ${DESTDIR}${mandir}/man1/isc-config.sh.1 ${DESTDIR}${mandir}/man1/bind9-config.1
 	${INSTALL_DATA} ${top_srcdir}/bind.keys ${DESTDIR}${sysconfdir}
 
 uninstall::
 	rm -f ${DESTDIR}${sysconfdir}/bind.keys
+	rm -f ${DESTDIR}${mandir}/man1/bind9-config.1
+	rm -f ${DESTDIR}${mandir}/man1/isc-config.sh.1
+	rm -f ${DESTDIR}${bindir}/bind9-config
+	rm -f ${DESTDIR}${bindir}/isc-config.sh
+
+tags:
+	rm -f TAGS
+	find lib bin -name "*.[ch]" -print | @ETAGS@ -
 
 test check:
 	@if test -n "`${PERL} ${top_srcdir}/bin/tests/system/testsock.pl 2>/dev/null || echo fail`"; then \
@@ -103,11 +121,6 @@ PLATFORMS: PLATFORMS.md
 		${W3M} -dump -cols 75 -O ascii -T text/html | \
 		sed -e '$${/^$$/d;}' > $@
 
-CODE_OF_CONDUCT: CODE_OF_CONDUCT.md
-	${PANDOC} --email-obfuscation=none -s --metadata title="CODE OF CONDUCT" -f markdown-smart -t html CODE_OF_CONDUCT.md | \
-		${W3M} -dump -cols 75 -O ascii -T text/html | \
-		sed -e '$${/^$$/d;}' > $@
-
 unit::
 	sh ${top_builddir}/unit/unittest.sh
 

PLATFORMS

@@ -3,30 +3,11 @@ PLATFORMS
 Supported platforms
 
 In general, this version of BIND will build and run on any POSIX-compliant
-system with a C11-compliant C compiler, BSD-style sockets with
-RFC-compliant IPv6 support, POSIX-compliant threads, the libuv
-asynchronous I/O library, and the OpenSSL cryptography library.
-
-The following C11 features are used in BIND 9:
-
-  * Atomic operations support from the compiler is needed, either in the
-    form of builtin operations, C11 atomics, or the Interlocked family of
-    functions on Windows.
-
-  * Thread Local Storage support from the compiler is needed, either in
-    the form of C11 _Thread_local/thread_local, the __thread GCC
-    extension, or the __declspec(thread) MSVC extension on Windows.
-
-BIND 9.15 requires a fairly recent version of libuv (at least 1.x). For
-some of the older systems listed below, you will have to install an
-updated libuv package from sources such as EPEL, PPA, or other native
-sources for updated packages. The other option is to build and install
-libuv from source.
-
-Certain optional BIND features have additional library dependencies. These
-include libxml2 and libjson-c for statistics, libmaxminddb for
-geolocation, libfstrm and libprotobuf-c for DNSTAP, and libidn2 for
-internationalized domain name conversion.
+system with a C99-compliant C compiler, BSD-style sockets with
+RFC-compliant IPv6 support, POSIX-compliant threads, and the OpenSSL
+cryptography library. Atomic operations support from the compiler is
+needed, either in the form of builtin operations, C11 atomics or the
+Interlocked family of functions on Windows.
 
 ISC regularly tests BIND on many operating systems and architectures, but
 lacks the resources to test all of them. Consequently, ISC is only able to
@@ -34,16 +15,15 @@ offer support on a "best effort" basis for some.
 
 Regularly tested platforms
 
-As of Feb 2020, BIND 9.15 is fully supported and regularly tested on the
+As of Feb 2019, BIND 9.14 is fully supported and regularly tested on the
 following systems:
 
-  * Debian 9, 10
-  * Ubuntu LTS 16.04, 18.04
-  * Fedora 31
-  * Red Hat Enterprise Linux / CentOS 7, 8
-  * FreeBSD 11.3, 12.0
-  * OpenBSD 6.6
-  * Alpine Linux
+  * Debian 8, 9, 10
+  * Ubuntu 16.04, 18.04
+  * Fedora 28, 29
+  * Red Hat Enterprise Linux / CentOS 6, 7
+  * FreeBSD 11.x
+  * OpenBSD 6.2, 6.3
 
 The amd64, i386, armhf and arm64 CPU architectures are all fully
 supported.
@@ -60,33 +40,20 @@ Server 2012 R2, none of these are tested regularly by ISC.
   * Windows 10 / x64
   * macOS 10.12+
   * Solaris 11
+  * FreeBSD 10.x, 12.0+
+  * OpenBSD 6.4+
   * NetBSD
   * Other Linux distributions still supported by their vendors, such as:
-      + Ubuntu 19.04+
+      + Ubuntu 14.04, 18.10+
       + Gentoo
       + Arch Linux
+      + Alpine Linux
   * OpenWRT/LEDE 17.01+
   * Other CPU architectures (mips, mipsel, sparc, ...)
 
-Community maintained
-
-These systems may not all have the required dependencies for building BIND
-easily available, although it will be possible in many cases to compile
-those directly from source. The community and interested parties may wish
-to help with maintenance, and we welcome patch contributions, although we
-cannot guarantee that we will accept them. All contributions will be
-assessed against the risk of adverse effect on officially supported
-platforms.
-
-  * Platforms past or close to their respective EOL dates, such as:
-      + Ubuntu 14.04, 18.10
-      + CentOS 6
-      + Debian Jessie
-      + FreeBSD 10.x
-
 Unsupported platforms
 
-These are platforms on which BIND 9.15 is known not to build or run:
+These are platforms on which BIND 9.14 is known not to build or run:
 
   * Platforms without at least OpenSSL 1.0.2
   * Windows 10 / x86
@@ -96,4 +63,13 @@ These are platforms on which BIND 9.15 is known not to build or run:
   * Platforms that don't support atomic operations (via compiler or
     library)
   * Linux without NPTL (Native POSIX Thread Library)
-  * Platforms on which libuv cannot be compiled
+
+Platform quirks
+
+NetBSD 6 i386
+
+The i386 build of NetBSD requires the libatomic library, available from
+the gcc5-libs package. Because this library is in a non-standard path, its
+location must be specified in the configure command line:
+
+LDFLAGS="-L/usr/pkg/gcc5/i486--netbsdelf/lib/ -Wl,-R/usr/pkg/gcc5/i486--netbsdelf/lib/" ./configure

PLATFORMS.md

@@ -11,30 +11,11 @@
 ## Supported platforms
 
 In general, this version of BIND will build and run on any POSIX-compliant
-system with a C11-compliant C compiler, BSD-style sockets with RFC-compliant
-IPv6 support, POSIX-compliant threads, the `libuv` asynchronous I/O library,
-and the OpenSSL cryptography library.
-
-The following C11 features are used in BIND 9:
-
-* Atomic operations support from the compiler is needed, either in the form of
-  builtin operations, C11 atomics, or the `Interlocked` family of functions on
-  Windows.
-
-* Thread Local Storage support from the compiler is needed, either in the form
-  of C11 `_Thread_local`/`thread_local`, the `__thread` GCC extension, or
-  the `__declspec(thread)` MSVC extension on Windows.
-
-BIND 9.15 requires a fairly recent version of `libuv` (at least 1.x).  For
-some of the older systems listed below, you will have to install an updated
-`libuv` package from sources such as EPEL, PPA, or other native sources for
-updated packages. The other option is to build and install `libuv` from
-source.
-
-Certain optional BIND features have additional library dependencies.
-These include `libxml2` and `libjson-c` for statistics, `libmaxminddb` for
-geolocation, `libfstrm` and `libprotobuf-c` for DNSTAP, and `libidn2` for
-internationalized domain name conversion.
+system with a C99-compliant C compiler, BSD-style sockets with RFC-compliant
+IPv6 support, POSIX-compliant threads, and the OpenSSL cryptography library.
+Atomic operations support from the compiler is needed, either in the form of
+builtin operations, C11 atomics or the Interlocked family of functions on
+Windows.
 
 ISC regularly tests BIND on many operating systems and architectures, but
 lacks the resources to test all of them. Consequently, ISC is only able to
@@ -42,16 +23,15 @@ offer support on a "best effort" basis for some.
 
 ### Regularly tested platforms
 
-As of Feb 2020, BIND 9.15 is fully supported and regularly tested on the
+As of Feb 2019, BIND 9.14 is fully supported and regularly tested on the
 following systems:
 
-* Debian 9, 10
-* Ubuntu LTS 16.04, 18.04
-* Fedora 31
-* Red Hat Enterprise Linux / CentOS 7, 8
-* FreeBSD 11.3, 12.0
-* OpenBSD 6.6
-* Alpine Linux
+* Debian 8, 9, 10
+* Ubuntu 16.04, 18.04
+* Fedora 28, 29
+* Red Hat Enterprise Linux / CentOS 6, 7
+* FreeBSD 11.x
+* OpenBSD 6.2, 6.3
 
 The amd64, i386, armhf and arm64 CPU architectures are all fully supported.
 
@@ -67,33 +47,20 @@ Server 2012 R2, none of these are tested regularly by ISC.
 * Windows 10 / x64
 * macOS 10.12+
 * Solaris 11
+* FreeBSD 10.x, 12.0+
+* OpenBSD 6.4+
 * NetBSD
 * Other Linux distributions still supported by their vendors, such as:
-    * Ubuntu 19.04+
+    * Ubuntu 14.04, 18.10+
     * Gentoo
     * Arch Linux
+    * Alpine Linux
 * OpenWRT/LEDE 17.01+
 * Other CPU architectures (mips, mipsel, sparc, ...)
 
-### Community maintained
-
-These systems may not all have the required dependencies for building BIND
-easily available, although it will be possible in many cases to compile
-those directly from source. The community and interested parties may wish
-to help with maintenance, and we welcome patch contributions, although we
-cannot guarantee that we will accept them.  All contributions will be
-assessed against the risk of adverse effect on officially supported
-platforms.
-
-* Platforms past or close to their respective EOL dates, such as:
-    * Ubuntu 14.04, 18.10
-    * CentOS 6
-    * Debian Jessie
-    * FreeBSD 10.x
-
 ## Unsupported platforms
 
-These are platforms on which BIND 9.15 is known *not* to build or run:
+These are platforms on which BIND 9.14 is known *not* to build or run:
 
 * Platforms without at least OpenSSL 1.0.2
 * Windows 10 / x86
@@ -102,4 +69,15 @@ These are platforms on which BIND 9.15 is known *not* to build or run:
 * Platforms that don't support IPv6 Advanced Socket API (RFC 3542)
 * Platforms that don't support atomic operations (via compiler or library)
 * Linux without NPTL (Native POSIX Thread Library)
-* Platforms on which `libuv` cannot be compiled
+
+## Platform quirks
+
+### NetBSD 6 i386
+
+The i386 build of NetBSD requires the `libatomic` library, available from
+the `gcc5-libs` package.  Because this library is in a non-standard path,
+its location must be specified in the `configure` command line:
+
+```
+LDFLAGS="-L/usr/pkg/gcc5/i486--netbsdelf/lib/ -Wl,-R/usr/pkg/gcc5/i486--netbsdelf/lib/" ./configure
+```

README

@@ -7,7 +7,7 @@ Contents
  1. Introduction
  2. Reporting bugs and getting help
  3. Contributing to BIND
- 4. BIND 9.15 features
+ 4. BIND 9.14 features
  5. Building BIND
  6. macOS
  7. Dependencies
@@ -48,8 +48,8 @@ the file HISTORY.
 For a detailed list of changes made throughout the history of BIND 9, see
 the file CHANGES. See below for details on the CHANGES file format.
 
-For up-to-date versions and release notes, see https://www.isc.org/
-download/.
+For up-to-date release notes and errata, see http://www.isc.org/software/
+bind9/releasenotes
 
 For information about supported platforms, see PLATFORMS.
 
@@ -90,9 +90,8 @@ ISC maintains a public git repository for BIND; details can be found at
 http://www.isc.org/git/.
 
 Information for BIND contributors can be found in the following files: -
-General information: CONTRIBUTING.md - Code of Conduct: CODE_OF_CONDUCT.md
-- BIND 9 code style: doc/dev/style.md - BIND architecture and developer
-guide: doc/dev/dev.md
+General information: CONTRIBUTING.md - BIND 9 code style: doc/dev/style.md
+- BIND architecture and developer guide: doc/dev/dev.md
 
 Patches for BIND may be submitted as merge requests in the ISC GitLab
 server at at https://gitlab.isc.org/isc-projects/bind9/merge_requests.
@@ -106,38 +105,99 @@ If you prefer, you may also submit code by opening a GitLab Issue and
 including your patch as an attachment, preferably generated by git
 format-patch.
 
-BIND 9.15 features
+BIND 9.14 features
 
-BIND 9.15 is the newest development branch of BIND 9. It includes a number
-of changes from BIND 9.14 and earlier releases. New features include:
+BIND 9.14.0 is the first release from a new stable branch of BIND 9,
+incorporating all changes from the 9.13 development branch, updating the
+most recent stable branch, 9.12. These changes include:
 
-  * New dnssec-policy statement to configure a key and signing policy for
-    zones, enabling automatic key regeneration and rollover.
-  * New network manager based on libuv.
-  * Added support for the new GeoIP2 geolocation API, libmaxminddb.
-  * Improved DNSSEC trust anchor configuration using the trust-anchors
-    statement, permitting configuration of trust anchors in DS as well as
-    DNSKEY format.
-  * YAML output for dig, mdig, and delv.
+  * A new "plugin" mechanism has been added to allow query functionality
+    to be extended using dynamically loadable libraries. The "filter-aaaa"
+    feature has been removed from named and is now implemented as a
+    plugin.
+  * QNAME minimization, as described in RFC 7816, is now supported.
+  * Socket and task code has been refactored to improve performance on
+    most modern machines.
+  * "Root key sentinel" support, enabling validating resolvers to indicate
+    via a special query which trust anchors are configured for the root
+    zone.
+  * Secondary zones can now be configured as "mirror" zones; their
+    contents are transferred in as with traditional slave zones, but are
+    subject to DNSSEC validation and are not treated as authoritative data
+    when answering. This makes it easier to configure a local copy of the
+    root zone as described in RFC 7706.
+  * The "validate-except" option allows configuration of domains below
+    which DNSSEC validation should not be performed.
+  * The default value of "dnssec-validation" is now "auto".
+  * IDNA2008 is now supported when linking with libidn2.
+  * "named -V" now outputs the default paths for files used by named and
+    other tools.
+
+In addition, workarounds that were formerly in place to enable resolution
+of domains whose authoritative servers did not respond to EDNS queries
+have been removed. See https://dnsflagday.net for more details.
+
+Cryptographic support has been modernized. BIND now uses the best
+available pseudo-random number generator for the platform on which it's
+built. Very old versions of OpenSSL are no longer supported. Cryptography
+is now mandatory: building BIND without DNSSEC is no longer supported.
+
+Special code to support certain legacy operating systems has also been
+removed; see the file PLATFORMS.md for details of supported platforms. In
+addition to OpenSSL, BIND now requires support for IPv6, threads, and
+standard atomic operations provided by the C compiler. Non-threaded builds
+are no longer supported.
+
+BIND 9.14.1
+
+BIND 9.14.1 is a maintenance release, and addresses security
+vulnerabilities disclosed in CVE-2018-5743 and CVE-2019-6467.
+
+BIND 9.14.2
+
+BIND 9.14.2 is a maintenance release.
+
+BIND 9.14.3
+
+BIND 9.14.3 is a maintenance release, and addresses the security
+vulnerability disclosed in CVE-2019-6471.
+
+BIND 9.14.4
+
+BIND 9.14.4 is a maintenance release, and also adds support for the new
+MaxMind GeoIP2 geolocation API when built with configure --with-geoip2.
+
+BIND 9.14.5
+
+BIND 9.14.5 is a maintenance release.
+
+BIND 9.14.6
+
+BIND 9.14.6 is a maintenance release.
+
+BIND 9.14.7
+
+BIND 9.14.7 is a maintenance release, and also addresses the security
+vulnerabilities disclosed in CVE-2019-6475 and CVE-2019-6476.
 
 Building BIND
 
 Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
-basic POSIX support, and a 64-bit integer type. BIND also requires the
-libuv asynchronous I/O library, and a cryptography provider library such
-as OpenSSL or a hardware service module supporting PKCS#11. On Linux, BIND
-requires the libcap library to set process privileges, though this
-requirement can be overridden by disabling capability support at compile
-time. See Compile-time options below for details on other libraries that
-may be required to support optional features.
+basic POSIX support, and a 64-bit integer type. Successful builds have
+been observed on many versions of Linux and UNIX, including RHEL/CentOS,
+Fedora, Debian, Ubuntu, SLES, openSUSE, Slackware, Alpine, FreeBSD,
+NetBSD, OpenBSD, macOS, Solaris, OpenIndiana, OmniOS CE, HP-UX, and
+OpenWRT.
 
-Successful builds have been observed on many versions of Linux and UNIX,
-including RHEL/CentOS, Fedora, Debian, Ubuntu, SLES, openSUSE, Slackware,
-Alpine, FreeBSD, NetBSD, OpenBSD, macOS, Solaris, OpenIndiana, OmniOS CE,
-HP-UX, and OpenWRT.
+BIND requires a cryptography provider library such as OpenSSL or a
+hardware service module supporting PKCS#11. On Linux, BIND requires the
+libcap library to set process privileges, though this requirement can be
+overridden by disabling capability support at compile time. See
+Compile-time options below for details on other libraries that may be
+required to support optional features.
 
-BIND is also available for Windows Server 2012 R2 and higher. See
-win32utils/build.txt for details on building for Windows systems.
+BIND is also available for Windows Server 2008 and higher. See win32utils/
+build.txt for details on building for Windows systems.
 
 To build on a UNIX or Linux system, use:
 
@@ -180,10 +240,9 @@ Dependencies
 
 Portions of BIND that are written in Python, including dnssec-keymgr,
 dnssec-coverage, dnssec-checkds, and some of the system tests, require the
-argparse, ply and distutils.core modules to be available. argparse is a
-standard module as of Python 2.7 and Python 3.2. ply is available from
-https://pypi.python.org/pypi/ply. distutils.core is required for
-installation.
+argparse and ply modules to be available. argparse is a standard module as
+of Python 2.7 and Python 3.2. ply is available from https://
+pypi.python.org/pypi/ply.
 
 Compile-time options
 
@@ -216,11 +275,10 @@ To support storing configuration data for runtime-added zones in an LMDB
 database, the server must be linked with liblmdb. If this is installed in
 a nonstandard location, specify the prefix using with-lmdb=/prefix.
 
-To support MaxMind GeoIP2 location-based ACLs, the server must be linked
-with libmaxminddb. This is turned on by default if the library is found;
-if the library is installed in a nonstandard location, specify the prefix
-using --with-maxminddb=/prefix. GeoIP2 support can be switched off with
---disable-geoip.
+To support GeoIP location-based ACLs, the server must be linked with
+libGeoIP. This is not turned on by default; BIND must be configured with
+--with-geoip. If the library is installed in a nonstandard location,
+specify the prefix using --with-geoip=/prefix.
 
 For DNSTAP packet logging, you must have installed libfstrm https://
 github.com/farsightsec/fstrm and libprotobuf-c https://
@@ -258,8 +316,11 @@ default, installation is into /usr/local, but this can be changed with the
 
 You may specify the option --sysconfdir to set the directory where
 configuration files like named.conf go by default, and --localstatedir to
-set the default parent directory of run/named.pid. --sysconfdir defaults
-to $prefix/etc and --localstatedir defaults to $prefix/var.
+set the default parent directory of run/named.pid. For backwards
+compatibility with BIND 8, --sysconfdir defaults to /etc and
+--localstatedir defaults to /var if no --prefix option is given. If there
+is a --prefix option, sysconfdir defaults to $prefix/etc and localstatedir
+defaults to $prefix/var.
 
 Automated testing
 

README.md

@@ -15,7 +15,7 @@
 1. [Introduction](#intro)
 1. [Reporting bugs and getting help](#help)
 1. [Contributing to BIND](#contrib)
-1. [BIND 9.15 features](#features)
+1. [BIND 9.14 features](#features)
 1. [Building BIND](#build)
 1. [macOS](#macos)
 1. [Dependencies](#dependencies)
@@ -57,8 +57,8 @@ For a detailed list of changes made throughout the history of BIND 9, see
 the file [CHANGES](CHANGES). See [below](#changes) for details on the
 CHANGES file format.
 
-For up-to-date versions and release notes, see
-[https://www.isc.org/download/](https://www.isc.org/download/).
+For up-to-date release notes and errata, see
+[http://www.isc.org/software/bind9/releasenotes](http://www.isc.org/software/bind9/releasenotes)
 
 For information about supported platforms, see [PLATFORMS](PLATFORMS.md).
 
@@ -101,8 +101,7 @@ ISC maintains a public git repository for BIND; details can be found
 at [http://www.isc.org/git/](http://www.isc.org/git/).
 
 Information for BIND contributors can be found in the following files:
-- General information: [CONTRIBUTING.md](CONTRIBUTING.md)
-- Code of Conduct: [CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md)
+- General information: [CONTRIBUTING.md](CONTRIBUTING)
 - BIND 9 code style: [doc/dev/style.md](doc/dev/style.md)
 - BIND architecture and developer guide: [doc/dev/dev.md](doc/dev/dev.md)
 
@@ -121,39 +120,98 @@ If you prefer, you may also submit code by opening a
 including your patch as an attachment, preferably generated by
 `git format-patch`.
 
-### <a name="features"/> BIND 9.15 features
+### <a name="features"/> BIND 9.14 features
 
-BIND 9.15 is the newest development branch of BIND 9. It includes a
-number of changes from BIND 9.14 and earlier releases. New features
-include:
+BIND 9.14.0 is the first release from a new stable branch of BIND 9,
+incorporating all changes from the 9.13 development branch, updating
+the most recent stable branch, 9.12.  These changes include:
 
-* New `dnssec-policy` statement to configure a key and signing policy
-  for zones, enabling automatic key regeneration and rollover.
-* New network manager based on libuv.
-* Added support for the new GeoIP2 geolocation API, `libmaxminddb`.
-* Improved DNSSEC trust anchor configuration using the `trust-anchors`
-  statement, permitting configuration of trust anchors in DS as well as
-  DNSKEY format.
-* YAML output for `dig`, `mdig`, and `delv`.
+* A new "plugin" mechanism has been added to allow query functionality
+  to be extended using dynamically loadable libraries. The "filter-aaaa"
+  feature has been removed from named and is now implemented as a plugin.
+* QNAME minimization, as described in RFC 7816, is now supported.
+* Socket and task code has been refactored to improve performance on most
+  modern machines.
+* "Root key sentinel" support, enabling validating resolvers to indicate
+  via a special query which trust anchors are configured for the root zone.
+* Secondary zones can now be configured as "mirror" zones; their contents
+  are transferred in as with traditional slave zones, but are subject to
+  DNSSEC validation and are not treated as authoritative data when
+  answering. This makes it easier to configure a local copy of the root
+  zone as described in RFC 7706.
+* The "validate-except" option allows configuration of domains below which
+  DNSSEC validation should not be performed.
+* The default value of "dnssec-validation" is now "auto".
+* IDNA2008 is now supported when linking with `libidn2`.
+* "named -V" now outputs the default paths for files used by named
+  and other tools.
+
+In addition, workarounds that were formerly in place to enable resolution
+of domains whose authoritative servers did not respond to EDNS queries
+have been removed. See [https://dnsflagday.net](https://dnsflagday.net)
+for more details.
+
+Cryptographic support has been modernized. BIND now uses the
+best available pseudo-random number generator for the platform on which
+it's built. Very old versions of OpenSSL are no longer supported.
+Cryptography is now mandatory: building BIND without DNSSEC is no
+longer supported.
+
+Special code to support certain legacy operating systems has also
+been removed; see the file [PLATFORMS.md](PLATFORMS.md) for details
+of supported platforms. In addition to OpenSSL, BIND now requires
+support for IPv6, threads, and standard atomic operations provided
+by the C compiler. Non-threaded builds are no longer supported.
+
+#### BIND 9.14.1
+
+BIND 9.14.1 is a maintenance release, and addresses security
+vulnerabilities disclosed in CVE-2018-5743 and CVE-2019-6467.
+
+#### BIND 9.14.2
+
+BIND 9.14.2 is a maintenance release.
+
+#### BIND 9.14.3
+
+BIND 9.14.3 is a maintenance release, and addresses the security
+vulnerability disclosed in CVE-2019-6471.
+
+#### BIND 9.14.4
+
+BIND 9.14.4 is a maintenance release, and also adds support for
+the new MaxMind GeoIP2 geolocation API when built with
+`configure --with-geoip2`.
+
+#### BIND 9.14.5
+
+BIND 9.14.5 is a maintenance release.
+
+#### BIND 9.14.6
+
+BIND 9.14.6 is a maintenance release.
+
+#### BIND 9.14.7
+
+BIND 9.14.7 is a maintenance release, and also addresses the security
+vulnerabilities disclosed in CVE-2019-6475 and CVE-2019-6476.
 
 ### <a name="build"/> Building BIND
 
 Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
-basic POSIX support, and a 64-bit integer type.  BIND also requires the
-`libuv` asynchronous I/O library, and a cryptography provider library
-such as OpenSSL or a hardware service module supporting PKCS#11. On
-Linux, BIND requires the `libcap` library to set process privileges,
-though this requirement can be overridden by disabling capability
-support at compile time. See [Compile-time options](#opts) below
-for details on other libraries that may be required to support
-optional features.
+basic POSIX support, and a 64-bit integer type. Successful builds have been
+observed on many versions of Linux and UNIX, including RHEL/CentOS, Fedora,
+Debian, Ubuntu, SLES, openSUSE, Slackware, Alpine, FreeBSD, NetBSD,
+OpenBSD, macOS, Solaris, OpenIndiana, OmniOS CE, HP-UX, and OpenWRT.
 
-Successful builds have been observed on many versions of Linux and
-UNIX, including RHEL/CentOS, Fedora, Debian, Ubuntu, SLES, openSUSE,
-Slackware, Alpine, FreeBSD, NetBSD, OpenBSD, macOS, Solaris,
-OpenIndiana, OmniOS CE, HP-UX, and OpenWRT.
+BIND requires a cryptography provider library such as OpenSSL or a
+hardware service module supporting PKCS#11. On Linux, BIND requires
+the `libcap` library to set process privileges, though this requirement
+can be overridden by disabling capability support at compile time.
+See [Compile-time options](#opts) below for details on other libraries
+that may be required to support optional features.
 
-BIND is also available for Windows Server 2012 R2 and higher.  See
+BIND is also available for Windows Server 2008 and higher.  See
 `win32utils/build.txt` for details on building for Windows
 systems.
 
@@ -191,11 +249,9 @@ or if you have Xcode already installed you can run `xcode-select --install`.
 
 Portions of BIND that are written in Python, including
 `dnssec-keymgr`, `dnssec-coverage`, `dnssec-checkds`, and some of the
-system tests, require the `argparse`, `ply` and `distutils.core` modules
-to be available.
+system tests, require the `argparse` and `ply` modules to be available.
 `argparse` is a standard module as of Python 2.7 and Python 3.2.
 `ply` is available from [https://pypi.python.org/pypi/ply](https://pypi.python.org/pypi/ply).
-`distutils.core` is required for installation.
 
 #### <a name="opts"/> Compile-time options
 
@@ -229,11 +285,10 @@ To support storing configuration data for runtime-added zones in an LMDB
 database, the server must be linked with liblmdb. If this is installed in a
 nonstandard location, specify the prefix using `with-lmdb=/prefix`.
 
-To support MaxMind GeoIP2 location-based ACLs, the server must be linked
-with `libmaxminddb`. This is turned on by default if the library is
-found; if the library is installed in a nonstandard location,
-specify the prefix using `--with-maxminddb=/prefix`. GeoIP2 support
-can be switched off with `--disable-geoip`.
+To support GeoIP location-based ACLs, the server must be linked with
+libGeoIP. This is not turned on by default; BIND must be configured with
+`--with-geoip`. If the library is installed in a nonstandard location,
+specify the prefix using `--with-geoip=/prefix`.
 
 For DNSTAP packet logging, you must have installed `libfstrm`
 [https://github.com/farsightsec/fstrm](https://github.com/farsightsec/fstrm)
@@ -272,8 +327,11 @@ default, installation is into /usr/local, but this can be changed with the
 
 You may specify the option `--sysconfdir` to set the directory where
 configuration files like `named.conf` go by default, and `--localstatedir`
-to set the default parent directory of `run/named.pid`.   `--sysconfdir`
-defaults to `$prefix/etc` and `--localstatedir` defaults to `$prefix/var`.
+to set the default parent directory of `run/named.pid`.   For backwards
+compatibility with BIND 8, `--sysconfdir` defaults to `/etc` and
+`--localstatedir` defaults to `/var` if no `--prefix` option is given.  If
+there is a `--prefix` option, sysconfdir defaults to `$prefix/etc` and
+localstatedir defaults to `$prefix/var`.
 
 ### <a name="testing"/> Automated testing
 

aclocal.m4

@@ -288,93 +288,6 @@ AS_VAR_COPY([$1], [pkg_cv_][$1])
 AS_VAR_IF([$1], [""], [$5], [$4])dnl
 ])dnl PKG_CHECK_VAR
 
-# AM_CONDITIONAL                                            -*- Autoconf -*-
-
-# Copyright (C) 1997-2018 Free Software Foundation, Inc.
-#
-# This file is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# AM_CONDITIONAL(NAME, SHELL-CONDITION)
-# -------------------------------------
-# Define a conditional.
-AC_DEFUN([AM_CONDITIONAL],
-[AC_PREREQ([2.52])dnl
- m4_if([$1], [TRUE],  [AC_FATAL([$0: invalid condition: $1])],
-       [$1], [FALSE], [AC_FATAL([$0: invalid condition: $1])])dnl
-AC_SUBST([$1_TRUE])dnl
-AC_SUBST([$1_FALSE])dnl
-_AM_SUBST_NOTMAKE([$1_TRUE])dnl
-_AM_SUBST_NOTMAKE([$1_FALSE])dnl
-m4_define([_AM_COND_VALUE_$1], [$2])dnl
-if $2; then
-  $1_TRUE=
-  $1_FALSE='#'
-else
-  $1_TRUE='#'
-  $1_FALSE=
-fi
-AC_CONFIG_COMMANDS_PRE(
-[if test -z "${$1_TRUE}" && test -z "${$1_FALSE}"; then
-  AC_MSG_ERROR([[conditional "$1" was never defined.
-Usually this means the macro was only invoked conditionally.]])
-fi])])
-
-# Add --enable-maintainer-mode option to configure.         -*- Autoconf -*-
-# From Jim Meyering
-
-# Copyright (C) 1996-2018 Free Software Foundation, Inc.
-#
-# This file is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# AM_MAINTAINER_MODE([DEFAULT-MODE])
-# ----------------------------------
-# Control maintainer-specific portions of Makefiles.
-# Default is to disable them, unless 'enable' is passed literally.
-# For symmetry, 'disable' may be passed as well.  Anyway, the user
-# can override the default with the --enable/--disable switch.
-AC_DEFUN([AM_MAINTAINER_MODE],
-[m4_case(m4_default([$1], [disable]),
-       [enable], [m4_define([am_maintainer_other], [disable])],
-       [disable], [m4_define([am_maintainer_other], [enable])],
-       [m4_define([am_maintainer_other], [enable])
-        m4_warn([syntax], [unexpected argument to AM@&t@_MAINTAINER_MODE: $1])])
-AC_MSG_CHECKING([whether to enable maintainer-specific portions of Makefiles])
-  dnl maintainer-mode's default is 'disable' unless 'enable' is passed
-  AC_ARG_ENABLE([maintainer-mode],
-    [AS_HELP_STRING([--]am_maintainer_other[-maintainer-mode],
-      am_maintainer_other[ make rules and dependencies not useful
-      (and sometimes confusing) to the casual installer])],
-    [USE_MAINTAINER_MODE=$enableval],
-    [USE_MAINTAINER_MODE=]m4_if(am_maintainer_other, [enable], [no], [yes]))
-  AC_MSG_RESULT([$USE_MAINTAINER_MODE])
-  AM_CONDITIONAL([MAINTAINER_MODE], [test $USE_MAINTAINER_MODE = yes])
-  MAINT=$MAINTAINER_MODE_TRUE
-  AC_SUBST([MAINT])dnl
-]
-)
-
-# Copyright (C) 2006-2018 Free Software Foundation, Inc.
-#
-# This file is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# _AM_SUBST_NOTMAKE(VARIABLE)
-# ---------------------------
-# Prevent Automake from outputting VARIABLE = @VARIABLE@ in Makefile.in.
-# This macro is traced by Automake.
-AC_DEFUN([_AM_SUBST_NOTMAKE])
-
-# AM_SUBST_NOTMAKE(VARIABLE)
-# --------------------------
-# Public sister of _AM_SUBST_NOTMAKE.
-AC_DEFUN([AM_SUBST_NOTMAKE], [_AM_SUBST_NOTMAKE($@)])
-
-m4_include([m4/ax_check_compile_flag.m4])
 m4_include([m4/ax_check_openssl.m4])
 m4_include([m4/ax_posix_shell.m4])
 m4_include([m4/ax_pthread.m4])

bin/check/Makefile.in

@@ -16,16 +16,15 @@ VERSION=@BIND9_VERSION@
 @BIND9_MAKE_INCLUDES@
 
 CINCLUDES =	${NS_INCLUDES} ${BIND9_INCLUDES} ${DNS_INCLUDES} ${ISCCFG_INCLUDES} \
-		${ISC_INCLUDES} \
-		${OPENSSL_CFLAGS}
+		${ISC_INCLUDES} @OPENSSL_INCLUDES@
 
 CDEFINES = 	-DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
 CWARNINGS =
 
 DNSLIBS =	../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
 ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
-ISCLIBS =	../../lib/isc/libisc.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS}
-ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS}
+ISCLIBS =	../../lib/isc/libisc.@A@ @OPENSSL_LIBS@
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LIBS@
 BIND9LIBS =	../../lib/bind9/libbind9.@A@
 NSLIBS =	../../lib/ns/libns.@A@
 

bin/check/check-tool.c

@@ -12,6 +12,8 @@
 
 /*! \file */
 
+#include <config.h>
+
 #include <stdbool.h>
 #include <stdio.h>
 #include <inttypes.h>
@@ -127,7 +129,9 @@ add(char *key, int value) {
 	isc_symvalue_t symvalue;
 
 	if (sym_mctx == NULL) {
-		isc_mem_create(&sym_mctx);
+		result = isc_mem_create(0, 0, &sym_mctx);
+		if (result != ISC_R_SUCCESS)
+			return;
 	}
 
 	if (symtab == NULL) {
@@ -138,6 +142,8 @@ add(char *key, int value) {
 	}
 
 	key = isc_mem_strdup(sym_mctx, key);
+	if (key == NULL)
+		return;
 
 	symvalue.as_pointer = NULL;
 	result = isc_symtab_define(symtab, key, value, symvalue,
@@ -662,7 +668,7 @@ load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
 	origin = dns_fixedname_initname(&fixorigin);
 	CHECK(dns_name_fromtext(origin, &buffer, dns_rootname, 0, NULL));
 	CHECK(dns_zone_setorigin(zone, origin));
-	dns_zone_setdbtype(zone, 1, (const char * const *) dbtype);
+	CHECK(dns_zone_setdbtype(zone, 1, (const char * const *) dbtype));
 	CHECK(dns_zone_setfile(zone, filename, fileformat,
 			       &dns_master_style_default));
 	if (journal != NULL)
@@ -716,7 +722,7 @@ dump_zone(const char *zonename, dns_zone_t *zone, const char *filename,
 	FILE *output = stdout;
 	const char *flags;
 
-	flags = (fileformat == dns_masterformat_text) ? "w" : "wb";
+	flags = (fileformat == dns_masterformat_text) ? "w+" : "wb+";
 
 	if (debug) {
 		if (filename != NULL && strcmp(filename, "-") != 0)

bin/check/named-checkconf.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -86,11 +86,6 @@ Check "core" configuration only\&. This suppresses the loading of plugin modules
 statements to be ignored\&.
 .RE
 .PP
-\-i
-.RS 4
-Ignore warnings on deprecated options\&.
-.RE
-.PP
 \-p
 .RS 4
 Print out the
@@ -148,5 +143,5 @@ BIND 9 Administrator Reference Manual\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/check/named-checkconf.c

@@ -12,6 +12,8 @@
 
 /*! \file */
 
+#include <config.h>
+
 #include <errno.h>
 #include <stdbool.h>
 #include <stdlib.h>
@@ -28,7 +30,6 @@
 #include <isc/util.h>
 
 #include <isccfg/namedconf.h>
-#include <isccfg/grammar.h>
 
 #include <bind9/check.h>
 
@@ -62,7 +63,7 @@ usage(void) ISC_PLATFORM_NORETURN_POST;
 
 static void
 usage(void) {
-	fprintf(stderr, "usage: %s [-chijlvz] [-p [-x]] [-t directory] "
+	fprintf(stderr, "usage: %s [-chjlvz] [-p [-x]] [-t directory] "
 		"[named.conf]\n", program);
 	exit(1);
 }
@@ -421,7 +422,7 @@ configure_zone(const char *vclass, const char *view,
 
 	obj = NULL;
 	if (get_maps(maps, "max-zone-ttl", &obj)) {
-		maxttl = cfg_obj_asduration(obj);
+		maxttl = cfg_obj_asuint32(obj);
 		zone_options |= DNS_ZONEOPT_CHECKTTL;
 	}
 
@@ -556,7 +557,6 @@ main(int argc, char **argv) {
 	bool load_zones = false;
 	bool list_zones = false;
 	bool print = false;
-	bool nodeprecate = false;
 	unsigned int flags = 0;
 
 	isc_commandline_errprint = false;
@@ -564,7 +564,7 @@ main(int argc, char **argv) {
 	/*
 	 * Process memory debugging argument first.
 	 */
-#define CMDLINE_FLAGS "cdhijlm:t:pvxz"
+#define CMDLINE_FLAGS "cdhjlm:t:pvxz"
 	while ((c = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
 		switch (c) {
 		case 'm':
@@ -585,7 +585,7 @@ main(int argc, char **argv) {
 	}
 	isc_commandline_reset = true;
 
-	isc_mem_create(&mctx);
+	RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
 
 	while ((c = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != EOF) {
 		switch (c) {
@@ -597,10 +597,6 @@ main(int argc, char **argv) {
 			debug++;
 			break;
 
-		case 'i':
-			nodeprecate = true;
-			break;
-
 		case 'j':
 			nomerge = false;
 			break;
@@ -681,16 +677,11 @@ main(int argc, char **argv) {
 
 	RUNTIME_CHECK(cfg_parser_create(mctx, logc, &parser) == ISC_R_SUCCESS);
 
-	if (nodeprecate) {
-		cfg_parser_setflags(parser, CFG_PCTX_NODEPRECATED, true);
-	}
 	cfg_parser_setcallback(parser, directory_callback, NULL);
 
 	if (cfg_parse_file(parser, conffile, &cfg_type_namedconf, &config) !=
 	    ISC_R_SUCCESS)
-	{
 		exit(1);
-	}
 
 	result = bind9_check_namedconf(config, loadplugins, logc, mctx);
 	if (result != ISC_R_SUCCESS) {
@@ -709,6 +700,8 @@ main(int argc, char **argv) {
 
 	cfg_parser_destroy(&parser);
 
+	dns_name_destroy();
+
 	isc_log_destroy(&logc);
 
 	isc_mem_destroy(&mctx);

bin/check/named-checkconf.docbook

@@ -41,7 +41,6 @@
       <year>2016</year>
       <year>2018</year>
       <year>2019</year>
-      <year>2020</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
@@ -127,15 +126,6 @@
         </listitem>
       </varlistentry>
 
-      <varlistentry>
-        <term>-i</term>
-        <listitem>
-          <para>
-	    Ignore warnings on deprecated options.
-          </para>
-        </listitem>
-      </varlistentry>
-
       <varlistentry>
         <term>-p</term>
         <listitem>

bin/check/named-checkconf.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -96,12 +96,6 @@
 	    <span class="command"><strong>plugin</strong></span> statements to be ignored.
           </p>
         </dd>
-<dt><span class="term">-i</span></dt>
-<dd>
-          <p>
-	    Ignore warnings on deprecated options.
-          </p>
-        </dd>
 <dt><span class="term">-p</span></dt>
 <dd>
           <p>

bin/check/named-checkzone.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2000-2002, 2004-2007, 2009-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2002, 2004-2007, 2009-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -325,5 +325,5 @@ BIND 9 Administrator Reference Manual\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2000-2002, 2004-2007, 2009-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000-2002, 2004-2007, 2009-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/check/named-checkzone.c

@@ -12,6 +12,8 @@
 
 /*! \file */
 
+#include <config.h>
+
 #include <stdbool.h>
 #include <stdlib.h>
 #include <inttypes.h>
@@ -85,9 +87,9 @@ usage(void) {
 
 static void
 destroy(void) {
-	if (zone != NULL) {
+	if (zone != NULL)
 		dns_zone_detach(&zone);
-	}
+	dns_name_destroy();
 }
 
 /*% main processing routine */
@@ -517,7 +519,7 @@ main(int argc, char **argv) {
 	InitSockets();
 #endif
 
-	isc_mem_create(&mctx);
+	RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
 	if (!quiet)
 		RUNTIME_CHECK(setup_logging(mctx, errout, &lctx)
 			      == ISC_R_SUCCESS);

bin/check/named-checkzone.docbook

@@ -44,7 +44,6 @@
       <year>2016</year>
       <year>2018</year>
       <year>2019</year>
-      <year>2020</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>

bin/check/named-checkzone.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2002, 2004-2007, 2009-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2002, 2004-2007, 2009-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this

bin/check/win32/checkconf.vcxproj.in

@@ -65,7 +65,6 @@
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <BrowseInformation>true</BrowseInformation>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
@@ -93,7 +92,6 @@
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>

bin/check/win32/checkconf.vcxproj.user

@@ -1,3 +1,3 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 </Project>

bin/check/win32/checktool.vcxproj.in

@@ -68,7 +68,6 @@
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <BrowseInformation>true</BrowseInformation>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;..\..\..\lib\ns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
@@ -92,7 +91,6 @@
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;..\..\..\lib\ns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>

bin/check/win32/checktool.vcxproj.user

@@ -1,3 +1,3 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 </Project>

bin/check/win32/checkzone.vcxproj.in

@@ -65,7 +65,6 @@
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <BrowseInformation>true</BrowseInformation>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
@@ -99,7 +98,6 @@ copy /Y named-checkzone.ilk named-compilezone.ilk
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>

bin/check/win32/checkzone.vcxproj.user

@@ -1,3 +1,3 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 </Project>

bin/confgen/Makefile.in

@@ -27,8 +27,8 @@ CWARNINGS =
 
 ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
 ISCCCLIBS =	../../lib/isccc/libisccc.@A@
-ISCLIBS =	../../lib/isc/libisc.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS}
-ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS}
+ISCLIBS =	../../lib/isc/libisc.@A@ @OPENSSL_LIBS@
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LIBS@
 DNSLIBS =	../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
 BIND9LIBS =	../../lib/bind9/libbind9.@A@
 

bin/confgen/ddns-confgen.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -144,5 +144,5 @@ BIND 9 Administrator Reference Manual\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/confgen/ddns-confgen.c

@@ -17,6 +17,8 @@
  * and the corresponding key and update-policy statements in named.conf.
  */
 
+#include <config.h>
+
 #include <stdarg.h>
 #include <stdbool.h>
 #include <stdlib.h>
@@ -207,7 +209,7 @@ main(int argc, char **argv) {
 	/* Use canonical algorithm name */
 	algname = alg_totext(alg);
 
-	isc_mem_create(&mctx);
+	DO("create memory context", isc_mem_create(0, 0, &mctx));
 
 	if (keyname == NULL) {
 		const char *suffix = NULL;
@@ -222,6 +224,8 @@ main(int argc, char **argv) {
 		if (suffix != NULL) {
 			len = strlen(keyname) + strlen(suffix) + 2;
 			keybuf = isc_mem_get(mctx, len);
+			if (keybuf == NULL)
+				fatal("failed to allocate memory for keyname");
 			snprintf(keybuf, len, "%s.%s", keyname, suffix);
 			keyname = (const char *) keybuf;
 		}

bin/confgen/ddns-confgen.docbook

@@ -38,7 +38,6 @@
       <year>2016</year>
       <year>2018</year>
       <year>2019</year>
-      <year>2020</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>

bin/confgen/ddns-confgen.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this

bin/confgen/keygen.c

@@ -12,6 +12,8 @@
 
 /*! \file */
 
+#include <config.h>
+
 #include <stdlib.h>
 #include <stdarg.h>
 

bin/confgen/rndc-confgen.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -206,5 +206,5 @@ BIND 9 Administrator Reference Manual\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2001, 2003-2005, 2007, 2009, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2001, 2003-2005, 2007, 2009, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/confgen/rndc-confgen.c

@@ -20,6 +20,8 @@
  * controls statement altogether.
  */
 
+#include <config.h>
+
 #include <stdarg.h>
 #include <stdbool.h>
 #include <stdlib.h>
@@ -209,7 +211,7 @@ main(int argc, char **argv) {
 		keysize = alg_bits(alg);
 	algname = alg_totext(alg);
 
-	isc_mem_create(&mctx);
+	DO("create memory context", isc_mem_create(0, 0, &mctx));
 	isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));
 
 	generate_key(mctx, alg, keysize, &key_txtbuffer);
@@ -222,6 +224,8 @@ main(int argc, char **argv) {
 			char *buf;
 			len = strlen(chrootdir) + strlen(keyfile) + 2;
 			buf = isc_mem_get(mctx, len);
+			if (buf == NULL)
+				fatal("isc_mem_get(%d) failed\n", len);
 			snprintf(buf, len, "%s%s%s", chrootdir,
 				 (*keyfile != '/') ? "/" : "", keyfile);
 

bin/confgen/rndc-confgen.docbook

@@ -45,7 +45,6 @@
       <year>2017</year>
       <year>2018</year>
       <year>2019</year>
-      <year>2020</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>

bin/confgen/rndc-confgen.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this

bin/confgen/unix/os.c

@@ -12,6 +12,8 @@
 
 /*! \file */
 
+#include <config.h>
+
 #include <confgen/os.h>
 
 #include <fcntl.h>

bin/confgen/util.c

@@ -12,6 +12,8 @@
 
 /*! \file */
 
+#include <config.h>
+
 #include <stdarg.h>
 #include <stdbool.h>
 #include <stdlib.h>

bin/confgen/win32/confgentool.vcxproj.in

@@ -63,7 +63,6 @@
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <BrowseInformation>true</BrowseInformation>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
@@ -88,7 +87,6 @@
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>

bin/confgen/win32/confgentool.vcxproj.user

@@ -1,3 +1,3 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 </Project>

bin/confgen/win32/ddnsconfgen.vcxproj.in

@@ -65,7 +65,6 @@
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <BrowseInformation>true</BrowseInformation>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\isccc\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
@@ -99,7 +98,6 @@ copy /Y ddns-confgen.ilk tsig-keygen.ilk
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\isccc\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>

bin/confgen/win32/ddnsconfgen.vcxproj.user

@@ -1,3 +1,3 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 </Project>

bin/confgen/win32/os.c

@@ -9,6 +9,9 @@
  * information regarding copyright ownership.
  */
 
+
+#include <config.h>
+
 #include <confgen/os.h>
 
 #include <fcntl.h>

bin/confgen/win32/rndcconfgen.vcxproj.in

@@ -65,7 +65,6 @@
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <BrowseInformation>true</BrowseInformation>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\isccc\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
@@ -93,7 +92,6 @@
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\isccc\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>

bin/confgen/win32/rndcconfgen.vcxproj.user

@@ -1,3 +1,3 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 </Project>

bin/delv/Makefile.in

@@ -16,8 +16,7 @@ VERSION=@BIND9_VERSION@
 @BIND9_MAKE_INCLUDES@
 
 CINCLUDES =	-I${srcdir}/include ${DNS_INCLUDES} ${ISC_INCLUDES} \
-		${IRS_INCLUDES} ${ISCCFG_INCLUDES} \
-		${OPENSSL_CFLAGS}
+		${IRS_INCLUDES} ${ISCCFG_INCLUDES} @OPENSSL_INCLUDES@
 
 CDEFINES =	-DVERSION=\"${VERSION}\" \
 		-DSYSCONFDIR=\"${sysconfdir}\"
@@ -25,8 +24,8 @@ CWARNINGS =
 
 ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
 DNSLIBS =	../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
-ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS}
-ISCLIBS =	../../lib/isc/libisc.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS}
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LIBS@
+ISCLIBS =	../../lib/isc/libisc.@A@ @OPENSSL_LIBS@
 IRSLIBS =	../../lib/irs/libirs.@A@
 
 ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@

bin/delv/delv.1

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2014-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2014-2019 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -53,7 +53,7 @@ is a tool for sending DNS queries and validating the results, using the same int
 \fBnamed\fR\&.
 .PP
 \fBdelv\fR
-will send to a specified name server all queries needed to fetch and validate the requested data; this includes the original requested query, subsequent queries to follow CNAME or DNAME chains, and queries for DNSKEY and DS records to establish a chain of trust for DNSSEC validation\&. It does not perform iterative resolution, but simulates the behavior of a name server configured for DNSSEC validating and forwarding\&.
+will send to a specified name server all queries needed to fetch and validate the requested data; this includes the original requested query, subsequent queries to follow CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records to establish a chain of trust for DNSSEC validation\&. It does not perform iterative resolution, but simulates the behavior of a name server configured for DNSSEC validating and forwarding\&.
 .PP
 By default, responses are validated using built\-in DNSSEC trust anchor for the root zone ("\&.")\&. Records returned by
 \fBdelv\fR
@@ -139,21 +139,21 @@ BIND
 .sp
 Keys that do not match the root zone name are ignored\&. An alternate key name can be specified using the
 \fB+root=NAME\fR
-options\&.
+options\&. DNSSEC Lookaside Validation can also be turned on by using the
+\fB+dlv=NAME\fR
+to specify the name of a zone containing DLV records\&.
 .sp
 Note: When reading the trust anchor file,
 \fBdelv\fR
 treats
-\fBtrust\-anchors\fR\fBinitial\-key\fR
-and
-\fBstatic\-key\fR
-entries identically\&. That is, even if a key is configured with
-\fBinitial\-key\fR, indicating that it is meant to be used only as an initializing key for RFC 5011 key maintenance, it is still treated by
+\fBmanaged\-keys\fR
+statements and
+\fBtrusted\-keys\fR
+statements identically\&. That is, for a managed key, it is the
+\fIinitial\fR
+key that is trusted; RFC 5011 key management is not supported\&.
 \fBdelv\fR
-as if it had been configured as a
-\fBstatic\-key\fR\&.
-\fBdelv\fR
-does not consult the managed keys database maintained by
+will not consult the managed\-keys database maintained by
 \fBnamed\fR\&. This means that if either of the keys in
 /etc/bind\&.keys
 is revoked and rolled over, it will be necessary to update
@@ -390,16 +390,25 @@ output\&. The default is to do so\&. Note that (unlike in
 control whether to request DNSSEC records or whether to validate them\&. DNSSEC records are always requested, and validation will always occur unless suppressed by the use of
 \fB\-i\fR
 or
-\fB+noroot\fR\&.
+\fB+noroot\fR
+and
+\fB+nodlv\fR\&.
 .RE
 .PP
 \fB+[no]root[=ROOT]\fR
 .RS 4
-Indicates whether to perform conventional DNSSEC validation, and if so, specifies the name of a trust anchor\&. The default is to validate using a trust anchor of "\&." (the root zone), for which there is a built\-in key\&. If specifying a different trust anchor, then
+Indicates whether to perform conventional (non\-lookaside) DNSSEC validation, and if so, specifies the name of a trust anchor\&. The default is to validate using a trust anchor of "\&." (the root zone), for which there is a built\-in key\&. If specifying a different trust anchor, then
 \fB\-a\fR
 must be used to specify a file containing the key\&.
 .RE
 .PP
+\fB+[no]dlv[=DLV]\fR
+.RS 4
+Indicates whether to perform DNSSEC lookaside validation, and if so, specifies the name of the DLV trust anchor\&. The
+\fB\-a\fR
+option must also be used to specify a file containing the DLV key\&.
+.RE
+.PP
 \fB+[no]tcp\fR
 .RS 4
 Controls whether to use TCP when sending queries\&. The default is to use UDP unless a truncated response has been received\&.
@@ -409,11 +418,6 @@ Controls whether to use TCP when sending queries\&. The default is to use UDP un
 .RS 4
 Print all RDATA in unknown RR type presentation format (RFC 3597)\&. The default is to print RDATA for known types in the type\*(Aqs presentation format\&.
 .RE
-.PP
-\fB+[no]yaml\fR
-.RS 4
-Print response data in YAML format\&.
-.RE
 .SH "FILES"
 .PP
 /etc/bind\&.keys
@@ -433,5 +437,5 @@ RFC5155\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2014-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2014-2019 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/delv/delv.c

@@ -9,6 +9,7 @@
  * information regarding copyright ownership.
  */
 
+#include <config.h>
 #include <bind.keys.h>
 
 #ifndef WIN32
@@ -33,10 +34,8 @@
 #include <isc/app.h>
 #include <isc/base64.h>
 #include <isc/buffer.h>
-#include <isc/hex.h>
 #include <isc/lib.h>
 #include <isc/log.h>
-#include <isc/md.h>
 #include <isc/mem.h>
 #ifdef WIN32
 #include <isc/ntpaths.h>
@@ -113,8 +112,7 @@ static bool
 	nottl = false,
 	multiline = false,
 	short_form = false,
-	print_unknown_format = false,
-	yaml = false;
+	print_unknown_format = false;
 
 static bool
 	resolve_trace = false,
@@ -128,19 +126,21 @@ static bool
 static bool
 	cdflag = false,
 	no_sigs = false,
-	root_validation = true;
+	root_validation = true,
+	dlv_validation = true;
 
 static bool use_tcp = false;
 
 static char *anchorfile = NULL;
 static char *trust_anchor = NULL;
-static int num_keys = 0;
+static char *dlv_anchor = NULL;
+static int trusted_keys = 0;
 
-static dns_fixedname_t afn;
-static dns_name_t *anchor_name = NULL;
+static dns_fixedname_t afn, dfn;
+static dns_name_t *anchor_name = NULL, *dlv_name = NULL;
 
 /* Default bind.keys contents */
-static char anchortext[] = TRUST_ANCHORS;
+static char anchortext[] = MANAGED_KEYS;
 
 /*
  * Static function prototypes
@@ -160,44 +160,42 @@ usage(void) {
 "        q-class  is one of (in,hs,ch,...) [default: in]\n"
 "        q-type   is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) [default:a]\n"
 "        q-opt    is one of:\n"
-"                 -4                  (use IPv4 query transport only)\n"
-"                 -6                  (use IPv6 query transport only)\n"
-"                 -a anchor-file      (specify root trust anchor)\n"
-"                 -b address[#port]   (bind to source address/port)\n"
-"                 -c class            (option included for compatibility;\n"
+"                 -x dot-notation     (shortcut for reverse lookups)\n"
 "                 -d level            (set debugging level)\n"
-"                 -h                  (print help and exit)\n"
-"                 -i                  (disable DNSSEC validation)\n"
-"                 -m                  (enable memory usage debugging)\n"
+"                 -a anchor-file      (specify root and dlv trust anchors)\n"
+"                 -b address[#port]   (bind to source address/port)\n"
 "                 -p port             (specify port number)\n"
 "                 -q name             (specify query name)\n"
 "                 -t type             (specify query type)\n"
+"                 -c class            (option included for compatibility;\n"
 "                                      only IN is supported)\n"
-"                 -v                  (print version and exit)\n"
-"                 -x dot-notation     (shortcut for reverse lookups)\n"
+"                 -4                  (use IPv4 query transport only)\n"
+"                 -6                  (use IPv6 query transport only)\n"
+"                 -i                  (disable DNSSEC validation)\n"
+"                 -m                  (enable memory usage debugging)\n"
 "        d-opt    is of the form +keyword[=value], where keyword is:\n"
 "                 +[no]all            (Set or clear all display flags)\n"
 "                 +[no]class          (Control display of class)\n"
-"                 +[no]comments       (Control display of comment lines)\n"
 "                 +[no]crypto         (Control display of cryptographic\n"
 "                                      fields in records)\n"
-"                 +[no]dlv            (Obsolete)\n"
-"                 +[no]dnssec         (Display DNSSEC records)\n"
-"                 +[no]mtrace         (Trace messages received)\n"
 "                 +[no]multiline      (Print records in an expanded format)\n"
-"                 +[no]root           (DNSSEC validation trust anchor)\n"
+"                 +[no]comments       (Control display of comment lines)\n"
 "                 +[no]rrcomments     (Control display of per-record "
 				       "comments)\n"
-"                 +[no]rtrace         (Trace resolver fetches)\n"
+"                 +[no]unknownformat  (Print RDATA in RFC 3597 \"unknown\" format)\n"
 "                 +[no]short          (Short form answer)\n"
 "                 +[no]split=##       (Split hex/base64 fields into chunks)\n"
 "                 +[no]tcp            (TCP mode)\n"
 "                 +[no]ttl            (Control display of ttls in records)\n"
 "                 +[no]trust          (Control display of trust level)\n"
-"                 +[no]unknownformat  (Print RDATA in RFC 3597 "
-					"\"unknown\" format)\n"
+"                 +[no]rtrace         (Trace resolver fetches)\n"
+"                 +[no]mtrace         (Trace messages received)\n"
 "                 +[no]vtrace         (Trace validation process)\n"
-"                 +[no]yaml           (Present the results as YAML)\n",
+"                 +[no]dlv            (DNSSEC lookaside validation anchor)\n"
+"                 +[no]root           (DNSSEC validation trust anchor)\n"
+"                 +[no]dnssec         (Display DNSSEC records)\n"
+"        -h                           (print help and exit)\n"
+"        -v                           (print version and exit)\n",
 	stderr);
 	exit(1);
 }
@@ -357,80 +355,53 @@ setup_logging(FILE *errout) {
 
 static void
 print_status(dns_rdataset_t *rdataset) {
-	char buf[1024] = { 0 };
+	const char *astr = "", *tstr = "";
 
 	REQUIRE(rdataset != NULL);
 
-	if (!showtrust || !dns_rdataset_isassociated(rdataset)) {
+	if (!showtrust || !dns_rdataset_isassociated(rdataset))
 		return;
-	}
 
-	buf[0] = '\0';
-
-	if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) {
-		strlcat(buf, "negative response", sizeof(buf));
-		strlcat(buf, (yaml ? "_" : ", "), sizeof(buf));
-	}
+	if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)
+		astr = "negative response, ";
 
 	switch (rdataset->trust) {
 	case dns_trust_none:
-		strlcat(buf, "untrusted", sizeof(buf));
+		tstr = "untrusted";
 		break;
 	case dns_trust_pending_additional:
-		strlcat(buf, "signed additional data", sizeof(buf));
-		if (!yaml) {
-			strlcat(buf, ", ", sizeof(buf));
-		}
-		strlcat(buf, "pending validation", sizeof(buf));
+		tstr = "signed additional data, pending validation";
 		break;
 	case dns_trust_pending_answer:
-		strlcat(buf, "signed answer", sizeof(buf));
-		if (!yaml) {
-			strlcat(buf, ", ", sizeof(buf));
-		}
-		strlcat(buf, "pending validation", sizeof(buf));
+		tstr = "signed answer, pending validation";
 		break;
 	case dns_trust_additional:
-		strlcat(buf, "unsigned additional data", sizeof(buf));
+		tstr = "unsigned additional data";
 		break;
 	case dns_trust_glue:
-		strlcat(buf, "glue data", sizeof(buf));
+		tstr = "glue data";
 		break;
 	case dns_trust_answer:
-		if (root_validation) {
-			strlcat(buf, "unsigned answer", sizeof(buf));
-		} else {
-			strlcat(buf, "answer not validated", sizeof(buf));
-		}
+		if (root_validation || dlv_validation)
+			tstr = "unsigned answer";
+		else
+			tstr = "answer not validated";
 		break;
 	case dns_trust_authauthority:
-		strlcat(buf, "authority data", sizeof(buf));
+		tstr = "authority data";
 		break;
 	case dns_trust_authanswer:
-		strlcat(buf, "authoritative", sizeof(buf));
+		tstr = "authoritative";
 		break;
 	case dns_trust_secure:
-		strlcat(buf, "fully validated", sizeof(buf));
+		tstr = "fully validated";
 		break;
 	case dns_trust_ultimate:
-		strlcat(buf, "ultimate trust", sizeof(buf));
+		tstr = "ultimate trust";
 		break;
 	}
 
-	if (yaml) {
-		char *p;
-
-		/* Convert spaces to underscores for YAML */
-		for (p = buf; p != NULL && *p != '\0'; p++) {
-			if (*p == ' ') {
-				*p = '_';
-			}
-		}
-
-		printf("  - %s:\n", buf);
-	} else {
-		printf("; %s\n", buf);
-	}
+	printf("; %s%s\n", astr, tstr);
 }
 
 static isc_result_t
@@ -457,9 +428,8 @@ printdata(dns_rdataset_t *rdataset, dns_name_t *owner,
 		return (ISC_R_SUCCESS);
 
 	if (first || rdataset->trust != trust) {
-		if (!first && showtrust && !short_form && !yaml) {
+		if (!first && showtrust && !short_form)
 			putchar('\n');
-		}
 		print_status(rdataset);
 		trust = rdataset->trust;
 		first = false;
@@ -467,6 +437,8 @@ printdata(dns_rdataset_t *rdataset, dns_name_t *owner,
 
 	do {
 		t = isc_mem_get(mctx, len);
+		if (t == NULL)
+			return (ISC_R_NOMEMORY);
 
 		isc_buffer_init(&target, t, len);
 		if (short_form) {
@@ -498,17 +470,12 @@ printdata(dns_rdataset_t *rdataset, dns_name_t *owner,
 				dns_rdata_reset(&rdata);
 			}
 		} else {
-			dns_indent_t indent = { "  ", 2 };
-			if (!yaml && (rdataset->attributes &
-				      DNS_RDATASETATTR_NEGATIVE) != 0)
-			{
+			if ((rdataset->attributes &
+			     DNS_RDATASETATTR_NEGATIVE) != 0)
 				isc_buffer_putstr(&target, "; ");
-			}
+
 			result = dns_master_rdatasettotext(owner, rdataset,
-							   style,
-							   yaml ? &indent :
-								  NULL,
-							   &target);
+							   style, &target);
 		}
 
 		if (result == ISC_R_NOSPACE) {
@@ -535,53 +502,41 @@ setup_style(dns_master_style_t **stylep) {
 	isc_result_t result;
 	dns_master_style_t *style = NULL;
 
-	REQUIRE(stylep != NULL && *stylep == NULL);
+	REQUIRE(stylep != NULL || *stylep == NULL);
 
 	styleflags |= DNS_STYLEFLAG_REL_OWNER;
-	if (yaml) {
-		styleflags |= DNS_STYLEFLAG_YAML;
-	} else {
-		if (showcomments) {
-			styleflags |= DNS_STYLEFLAG_COMMENT;
-		}
-		if (print_unknown_format) {
-			styleflags |= DNS_STYLEFLAG_UNKNOWNFORMAT;
-		}
-		if (rrcomments) {
-			styleflags |= DNS_STYLEFLAG_RRCOMMENT;
-		}
-		if (nottl) {
-			styleflags |= DNS_STYLEFLAG_NO_TTL;
-		}
-		if (noclass) {
-			styleflags |= DNS_STYLEFLAG_NO_CLASS;
-		}
-		if (nocrypto) {
-			styleflags |= DNS_STYLEFLAG_NOCRYPTO;
-		}
-		if (multiline) {
-			styleflags |= DNS_STYLEFLAG_MULTILINE;
-			styleflags |= DNS_STYLEFLAG_COMMENT;
-		}
+	if (showcomments)
+		styleflags |= DNS_STYLEFLAG_COMMENT;
+	if (print_unknown_format)
+		styleflags |= DNS_STYLEFLAG_UNKNOWNFORMAT;
+	if (rrcomments)
+		styleflags |= DNS_STYLEFLAG_RRCOMMENT;
+	if (nottl)
+		styleflags |= DNS_STYLEFLAG_NO_TTL;
+	if (noclass)
+		styleflags |= DNS_STYLEFLAG_NO_CLASS;
+	if (nocrypto)
+		styleflags |= DNS_STYLEFLAG_NOCRYPTO;
+	if (multiline) {
+		styleflags |= DNS_STYLEFLAG_MULTILINE;
+		styleflags |= DNS_STYLEFLAG_COMMENT;
 	}
 
-	if (multiline || (nottl && noclass)) {
+	if (multiline || (nottl && noclass))
 		result = dns_master_stylecreate(&style, styleflags,
 						24, 24, 24, 32, 80, 8,
 						splitwidth, mctx);
-	} else if (nottl || noclass) {
+	else if (nottl || noclass)
 		result = dns_master_stylecreate(&style, styleflags,
 						24, 24, 32, 40, 80, 8,
 						splitwidth, mctx);
-	} else {
+	else
 		result = dns_master_stylecreate(&style, styleflags,
 						24, 32, 40, 48, 80, 8,
 						splitwidth, mctx);
-	}
 
-	if (result == ISC_R_SUCCESS) {
+	if (result == ISC_R_SUCCESS)
 		*stylep = style;
-	}
 	return (result);
 }
 
@@ -612,161 +567,83 @@ convert_name(dns_fixedname_t *fn, dns_name_t **name, const char *text) {
 
 static isc_result_t
 key_fromconfig(const cfg_obj_t *key, dns_client_t *client) {
-	dns_rdata_dnskey_t dnskey;
-	dns_rdata_ds_t ds;
-	uint32_t rdata1, rdata2, rdata3;
-	const char *datastr = NULL, *keynamestr = NULL, *atstr = NULL;
-	unsigned char data[4096];
-	isc_buffer_t databuf;
+	dns_rdata_dnskey_t keystruct;
+	uint32_t flags, proto, alg;
+	const char *keystr, *keynamestr;
+	unsigned char keydata[4096];
+	isc_buffer_t keydatabuf;
 	unsigned char rrdata[4096];
 	isc_buffer_t rrdatabuf;
 	isc_region_t r;
 	dns_fixedname_t fkeyname;
 	dns_name_t *keyname;
 	isc_result_t result;
-	bool match_root = false;
-	enum {
-		INITIAL_KEY,
-		STATIC_KEY,
-		INITIAL_DS,
-		STATIC_DS,
-		TRUSTED
-	} anchortype;
+	bool match_root = false, match_dlv = false;
 
 	keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
 	CHECK(convert_name(&fkeyname, &keyname, keynamestr));
 
-	if (!root_validation) {
+	if (!root_validation && !dlv_validation)
 		return (ISC_R_SUCCESS);
-	}
 
-	if (anchor_name) {
+	if (anchor_name)
 		match_root = dns_name_equal(keyname, anchor_name);
-	}
+	if (dlv_name)
+		match_dlv = dns_name_equal(keyname, dlv_name);
 
-	if (!match_root) {
+	if (!match_root && !match_dlv)
 		return (ISC_R_SUCCESS);
-	}
-
-	if (!root_validation) {
+	if ((!root_validation && match_root) || (!dlv_validation && match_dlv))
 		return (ISC_R_SUCCESS);
-	}
 
-	delv_log(ISC_LOG_DEBUG(3), "adding trust anchor %s", trust_anchor);
+	if (match_root)
+		delv_log(ISC_LOG_DEBUG(3), "adding trust anchor %s",
+			  trust_anchor);
+	if (match_dlv)
+		delv_log(ISC_LOG_DEBUG(3), "adding DLV trust anchor %s",
+			  dlv_anchor);
 
-	/* if DNSKEY, flags; if DS, key tag */
-	rdata1 = cfg_obj_asuint32(cfg_tuple_get(key, "rdata1"));
+	flags = cfg_obj_asuint32(cfg_tuple_get(key, "flags"));
+	proto = cfg_obj_asuint32(cfg_tuple_get(key, "protocol"));
+	alg = cfg_obj_asuint32(cfg_tuple_get(key, "algorithm"));
 
-	/* if DNSKEY, protocol; if DS, algorithm */
-	rdata2 = cfg_obj_asuint32(cfg_tuple_get(key, "rdata2"));
+	keystruct.common.rdclass = dns_rdataclass_in;
+	keystruct.common.rdtype = dns_rdatatype_dnskey;
+	/*
+	 * The key data in keystruct is not dynamically allocated.
+	 */
+	keystruct.mctx = NULL;
 
-	/* if DNSKEY, algorithm; if DS, digest type */
-	rdata3 = cfg_obj_asuint32(cfg_tuple_get(key, "rdata3"));
+	ISC_LINK_INIT(&keystruct.common, link);
 
-	/* What type of trust anchor is this? */
-	atstr = cfg_obj_asstring(cfg_tuple_get(key, "anchortype"));
-	if (strcasecmp(atstr, "static-key") == 0) {
-		anchortype = STATIC_KEY;
-	} else if (strcasecmp(atstr, "static-ds") == 0) {
-		anchortype = STATIC_DS;
-	} else if (strcasecmp(atstr, "initial-key") == 0) {
-		anchortype = INITIAL_KEY;
-	} else if (strcasecmp(atstr, "initial-ds") == 0) {
-		anchortype = INITIAL_DS;
-	} else {
-		delv_log(ISC_LOG_ERROR,
-			 "key '%s': invalid initialization method '%s'",
-			 keynamestr, atstr);
-		result = ISC_R_FAILURE;
-		goto cleanup;
-	}
+	if (flags > 0xffff)
+		CHECK(ISC_R_RANGE);
+	if (proto > 0xff)
+		CHECK(ISC_R_RANGE);
+	if (alg > 0xff)
+		CHECK(ISC_R_RANGE);
 
-	isc_buffer_init(&databuf, data, sizeof(data));
+	keystruct.flags = (uint16_t)flags;
+	keystruct.protocol = (uint8_t)proto;
+	keystruct.algorithm = (uint8_t)alg;
+
+	isc_buffer_init(&keydatabuf, keydata, sizeof(keydata));
 	isc_buffer_init(&rrdatabuf, rrdata, sizeof(rrdata));
 
-	if (rdata1 > 0xffff) {
-		CHECK(ISC_R_RANGE);
-	}
-	if (rdata2 > 0xff) {
-		CHECK(ISC_R_RANGE);
-	}
-	if (rdata3 > 0xff) {
-		CHECK(ISC_R_RANGE);
-	}
+	keystr = cfg_obj_asstring(cfg_tuple_get(key, "key"));
+	CHECK(isc_base64_decodestring(keystr, &keydatabuf));
+	isc_buffer_usedregion(&keydatabuf, &r);
+	keystruct.datalen = r.length;
+	keystruct.data = r.base;
 
-	switch (anchortype) {
-	case STATIC_KEY:
-	case INITIAL_KEY:
-	case TRUSTED:
-		dnskey.common.rdclass = dns_rdataclass_in;
-		dnskey.common.rdtype = dns_rdatatype_dnskey;
-		dnskey.mctx = NULL;
+	CHECK(dns_rdata_fromstruct(NULL,
+				   keystruct.common.rdclass,
+				   keystruct.common.rdtype,
+				   &keystruct, &rrdatabuf));
 
-		ISC_LINK_INIT(&dnskey.common, link);
-
-		dnskey.flags = (uint16_t)rdata1;
-		dnskey.protocol = (uint8_t)rdata2;
-		dnskey.algorithm = (uint8_t)rdata3;
-
-		datastr = cfg_obj_asstring(cfg_tuple_get(key, "data"));
-		CHECK(isc_base64_decodestring(datastr, &databuf));
-		isc_buffer_usedregion(&databuf, &r);
-		dnskey.datalen = r.length;
-		dnskey.data = r.base;
-
-		CHECK(dns_rdata_fromstruct(NULL, dnskey.common.rdclass,
-					   dnskey.common.rdtype,
-					   &dnskey, &rrdatabuf));
-		CHECK(dns_client_addtrustedkey(client, dns_rdataclass_in,
-					       dns_rdatatype_dnskey,
-					       keyname, &rrdatabuf));
-		break;
-	case INITIAL_DS:
-	case STATIC_DS:
-		ds.common.rdclass = dns_rdataclass_in;
-		ds.common.rdtype = dns_rdatatype_ds;
-		ds.mctx = NULL;
-
-		ISC_LINK_INIT(&ds.common, link);
-
-		ds.key_tag = (uint16_t)rdata1;
-		ds.algorithm = (uint8_t)rdata2;
-		ds.digest_type = (uint8_t)rdata3;
-
-		datastr = cfg_obj_asstring(cfg_tuple_get(key, "data"));
-		CHECK(isc_hex_decodestring(datastr, &databuf));
-		isc_buffer_usedregion(&databuf, &r);
-
-		switch (ds.digest_type) {
-		case DNS_DSDIGEST_SHA1:
-			if (r.length != ISC_SHA1_DIGESTLENGTH) {
-				CHECK(ISC_R_UNEXPECTEDEND);
-			}
-			break;
-		case DNS_DSDIGEST_SHA256:
-			if (r.length != ISC_SHA256_DIGESTLENGTH) {
-				CHECK(ISC_R_UNEXPECTEDEND);
-			}
-			break;
-		case DNS_DSDIGEST_SHA384:
-			if (r.length != ISC_SHA384_DIGESTLENGTH) {
-				CHECK(ISC_R_UNEXPECTEDEND);
-			}
-			break;
-		}
-
-		ds.length = r.length;
-		ds.digest = r.base;
-
-		CHECK(dns_rdata_fromstruct(NULL, ds.common.rdclass,
-					   ds.common.rdtype,
-					   &ds, &rrdatabuf));
-		CHECK(dns_client_addtrustedkey(client, dns_rdataclass_in,
-					       dns_rdatatype_ds,
-					       keyname, &rrdatabuf));
-	};
-
-	num_keys++;
+	CHECK(dns_client_addtrustedkey(client, dns_rdataclass_in,
+				       keyname, &rrdatabuf));
+	trusted_keys++;
 
  cleanup:
 	if (result == DST_R_NOCRYPTO)
@@ -817,15 +694,13 @@ static isc_result_t
 setup_dnsseckeys(dns_client_t *client) {
 	isc_result_t result;
 	cfg_parser_t *parser = NULL;
-	const cfg_obj_t *trusted_keys = NULL;
+	const cfg_obj_t *keys = NULL;
 	const cfg_obj_t *managed_keys = NULL;
-	const cfg_obj_t *trust_anchors = NULL;
 	cfg_obj_t *bindkeys = NULL;
 	const char *filename = anchorfile;
 
-	if (!root_validation) {
+	if (!root_validation && !dlv_validation)
 		return (ISC_R_SUCCESS);
-	}
 
 	if (filename == NULL) {
 #ifndef WIN32
@@ -840,27 +715,27 @@ setup_dnsseckeys(dns_client_t *client) {
 
 	if (trust_anchor == NULL) {
 		trust_anchor = isc_mem_strdup(mctx, ".");
+		if (trust_anchor == NULL)
+			fatal("out of memory");
 	}
 
-	if (trust_anchor != NULL) {
+	if (trust_anchor != NULL)
 		CHECK(convert_name(&afn, &anchor_name, trust_anchor));
-	}
+	if (dlv_anchor != NULL)
+		CHECK(convert_name(&dfn, &dlv_name, dlv_anchor));
 
 	CHECK(cfg_parser_create(mctx, dns_lctx, &parser));
 
 	if (access(filename, R_OK) != 0) {
-		if (anchorfile != NULL) {
+		if (anchorfile != NULL)
 			fatal("Unable to read key file '%s'", anchorfile);
-		}
 	} else {
 		result = cfg_parse_file(parser, filename,
 					&cfg_type_bindkeys, &bindkeys);
-		if (result != ISC_R_SUCCESS) {
-			if (anchorfile != NULL) {
+		if (result != ISC_R_SUCCESS)
+			if (anchorfile != NULL)
 				fatal("Unable to load keys from '%s'",
 				      anchorfile);
-			}
-		}
 	}
 
 	if (bindkeys == NULL) {
@@ -870,30 +745,26 @@ setup_dnsseckeys(dns_client_t *client) {
 		isc_buffer_add(&b, sizeof(anchortext) - 1);
 		result = cfg_parse_buffer(parser, &b, NULL, 0,
 					  &cfg_type_bindkeys, 0, &bindkeys);
-		if (result != ISC_R_SUCCESS) {
+		if (result != ISC_R_SUCCESS)
 			fatal("Unable to parse built-in keys");
-		}
 	}
 
 	INSIST(bindkeys != NULL);
-	cfg_map_get(bindkeys, "trusted-keys", &trusted_keys);
+	cfg_map_get(bindkeys, "trusted-keys", &keys);
 	cfg_map_get(bindkeys, "managed-keys", &managed_keys);
-	cfg_map_get(bindkeys, "trust-anchors", &trust_anchors);
 
-	if (trusted_keys != NULL) {
-		CHECK(load_keys(trusted_keys, client));
-	}
-	if (managed_keys != NULL) {
+	if (keys != NULL)
+		CHECK(load_keys(keys, client));
+	if (managed_keys != NULL)
 		CHECK(load_keys(managed_keys, client));
-	}
-	if (trust_anchors != NULL) {
-		CHECK(load_keys(trust_anchors, client));
-	}
 	result = ISC_R_SUCCESS;
 
-	if (num_keys == 0) {
+	if (trusted_keys == 0)
 		fatal("No trusted keys were loaded");
-	}
+
+	if (dlv_validation)
+		dns_client_setdlv(client, dns_rdataclass_in, dlv_anchor);
+
 
  cleanup:
 	if (bindkeys != NULL) {
@@ -902,10 +773,9 @@ setup_dnsseckeys(dns_client_t *client) {
 	if (parser != NULL) {
 		cfg_parser_destroy(&parser);
 	}
-	if (result != ISC_R_SUCCESS) {
+	if (result != ISC_R_SUCCESS)
 		delv_log(ISC_LOG_ERROR, "setup_dnsseckeys: %s",
 			  isc_result_totext(result));
-	}
 	return (result);
 }
 
@@ -932,6 +802,8 @@ addserver(dns_client_t *client) {
 			fatal("Use of IPv4 disabled by -6");
 		}
 		sa = isc_mem_get(mctx, sizeof(*sa));
+		if (sa == NULL)
+			return (ISC_R_NOMEMORY);
 		ISC_LINK_INIT(sa, link);
 		isc_sockaddr_fromin(sa, &in4, destport);
 		ISC_LIST_APPEND(servers, sa, link);
@@ -940,6 +812,8 @@ addserver(dns_client_t *client) {
 			fatal("Use of IPv6 disabled by -4");
 		}
 		sa = isc_mem_get(mctx, sizeof(*sa));
+		if (sa == NULL)
+			return (ISC_R_NOMEMORY);
 		ISC_LINK_INIT(sa, link);
 		isc_sockaddr_fromin6(sa, &in6, destport);
 		ISC_LIST_APPEND(servers, sa, link);
@@ -967,6 +841,10 @@ addserver(dns_client_t *client) {
 			    cur->ai_family != AF_INET6)
 				continue;
 			sa = isc_mem_get(mctx, sizeof(*sa));
+			if (sa == NULL) {
+				result = ISC_R_NOMEMORY;
+				break;
+			}
 			memset(sa, 0, sizeof(*sa));
 			ISC_LINK_INIT(sa, link);
 			memmove(&sa->type, cur->ai_addr, cur->ai_addrlen);
@@ -1039,6 +917,10 @@ findserver(dns_client_t *client) {
 			struct in_addr localhost;
 			localhost.s_addr = htonl(INADDR_LOOPBACK);
 			sa = isc_mem_get(mctx, sizeof(*sa));
+			if (sa == NULL) {
+				result = ISC_R_NOMEMORY;
+				goto cleanup;
+			}
 			isc_sockaddr_fromin(sa, &localhost, destport);
 
 			ISC_LINK_INIT(sa, link);
@@ -1047,6 +929,10 @@ findserver(dns_client_t *client) {
 
 		if (use_ipv6) {
 			sa = isc_mem_get(mctx, sizeof(*sa));
+			if (sa == NULL) {
+				result = ISC_R_NOMEMORY;
+				goto cleanup;
+			}
 			isc_sockaddr_fromin6(sa, &in6addr_loopback, destport);
 
 			ISC_LINK_INIT(sa, link);
@@ -1142,10 +1028,13 @@ plus_option(char *option) {
 		switch (cmd[1]) {
 		case 'l': /* dlv */
 			FULLCHECK("dlv");
-			if (state) {
-				fprintf(stderr, "Invalid option: "
-						"+dlv is obsolete\n");
-				exit(1);
+			if (state && no_sigs)
+				break;
+			dlv_validation = state;
+			if (value != NULL) {
+				dlv_anchor = isc_mem_strdup(mctx, value);
+				if (dlv_anchor == NULL)
+					fatal("out of memory");
 			}
 			break;
 		case 'n': /* dnssec */
@@ -1180,6 +1069,8 @@ plus_option(char *option) {
 			root_validation = state;
 			if (value != NULL) {
 				trust_anchor = isc_mem_strdup(mctx, value);
+				if (trust_anchor == NULL)
+					fatal("out of memory");
 			}
 			break;
 		case 'r': /* rrcomments */
@@ -1267,13 +1158,6 @@ plus_option(char *option) {
 		if (state)
 			resolve_trace = state;
 		break;
-	case 'y': /* yaml */
-		FULLCHECK("yaml");
-		yaml = state;
-		if (state) {
-			rrcomments = false;
-		}
-		break;
 	default:
 	invalid_option:
 		/*
@@ -1337,6 +1221,7 @@ dash_option(char *option, char *next, bool *open_type_class) {
 			/* NOTREACHED */
 		case 'i':
 			no_sigs = true;
+			dlv_validation = false;
 			root_validation = false;
 			break;
 		case 'm':
@@ -1368,6 +1253,8 @@ dash_option(char *option, char *next, bool *open_type_class) {
 	switch (opt) {
 	case 'a':
 		anchorfile = isc_mem_strdup(mctx, value);
+		if (anchorfile == NULL)
+			fatal("out of memory");
 		return (value_from_next);
 	case 'b':
 		hash = strchr(value, '#');
@@ -1431,6 +1318,8 @@ dash_option(char *option, char *next, bool *open_type_class) {
 			isc_mem_free(mctx, curqname);
 		}
 		curqname = isc_mem_strdup(mctx, value);
+		if (curqname == NULL)
+			fatal("out of memory");
 		return (value_from_next);
 	case 't':
 		*open_type_class = false;
@@ -1458,6 +1347,8 @@ dash_option(char *option, char *next, bool *open_type_class) {
 				warn("extra query name");
 			}
 			curqname = isc_mem_strdup(mctx, textname);
+			if (curqname == NULL)
+				fatal("out of memory");
 			if (typeset)
 				warn("extra query type");
 			qtype = dns_rdatatype_ptr;
@@ -1604,6 +1495,8 @@ parse_args(int argc, char **argv) {
 
 			if (curqname == NULL) {
 				curqname = isc_mem_strdup(mctx, argv[0]);
+				if (curqname == NULL)
+					fatal("out of memory");
 			}
 		}
 	}
@@ -1617,6 +1510,8 @@ parse_args(int argc, char **argv) {
 
 	if (curqname == NULL) {
 		qname = isc_mem_strdup(mctx, ".");
+		if (qname == NULL)
+			fatal("out of memory");
 
 		if (!typeset)
 			qtype = dns_rdatatype_ns;
@@ -1700,7 +1595,6 @@ main(int argc, char *argv[]) {
 	isc_result_t result;
 	dns_fixedname_t qfn;
 	dns_name_t *query_name, *response_name;
-	char namestr[DNS_NAME_FORMATSIZE];
 	dns_rdataset_t *rdataset;
 	dns_namelist_t namelist;
 	unsigned int resopt, clopt;
@@ -1724,12 +1618,14 @@ main(int argc, char *argv[]) {
 	if (result != ISC_R_SUCCESS)
 		fatal("dns_lib_init failed: %d", result);
 
-	isc_mem_create(&mctx);
+	result = isc_mem_create(0, 0, &mctx);
+	if (result != ISC_R_SUCCESS)
+		fatal("failed to create mctx");
 
 	CHECK(isc_appctx_create(mctx, &actx));
-	CHECK(isc_taskmgr_createinctx(mctx, 1, 0, &taskmgr));
-	CHECK(isc_socketmgr_createinctx(mctx, &socketmgr));
-	CHECK(isc_timermgr_createinctx(mctx, &timermgr));
+	CHECK(isc_taskmgr_createinctx(mctx, actx, 1, 0, &taskmgr));
+	CHECK(isc_socketmgr_createinctx(mctx, actx, &socketmgr));
+	CHECK(isc_timermgr_createinctx(mctx, actx, &timermgr));
 
 	parse_args(argc, argv);
 
@@ -1770,35 +1666,22 @@ main(int argc, char *argv[]) {
 
 	/* Set up resolution options */
 	resopt = DNS_CLIENTRESOPT_ALLOWRUN | DNS_CLIENTRESOPT_NOCDFLAG;
-	if (no_sigs) {
+	if (no_sigs)
 		resopt |= DNS_CLIENTRESOPT_NODNSSEC;
-	}
-	if (!root_validation) {
+	if (!root_validation && !dlv_validation)
 		resopt |= DNS_CLIENTRESOPT_NOVALIDATE;
-	}
-	if (cdflag) {
+	if (cdflag)
 		resopt &= ~DNS_CLIENTRESOPT_NOCDFLAG;
-	}
-	if (use_tcp) {
+	if (use_tcp)
 		resopt |= DNS_CLIENTRESOPT_TCP;
-	}
 
 	/* Perform resolution */
 	ISC_LIST_INIT(namelist);
 	result = dns_client_resolve(client, query_name, dns_rdataclass_in,
 				    qtype, resopt, &namelist);
-	if (result != ISC_R_SUCCESS && !yaml) {
+	if (result != ISC_R_SUCCESS)
 		delv_log(ISC_LOG_ERROR, "resolution failed: %s",
 			  isc_result_totext(result));
-	}
-
-	if (yaml) {
-		printf("type: DELV_RESULT\n");
-		dns_name_format(query_name, namestr, sizeof(namestr));
-		printf("query_name: %s\n", namestr);
-		printf("status: %s\n", isc_result_totext(result));
-		printf("records:\n");
-	}
 
 	for (response_name = ISC_LIST_HEAD(namelist);
 	     response_name != NULL;
@@ -1815,6 +1698,8 @@ main(int argc, char *argv[]) {
 	dns_client_freeresanswer(client, &namelist);
 
 cleanup:
+	if (dlv_anchor != NULL)
+		isc_mem_free(mctx, dlv_anchor);
 	if (trust_anchor != NULL)
 		isc_mem_free(mctx, trust_anchor);
 	if (anchorfile != NULL)

bin/delv/delv.docbook

@@ -40,7 +40,6 @@
       <year>2017</year>
       <year>2018</year>
       <year>2019</year>
-      <year>2020</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
@@ -97,7 +96,7 @@
       <command>delv</command> will send to a specified name server all
       queries needed to fetch and validate the requested data; this
       includes the original requested query, subsequent queries to follow
-      CNAME or DNAME chains, and queries for DNSKEY and DS records
+      CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records
       to establish a chain of trust for DNSSEC validation.
       It does not perform iterative resolution, but simulates the
       behavior of a name server configured for DNSSEC validating and
@@ -212,21 +211,21 @@
 	  <para>
 	    Keys that do not match the root zone name are ignored.
             An alternate key name can be specified using the
-	    <option>+root=NAME</option> options.
+	    <option>+root=NAME</option> options. DNSSEC Lookaside
+            Validation can also be turned on by using the
+	    <option>+dlv=NAME</option> to specify the name of a
+            zone containing DLV records.
 	  </para>
 	  <para>
 	    Note: When reading the trust anchor file,
-	    <command>delv</command> treats <option>trust-anchors</option>
-	    <option>initial-key</option> and <option>static-key</option>
-	    entries identically.  That is, even if a key is configured
-	    with <command>initial-key</command>, indicating that it is
-	    meant to be used only as an initializing key for RFC 5011
-	    key maintenance, it is still treated by <command>delv</command>
-	    as if it had been configured as a <command>static-key</command>.
-	    <command>delv</command> does not consult the managed keys
-	    database maintained by <command>named</command>. This means
-	    that if either of the keys in
-	    <filename>/etc/bind.keys</filename> is revoked
+	    <command>delv</command> treats <option>managed-keys</option>
+	    statements and <option>trusted-keys</option> statements
+	    identically.  That is, for a managed key, it is the
+	    <emphasis>initial</emphasis> key that is trusted; RFC 5011
+	    key management is not supported. <command>delv</command>
+	    will not consult the managed-keys database maintained by
+	    <command>named</command>. This means that if either of the
+	    keys in <filename>/etc/bind.keys</filename> is revoked
 	    and rolled over, it will be necessary to update
 	    <filename>/etc/bind.keys</filename> to use DNSSEC
 	    validation in <command>delv</command>.
@@ -618,7 +617,8 @@
 	      request DNSSEC records or whether to validate them.
 	      DNSSEC records are always requested, and validation
 	      will always occur unless suppressed by the use of
-	      <option>-i</option> or <option>+noroot</option>.
+	      <option>-i</option> or <option>+noroot</option> and
+	      <option>+nodlv</option>.
 	    </para>
 	  </listitem>
 	</varlistentry>
@@ -627,7 +627,7 @@
 	  <term><option>+[no]root[=ROOT]</option></term>
 	  <listitem>
 	    <para>
-	      Indicates whether to perform conventional
+	      Indicates whether to perform conventional (non-lookaside)
 	      DNSSEC validation, and if so, specifies the
 	      name of a trust anchor.  The default is to validate using
 	      a trust anchor of "." (the root zone), for which there is
@@ -638,6 +638,18 @@
 	  </listitem>
 	</varlistentry>
 
+	<varlistentry>
+	  <term><option>+[no]dlv[=DLV]</option></term>
+	  <listitem>
+	    <para>
+	      Indicates whether to perform DNSSEC lookaside validation,
+	      and if so, specifies the name of the DLV trust anchor.
+	      The <option>-a</option> option must also be used to specify
+              a file containing the DLV key.
+	    </para>
+	  </listitem>
+	</varlistentry>
+
 	<varlistentry>
 	  <term><option>+[no]tcp</option></term>
 	  <listitem>
@@ -659,16 +671,6 @@
 	    </para>
 	  </listitem>
 	</varlistentry>
-
-	<varlistentry>
-	  <term><option>+[no]yaml</option></term>
-	  <listitem>
-	    <para>
-	      Print response data in YAML format.
-	    </para>
-	  </listitem>
-	</varlistentry>
-
       </variablelist>
 
     </para>

bin/delv/delv.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2014-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2014-2019 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -83,7 +83,7 @@
       <span class="command"><strong>delv</strong></span> will send to a specified name server all
       queries needed to fetch and validate the requested data; this
       includes the original requested query, subsequent queries to follow
-      CNAME or DNAME chains, and queries for DNSKEY and DS records
+      CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records
       to establish a chain of trust for DNSSEC validation.
       It does not perform iterative resolution, but simulates the
       behavior of a name server configured for DNSSEC validating and
@@ -193,21 +193,21 @@
 	  <p>
 	    Keys that do not match the root zone name are ignored.
             An alternate key name can be specified using the
-	    <code class="option">+root=NAME</code> options.
+	    <code class="option">+root=NAME</code> options. DNSSEC Lookaside
+            Validation can also be turned on by using the
+	    <code class="option">+dlv=NAME</code> to specify the name of a
+            zone containing DLV records.
 	  </p>
 	  <p>
 	    Note: When reading the trust anchor file,
-	    <span class="command"><strong>delv</strong></span> treats <code class="option">trust-anchors</code>
-	    <code class="option">initial-key</code> and <code class="option">static-key</code>
-	    entries identically.  That is, even if a key is configured
-	    with <span class="command"><strong>initial-key</strong></span>, indicating that it is
-	    meant to be used only as an initializing key for RFC 5011
-	    key maintenance, it is still treated by <span class="command"><strong>delv</strong></span>
-	    as if it had been configured as a <span class="command"><strong>static-key</strong></span>.
-	    <span class="command"><strong>delv</strong></span> does not consult the managed keys
-	    database maintained by <span class="command"><strong>named</strong></span>. This means
-	    that if either of the keys in
-	    <code class="filename">/etc/bind.keys</code> is revoked
+	    <span class="command"><strong>delv</strong></span> treats <code class="option">managed-keys</code>
+	    statements and <code class="option">trusted-keys</code> statements
+	    identically.  That is, for a managed key, it is the
+	    <span class="emphasis"><em>initial</em></span> key that is trusted; RFC 5011
+	    key management is not supported. <span class="command"><strong>delv</strong></span>
+	    will not consult the managed-keys database maintained by
+	    <span class="command"><strong>named</strong></span>. This means that if either of the
+	    keys in <code class="filename">/etc/bind.keys</code> is revoked
 	    and rolled over, it will be necessary to update
 	    <code class="filename">/etc/bind.keys</code> to use DNSSEC
 	    validation in <span class="command"><strong>delv</strong></span>.
@@ -517,13 +517,14 @@
 	      request DNSSEC records or whether to validate them.
 	      DNSSEC records are always requested, and validation
 	      will always occur unless suppressed by the use of
-	      <code class="option">-i</code> or <code class="option">+noroot</code>.
+	      <code class="option">-i</code> or <code class="option">+noroot</code> and
+	      <code class="option">+nodlv</code>.
 	    </p>
 	  </dd>
 <dt><span class="term"><code class="option">+[no]root[=ROOT]</code></span></dt>
 <dd>
 	    <p>
-	      Indicates whether to perform conventional
+	      Indicates whether to perform conventional (non-lookaside)
 	      DNSSEC validation, and if so, specifies the
 	      name of a trust anchor.  The default is to validate using
 	      a trust anchor of "." (the root zone), for which there is
@@ -532,6 +533,15 @@
 	      containing the key.
 	    </p>
 	  </dd>
+<dt><span class="term"><code class="option">+[no]dlv[=DLV]</code></span></dt>
+<dd>
+	    <p>
+	      Indicates whether to perform DNSSEC lookaside validation,
+	      and if so, specifies the name of the DLV trust anchor.
+	      The <code class="option">-a</code> option must also be used to specify
+              a file containing the DLV key.
+	    </p>
+	  </dd>
 <dt><span class="term"><code class="option">+[no]tcp</code></span></dt>
 <dd>
 	    <p>
@@ -548,12 +558,6 @@
 	      in the type's presentation format.
 	    </p>
 	  </dd>
-<dt><span class="term"><code class="option">+[no]yaml</code></span></dt>
-<dd>
-	    <p>
-	      Print response data in YAML format.
-	    </p>
-	  </dd>
 </dl></div>
 <p>
 

bin/delv/win32/delv.vcxproj.in

@@ -63,8 +63,7 @@
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <BrowseInformation>true</BrowseInformation>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
-      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@GEOIP_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\win32\include;..\..\..\lib\dns\include;..\..\..\lib\irs\win32\include;..\..\..\lib\irs\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@GEOIP_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\win32\include;..\..\..\lib\dns\include;..\..\..\lib\irs\win32\include;..\..\..\lib\irs\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
     <Link>
@@ -91,8 +90,7 @@
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
-      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@GEOIP_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\win32\include;..\..\..\lib\dns\include;..\..\..\lib\irs\win32\include;..\..\..\lib\irs\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@GEOIP_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\win32\include;..\..\..\lib\dns\include;..\..\..\lib\irs\win32\include;..\..\..\lib\irs\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
     <Link>

bin/delv/win32/delv.vcxproj.user

@@ -1,3 +1,3 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 </Project>

bin/dig/Makefile.in

@@ -19,8 +19,7 @@ READLINE_LIB = @READLINE_LIB@
 
 CINCLUDES =	-I${srcdir}/include ${DNS_INCLUDES} \
 		${BIND9_INCLUDES} ${ISC_INCLUDES} \
-		${IRS_INCLUDES} ${ISCCFG_INCLUDES} @LIBIDN2_CFLAGS@ \
-		${OPENSSL_CFLAGS}
+		${IRS_INCLUDES} ${ISCCFG_INCLUDES} @LIBIDN2_CFLAGS@ @OPENSSL_INCLUDES@
 
 CDEFINES =	-DVERSION=\"${VERSION}\"
 CWARNINGS =
@@ -28,8 +27,8 @@ CWARNINGS =
 ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
 DNSLIBS =	../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
 BIND9LIBS =	../../lib/bind9/libbind9.@A@
-ISCLIBS =	../../lib/isc/libisc.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS}
-ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS}
+ISCLIBS =	../../lib/isc/libisc.@A@ @OPENSSL_LIBS@
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LIBS@
 IRSLIBS =	../../lib/irs/libirs.@A@
 
 ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@

bin/dig/dig.1

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2000-2011, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2011, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -456,11 +456,6 @@ clears the EDNS options to be sent\&.
 Send an EDNS Expire option\&.
 .RE
 .PP
-\fB+[no]expandaaaa\fR
-.RS 4
-When printing AAAA record print all zero nibbles rather than the default RFC 5952 preferred presentation format\&.
-.RE
-.PP
 \fB+[no]fail\fR
 .RS 4
 Do not try the next server if you receive a SERVFAIL\&. The default is to not try the next server which is the reverse of normal stub resolver behavior\&.
@@ -744,13 +739,6 @@ Display [do not display] the TTL when printing the record\&.
 Display [do not display] the TTL in friendly human\-readable time units of "s", "m", "h", "d", and "w", representing seconds, minutes, hours, days and weeks\&. Implies +ttlid\&.
 .RE
 .PP
-\fB+[no]unexpected\fR
-.RS 4
-Accept [do not accept] answers from unexpected sources\&. By default,
-\fBdig\fR
-won\*(Aqt accept a reply from a source other than the one to which it sent the query\&.
-.RE
-.PP
 \fB+[no]unknownformat\fR
 .RS 4
 Print all RDATA in unknown RR type presentation format (RFC 3597)\&. The default is to print RDATA for known types in the type\*(Aqs presentation format\&.
@@ -763,13 +751,6 @@ Use [do not use] TCP when querying name servers\&. This alternate syntax to
 is provided for backwards compatibility\&. The "vc" stands for "virtual circuit"\&.
 .RE
 .PP
-\fB+[no]yaml\fR
-.RS 4
-Print the responses (and, if
-\fB+qr\fR
-is in use, also the outgoing queries) in a detailed YAML format\&.
-.RE
-.PP
 \fB+[no]zflag\fR
 .RS 4
 Set [do not set] the last unassigned DNS header flag in a DNS query\&. This flag is off by default\&.
@@ -849,5 +830,5 @@ There are probably too many query options\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2000-2011, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000-2011, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dig/dig.c

@@ -11,6 +11,8 @@
 
 /*! \file */
 
+#include <config.h>
+
 #include <inttypes.h>
 #include <stdbool.h>
 #include <stdlib.h>
@@ -54,7 +56,7 @@
 
 dig_lookup_t *default_lookup = NULL;
 
-static atomic_uintptr_t batchname = ATOMIC_VAR_INIT(0);
+static char *batchname = NULL;
 static FILE *batchfp = NULL;
 static char *argv0;
 static int addresscount = 0;
@@ -189,7 +191,6 @@ help(void) {
 "                 +[no]ednsnegotiation (Set EDNS version negotiation)\n"
 "                 +ednsopt=###[:value] (Send specified EDNS option)\n"
 "                 +noednsopt          (Clear list of +ednsopt options)\n"
-"                 +[no]expandaaaa     (Expand AAAA records)\n"
 "                 +[no]expire         (Request time to expire)\n"
 "                 +[no]fail           (Don't try next server on SERVFAIL)\n"
 "                 +[no]header-only    (Send query without a question section)\n"
@@ -234,12 +235,9 @@ help(void) {
 "                 +tries=###          (Set number of UDP attempts) [3]\n"
 "                 +[no]ttlid          (Control display of ttls in records)\n"
 "                 +[no]ttlunits       (Display TTLs in human-readable units)\n"
-"                 +[no]unexpected     (Print replies from unexpected sources\n"
-"                                      default=off)\n"
 "                 +[no]unknownformat  (Print RDATA in RFC 3597 \"unknown\" "
 					"format)\n"
 "                 +[no]vc             (TCP mode (+[no]tcp))\n"
-"                 +[no]yaml           (Present the results as YAML)\n"
 "                 +[no]zflag          (Set Z flag in query)\n"
 "        global d-opts and servers (before host name) affect all queries.\n"
 "        local d-opts and servers (after host name) affect only that lookup.\n"
@@ -265,11 +263,7 @@ received(unsigned int bytes, isc_sockaddr_t *from, dig_query_t *query) {
 
 	isc_sockaddr_format(from, fromtext, sizeof(fromtext));
 
-	if (short_form || yaml) {
-		return;
-	}
-
-	if (query->lookup->stats) {
+	if (query->lookup->stats && !short_form) {
 		diff = isc_time_microdiff(&query->time_recv, &query->time_sent);
 		if (query->lookup->use_usec)
 			printf(";; Query time: %ld usec\n", (long) diff);
@@ -290,15 +284,11 @@ received(unsigned int bytes, isc_sockaddr_t *from, dig_query_t *query) {
 		 */
 		if (wcsftime(time_str, sizeof(time_str)/sizeof(time_str[0]),
 			     L"%a %b %d %H:%M:%S %Z %Y", &tmnow) > 0U)
-		{
 			printf(";; WHEN: %ls\n", time_str);
-		}
 #else
 		if (strftime(time_str, sizeof(time_str),
 			     "%a %b %d %H:%M:%S %Z %Y", &tmnow) > 0U)
-		{
 			printf(";; WHEN: %s\n", time_str);
-		}
 #endif
 		if (query->lookup->doing_xfr) {
 			printf(";; XFR size: %u records (messages %u, "
@@ -309,32 +299,30 @@ received(unsigned int bytes, isc_sockaddr_t *from, dig_query_t *query) {
 			printf(";; MSG SIZE  rcvd: %u\n", bytes);
 		}
 		if (tsigkey != NULL) {
-			if (!validated) {
+			if (!validated)
 				puts(";; WARNING -- Some TSIG could not "
 				     "be validated");
-			}
 		}
 		if ((tsigkey == NULL) && (keysecret[0] != 0)) {
 			puts(";; WARNING -- TSIG key was not used.");
 		}
 		puts("");
-	} else if (query->lookup->identify) {
+	} else if (query->lookup->identify && !short_form) {
 		diff = isc_time_microdiff(&query->time_recv, &query->time_sent);
-		if (query->lookup->use_usec) {
+		if (query->lookup->use_usec)
 			printf(";; Received %" PRIu64 " bytes "
 			       "from %s(%s) in %ld us\n\n",
 			       query->lookup->doing_xfr
 				 ? query->byte_count
 				 : (uint64_t)bytes,
 			       fromtext, query->userarg, (long) diff);
-		} else {
+		else
 			printf(";; Received %" PRIu64 " bytes "
 			       "from %s(%s) in %ld ms\n\n",
 			       query->lookup->doing_xfr
 				 ?  query->byte_count
 				 : (uint64_t)bytes,
 			       fromtext, query->userarg, (long) diff / 1000);
-		}
 	}
 }
 
@@ -373,24 +361,20 @@ say_message(dns_rdata_t *rdata, dig_query_t *query, isc_buffer_t *buf) {
 		styleflags |= DNS_STYLEFLAG_NOCRYPTO;
 	if (query->lookup->print_unknown_format)
 		styleflags |= DNS_STYLEFLAG_UNKNOWNFORMAT;
-	if (query->lookup->expandaaaa)
-		styleflags |= DNS_STYLEFLAG_EXPANDAAAA;
 	result = dns_rdata_tofmttext(rdata, NULL, styleflags, 0,
 				     splitwidth, " ", buf);
-	if (result == ISC_R_NOSPACE) {
+	if (result == ISC_R_NOSPACE)
 		return (result);
-	}
 	check_result(result, "dns_rdata_totext");
 	if (query->lookup->identify) {
+
 		diff = isc_time_microdiff(&query->time_recv, &query->time_sent);
 		ADD_STRING(buf, " from server ");
 		ADD_STRING(buf, query->servname);
 		if (query->lookup->use_usec) {
-			snprintf(store, sizeof(store),
-				 " in %" PRIu64 " us.", diff);
+			snprintf(store, sizeof(store), " in %" PRIu64 " us.", diff);
 		} else {
-			snprintf(store, sizeof(store),
-				 " in %" PRIu64 " ms.", diff / 1000);
+			snprintf(store, sizeof(store), " in %" PRIu64 " ms.", diff / 1000);
 		}
 		ADD_STRING(buf, store);
 	}
@@ -430,7 +414,8 @@ short_answer(dns_message_t *msg, dns_messagetextflag_t flags,
 			loopresult = dns_rdataset_first(rdataset);
 			while (loopresult == ISC_R_SUCCESS) {
 				dns_rdataset_current(rdataset, &rdata);
-				result = say_message(&rdata, query, buf);
+				result = say_message(&rdata, query,
+						     buf);
 				if (result == ISC_R_NOSPACE)
 					return (result);
 				check_result(result, "say_message");
@@ -472,85 +457,61 @@ isdotlocal(dns_message_t *msg) {
  * Callback from dighost.c to print the reply from a server
  */
 static isc_result_t
-printmessage(dig_query_t *query, const isc_buffer_t *msgbuf,
-	     dns_message_t *msg, bool headers)
-{
+printmessage(dig_query_t *query, dns_message_t *msg, bool headers) {
 	isc_result_t result;
 	dns_messagetextflag_t flags;
 	isc_buffer_t *buf = NULL;
 	unsigned int len = OUTPUTBUF;
 	dns_master_style_t *style = NULL;
 	unsigned int styleflags = 0;
-	bool isquery = (msg == query->lookup->sendmsg);
-
-	UNUSED(msgbuf);
 
 	styleflags |= DNS_STYLEFLAG_REL_OWNER;
-	if (yaml) {
-		msg->indent.string = "  ";
-		msg->indent.count = 3;
-		styleflags |= DNS_STYLEFLAG_YAML;
-	} else {
-		if (query->lookup->comments) {
-			styleflags |= DNS_STYLEFLAG_COMMENT;
-		}
-		if (query->lookup->print_unknown_format) {
-			styleflags |= DNS_STYLEFLAG_UNKNOWNFORMAT;
-		}
-		/* Turn on rrcomments if explicitly enabled */
-		if (query->lookup->rrcomments > 0) {
+	if (query->lookup->comments)
+		styleflags |= DNS_STYLEFLAG_COMMENT;
+	if (query->lookup->print_unknown_format)
+		styleflags |= DNS_STYLEFLAG_UNKNOWNFORMAT;
+	/* Turn on rrcomments if explicitly enabled */
+	if (query->lookup->rrcomments > 0)
+		styleflags |= DNS_STYLEFLAG_RRCOMMENT;
+	if (query->lookup->ttlunits)
+		styleflags |= DNS_STYLEFLAG_TTL_UNITS;
+	if (query->lookup->nottl)
+		styleflags |= DNS_STYLEFLAG_NO_TTL;
+	if (query->lookup->noclass)
+		styleflags |= DNS_STYLEFLAG_NO_CLASS;
+	if (query->lookup->nocrypto)
+		styleflags |= DNS_STYLEFLAG_NOCRYPTO;
+	if (query->lookup->multiline) {
+		styleflags |= DNS_STYLEFLAG_OMIT_OWNER;
+		styleflags |= DNS_STYLEFLAG_OMIT_CLASS;
+		styleflags |= DNS_STYLEFLAG_REL_DATA;
+		styleflags |= DNS_STYLEFLAG_OMIT_TTL;
+		styleflags |= DNS_STYLEFLAG_TTL;
+		styleflags |= DNS_STYLEFLAG_MULTILINE;
+		/* Turn on rrcomments unless explicitly disabled */
+		if (query->lookup->rrcomments >= 0)
 			styleflags |= DNS_STYLEFLAG_RRCOMMENT;
-		}
-		if (query->lookup->ttlunits) {
-			styleflags |= DNS_STYLEFLAG_TTL_UNITS;
-		}
-		if (query->lookup->nottl) {
-			styleflags |= DNS_STYLEFLAG_NO_TTL;
-		}
-		if (query->lookup->noclass) {
-			styleflags |= DNS_STYLEFLAG_NO_CLASS;
-		}
-		if (query->lookup->nocrypto) {
-			styleflags |= DNS_STYLEFLAG_NOCRYPTO;
-		}
-		if (query->lookup->expandaaaa) {
-			styleflags |= DNS_STYLEFLAG_EXPANDAAAA;
-		}
-		if (query->lookup->multiline) {
-			styleflags |= DNS_STYLEFLAG_OMIT_OWNER;
-			styleflags |= DNS_STYLEFLAG_OMIT_CLASS;
-			styleflags |= DNS_STYLEFLAG_REL_DATA;
-			styleflags |= DNS_STYLEFLAG_OMIT_TTL;
-			styleflags |= DNS_STYLEFLAG_TTL;
-			styleflags |= DNS_STYLEFLAG_MULTILINE;
-			/* Turn on rrcomments unless explicitly disabled */
-			if (query->lookup->rrcomments >= 0) {
-				styleflags |= DNS_STYLEFLAG_RRCOMMENT;
-			}
-		}
 	}
 	if (query->lookup->multiline ||
 	    (query->lookup->nottl && query->lookup->noclass))
-	{
 		result = dns_master_stylecreate(&style, styleflags,
 						24, 24, 24, 32, 80, 8,
 						splitwidth, mctx);
-	} else if (query->lookup->nottl || query->lookup->noclass) {
+	else if (query->lookup->nottl || query->lookup->noclass)
 		result = dns_master_stylecreate(&style, styleflags,
 						24, 24, 32, 40, 80, 8,
 						splitwidth, mctx);
-	} else {
+	else
 		result = dns_master_stylecreate(&style, styleflags,
 						24, 32, 40, 48, 80, 8,
 						splitwidth, mctx);
-	}
 	check_result(result, "dns_master_stylecreate");
 
 	if (query->lookup->cmdline[0] != 0) {
 		if (!short_form && printcmd) {
 			fputs(query->lookup->cmdline, stdout);
 		}
-		query->lookup->cmdline[0] = '\0';
+		query->lookup->cmdline[0]=0;
 	}
 	debug("printmessage(%s %s %s)", headers ? "headers" : "noheaders",
 	      query->lookup->comments ? "comments" : "nocomments",
@@ -568,112 +529,16 @@ printmessage(dig_query_t *query, const isc_buffer_t *msgbuf,
 	if (!query->lookup->comments)
 		flags |= DNS_MESSAGETEXTFLAG_NOCOMMENTS;
 
-	isc_buffer_allocate(mctx, &buf, len);
+	result = isc_buffer_allocate(mctx, &buf, len);
+	check_result(result, "isc_buffer_allocate");
 
-	if (yaml) {
-		enum { Q = 0x1, R = 0x2 }; /* Q:query; R:ecursive */
-		unsigned int tflag = 0;
-		isc_sockaddr_t saddr;
-		char sockstr[ISC_SOCKADDR_FORMATSIZE];
-		uint16_t sport;
-		char *hash;
-		int pf;
-
-		printf("-\n");
-		printf("  type: MESSAGE\n");
-		printf("  message:\n");
-
-		if (isquery) {
-			tflag |= Q;
-			if ((msg->flags & DNS_MESSAGEFLAG_RD) != 0) {
-				tflag |= R;
-			}
-		} else if (((msg->flags & DNS_MESSAGEFLAG_RD) != 0) &&
-			   ((msg->flags & DNS_MESSAGEFLAG_RA) != 0))
-		{
-			tflag |= R;
-		}
-
-		if (tflag == (Q|R)) {
-			printf("    type: RECURSIVE_QUERY\n");
-		} else if (tflag == Q) {
-			printf("    type: AUTH_QUERY\n");
-		} else if (tflag == R) {
-			printf("    type: RECURSIVE_RESPONSE\n");
-		} else {
-			printf("    type: AUTH_RESPONSE\n");
-		}
-
-		if (!isc_time_isepoch(&query->time_sent)) {
-			char tbuf[100];
-			isc_time_formatISO8601ms(&query->time_sent,
-						 tbuf, sizeof(tbuf));
-			printf("    query_time: !!timestamp %s\n", tbuf);
-		}
-
-		if (!isquery && !isc_time_isepoch(&query->time_recv)) {
-			char tbuf[100];
-			isc_time_formatISO8601ms(&query->time_recv,
-						 tbuf, sizeof(tbuf));
-			printf("    response_time: !!timestamp %s\n", tbuf);
-		}
-
-		printf("    message_size: %ub\n",
-		       isc_buffer_usedlength(msgbuf));
-
-		pf = isc_sockaddr_pf(&query->sockaddr);
-		if (pf == PF_INET || pf == PF_INET6) {
-			printf("    socket_family: %s\n",
-			       pf == PF_INET ? "INET" : "INET6");
-
-			printf("    socket_protocol: %s\n",
-			       query->lookup->tcp_mode ? "TCP" : "UDP");
-
-			sport = isc_sockaddr_getport(&query->sockaddr);
-			isc_sockaddr_format(&query->sockaddr,
-					    sockstr, sizeof(sockstr));
-			hash = strchr(sockstr, '#');
-			if (hash != NULL) {
-				*hash = '\0';
-			}
-			if (strcmp(sockstr, "::") == 0) {
-				strlcat(sockstr, "0", sizeof(sockstr));
-			}
-
-			printf("    response_address: %s\n", sockstr);
-			printf("    response_port: %u\n", sport);
-		}
-
-		if (query->sock != NULL &&
-		    isc_socket_getsockname(query->sock, &saddr)
-		      == ISC_R_SUCCESS)
-		{
-			sport = isc_sockaddr_getport(&saddr);
-			isc_sockaddr_format(&saddr, sockstr, sizeof(sockstr));
-			hash = strchr(sockstr, '#');
-			if (hash != NULL) {
-				*hash = '\0';
-			}
-			if (strcmp(sockstr, "::") == 0) {
-				strlcat(sockstr, "0", sizeof(sockstr));
-			}
-
-			printf("    query_address: %s\n", sockstr);
-			printf("    query_port: %u\n", sport);
-		}
-
-		printf("    %s:\n", isquery ? "query_message_data"
-					    : "response_message_data");
-		result = dns_message_headertotext(msg, style, flags, buf);
-	} else if (query->lookup->comments && !short_form) {
-		if (query->lookup->cmdline[0] != '\0' && printcmd) {
+	if (query->lookup->comments && !short_form) {
+		if (query->lookup->cmdline[0] != 0 && printcmd)
 			printf("; %s\n", query->lookup->cmdline);
-		}
-		if (msg == query->lookup->sendmsg) {
+		if (msg == query->lookup->sendmsg)
 			printf(";; Sending:\n");
-		} else {
+		else
 			printf(";; Got answer:\n");
-		}
 
 		if (headers) {
 			if (isdotlocal(msg)) {
@@ -741,8 +606,11 @@ repopulate_buffer:
 buftoosmall:
 			len += OUTPUTBUF;
 			isc_buffer_free(&buf);
-			isc_buffer_allocate(mctx, &buf, len);
-			goto repopulate_buffer;
+			result = isc_buffer_allocate(mctx, &buf, len);
+			if (result == ISC_R_SUCCESS)
+				goto repopulate_buffer;
+			else
+				goto cleanup;
 		}
 		check_result(result,
 		     "dns_message_pseudosectiontotext");
@@ -815,14 +683,14 @@ buftoosmall:
 		}
 	}
 
-	if (headers && query->lookup->comments && !short_form && !yaml) {
+	if (headers && query->lookup->comments && !short_form)
 		printf("\n");
-	}
 
 	printf("%.*s", (int)isc_buffer_usedlength(buf),
 	       (char *)isc_buffer_base(buf));
 	isc_buffer_free(&buf);
 
+cleanup:
 	if (style != NULL)
 		dns_master_styledestroy(&style, mctx);
 	return (result);
@@ -1175,24 +1043,8 @@ plus_option(char *option, bool is_batchfile,
 			}
 			break;
 		case 'x':
-			switch (cmd[2]) {
-			case 'p':
-				switch(cmd[3]) {
-				case 'a':
-					FULLCHECK("expandaaaa");
-					lookup->expandaaaa = state;
-					break;
-				case 'i':
-					FULLCHECK("expire");
-					lookup->expire = state;
-					break;
-				default:
-					goto invalid_option;
-				}
-				break;
-			default:
-				goto invalid_option;
-			}
+			FULLCHECK("expire");
+			lookup->expire = state;
 			break;
 		default:
 			goto invalid_option;
@@ -1664,25 +1516,8 @@ plus_option(char *option, bool is_batchfile,
 		}
 		break;
 	case 'u':
-		switch (cmd[1]) {
-		case 'n':
-			switch (cmd[2]) {
-			case 'e':
-				FULLCHECK("unexpected");
-				lookup->accept_reply_unexpected_src = state;
-				break;
-			case 'k':
-				FULLCHECK("unknownformat");
-				lookup->print_unknown_format = state;
-				break;
-			default:
-				goto invalid_option;
-			}
-			break;
-		default:
-			goto invalid_option;
-		}
-
+		FULLCHECK("unknownformat");
+		lookup->print_unknown_format = state;
 		break;
 	case 'v':
 		FULLCHECK("vc");
@@ -1691,15 +1526,6 @@ plus_option(char *option, bool is_batchfile,
 			lookup->tcp_mode_set = true;
 		}
 		break;
-	case 'y': /* yaml */
-		FULLCHECK("yaml");
-		yaml = state;
-		if (state) {
-			printcmd = false;
-			lookup->stats = false;
-			lookup->rrcomments = -1;
-		}
-		break;
 	case 'z': /* zflag */
 		FULLCHECK("zflag");
 		lookup->zflag = state;
@@ -1869,7 +1695,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 				value);
 		return (value_from_next);
 	case 'f':
-		atomic_store(&batchname, (uintptr_t)value);
+		batchname = value;
 		return (value_from_next);
 	case 'k':
 		strlcpy(keyfile, value, sizeof(keyfile));
@@ -2322,15 +2148,13 @@ parse_args(bool is_batchfile, bool config_only,
 	 * first entry, then trust the callback in dighost_shutdown
 	 * to get the rest
 	 */
-	char *filename = (char *)atomic_load(&batchname);
-	if ((filename != NULL) && !(is_batchfile)) {
-		if (strcmp(filename, "-") == 0) {
+	if ((batchname != NULL) && !(is_batchfile)) {
+		if (strcmp(batchname, "-") == 0)
 			batchfp = stdin;
-		} else {
-			batchfp = fopen(filename, "r");
-		}
+		else
+			batchfp = fopen(batchname, "r");
 		if (batchfp == NULL) {
-			perror(filename);
+			perror(batchname);
 			if (exitcode < 8)
 				exitcode = 8;
 			fatal("couldn't open specified batch file");
@@ -2385,14 +2209,14 @@ query_finished(void) {
 	int bargc;
 	char *bargv[16];
 
-	if (atomic_load(&batchname) == 0) {
+	if (batchname == NULL) {
 		isc_app_shutdown();
 		return;
 	}
 
 	fflush(stdout);
 	if (feof(batchfp)) {
-		atomic_store(&batchname, 0);
+		batchname = NULL;
 		isc_app_shutdown();
 		if (batchfp != stdin)
 			fclose(batchfp);
@@ -2406,7 +2230,7 @@ query_finished(void) {
 		parse_args(true, false, bargc, (char **)bargv);
 		start_lookup();
 	} else {
-		atomic_store(&batchname, 0);
+		batchname = NULL;
 		if (batchfp != stdin)
 			fclose(batchfp);
 		isc_app_shutdown();
@@ -2414,67 +2238,8 @@ query_finished(void) {
 	}
 }
 
-static void
-dig_error(const char *format, ...) {
-	va_list args;
-
-	if (yaml) {
-		printf("-\n");
-		printf("  type: DIG_ERROR\n");
-
-		/*
-		 * Print an indent before a literal block quote.
-		 * Note: this will break if used to print more than
-		 * one line of text as only the first line would be
-		 * indented.
-		 */
-		printf("  message: |\n");
-		printf("    ");
-	} else {
-		printf(";; ");
-	}
-
-	va_start(args, format);
-	vprintf(format, args);
-	va_end(args);
-
-	if (!yaml) {
-		printf("\n");
-	}
-}
-
-static void
-dig_warning(const char *format, ...) {
-	va_list args;
-
-	if (!yaml) {
-		printf(";; ");
-
-		va_start(args, format);
-		vprintf(format, args);
-		va_end(args);
-
-		printf("\n");
-	}
-}
-
-static void
-dig_comments(dig_lookup_t *lookup, const char *format, ...) {
-	va_list args;
-
-	if (lookup->comments && !yaml) {
-		printf(";; ");
-
-		va_start(args, format);
-		vprintf(format, args);
-		va_end(args);
-
-		printf("\n");
-	}
-}
-
-void
-dig_setup(int argc, char **argv) {
+void dig_setup(int argc, char **argv)
+{
 	isc_result_t result;
 
 	ISC_LIST_INIT(lookup_list);
@@ -2488,9 +2253,6 @@ dig_setup(int argc, char **argv) {
 	dighost_received = received;
 	dighost_trying = trying;
 	dighost_shutdown = query_finished;
-	dighost_error = dig_error;
-	dighost_warning = dig_warning;
-	dighost_comments = dig_comments;
 
 	progname = argv[0];
 	preparse_args(argc, argv);
@@ -2536,11 +2298,10 @@ void dig_query_start()
 void
 dig_shutdown() {
 	destroy_lookup(default_lookup);
-	if (atomic_load(&batchname) != 0) {
-		if (batchfp != stdin) {
+	if (batchname != NULL) {
+		if (batchfp != stdin)
 			fclose(batchfp);
-		}
-		atomic_store(&batchname, 0);
+		batchname = NULL;
 	}
 	cancel_all();
 	destroy_libs();

bin/dig/dig.docbook

@@ -53,7 +53,6 @@
       <year>2017</year>
       <year>2018</year>
       <year>2019</year>
-      <year>2020</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
@@ -760,16 +759,6 @@
 	  </listitem>
 	</varlistentry>
 
-	<varlistentry>
-	  <term><option>+[no]expandaaaa</option></term>
-	  <listitem>
-	    <para>
-	      When printing AAAA record print all zero nibbles rather
-	      than the default RFC 5952 preferred presentation format.
-	    </para>
-	  </listitem>
-	</varlistentry>
-
 	<varlistentry>
 	  <term><option>+[no]fail</option></term>
 	  <listitem>
@@ -1270,17 +1259,6 @@
 	  </listitem>
 	</varlistentry>
 
-	<varlistentry>
-	  <term><option>+[no]unexpected</option></term>
-	  <listitem>
-	    <para>
-	      Accept [do not accept] answers from unexpected sources.  By
-	      default, <command>dig</command> won't accept a reply from a
-	      source other than the one to which it sent the query.
-	    </para>
-	  </listitem>
-	</varlistentry>
-
 	<varlistentry>
 	  <term><option>+[no]unknownformat</option></term>
 	  <listitem>
@@ -1304,16 +1282,6 @@
 	  </listitem>
 	</varlistentry>
 
-	<varlistentry>
-	  <term><option>+[no]yaml</option></term>
-	  <listitem>
-	    <para>
-	      Print the responses (and, if <option>+qr</option> is in use,
-	      also the outgoing queries) in a detailed YAML format.
-	    </para>
-	  </listitem>
-	</varlistentry>
-
 	<varlistentry>
 	  <term><option>+[no]zflag</option></term>
 	  <listitem>

bin/dig/dig.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2011, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2011, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -610,13 +610,6 @@
 	      Send an EDNS Expire option.
 	    </p>
 	  </dd>
-<dt><span class="term"><code class="option">+[no]expandaaaa</code></span></dt>
-<dd>
-	    <p>
-	      When printing AAAA record print all zero nibbles rather
-	      than the default RFC 5952 preferred presentation format.
-	    </p>
-	  </dd>
 <dt><span class="term"><code class="option">+[no]fail</code></span></dt>
 <dd>
 	    <p>
@@ -1000,14 +993,6 @@
 	      seconds, minutes, hours, days and weeks.  Implies +ttlid.
 	    </p>
 	  </dd>
-<dt><span class="term"><code class="option">+[no]unexpected</code></span></dt>
-<dd>
-	    <p>
-	      Accept [do not accept] answers from unexpected sources.  By
-	      default, <span class="command"><strong>dig</strong></span> won't accept a reply from a
-	      source other than the one to which it sent the query.
-	    </p>
-	  </dd>
 <dt><span class="term"><code class="option">+[no]unknownformat</code></span></dt>
 <dd>
 	    <p>
@@ -1025,13 +1010,6 @@
 	      stands for "virtual circuit".
 	    </p>
 	  </dd>
-<dt><span class="term"><code class="option">+[no]yaml</code></span></dt>
-<dd>
-	    <p>
-	      Print the responses (and, if <code class="option">+qr</code> is in use,
-	      also the outgoing queries) in a detailed YAML format.
-	    </p>
-	  </dd>
 <dt><span class="term"><code class="option">+[no]zflag</code></span></dt>
 <dd>
 	    <p>

bin/dig/dighost.c

@@ -19,6 +19,8 @@
  * functions in most applications.
  */
 
+#include <config.h>
+
 #include <inttypes.h>
 #include <stdbool.h>
 #include <stdlib.h>
@@ -112,8 +114,7 @@ bool
 	showsearch = false,
 	is_dst_up = false,
 	keep_open = false,
-	verbose = false,
-	yaml = false;
+	verbose = false;
 in_port_t port = 53;
 unsigned int timeout = 0;
 unsigned int extrabytes;
@@ -191,48 +192,14 @@ dig_lookup_t *current_lookup = NULL;
 		     "isc_mutex_unlock");\
 }
 
-static void
-default_warnerr(const char *format, ...) {
-	va_list args;
-
-	printf(";; ");
-	va_start(args, format);
-	vprintf(format, args);
-	va_end(args);
-	printf("\n");
-};
-
-static void
-default_comments(dig_lookup_t *lookup, const char *format, ...) {
-	va_list args;
-
-	if (lookup->comments) {
-		printf(";; ");
-		va_start(args, format);
-		vprintf(format, args);
-		va_end(args);
-		printf("\n");
-	}
-};
-
 /* dynamic callbacks */
 
 isc_result_t
-(*dighost_printmessage)(dig_query_t *query, const isc_buffer_t *msgbuf,
-			dns_message_t *msg, bool headers);
+(*dighost_printmessage)(dig_query_t *query, dns_message_t *msg,
+	bool headers);
 
 void
-(*dighost_error)(const char *format, ...) = default_warnerr;
-
-void
-(*dighost_warning)(const char *format, ...) = default_warnerr;
-
-void
-(*dighost_comments)(dig_lookup_t *lookup, const char *format, ...) = default_comments;
-
-void
-(*dighost_received)(unsigned int bytes, isc_sockaddr_t *from,
-		    dig_query_t *query);
+(*dighost_received)(unsigned int bytes, isc_sockaddr_t *from, dig_query_t *query);
 
 void
 (*dighost_trying)(char *frm, dig_lookup_t *lookup);
@@ -481,6 +448,9 @@ make_server(const char *servname, const char *userarg) {
 
 	debug("make_server(%s)", servname);
 	srv = isc_mem_allocate(mctx, sizeof(struct dig_server));
+	if (srv == NULL)
+		fatal("memory allocation failure in %s:%d",
+		      __FILE__, __LINE__);
 	strlcpy(srv->servername, servname, MXNAME);
 	strlcpy(srv->userarg, userarg, MXNAME);
 	ISC_LINK_INIT(srv, link);
@@ -608,6 +578,9 @@ make_empty_lookup(void) {
 	INSIST(!free_now);
 
 	looknew = isc_mem_allocate(mctx, sizeof(struct dig_lookup));
+	if (looknew == NULL)
+		fatal("memory allocation failure in %s:%d",
+		       __FILE__, __LINE__);
 	looknew->pending = true;
 	looknew->textname[0] = 0;
 	looknew->cmdline[0] = 0;
@@ -649,9 +622,8 @@ make_empty_lookup(void) {
 	looknew->use_usec = false;
 	looknew->nocrypto = false;
 	looknew->ttlunits = false;
-	looknew->expandaaaa = false;
+	looknew->ttlunits = false;
 	looknew->qr = false;
-	looknew->accept_reply_unexpected_src = false;
 #ifdef HAVE_LIBIDN2
 	looknew->idnin = isatty(1)?(getenv("IDN_DISABLE") == NULL):false;
 	looknew->idnout = looknew->idnin;
@@ -710,6 +682,8 @@ cloneopts(dig_lookup_t *looknew, dig_lookup_t *lookold) {
 	size_t len = sizeof(looknew->ednsopts[0]) * EDNSOPT_OPTIONS;
 	size_t i;
 	looknew->ednsopts = isc_mem_allocate(mctx, len);
+	if (looknew->ednsopts == NULL)
+		fatal("out of memory");
 	for (i = 0; i < EDNSOPT_OPTIONS; i++) {
 		looknew->ednsopts[i].code = 0;
 		looknew->ednsopts[i].length = 0;
@@ -723,8 +697,10 @@ cloneopts(dig_lookup_t *looknew, dig_lookup_t *lookold) {
 		len = lookold->ednsopts[i].length;
 		if (len != 0) {
 			INSIST(lookold->ednsopts[i].value != NULL);
-			looknew->ednsopts[i].value = isc_mem_allocate(mctx,
-								      len);
+			looknew->ednsopts[i].value =
+				 isc_mem_allocate(mctx, len);
+			if (looknew->ednsopts[i].value == NULL)
+				fatal("out of memory");
 			memmove(looknew->ednsopts[i].value,
 				lookold->ednsopts[i].value, len);
 		}
@@ -795,10 +771,7 @@ clone_lookup(dig_lookup_t *lookold, bool servers) {
 	looknew->use_usec = lookold->use_usec;
 	looknew->nocrypto = lookold->nocrypto;
 	looknew->ttlunits = lookold->ttlunits;
-	looknew->expandaaaa = lookold->expandaaaa;
 	looknew->qr = lookold->qr;
-	looknew->accept_reply_unexpected_src =
-		lookold->accept_reply_unexpected_src;
 	looknew->idnin = lookold->idnin;
 	looknew->idnout = lookold->idnout;
 	looknew->udpsize = lookold->udpsize;
@@ -832,11 +805,13 @@ clone_lookup(dig_lookup_t *lookold, bool servers) {
 	if (lookold->ecs_addr != NULL) {
 		size_t len = sizeof(isc_sockaddr_t);
 		looknew->ecs_addr = isc_mem_allocate(mctx, len);
+		if (looknew->ecs_addr == NULL)
+			fatal("out of memory");
 		memmove(looknew->ecs_addr, lookold->ecs_addr, len);
 	}
 
-	dns_name_copynf(dns_fixedname_name(&lookold->fdomain),
-			   dns_fixedname_name(&looknew->fdomain));
+	dns_name_copy(dns_fixedname_name(&lookold->fdomain),
+		      dns_fixedname_name(&looknew->fdomain), NULL);
 
 	if (servers)
 		clone_server_list(lookold->my_server_list,
@@ -883,11 +858,16 @@ setup_text_key(void) {
 	unsigned char *secretstore;
 
 	debug("setup_text_key()");
-	isc_buffer_allocate(mctx, &namebuf, MXNAME);
+	result = isc_buffer_allocate(mctx, &namebuf, MXNAME);
+	check_result(result, "isc_buffer_allocate");
 	dns_name_init(&keyname, NULL);
+	check_result(result, "dns_name_init");
 	isc_buffer_putstr(namebuf, keynametext);
 	secretsize = (unsigned int) strlen(keysecret) * 3 / 4;
 	secretstore = isc_mem_allocate(mctx, secretsize);
+	if (secretstore == NULL)
+		fatal("memory allocation failure in %s:%d",
+		      __FILE__, __LINE__);
 	isc_buffer_init(&secretbuf, secretstore, secretsize);
 	result = isc_base64_decodestring(keysecret, &secretbuf);
 	if (result != ISC_R_SUCCESS)
@@ -977,6 +957,8 @@ parse_netprefix(isc_sockaddr_t **sap, const char *value) {
 		fatal("invalid prefix '%s'\n", value);
 
 	sa = isc_mem_allocate(mctx, sizeof(*sa));
+	if (sa == NULL)
+		fatal("out of memory");
 	memset(sa, 0, sizeof(*sa));
 
 	if (strcmp(buf, "0") == 0) {
@@ -1208,6 +1190,9 @@ static dig_searchlist_t *
 make_searchlist_entry(char *domain) {
 	dig_searchlist_t *search;
 	search = isc_mem_allocate(mctx, sizeof(*search));
+	if (search == NULL)
+		fatal("memory allocation failure in %s:%d",
+		      __FILE__, __LINE__);
 	strlcpy(search->origin, domain, MXNAME);
 	search->origin[MXNAME-1] = 0;
 	ISC_LINK_INIT(search, link);
@@ -1362,7 +1347,8 @@ setup_libs(void) {
 	if (!have_ipv6 && !have_ipv4)
 		fatal("can't find either v4 or v6 networking");
 
-	isc_mem_create(&mctx);
+	result = isc_mem_create(0, 0, &mctx);
+	check_result(result, "isc_mem_create");
 	isc_mem_setname(mctx, "dig", NULL);
 
 	result = isc_log_create(mctx, &lctx, &logconfig);
@@ -1377,7 +1363,7 @@ setup_libs(void) {
 
 	isc_log_setdebuglevel(lctx, 0);
 
-	result = isc_taskmgr_create(mctx, 1, 0, NULL, &taskmgr);
+	result = isc_taskmgr_create(mctx, 1, 0, &taskmgr);
 	check_result(result, "isc_taskmgr_create");
 
 	result = isc_task_create(taskmgr, 0, &global_task);
@@ -1394,7 +1380,8 @@ setup_libs(void) {
 	check_result(result, "dst_lib_init");
 	is_dst_up = true;
 
-	isc_mempool_create(mctx, COMMSIZE, &commctx);
+	result = isc_mempool_create(mctx, COMMSIZE, &commctx);
+	check_result(result, "isc_mempool_create");
 	isc_mempool_setname(commctx, "COMMPOOL");
 	/*
 	 * 6 and 2 set as reasonable parameters for 3 or 4 nameserver
@@ -1470,7 +1457,9 @@ save_opt(dig_lookup_t *lookup, char *code, char *value) {
 
 	if (value != NULL) {
 		char *buf;
-		buf = isc_mem_allocate(mctx, strlen(value) / 2 + 1);
+		buf = isc_mem_allocate(mctx, strlen(value)/2 + 1);
+		if (buf == NULL)
+			fatal("out of memory");
 		isc_buffer_init(&b, buf, (unsigned int) strlen(value)/2 + 1);
 		result = isc_hex_decodestring(value, &b);
 		check_result(result, "isc_hex_decodestring");
@@ -1786,15 +1775,12 @@ followup_lookup(dns_message_t *msg, dig_query_t *query, dns_section_t section)
 			namereln = dns_name_fullcompare(name, domain,
 							&order, &nlabels);
 			if (namereln == dns_namereln_equal) {
-				if (!horizontal) {
-					dighost_warning("BAD (HORIZONTAL) "
-							"REFERRAL");
-				}
+				if (!horizontal)
+					printf(";; BAD (HORIZONTAL) REFERRAL\n");
 				horizontal = true;
 			} else if (namereln != dns_namereln_subdomain) {
-				if (!bad) {
-					dighost_warning( "BAD REFERRAL");
-				}
+				if (!bad)
+					printf(";; BAD REFERRAL\n");
 				bad = true;
 				continue;
 			}
@@ -1838,7 +1824,7 @@ followup_lookup(dns_message_t *msg, dig_query_t *query, dns_section_t section)
 				if (lookup->ns_search_only)
 					lookup->recurse = false;
 				domain = dns_fixedname_name(&lookup->fdomain);
-				dns_name_copynf(name, domain);
+				dns_name_copy(name, domain, NULL);
 			}
 			debug("adding server %s", namestr);
 			num = getaddresses(lookup, namestr, &lresult);
@@ -2042,9 +2028,6 @@ setup_lookup(dig_lookup_t *lookup) {
 	char cookiebuf[256];
 	char *origin = NULL;
 	char *textname = NULL;
-
-	REQUIRE(lookup != NULL);
-
 #ifdef HAVE_LIBIDN2
 	char idn_origin[MXNAME], idn_textname[MXNAME];
 
@@ -2053,6 +2036,7 @@ setup_lookup(dig_lookup_t *lookup) {
 	check_result(result, "dns_name_settotextfilter");
 #endif /* HAVE_LIBIDN2 */
 
+	REQUIRE(lookup != NULL);
 	INSIST(!free_now);
 
 	debug("setup_lookup(%p)", lookup);
@@ -2153,26 +2137,22 @@ setup_lookup(dig_lookup_t *lookup) {
 			isc_buffer_init(&b, textname, len);
 			isc_buffer_add(&b, len);
 			result = dns_name_fromtext(name, &b, NULL, 0, NULL);
-			if (result == ISC_R_SUCCESS) {
-				if (!dns_name_isabsolute(name)) {
-					result = dns_name_concatenate(name,
-							     lookup->oname,
-							     lookup->name,
-							     &lookup->namebuf);
-				} else {
-					result = dns_name_copy(name,
-							     lookup->name,
-							     &lookup->namebuf);
-				}
-			}
+			if (result == ISC_R_SUCCESS &&
+			    !dns_name_isabsolute(name))
+				result = dns_name_concatenate(name,
+							      lookup->oname,
+							      lookup->name,
+							      &lookup->namebuf);
+			else if (result == ISC_R_SUCCESS)
+				result = dns_name_copy(name, lookup->name,
+						       &lookup->namebuf);
 			if (result != ISC_R_SUCCESS) {
 				dns_message_puttempname(lookup->sendmsg,
 							&lookup->name);
 				dns_message_puttempname(lookup->sendmsg,
 							&lookup->oname);
-				if (result == DNS_R_NAMETOOLONG) {
+				if (result == DNS_R_NAMETOOLONG)
 					return (false);
-				}
 				fatal("'%s' is not in legal name syntax (%s)",
 				      lookup->textname,
 				      isc_result_totext(result));
@@ -2510,6 +2490,10 @@ setup_lookup(dig_lookup_t *lookup) {
 	     serv = ISC_LIST_NEXT(serv, link))
 	{
 		query = isc_mem_allocate(mctx, sizeof(dig_query_t));
+		if (query == NULL) {
+			fatal("memory allocation failure in %s:%d",
+			      __FILE__, __LINE__);
+		}
 		debug("create query %p linked to lookup %p", query, lookup);
 		query->lookup = lookup;
 		query->timer = NULL;
@@ -2544,9 +2528,6 @@ setup_lookup(dig_lookup_t *lookup) {
 				COMMSIZE);
 		query->sendbuf = lookup->renderbuf;
 
-		isc_time_settoepoch(&query->time_sent);
-		isc_time_settoepoch(&query->time_recv);
-
 		ISC_LINK_INIT(query, clink);
 		ISC_LINK_INIT(query, link);
 
@@ -2555,6 +2536,16 @@ setup_lookup(dig_lookup_t *lookup) {
 		ISC_LIST_ENQUEUE(lookup->q, query, link);
 	}
 
+	/* XXX qrflag, print_query, etc... */
+	if (!ISC_LIST_EMPTY(lookup->q) && lookup->qr) {
+		extrabytes = 0;
+		dighost_printmessage(ISC_LIST_HEAD(lookup->q),
+				     lookup->sendmsg, true);
+		if (lookup->stats) {
+			printf(";; QUERY SIZE: %u\n\n",
+			       isc_buffer_usedlength(&lookup->renderbuf));
+		}
+	}
 	return (true);
 }
 
@@ -2671,6 +2662,10 @@ force_timeout(dig_query_t *query) {
 	event = isc_event_allocate(mctx, query, ISC_TIMEREVENT_IDLE,
 				   connect_timeout, query,
 				   sizeof(isc_event_t));
+	if (event == NULL) {
+		fatal("isc_event_allocate: %s",
+		      isc_result_totext(ISC_R_NOMEMORY));
+	}
 	isc_task_send(global_task, &event);
 
 	/*
@@ -2722,7 +2717,7 @@ send_tcp_connect(dig_query_t *query) {
 
 		isc_netaddr_fromsockaddr(&netaddr, &query->sockaddr);
 		isc_netaddr_format(&netaddr, buf, sizeof(buf));
-		dighost_warning("Skipping mapped address '%s'", buf);
+		printf(";; Skipping mapped address '%s'\n", buf);
 
 		query->waiting_connect = false;
 		if (ISC_LINK_LINKED(query, link))
@@ -2732,7 +2727,7 @@ send_tcp_connect(dig_query_t *query) {
 		l = query->lookup;
 		clear_query(query);
 		if (next == NULL) {
-			dighost_warning("No acceptable nameservers");
+			printf(";; No acceptable nameservers\n");
 			check_next_lookup(l);
 			return;
 		}
@@ -2793,14 +2788,6 @@ send_tcp_connect(dig_query_t *query) {
 	}
 }
 
-static void
-print_query_size(dig_query_t *query) {
-	if (!yaml) {
-		printf(";; QUERY SIZE: %u\n\n",
-		       isc_buffer_usedlength(&query->lookup->renderbuf));
-	}
-}
-
 /*%
  * Send a UDP packet to the remote nameserver, possible starting the
  * recv action as well.  Also make sure that the timer is running and
@@ -2839,12 +2826,13 @@ send_udp(dig_query_t *query) {
 
 			isc_netaddr_fromsockaddr(&netaddr, &query->sockaddr);
 			isc_netaddr_format(&netaddr, buf, sizeof(buf));
-			dighost_warning("Skipping mapped address '%s'", buf);
+			printf(";; Skipping mapped address '%s'\n", buf);
+
 			next = ISC_LIST_NEXT(query, link);
 			l = query->lookup;
 			clear_query(query);
 			if (next == NULL) {
-				dighost_warning("No acceptable nameservers");
+				printf(";; No acceptable nameservers\n");
 				check_next_lookup(l);
 			} else {
 				send_udp(next);
@@ -2895,17 +2883,6 @@ send_udp(dig_query_t *query) {
 				    sevent, ISC_SOCKFLAG_NORETRY);
 	check_result(result, "isc_socket_sendto2");
 	sendcount++;
-
-	/* XXX qrflag, print_query, etc... */
-	if (!ISC_LIST_EMPTY(query->lookup->q) && query->lookup->qr) {
-		extrabytes = 0;
-		dighost_printmessage(ISC_LIST_HEAD(query->lookup->q),
-				     &query->lookup->renderbuf,
-				     query->lookup->sendmsg, true);
-		if (query->lookup->stats) {
-			print_query_size(query);
-		}
-	}
 }
 
 /*%
@@ -3005,11 +2982,11 @@ connect_timeout(isc_task_t *task, isc_event_t *event) {
 			isc_netaddr_fromsockaddr(&netaddr, &query->sockaddr);
 			isc_netaddr_format(&netaddr, buf, sizeof(buf));
 
-			dighost_error("no response from %s\n", buf);
+			printf(";; no response from %s\n", buf);
 		} else {
 			fputs(l->cmdline, stdout);
-			dighost_error("connection timed out; "
-				      "no servers could be reached\n");
+			printf(";; connection timed out; no servers could be "
+			       "reached\n");
 		}
 		cancel_lookup(l);
 		check_next_lookup(l);
@@ -3081,8 +3058,8 @@ tcp_length_done(isc_task_t *task, isc_event_t *event) {
 		char sockstr[ISC_SOCKADDR_FORMATSIZE];
 		isc_sockaddr_format(&query->sockaddr, sockstr,
 				    sizeof(sockstr));
-		dighost_error("communications error to %s: %s\n",
-			      sockstr, isc_result_totext(sevent->result));
+		printf(";; communications error to %s: %s\n",
+		       sockstr, isc_result_totext(sevent->result));
 		if (keep != NULL)
 			isc_socket_detach(&keep);
 		l = query->lookup;
@@ -3181,17 +3158,6 @@ launch_next_query(dig_query_t *query, bool include_question) {
 		check_result(result, "isc_socket_send");
 		sendcount++;
 		debug("sendcount=%d", sendcount);
-
-		/* XXX qrflag, print_query, etc... */
-		if (!ISC_LIST_EMPTY(query->lookup->q) && query->lookup->qr) {
-			extrabytes = 0;
-			dighost_printmessage(ISC_LIST_HEAD(query->lookup->q),
-					     &query->lookup->renderbuf,
-					     query->lookup->sendmsg, true);
-			if (query->lookup->stats) {
-				print_query_size(query);
-			}
-		}
 	}
 	query->waiting_connect = false;
 #if 0
@@ -3231,12 +3197,11 @@ connect_done(isc_task_t *task, isc_event_t *event) {
 	if (sevent->result == ISC_R_CANCELED) {
 		debug("in cancel handler");
 		isc_sockaddr_format(&query->sockaddr, sockstr, sizeof(sockstr));
-		if (query->timedout) {
-			dighost_warning("Connection to %s(%s) for %s failed: "
-					"%s.", sockstr, query->servname,
-					query->lookup->textname,
-					isc_result_totext(ISC_R_TIMEDOUT));
-		}
+		if (query->timedout)
+			printf(";; Connection to %s(%s) for %s failed: %s.\n",
+			       sockstr, query->servname,
+			       query->lookup->textname,
+			       isc_result_totext(ISC_R_TIMEDOUT));
 		isc_socket_detach(&query->sock);
 		INSIST(sockcount > 0);
 		sockcount--;
@@ -3254,12 +3219,11 @@ connect_done(isc_task_t *task, isc_event_t *event) {
 		debug("unsuccessful connection: %s",
 		      isc_result_totext(sevent->result));
 		isc_sockaddr_format(&query->sockaddr, sockstr, sizeof(sockstr));
-		if (sevent->result != ISC_R_CANCELED) {
-			dighost_warning("Connection to %s(%s) for %s failed: "
-					"%s.", sockstr, query->servname,
-					 query->lookup->textname,
-					 isc_result_totext(sevent->result));
-		}
+		if (sevent->result != ISC_R_CANCELED)
+			printf(";; Connection to %s(%s) for %s failed: "
+			       "%s.\n", sockstr,
+			       query->servname, query->lookup->textname,
+			       isc_result_totext(sevent->result));
 		isc_socket_detach(&query->sock);
 		INSIST(sockcount > 0);
 		sockcount--;
@@ -3467,12 +3431,12 @@ process_cookie(dig_lookup_t *l, dns_message_t *msg,
 		if (isc_safe_memequal(isc_buffer_current(optbuf), sent, 8)) {
 			msg->cc_ok = 1;
 		} else {
-			dighost_warning("Warning: Client COOKIE mismatch");
+			printf(";; Warning: Client COOKIE mismatch\n");
 			msg->cc_bad = 1;
 			copy = false;
 		}
 	} else {
-		dighost_warning("Warning: COOKIE bad token (too short)");
+		printf(";; Warning: COOKIE bad token (too short)\n");
 		msg->cc_bad = 1;
 		copy = false;
 	}
@@ -3568,6 +3532,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 
 	query = event->ev_arg;
 	TIME_NOW(&query->time_recv);
+	debug("lookup=%p, query=%p", query->lookup, query);
 
 	l = query->lookup;
 
@@ -3596,8 +3561,8 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 			debug("in recv cancel handler");
 			query->waiting_connect = false;
 		} else {
-			dighost_error("communications error: %s\n",
-				      isc_result_totext(sevent->result));
+			printf(";; communications error: %s\n",
+			       isc_result_totext(sevent->result));
 			if (keep != NULL)
 				isc_socket_detach(&keep);
 			isc_socket_detach(&query->sock);
@@ -3644,11 +3609,9 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 			sizeof(buf1));
 			isc_sockaddr_format(&query->sockaddr, buf2,
 			sizeof(buf2));
-			dighost_warning("reply from unexpected source: %s,"
-					" expected %s\n", buf1, buf2);
-			if (!l->accept_reply_unexpected_src) {
-				match = false;
-			}
+			printf(";; reply from unexpected source: %s,"
+			" expected %s\n", buf1, buf2);
+			match = false;
 		}
 	}
 
@@ -3658,22 +3621,19 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 		if (l->tcp_mode) {
 			bool fail = true;
 			if (result == ISC_R_SUCCESS) {
-				if ((!query->first_soa_rcvd || query->warn_id))
-				{
-					dighost_warning("%s: ID mismatch: "
-							"expected ID %u, got "
-							"%u",
-							query->first_soa_rcvd ?
-							"WARNING" : "ERROR",
-							l->sendmsg->id, id);
-				}
+				if (!query->first_soa_rcvd ||
+				     query->warn_id)
+					printf(";; %s: ID mismatch: "
+					       "expected ID %u, got %u\n",
+					       query->first_soa_rcvd ?
+					       "WARNING" : "ERROR",
+					       l->sendmsg->id, id);
 				if (query->first_soa_rcvd)
 					fail = false;
 				query->warn_id = false;
-			} else {
-				dighost_warning("ERROR: short (< header size) "
-						"message");
-			}
+			} else
+				printf(";; ERROR: short "
+				       "(< header size) message\n");
 			if (fail) {
 				isc_event_free(&event);
 				clear_query(query);
@@ -3683,18 +3643,16 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 				return;
 			}
 			match = true;
-		} else if (result == ISC_R_SUCCESS) {
-			dighost_warning("Warning: ID mismatch: expected ID %u,"
-					" got %u", l->sendmsg->id, id);
-		} else {
-			dighost_warning("Warning: short (< header size) "
-					"message received");
-		}
+		} else if (result == ISC_R_SUCCESS)
+			printf(";; Warning: ID mismatch: "
+			       "expected ID %u, got %u\n", l->sendmsg->id, id);
+		else
+			printf(";; Warning: short "
+			       "(< header size) message received\n");
 	}
 
-	if (result == ISC_R_SUCCESS && (msgflags & DNS_MESSAGEFLAG_QR) == 0) {
-		dighost_warning("Warning: query response not set");
-	}
+	if (result == ISC_R_SUCCESS && (msgflags & DNS_MESSAGEFLAG_QR) == 0)
+		printf(";; Warning: query response not set\n");
 
 	if (!match)
 		goto udp_mismatch;
@@ -3728,16 +3686,13 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 	}
 	result = dns_message_parse(msg, &b, parseflags);
 	if (result == DNS_R_RECOVERABLE) {
-		dighost_warning("Warning: Message parser reports malformed "
-				"message packet.");
+		printf(";; Warning: Message parser reports malformed "
+		       "message packet.\n");
 		result = ISC_R_SUCCESS;
 	}
 	if (result != ISC_R_SUCCESS) {
-		if (!yaml) {
-			printf(";; Got bad packet: %s\n",
-			       isc_result_totext(result));
-			hex_dump(&b);
-		}
+		printf(";; Got bad packet: %s\n", isc_result_totext(result));
+		hex_dump(&b);
 		query->waiting_connect = false;
 		dns_message_destroy(&msg);
 		isc_event_free(&event);
@@ -3774,10 +3729,9 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 					dns_rdataclass_format(rdataset->rdclass,
 							      classbuf,
 							      sizeof(classbuf));
-					dighost_warning(";; Question section "
-							"mismatch: got "
-							"%s/%s/%s", namestr,
-							typebuf, classbuf);
+					printf(";; Question section mismatch: "
+					       "got %s/%s/%s\n",
+					       namestr, typebuf, classbuf);
 					match = false;
 				}
 			}
@@ -3800,8 +3754,9 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 		/*
 		 * Add minimum EDNS version required checks here if needed.
 		 */
-		dighost_comments(l, "BADVERS, retrying with EDNS version %u.",
-				 (unsigned int)newedns);
+		if (l->comments)
+			printf(";; BADVERS, retrying with EDNS version %u.\n",
+			       (unsigned int)newedns);
 		l->edns = newedns;
 		n = requeue_lookup(l, true);
 		if (l->trace && l->trace_root)
@@ -3818,7 +3773,8 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 	    !l->ignore && !l->tcp_mode) {
 		if (l->cookie == NULL && l->sendcookie && msg->opt != NULL)
 			process_opt(l, msg);
-		dighost_comments(l, "Truncated, retrying in TCP mode.");
+		if (l->comments)
+			printf(";; Truncated, retrying in TCP mode.\n");
 		n = requeue_lookup(l, true);
 		n->tcp_mode = true;
 		if (l->trace && l->trace_root)
@@ -3835,9 +3791,9 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 	    l->sendcookie && l->badcookie) {
 		process_opt(l, msg);
 		if (msg->cc_ok) {
-			dighost_comments(l, "BADCOOKIE, retrying%s.",
-					 l->seenbadcookie ?
-					 " in TCP mode" : "");
+			if (l->comments)
+				printf(";; BADCOOKIE, retrying%s.\n",
+				       l->seenbadcookie ? " in TCP mode" : "");
 			n = requeue_lookup(l, true);
 			if (l->seenbadcookie)
 				n->tcp_mode = true;
@@ -3874,12 +3830,13 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 		 */
 		if ((ISC_LIST_HEAD(l->q) != query) ||
 		    (ISC_LIST_NEXT(query, link) != NULL)) {
-			dighost_comments(l, "Got %s from %s, trying next "
-					 "server",
-					 msg->rcode == dns_rcode_servfail ?
-					 "SERVFAIL reply" :
-					 "recursion not available",
-					 query->servname);
+			if (l->comments)
+				printf(";; Got %s from %s, "
+				       "trying next server\n",
+				       msg->rcode == dns_rcode_servfail ?
+				       "SERVFAIL reply" :
+				       "recursion not available",
+				       query->servname);
 			clear_query(query);
 			check_next_lookup(l);
 			dns_message_destroy(&msg);
@@ -3892,8 +3849,8 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 	if (tsigkey != NULL) {
 		result = dns_tsig_verify(&b, msg, NULL, NULL);
 		if (result != ISC_R_SUCCESS) {
-			dighost_warning("Couldn't verify signature: %s",
-					isc_result_totext(result));
+			printf(";; Couldn't verify signature: %s\n",
+			       isc_result_totext(result));
 			validated = false;
 		}
 		l->tsigctx = msg->tsigctx;
@@ -3944,8 +3901,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 	if (!done_process_opt) {
 		if (l->cookie != NULL) {
 			if (msg->opt == NULL) {
-				dighost_warning("expected opt record in "
-						"response");
+				printf(";; expected opt record in response\n");
 			} else {
 				process_opt(l, msg);
 			}
@@ -3957,19 +3913,19 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 		if (msg->rcode == dns_rcode_nxdomain &&
 		    (l->origin != NULL || l->need_search)) {
 			if (!next_origin(query->lookup) || showsearch) {
-				dighost_printmessage(query, &b, msg, true);
+				dighost_printmessage(query, msg, true);
 				dighost_received(isc_buffer_usedlength(&b),
 						 &sevent->address, query);
 			}
 		} else if (!l->trace && !l->ns_search_only) {
-			dighost_printmessage(query, &b, msg, true);
+			dighost_printmessage(query, msg, true);
 		} else if (l->trace) {
 			int nl = 0;
 			int count = msg->counts[DNS_SECTION_ANSWER];
 
 			debug("in TRACE code");
 			if (!l->ns_search_only)
-				dighost_printmessage(query, &b, msg, true);
+				dighost_printmessage(query, msg, true);
 
 			l->rdtype = l->qrdtype;
 			if (l->trace_root || (l->ns_search_only && count > 0)) {
@@ -4000,7 +3956,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 				l->trace_root = false;
 				usesearch = false;
 			} else {
-				dighost_printmessage(query, &b, msg, true);
+				dighost_printmessage(query, msg, true);
 			}
 		}
 	}
@@ -4249,6 +4205,7 @@ destroy_libs(void) {
 	result = dns_name_settotextfilter(NULL);
 	check_result(result, "dns_name_settotextfilter");
 #endif /* HAVE_LIBIDN2 */
+	dns_name_destroy();
 
 	if (commctx != NULL) {
 		debug("freeing commctx");

bin/dig/host.1

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -269,5 +269,5 @@ runs\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2000-2002, 2004, 2005, 2007-2009, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000-2002, 2004, 2005, 2007-2009, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dig/host.c

@@ -11,6 +11,8 @@
 
 /*! \file */
 
+#include <config.h>
+
 #include <inttypes.h>
 #include <stdbool.h>
 #include <stdlib.h>
@@ -199,7 +201,8 @@ say_message(dns_name_t *name, const char *msg, dns_rdata_t *rdata,
 
 	dns_name_format(name, namestr, sizeof(namestr));
  retry:
-	isc_buffer_allocate(mctx, &b, bufsize);
+	result = isc_buffer_allocate(mctx, &b, bufsize);
+	check_result(result, "isc_buffer_allocate");
 	result = dns_rdata_totext(rdata, NULL, b);
 	if (result == ISC_R_NOSPACE) {
 		isc_buffer_free(&b);
@@ -393,22 +396,19 @@ chase_cnamechain(dns_message_t *msg, dns_name_t *qname) {
 		dns_rdataset_current(rdataset, &rdata);
 		result = dns_rdata_tostruct(&rdata, &cname, NULL);
 		check_result(result, "dns_rdata_tostruct");
-		dns_name_copynf(&cname.cname, qname);
+		dns_name_copy(&cname.cname, qname, NULL);
 		dns_rdata_freestruct(&cname);
 	}
 }
 
 static isc_result_t
-printmessage(dig_query_t *query, const isc_buffer_t *msgbuf,
-	     dns_message_t *msg, bool headers)
-{
+printmessage(dig_query_t *query, dns_message_t *msg, bool headers) {
 	bool did_flag = false;
 	dns_rdataset_t *opt, *tsig = NULL;
 	const dns_name_t *tsigname;
 	isc_result_t result = ISC_R_SUCCESS;
 	int force_error;
 
-	UNUSED(msgbuf);
 	UNUSED(headers);
 
 	/*
@@ -455,7 +455,7 @@ printmessage(dig_query_t *query, const isc_buffer_t *msgbuf,
 
 		/* Add AAAA and MX lookups. */
 		name = dns_fixedname_initname(&fixed);
-		dns_name_copynf(query->lookup->name, name);
+		dns_name_copy(query->lookup->name, name, NULL);
 		chase_cnamechain(msg, name);
 		dns_name_format(name, namestr, sizeof(namestr));
 		lookup = clone_lookup(query->lookup, false);

bin/dig/host.docbook

@@ -48,7 +48,6 @@
       <year>2017</year>
       <year>2018</year>
       <year>2019</year>
-      <year>2020</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>

bin/dig/host.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this

bin/dig/include/dig/dig.h

@@ -140,10 +140,7 @@ struct dig_lookup {
 		ttlunits,
 		idnin,
 		idnout,
-		expandaaaa,
-		qr,
-		accept_reply_unexpected_src;  /*%  print replies from unexpected
-						   sources. */
+		qr;
 	char textname[MXNAME]; /*% Name we're going to be looking up */
 	char cmdline[MXNAME];
 	dns_rdatatype_t rdtype;
@@ -252,7 +249,7 @@ extern dig_searchlistlist_t search_list;
 extern unsigned int extrabytes;
 
 extern bool check_ra, have_ipv4, have_ipv6, specified_source,
-	usesearch, showsearch, yaml;
+	usesearch, showsearch;
 extern in_port_t port;
 extern unsigned int timeout;
 extern isc_mem_t *mctx;
@@ -382,34 +379,13 @@ set_search_domain(char *domain);
  * then assigned to the appropriate function pointer
  */
 extern isc_result_t
-(*dighost_printmessage)(dig_query_t *query, const isc_buffer_t *msgbuf,
-			dns_message_t *msg, bool headers);
-
-/*
- * Print an error message in the appropriate format.
- */
-extern void
-(*dighost_error)(const char *format, ...);
-
-/*
- * Print a warning message in the appropriate format.
- */
-extern void
-(*dighost_warning)(const char *format, ...);
-
-/*
- * Print a comment in the appropriate format.
- */
-extern void
-(*dighost_comments)(dig_lookup_t *lookup, const char *format, ...);
-
+(*dighost_printmessage)(dig_query_t *query, dns_message_t *msg, bool headers);
 /*%<
  * Print the final result of the lookup.
  */
 
 extern void
-(*dighost_received)(unsigned int bytes, isc_sockaddr_t *from,
-		    dig_query_t *query);
+(*dighost_received)(unsigned int bytes, isc_sockaddr_t *from, dig_query_t *query);
 /*%<
  * Print a message about where and when the response
  * was received from, like the final comment in the

bin/dig/nslookup.1

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004-2007, 2010, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2007, 2010, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -301,5 +301,5 @@ runs or when the standard output is not a tty\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2004-2007, 2010, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004-2007, 2010, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dig/nslookup.c

@@ -9,6 +9,8 @@
  * information regarding copyright ownership.
  */
 
+#include <config.h>
+
 #include <inttypes.h>
 #include <stdbool.h>
 #include <stdlib.h>
@@ -221,7 +223,9 @@ printrdata(dns_rdata_t *rdata) {
 		printf("rdata_%d = ", rdata->type);
 
 	while (!done) {
-		isc_buffer_allocate(mctx, &b, size);
+		result = isc_buffer_allocate(mctx, &b, size);
+		if (result != ISC_R_SUCCESS)
+			check_result(result, "isc_buffer_allocate");
 		result = dns_rdata_totext(rdata, NULL, b);
 		if (result == ISC_R_SUCCESS) {
 			printf("%.*s\n", (int)isc_buffer_usedlength(b),
@@ -421,27 +425,22 @@ chase_cnamechain(dns_message_t *msg, dns_name_t *qname) {
 		dns_rdataset_current(rdataset, &rdata);
 		result = dns_rdata_tostruct(&rdata, &cname, NULL);
 		check_result(result, "dns_rdata_tostruct");
-		dns_name_copynf(&cname.cname, qname);
+		dns_name_copy(&cname.cname, qname, NULL);
 		dns_rdata_freestruct(&cname);
 	}
 }
 
 static isc_result_t
-printmessage(dig_query_t *query, const isc_buffer_t *msgbuf,
-	     dns_message_t *msg, bool headers)
-{
+printmessage(dig_query_t *query, dns_message_t *msg, bool headers) {
 	char servtext[ISC_SOCKADDR_FORMATSIZE];
 
-	UNUSED(msgbuf);
-
 	/* I've we've gotten this far, we've reached a server. */
 	query_error = 0;
 
 	debug("printmessage()");
 
 	if(!default_lookups || query->lookup->rdtype == dns_rdatatype_a) {
-		isc_sockaddr_format(&query->sockaddr, servtext,
-				    sizeof(servtext));
+		isc_sockaddr_format(&query->sockaddr, servtext, sizeof(servtext));
 		printf("Server:\t\t%s\n", query->userarg);
 		printf("Address:\t%s\n", servtext);
 
@@ -479,7 +478,7 @@ printmessage(dig_query_t *query, const isc_buffer_t *msgbuf,
 
 		/* Add AAAA lookup. */
 		name = dns_fixedname_initname(&fixed);
-		dns_name_copynf(query->lookup->name, name);
+		dns_name_copy(query->lookup->name, name, NULL);
 		chase_cnamechain(msg, name);
 		dns_name_format(name, namestr, sizeof(namestr));
 		lookup = clone_lookup(query->lookup, false);
@@ -853,6 +852,8 @@ get_next_command(void) {
 
 	fflush(stdout);
 	buf = isc_mem_allocate(mctx, COMMSIZE);
+	if (buf == NULL)
+		fatal("memory allocation failure");
 	isc_app_block();
 	if (interactive) {
 #ifdef HAVE_READLINE

bin/dig/nslookup.docbook

@@ -72,7 +72,6 @@
       <year>2017</year>
       <year>2018</year>
       <year>2019</year>
-      <year>2020</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
@@ -308,7 +307,7 @@ nslookup -query=hinfo  -timeout=10
                     The class specifies the protocol group of the information.
 
                   </para>
-                  <para>
+		  <para>
                     (Default = IN; abbreviation = cl)
                   </para>
                 </listitem>
@@ -318,10 +317,10 @@ nslookup -query=hinfo  -timeout=10
                 <term><constant><replaceable><optional>no</optional></replaceable>debug</constant></term>
                 <listitem>
                   <para>
-                    Turn on or off the display of the full response packet and
-                    any intermediate response packets when searching.
+		    Turn on or off the display of the full response packet and
+		    any intermediate response packets when searching.
                   </para>
-                  <para>
+		  <para>
                     (Default = nodebug; abbreviation = <optional>no</optional>deb)
                   </para>
                 </listitem>
@@ -332,9 +331,9 @@ nslookup -query=hinfo  -timeout=10
                 <listitem>
                   <para>
                     Turn debugging mode on or off.  This displays more about
-                    what nslookup is doing.
+	            what nslookup is doing.
                   </para>
-                  <para>
+		  <para>
                     (Default = nod2)
                   </para>
                 </listitem>
@@ -358,7 +357,7 @@ nslookup -query=hinfo  -timeout=10
                     names in the domain search list to the request until an
                     answer is received.
                   </para>
-                  <para>
+		  <para>
                     (Default = search)
                   </para>
                 </listitem>
@@ -370,7 +369,7 @@ nslookup -query=hinfo  -timeout=10
                   <para>
                     Change the default TCP/UDP name server port to <replaceable>value</replaceable>.
                   </para>
-                  <para>
+		  <para>
                     (Default = 53; abbreviation = po)
                   </para>
                 </listitem>
@@ -389,15 +388,9 @@ nslookup -query=hinfo  -timeout=10
                   <para>
                     Change the type of the information query.
                   </para>
-                  <para>
-                    (Default = A and then AAAA; abbreviations = q, ty)
+		  <para>
+                    (Default = A; abbreviations = q, ty)
                   </para>
-                    <para>
-                      <emphasis role="bold">Note:</emphasis> It is
-                      only possible to specify one query type, only
-                      the default behavior looks up both when an
-                      alternative is not specified.
-                    </para>
                 </listitem>
               </varlistentry>
 
@@ -409,7 +402,7 @@ nslookup -query=hinfo  -timeout=10
                     have the
                     information.
                   </para>
-                  <para>
+		  <para>
                     (Default = recurse; abbreviation = [no]rec)
                   </para>
                 </listitem>
@@ -419,9 +412,9 @@ nslookup -query=hinfo  -timeout=10
                 <term><constant>ndots=</constant><replaceable>number</replaceable></term>
                 <listitem>
                   <para>
-                    Set the number of dots (label separators) in a domain
-                    that will disable searching.  Absolute names always
-                    stop searching.
+		    Set the number of dots (label separators) in a domain
+		    that will disable searching.  Absolute names always
+		    stop searching.
                   </para>
                 </listitem>
               </varlistentry>
@@ -452,7 +445,7 @@ nslookup -query=hinfo  -timeout=10
                     Always use a virtual circuit when sending requests to the
                     server.
                   </para>
-                  <para>
+		  <para>
                     (Default = novc)
                   </para>
                 </listitem>
@@ -462,15 +455,15 @@ nslookup -query=hinfo  -timeout=10
                 <term><constant><replaceable><optional>no</optional></replaceable>fail</constant></term>
                 <listitem>
                   <para>
-                    Try the next nameserver if a nameserver responds with
-                    SERVFAIL or a referral (nofail) or terminate query
-                    (fail) on such a response.
-                  </para>
-                  <para>
+		    Try the next nameserver if a nameserver responds with
+		    SERVFAIL or a referral (nofail) or terminate query
+		    (fail) on such a response.
+		  </para>
+		  <para>
                     (Default = nofail)
                   </para>
-                </listitem>
-              </varlistentry>
+	        </listitem>
+	      </varlistentry>
 
             </variablelist>
           </para>

bin/dig/nslookup.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2004-2007, 2010, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007, 2010, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this

bin/dig/win32/dig.vcxproj.in

@@ -63,7 +63,6 @@
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <BrowseInformation>true</BrowseInformation>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\include;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@IDN_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
@@ -91,7 +90,6 @@
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\include;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@IDN_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>

bin/dig/win32/dig.vcxproj.user

@@ -1,3 +1,3 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 </Project>

bin/dig/win32/dighost.vcxproj.in

@@ -63,7 +63,6 @@
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <BrowseInformation>true</BrowseInformation>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@IDN_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;..\..\..\lib\irs\include;..\..\..\lib\irs\win32\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
@@ -89,7 +88,6 @@
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@IDN_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;..\..\..\lib\irs\include;..\..\..\lib\irs\win32\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>

bin/dig/win32/dighost.vcxproj.user

@@ -1,3 +1,3 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 </Project>

bin/dig/win32/host.vcxproj.in

@@ -63,7 +63,6 @@
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <BrowseInformation>true</BrowseInformation>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\include;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@IDN_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
@@ -91,7 +90,6 @@
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\include;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@IDN_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>

bin/dig/win32/host.vcxproj.user

@@ -1,3 +1,3 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 </Project>

bin/dig/win32/nslookup.vcxproj.in

@@ -63,7 +63,6 @@
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <BrowseInformation>true</BrowseInformation>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\include;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@READLINE_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\irs\include;..\..\..\lib\irs\win32\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
@@ -91,7 +90,6 @@
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\include;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@READLINE_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\irs\include;..\..\..\lib\irs\win32\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>

bin/dig/win32/nslookup.vcxproj.user

@@ -1,3 +1,3 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 </Project>

bin/dnssec/Makefile.in

@@ -15,26 +15,23 @@ VERSION=@BIND9_VERSION@
 
 @BIND9_MAKE_INCLUDES@
 
-CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
-		${OPENSSL_CFLAGS}
+CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES} @OPENSSL_INCLUDES@
 
-CDEFINES =	-DVERSION=\"${VERSION}\" -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
+CDEFINES =	-DVERSION=\"${VERSION}\"
 CWARNINGS =
 
 DNSLIBS =	../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
-ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
-ISCLIBS =	../../lib/isc/libisc.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS}
-ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS}
+ISCLIBS =	../../lib/isc/libisc.@A@ @OPENSSL_LIBS@
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LIBS@
 
 DNSDEPLIBS =	../../lib/dns/libdns.@A@
 ISCDEPLIBS =	../../lib/isc/libisc.@A@
-ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@
 
-DEPLIBS =	${DNSDEPLIBS} ${ISCCFGDEPLIBS} ${ISCDEPLIBS}
+DEPLIBS =	${DNSDEPLIBS} ${ISCDEPLIBS}
 
-LIBS =		${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
+LIBS =		${DNSLIBS} ${ISCLIBS} @LIBS@
 
-NOSYMLIBS =	${DNSLIBS} ${ISCCFGLIBS} ${ISCNOSYMLIBS} @LIBS@
+NOSYMLIBS =	${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@
 
 # Alphabetically
 TARGETS =	dnssec-cds@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \
@@ -50,7 +47,7 @@ SRCS =		dnssec-cds.c dnssec-dsfromkey.c dnssec-importkey.c \
 		dnssec-settime.c dnssec-signzone.c dnssec-verify.c \
 		dnssectool.c
 
-MANPAGES =	dnssec-cds.8 dnssec-dsfromkey.8 dnssec-importkey.8 \
+MANPAGES =	dnssec-cds.8 dnssec-dsfromkey.8  dnssec-importkey.8 \
 		dnssec-keyfromlabel.8 dnssec-keygen.8 dnssec-revoke.8 \
 		dnssec-settime.8 dnssec-signzone.8 dnssec-verify.8
 

bin/dnssec/dnssec-cds.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2017-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2017-2019 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -293,5 +293,5 @@ RFC 7344\&.
 .RE
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2017-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2017-2019 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dnssec/dnssec-cds.c

@@ -16,6 +16,8 @@
 
 /*! \file */
 
+#include <config.h>
+
 #include <errno.h>
 #include <inttypes.h>
 #include <stdbool.h>
@@ -59,7 +61,12 @@
 
 #include "dnssectool.h"
 
+#ifndef PATH_MAX
+#define PATH_MAX 1024   /* WIN32, and others don't define this. */
+#endif
+
 const char *program = "dnssec-cds";
+int verbose;
 
 /*
  * Infrastructure
@@ -75,6 +82,12 @@ static dns_fixedname_t fixed;
 static dns_name_t *name = NULL;
 static dns_rdataclass_t rdclass = dns_rdataclass_in;
 
+/*
+ * List of digest types used by ds_from_cdnskey(), filled in by add_dtype()
+ * from -a arguments. The size of the array is an arbitrary limit.
+ */
+static dns_dsdigest_t dtype[8];
+
 static const char *startstr  = NULL;	/* from which we derive notbefore */
 static isc_stdtime_t notbefore = 0;	/* restrict sig inception times */
 static dns_rdata_rrsig_t oldestsig;	/* for recording inception time */
@@ -370,8 +383,9 @@ formatset(dns_rdataset_t *rdataset) {
 					mctx);
 	check_result(result, "dns_master_stylecreate2 failed");
 
-	isc_buffer_allocate(mctx, &buf, MAX_CDS_RDATA_TEXT_SIZE);
-	result = dns_master_rdatasettotext(name, rdataset, style, NULL, buf);
+	result = isc_buffer_allocate(mctx, &buf, MAX_CDS_RDATA_TEXT_SIZE);
+	check_result(result, "printing DS records");
+	result = dns_master_rdatasettotext(name, rdataset, style, buf);
 
 	if ((result == ISC_R_SUCCESS) && isc_buffer_availablelength(buf) < 1) {
 		result = ISC_R_NOSPACE;
@@ -529,6 +543,9 @@ match_keyset_dsset(dns_rdataset_t *keyset, dns_rdataset_t *dsset,
 	nkey = dns_rdataset_count(keyset);
 
 	keytable = isc_mem_get(mctx, sizeof(keyinfo_t) * nkey);
+	if (keytable == NULL) {
+		fatal("out of memory");
+	}
 
 	for (result = dns_rdataset_first(keyset), i = 0;
 	     result == ISC_R_SUCCESS;
@@ -606,6 +623,10 @@ matching_sigs(keyinfo_t *keytbl, dns_rdataset_t *rdataset,
 	int i;
 
 	algo = isc_mem_get(mctx, nkey);
+	if (algo == NULL) {
+		fatal("allocating RRSIG/DNSKEY match list: %s",
+		      isc_result_totext(ISC_R_NOMEMORY));
+	}
 	memset(algo, 0, nkey);
 
 	for (result = dns_rdataset_first(sigset);
@@ -739,6 +760,10 @@ rdata_get(void) {
 	dns_rdata_t *rdata;
 
 	rdata = isc_mem_get(mctx, sizeof(*rdata));
+	if (rdata == NULL) {
+		fatal("allocating DS rdata: %s",
+		      isc_result_totext(ISC_R_NOMEMORY));
+	}
 	dns_rdata_init(rdata);
 
 	return (rdata);
@@ -813,6 +838,34 @@ ds_from_cdnskey(dns_rdatalist_t *dslist, isc_buffer_t *buf,
 	return (ISC_R_SUCCESS);
 }
 
+/*
+ * For sorting the digest types so that DS records generated
+ * from CDNSKEY records are in canonical order.
+ */
+static int
+cmp_dtype(const void *ap, const void *bp) {
+	int a = *(const dns_dsdigest_t *)ap;
+	int b = *(const dns_dsdigest_t *)bp;
+	return (a - b);
+}
+
+static void
+add_dtype(const char *dn) {
+	dns_dsdigest_t dt;
+	unsigned i, n;
+
+	dt = strtodsdigest(dn);
+	n = sizeof(dtype)/sizeof(dtype[0]);
+	for (i = 0; i < n; i++) {
+		if (dtype[i] == 0 || dtype[i] == dt) {
+			dtype[i] = dt;
+			qsort(dtype, i+1, 1, cmp_dtype);
+			return;
+		}
+	}
+	fatal("too many -a digest type arguments");
+}
+
 static void
 make_new_ds_set(ds_maker_func_t *ds_from_rdata,
 		uint32_t ttl, dns_rdataset_t *rdset)
@@ -823,6 +876,10 @@ make_new_ds_set(ds_maker_func_t *ds_from_rdata,
 		dns_rdatalist_t *dslist;
 
 		dslist = isc_mem_get(mctx, sizeof(*dslist));
+		if (dslist == NULL) {
+			fatal("allocating new DS list: %s",
+			      isc_result_totext(ISC_R_NOMEMORY));
+		}
 
 		dns_rdatalist_init(dslist);
 		dslist->rdclass = rdclass;
@@ -833,7 +890,8 @@ make_new_ds_set(ds_maker_func_t *ds_from_rdata,
 		result = dns_rdatalist_tordataset(dslist, &new_ds_set);
 		check_result(result, "dns_rdatalist_tordataset(dslist)");
 
-		isc_buffer_allocate(mctx, &new_ds_buf, size);
+		result = isc_buffer_allocate(mctx, &new_ds_buf, size);
+		check_result(result, "building new DS records");
 
 		for (result = dns_rdataset_first(rdset);
 		     result == ISC_R_SUCCESS;
@@ -890,6 +948,10 @@ consistent_digests(dns_rdataset_t *dsset) {
 	n = dns_rdataset_count(dsset);
 
 	arrdata = isc_mem_get(mctx, n * sizeof(dns_rdata_t));
+	if (arrdata == NULL) {
+		fatal("allocating DS rdata array: %s",
+		      isc_result_totext(ISC_R_NOMEMORY));
+	}
 
 	for (result = dns_rdataset_first(dsset), i = 0;
 	     result == ISC_R_SUCCESS;
@@ -905,6 +967,10 @@ consistent_digests(dns_rdataset_t *dsset) {
 	 * Convert sorted arrdata to more accessible format
 	 */
 	ds = isc_mem_get(mctx, n * sizeof(dns_rdata_ds_t));
+	if (ds == NULL) {
+		fatal("allocating unpacked DS array: %s",
+		      isc_result_totext(ISC_R_NOMEMORY));
+	}
 
 	for (i = 0; i < n; i++) {
 		result = dns_rdata_tostruct(&arrdata[i], &ds[i], NULL);
@@ -1072,7 +1138,10 @@ main(int argc, char *argv[]) {
 	int ch;
 	char *endp;
 
-	isc_mem_create(&mctx);
+	result = isc_mem_create(0, 0, &mctx);
+	if (result != ISC_R_SUCCESS) {
+		fatal("out of memory");
+	}
 
 #if USE_PKCS11
 	pk11_result_register();
@@ -1085,7 +1154,7 @@ main(int argc, char *argv[]) {
 	while ((ch = isc_commandline_parse(argc, argv, OPTIONS)) != -1) {
 		switch (ch) {
 		case 'a':
-			add_dtype(strtodsdigest(isc_commandline_argument));
+			add_dtype(isc_commandline_argument);
 			break;
 		case 'c':
 			rdclass = strtoclass(isc_commandline_argument);

bin/dnssec/dnssec-cds.docbook

@@ -41,7 +41,6 @@
       <year>2017</year>
       <year>2018</year>
       <year>2019</year>
-      <year>2020</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>

bin/dnssec/dnssec-cds.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2017-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2017-2019 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this

bin/dnssec/dnssec-dsfromkey.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2008-2012, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2008-2012, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,12 +10,12 @@
 .\"     Title: dnssec-dsfromkey
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\"      Date: 2019-05-08
+.\"      Date: 2012-05-02
 .\"    Manual: BIND9
 .\"    Source: ISC
 .\"  Language: English
 .\"
-.TH "DNSSEC\-DSFROMKEY" "8" "2019\-05\-08" "ISC" "BIND9"
+.TH "DNSSEC\-DSFROMKEY" "8" "2012\-05\-02" "ISC" "BIND9"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -50,9 +50,11 @@ dnssec-dsfromkey \- DNSSEC DS RR generation tool
 .PP
 The
 \fBdnssec\-dsfromkey\fR
-command outputs DS (Delegation Signer) resource records (RRs), or CDS (Child DS) RRs with the
+command outputs DS (Delegation Signer) resource records (RRs) and other similarly\-constructed RRs: with the
+\fB\-l\fR
+option it outputs DLV (DNSSEC Lookaside Validation) RRs; or with the
 \fB\-C\fR
-option\&.
+it outputs CDS (Child DS) RRs\&.
 .PP
 The input keys can be specified in a number of ways:
 .PP
@@ -81,13 +83,13 @@ file, as generated by
 \-1
 .RS 4
 An abbreviation for
-\fB\-a SHA\-1\fR\&. (Note: The SHA\-1 algorithm is no longer recommended for use when generating new DS and CDS records\&.)
+\fB\-a SHA1\fR
 .RE
 .PP
 \-2
 .RS 4
 An abbreviation for
-\fB\-a SHA\-256\fR\&.
+\fB\-a SHA\-256\fR
 .RE
 .PP
 \-a \fIalgorithm\fR
@@ -96,7 +98,7 @@ Specify a digest algorithm to use when converting DNSKEY records to DS records\&
 .sp
 The
 \fIalgorithm\fR
-must be one of SHA\-1, SHA\-256, or SHA\-384\&. These values are case insensitive, and the hyphen may be omitted\&. If no algorithm is specified, the default is SHA\-256\&. (Note: The SHA\-1 algorithm is no longer recommended for use when generating new DS and CDS records\&.)
+must be one of SHA\-1, SHA\-256, or SHA\-384\&. These values are case insensitive, and the hyphen may be omitted\&. If no algorithm is specified, the default is SHA\-256\&.
 .RE
 .PP
 \-A
@@ -117,7 +119,9 @@ zone file mode\&.
 .PP
 \-C
 .RS 4
-Generate CDS records rather than DS records\&.
+Generate CDS records rather than DS records\&. This is mutually exclusive with the
+\fB\-l\fR
+option for generating DLV records\&.
 .RE
 .PP
 \-f \fIfile\fR
@@ -152,6 +156,15 @@ files in
 \fBdirectory\fR\&.
 .RE
 .PP
+\-l \fIdomain\fR
+.RS 4
+Generate a DLV set instead of a DS set\&. The specified
+\fIdomain\fR
+is appended to the name for each record in the set\&. This is mutually exclusive with the
+\fB\-C\fR
+option for generating CDS records\&.
+.RE
+.PP
 \-s
 .RS 4
 Keyset mode:
@@ -211,6 +224,8 @@ A keyfile error can give a "file not found" even if the file exists\&.
 BIND 9 Administrator Reference Manual,
 RFC 3658
 (DS RRs),
+RFC 4431
+(DLV RRs),
 RFC 4509
 (SHA\-256 for DS RRs),
 RFC 6605
@@ -222,5 +237,5 @@ RFC 7344
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2008-2012, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2008-2012, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dnssec/dnssec-dsfromkey.c

@@ -11,6 +11,8 @@
 
 /*! \file */
 
+#include <config.h>
+
 #include <inttypes.h>
 #include <stdbool.h>
 #include <stdlib.h>
@@ -47,7 +49,12 @@
 
 #include "dnssectool.h"
 
+#ifndef PATH_MAX
+#define PATH_MAX 1024   /* WIN32, and others don't define this. */
+#endif
+
 const char *program = "dnssec-dsfromkey";
+int verbose;
 
 static dns_rdataclass_t rdclass;
 static dns_fixedname_t	fixed;
@@ -200,13 +207,16 @@ loadkey(char *filename, unsigned char *key_buf, unsigned int key_buf_size,
 	rdclass = dst_key_class(key);
 
 	name = dns_fixedname_initname(&fixed);
-	dns_name_copynf(dst_key_name(key), name);
+	result = dns_name_copy(dst_key_name(key), name, NULL);
+	if (result != ISC_R_SUCCESS)
+		fatal("can't copy name");
 
 	dst_key_free(&key);
 }
 
 static void
-logkey(dns_rdata_t *rdata) {
+logkey(dns_rdata_t *rdata)
+{
 	isc_result_t result;
 	dst_key_t    *key = NULL;
 	isc_buffer_t buf;
@@ -225,7 +235,9 @@ logkey(dns_rdata_t *rdata) {
 }
 
 static void
-emit(dns_dsdigest_t dt, bool showall, bool cds, dns_rdata_t *rdata) {
+emit(dns_dsdigest_t dtype, bool showall, char *lookaside,
+     bool cds, dns_rdata_t *rdata)
+{
 	isc_result_t result;
 	unsigned char buf[DNS_DS_BUFFERSIZE];
 	char text_buf[DST_KEY_MAXTEXTSIZE];
@@ -249,7 +261,7 @@ emit(dns_dsdigest_t dt, bool showall, bool cds, dns_rdata_t *rdata) {
 	if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0 && !showall)
 		return;
 
-	result = dns_ds_buildrdata(name, rdata, dt, buf, &ds);
+	result = dns_ds_buildrdata(name, rdata, dtype, buf, &ds);
 	if (result != ISC_R_SUCCESS)
 		fatal("can't build record");
 
@@ -257,6 +269,18 @@ emit(dns_dsdigest_t dt, bool showall, bool cds, dns_rdata_t *rdata) {
 	if (result != ISC_R_SUCCESS)
 		fatal("can't print name");
 
+	/* Add lookaside origin, if set */
+	if (lookaside != NULL) {
+		if (isc_buffer_availablelength(&nameb) < strlen(lookaside))
+			fatal("DLV origin '%s' is too long", lookaside);
+		isc_buffer_putstr(&nameb, lookaside);
+		if (lookaside[strlen(lookaside) - 1] != '.') {
+			if (isc_buffer_availablelength(&nameb) < 1)
+				fatal("DLV origin '%s' is too long", lookaside);
+			isc_buffer_putstr(&nameb, ".");
+		}
+	}
+
 	result = dns_rdata_tofmttext(&ds, (dns_name_t *) NULL, 0, 0, 0, "",
 				     &textb);
 
@@ -276,28 +300,18 @@ emit(dns_dsdigest_t dt, bool showall, bool cds, dns_rdata_t *rdata) {
 	isc_buffer_usedregion(&classb, &r);
 	printf("%.*s", (int)r.length, r.base);
 
-	if (cds) {
-		printf(" CDS ");
-	} else {
-		printf(" DS ");
-	}
+	if (lookaside == NULL) {
+		if (cds)
+			printf(" CDS ");
+		else
+			printf(" DS ");
+	} else
+		printf(" DLV ");
 
 	isc_buffer_usedregion(&textb, &r);
 	printf("%.*s\n", (int)r.length, r.base);
 }
 
-static void
-emits(bool showall, bool cds, dns_rdata_t *rdata) {
-	unsigned i, n;
-
-	n = sizeof(dtype)/sizeof(dtype[0]);
-	for (i = 0; i < n; i++) {
-		if (dtype[i] != 0) {
-			emit(dtype[i], showall, cds, rdata);
-		}
-	}
-}
-
 ISC_PLATFORM_NORETURN_PRE static void
 usage(void) ISC_PLATFORM_NORETURN_POST;
 
@@ -319,11 +333,12 @@ usage(void) {
 "    -f zonefile: read keys from a zone file\n"
 "    -h: print help information\n"
 "    -K directory: where to find key or keyset files\n"
+"    -l zone: print DLV records in the given lookaside zone\n"
 "    -s: read keys from keyset-<dnsname> file\n"
 "    -T: TTL of output records (omitted by default)\n"
 "    -v level: verbosity\n"
 "    -V: print version information\n");
-	fprintf(stderr, "Output: DS or CDS RRs\n");
+	fprintf(stderr, "Output: DS, DLV, or CDS RRs\n");
 
 	exit (-1);
 }
@@ -332,11 +347,14 @@ int
 main(int argc, char **argv) {
 	char		*classname = NULL;
 	char		*filename = NULL, *dir = NULL, *namestr;
-	char		*endp, *arg1;
+	char		*lookaside = NULL;
+	char		*endp;
 	int		ch;
-	bool		cds = false;
-	bool		usekeyset = false;
-	bool		showall = false;
+	dns_dsdigest_t	dtype = DNS_DSDIGEST_SHA1;
+	bool	cds = false;
+	bool	both = true;
+	bool	usekeyset = false;
+	bool	showall = false;
 	isc_result_t	result;
 	isc_log_t	*log = NULL;
 	dns_rdataset_t	rdataset;
@@ -348,7 +366,10 @@ main(int argc, char **argv) {
 		usage();
 	}
 
-	isc_mem_create(&mctx);
+	result = isc_mem_create(0, 0, &mctx);
+	if (result != ISC_R_SUCCESS) {
+		fatal("out of memory");
+	}
 
 #if USE_PKCS11
 	pk11_result_register();
@@ -361,18 +382,25 @@ main(int argc, char **argv) {
 	while ((ch = isc_commandline_parse(argc, argv, OPTIONS)) != -1) {
 		switch (ch) {
 		case '1':
-			add_dtype(DNS_DSDIGEST_SHA1);
+			dtype = DNS_DSDIGEST_SHA1;
+			both = false;
 			break;
 		case '2':
-			add_dtype(DNS_DSDIGEST_SHA256);
+			dtype = DNS_DSDIGEST_SHA256;
+			both = false;
 			break;
 		case 'A':
 			showall = true;
 			break;
 		case 'a':
-			add_dtype(strtodsdigest(isc_commandline_argument));
+			dtype = strtodsdigest(isc_commandline_argument);
+			both = false;
 			break;
 		case 'C':
+			if (lookaside != NULL) {
+				fatal("lookaside and CDS are mutually"
+				      " exclusive");
+			}
 			cds = true;
 			break;
 		case 'c':
@@ -384,14 +412,21 @@ main(int argc, char **argv) {
 			/* fall through */
 		case 'K':
 			dir = isc_commandline_argument;
-			if (strlen(dir) == 0U)
+			if (strlen(dir) == 0U) {
 				fatal("directory must be non-empty string");
+			}
 			break;
 		case 'f':
 			filename = isc_commandline_argument;
 			break;
 		case 'l':
-			fatal("-l option (DLV lookaside) is obsolete");
+			if (cds) {
+				fatal("lookaside and CDS are mutually"
+				      " exclusive");
+			}
+			lookaside = isc_commandline_argument;
+			if (strlen(lookaside) == 0U)
+				fatal("lookaside must be a non-empty string");
 			break;
 		case 's':
 			usekeyset = true;
@@ -402,16 +437,18 @@ main(int argc, char **argv) {
 			break;
 		case 'v':
 			verbose = strtol(isc_commandline_argument, &endp, 0);
-			if (*endp != '\0')
+			if (*endp != '\0') {
 				fatal("-v must be followed by a number");
+			}
 			break;
 		case 'F':
 			/* Reserved for FIPS mode */
 			/* FALLTHROUGH */
 		case '?':
-			if (isc_commandline_option != '?')
+			if (isc_commandline_option != '?') {
 				fprintf(stderr, "%s: invalid argument -%c\n",
 					program, isc_commandline_option);
+			}
 			/* FALLTHROUGH */
 		case 'h':
 			/* Does not return. */
@@ -439,20 +476,10 @@ main(int argc, char **argv) {
 		showall = true;
 	}
 
-	/* Default digest type if none specified. */
-	if (dtype[0] == 0) {
-		dtype[0] = DNS_DSDIGEST_SHA256;
-	}
-
-	/*
-	 * Use local variable arg1 so that clang can correctly analyse
-	 * reachable paths rather than 'argc < isc_commandline_index + 1'.
-	 */
-	arg1 = argv[isc_commandline_index];
-	if (arg1 == NULL && filename == NULL) {
+	if (argc < isc_commandline_index + 1 && filename == NULL) {
 		fatal("the key file name was not specified");
 	}
-	if (arg1 != NULL && argv[isc_commandline_index + 1] != NULL) {
+	if (argc > isc_commandline_index + 1) {
 		fatal("extraneous arguments");
 	}
 
@@ -467,11 +494,11 @@ main(int argc, char **argv) {
 	dns_rdataset_init(&rdataset);
 
 	if (usekeyset || filename != NULL) {
-		if (arg1 == NULL) {
-			/* using file name as the zone name */
+		if (argc < isc_commandline_index + 1) {
+			/* using zone name as the zone file name */
 			namestr = filename;
 		} else {
-			namestr = arg1;
+			namestr = argv[isc_commandline_index];
 		}
 
 		result = initname(namestr);
@@ -493,8 +520,7 @@ main(int argc, char **argv) {
 
 		for (result = dns_rdataset_first(&rdataset);
 		     result == ISC_R_SUCCESS;
-		     result = dns_rdataset_next(&rdataset))
-		{
+		     result = dns_rdataset_next(&rdataset)) {
 			dns_rdata_init(&rdata);
 			dns_rdataset_current(&rdataset, &rdata);
 
@@ -502,21 +528,36 @@ main(int argc, char **argv) {
 				logkey(&rdata);
 			}
 
-			emits(showall, cds, &rdata);
+			if (both) {
+				emit(DNS_DSDIGEST_SHA1, showall, lookaside,
+				     cds, &rdata);
+				emit(DNS_DSDIGEST_SHA256, showall, lookaside,
+				     cds, &rdata);
+			} else {
+				emit(dtype, showall, lookaside, cds, &rdata);
+			}
 		}
 	} else {
 		unsigned char key_buf[DST_KEY_MAXSIZE];
 
-		loadkey(arg1, key_buf, DST_KEY_MAXSIZE, &rdata);
+		loadkey(argv[isc_commandline_index], key_buf,
+			DST_KEY_MAXSIZE, &rdata);
 
-		emits(showall, cds, &rdata);
+		if (both) {
+			emit(DNS_DSDIGEST_SHA1, showall, lookaside, cds,
+			     &rdata);
+			emit(DNS_DSDIGEST_SHA256, showall, lookaside, cds,
+			     &rdata);
+		} else {
+			emit(dtype, showall, lookaside, cds, &rdata);
+		}
 	}
 
-	if (dns_rdataset_isassociated(&rdataset)) {
+	if (dns_rdataset_isassociated(&rdataset))
 		dns_rdataset_disassociate(&rdataset);
-	}
 	cleanup_logging(&log);
 	dst_lib_destroy();
+	dns_name_destroy();
 	if (verbose > 10) {
 		isc_mem_stats(mctx, stdout);
 	}

bin/dnssec/dnssec-dsfromkey.docbook

@@ -12,7 +12,7 @@
 <!-- Converted by db4-upgrade version 1.0 -->
 <refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-dsfromkey">
   <info>
-    <date>2019-05-08</date>
+    <date>2012-05-02</date>
   </info>
   <refentryinfo>
     <corpname>ISC</corpname>
@@ -42,7 +42,6 @@
       <year>2016</year>
       <year>2018</year>
       <year>2019</year>
-      <year>2020</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
@@ -113,8 +112,10 @@
 
     <para>
       The <command>dnssec-dsfromkey</command> command outputs DS (Delegation
-      Signer) resource records (RRs), or CDS (Child DS) RRs with the
-      <option>-C</option> option.
+      Signer) resource records (RRs) and other similarly-constructed RRs:
+      with the <option>-l</option> option it outputs DLV (DNSSEC Lookaside
+      Validation) RRs; or with the <option>-C</option> it outputs CDS (Child
+      DS) RRs.
     </para>
 
     <para>
@@ -149,9 +150,7 @@
 	<term>-1</term>
 	<listitem>
 	  <para>
-	    An abbreviation for <option>-a SHA-1</option>.
-	    (Note: The SHA-1 algorithm is no longer recommended for use
-	    when generating new DS and CDS records.)
+	    An abbreviation for <option>-a SHA1</option>
 	  </para>
 	</listitem>
       </varlistentry>
@@ -160,7 +159,7 @@
 	<term>-2</term>
 	<listitem>
 	  <para>
-	    An abbreviation for <option>-a SHA-256</option>.
+	    An abbreviation for <option>-a SHA-256</option>
 	  </para>
 	</listitem>
       </varlistentry>
@@ -179,8 +178,6 @@
 	    SHA-1, SHA-256, or SHA-384.  These values are case insensitive,
 	    and the hyphen may be omitted.  If no algorithm is specified,
 	    the default is SHA-256.
-	    (Note: The SHA-1 algorithm is no longer recommended for use
-	    when generating new DS and CDS records.)
 	  </para>
 	</listitem>
       </varlistentry>
@@ -211,7 +208,9 @@
 	<term>-C</term>
 	<listitem>
 	  <para>
-	    Generate CDS records rather than DS records.
+	    Generate CDS records rather than DS records. This is mutually
+	    exclusive with the <option>-l</option> option for generating DLV
+	    records.
 	  </para>
 	</listitem>
       </varlistentry>
@@ -257,6 +256,19 @@
 	</listitem>
       </varlistentry>
 
+      <varlistentry>
+	<term>-l <replaceable class="parameter">domain</replaceable></term>
+	<listitem>
+	  <para>
+	    Generate a DLV set instead of a DS set. The specified
+	    <replaceable>domain</replaceable> is appended to the name for each
+	    record in the set.
+	    This is mutually exclusive with the <option>-C</option> option
+	    for generating CDS records.
+	  </para>
+	</listitem>
+      </varlistentry>
+
       <varlistentry>
 	<term>-s</term>
 	<listitem>
@@ -346,6 +358,7 @@
       </citerefentry>,
       <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
       <citetitle>RFC 3658</citetitle> (DS RRs),
+      <citetitle>RFC 4431</citetitle> (DLV RRs),
       <citetitle>RFC 4509</citetitle> (SHA-256 for DS RRs),
       <citetitle>RFC 6605</citetitle> (SHA-384 for DS RRs),
       <citetitle>RFC 7344</citetitle> (CDS and CDNSKEY RRs).

bin/dnssec/dnssec-dsfromkey.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2008-2012, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2008-2012, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -97,8 +97,10 @@
 
     <p>
       The <span class="command"><strong>dnssec-dsfromkey</strong></span> command outputs DS (Delegation
-      Signer) resource records (RRs), or CDS (Child DS) RRs with the
-      <code class="option">-C</code> option.
+      Signer) resource records (RRs) and other similarly-constructed RRs:
+      with the <code class="option">-l</code> option it outputs DLV (DNSSEC Lookaside
+      Validation) RRs; or with the <code class="option">-C</code> it outputs CDS (Child
+      DS) RRs.
     </p>
 
     <p>
@@ -133,15 +135,13 @@
 <dt><span class="term">-1</span></dt>
 <dd>
 	  <p>
-	    An abbreviation for <code class="option">-a SHA-1</code>.
-	    (Note: The SHA-1 algorithm is no longer recommended for use
-	    when generating new DS and CDS records.)
+	    An abbreviation for <code class="option">-a SHA1</code>
 	  </p>
 	</dd>
 <dt><span class="term">-2</span></dt>
 <dd>
 	  <p>
-	    An abbreviation for <code class="option">-a SHA-256</code>.
+	    An abbreviation for <code class="option">-a SHA-256</code>
 	  </p>
 	</dd>
 <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
@@ -157,8 +157,6 @@
 	    SHA-1, SHA-256, or SHA-384.  These values are case insensitive,
 	    and the hyphen may be omitted.  If no algorithm is specified,
 	    the default is SHA-256.
-	    (Note: The SHA-1 algorithm is no longer recommended for use
-	    when generating new DS and CDS records.)
 	  </p>
 	</dd>
 <dt><span class="term">-A</span></dt>
@@ -180,7 +178,9 @@
 <dt><span class="term">-C</span></dt>
 <dd>
 	  <p>
-	    Generate CDS records rather than DS records.
+	    Generate CDS records rather than DS records. This is mutually
+	    exclusive with the <code class="option">-l</code> option for generating DLV
+	    records.
 	  </p>
 	</dd>
 <dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
@@ -215,6 +215,16 @@
 	    <code class="option">directory</code>.
 	  </p>
 	</dd>
+<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
+<dd>
+	  <p>
+	    Generate a DLV set instead of a DS set. The specified
+	    <em class="replaceable"><code>domain</code></em> is appended to the name for each
+	    record in the set.
+	    This is mutually exclusive with the <code class="option">-C</code> option
+	    for generating CDS records.
+	  </p>
+	</dd>
 <dt><span class="term">-s</span></dt>
 <dd>
 	  <p>
@@ -297,6 +307,7 @@
       </span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 3658</em> (DS RRs),
+      <em class="citetitle">RFC 4431</em> (DLV RRs),
       <em class="citetitle">RFC 4509</em> (SHA-256 for DS RRs),
       <em class="citetitle">RFC 6605</em> (SHA-384 for DS RRs),
       <em class="citetitle">RFC 7344</em> (CDS and CDNSKEY RRs).

bin/dnssec/dnssec-importkey.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2013-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2013-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -134,5 +134,5 @@ RFC 5011\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2013-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2013-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dnssec/dnssec-importkey.c

@@ -11,6 +11,8 @@
 
 /*! \file */
 
+#include <config.h>
+
 #include <stdbool.h>
 #include <stdlib.h>
 
@@ -46,7 +48,12 @@
 
 #include "dnssectool.h"
 
+#ifndef PATH_MAX
+#define PATH_MAX 1024   /* WIN32, and others don't define this. */
+#endif
+
 const char *program = "dnssec-importkey";
+int verbose;
 
 static dns_rdataclass_t rdclass;
 static dns_fixedname_t	fixed;
@@ -174,7 +181,9 @@ loadkey(char *filename, unsigned char *key_buf, unsigned int key_buf_size,
 	rdclass = dst_key_class(key);
 
 	name = dns_fixedname_initname(&fixed);
-	dns_name_copynf(dst_key_name(key), name);
+	result = dns_name_copy(dst_key_name(key), name, NULL);
+	if (result != ISC_R_SUCCESS)
+		fatal("can't copy name");
 
 	dst_key_free(&key);
 }
@@ -298,7 +307,9 @@ main(int argc, char **argv) {
 	if (argc == 1)
 		usage();
 
-	isc_mem_create(&mctx);
+	result = isc_mem_create(0, 0, &mctx);
+	if (result != ISC_R_SUCCESS)
+		fatal("out of memory");
 
 #if USE_PKCS11
 	pk11_result_register();
@@ -439,6 +450,7 @@ main(int argc, char **argv) {
 		dns_rdataset_disassociate(&rdataset);
 	cleanup_logging(&log);
 	dst_lib_destroy();
+	dns_name_destroy();
 	if (verbose > 10)
 		isc_mem_stats(mctx, stdout);
 	isc_mem_destroy(&mctx);

bin/dnssec/dnssec-importkey.docbook

@@ -39,7 +39,6 @@
       <year>2016</year>
       <year>2018</year>
       <year>2019</year>
-      <year>2020</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>

bin/dnssec/dnssec-importkey.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2013-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2013-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this

bin/dnssec/dnssec-keyfromlabel.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2008-2012, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2008-2012, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -307,5 +307,5 @@ The PKCS#11 URI Scheme (draft\-pechanec\-pkcs11uri\-13)\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2008-2012, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2008-2012, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dnssec/dnssec-keyfromlabel.c

@@ -11,6 +11,8 @@
 
 /*! \file */
 
+#include <config.h>
+
 #include <ctype.h>
 #include <inttypes.h>
 #include <stdbool.h>
@@ -46,6 +48,7 @@
 #define MAX_RSA 4096 /* should be long enough... */
 
 const char *program = "dnssec-keyfromlabel";
+int verbose;
 
 ISC_PLATFORM_NORETURN_PRE static void
 usage(void) ISC_PLATFORM_NORETURN_POST;
@@ -163,7 +166,7 @@ main(int argc, char **argv) {
 	if (argc == 1)
 		usage();
 
-	isc_mem_create(&mctx);
+	RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
 
 #if USE_PKCS11
 	pk11_result_register();
@@ -368,6 +371,8 @@ main(int argc, char **argv) {
 
 			len = strlen(label) + 8;
 			l = isc_mem_allocate(mctx, len);
+			if (l == NULL)
+				fatal("cannot allocate memory");
 			snprintf(l, len, "pkcs11:%s", label);
 			isc_mem_free(mctx, label);
 			label = l;
@@ -694,6 +699,7 @@ main(int argc, char **argv) {
 
 	cleanup_logging(&log);
 	dst_lib_destroy();
+	dns_name_destroy();
 	if (verbose > 10)
 		isc_mem_stats(mctx, stdout);
 	isc_mem_free(mctx, label);