win32/socket should use common isc_socket

.dir-locals.el

@@ -1,114 +0,0 @@
-;;; Directory Local Variables
-;;; For more information see (info "(emacs) Directory Variables")
-
-((c-mode .
-  ((eval .
-	 (set (make-local-variable 'directory-of-current-dir-locals-file)
-	      (file-name-directory (locate-dominating-file default-directory ".dir-locals.el"))
-	      )
-	 )
-   (eval .
-	 (set (make-local-variable 'include-directories)
-	      (list
-
-	       ;; top directory
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "./"))
-
-	       ;; libisc
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/isc/unix/include"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/isc/pthreads/include"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/isc/include"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/isc"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/isc/netmgr"))
-
-	       ;; libdns
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/dns/include"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/dns"))
-
-	       ;; libisccc
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/isccc/include"))
-
-	       ;; libisccfg
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/isccfg/include"))
-
-	       ;; libns
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/ns/include"))
-
-	       ;; libirs
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/irs/include"))
-
-	       ;; libbind9
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "lib/bind9/include"))
-
-	       ;; bin
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "bin/check"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "bin/confgen/include"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "bin/confgen"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "bin/confgen/include"))	       
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "bin/dig/include"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "bin/named/include"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "bin/named/unix/include"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "bin/rndc/include"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "bin/dnssec/include"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "bin/named/include"))
-	       (expand-file-name
-		(concat directory-of-current-dir-locals-file "bin/rndc/include"))
-
-	       (expand-file-name "/usr/local/opt/openssl@1.1/include")
-	       (expand-file-name "/usr/local/opt/libxml2/include/libxml2")
-	       (expand-file-name "/usr/local/opt/json-c/include/json-c/")
-	       (expand-file-name "/usr/local/include")
-	       )
-	      )
-	 )
-
-   (eval setq flycheck-clang-include-path include-directories)
-   (eval setq flycheck-cppcheck-include-path include-directories)
-   (eval setq flycheck-gcc-include-path include-directories)
-   (eval setq flycheck-clang-args
-	 (list
-	  "-include"
-	  (expand-file-name
-	   (concat directory-of-current-dir-locals-file "config.h"))
-	  )
-	 )
-   (eval setq flycheck-gcc-args
-	 (list
-	  "-include"
-	  (expand-file-name
-	   (concat directory-of-current-dir-locals-file "config.h"))
-	  )
-	 )
-   (eval setq flycheck-cppcheck-args
-	 (list
-	  "--enable=all"
-	  "--suppress=missingIncludeSystem"
-	  (concat "-include=" (expand-file-name
-			       (concat directory-of-current-dir-locals-file "config.h")))
-	  )
-	 )
-   )
-  ))

.gitattributes

@@ -1,10 +1,3 @@
 *.sln.in eol=crlf
-*.vcxproj.* eol=crlf
-
-.gitignore			 export-ignore
-/conftools			 export-ignore
-/doc/design			 export-ignore
-/doc/dev			 export-ignore
-/util/**			 export-ignore
-/util/bindkeys.pl		-export-ignore
-/util/mksymtbl.pl		-export-ignore
+*.vcxproj.in eol=crlf
+*.vcxproj.filters.in eol=crlf

.gitignore

@@ -1,63 +1,64 @@
-*-symtbl.c
-*.a
-*.gcda
-*.gcno
-*.la
-*.lo
-*.o
-*.orig
-*.plist/ # ccc-analyzer store its results in .plist directories
+Makefile
+config.log
+config.h
+config.cache
+config.status
+libtool
+/isc-config.sh
+/configure.lineno
+autom4te.cache/
 *.rej
+*.orig
+*.o
+*.lo
 *.so
+*.a
+*.la
+*.gcno
+*.gcda
 *_test
-*.ipch # vscode/intellisense precompiled header
-*~
+*-symtbl.c
+timestamp
+ans.run
+named.run
+named.memstats
+gen.dSYM/
 .ccache/
-.cproject
 .deps/
 .dirstamp
 .libs/
+unit/atf-src/atf-c++/atf-c++.pc
+unit/atf-src/atf-c/atf-c.pc
+unit/atf-src/atf-c/defs.h
+unit/atf-src/atf-c/detail/process_helpers
+unit/atf-src/atf-config/atf-config
+unit/atf-src/atf-report/atf-report
+unit/atf-src/atf-report/fail_helper
+unit/atf-src/atf-report/misc_helpers
+unit/atf-src/atf-report/pass_helper
+unit/atf-src/atf-run/atf-run
+unit/atf-src/atf-run/bad_metadata_helper
+unit/atf-src/atf-run/expect_helpers
+unit/atf-src/atf-run/misc_helpers
+unit/atf-src/atf-run/pass_helper
+unit/atf-src/atf-run/several_tcs_helper
+unit/atf-src/atf-run/zero_tcs_helper
+unit/atf-src/atf-sh/atf-check
+unit/atf-src/atf-sh/atf-sh
+unit/atf-src/atf-sh/misc_helpers
+unit/atf-src/atf-version/atf-version
+unit/atf-src/atf-version/revision.h
+unit/atf-src/atf-version/revision.h.stamp
+unit/atf-src/bconfig.h
+unit/atf-src/bootstrap/atconfig
+unit/atf-src/doc/atf.7
+unit/atf-src/stamp-h1
+unit/atf-src/test-programs/c_helpers
+unit/atf-src/test-programs/cpp_helpers
+unit/atf-src/test-programs/sh_helpers
+# ccc-analyzer store its results in .plist directories
+*.plist/
+*~
 .project
+.cproject
 .settings
-/aclocal.m4
-/ar-lib
-/autom4te.cache/
-/bind.keys.h
-/compile
-/config.cache
-/config.guess
-/config.h
-/config.h.in
-/config.log
-/config.status
-/config.sub
-/configure
-/configure.lineno
-/depcomp
-/install-sh
-/isc-config.sh
-/libltdl/*
-/libtool
-/ltmain.sh
-/m4/libtool.m4
-/m4/ltargz.m4
-/m4/ltdl.m4
-/m4/ltoptions.m4
-/m4/ltsugar.m4
-/m4/ltversion.m4
-/m4/lt~obsolete.m4
-/missing
-/py-compile
-/stamp-h1
-/test-driver
-Makefile
-ans.run
-gen.dSYM/
-kyua.log
-named.memstats
-named.run
-timestamp
-/compile_commands.json
-/cppcheck_html/
-/cppcheck.results
-/tsan

.gitlab/issue_templates/Release.md

@@ -1,65 +0,0 @@
-## Release Schedule
-
-**Tagging Deadline:**
-
-**Public Release:**
-
-## Release Checklist
-
-## 2 Working Days Before the Tagging Deadline
-
- - [ ] ***(QA)*** Check whether all issues assigned to the release milestone are resolved[^1].
- - [ ] ***(QA)*** Ensure that there are no outstanding merge requests in the private repository[^1] (Subscription Edition only).
- - [ ] ***(QA)*** Ensure all merge requests marked for backporting have been indeed backported.
-
-## Before the Tagging Deadline
-
- - [ ] ***(QA)*** Inform Support/Marketing of impending release (and give estimated release dates).
- - [ ] ***(QA)*** Check Perflab to ensure there has been no unexplained drop in performance for the versions being released.
- - [ ] ***(SwEng)*** Update API files for libraries with new version information.
- - [ ] ***(SwEng)*** Change software version and library versions in `configure.ac` (new major release only).
- - [ ] ***(SwEng)*** Rebuild `configure` using Autoconf on `docs.isc.org`.
- - [ ] ***(SwEng)*** Update `CHANGES`.
- - [ ] ***(SwEng)*** Update `CHANGES.SE` (Subscription Edition only).
- - [ ] ***(SwEng)*** Update `README.md`.
- - [ ] ***(SwEng)*** Update `version`.
- - [ ] ***(SwEng)*** Build documentation on `docs.isc.org`.
- - [ ] ***(QA)*** Check that all the above steps were performed correctly.
- - [ ] ***(QA)*** Check that the contents of release notes match the merge requests comprising the releases.
- - [ ] ***(QA)*** Check that the formatting is correct for text, PDF, and HTML versions of release notes.
- - [ ] ***(SwEng)*** Tag the releases[^2].  (Tags may only be pushed to the public repository for releases which are *not* security releases.)
- - [ ] ***(SwEng)*** If this is the first tag for a release (e.g. beta), create a release branch named `release_v9_X_Y` to allow development to continue on the maintenance branch whilst release engineering continues.
-
-## Before the ASN Deadline (for ASN Releases) or the Public Release Date (for Regular Releases)
-
- - [ ] ***(QA)*** Verify GitLab CI results for the tags created and prepare a QA report for the releases to be published.
- - [ ] ***(QA)*** Request signatures for the tarballs, providing their location and checksums.
- - [ ] ***(Signers)*** Validate tarball checksums, sign tarballs, and upload signatures.
- - [ ] ***(QA)*** Verify tarball signatures and check tarball checksums again.
- - [ ] ***(Support)*** Pre-publish ASN and/or Subscription Edition tarballs so that packages can be built.
- - [ ] ***(QA)*** Build and test ASN and/or Subscription Edition packages.
- - [ ] ***(QA)*** Notify Support that the releases have been prepared.
- - [ ] ***(Support)*** Send out ASNs (if applicable).
-
-## On the Day of Public Release
-
- - [ ] ***(Support)*** Wait for clearance from Security Officer to proceed with the public release (if applicable).
- - [ ] ***(Support)*** Place tarballs in public location on FTP site.
- - [ ] ***(Support)*** Publish links to downloads on ISC website.
- - [ ] ***(Support)*** Write release email to *bind-announce*.
- - [ ] ***(Support)*** Write email to *bind-users* (if a major release).
- - [ ] ***(Support)*** Update tickets in case of waiting support customers.
- - [ ] ***(QA)*** Build and test any outstanding private packages.
- - [ ] ***(QA)*** Build public packages (`*.deb`, RPMs).
- - [ ] ***(QA)*** Inform Marketing of the release.
- - [ ] ***(QA)*** Update the internal [BIND release dates wiki page](https://wiki.isc.org/bin/view/Main/BindReleaseDates) when public announcement has been made.
- - [ ] ***(Marketing)*** Post short note to Twitter.
- - [ ] ***(Marketing)*** Update [Wikipedia entry for BIND](https://en.wikipedia.org/wiki/BIND).
- - [ ] ***(Marketing)*** Write blog article (if a major release).
- - [ ] ***(QA)*** Ensure all new tags are annotated and signed.
- - [ ] ***(SwEng)*** Push tags for the published releases to the public repository.
- - [ ] ***(SwEng)*** Merge the automatically prepared `prep 9.X.Y` commit which updates `version` and documentation on the release branch into the relevant maintenance branch (`v9_X`).
-
-[^1]: If not, use the time remaining until the tagging deadline to ensure all outstanding issues are either resolved or moved to a different milestone.
-
-[^2]: Preferred command line: `git tag -u <DEVELOPER_KEYID> -a -s -m "BIND 9.X.Y[alphatag]" v9_X_Y[alphatag]`, where `[alphatag]` is an optional string such as `b1`, `rc1`, etc.

.gitlab/issue_templates/release.md

@@ -0,0 +1,31 @@
+## Release Checklist
+
+ - [ ] (Manager) Check for the presence of a milestone for the release.
+    - If there is a milestone, are all the issues for the milestone resolved? (other than this checklist).
+ - [ ] (Manager) Inform Support/Marketing of impending release (and give estimated release dates).
+ - (SwEng) Prepare the sources for tarball generation.
+   - [ ] Ensure that there are no outstanding merge requests in the private repository (subscription version only).
+   - [ ] Update API files for libraries with new version information.
+   - [ ] Change software version and library versions in configure.in (new major release only).
+   - [ ] Ensure Kyua and ATF files are correct.
+   - [ ] Rebuild configure using autoconf on docs.isc.org.
+   - [ ] Update CHANGES.
+   - [ ] Update CHANGES.SE (subscription branch only).
+   - [ ] Update "version".
+   - [ ] Update "readme.md".
+   - [ ] Ensure the release notes are correct for this release (content, formatting, etc.).
+   - [ ] Build documentation on docs.isc.org.
+   - [ ] Commit changes and make sure the gitlab-ci tests are passing.
+   - [ ] Push the changes and tag ("alphatag" is an optional string such as "b1", "rc1" etc.). (```git tag -u <DEVELOPER_KEYID> -a -s -m "BIND 9.X.Y[alphatag]" v9_X_Y[alphatag]```)
+   - [ ] If this is the first tag for a release (e.g. beta), create a release branch named `release_v9_X_Y` (this allows development to continue on the release branch whilst release engineering continues).
+ - [ ] (SwEng) Run the "make release" Jenkins job to produce the tarballs and zips.
+ - [ ] (SwEng) Ask QA to sanity check the tarball and zips (passing to them the number of the Jenkins job).
+ - [ ] (QA) Sanity check the tarballs.
+ - [ ] (QA) Request the signature on the tarballs.
+ - [ ] (QA) Check signatures on tarballs.
+ - [ ] (QA) Tell Support to handle notification of release.
+ - [ ] (Support) Make tarballs and signatures available to download.
+ - [ ] (Manager) Update [https://wiki.isc.org/bin/view/Main/BindReleaseDates](BIND release dates page) when public announcement has been made.
+ - [ ] (Manager) Inform marketing of the release
+
+ - [ ] (SwEng) Update DEB and RPM packages

Atffile

@@ -0,0 +1,5 @@
+Content-Type: application/X-atf-atffile; version="1"
+
+prop: test-suite = bind9
+
+tp: lib

CODE_OF_CONDUCT

@@ -1,79 +0,0 @@
-CODE OF CONDUCT
-
-BIND 9 Code of Conduct
-
-Like the technical community as a whole, the BIND 9 team and community is
-made up of a mixture of professionals and volunteers from all over the
-world, working on every aspect of the mission - including mentorship,
-teaching, and connecting people.
-
-Diversity is one of our huge strengths, but it can also lead to
-communication issues and unhappiness. To that end, we have a few ground
-rules that we ask people to adhere to. This code applies equally to the
-core development team, open source contributors and those seeking help and
-guidance.
-
-This isn't an exhaustive list of things that you can't do. Rather, take it
-in the spirit in which it's intended - a guide to make it easier to enrich
-all of us and the technical communities in which we participate.
-
-This code of conduct applies to all spaces managed by the BIND 9 project
-or Internet Systems Consortium. This includes chat, the mailing lists, the
-issue tracker, and any other fora created by the project team which the
-community uses for communication. In addition, violations of this code
-outside these spaces may affect a person's ability to participate within
-them.
-
-If you believe someone is violating the code of conduct, we ask that you
-report it by emailing conduct@isc.org. For more details please see our
-Reporting Guidelines.
-
-  * Be friendly and patient.
-  * Be welcoming. We strive to be a community that welcomes and supports
-    people of all backgrounds and identities. This includes, but is not
-    limited to members of any race, ethnicity, culture, national origin,
-    colour, immigration status, social and economic class, educational
-    level, sex, sexual orientation, gender identity and expression, age,
-    size, family status, political belief, religion, and mental and
-    physical ability.
-  * Be considerate. Your work will be used by other people, and you in
-    turn will depend on the work of others. Any decision you take will
-    affect users and colleagues, and you should take those consequences
-    into account when making decisions. Remember that we're a world-wide
-    community, so you might not be communicating in someone else's primary
-    language.
-  * Be respectful. Not all of us will agree all the time, but disagreement
-    is no excuse for poor behavior and poor manners. We might all
-    experience some frustration now and then, but we cannot allow that
-    frustration to turn into a personal attack. It's important to remember
-    that a community where people feel uncomfortable or threatened is not
-    a productive one. Members of the BIND 9 community should be respectful
-    when dealing with other members as well as with people outside the
-    BIND 9 community.
-  * Be careful in the words that you choose. We are a community of
-    professionals, and we conduct ourselves professionally. Be kind to
-    others. Do not insult or put down other participants. Harassment and
-    other exclusionary behavior aren't acceptable. This includes, but is
-    not limited to:
-      + Violent threats or language directed against another person.
-      + Discriminatory jokes and language.
-      + Posting sexually explicit or violent material.
-      + Posting (or threatening to post) other people's personally
-        identifying information ("doxing").
-      + Personal insults, especially those using racist or sexist terms.
-      + Unwelcome sexual attention.
-      + Advocating for, or encouraging, any of the above behavior.
-      + Repeated harassment of others. In general, if someone asks you to
-        stop, then stop.
-  * When we disagree, try to understand why. Disagreements, both social
-    and technical, happen all the time and BIND 9 is no exception. It is
-    important that we resolve disagreements and differing views
-    constructively. Remember that we're different. The strength of BIND 9
-    comes from its varied community, people from a wide range of
-    backgrounds. Different people have different perspectives on issues.
-    Being unable to understand why someone holds a viewpoint doesn't mean
-    that they're wrong. Don't forget that it is human to err and blaming
-    each other doesn't get us anywhere. Instead, focus on helping to
-    resolve issues and learning from mistakes.
-
-Original text courtesy of the Django Code of Conduct project.

CODE_OF_CONDUCT.md

@@ -1,71 +0,0 @@
-# BIND 9 Code of Conduct
-
-Like the technical community as a whole, the BIND 9 team and community is made
-up of a mixture of professionals and volunteers from all over the world, working
-on every aspect of the mission - including mentorship, teaching, and connecting
-people.
-
-Diversity is one of our huge strengths, but it can also lead to communication
-issues and unhappiness. To that end, we have a few ground rules that we ask
-people to adhere to. This code applies equally to the core development team, open source contributors and those
-seeking help and guidance.
-
-This isn't an exhaustive list of things that you can't do. Rather, take it in
-the spirit in which it's intended - a guide to make it easier to enrich all of
-us and the technical communities in which we participate.
-
-This code of conduct applies to all spaces managed by the BIND 9 project or
-Internet Systems Consortium. This includes chat, the mailing lists, the issue
-tracker, and any other fora created by the project team which the
-community uses for communication. In addition, violations of this code outside
-these spaces may affect a person's ability to participate within them.
-
-If you believe someone is violating the code of conduct, we ask that you report
-it by emailing [conduct@isc.org](conduct@isc.org). For more details please see
-our [Reporting Guidelines](https://www.isc.org/conductreporting/).
-
-* **Be friendly and patient.**
-* **Be welcoming.** We strive to be a community that welcomes and supports
-  people of all backgrounds and identities. This includes, but is not limited to
-  members of any race, ethnicity, culture, national origin, colour, immigration
-  status, social and economic class, educational level, sex, sexual orientation,
-  gender identity and expression, age, size, family status, political belief,
-  religion, and mental and physical ability.
-* **Be considerate.** Your work will be used by other people, and you in turn
-  will depend on the work of others. Any decision you take will affect users and
-  colleagues, and you should take those consequences into account when making
-  decisions. Remember that we're a world-wide community, so you might not be
-  communicating in someone else's primary language.
-* **Be respectful.** Not all of us will agree all the time, but disagreement is
-  no excuse for poor behavior and poor manners. We might all experience some
-  frustration now and then, but we cannot allow that frustration to turn into a
-  personal attack. It's important to remember that a community where people feel
-  uncomfortable or threatened is not a productive one. Members of the BIND 9
-  community should be respectful when dealing with other members as well as with
-  people outside the BIND 9 community.
-* **Be careful in the words that you choose.** We are a community of
-  professionals, and we conduct ourselves professionally. Be kind to others. Do
-  not insult or put down other participants. Harassment and other exclusionary
-  behavior aren't acceptable. This includes, but is not limited to:
-  * Violent threats or language directed against another person.
-  * Discriminatory jokes and language.
-  * Posting sexually explicit or violent material.
-  * Posting (or threatening to post) other people's personally identifying
-    information ("doxing").
-  * Personal insults, especially those using racist or sexist terms.
-  * Unwelcome sexual attention.
-  * Advocating for, or encouraging, any of the above behavior.
-  * Repeated harassment of others. In general, if someone asks you to stop, then
-    stop.
-* **When we disagree, try to understand why.** Disagreements, both social and
-  technical, happen all the time and BIND 9 is no exception. It is important
-  that we resolve disagreements and differing views constructively. Remember
-  that we're different. The strength of BIND 9 comes from its varied community,
-  people from a wide range of backgrounds. Different people have different
-  perspectives on issues. Being unable to understand why someone holds a
-  viewpoint doesn't mean that they're wrong. Don't forget that it is human to
-  err and blaming each other doesn't get us anywhere. Instead, focus on helping
-  to resolve issues and learning from mistakes.
-
-Original text courtesy of the [Django Code of Conduct](https://www.djangoproject.com/conduct/)
-project.

CONTRIBUTING

@@ -1,5 +1,3 @@
-CONTRIBUTING
-
 BIND Source Access and Contributor Guidelines
 
 Feb 22, 2018
@@ -34,14 +32,6 @@ access to the source repository was restricted just as commit access was.
 That's now changing, with the opening of a public git mirror to the BIND
 source tree (see below).
 
-At Internet Systems Consortium, we're committed to building communities
-that are welcoming and inclusive; environments where people are encouraged
-to share ideas, treat each other with respect, and collaborate towards the
-best solutions. To reinforce our commitment, the Internet Systems
-Consortium has adopted the Contributor Covenant version 1.4 as our Code of
-Conduct for BIND 9 project, as well as for the conduct of our developers
-throughout the industry.
-
 Access to source code
 
 Public BIND releases are always available from the ISC FTP site.

CONTRIBUTING.md

@@ -41,14 +41,6 @@ a release: read access to the source repository was restricted just
 as commit access was.  That's now changing, with the opening of a
 public git mirror to the BIND source tree (see below).
 
-At [Internet Systems Consortium](https://www.isc.org), we're committed to
-building communities that are welcoming and inclusive; environments where people
-are encouraged to share ideas, treat each other with respect, and collaborate
-towards the best solutions. To reinforce our commitment, the [Internet Systems
-Consortium](https://www.isc.org) has adopted the Contributor Covenant version
-1.4 as our Code of Conduct for BIND 9 project, as well as for the conduct of our
-developers throughout the industry.
-
 ### <a name="access"></a>Access to source code
 
 Public BIND releases are always available from the
@@ -116,7 +108,7 @@ ISC's Security Vulnerability Disclosure Policy is documented at [https://kb.isc.
 If you have a crash, you may want to consult
 [‘What to do if your BIND or DHCP server has crashed.’](https://kb.isc.org/article/AA-00340/89/What-to-do-if-your-BIND-or-DHCP-server-has-crashed.html)
 
-### <a name="contrib"></a>Contributing code
+### <a name="bugs"></a>Contributing code
 
 BIND is licensed under the
 [Mozilla Public License 2.0](http://www.isc.org/downloads/software-support-policy/isc-license/).

COPYRIGHT

@@ -1,4 +1,4 @@
-Copyright (C) 1996-2020  Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 1996-2018  Internet Systems Consortium, Inc. ("ISC")
 
 This Source Code Form is subject to the terms of the Mozilla Public
 License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -181,6 +181,67 @@ SUCH DAMAGE.
 
  -----------------------------------------------------------------------------
 
+Copyright (c) 1998 Doug Rabson
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
+
+ -----------------------------------------------------------------------------
+
+Copyright ((c)) 2002, Rice University
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+    * Redistributions of source code must retain the above copyright
+    notice, this list of conditions and the following disclaimer.
+
+    * Redistributions in binary form must reproduce the above
+    copyright notice, this list of conditions and the following
+    disclaimer in the documentation and/or other materials provided
+    with the distribution.
+
+    * Neither the name of Rice University (RICE) nor the names of its
+    contributors may be used to endorse or promote products derived
+    from this software without specific prior written permission.
+
+
+This software is provided by RICE and the contributors on an "as is"
+basis, without any representations or warranties of any kind, express
+or implied including, but not limited to, representations or
+warranties of non-infringement, merchantability or fitness for a
+particular purpose. In no event shall RICE or contributors be liable
+for any direct, indirect, incidental, special, exemplary, or
+consequential damages (including, but not limited to, procurement of
+substitute goods or services; loss of use, data, or profits; or
+business interruption) however caused and on any theory of liability,
+whether in contract, strict liability, or tort (including negligence
+or otherwise) arising in any way out of the use of this software, even
+if advised of the possibility of such damage.
+
+ -----------------------------------------------------------------------------
+
 Copyright (c) 1993 by Digital Equipment Corporation.
 
 Permission to use, copy, modify, and distribute this software for any
@@ -201,6 +262,61 @@ SOFTWARE.
 
  -----------------------------------------------------------------------------
 
+Copyright 2000 Aaron D. Gifford.  All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+3. Neither the name of the copyright holder nor the names of contributors
+   may be used to endorse or promote products derived from this software
+   without specific prior written permission.
+ 
+THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) AND CONTRIBUTOR(S) ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR(S) OR CONTRIBUTOR(S) BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
+
+ -----------------------------------------------------------------------------
+
+Copyright (c) 1998 Doug Rabson.
+Copyright (c) 2001 Jake Burkholder.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
+
+ -----------------------------------------------------------------------------
+
 Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 All rights reserved.
 
@@ -247,6 +363,49 @@ SOFTWARE.
 
  -----------------------------------------------------------------------------
 
+Copyright (c) 2000-2002 Japan Network Information Center.  All rights reserved.
+ 
+By using this file, you agree to the terms and conditions set forth bellow.
+
+                        LICENSE TERMS AND CONDITIONS 
+
+The following License Terms and Conditions apply, unless a different
+license is obtained from Japan Network Information Center ("JPNIC"),
+a Japanese association, Kokusai-Kougyou-Kanda Bldg 6F, 2-3-4 Uchi-Kanda,
+Chiyoda-ku, Tokyo 101-0047, Japan.
+
+1. Use, Modification and Redistribution (including distribution of any
+   modified or derived work) in source and/or binary forms is permitted
+   under this License Terms and Conditions.
+
+2. Redistribution of source code must retain the copyright notices as they
+   appear in each source code file, this License Terms and Conditions.
+
+3. Redistribution in binary form must reproduce the Copyright Notice,
+   this License Terms and Conditions, in the documentation and/or other
+   materials provided with the distribution.  For the purposes of binary
+   distribution the "Copyright Notice" refers to the following language:
+   "Copyright (c) 2000-2002 Japan Network Information Center.  All rights
+   reserved."
+
+4. The name of JPNIC may not be used to endorse or promote products
+   derived from this Software without specific prior written approval of
+   JPNIC.
+
+5. Disclaimer/Limitation of Liability: THIS SOFTWARE IS PROVIDED BY JPNIC
+   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+   PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL JPNIC BE LIABLE
+   FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+   CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+   SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+   BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+   WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+   OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+   ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+ -----------------------------------------------------------------------------
+
 Copyright (C) 2004  Nominet, Ltd.
 
 Permission to use, copy, modify, and distribute this software for any
@@ -263,6 +422,24 @@ PERFORMANCE OF THIS SOFTWARE.
 
  -----------------------------------------------------------------------------
 
+Portions Copyright RSA Security Inc.
+
+License to copy and use this software is granted provided that it is
+identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
+(Cryptoki)" in all material mentioning or referencing this software.
+
+License is also granted to make and use derivative works provided that
+such works are identified as "derived from the RSA Security Inc. PKCS #11
+Cryptographic Token Interface (Cryptoki)" in all material mentioning or
+referencing the derived work.
+
+RSA Security Inc. makes no representations concerning either the
+merchantability of this software or the suitability of this software for
+any particular purpose. It is provided "as is" without express or implied
+warranty of any kind.
+
+ -----------------------------------------------------------------------------
+
 Copyright (c) 1996, David Mazieres <dm@uun.org>
 Copyright (c) 2008, Damien Miller <djm@openbsd.org>
 
@@ -280,6 +457,54 @@ OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
 -----------------------------------------------------------------------------
 
+Copyright (c) 2000-2001 The OpenSSL Project.  All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in
+   the documentation and/or other materials provided with the
+   distribution.
+
+3. All advertising materials mentioning features or use of this
+   software must display the following acknowledgment:
+   "This product includes software developed by the OpenSSL Project
+   for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+
+4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+   endorse or promote products derived from this software without
+   prior written permission. For written permission, please contact
+   licensing@OpenSSL.org.
+
+5. Products derived from this software may not be called "OpenSSL"
+   nor may "OpenSSL" appear in their names without prior written
+   permission of the OpenSSL Project.
+
+6. Redistributions of any form whatsoever must retain the following
+   acknowledgment:
+   "This product includes software developed by the OpenSSL Project
+   for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+
+THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+OF THE POSSIBILITY OF SUCH DAMAGE.
+
+-----------------------------------------------------------------------------
+
 Copyright (c) 1995, 1997, 1998 The NetBSD Foundation, Inc.
 All rights reserved.
 

HISTORY

@@ -1,81 +1,5 @@
-HISTORY
-
 Functional enhancements from prior major releases of BIND 9
 
-BIND 9.14
-
-BIND 9.14 (a stable branch based on the 9.13 development branch) includes
-a number of changes from BIND 9.12 and earlier releases. New features
-include:
-
-  * A new "plugin" mechanism has been added to allow query functionality
-    to be extended using dynamically loadable libraries. The "filter-aaaa"
-    feature has been removed from named and is now implemented as a
-    plugin.
-  * Socket and task code has been refactored to improve performance.
-  * QNAME minimization, as described in RFC 7816, is now supported.
-  * "Root key sentinel" support, enabling validating resolvers to indicate
-    via a special query which trust anchors are configured for the root
-    zone.
-  * Secondary zones can now be configured as "mirror" zones; their
-    contents are transferred in as with traditional slave zones, but are
-    subject to DNSSEC validation and are not treated as authoritative data
-    when answering. This makes it easier to configure a local copy of the
-    root zone as described in RFC 7706.
-  * The "validate-except" option allows configuration of domains below
-    which DNSSEC validation should not be performed.
-  * The default value of "dnssec-validation" is now "auto".
-  * IDNA2008 is now supported when linking with libidn2.
-  * "named -V" now outputs the default paths for files used by named and
-    other tools.
-
-In addition, workarounds that were formerly in place to enable resolution
-of domains whose authoritative servers did not respond to EDNS queries
-have been removed. See https://dnsflagday.net for more details.
-
-Cryptographic support has been modernized. BIND now uses the best
-available pseudo-random number generator for the platform on which it's
-built. Very old versions of OpenSSL are no longer supported. Cryptography
-is now mandatory: building BIND without DNSSEC is no longer supported.
-
-Special code to support certain legacy operating systems has also been
-removed; see the file PLATFORMS.md for details of supported platforms. In
-addition to OpenSSL, BIND now requires support for IPv6, threads, and
-standard atomic operations provided by the C compiler.
-
-BIND 9.12
-
-BIND 9.12 includes a number of changes from BIND 9.11 and earlier
-releases. New features include:
-
-  * named and related libraries have been substantially refactored for
-    improved query performance -- particularly on delegation heavy zones
-    -- and for improved readability, maintainability, and testability.
-  * Code implementing the name server query processing logic has been
-    moved into a new libns library, for easier testing and use in tools
-    other than named.
-  * Cached, validated NSEC and other records can now be used to synthesize
-    NXDOMAIN responses.
-  * The DNS Response Policy Service API (DNSRPS) is now supported.
-  * Setting 'max-journal-size default' now limits the size of journal
-    files to twice the size of the zone.
-  * dnstap-read -x prints a hex dump of the wire format of each logged DNS
-    message.
-  * dnstap output files can now be configured to roll automatically when
-    reaching a given size.
-  * Log file timestamps can now also be formatted in ISO 8601 (local) or
-    ISO 8601 (UTC) formats.
-  * Logging channels and dnstap output files can now be configured to use
-    a timestamp as the suffix when rolling to a new file.
-  * 'named-checkconf -l' lists zones found in named.conf.
-  * Added support for the EDNS Padding and Keepalive options.
-  * 'new-zones-directory' option sets the location where the configuration
-    data for zones added by rndc addzone is stored.
-  * The default key algorithm in rndc-confgen is now hmac-sha256.
-  * filter-aaaa-on-v4 and filter-aaaa-on-v6 options are now available by
-    default without a configure option.
-  * The obsolete isc-hmac-fixup command has been removed.
-
 BIND 9.11
 
 BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier
@@ -507,11 +431,11 @@ BIND 9.4.0
   * Detect duplicates of UDP queries we are recursing on and drop them.
     New stats category "duplicates".
   * "USE INTERNAL MALLOC" is now runtime selectable.
-  * The lame cache is now done on a <qname,qclass,qtype> basis as some
-    servers only appear to be lame for certain query types.
+  * The lame cache is now done on a basis as some servers only appear to
+    be lame for certain query types.
   * Limit the number of recursive clients that can be waiting for a single
-    query (<qname,qtype,qclass>) to resolve. New options clients-per-query
-    and max-clients-per-query.
+    query () to resolve. New options clients-per-query and
+    max-clients-per-query.
   * dig: report the number of extra bytes still left in the packet after
     processing all the records.
   * Support for IPSECKEY rdata type.

HISTORY.md

@@ -10,81 +10,6 @@
 -->
 ### Functional enhancements from prior major releases of BIND 9
 
-#### BIND 9.14
-
-BIND 9.14 (a stable branch based on the 9.13 development branch)
-includes a number of changes from BIND 9.12 and earlier releases.
-New features include:
-
-* A new "plugin" mechanism has been added to allow query functionality
-  to be extended using dynamically loadable libraries. The "filter-aaaa"
-  feature has been removed from named and is now implemented as a plugin.
-* Socket and task code has been refactored to improve performance.
-* QNAME minimization, as described in RFC 7816, is now supported.
-* "Root key sentinel" support, enabling validating resolvers to indicate
-  via a special query which trust anchors are configured for the root zone.
-* Secondary zones can now be configured as "mirror" zones; their contents
-  are transferred in as with traditional slave zones, but are subject to
-  DNSSEC validation and are not treated as authoritative data when
-  answering. This makes it easier to configure a local copy of the root
-  zone as described in RFC 7706.
-* The "validate-except" option allows configuration of domains below which
-  DNSSEC validation should not be performed.
-* The default value of "dnssec-validation" is now "auto".
-* IDNA2008 is now supported when linking with `libidn2`.
-* "named -V" now outputs the default paths for files used by named
-  and other tools.
-
-In addition, workarounds that were formerly in place to enable resolution
-of domains whose authoritative servers did not respond to EDNS queries
-have been removed. See [https://dnsflagday.net](https://dnsflagday.net)
-for more details.
-
-Cryptographic support has been modernized. BIND now uses the
-best available pseudo-random number generator for the platform on which
-it's built. Very old versions of OpenSSL are no longer supported.
-Cryptography is now mandatory: building BIND without DNSSEC is no
-longer supported.
-
-Special code to support certain legacy operating systems has also
-been removed; see the file [PLATFORMS.md](PLATFORMS.md) for details
-of supported platforms. In addition to OpenSSL, BIND now requires
-support for IPv6, threads, and standard atomic operations provided
-by the C compiler.
-
-#### BIND 9.12
-
-BIND 9.12 includes a number of changes from BIND 9.11 and earlier releases.
-New features include:
-
-* `named` and related libraries have been substantially refactored for
-  improved query performance -- particularly on delegation heavy zones --
-  and for improved readability, maintainability, and testability.
-* Code implementing the name server query processing logic has been moved
-  into a new `libns` library, for easier testing and use in tools other
-  than `named`.
-* Cached, validated NSEC and other records can now be used to synthesize
-  NXDOMAIN responses.
-* The DNS Response Policy Service API (DNSRPS) is now supported.
-* Setting `'max-journal-size default'` now limits the size of journal files
-  to twice the size of the zone.
-* `dnstap-read -x` prints a hex dump of the wire format of each logged
-  DNS message.
-* `dnstap` output files can now be configured to roll automatically when
-  reaching a given size.
-* Log file timestamps can now also be formatted in ISO 8601 (local) or ISO
-  8601 (UTC) formats.
-* Logging channels and `dnstap` output files can now be configured to use a
-  timestamp as the suffix when rolling to a new file.
-* `'named-checkconf -l'` lists zones found in `named.conf`.
-* Added support for the EDNS Padding and Keepalive options.
-* 'new-zones-directory' option sets the location where the configuration
-  data for zones added by rndc addzone is stored.
-* The default key algorithm in `rndc-confgen` is now hmac-sha256.
-* `filter-aaaa-on-v4` and `filter-aaaa-on-v6` options are now available
-  by default without a configure option.
-* The obsolete `isc-hmac-fixup` command has been removed.
-
 #### BIND 9.11
 
 BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier

Makefile.in

@@ -14,11 +14,15 @@ top_builddir =  @top_builddir@
 
 VERSION=@BIND9_VERSION@
 
-SUBDIRS =	make lib fuzz bin doc
+SUBDIRS =	make unit lib fuzz bin doc
 TARGETS =
 PREREQS =	bind.keys.h
 
-MANOBJS =	README HISTORY OPTIONS CONTRIBUTING PLATFORMS CODE_OF_CONDUCT \
+MANPAGES =	isc-config.sh.1
+
+HTMLPAGES =	isc-config.sh.html
+
+MANOBJS =	README HISTORY OPTIONS CONTRIBUTING PLATFORMS \
 		${MANPAGES} ${HTMLPAGES}
 
 @BIND9_MAKE_RULES@
@@ -31,7 +35,7 @@ bind.keys.h: ${top_srcdir}/bind.keys ${srcdir}/util/bindkeys.pl
 
 distclean::
 	rm -f config.cache config.h config.log config.status TAGS
-	rm -f libtool configure.lineno
+	rm -f libtool isc-config.sh configure.lineno
 	rm -f util/conf.sh docutil/docbook2man-wrapper.sh
 
 # XXX we should clean libtool stuff too.  Only do this after we add rules
@@ -50,11 +54,25 @@ installdirs:
 	${DESTDIR}${localstatedir}/run ${DESTDIR}${sysconfdir}
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
 
-install:: installdirs
+install:: isc-config.sh installdirs
+	${INSTALL_SCRIPT} isc-config.sh ${DESTDIR}${bindir}
+	rm -f ${DESTDIR}${bindir}/bind9-config
+	@LN@ ${DESTDIR}${bindir}/isc-config.sh ${DESTDIR}${bindir}/bind9-config
+	${INSTALL_DATA} ${top_srcdir}/isc-config.sh.1 ${DESTDIR}${mandir}/man1
+	rm -f ${DESTDIR}${mandir}/man1/bind9-config.1
+	@LN@ ${DESTDIR}${mandir}/man1/isc-config.sh.1 ${DESTDIR}${mandir}/man1/bind9-config.1
 	${INSTALL_DATA} ${top_srcdir}/bind.keys ${DESTDIR}${sysconfdir}
 
 uninstall::
 	rm -f ${DESTDIR}${sysconfdir}/bind.keys
+	rm -f ${DESTDIR}${mandir}/man1/bind9-config.1
+	rm -f ${DESTDIR}${mandir}/man1/isc-config.sh.1
+	rm -f ${DESTDIR}${bindir}/bind9-config
+	rm -f ${DESTDIR}${bindir}/isc-config.sh
+
+tags:
+	rm -f TAGS
+	find lib bin -name "*.[ch]" -print | @ETAGS@ -
 
 test check:
 	@if test -n "`${PERL} ${top_srcdir}/bin/tests/system/testsock.pl 2>/dev/null || echo fail`"; then \
@@ -79,32 +97,27 @@ test-force:
 	exit $$status
 
 README: README.md
-	${PANDOC} --email-obfuscation=none -s --metadata title="README" -f markdown-smart -t html README.md | \
+	${PANDOC} --email-obfuscation=none -s -t html README.md | \
 		${W3M} -dump -cols 75 -O ascii -T text/html | \
 		sed -e '$${/^$$/d;}' > $@
 
 HISTORY: HISTORY.md
-	${PANDOC} --email-obfuscation=none -s --metadata title="HISTORY" -f markdown-smart -t html HISTORY.md | \
+	${PANDOC} --email-obfuscation=none -s -t html HISTORY.md | \
 		${W3M} -dump -cols 75 -O ascii -T text/html | \
 		sed -e '$${/^$$/d;}' > $@
 
 OPTIONS: OPTIONS.md
-	${PANDOC} --email-obfuscation=none -s --metadata title="OPTIONS" -f markdown-smart -t html OPTIONS.md | \
+	${PANDOC} --email-obfuscation=none -s -t html OPTIONS.md | \
 		${W3M} -dump -cols 75 -O ascii -T text/html | \
 		sed -e '$${/^$$/d;}' > $@
 
 CONTRIBUTING: CONTRIBUTING.md
-	${PANDOC} --email-obfuscation=none -s --metadata title="CONTRIBUTING" -f markdown-smart -t html CONTRIBUTING.md | \
+	${PANDOC} --email-obfuscation=none -s -t html CONTRIBUTING.md | \
 		${W3M} -dump -cols 75 -O ascii -T text/html | \
 		sed -e '$${/^$$/d;}' > $@
 
 PLATFORMS: PLATFORMS.md
-	${PANDOC} --email-obfuscation=none -s --metadata title="PLATFORMS" -f markdown-smart -t html PLATFORMS.md | \
-		${W3M} -dump -cols 75 -O ascii -T text/html | \
-		sed -e '$${/^$$/d;}' > $@
-
-CODE_OF_CONDUCT: CODE_OF_CONDUCT.md
-	${PANDOC} --email-obfuscation=none -s --metadata title="CODE OF CONDUCT" -f markdown-smart -t html CODE_OF_CONDUCT.md | \
+	${PANDOC} --email-obfuscation=none -s -t html PLATFORMS.md | \
 		${W3M} -dump -cols 75 -O ascii -T text/html | \
 		sed -e '$${/^$$/d;}' > $@
 

OPTIONS

@@ -1,12 +1,10 @@
-OPTIONS
-
 Setting the STD_CDEFINES environment variable before running configure can
 be used to enable certain compile-time options that are not explicitly
 defined in configure.
 
 Some of these settings are:
 
-         Setting                            Description
+Setting                   Description
                           Overwrite memory with tag values when allocating
 -DISC_MEM_DEFAULTFILL=1   or freeing it; this impairs performance but
                           makes debugging of memory problems easier.

PLATFORMS

@@ -1,32 +1,11 @@
-PLATFORMS
-
 Supported platforms
 
 In general, this version of BIND will build and run on any POSIX-compliant
-system with a C11-compliant C compiler, BSD-style sockets with
-RFC-compliant IPv6 support, POSIX-compliant threads, the libuv
-asynchronous I/O library, and the OpenSSL cryptography library.
-
-The following C11 features are used in BIND 9:
-
-  * Atomic operations support from the compiler is needed, either in the
-    form of builtin operations, C11 atomics, or the Interlocked family of
-    functions on Windows.
-
-  * Thread Local Storage support from the compiler is needed, either in
-    the form of C11 _Thread_local/thread_local, the __thread GCC
-    extension, or the __declspec(thread) MSVC extension on Windows.
-
-BIND 9.15 requires a fairly recent version of libuv (at least 1.x). For
-some of the older systems listed below, you will have to install an
-updated libuv package from sources such as EPEL, PPA, or other native
-sources for updated packages. The other option is to build and install
-libuv from source.
-
-Certain optional BIND features have additional library dependencies. These
-include libxml2 and libjson-c for statistics, libmaxminddb for
-geolocation, libfstrm and libprotobuf-c for DNSTAP, and libidn2 for
-internationalized domain name conversion.
+system with a C99-compliant C compiler, BSD-style sockets with
+RFC-compliant IPv6 support, POSIX-compliant threads, and the OpenSSL
+cryptography library. Atomic operations support from the compiler is
+needed, either in the form of builtin operations, C11 atomics or the
+Interlocked family of functions on Windows.
 
 ISC regularly tests BIND on many operating systems and architectures, but
 lacks the resources to test all of them. Consequently, ISC is only able to
@@ -34,66 +13,49 @@ offer support on a "best effort" basis for some.
 
 Regularly tested platforms
 
-As of Dec 2019, BIND 9.15 is fully supported and regularly tested on the
-following systems:
+As of May 2018, BIND 9.13 is tested on the following systems:
 
-  * Debian 9, 10
-  * Ubuntu LTS 16.04, 18.04
-  * Fedora 31
-  * Red Hat Enterprise Linux / CentOS 7, 8
-  * FreeBSD 11.3, 12.0
-  * OpenBSD 6.5
-  * Alpine Linux
+  * Debian 8, 9
+  * Ubuntu 16.04, 18.04
+  * Fedora 27, 28
+  * Red Hat/CentOS 6, 7
+  * FreeBSD 10.x, 11.x
+  * OpenBSD 6.3
 
 The amd64, i386, armhf and arm64 CPU architectures are all fully
 supported.
 
 Best effort
 
-The following are platforms on which BIND is known to build and run. ISC
-makes every effort to fix bugs on these platforms, but may be unable to do
-so quickly due to lack of hardware, less familiarity on the part of
-engineering staff, and other constraints. With the exception of Windows
-Server 2012 R2, none of these are tested regularly by ISC.
+The following are platforms on which BIND is known to build and run, but
+on which it is not routinely tested. ISC makes every effort to fix bugs on
+these platforms, but may be unable to do so quickly due to lack of
+hardware, less familiarity on the part of engineering staff, and other
+constraints.
 
-  * Windows Server 2012 R2, 2016 / x64
   * Windows 10 / x64
+  * Windows Server 2012 R2, 2016 / x64
   * macOS 10.12+
-  * Solaris 11
+  * Solaris 10
+  * FreeBSD 12+
+  * OpenBSD 6.2
   * NetBSD
-  * Other Linux distributions still supported by their vendors, such as:
-      + Ubuntu 19.04+
+  * Older or less popular Linux distributions still supported by their
+    vendors, such as:
+      + Ubuntu 14.04, 18.10+
       + Gentoo
-      + Arch Linux
-  * OpenWRT/LEDE 17.01+
+      + ArchLinux
+      + Alpine Linux
+  * OpenWRT/LEDE 17.0
   * Other CPU architectures (mips, mipsel, sparc, ...)
 
-Community maintained
-
-These systems may not all have the required dependencies for building BIND
-easily available, although it will be possible in many cases to compile
-those directly from source. The community and interested parties may wish
-to help with maintenance, and we welcome patch contributions, although we
-cannot guarantee that we will accept them. All contributions will be
-assessed against the risk of adverse effect on officially supported
-platforms.
-
-  * Platforms past or close to their respective EOL dates, such as:
-      + Ubuntu 14.04, 18.10
-      + CentOS 6
-      + Debian Jessie
-      + FreeBSD 10.x
-
 Unsupported platforms
 
-These are platforms on which BIND 9.15 is known not to build or run:
+These are platforms on which BIND is known not to build or run:
 
   * Platforms without at least OpenSSL 1.0.2
   * Windows 10 / x86
   * Windows Server 2012 and older
-  * Solaris 10 and older
   * Platforms that don't support IPv6 Advanced Socket API (RFC 3542)
   * Platforms that don't support atomic operations (via compiler or
     library)
-  * Linux without NPTL (Native POSIX Thread Library)
-  * Platforms on which libuv cannot be compiled

PLATFORMS.md

@@ -11,30 +11,11 @@
 ## Supported platforms
 
 In general, this version of BIND will build and run on any POSIX-compliant
-system with a C11-compliant C compiler, BSD-style sockets with RFC-compliant
-IPv6 support, POSIX-compliant threads, the `libuv` asynchronous I/O library,
-and the OpenSSL cryptography library.
-
-The following C11 features are used in BIND 9:
-
-* Atomic operations support from the compiler is needed, either in the form of
-  builtin operations, C11 atomics, or the `Interlocked` family of functions on
-  Windows.
-
-* Thread Local Storage support from the compiler is needed, either in the form
-  of C11 `_Thread_local`/`thread_local`, the `__thread` GCC extension, or
-  the `__declspec(thread)` MSVC extension on Windows.
-
-BIND 9.15 requires a fairly recent version of `libuv` (at least 1.x).  For
-some of the older systems listed below, you will have to install an updated
-`libuv` package from sources such as EPEL, PPA, or other native sources for
-updated packages. The other option is to build and install `libuv` from
-source.
-
-Certain optional BIND features have additional library dependencies.
-These include `libxml2` and `libjson-c` for statistics, `libmaxminddb` for
-geolocation, `libfstrm` and `libprotobuf-c` for DNSTAP, and `libidn2` for
-internationalized domain name conversion.
+system with a C99-compliant C compiler, BSD-style sockets with RFC-compliant
+IPv6 support, POSIX-compliant threads, and the OpenSSL cryptography library.
+Atomic operations support from the compiler is needed, either in the form of
+builtin operations, C11 atomics or the Interlocked family of functions on
+Windows.
 
 ISC regularly tests BIND on many operating systems and architectures, but
 lacks the resources to test all of them. Consequently, ISC is only able to
@@ -42,64 +23,78 @@ offer support on a "best effort" basis for some.
 
 ### Regularly tested platforms
 
-As of Dec 2019, BIND 9.15 is fully supported and regularly tested on the
-following systems:
+As of May 2018, BIND 9.13 is tested on the following systems:
 
-* Debian 9, 10
-* Ubuntu LTS 16.04, 18.04
-* Fedora 31
-* Red Hat Enterprise Linux / CentOS 7, 8
-* FreeBSD 11.3, 12.0
-* OpenBSD 6.5
-* Alpine Linux
+* Debian 8, 9
+* Ubuntu 16.04, 18.04
+* Fedora 27, 28
+* Red Hat/CentOS 6, 7
+* FreeBSD 10.x, 11.x
+* OpenBSD 6.3
 
 The amd64, i386, armhf and arm64 CPU architectures are all fully supported.
 
 ### Best effort
 
-The following are platforms on which BIND is known to build and run.
-ISC makes every effort to fix bugs on these platforms, but may be unable to
-do so quickly due to lack of hardware, less familiarity on the part of
-engineering staff, and other constraints. With the exception of Windows
-Server 2012 R2, none of these are tested regularly by ISC.
+The following are platforms on which BIND is known to build and run,
+but on which it is not routinely tested. ISC makes every effort to fix bugs
+on these platforms, but may be unable to do so quickly due to lack of
+hardware, less familiarity on the part of engineering staff, and other
+constraints.
 
-* Windows Server 2012 R2, 2016 / x64
 * Windows 10 / x64
+* Windows Server 2012 R2, 2016 / x64
 * macOS 10.12+
-* Solaris 11
+* Solaris 10
+* FreeBSD 12+
+* OpenBSD 6.2
 * NetBSD
-* Other Linux distributions still supported by their vendors, such as:
-    * Ubuntu 19.04+
+* Older or less popular Linux distributions still supported by their vendors, such as:
+    * Ubuntu 14.04, 18.10+
     * Gentoo
-    * Arch Linux
-* OpenWRT/LEDE 17.01+
+    * ArchLinux
+    * Alpine Linux
+* OpenWRT/LEDE 17.0
 * Other CPU architectures (mips, mipsel, sparc, ...)
 
-### Community maintained
-
-These systems may not all have the required dependencies for building BIND
-easily available, although it will be possible in many cases to compile
-those directly from source. The community and interested parties may wish
-to help with maintenance, and we welcome patch contributions, although we
-cannot guarantee that we will accept them.  All contributions will be
-assessed against the risk of adverse effect on officially supported
-platforms.
-
-* Platforms past or close to their respective EOL dates, such as:
-    * Ubuntu 14.04, 18.10
-    * CentOS 6
-    * Debian Jessie
-    * FreeBSD 10.x
-
 ## Unsupported platforms
 
-These are platforms on which BIND 9.15 is known *not* to build or run:
+These are platforms on which BIND is known *not* to build or run:
 
 * Platforms without at least OpenSSL 1.0.2
 * Windows 10 / x86
 * Windows Server 2012 and older
-* Solaris 10 and older
 * Platforms that don't support IPv6 Advanced Socket API (RFC 3542)
 * Platforms that don't support atomic operations (via compiler or library)
 * Linux without NPTL (Native POSIX Thread Library)
-* Platforms on which `libuv` cannot be compiled
+
+## Platform quirks
+
+### ARM
+
+If the compilation ends with following error:
+
+```
+Error: selected processor does not support `yield' in ARM mode
+```
+
+You will need to set `-march` compiler option to `native`, so the compiler
+recognizes `yield` assembler instruction.  The proper way to set `-march=native`
+would be to put it into `CFLAGS`, e.g. run `./configure` like this:
+`CFLAGS="-march=native -Os -g" ./configure` plus your usual options.
+
+If that doesn't work, you can enforce the minimum CPU and FPU (taken from Debian
+armhf documentation):
+
+* The lowest worthwhile CPU implementation is Armv7-A, therefore the recommended
+  build option is `-march=armv7-a`.
+
+* FPU should be set at VFPv3-D16 as they represent the miminum specification of
+  the processors to support here, therefore the recommended build option is
+  `-mfpu=vfpv3-d16`.
+
+The configure command should look like this:
+
+```
+CFLAGS="-march=armv7-a -mfpu=vfpv3-d16 -Os -g" ./configure
+```

README

@@ -1,5 +1,3 @@
-README
-
 BIND 9
 
 Contents
@@ -7,15 +5,14 @@ Contents
  1. Introduction
  2. Reporting bugs and getting help
  3. Contributing to BIND
- 4. BIND 9.15 features
+ 4. BIND 9.13 features
  5. Building BIND
  6. macOS
- 7. Dependencies
- 8. Compile-time options
- 9. Automated testing
-10. Documentation
-11. Change log
-12. Acknowledgments
+ 7. Compile-time options
+ 8. Automated testing
+ 9. Documentation
+10. Change log
+11. Acknowledgments
 
 Introduction
 
@@ -39,7 +36,7 @@ in versions 4 and 8. Internet Systems Consortium (https://www.isc.org), a
 501(c)(3) public benefit corporation dedicated to providing software and
 services in support of the Internet infrastructure, developed BIND 9 and
 is responsible for its ongoing maintenance and improvement. BIND is open
-source software licensed under the terms of the Mozilla Public License,
+source software licenced under the terms of the Mozilla Public License,
 version 2.0.
 
 For a summary of features introduced in past major releases of BIND, see
@@ -48,8 +45,8 @@ the file HISTORY.
 For a detailed list of changes made throughout the history of BIND 9, see
 the file CHANGES. See below for details on the CHANGES file format.
 
-For up-to-date versions and release notes, see https://www.isc.org/
-download/.
+For up-to-date release notes and errata, see http://www.isc.org/software/
+bind9/releasenotes
 
 For information about supported platforms, see PLATFORMS.
 
@@ -71,9 +68,6 @@ If the bug you are reporting is a potential security issue, such as an
 assertion failure or other crash in named, please do NOT use GitLab to
 report it. Instead, please send mail to security-officer@isc.org.
 
-For a general overview of ISC security policies, read the Knowledge Base
-article at https://kb.isc.org/docs/aa-00861.
-
 Professional support and training for BIND are available from ISC at
 https://www.isc.org/support.
 
@@ -90,11 +84,10 @@ ISC maintains a public git repository for BIND; details can be found at
 http://www.isc.org/git/.
 
 Information for BIND contributors can be found in the following files: -
-General information: CONTRIBUTING.md - Code of Conduct: CODE_OF_CONDUCT.md
-- BIND 9 code style: doc/dev/style.md - BIND architecture and developer
-guide: doc/dev/dev.md
+General information: CONTRIBUTING.md - BIND 9 code style: doc/dev/style.md
+- BIND architecture and developer guide: doc/dev/dev.md
 
-Patches for BIND may be submitted as merge requests in the ISC GitLab
+Patches for BIND may be submitted as Merge Requests in the ISC GitLab
 server at at https://gitlab.isc.org/isc-projects/bind9/merge_requests.
 
 By default, external contributors don't have ability to fork BIND in the
@@ -106,38 +99,56 @@ If you prefer, you may also submit code by opening a GitLab Issue and
 including your patch as an attachment, preferably generated by git
 format-patch.
 
-BIND 9.15 features
+BIND 9.13 features
 
-BIND 9.15 is the newest development branch of BIND 9. It includes a number
-of changes from BIND 9.14 and earlier releases. New features include:
+BIND 9.13 is the newest development branch of BIND 9. It includes a number
+of changes from BIND 9.12 and earlier releases. New features include:
 
-  * New "dnssec-policy" statement to configure a key and signing policy
-    for zones, enabling automatic key regeneration and rollover.
-  * New new network manager based on libuv.
-  * Support for the new GeoIP2 geolocation API
-  * Improved DNSSEC trust anchor configuration using the trust-anchors
-    statement, permitting configuration of trust anchors in DS as well as
-    DNSKEY format.
-  * YAML output for dig, mdig, and delv.
+  * QNAME minimization, as described in RFC 7816, is now supported.
+  * "Root key sentinel" support, enabling validating resolvers to indicate
+    via a special query which trust anchors are configured for the root
+    zone.
+  * Secondary zones can now be configured as "mirror" zones; their
+    contents are transferred in as with traditional slave zones, but are
+    subject to DNSSEC validation and are not treated as authoritative data
+    when answering. This makes it easier to configure a local copy of the
+    root zone as described in RFC 7706.
+  * The "validate-except" option allows configuration of domains below
+    which DNSSEC validation should not be performed.
+  * The default value of "dnssec-validation" is now "auto".
+  * IDNA2008 is now supported when linking with libidn2.
+
+In addition, workarounds that were formerly in place to enable resolution
+of domains whose authoritative servers did not respond to EDNS queries
+have been removed. See https://dnsflagday.net for more details.
+
+Cryptographic support has been modernized. BIND now uses the best
+available pseudo-random number generator for the platform on which it's
+built. Very old versions of OpenSSL are no longer supported. Cryptography
+is now mandatory: building BIND without DNSSEC is now longer supported.
+
+Special code to support certain legacy operating systems has also been
+removed; see the file PLATFORMS.md for details of supported platforms. In
+addition to OpenSSL, BIND now requires support for IPv6, threads, and
+standard atomic operations provided by the C compiler.
 
 Building BIND
 
 Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
-basic POSIX support, and a 64-bit integer type. BIND also requires the
-libuv asynchronous I/O library, and a cryptography provider library such
-as OpenSSL or a hardware service module supporting PKCS#11. On Linux, BIND
-requires the libcap library to set process privileges, though this
-requirement can be overridden by disabling capability support at compile
-time. See Compile-time options below for details on other libraries that
-may be required to support optional features.
+basic POSIX support, and a 64-bit integer type. Successful builds have
+been observed on many versions of Linux and UNIX, including RedHat,
+Fedora, Debian, Ubuntu, SuSE, Slackware, FreeBSD, NetBSD, OpenBSD, Mac OS
+X, Solaris, HP-UX, and OpenWRT.
 
-Successful builds have been observed on many versions of Linux and UNIX,
-including RHEL/CentOS, Fedora, Debian, Ubuntu, SLES, openSUSE, Slackware,
-Alpine, FreeBSD, NetBSD, OpenBSD, macOS, Solaris, OpenIndiana, OmniOS CE,
-HP-UX, and OpenWRT.
+BIND requires a cryptography provider library such as OpenSSL or a
+hardware service module supporting PKCS#11. On Linux, BIND requires the
+libcap library to set process privileges, though this requirement can be
+overridden by disabling capability support at compile time. See
+Compile-time options below for details on other libraries that may be
+required to support optional features.
 
-BIND is also available for Windows Server 2012 R2 and higher. See win32utils/
-build.txt for details on building for Windows systems.
+BIND is also available for Windows 2008 and higher. See win32utils/
+readme1st.txt for details on building for Windows systems.
 
 To build on a UNIX or Linux system, use:
 
@@ -150,7 +161,7 @@ make depend. If you're using Emacs, you might find make tags helpful.
 Several environment variables that can be set before running configure
 will affect compilation:
 
-   Variable                            Description
+Variable       Description
 CC             The C compiler to use. configure tries to figure out the
                right one for supported systems.
                C compiler flags. Defaults to include -g and/or -O2 as
@@ -165,33 +176,43 @@ STD_CDEFINES   Defaults to empty string. For a list of possible settings,
 LDFLAGS        Linker flags. Defaults to empty string.
 BUILD_CC       Needed when cross-compiling: the native C compiler to use
                when building for the target system.
-BUILD_CFLAGS   CFLAGS for the target system during cross-compiling.
-BUILD_CPPFLAGS CPPFLAGS for the target system during cross-compiling.
-BUILD_LDFLAGS  LDFLAGS for the target system during cross-compiling.
-BUILD_LIBS     LIBS for the target system during cross-compiling.
+BUILD_CFLAGS   Optional, used for cross-compiling
+BUILD_CPPFLAGS
+BUILD_LDFLAGS
+BUILD_LIBS
 
 macOS
 
 Building on macOS assumes that the "Command Tools for Xcode" is installed.
 This can be downloaded from https://developer.apple.com/download/more/ or
-if you have Xcode already installed you can run xcode-select --install.
-
-Dependencies
-
-Portions of BIND that are written in Python, including dnssec-keymgr,
-dnssec-coverage, dnssec-checkds, and some of the system tests, require the
-argparse, ply and distutils.core modules to be available. argparse is a
-standard module as of Python 2.7 and Python 3.2. ply is available from
-https://pypi.python.org/pypi/ply. distutils.core is required for
-installation.
+if you have Xcode already installed you can run "xcode-select --install".
+This will add /usr/include to the system and install the compiler and
+other tools so that they can be easily found.
 
 Compile-time options
 
 To see a full list of configuration options, run configure --help.
 
+On most platforms, BIND 9 is built with multithreading support, allowing
+it to take advantage of multiple CPUs. You can configure this by
+specifying --enable-threads or --disable-threads on the configure command
+line. The default is to enable threads, except on some older operating
+systems on which threads are known to have had problems in the past.
+(Note: Prior to BIND 9.10, the default was to disable threads on Linux
+systems; this has now been reversed. On Linux systems, the threaded build
+is known to change BIND's behavior with respect to file permissions; it
+may be necessary to specify a user with the -u option when running named.)
+
 To build shared libraries, specify --with-libtool on the configure command
 line.
 
+Certain compiled-in constants and default settings can be increased to
+values better suited to large servers with abundant memory resources (e.g,
+64-bit servers with 12G or more of memory) by specifying --with-tuning=
+large on the configure command line. This can improve performance on big
+servers, but will consume more memory and may degrade performance on
+smaller systems.
+
 For the server to support DNSSEC, you need to build it with crypto
 support. To use OpenSSL, you should have OpenSSL 1.0.2e or newer
 installed. If the OpenSSL library is installed in a nonstandard location,
@@ -201,12 +222,9 @@ operations, specify the path to the PKCS#11 provider library using
 --with-pkcs11=<PREFIX>, and configure BIND with --enable-native-pkcs11.
 
 To support the HTTP statistics channel, the server must be linked with at
-least one of the following libraries: libxml2 http://xmlsoft.org or json-c
-https://github.com/json-c/json-c. If these are installed at a nonstandard
-location, then:
-
-  * for libxml2, specify the prefix using --with-libxml2=/prefix,
-  * for json-c, adjust PKG_CONFIG_PATH.
+least one of the following: libxml2 http://xmlsoft.org or json-c https://
+github.com/json-c. If these are installed at a nonstandard location,
+specify the prefix using --with-libxml2=/prefix or --with-libjson=/prefix.
 
 To support compression on the HTTP statistics channel, the server must be
 linked against libzlib. If this is installed in a nonstandard location,
@@ -216,28 +234,26 @@ To support storing configuration data for runtime-added zones in an LMDB
 database, the server must be linked with liblmdb. If this is installed in
 a nonstandard location, specify the prefix using with-lmdb=/prefix.
 
-To support MaxMind GeoIP2 location-based ACLs, the server must be linked
-with libmaxminddb. This is turned on by default if the library is found;
-if the library is installed in a nonstandard location, specify the prefix
-using --with-maxminddb=/prefix. GeoIP2 support can be switched off with
---disable-geoip.
+To support GeoIP location-based ACLs, the server must be linked with
+libGeoIP. This is not turned on by default; BIND must be configured with
+--with-geoip. If the library is installed in a nonstandard location,
+specify the prefix using --with-geoip=/prefix.
 
 For DNSTAP packet logging, you must have installed libfstrm https://
 github.com/farsightsec/fstrm and libprotobuf-c https://
 developers.google.com/protocol-buffers, and BIND must be configured with
 --enable-dnstap.
 
-Certain compiled-in constants and default settings can be increased to
-values better suited to large servers with abundant memory resources (e.g,
-64-bit servers with 12G or more of memory) by specifying --with-tuning=
-large on the configure command line. This can improve performance on big
-servers, but will consume more memory and may degrade performance on
-smaller systems.
-
 On Linux, process capabilities are managed in user space using the libcap
 library, which can be installed on most Linux systems via the libcap-dev
-or libcap-devel package. Process capability support can also be disabled
-by configuring with --disable-linux-caps.
+or libcap-devel module. Process capability support can also be disabled by
+configuring with --disable-linux-caps.
+
+Portions of BIND that are written in Python, including dnssec-keymgr,
+dnssec-coverage, dnssec-checkds, and some of the system tests, require the
+'argparse' and 'ply' modules to be available. 'argparse' is a standard
+module as of Python 2.7 and Python 3.2. 'ply' is available from https://
+pypi.python.org/pypi/ply.
 
 On some platforms it is necessary to explicitly request large file support
 to handle files bigger than 2GB. This can be done by using
@@ -248,18 +264,17 @@ specifying --enable-fixed-rrset or --disable-fixed-rrset on the configure
 command line. By default, fixed rrset-order is disabled to reduce memory
 footprint.
 
-The --enable-querytrace option causes named to log every step of
-processing every query. This should only be enabled when debugging,
-because it has a significant negative impact on query performance.
-
 make install will install named and the various BIND 9 libraries. By
 default, installation is into /usr/local, but this can be changed with the
 --prefix option when running configure.
 
 You may specify the option --sysconfdir to set the directory where
 configuration files like named.conf go by default, and --localstatedir to
-set the default parent directory of run/named.pid. --sysconfdir defaults
-to $prefix/etc and --localstatedir defaults to $prefix/var.
+set the default parent directory of run/named.pid. For backwards
+compatibility with BIND 8, --sysconfdir defaults to /etc and
+--localstatedir defaults to /var if no --prefix option is given. If there
+is a --prefix option, sysconfdir defaults to $prefix/etc and localstatedir
+defaults to $prefix/var.
 
 Automated testing
 
@@ -271,18 +286,16 @@ ifconfig.sh up as root.
 
 Some tests require Perl and the Net::DNS and/or IO::Socket::INET6 modules,
 and will be skipped if these are not available. Some tests require Python
-and the dnspython module and will be skipped if these are not available.
+and the 'dnspython' module and will be skipped if these are not available.
 See bin/tests/system/README for further details.
 
-Unit tests are implemented using the CMocka unit testing framework. To
-build them, use configure --with-cmocka. Execution of tests is done by the
-Kyua test execution engine; if the kyua command is available, then unit
-tests can be run via make test or make unit.
+Unit tests are implemented using Automated Testing Framework (ATF). To run
+them, use configure --with-atf, then run make test or make unit.
 
 Documentation
 
 The BIND 9 Administrator Reference Manual is included with the source
-distribution, in DocBook XML, HTML, and PDF format, in the doc/arm
+distribution, in DocBook XML, HTML and PDF format, in the doc/arm
 directory.
 
 Some of the programs in the BIND 9 distribution have man pages in their
@@ -302,7 +315,7 @@ development BIND 9 is included in the file CHANGES, with the most recent
 changes listed first. Change notes include tags indicating the category of
 the change that was made; these categories are:
 
-   Category                            Description
+Category       Description
 [func]         New feature
 [bug]          General bug fix
 [security]     Fix for a significant security flaw
@@ -330,46 +343,26 @@ releases (i.e., those with version numbers ending in zero). Some new
 functionality may be backported to older releases on a case-by-case basis.
 All other change types may be applied to all currently-supported releases.
 
-Bug report identifiers
-
-Most notes in the CHANGES file include a reference to a bug report or
-issue number. Prior to 2018, these were usually of the form [RT #NNN] and
-referred to entries in the "bind9-bugs" RT database, which was not open to
-the public. More recent entries use the form [GL #NNN] or, less often, [GL
-!NNN], which, respectively, refer to issues or merge requests in the
-GitLab database. Most of these are publicly readable, unless they include
-information which is confidential or security sensitive.
-
-To look up a GitLab issue by its number, use the URL https://
-gitlab.isc.org/isc-projects/bind9/issues/NNN. To look up a merge request,
-use https://gitlab.isc.org/isc-projects/bind9/merge_requests/NNN.
-
-In rare cases, an issue or merge request number may be followed with the
-letter "P". This indicates that the information is in the private ISC
-GitLab instance, which is not visible to the public.
-
 Acknowledgments
 
   * The original development of BIND 9 was underwritten by the following
     organizations:
 
-      Sun Microsystems, Inc.
-      Hewlett Packard
-      Compaq Computer Corporation
-      IBM
-      Process Software Corporation
-      Silicon Graphics, Inc.
-      Network Associates, Inc.
-      U.S. Defense Information Systems Agency
-      USENIX Association
-      Stichting NLnet - NLnet Foundation
-      Nominum, Inc.
+    Sun Microsystems, Inc.
+    Hewlett Packard
+    Compaq Computer Corporation
+    IBM
+    Process Software Corporation
+    Silicon Graphics, Inc.
+    Network Associates, Inc.
+    U.S. Defense Information Systems Agency
+    USENIX Association
+    Stichting NLnet - NLnet Foundation
+    Nominum, Inc.
 
   * This product includes software developed by the OpenSSL Project for
     use in the OpenSSL Toolkit. http://www.OpenSSL.org/
-
   * This product includes cryptographic software written by Eric Young
     (eay@cryptsoft.com)
-
   * This product includes software written by Tim Hudson
     (tjh@cryptsoft.com)

README.md

@@ -15,10 +15,9 @@
 1. [Introduction](#intro)
 1. [Reporting bugs and getting help](#help)
 1. [Contributing to BIND](#contrib)
-1. [BIND 9.15 features](#features)
+1. [BIND 9.13 features](#features)
 1. [Building BIND](#build)
 1. [macOS](#macos)
-1. [Dependencies](#dependencies)
 1. [Compile-time options](#opts)
 1. [Automated testing](#testing)
 1. [Documentation](#doc)
@@ -48,7 +47,7 @@ used in versions 4 and 8.  Internet Systems Consortium
 corporation dedicated to providing software and services in support of the
 Internet infrastructure, developed BIND 9 and is responsible for its
 ongoing maintenance and improvement.  BIND is open source software
-licensed under the terms of the Mozilla Public License, version 2.0.
+licenced under the terms of the Mozilla Public License, version 2.0.
 
 For a summary of features introduced in past major releases of BIND,
 see the file [HISTORY](HISTORY.md).
@@ -57,8 +56,8 @@ For a detailed list of changes made throughout the history of BIND 9, see
 the file [CHANGES](CHANGES). See [below](#changes) for details on the
 CHANGES file format.
 
-For up-to-date versions and release notes, see
-[https://www.isc.org/download/](https://www.isc.org/download/).
+For up-to-date release notes and errata, see
+[http://www.isc.org/software/bind9/releasenotes](http://www.isc.org/software/bind9/releasenotes)
 
 For information about supported platforms, see [PLATFORMS](PLATFORMS.md).
 
@@ -82,9 +81,6 @@ assertion failure or other crash in `named`, please do *NOT* use GitLab to
 report it. Instead, please send mail to
 [security-officer@isc.org](mailto:security-officer@isc.org).
 
-For a general overview of ISC security policies, read the Knowledge Base
-article at [https://kb.isc.org/docs/aa-00861](https://kb.isc.org/docs/aa-00861).
-
 Professional support and training for BIND are available from
 ISC at [https://www.isc.org/support](https://www.isc.org/support).
 
@@ -101,13 +97,12 @@ ISC maintains a public git repository for BIND; details can be found
 at [http://www.isc.org/git/](http://www.isc.org/git/).
 
 Information for BIND contributors can be found in the following files:
-- General information: [CONTRIBUTING.md](CONTRIBUTING.md)
-- Code of Conduct: [CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md)
+- General information: [CONTRIBUTING.md](CONTRIBUTING)
 - BIND 9 code style: [doc/dev/style.md](doc/dev/style.md)
 - BIND architecture and developer guide: [doc/dev/dev.md](doc/dev/dev.md)
 
 Patches for BIND may be submitted as
-[merge requests](https://gitlab.isc.org/isc-projects/bind9/merge_requests)
+[Merge Requests](https://gitlab.isc.org/isc-projects/bind9/merge_requests)
 in the [ISC GitLab server](https://gitlab.isc.org) at
 at [https://gitlab.isc.org/isc-projects/bind9/merge_requests](https://gitlab.isc.org/isc-projects/bind9/merge_requests).
 
@@ -121,40 +116,59 @@ If you prefer, you may also submit code by opening a
 including your patch as an attachment, preferably generated by
 `git format-patch`.
 
-### <a name="features"/> BIND 9.15 features
+### <a name="features"/> BIND 9.13 features
 
-BIND 9.15 is the newest development branch of BIND 9. It includes a
-number of changes from BIND 9.14 and earlier releases. New features
+BIND 9.13 is the newest development branch of BIND 9. It includes a
+number of changes from BIND 9.12 and earlier releases.  New features
 include:
 
-* New "dnssec-policy" statement to configure a key and signing policy
-  for zones, enabling automatic key regeneration and rollover.
-* New new network manager based on libuv.
-* Support for the new GeoIP2 geolocation API
-* Improved DNSSEC trust anchor configuration using the `trust-anchors`
-  statement, permitting configuration of trust anchors in DS as well as
-  DNSKEY format.
-* YAML output for `dig`, `mdig`, and `delv`.
+* QNAME minimization, as described in RFC 7816, is now supported.
+* "Root key sentinel" support, enabling validating resolvers to indicate
+  via a special query which trust anchors are configured for the root zone.
+* Secondary zones can now be configured as "mirror" zones; their contents
+  are transferred in as with traditional slave zones, but are subject to
+  DNSSEC validation and are not treated as authoritative data when
+  answering. This makes it easier to configure a local copy of the root
+  zone as described in RFC 7706.
+* The "validate-except" option allows configuration of domains below which
+  DNSSEC validation should not be performed.
+* The default value of "dnssec-validation" is now "auto".
+* IDNA2008 is now supported when linking with `libidn2`.
+
+In addition, workarounds that were formerly in place to enable resolution
+of domains whose authoritative servers did not respond to EDNS queries
+have been removed. See [https://dnsflagday.net](https://dnsflagday.net)
+for more details.
+
+Cryptographic support has been modernized. BIND now uses the
+best available pseudo-random number generator for the platform on which
+it's built. Very old versions of OpenSSL are no longer supported.
+Cryptography is now mandatory: building BIND without DNSSEC is now
+longer supported.
+
+Special code to support certain legacy operating systems has also
+been removed; see the file [PLATFORMS.md](PLATFORMS.md) for details
+of supported platforms. In addition to OpenSSL, BIND now requires
+support for IPv6, threads, and standard atomic operations provided
+by the C compiler.
 
 ### <a name="build"/> Building BIND
 
 Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
-basic POSIX support, and a 64-bit integer type.  BIND also requires the
-`libuv` asynchronous I/O library, and a cryptography provider library
-such as OpenSSL or a hardware service module supporting PKCS#11. On
-Linux, BIND requires the `libcap` library to set process privileges,
-though this requirement can be overridden by disabling capability
-support at compile time. See [Compile-time options](#opts) below
-for details on other libraries that may be required to support
-optional features.
+basic POSIX support, and a 64-bit integer type. Successful builds have been
+observed on many versions of Linux and UNIX, including RedHat, Fedora,
+Debian, Ubuntu, SuSE, Slackware, FreeBSD, NetBSD, OpenBSD, Mac OS X,
+Solaris, HP-UX, and OpenWRT.
 
-Successful builds have been observed on many versions of Linux and
-UNIX, including RHEL/CentOS, Fedora, Debian, Ubuntu, SLES, openSUSE,
-Slackware, Alpine, FreeBSD, NetBSD, OpenBSD, macOS, Solaris,
-OpenIndiana, OmniOS CE, HP-UX, and OpenWRT.
+BIND requires a cryptography provider library such as OpenSSL or a
+hardware service module supporting PKCS#11. On Linux, BIND requires
+the `libcap` library to set process privileges, though this requirement
+can be overridden by disabling capability support at compile time.
+See [Compile-time options](#opts) below for details on other libraries
+that may be required to support optional features.
 
-BIND is also available for Windows Server 2012 R2 and higher.  See
-`win32utils/build.txt` for details on building for Windows
+BIND is also available for Windows 2008 and higher.  See
+`win32utils/readme1st.txt` for details on building for Windows
 systems.
 
 To build on a UNIX or Linux system, use:
@@ -176,34 +190,44 @@ affect compilation:
 |`STD_CDEFINES`|Any additional preprocessor symbols you want defined.  Defaults to empty string. For a list of possible settings, see the file [OPTIONS](OPTIONS.md).|
 |`LDFLAGS`|Linker flags. Defaults to empty string.|
 |`BUILD_CC`|Needed when cross-compiling: the native C compiler to use when building for the target system.|
-|`BUILD_CFLAGS`|`CFLAGS` for the target system during cross-compiling.|
-|`BUILD_CPPFLAGS`|`CPPFLAGS` for the target system during cross-compiling.|
-|`BUILD_LDFLAGS`|`LDFLAGS` for the target system during cross-compiling.|
-|`BUILD_LIBS`|`LIBS` for the target system during cross-compiling.|
+|`BUILD_CFLAGS`|Optional, used for cross-compiling|
+|`BUILD_CPPFLAGS`||
+|`BUILD_LDFLAGS`||
+|`BUILD_LIBS`||
 
 #### <a name="macos"> macOS
 
 Building on macOS assumes that the "Command Tools for Xcode" is installed.
-This can be downloaded from [https://developer.apple.com/download/more/](https://developer.apple.com/download/more/)
-or if you have Xcode already installed you can run `xcode-select --install`.
+This can be downloaded from https://developer.apple.com/download/more/
+or if you have Xcode already installed you can run "xcode-select --install".
+This will add /usr/include to the system and install the compiler and other
+tools so that they can be easily found.
 
-### <a name="dependencies"/> Dependencies
-
-Portions of BIND that are written in Python, including
-`dnssec-keymgr`, `dnssec-coverage`, `dnssec-checkds`, and some of the
-system tests, require the `argparse`, `ply` and `distutils.core` modules
-to be available.
-`argparse` is a standard module as of Python 2.7 and Python 3.2.
-`ply` is available from [https://pypi.python.org/pypi/ply](https://pypi.python.org/pypi/ply).
-`distutils.core` is required for installation.
 
 #### <a name="opts"/> Compile-time options
 
 To see a full list of configuration options, run `configure --help`.
 
+On most platforms, BIND 9 is built with multithreading support, allowing it
+to take advantage of multiple CPUs.  You can configure this by specifying
+`--enable-threads` or `--disable-threads` on the `configure` command line.
+The default is to enable threads, except on some older operating systems on
+which threads are known to have had problems in the past.  (Note: Prior to
+BIND 9.10, the default was to disable threads on Linux systems; this has
+now been reversed.  On Linux systems, the threaded build is known to change
+BIND's behavior with respect to file permissions; it may be necessary to
+specify a user with the -u option when running `named`.)
+
 To build shared libraries, specify `--with-libtool` on the `configure`
 command line.
 
+Certain compiled-in constants and default settings can be increased to
+values better suited to large servers with abundant memory resources (e.g,
+64-bit servers with 12G or more of memory) by specifying
+`--with-tuning=large` on the `configure` command line. This can improve
+performance on big servers, but will consume more memory and may degrade
+performance on smaller systems.
+
 For the server to support DNSSEC, you need to build it with crypto support.
 To use OpenSSL, you should have OpenSSL 1.0.2e or newer installed.  If the
 OpenSSL library is installed in a nonstandard location, specify the prefix
@@ -213,46 +237,42 @@ path to the PKCS#11 provider library using `--with-pkcs11=<PREFIX>`, and
 configure BIND with `--enable-native-pkcs11`.
 
 To support the HTTP statistics channel, the server must be linked with at
-least one of the following libraries: `libxml2`
-[http://xmlsoft.org](http://xmlsoft.org) or `json-c`
-[https://github.com/json-c/json-c](https://github.com/json-c/json-c).
-If these are installed at a nonstandard location, then:
-
-* for `libxml2`, specify the prefix using `--with-libxml2=/prefix`,
-* for `json-c`, adjust `PKG_CONFIG_PATH`.
+least one of the following: libxml2
+[http://xmlsoft.org](http://xmlsoft.org) or json-c
+[https://github.com/json-c](https://github.com/json-c).  If these are
+installed at a nonstandard location, specify the prefix using
+`--with-libxml2=/prefix` or `--with-libjson=/prefix`.
 
 To support compression on the HTTP statistics channel, the server must be
-linked against `libzlib`.  If this is installed in a nonstandard location,
+linked against libzlib.  If this is installed in a nonstandard location,
 specify the prefix using `--with-zlib=/prefix`.
 
 To support storing configuration data for runtime-added zones in an LMDB
 database, the server must be linked with liblmdb. If this is installed in a
 nonstandard location, specify the prefix using `with-lmdb=/prefix`.
 
-To support MaxMind GeoIP2 location-based ACLs, the server must be linked
-with `libmaxminddb`. This is turned on by default if the library is
-found; if the library is installed in a nonstandard location,
-specify the prefix using `--with-maxminddb=/prefix`. GeoIP2 support
-can be switched off with `--disable-geoip`.
+To support GeoIP location-based ACLs, the server must be linked with
+libGeoIP. This is not turned on by default; BIND must be configured with
+`--with-geoip`. If the library is installed in a nonstandard location,
+specify the prefix using `--with-geoip=/prefix`.
 
-For DNSTAP packet logging, you must have installed `libfstrm`
+For DNSTAP packet logging, you must have installed libfstrm
 [https://github.com/farsightsec/fstrm](https://github.com/farsightsec/fstrm)
-and `libprotobuf-c`
+and libprotobuf-c
 [https://developers.google.com/protocol-buffers](https://developers.google.com/protocol-buffers),
 and BIND must be configured with `--enable-dnstap`.
 
-Certain compiled-in constants and default settings can be increased to
-values better suited to large servers with abundant memory resources (e.g,
-64-bit servers with 12G or more of memory) by specifying
-`--with-tuning=large` on the `configure` command line. This can improve
-performance on big servers, but will consume more memory and may degrade
-performance on smaller systems.
-
 On Linux, process capabilities are managed in user space using
 the `libcap` library, which can be installed on most Linux systems via
-the `libcap-dev` or `libcap-devel` package. Process capability support can
+the `libcap-dev` or `libcap-devel` module. Process capability support can
 also be disabled by configuring with `--disable-linux-caps`.
 
+Portions of BIND that are written in Python, including
+`dnssec-keymgr`, `dnssec-coverage`, `dnssec-checkds`, and some of the
+system tests, require the 'argparse' and 'ply' modules to be available.
+'argparse' is a standard module as of Python 2.7 and Python 3.2.
+'ply' is available from [https://pypi.python.org/pypi/ply](https://pypi.python.org/pypi/ply).
+
 On some platforms it is necessary to explicitly request large file support
 to handle files bigger than 2GB.  This can be done by using
 `--enable-largefile` on the `configure` command line.
@@ -262,18 +282,17 @@ specifying `--enable-fixed-rrset` or `--disable-fixed-rrset` on the
 configure command line.  By default, fixed rrset-order is disabled to
 reduce memory footprint.
 
-The `--enable-querytrace` option causes `named` to log every step of
-processing every query. This should only be enabled when debugging, because
-it has a significant negative impact on query performance.
-
 `make install` will install `named` and the various BIND 9 libraries.  By
 default, installation is into /usr/local, but this can be changed with the
 `--prefix` option when running `configure`.
 
 You may specify the option `--sysconfdir` to set the directory where
 configuration files like `named.conf` go by default, and `--localstatedir`
-to set the default parent directory of `run/named.pid`.   `--sysconfdir`
-defaults to `$prefix/etc` and `--localstatedir` defaults to `$prefix/var`.
+to set the default parent directory of `run/named.pid`.   For backwards
+compatibility with BIND 8, `--sysconfdir` defaults to `/etc` and
+`--localstatedir` defaults to `/var` if no `--prefix` option is given.  If
+there is a `--prefix` option, sysconfdir defaults to `$prefix/etc` and
+localstatedir defaults to `$prefix/var`.
 
 ### <a name="testing"/> Automated testing
 
@@ -283,21 +302,19 @@ multiple servers to run locally and communicate with one another).  These
 IP addresses can be configured by running the command
 `bin/tests/system/ifconfig.sh up` as root.
 
-Some tests require Perl and the `Net::DNS` and/or `IO::Socket::INET6` modules,
+Some tests require Perl and the Net::DNS and/or IO::Socket::INET6 modules,
 and will be skipped if these are not available. Some tests require Python
-and the `dnspython` module and will be skipped if these are not available.
+and the 'dnspython' module and will be skipped if these are not available.
 See bin/tests/system/README for further details.
 
-Unit tests are implemented using the [CMocka unit testing framework](https://cmocka.org/).
-To build them, use `configure --with-cmocka`. Execution of tests is done
-by the [Kyua test execution engine](https://github.com/jmmv/kyua); if the
-`kyua` command is available, then unit tests can be run via `make test`
-or `make unit`.
+Unit tests are implemented using Automated Testing Framework (ATF).
+To run them, use `configure --with-atf`, then run `make test` or
+`make unit`.
 
 ### <a name="doc"/> Documentation
 
 The *BIND 9 Administrator Reference Manual* is included with the source
-distribution, in DocBook XML, HTML, and PDF format, in the `doc/arm`
+distribution, in DocBook XML, HTML and PDF format, in the `doc/arm`
 directory.
 
 Some of the programs in the BIND 9 distribution have man pages in their
@@ -340,25 +357,6 @@ releases (i.e., those with version numbers ending in zero).  Some new
 functionality may be backported to older releases on a case-by-case basis.
 All other change types may be applied to all currently-supported releases.
 
-#### Bug report identifiers
-
-Most notes in the CHANGES file include a reference to a bug report or
-issue number. Prior to 2018, these were usually of the form `[RT #NNN]`
-and referred to entries in the "bind9-bugs" RT database, which was not open
-to the public. More recent entries use the form `[GL #NNN]` or, less often,
-`[GL !NNN]`, which, respectively, refer to issues or merge requests in the
-GitLab database. Most of these are publicly readable, unless they include
-information which is confidential or security sensitive.
-
-To look up a GitLab issue by its number, use the URL
-[https://gitlab.isc.org/isc-projects/bind9/issues/NNN](https://gitlab.isc.org/isc-projects/bind9/issues).
-To look up a merge request, use
-[https://gitlab.isc.org/isc-projects/bind9/merge_requests/NNN](https://gitlab.isc.org/isc-projects/bind9/merge_requests).
-
-In rare cases, an issue or merge request number may be followed with the
-letter "P". This indicates that the information is in the private ISC
-GitLab instance, which is not visible to the public.
-
 ### <a name="ack"/> Acknowledgments
 
 * The original development of BIND 9 was underwritten by the

aclocal.m4

@@ -288,98 +288,8 @@ AS_VAR_COPY([$1], [pkg_cv_][$1])
 AS_VAR_IF([$1], [""], [$5], [$4])dnl
 ])dnl PKG_CHECK_VAR
 
-# AM_CONDITIONAL                                            -*- Autoconf -*-
-
-# Copyright (C) 1997-2018 Free Software Foundation, Inc.
-#
-# This file is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# AM_CONDITIONAL(NAME, SHELL-CONDITION)
-# -------------------------------------
-# Define a conditional.
-AC_DEFUN([AM_CONDITIONAL],
-[AC_PREREQ([2.52])dnl
- m4_if([$1], [TRUE],  [AC_FATAL([$0: invalid condition: $1])],
-       [$1], [FALSE], [AC_FATAL([$0: invalid condition: $1])])dnl
-AC_SUBST([$1_TRUE])dnl
-AC_SUBST([$1_FALSE])dnl
-_AM_SUBST_NOTMAKE([$1_TRUE])dnl
-_AM_SUBST_NOTMAKE([$1_FALSE])dnl
-m4_define([_AM_COND_VALUE_$1], [$2])dnl
-if $2; then
-  $1_TRUE=
-  $1_FALSE='#'
-else
-  $1_TRUE='#'
-  $1_FALSE=
-fi
-AC_CONFIG_COMMANDS_PRE(
-[if test -z "${$1_TRUE}" && test -z "${$1_FALSE}"; then
-  AC_MSG_ERROR([[conditional "$1" was never defined.
-Usually this means the macro was only invoked conditionally.]])
-fi])])
-
-# Add --enable-maintainer-mode option to configure.         -*- Autoconf -*-
-# From Jim Meyering
-
-# Copyright (C) 1996-2018 Free Software Foundation, Inc.
-#
-# This file is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# AM_MAINTAINER_MODE([DEFAULT-MODE])
-# ----------------------------------
-# Control maintainer-specific portions of Makefiles.
-# Default is to disable them, unless 'enable' is passed literally.
-# For symmetry, 'disable' may be passed as well.  Anyway, the user
-# can override the default with the --enable/--disable switch.
-AC_DEFUN([AM_MAINTAINER_MODE],
-[m4_case(m4_default([$1], [disable]),
-       [enable], [m4_define([am_maintainer_other], [disable])],
-       [disable], [m4_define([am_maintainer_other], [enable])],
-       [m4_define([am_maintainer_other], [enable])
-        m4_warn([syntax], [unexpected argument to AM@&t@_MAINTAINER_MODE: $1])])
-AC_MSG_CHECKING([whether to enable maintainer-specific portions of Makefiles])
-  dnl maintainer-mode's default is 'disable' unless 'enable' is passed
-  AC_ARG_ENABLE([maintainer-mode],
-    [AS_HELP_STRING([--]am_maintainer_other[-maintainer-mode],
-      am_maintainer_other[ make rules and dependencies not useful
-      (and sometimes confusing) to the casual installer])],
-    [USE_MAINTAINER_MODE=$enableval],
-    [USE_MAINTAINER_MODE=]m4_if(am_maintainer_other, [enable], [no], [yes]))
-  AC_MSG_RESULT([$USE_MAINTAINER_MODE])
-  AM_CONDITIONAL([MAINTAINER_MODE], [test $USE_MAINTAINER_MODE = yes])
-  MAINT=$MAINTAINER_MODE_TRUE
-  AC_SUBST([MAINT])dnl
-]
-)
-
-# Copyright (C) 2006-2018 Free Software Foundation, Inc.
-#
-# This file is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# _AM_SUBST_NOTMAKE(VARIABLE)
-# ---------------------------
-# Prevent Automake from outputting VARIABLE = @VARIABLE@ in Makefile.in.
-# This macro is traced by Automake.
-AC_DEFUN([_AM_SUBST_NOTMAKE])
-
-# AM_SUBST_NOTMAKE(VARIABLE)
-# --------------------------
-# Public sister of _AM_SUBST_NOTMAKE.
-AC_DEFUN([AM_SUBST_NOTMAKE], [_AM_SUBST_NOTMAKE($@)])
-
-m4_include([m4/ax_check_compile_flag.m4])
 m4_include([m4/ax_check_openssl.m4])
-m4_include([m4/ax_posix_shell.m4])
 m4_include([m4/ax_pthread.m4])
-m4_include([m4/ax_restore_flags.m4])
-m4_include([m4/ax_save_flags.m4])
 m4_include([m4/libtool.m4])
 m4_include([m4/ltoptions.m4])
 m4_include([m4/ltsugar.m4])

bin/Makefile.in

@@ -12,7 +12,7 @@ VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
 
 SUBDIRS =	named rndc dig delv dnssec tools nsupdate check confgen \
-		@NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ plugins tests
+		@NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ tests
 TARGETS =
 
 @BIND9_MAKE_RULES@

bin/check/Makefile.in

@@ -16,16 +16,15 @@ VERSION=@BIND9_VERSION@
 @BIND9_MAKE_INCLUDES@
 
 CINCLUDES =	${NS_INCLUDES} ${BIND9_INCLUDES} ${DNS_INCLUDES} ${ISCCFG_INCLUDES} \
-		${ISC_INCLUDES} \
-		${OPENSSL_CFLAGS}
+		${ISC_INCLUDES} @OPENSSL_INCLUDES@
 
 CDEFINES = 	-DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
 CWARNINGS =
 
-DNSLIBS =	../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
+DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
 ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
-ISCLIBS =	../../lib/isc/libisc.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS}
-ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS}
+ISCLIBS =	../../lib/isc/libisc.@A@ @OPENSSL_LIBS@
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LIBS@
 BIND9LIBS =	../../lib/bind9/libbind9.@A@
 NSLIBS =	../../lib/ns/libns.@A@
 
@@ -67,7 +66,7 @@ named-checkzone.@O@: named-checkzone.c
 named-checkconf@EXEEXT@: named-checkconf.@O@ check-tool.@O@ ${ISCDEPLIBS} \
 		${NSDEPENDLIBS} ${DNSDEPLIBS} ${ISCCFGDEPLIBS} ${BIND9DEPLIBS}
 	export BASEOBJS="named-checkconf.@O@ check-tool.@O@"; \
-	export LIBS0="${BIND9LIBS} ${NSLIBS} ${ISCCFGLIBS} ${DNSLIBS}"; \
+	export LIBS0="${NSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} ${DNSLIBS}"; \
 	${FINALBUILDCMD}
 
 named-checkzone@EXEEXT@: named-checkzone.@O@ check-tool.@O@ ${ISCDEPLIBS} \

bin/check/check-tool.c

@@ -12,6 +12,8 @@
 
 /*! \file */
 
+#include <config.h>
+
 #include <stdbool.h>
 #include <stdio.h>
 #include <inttypes.h>
@@ -127,7 +129,9 @@ add(char *key, int value) {
 	isc_symvalue_t symvalue;
 
 	if (sym_mctx == NULL) {
-		isc_mem_create(&sym_mctx);
+		result = isc_mem_create(0, 0, &sym_mctx);
+		if (result != ISC_R_SUCCESS)
+			return;
 	}
 
 	if (symtab == NULL) {
@@ -138,6 +142,8 @@ add(char *key, int value) {
 	}
 
 	key = isc_mem_strdup(sym_mctx, key);
+	if (key == NULL)
+		return;
 
 	symvalue.as_pointer = NULL;
 	result = isc_symtab_define(symtab, key, value, symvalue,
@@ -662,7 +668,7 @@ load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
 	origin = dns_fixedname_initname(&fixorigin);
 	CHECK(dns_name_fromtext(origin, &buffer, dns_rootname, 0, NULL));
 	CHECK(dns_zone_setorigin(zone, origin));
-	dns_zone_setdbtype(zone, 1, (const char * const *) dbtype);
+	CHECK(dns_zone_setdbtype(zone, 1, (const char * const *) dbtype));
 	CHECK(dns_zone_setfile(zone, filename, fileformat,
 			       &dns_master_style_default));
 	if (journal != NULL)
@@ -716,7 +722,7 @@ dump_zone(const char *zonename, dns_zone_t *zone, const char *filename,
 	FILE *output = stdout;
 	const char *flags;
 
-	flags = (fileformat == dns_masterformat_text) ? "w" : "wb";
+	flags = (fileformat == dns_masterformat_text) ? "w+" : "wb+";
 
 	if (debug) {
 		if (filename != NULL && strcmp(filename, "-") != 0)

bin/check/named-checkconf.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -39,7 +39,7 @@
 named-checkconf \- named configuration file syntax checking tool
 .SH "SYNOPSIS"
 .HP \w'\fBnamed\-checkconf\fR\ 'u
-\fBnamed\-checkconf\fR [\fB\-chjlvz\fR] [\fB\-p\fR\ [\fB\-x\fR\ ]] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] {filename}
+\fBnamed\-checkconf\fR [\fB\-hjlvz\fR] [\fB\-p\fR\ [\fB\-x\fR\ ]] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] {filename}
 .SH "DESCRIPTION"
 .PP
 \fBnamed\-checkconf\fR
@@ -79,18 +79,6 @@ When loading a zonefile read the journal if it exists\&.
 List all the configured zones\&. Each line of output contains the zone name, class (e\&.g\&. IN), view, and type (e\&.g\&. master or slave)\&.
 .RE
 .PP
-\-c
-.RS 4
-Check "core" configuration only\&. This suppresses the loading of plugin modules, and causes all parameters to
-\fBplugin\fR
-statements to be ignored\&.
-.RE
-.PP
-\-i
-.RS 4
-Ignore warnings on deprecated options\&.
-.RE
-.PP
 \-p
 .RS 4
 Print out the
@@ -148,5 +136,5 @@ BIND 9 Administrator Reference Manual\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/check/named-checkconf.c

@@ -12,6 +12,8 @@
 
 /*! \file */
 
+#include <config.h>
+
 #include <errno.h>
 #include <stdbool.h>
 #include <stdlib.h>
@@ -28,7 +30,6 @@
 #include <isc/util.h>
 
 #include <isccfg/namedconf.h>
-#include <isccfg/grammar.h>
 
 #include <bind9/check.h>
 
@@ -45,8 +46,6 @@
 
 static const char *program = "named-checkconf";
 
-static bool loadplugins = true;
-
 isc_log_t *logc = NULL;
 
 #define CHECK(r)\
@@ -62,7 +61,7 @@ usage(void) ISC_PLATFORM_NORETURN_POST;
 
 static void
 usage(void) {
-	fprintf(stderr, "usage: %s [-chijlvz] [-p [-x]] [-t directory] "
+	fprintf(stderr, "usage: %s [-hjlvz] [-p [-x]] [-t directory] "
 		"[named.conf]\n", program);
 	exit(1);
 }
@@ -283,10 +282,8 @@ configure_zone(const char *vclass, const char *view,
 		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
 			zone_options &= ~DNS_ZONEOPT_CHECKDUPRR;
 			zone_options &= ~DNS_ZONEOPT_CHECKDUPRRFAIL;
-		} else {
+		} else
 			INSIST(0);
-			ISC_UNREACHABLE();
-		}
 	} else {
 		zone_options |= DNS_ZONEOPT_CHECKDUPRR;
 		zone_options &= ~DNS_ZONEOPT_CHECKDUPRRFAIL;
@@ -303,10 +300,8 @@ configure_zone(const char *vclass, const char *view,
 		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
 			zone_options &= ~DNS_ZONEOPT_CHECKMX;
 			zone_options &= ~DNS_ZONEOPT_CHECKMXFAIL;
-		} else {
+		} else
 			INSIST(0);
-			ISC_UNREACHABLE();
-		}
 	} else {
 		zone_options |= DNS_ZONEOPT_CHECKMX;
 		zone_options &= ~DNS_ZONEOPT_CHECKMXFAIL;
@@ -332,10 +327,8 @@ configure_zone(const char *vclass, const char *view,
 		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
 			zone_options |= DNS_ZONEOPT_WARNMXCNAME;
 			zone_options |= DNS_ZONEOPT_IGNOREMXCNAME;
-		} else {
+		} else
 			INSIST(0);
-			ISC_UNREACHABLE();
-		}
 	} else {
 		zone_options |= DNS_ZONEOPT_WARNMXCNAME;
 		zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME;
@@ -352,10 +345,8 @@ configure_zone(const char *vclass, const char *view,
 		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
 			zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
 			zone_options |= DNS_ZONEOPT_IGNORESRVCNAME;
-		} else {
+		} else
 			INSIST(0);
-			ISC_UNREACHABLE();
-		}
 	} else {
 		zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
 		zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME;
@@ -375,10 +366,8 @@ configure_zone(const char *vclass, const char *view,
 			zone_options |= DNS_ZONEOPT_CHECKSPF;
 		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
 			zone_options &= ~DNS_ZONEOPT_CHECKSPF;
-		} else {
+		} else
 			INSIST(0);
-			ISC_UNREACHABLE();
-		}
 	} else {
 		zone_options |= DNS_ZONEOPT_CHECKSPF;
 	}
@@ -394,10 +383,8 @@ configure_zone(const char *vclass, const char *view,
 		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
 			zone_options &= ~DNS_ZONEOPT_CHECKNAMES;
 			zone_options &= ~DNS_ZONEOPT_CHECKNAMESFAIL;
-		} else {
+		} else
 			INSIST(0);
-			ISC_UNREACHABLE();
-		}
 	} else {
 	       zone_options |= DNS_ZONEOPT_CHECKNAMES;
 	       zone_options |= DNS_ZONEOPT_CHECKNAMESFAIL;
@@ -407,21 +394,19 @@ configure_zone(const char *vclass, const char *view,
 	fmtobj = NULL;
 	if (get_maps(maps, "masterfile-format", &fmtobj)) {
 		const char *masterformatstr = cfg_obj_asstring(fmtobj);
-		if (strcasecmp(masterformatstr, "text") == 0) {
+		if (strcasecmp(masterformatstr, "text") == 0)
 			masterformat = dns_masterformat_text;
-		} else if (strcasecmp(masterformatstr, "raw") == 0) {
+		else if (strcasecmp(masterformatstr, "raw") == 0)
 			masterformat = dns_masterformat_raw;
-		} else if (strcasecmp(masterformatstr, "map") == 0) {
+		else if (strcasecmp(masterformatstr, "map") == 0)
 			masterformat = dns_masterformat_map;
-		} else {
+		else
 			INSIST(0);
-			ISC_UNREACHABLE();
-		}
 	}
 
 	obj = NULL;
 	if (get_maps(maps, "max-zone-ttl", &obj)) {
-		maxttl = cfg_obj_asduration(obj);
+		maxttl = cfg_obj_asuint32(obj);
 		zone_options |= DNS_ZONEOPT_CHECKTTL;
 	}
 
@@ -556,7 +541,6 @@ main(int argc, char **argv) {
 	bool load_zones = false;
 	bool list_zones = false;
 	bool print = false;
-	bool nodeprecate = false;
 	unsigned int flags = 0;
 
 	isc_commandline_errprint = false;
@@ -564,7 +548,7 @@ main(int argc, char **argv) {
 	/*
 	 * Process memory debugging argument first.
 	 */
-#define CMDLINE_FLAGS "cdhijlm:t:pvxz"
+#define CMDLINE_FLAGS "dhjlm:t:pvxz"
 	while ((c = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
 		switch (c) {
 		case 'm':
@@ -585,22 +569,14 @@ main(int argc, char **argv) {
 	}
 	isc_commandline_reset = true;
 
-	isc_mem_create(&mctx);
+	RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
 
 	while ((c = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != EOF) {
 		switch (c) {
-		case 'c':
-			loadplugins = false;
-			break;
-
 		case 'd':
 			debug++;
 			break;
 
-		case 'i':
-			nodeprecate = true;
-			break;
-
 		case 'j':
 			nomerge = false;
 			break;
@@ -681,21 +657,15 @@ main(int argc, char **argv) {
 
 	RUNTIME_CHECK(cfg_parser_create(mctx, logc, &parser) == ISC_R_SUCCESS);
 
-	if (nodeprecate) {
-		cfg_parser_setflags(parser, CFG_PCTX_NODEPRECATED, true);
-	}
 	cfg_parser_setcallback(parser, directory_callback, NULL);
 
 	if (cfg_parse_file(parser, conffile, &cfg_type_namedconf, &config) !=
 	    ISC_R_SUCCESS)
-	{
 		exit(1);
-	}
 
-	result = bind9_check_namedconf(config, loadplugins, logc, mctx);
-	if (result != ISC_R_SUCCESS) {
+	result = bind9_check_namedconf(config, logc, mctx);
+	if (result != ISC_R_SUCCESS)
 		exit_status = 1;
-	}
 
 	if (result == ISC_R_SUCCESS && (load_zones || list_zones)) {
 		result = load_zones_fromconfig(config, mctx, list_zones);
@@ -709,6 +679,8 @@ main(int argc, char **argv) {
 
 	cfg_parser_destroy(&parser);
 
+	dns_name_destroy();
+
 	isc_log_destroy(&logc);
 
 	isc_mem_destroy(&mctx);

bin/check/named-checkconf.docbook

@@ -40,8 +40,6 @@
       <year>2015</year>
       <year>2016</year>
       <year>2018</year>
-      <year>2019</year>
-      <year>2020</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
@@ -54,7 +52,7 @@
   <refsynopsisdiv>
     <cmdsynopsis sepchar=" ">
       <command>named-checkconf</command>
-      <arg choice="opt" rep="norepeat"><option>-chjlvz</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-hjlvz</option></arg>
       <arg choice="opt" rep="norepeat"><option>-p</option>
 	<arg choice="opt" rep="norepeat"><option>-x</option>
       </arg></arg>
@@ -116,26 +114,6 @@
         </listitem>
       </varlistentry>
 
-      <varlistentry>
-        <term>-c</term>
-        <listitem>
-          <para>
-	    Check "core" configuration only. This suppresses the loading
-	    of plugin modules, and causes all parameters to
-	    <command>plugin</command> statements to be ignored.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-i</term>
-        <listitem>
-          <para>
-	    Ignore warnings on deprecated options.
-          </para>
-        </listitem>
-      </varlistentry>
-
       <varlistentry>
         <term>-p</term>
         <listitem>

bin/check/named-checkconf.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -33,7 +33,7 @@
 <h2>Synopsis</h2>
     <div class="cmdsynopsis"><p>
       <code class="command">named-checkconf</code> 
-       [<code class="option">-chjlvz</code>]
+       [<code class="option">-hjlvz</code>]
        [<code class="option">-p</code>
 	 [<code class="option">-x</code>
       ]]
@@ -88,20 +88,6 @@
             (e.g. master or slave).
           </p>
         </dd>
-<dt><span class="term">-c</span></dt>
-<dd>
-          <p>
-	    Check "core" configuration only. This suppresses the loading
-	    of plugin modules, and causes all parameters to
-	    <span class="command"><strong>plugin</strong></span> statements to be ignored.
-          </p>
-        </dd>
-<dt><span class="term">-i</span></dt>
-<dd>
-          <p>
-	    Ignore warnings on deprecated options.
-          </p>
-        </dd>
 <dt><span class="term">-p</span></dt>
 <dd>
           <p>

bin/check/named-checkzone.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2000-2002, 2004-2007, 2009-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2002, 2004-2007, 2009-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -325,5 +325,5 @@ BIND 9 Administrator Reference Manual\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2000-2002, 2004-2007, 2009-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000-2002, 2004-2007, 2009-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/check/named-checkzone.c

@@ -12,6 +12,8 @@
 
 /*! \file */
 
+#include <config.h>
+
 #include <stdbool.h>
 #include <stdlib.h>
 #include <inttypes.h>
@@ -85,9 +87,9 @@ usage(void) {
 
 static void
 destroy(void) {
-	if (zone != NULL) {
+	if (zone != NULL)
 		dns_zone_detach(&zone);
-	}
+	dns_name_destroy();
 }
 
 /*% main processing routine */
@@ -137,14 +139,12 @@ main(int argc, char **argv) {
 #define PROGCMP(X) \
 	(strcasecmp(prog_name, X) == 0 || strcasecmp(prog_name, X ".exe") == 0)
 
-	if (PROGCMP("named-checkzone")) {
+	if (PROGCMP("named-checkzone"))
 		progmode = progmode_check;
-	} else if (PROGCMP("named-compilezone")) {
+	else if (PROGCMP("named-compilezone"))
 		progmode = progmode_compile;
-	} else {
+	else
 		INSIST(0);
-		ISC_UNREACHABLE();
-	}
 
 	/* Compilation specific defaults */
 	if (progmode == progmode_compile) {
@@ -517,7 +517,7 @@ main(int argc, char **argv) {
 	InitSockets();
 #endif
 
-	isc_mem_create(&mctx);
+	RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
 	if (!quiet)
 		RUNTIME_CHECK(setup_logging(mctx, errout, &lctx)
 			      == ISC_R_SUCCESS);

bin/check/named-checkzone.docbook

@@ -43,8 +43,6 @@
       <year>2015</year>
       <year>2016</year>
       <year>2018</year>
-      <year>2019</year>
-      <year>2020</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>

bin/check/named-checkzone.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2002, 2004-2007, 2009-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2002, 2004-2007, 2009-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this

bin/check/win32/checkconf.vcxproj.in

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup Label="ProjectConfigurations">
     <ProjectConfiguration Include="Debug|@PLATFORM@">
       <Configuration>Debug</Configuration>
@@ -14,21 +14,18 @@
     <ProjectGuid>{03A96113-CB14-43AA-AEB2-48950E3915C5}</ProjectGuid>
     <Keyword>Win32Proj</Keyword>
     <RootNamespace>checkconf</RootNamespace>
-    @WINDOWS_TARGET_PLATFORM_VERSION@
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>true</UseDebugLibraries>
     <CharacterSet>MultiByte</CharacterSet>
-    @PLATFORM_TOOLSET@
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>false</UseDebugLibraries>
     <WholeProgramOptimization>true</WholeProgramOptimization>
     <CharacterSet>MultiByte</CharacterSet>
-    @PLATFORM_TOOLSET@
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
   <ImportGroup Label="ExtensionSettings">
@@ -65,7 +62,6 @@
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <BrowseInformation>true</BrowseInformation>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
@@ -93,7 +89,6 @@
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>

bin/check/win32/checkconf.vcxproj.user

@@ -1,3 +1,3 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 </Project>

bin/check/win32/checktool.vcxproj.in

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup Label="ProjectConfigurations">
     <ProjectConfiguration Include="Debug|@PLATFORM@">
       <Configuration>Debug</Configuration>
@@ -17,21 +17,18 @@
     <ProjectGuid>{2C1F7096-C5B5-48D4-846F-A7ACA454335D}</ProjectGuid>
     <Keyword>Win32Proj</Keyword>
     <RootNamespace>checktool</RootNamespace>
-    @WINDOWS_TARGET_PLATFORM_VERSION@
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
     <ConfigurationType>StaticLibrary</ConfigurationType>
     <UseDebugLibraries>true</UseDebugLibraries>
     <CharacterSet>MultiByte</CharacterSet>
-    @PLATFORM_TOOLSET@
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
     <ConfigurationType>StaticLibrary</ConfigurationType>
     <UseDebugLibraries>false</UseDebugLibraries>
     <WholeProgramOptimization>true</WholeProgramOptimization>
     <CharacterSet>MultiByte</CharacterSet>
-    @PLATFORM_TOOLSET@
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
   <ImportGroup Label="ExtensionSettings">
@@ -68,7 +65,6 @@
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <BrowseInformation>true</BrowseInformation>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;..\..\..\lib\ns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
@@ -92,7 +88,6 @@
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;..\..\..\lib\ns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>

bin/check/win32/checktool.vcxproj.user

@@ -1,3 +1,3 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 </Project>

bin/check/win32/checkzone.vcxproj.in

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup Label="ProjectConfigurations">
     <ProjectConfiguration Include="Debug|@PLATFORM@">
       <Configuration>Debug</Configuration>
@@ -14,21 +14,18 @@
     <ProjectGuid>{66028555-7DD5-4016-B601-9EF9A1EE8BFA}</ProjectGuid>
     <Keyword>Win32Proj</Keyword>
     <RootNamespace>checkzone</RootNamespace>
-    @WINDOWS_TARGET_PLATFORM_VERSION@
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>true</UseDebugLibraries>
     <CharacterSet>MultiByte</CharacterSet>
-    @PLATFORM_TOOLSET@
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>false</UseDebugLibraries>
     <WholeProgramOptimization>true</WholeProgramOptimization>
     <CharacterSet>MultiByte</CharacterSet>
-    @PLATFORM_TOOLSET@
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
   <ImportGroup Label="ExtensionSettings">
@@ -65,16 +62,15 @@
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <BrowseInformation>true</BrowseInformation>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
-      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
     <Link>
       <SubSystem>Console</SubSystem>
       <GenerateDebugInformation>true</GenerateDebugInformation>
       <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
-      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\ns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
-      <AdditionalDependencies>@OPENSSL_LIB@checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);..\..\..\lib\ns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIB@checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libbind9.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
     </Link>
     <PostBuildEvent>
       <Command>cd ..\..\..\Build\$(Configuration)
@@ -99,8 +95,7 @@ copy /Y named-checkzone.ilk named-compilezone.ilk
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
-      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
     <Link>
@@ -109,8 +104,8 @@ copy /Y named-checkzone.ilk named-compilezone.ilk
       <EnableCOMDATFolding>true</EnableCOMDATFolding>
       <OptimizeReferences>true</OptimizeReferences>
       <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
-      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\ns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
-      <AdditionalDependencies>@OPENSSL_LIB@checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);..\..\..\lib\ns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIB@checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libbind9.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
       <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
     </Link>
     <PostBuildEvent>

bin/check/win32/checkzone.vcxproj.user

@@ -1,3 +1,3 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 </Project>

bin/confgen/Makefile.in

@@ -27,9 +27,9 @@ CWARNINGS =
 
 ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
 ISCCCLIBS =	../../lib/isccc/libisccc.@A@
-ISCLIBS =	../../lib/isc/libisc.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS}
-ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS}
-DNSLIBS =	../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
+ISCLIBS =	../../lib/isc/libisc.@A@ @OPENSSL_LIBS@
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LIBS@
+DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
 BIND9LIBS =	../../lib/bind9/libbind9.@A@
 
 ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@

bin/confgen/ddns-confgen.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -144,5 +144,5 @@ BIND 9 Administrator Reference Manual\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/confgen/ddns-confgen.c

@@ -17,6 +17,8 @@
  * and the corresponding key and update-policy statements in named.conf.
  */
 
+#include <config.h>
+
 #include <stdarg.h>
 #include <stdbool.h>
 #include <stdlib.h>
@@ -123,12 +125,10 @@ main(int argc, char **argv) {
 	if (PROGCMP("tsig-keygen")) {
 		progmode = progmode_keygen;
 		quiet = true;
-	} else if (PROGCMP("ddns-confgen")) {
+	} else if (PROGCMP("ddns-confgen"))
 		progmode = progmode_confgen;
-	} else {
+	else
 		INSIST(0);
-		ISC_UNREACHABLE();
-	}
 
 	isc_commandline_errprint = false;
 
@@ -207,7 +207,7 @@ main(int argc, char **argv) {
 	/* Use canonical algorithm name */
 	algname = alg_totext(alg);
 
-	isc_mem_create(&mctx);
+	DO("create memory context", isc_mem_create(0, 0, &mctx));
 
 	if (keyname == NULL) {
 		const char *suffix = NULL;
@@ -222,6 +222,8 @@ main(int argc, char **argv) {
 		if (suffix != NULL) {
 			len = strlen(keyname) + strlen(suffix) + 2;
 			keybuf = isc_mem_get(mctx, len);
+			if (keybuf == NULL)
+				fatal("failed to allocate memory for keyname");
 			snprintf(keybuf, len, "%s.%s", keyname, suffix);
 			keyname = (const char *) keybuf;
 		}

bin/confgen/ddns-confgen.docbook

@@ -37,8 +37,6 @@
       <year>2015</year>
       <year>2016</year>
       <year>2018</year>
-      <year>2019</year>
-      <year>2020</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>

bin/confgen/ddns-confgen.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this

bin/confgen/keygen.c

@@ -12,6 +12,8 @@
 
 /*! \file */
 
+#include <config.h>
+
 #include <stdlib.h>
 #include <stdarg.h>
 

bin/confgen/rndc-confgen.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -206,5 +206,5 @@ BIND 9 Administrator Reference Manual\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2001, 2003-2005, 2007, 2009, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2001, 2003-2005, 2007, 2009, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/confgen/rndc-confgen.c

@@ -20,6 +20,8 @@
  * controls statement altogether.
  */
 
+#include <config.h>
+
 #include <stdarg.h>
 #include <stdbool.h>
 #include <stdlib.h>
@@ -209,7 +211,7 @@ main(int argc, char **argv) {
 		keysize = alg_bits(alg);
 	algname = alg_totext(alg);
 
-	isc_mem_create(&mctx);
+	DO("create memory context", isc_mem_create(0, 0, &mctx));
 	isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));
 
 	generate_key(mctx, alg, keysize, &key_txtbuffer);
@@ -222,6 +224,8 @@ main(int argc, char **argv) {
 			char *buf;
 			len = strlen(chrootdir) + strlen(keyfile) + 2;
 			buf = isc_mem_get(mctx, len);
+			if (buf == NULL)
+				fatal("isc_mem_get(%d) failed\n", len);
 			snprintf(buf, len, "%s%s%s", chrootdir,
 				 (*keyfile != '/') ? "/" : "", keyfile);
 

bin/confgen/rndc-confgen.docbook

@@ -44,8 +44,6 @@
       <year>2016</year>
       <year>2017</year>
       <year>2018</year>
-      <year>2019</year>
-      <year>2020</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>

bin/confgen/rndc-confgen.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this

bin/confgen/unix/os.c

@@ -12,6 +12,8 @@
 
 /*! \file */
 
+#include <config.h>
+
 #include <confgen/os.h>
 
 #include <fcntl.h>

bin/confgen/util.c

@@ -12,6 +12,8 @@
 
 /*! \file */
 
+#include <config.h>
+
 #include <stdarg.h>
 #include <stdbool.h>
 #include <stdlib.h>

bin/confgen/win32/confgentool.vcxproj.in

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup Label="ProjectConfigurations">
     <ProjectConfiguration Include="Debug|@PLATFORM@">
       <Configuration>Debug</Configuration>
@@ -14,21 +14,18 @@
     <ProjectGuid>{64964B03-4815-41F0-9057-E766A94AF197}</ProjectGuid>
     <Keyword>Win32Proj</Keyword>
     <RootNamespace>confgentool</RootNamespace>
-    @WINDOWS_TARGET_PLATFORM_VERSION@
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
     <ConfigurationType>StaticLibrary</ConfigurationType>
     <UseDebugLibraries>true</UseDebugLibraries>
     <CharacterSet>MultiByte</CharacterSet>
-    @PLATFORM_TOOLSET@
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
     <ConfigurationType>StaticLibrary</ConfigurationType>
     <UseDebugLibraries>false</UseDebugLibraries>
     <WholeProgramOptimization>true</WholeProgramOptimization>
     <CharacterSet>MultiByte</CharacterSet>
-    @PLATFORM_TOOLSET@
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
   <ImportGroup Label="ExtensionSettings">
@@ -63,7 +60,6 @@
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <BrowseInformation>true</BrowseInformation>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
@@ -88,7 +84,6 @@
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>

bin/confgen/win32/confgentool.vcxproj.user

@@ -1,3 +1,3 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 </Project>

bin/confgen/win32/ddnsconfgen.vcxproj.in

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup Label="ProjectConfigurations">
     <ProjectConfiguration Include="Debug|@PLATFORM@">
       <Configuration>Debug</Configuration>
@@ -14,21 +14,18 @@
     <ProjectGuid>{1EA4FC64-F33B-4A50-970A-EA052BBE9CF1}</ProjectGuid>
     <Keyword>Win32Proj</Keyword>
     <RootNamespace>ddnsconfgen</RootNamespace>
-    @WINDOWS_TARGET_PLATFORM_VERSION@
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>true</UseDebugLibraries>
     <CharacterSet>MultiByte</CharacterSet>
-    @PLATFORM_TOOLSET@
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>false</UseDebugLibraries>
     <WholeProgramOptimization>true</WholeProgramOptimization>
     <CharacterSet>MultiByte</CharacterSet>
-    @PLATFORM_TOOLSET@
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
   <ImportGroup Label="ExtensionSettings">
@@ -65,7 +62,6 @@
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <BrowseInformation>true</BrowseInformation>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\isccc\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
@@ -99,7 +95,6 @@ copy /Y ddns-confgen.ilk tsig-keygen.ilk
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\isccc\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>

bin/confgen/win32/ddnsconfgen.vcxproj.user

@@ -1,3 +1,3 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 </Project>

bin/confgen/win32/os.c

@@ -9,6 +9,9 @@
  * information regarding copyright ownership.
  */
 
+
+#include <config.h>
+
 #include <confgen/os.h>
 
 #include <fcntl.h>

bin/confgen/win32/rndcconfgen.vcxproj.in

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup Label="ProjectConfigurations">
     <ProjectConfiguration Include="Debug|@PLATFORM@">
       <Configuration>Debug</Configuration>
@@ -14,21 +14,18 @@
     <ProjectGuid>{1E2C1635-3093-4D59-80E7-4743AC10F22F}</ProjectGuid>
     <Keyword>Win32Proj</Keyword>
     <RootNamespace>rndcconfgen</RootNamespace>
-    @WINDOWS_TARGET_PLATFORM_VERSION@
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>true</UseDebugLibraries>
     <CharacterSet>MultiByte</CharacterSet>
-    @PLATFORM_TOOLSET@
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>false</UseDebugLibraries>
     <WholeProgramOptimization>true</WholeProgramOptimization>
     <CharacterSet>MultiByte</CharacterSet>
-    @PLATFORM_TOOLSET@
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
   <ImportGroup Label="ExtensionSettings">
@@ -65,7 +62,6 @@
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <BrowseInformation>true</BrowseInformation>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\isccc\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
@@ -93,7 +89,6 @@
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\isccc\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>

bin/confgen/win32/rndcconfgen.vcxproj.user

@@ -1,3 +1,3 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 </Project>

bin/delv/Makefile.in

@@ -16,17 +16,16 @@ VERSION=@BIND9_VERSION@
 @BIND9_MAKE_INCLUDES@
 
 CINCLUDES =	-I${srcdir}/include ${DNS_INCLUDES} ${ISC_INCLUDES} \
-		${IRS_INCLUDES} ${ISCCFG_INCLUDES} \
-		${OPENSSL_CFLAGS}
+		${IRS_INCLUDES} ${ISCCFG_INCLUDES} @OPENSSL_INCLUDES@
 
 CDEFINES =	-DVERSION=\"${VERSION}\" \
 		-DSYSCONFDIR=\"${sysconfdir}\"
 CWARNINGS =
 
 ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
-DNSLIBS =	../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
-ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS}
-ISCLIBS =	../../lib/isc/libisc.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS}
+DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LIBS@
+ISCLIBS =	../../lib/isc/libisc.@A@ @OPENSSL_LIBS@
 IRSLIBS =	../../lib/irs/libirs.@A@
 
 ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@

bin/delv/delv.1

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2014-2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2014-2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -53,7 +53,7 @@ is a tool for sending DNS queries and validating the results, using the same int
 \fBnamed\fR\&.
 .PP
 \fBdelv\fR
-will send to a specified name server all queries needed to fetch and validate the requested data; this includes the original requested query, subsequent queries to follow CNAME or DNAME chains, and queries for DNSKEY and DS records to establish a chain of trust for DNSSEC validation\&. It does not perform iterative resolution, but simulates the behavior of a name server configured for DNSSEC validating and forwarding\&.
+will send to a specified name server all queries needed to fetch and validate the requested data; this includes the original requested query, subsequent queries to follow CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records to establish a chain of trust for DNSSEC validation\&. It does not perform iterative resolution, but simulates the behavior of a name server configured for DNSSEC validating and forwarding\&.
 .PP
 By default, responses are validated using built\-in DNSSEC trust anchor for the root zone ("\&.")\&. Records returned by
 \fBdelv\fR
@@ -139,21 +139,21 @@ BIND
 .sp
 Keys that do not match the root zone name are ignored\&. An alternate key name can be specified using the
 \fB+root=NAME\fR
-options\&.
+options\&. DNSSEC Lookaside Validation can also be turned on by using the
+\fB+dlv=NAME\fR
+to specify the name of a zone containing DLV records\&.
 .sp
 Note: When reading the trust anchor file,
 \fBdelv\fR
 treats
-\fBtrust\-anchors\fR\fBinitial\-key\fR
-and
-\fBstatic\-key\fR
-entries identically\&. That is, even if a key is configured with
-\fBinitial\-key\fR, indicating that it is meant to be used only as an initializing key for RFC 5011 key maintenance, it is still treated by
+\fBmanaged\-keys\fR
+statements and
+\fBtrusted\-keys\fR
+statements identically\&. That is, for a managed key, it is the
+\fIinitial\fR
+key that is trusted; RFC 5011 key management is not supported\&.
 \fBdelv\fR
-as if it had been configured as a
-\fBstatic\-key\fR\&.
-\fBdelv\fR
-does not consult the managed keys database maintained by
+will not consult the managed\-keys database maintained by
 \fBnamed\fR\&. This means that if either of the keys in
 /etc/bind\&.keys
 is revoked and rolled over, it will be necessary to update
@@ -390,16 +390,25 @@ output\&. The default is to do so\&. Note that (unlike in
 control whether to request DNSSEC records or whether to validate them\&. DNSSEC records are always requested, and validation will always occur unless suppressed by the use of
 \fB\-i\fR
 or
-\fB+noroot\fR\&.
+\fB+noroot\fR
+and
+\fB+nodlv\fR\&.
 .RE
 .PP
 \fB+[no]root[=ROOT]\fR
 .RS 4
-Indicates whether to perform conventional DNSSEC validation, and if so, specifies the name of a trust anchor\&. The default is to validate using a trust anchor of "\&." (the root zone), for which there is a built\-in key\&. If specifying a different trust anchor, then
+Indicates whether to perform conventional (non\-lookaside) DNSSEC validation, and if so, specifies the name of a trust anchor\&. The default is to validate using a trust anchor of "\&." (the root zone), for which there is a built\-in key\&. If specifying a different trust anchor, then
 \fB\-a\fR
 must be used to specify a file containing the key\&.
 .RE
 .PP
+\fB+[no]dlv[=DLV]\fR
+.RS 4
+Indicates whether to perform DNSSEC lookaside validation, and if so, specifies the name of the DLV trust anchor\&. The
+\fB\-a\fR
+option must also be used to specify a file containing the DLV key\&.
+.RE
+.PP
 \fB+[no]tcp\fR
 .RS 4
 Controls whether to use TCP when sending queries\&. The default is to use UDP unless a truncated response has been received\&.
@@ -409,11 +418,6 @@ Controls whether to use TCP when sending queries\&. The default is to use UDP un
 .RS 4
 Print all RDATA in unknown RR type presentation format (RFC 3597)\&. The default is to print RDATA for known types in the type\*(Aqs presentation format\&.
 .RE
-.PP
-\fB+[no]yaml\fR
-.RS 4
-Print response data in YAML format\&.
-.RE
 .SH "FILES"
 .PP
 /etc/bind\&.keys
@@ -433,5 +437,5 @@ RFC5155\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2014-2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2014-2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/delv/delv.c

@@ -9,6 +9,7 @@
  * information regarding copyright ownership.
  */
 
+#include <config.h>
 #include <bind.keys.h>
 
 #ifndef WIN32
@@ -33,10 +34,8 @@
 #include <isc/app.h>
 #include <isc/base64.h>
 #include <isc/buffer.h>
-#include <isc/hex.h>
 #include <isc/lib.h>
 #include <isc/log.h>
-#include <isc/md.h>
 #include <isc/mem.h>
 #ifdef WIN32
 #include <isc/ntpaths.h>
@@ -113,8 +112,7 @@ static bool
 	nottl = false,
 	multiline = false,
 	short_form = false,
-	print_unknown_format = false,
-	yaml = false;
+	print_unknown_format = false;
 
 static bool
 	resolve_trace = false,
@@ -128,19 +126,21 @@ static bool
 static bool
 	cdflag = false,
 	no_sigs = false,
-	root_validation = true;
+	root_validation = true,
+	dlv_validation = true;
 
 static bool use_tcp = false;
 
 static char *anchorfile = NULL;
 static char *trust_anchor = NULL;
-static int num_keys = 0;
+static char *dlv_anchor = NULL;
+static int trusted_keys = 0;
 
-static dns_fixedname_t afn;
-static dns_name_t *anchor_name = NULL;
+static dns_fixedname_t afn, dfn;
+static dns_name_t *anchor_name = NULL, *dlv_name = NULL;
 
 /* Default bind.keys contents */
-static char anchortext[] = TRUST_ANCHORS;
+static char anchortext[] = MANAGED_KEYS;
 
 /*
  * Static function prototypes
@@ -160,44 +160,42 @@ usage(void) {
 "        q-class  is one of (in,hs,ch,...) [default: in]\n"
 "        q-type   is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) [default:a]\n"
 "        q-opt    is one of:\n"
-"                 -4                  (use IPv4 query transport only)\n"
-"                 -6                  (use IPv6 query transport only)\n"
-"                 -a anchor-file      (specify root trust anchor)\n"
-"                 -b address[#port]   (bind to source address/port)\n"
-"                 -c class            (option included for compatibility;\n"
+"                 -x dot-notation     (shortcut for reverse lookups)\n"
 "                 -d level            (set debugging level)\n"
-"                 -h                  (print help and exit)\n"
-"                 -i                  (disable DNSSEC validation)\n"
-"                 -m                  (enable memory usage debugging)\n"
+"                 -a anchor-file      (specify root and dlv trust anchors)\n"
+"                 -b address[#port]   (bind to source address/port)\n"
 "                 -p port             (specify port number)\n"
 "                 -q name             (specify query name)\n"
 "                 -t type             (specify query type)\n"
+"                 -c class            (option included for compatibility;\n"
 "                                      only IN is supported)\n"
-"                 -v                  (print version and exit)\n"
-"                 -x dot-notation     (shortcut for reverse lookups)\n"
+"                 -4                  (use IPv4 query transport only)\n"
+"                 -6                  (use IPv6 query transport only)\n"
+"                 -i                  (disable DNSSEC validation)\n"
+"                 -m                  (enable memory usage debugging)\n"
 "        d-opt    is of the form +keyword[=value], where keyword is:\n"
 "                 +[no]all            (Set or clear all display flags)\n"
 "                 +[no]class          (Control display of class)\n"
-"                 +[no]comments       (Control display of comment lines)\n"
 "                 +[no]crypto         (Control display of cryptographic\n"
 "                                      fields in records)\n"
-"                 +[no]dlv            (Obsolete)\n"
-"                 +[no]dnssec         (Display DNSSEC records)\n"
-"                 +[no]mtrace         (Trace messages received)\n"
 "                 +[no]multiline      (Print records in an expanded format)\n"
-"                 +[no]root           (DNSSEC validation trust anchor)\n"
+"                 +[no]comments       (Control display of comment lines)\n"
 "                 +[no]rrcomments     (Control display of per-record "
 				       "comments)\n"
-"                 +[no]rtrace         (Trace resolver fetches)\n"
+"                 +[no]unknownformat  (Print RDATA in RFC 3597 \"unknown\" format)\n"
 "                 +[no]short          (Short form answer)\n"
 "                 +[no]split=##       (Split hex/base64 fields into chunks)\n"
 "                 +[no]tcp            (TCP mode)\n"
 "                 +[no]ttl            (Control display of ttls in records)\n"
 "                 +[no]trust          (Control display of trust level)\n"
-"                 +[no]unknownformat  (Print RDATA in RFC 3597 "
-					"\"unknown\" format)\n"
+"                 +[no]rtrace         (Trace resolver fetches)\n"
+"                 +[no]mtrace         (Trace messages received)\n"
 "                 +[no]vtrace         (Trace validation process)\n"
-"                 +[no]yaml           (Present the results as YAML)\n",
+"                 +[no]dlv            (DNSSEC lookaside validation anchor)\n"
+"                 +[no]root           (DNSSEC validation trust anchor)\n"
+"                 +[no]dnssec         (Display DNSSEC records)\n"
+"        -h                           (print help and exit)\n"
+"        -v                           (print version and exit)\n",
 	stderr);
 	exit(1);
 }
@@ -357,80 +355,53 @@ setup_logging(FILE *errout) {
 
 static void
 print_status(dns_rdataset_t *rdataset) {
-	char buf[1024] = { 0 };
+	const char *astr = "", *tstr = "";
 
 	REQUIRE(rdataset != NULL);
 
-	if (!showtrust || !dns_rdataset_isassociated(rdataset)) {
+	if (!showtrust || !dns_rdataset_isassociated(rdataset))
 		return;
-	}
 
-	buf[0] = '\0';
-
-	if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) {
-		strlcat(buf, "negative response", sizeof(buf));
-		strlcat(buf, (yaml ? "_" : ", "), sizeof(buf));
-	}
+	if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)
+		astr = "negative response, ";
 
 	switch (rdataset->trust) {
 	case dns_trust_none:
-		strlcat(buf, "untrusted", sizeof(buf));
+		tstr = "untrusted";
 		break;
 	case dns_trust_pending_additional:
-		strlcat(buf, "signed additional data", sizeof(buf));
-		if (!yaml) {
-			strlcat(buf, ", ", sizeof(buf));
-		}
-		strlcat(buf, "pending validation", sizeof(buf));
+		tstr = "signed additional data, pending validation";
 		break;
 	case dns_trust_pending_answer:
-		strlcat(buf, "signed answer", sizeof(buf));
-		if (!yaml) {
-			strlcat(buf, ", ", sizeof(buf));
-		}
-		strlcat(buf, "pending validation", sizeof(buf));
+		tstr = "signed answer, pending validation";
 		break;
 	case dns_trust_additional:
-		strlcat(buf, "unsigned additional data", sizeof(buf));
+		tstr = "unsigned additional data";
 		break;
 	case dns_trust_glue:
-		strlcat(buf, "glue data", sizeof(buf));
+		tstr = "glue data";
 		break;
 	case dns_trust_answer:
-		if (root_validation) {
-			strlcat(buf, "unsigned answer", sizeof(buf));
-		} else {
-			strlcat(buf, "answer not validated", sizeof(buf));
-		}
+		if (root_validation || dlv_validation)
+			tstr = "unsigned answer";
+		else
+			tstr = "answer not validated";
 		break;
 	case dns_trust_authauthority:
-		strlcat(buf, "authority data", sizeof(buf));
+		tstr = "authority data";
 		break;
 	case dns_trust_authanswer:
-		strlcat(buf, "authoritative", sizeof(buf));
+		tstr = "authoritative";
 		break;
 	case dns_trust_secure:
-		strlcat(buf, "fully validated", sizeof(buf));
+		tstr = "fully validated";
 		break;
 	case dns_trust_ultimate:
-		strlcat(buf, "ultimate trust", sizeof(buf));
+		tstr = "ultimate trust";
 		break;
 	}
 
-	if (yaml) {
-		char *p;
-
-		/* Convert spaces to underscores for YAML */
-		for (p = buf; p != NULL && *p != '\0'; p++) {
-			if (*p == ' ') {
-				*p = '_';
-			}
-		}
-
-		printf("  - %s:\n", buf);
-	} else {
-		printf("; %s\n", buf);
-	}
+	printf("; %s%s\n", astr, tstr);
 }
 
 static isc_result_t
@@ -457,9 +428,8 @@ printdata(dns_rdataset_t *rdataset, dns_name_t *owner,
 		return (ISC_R_SUCCESS);
 
 	if (first || rdataset->trust != trust) {
-		if (!first && showtrust && !short_form && !yaml) {
+		if (!first && showtrust && !short_form)
 			putchar('\n');
-		}
 		print_status(rdataset);
 		trust = rdataset->trust;
 		first = false;
@@ -467,6 +437,8 @@ printdata(dns_rdataset_t *rdataset, dns_name_t *owner,
 
 	do {
 		t = isc_mem_get(mctx, len);
+		if (t == NULL)
+			return (ISC_R_NOMEMORY);
 
 		isc_buffer_init(&target, t, len);
 		if (short_form) {
@@ -498,17 +470,12 @@ printdata(dns_rdataset_t *rdataset, dns_name_t *owner,
 				dns_rdata_reset(&rdata);
 			}
 		} else {
-			dns_indent_t indent = { "  ", 2 };
-			if (!yaml && (rdataset->attributes &
-				      DNS_RDATASETATTR_NEGATIVE) != 0)
-			{
+			if ((rdataset->attributes &
+			     DNS_RDATASETATTR_NEGATIVE) != 0)
 				isc_buffer_putstr(&target, "; ");
-			}
+
 			result = dns_master_rdatasettotext(owner, rdataset,
-							   style,
-							   yaml ? &indent :
-								  NULL,
-							   &target);
+							   style, &target);
 		}
 
 		if (result == ISC_R_NOSPACE) {
@@ -535,53 +502,41 @@ setup_style(dns_master_style_t **stylep) {
 	isc_result_t result;
 	dns_master_style_t *style = NULL;
 
-	REQUIRE(stylep != NULL && *stylep == NULL);
+	REQUIRE(stylep != NULL || *stylep == NULL);
 
 	styleflags |= DNS_STYLEFLAG_REL_OWNER;
-	if (yaml) {
-		styleflags |= DNS_STYLEFLAG_YAML;
-	} else {
-		if (showcomments) {
-			styleflags |= DNS_STYLEFLAG_COMMENT;
-		}
-		if (print_unknown_format) {
-			styleflags |= DNS_STYLEFLAG_UNKNOWNFORMAT;
-		}
-		if (rrcomments) {
-			styleflags |= DNS_STYLEFLAG_RRCOMMENT;
-		}
-		if (nottl) {
-			styleflags |= DNS_STYLEFLAG_NO_TTL;
-		}
-		if (noclass) {
-			styleflags |= DNS_STYLEFLAG_NO_CLASS;
-		}
-		if (nocrypto) {
-			styleflags |= DNS_STYLEFLAG_NOCRYPTO;
-		}
-		if (multiline) {
-			styleflags |= DNS_STYLEFLAG_MULTILINE;
-			styleflags |= DNS_STYLEFLAG_COMMENT;
-		}
+	if (showcomments)
+		styleflags |= DNS_STYLEFLAG_COMMENT;
+	if (print_unknown_format)
+		styleflags |= DNS_STYLEFLAG_UNKNOWNFORMAT;
+	if (rrcomments)
+		styleflags |= DNS_STYLEFLAG_RRCOMMENT;
+	if (nottl)
+		styleflags |= DNS_STYLEFLAG_NO_TTL;
+	if (noclass)
+		styleflags |= DNS_STYLEFLAG_NO_CLASS;
+	if (nocrypto)
+		styleflags |= DNS_STYLEFLAG_NOCRYPTO;
+	if (multiline) {
+		styleflags |= DNS_STYLEFLAG_MULTILINE;
+		styleflags |= DNS_STYLEFLAG_COMMENT;
 	}
 
-	if (multiline || (nottl && noclass)) {
+	if (multiline || (nottl && noclass))
 		result = dns_master_stylecreate(&style, styleflags,
 						24, 24, 24, 32, 80, 8,
 						splitwidth, mctx);
-	} else if (nottl || noclass) {
+	else if (nottl || noclass)
 		result = dns_master_stylecreate(&style, styleflags,
 						24, 24, 32, 40, 80, 8,
 						splitwidth, mctx);
-	} else {
+	else
 		result = dns_master_stylecreate(&style, styleflags,
 						24, 32, 40, 48, 80, 8,
 						splitwidth, mctx);
-	}
 
-	if (result == ISC_R_SUCCESS) {
+	if (result == ISC_R_SUCCESS)
 		*stylep = style;
-	}
 	return (result);
 }
 
@@ -612,161 +567,83 @@ convert_name(dns_fixedname_t *fn, dns_name_t **name, const char *text) {
 
 static isc_result_t
 key_fromconfig(const cfg_obj_t *key, dns_client_t *client) {
-	dns_rdata_dnskey_t dnskey;
-	dns_rdata_ds_t ds;
-	uint32_t rdata1, rdata2, rdata3;
-	const char *datastr = NULL, *keynamestr = NULL, *atstr = NULL;
-	unsigned char data[4096];
-	isc_buffer_t databuf;
+	dns_rdata_dnskey_t keystruct;
+	uint32_t flags, proto, alg;
+	const char *keystr, *keynamestr;
+	unsigned char keydata[4096];
+	isc_buffer_t keydatabuf;
 	unsigned char rrdata[4096];
 	isc_buffer_t rrdatabuf;
 	isc_region_t r;
 	dns_fixedname_t fkeyname;
 	dns_name_t *keyname;
 	isc_result_t result;
-	bool match_root = false;
-	enum {
-		INITIAL_KEY,
-		STATIC_KEY,
-		INITIAL_DS,
-		STATIC_DS,
-		TRUSTED
-	} anchortype;
+	bool match_root = false, match_dlv = false;
 
 	keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
 	CHECK(convert_name(&fkeyname, &keyname, keynamestr));
 
-	if (!root_validation) {
+	if (!root_validation && !dlv_validation)
 		return (ISC_R_SUCCESS);
-	}
 
-	if (anchor_name) {
+	if (anchor_name)
 		match_root = dns_name_equal(keyname, anchor_name);
-	}
+	if (dlv_name)
+		match_dlv = dns_name_equal(keyname, dlv_name);
 
-	if (!match_root) {
+	if (!match_root && !match_dlv)
 		return (ISC_R_SUCCESS);
-	}
-
-	if (!root_validation) {
+	if ((!root_validation && match_root) || (!dlv_validation && match_dlv))
 		return (ISC_R_SUCCESS);
-	}
 
-	delv_log(ISC_LOG_DEBUG(3), "adding trust anchor %s", trust_anchor);
+	if (match_root)
+		delv_log(ISC_LOG_DEBUG(3), "adding trust anchor %s",
+			  trust_anchor);
+	if (match_dlv)
+		delv_log(ISC_LOG_DEBUG(3), "adding DLV trust anchor %s",
+			  dlv_anchor);
 
-	/* if DNSKEY, flags; if DS, key tag */
-	rdata1 = cfg_obj_asuint32(cfg_tuple_get(key, "rdata1"));
+	flags = cfg_obj_asuint32(cfg_tuple_get(key, "flags"));
+	proto = cfg_obj_asuint32(cfg_tuple_get(key, "protocol"));
+	alg = cfg_obj_asuint32(cfg_tuple_get(key, "algorithm"));
 
-	/* if DNSKEY, protocol; if DS, algorithm */
-	rdata2 = cfg_obj_asuint32(cfg_tuple_get(key, "rdata2"));
+	keystruct.common.rdclass = dns_rdataclass_in;
+	keystruct.common.rdtype = dns_rdatatype_dnskey;
+	/*
+	 * The key data in keystruct is not dynamically allocated.
+	 */
+	keystruct.mctx = NULL;
 
-	/* if DNSKEY, algorithm; if DS, digest type */
-	rdata3 = cfg_obj_asuint32(cfg_tuple_get(key, "rdata3"));
+	ISC_LINK_INIT(&keystruct.common, link);
 
-	/* What type of trust anchor is this? */
-	atstr = cfg_obj_asstring(cfg_tuple_get(key, "anchortype"));
-	if (strcasecmp(atstr, "static-key") == 0) {
-		anchortype = STATIC_KEY;
-	} else if (strcasecmp(atstr, "static-ds") == 0) {
-		anchortype = STATIC_DS;
-	} else if (strcasecmp(atstr, "initial-key") == 0) {
-		anchortype = INITIAL_KEY;
-	} else if (strcasecmp(atstr, "initial-ds") == 0) {
-		anchortype = INITIAL_DS;
-	} else {
-		delv_log(ISC_LOG_ERROR,
-			 "key '%s': invalid initialization method '%s'",
-			 keynamestr, atstr);
-		result = ISC_R_FAILURE;
-		goto cleanup;
-	}
+	if (flags > 0xffff)
+		CHECK(ISC_R_RANGE);
+	if (proto > 0xff)
+		CHECK(ISC_R_RANGE);
+	if (alg > 0xff)
+		CHECK(ISC_R_RANGE);
 
-	isc_buffer_init(&databuf, data, sizeof(data));
+	keystruct.flags = (uint16_t)flags;
+	keystruct.protocol = (uint8_t)proto;
+	keystruct.algorithm = (uint8_t)alg;
+
+	isc_buffer_init(&keydatabuf, keydata, sizeof(keydata));
 	isc_buffer_init(&rrdatabuf, rrdata, sizeof(rrdata));
 
-	if (rdata1 > 0xffff) {
-		CHECK(ISC_R_RANGE);
-	}
-	if (rdata2 > 0xff) {
-		CHECK(ISC_R_RANGE);
-	}
-	if (rdata3 > 0xff) {
-		CHECK(ISC_R_RANGE);
-	}
+	keystr = cfg_obj_asstring(cfg_tuple_get(key, "key"));
+	CHECK(isc_base64_decodestring(keystr, &keydatabuf));
+	isc_buffer_usedregion(&keydatabuf, &r);
+	keystruct.datalen = r.length;
+	keystruct.data = r.base;
 
-	switch (anchortype) {
-	case STATIC_KEY:
-	case INITIAL_KEY:
-	case TRUSTED:
-		dnskey.common.rdclass = dns_rdataclass_in;
-		dnskey.common.rdtype = dns_rdatatype_dnskey;
-		dnskey.mctx = NULL;
+	CHECK(dns_rdata_fromstruct(NULL,
+				   keystruct.common.rdclass,
+				   keystruct.common.rdtype,
+				   &keystruct, &rrdatabuf));
 
-		ISC_LINK_INIT(&dnskey.common, link);
-
-		dnskey.flags = (uint16_t)rdata1;
-		dnskey.protocol = (uint8_t)rdata2;
-		dnskey.algorithm = (uint8_t)rdata3;
-
-		datastr = cfg_obj_asstring(cfg_tuple_get(key, "data"));
-		CHECK(isc_base64_decodestring(datastr, &databuf));
-		isc_buffer_usedregion(&databuf, &r);
-		dnskey.datalen = r.length;
-		dnskey.data = r.base;
-
-		CHECK(dns_rdata_fromstruct(NULL, dnskey.common.rdclass,
-					   dnskey.common.rdtype,
-					   &dnskey, &rrdatabuf));
-		CHECK(dns_client_addtrustedkey(client, dns_rdataclass_in,
-					       dns_rdatatype_dnskey,
-					       keyname, &rrdatabuf));
-		break;
-	case INITIAL_DS:
-	case STATIC_DS:
-		ds.common.rdclass = dns_rdataclass_in;
-		ds.common.rdtype = dns_rdatatype_ds;
-		ds.mctx = NULL;
-
-		ISC_LINK_INIT(&ds.common, link);
-
-		ds.key_tag = (uint16_t)rdata1;
-		ds.algorithm = (uint8_t)rdata2;
-		ds.digest_type = (uint8_t)rdata3;
-
-		datastr = cfg_obj_asstring(cfg_tuple_get(key, "data"));
-		CHECK(isc_hex_decodestring(datastr, &databuf));
-		isc_buffer_usedregion(&databuf, &r);
-
-		switch (ds.digest_type) {
-		case DNS_DSDIGEST_SHA1:
-			if (r.length != ISC_SHA1_DIGESTLENGTH) {
-				CHECK(ISC_R_UNEXPECTEDEND);
-			}
-			break;
-		case DNS_DSDIGEST_SHA256:
-			if (r.length != ISC_SHA256_DIGESTLENGTH) {
-				CHECK(ISC_R_UNEXPECTEDEND);
-			}
-			break;
-		case DNS_DSDIGEST_SHA384:
-			if (r.length != ISC_SHA384_DIGESTLENGTH) {
-				CHECK(ISC_R_UNEXPECTEDEND);
-			}
-			break;
-		}
-
-		ds.length = r.length;
-		ds.digest = r.base;
-
-		CHECK(dns_rdata_fromstruct(NULL, ds.common.rdclass,
-					   ds.common.rdtype,
-					   &ds, &rrdatabuf));
-		CHECK(dns_client_addtrustedkey(client, dns_rdataclass_in,
-					       dns_rdatatype_ds,
-					       keyname, &rrdatabuf));
-	};
-
-	num_keys++;
+	CHECK(dns_client_addtrustedkey(client, dns_rdataclass_in,
+				       keyname, &rrdatabuf));
+	trusted_keys++;
 
  cleanup:
 	if (result == DST_R_NOCRYPTO)
@@ -817,15 +694,13 @@ static isc_result_t
 setup_dnsseckeys(dns_client_t *client) {
 	isc_result_t result;
 	cfg_parser_t *parser = NULL;
-	const cfg_obj_t *trusted_keys = NULL;
+	const cfg_obj_t *keys = NULL;
 	const cfg_obj_t *managed_keys = NULL;
-	const cfg_obj_t *trust_anchors = NULL;
 	cfg_obj_t *bindkeys = NULL;
 	const char *filename = anchorfile;
 
-	if (!root_validation) {
+	if (!root_validation && !dlv_validation)
 		return (ISC_R_SUCCESS);
-	}
 
 	if (filename == NULL) {
 #ifndef WIN32
@@ -840,27 +715,27 @@ setup_dnsseckeys(dns_client_t *client) {
 
 	if (trust_anchor == NULL) {
 		trust_anchor = isc_mem_strdup(mctx, ".");
+		if (trust_anchor == NULL)
+			fatal("out of memory");
 	}
 
-	if (trust_anchor != NULL) {
+	if (trust_anchor != NULL)
 		CHECK(convert_name(&afn, &anchor_name, trust_anchor));
-	}
+	if (dlv_anchor != NULL)
+		CHECK(convert_name(&dfn, &dlv_name, dlv_anchor));
 
 	CHECK(cfg_parser_create(mctx, dns_lctx, &parser));
 
 	if (access(filename, R_OK) != 0) {
-		if (anchorfile != NULL) {
+		if (anchorfile != NULL)
 			fatal("Unable to read key file '%s'", anchorfile);
-		}
 	} else {
 		result = cfg_parse_file(parser, filename,
 					&cfg_type_bindkeys, &bindkeys);
-		if (result != ISC_R_SUCCESS) {
-			if (anchorfile != NULL) {
+		if (result != ISC_R_SUCCESS)
+			if (anchorfile != NULL)
 				fatal("Unable to load keys from '%s'",
 				      anchorfile);
-			}
-		}
 	}
 
 	if (bindkeys == NULL) {
@@ -868,44 +743,32 @@ setup_dnsseckeys(dns_client_t *client) {
 
 		isc_buffer_init(&b, anchortext, sizeof(anchortext) - 1);
 		isc_buffer_add(&b, sizeof(anchortext) - 1);
-		result = cfg_parse_buffer(parser, &b, NULL, 0,
-					  &cfg_type_bindkeys, 0, &bindkeys);
-		if (result != ISC_R_SUCCESS) {
+		result = cfg_parse_buffer(parser, &b, &cfg_type_bindkeys,
+					  &bindkeys);
+		if (result != ISC_R_SUCCESS)
 			fatal("Unable to parse built-in keys");
-		}
 	}
 
 	INSIST(bindkeys != NULL);
-	cfg_map_get(bindkeys, "trusted-keys", &trusted_keys);
+	cfg_map_get(bindkeys, "trusted-keys", &keys);
 	cfg_map_get(bindkeys, "managed-keys", &managed_keys);
-	cfg_map_get(bindkeys, "trust-anchors", &trust_anchors);
 
-	if (trusted_keys != NULL) {
-		CHECK(load_keys(trusted_keys, client));
-	}
-	if (managed_keys != NULL) {
+	if (keys != NULL)
+		CHECK(load_keys(keys, client));
+	if (managed_keys != NULL)
 		CHECK(load_keys(managed_keys, client));
-	}
-	if (trust_anchors != NULL) {
-		CHECK(load_keys(trust_anchors, client));
-	}
 	result = ISC_R_SUCCESS;
 
-	if (num_keys == 0) {
+	if (trusted_keys == 0)
 		fatal("No trusted keys were loaded");
-	}
+
+	if (dlv_validation)
+		dns_client_setdlv(client, dns_rdataclass_in, dlv_anchor);
 
  cleanup:
-	if (bindkeys != NULL) {
-		cfg_obj_destroy(parser, &bindkeys);
-	}
-	if (parser != NULL) {
-		cfg_parser_destroy(&parser);
-	}
-	if (result != ISC_R_SUCCESS) {
+	if (result != ISC_R_SUCCESS)
 		delv_log(ISC_LOG_ERROR, "setup_dnsseckeys: %s",
 			  isc_result_totext(result));
-	}
 	return (result);
 }
 
@@ -932,6 +795,8 @@ addserver(dns_client_t *client) {
 			fatal("Use of IPv4 disabled by -6");
 		}
 		sa = isc_mem_get(mctx, sizeof(*sa));
+		if (sa == NULL)
+			return (ISC_R_NOMEMORY);
 		ISC_LINK_INIT(sa, link);
 		isc_sockaddr_fromin(sa, &in4, destport);
 		ISC_LIST_APPEND(servers, sa, link);
@@ -940,6 +805,8 @@ addserver(dns_client_t *client) {
 			fatal("Use of IPv6 disabled by -4");
 		}
 		sa = isc_mem_get(mctx, sizeof(*sa));
+		if (sa == NULL)
+			return (ISC_R_NOMEMORY);
 		ISC_LINK_INIT(sa, link);
 		isc_sockaddr_fromin6(sa, &in6, destport);
 		ISC_LIST_APPEND(servers, sa, link);
@@ -967,6 +834,10 @@ addserver(dns_client_t *client) {
 			    cur->ai_family != AF_INET6)
 				continue;
 			sa = isc_mem_get(mctx, sizeof(*sa));
+			if (sa == NULL) {
+				result = ISC_R_NOMEMORY;
+				break;
+			}
 			memset(sa, 0, sizeof(*sa));
 			ISC_LINK_INIT(sa, link);
 			memmove(&sa->type, cur->ai_addr, cur->ai_addrlen);
@@ -1039,6 +910,10 @@ findserver(dns_client_t *client) {
 			struct in_addr localhost;
 			localhost.s_addr = htonl(INADDR_LOOPBACK);
 			sa = isc_mem_get(mctx, sizeof(*sa));
+			if (sa == NULL) {
+				result = ISC_R_NOMEMORY;
+				goto cleanup;
+			}
 			isc_sockaddr_fromin(sa, &localhost, destport);
 
 			ISC_LINK_INIT(sa, link);
@@ -1047,6 +922,10 @@ findserver(dns_client_t *client) {
 
 		if (use_ipv6) {
 			sa = isc_mem_get(mctx, sizeof(*sa));
+			if (sa == NULL) {
+				result = ISC_R_NOMEMORY;
+				goto cleanup;
+			}
 			isc_sockaddr_fromin6(sa, &in6addr_loopback, destport);
 
 			ISC_LINK_INIT(sa, link);
@@ -1142,10 +1021,13 @@ plus_option(char *option) {
 		switch (cmd[1]) {
 		case 'l': /* dlv */
 			FULLCHECK("dlv");
-			if (state) {
-				fprintf(stderr, "Invalid option: "
-						"+dlv is obsolete\n");
-				exit(1);
+			if (state && no_sigs)
+				break;
+			dlv_validation = state;
+			if (value != NULL) {
+				dlv_anchor = isc_mem_strdup(mctx, value);
+				if (dlv_anchor == NULL)
+					fatal("out of memory");
 			}
 			break;
 		case 'n': /* dnssec */
@@ -1180,6 +1062,8 @@ plus_option(char *option) {
 			root_validation = state;
 			if (value != NULL) {
 				trust_anchor = isc_mem_strdup(mctx, value);
+				if (trust_anchor == NULL)
+					fatal("out of memory");
 			}
 			break;
 		case 'r': /* rrcomments */
@@ -1267,13 +1151,6 @@ plus_option(char *option) {
 		if (state)
 			resolve_trace = state;
 		break;
-	case 'y': /* yaml */
-		FULLCHECK("yaml");
-		yaml = state;
-		if (state) {
-			rrcomments = false;
-		}
-		break;
 	default:
 	invalid_option:
 		/*
@@ -1290,8 +1167,6 @@ plus_option(char *option) {
  * options: "46a:b:c:d:himp:q:t:vx:";
  */
 static const char *single_dash_opts = "46himv";
-static const char *dash_opts = "46abcdhimpqtvx";
-
 static bool
 dash_option(char *option, char *next, bool *open_type_class) {
 	char opt, *value;
@@ -1337,6 +1212,7 @@ dash_option(char *option, char *next, bool *open_type_class) {
 			/* NOTREACHED */
 		case 'i':
 			no_sigs = true;
+			dlv_validation = false;
 			root_validation = false;
 			break;
 		case 'm':
@@ -1348,7 +1224,6 @@ dash_option(char *option, char *next, bool *open_type_class) {
 			/* NOTREACHED */
 		default:
 			INSIST(0);
-			ISC_UNREACHABLE();
 		}
 		if (strlen(option) > 1U)
 			option = &option[1];
@@ -1368,6 +1243,8 @@ dash_option(char *option, char *next, bool *open_type_class) {
 	switch (opt) {
 	case 'a':
 		anchorfile = isc_mem_strdup(mctx, value);
+		if (anchorfile == NULL)
+			fatal("out of memory");
 		return (value_from_next);
 	case 'b':
 		hash = strchr(value, '#');
@@ -1431,6 +1308,8 @@ dash_option(char *option, char *next, bool *open_type_class) {
 			isc_mem_free(mctx, curqname);
 		}
 		curqname = isc_mem_strdup(mctx, value);
+		if (curqname == NULL)
+			fatal("out of memory");
 		return (value_from_next);
 	case 't':
 		*open_type_class = false;
@@ -1458,6 +1337,8 @@ dash_option(char *option, char *next, bool *open_type_class) {
 				warn("extra query name");
 			}
 			curqname = isc_mem_strdup(mctx, textname);
+			if (curqname == NULL)
+				fatal("out of memory");
 			if (typeset)
 				warn("extra query type");
 			qtype = dns_rdatatype_ptr;
@@ -1486,10 +1367,8 @@ preparse_args(int argc, char **argv) {
 	char *option;
 
 	for (argc--, argv++; argc > 0; argc--, argv++) {
-		if (argv[0][0] != '-') {
+		if (argv[0][0] != '-')
 			continue;
-		}
-
 		option = &argv[0][1];
 		while (strpbrk(option, single_dash_opts) == &option[0]) {
 			switch (option[0]) {
@@ -1512,27 +1391,6 @@ preparse_args(int argc, char **argv) {
 			}
 			option = &option[1];
 		}
-
-		if (strlen(option) == 0U) {
-			continue;
-		}
-
-		/* Look for dash value option. */
-		if (strpbrk(option, dash_opts) != &option[0] ||
-		    strlen(option) > 1U)
-		{
-			/* Error or value in option. */
-			continue;
-		}
-
-		/* Dash value is next argument so we need to skip it. */
-		argc--;
-		argv++;
-
-		/* Handle missing argument */
-		if (argc == 0) {
-			break;
-		}
 	}
 }
 
@@ -1604,6 +1462,8 @@ parse_args(int argc, char **argv) {
 
 			if (curqname == NULL) {
 				curqname = isc_mem_strdup(mctx, argv[0]);
+				if (curqname == NULL)
+					fatal("out of memory");
 			}
 		}
 	}
@@ -1617,6 +1477,8 @@ parse_args(int argc, char **argv) {
 
 	if (curqname == NULL) {
 		qname = isc_mem_strdup(mctx, ".");
+		if (qname == NULL)
+			fatal("out of memory");
 
 		if (!typeset)
 			qtype = dns_rdatatype_ns;
@@ -1700,7 +1562,6 @@ main(int argc, char *argv[]) {
 	isc_result_t result;
 	dns_fixedname_t qfn;
 	dns_name_t *query_name, *response_name;
-	char namestr[DNS_NAME_FORMATSIZE];
 	dns_rdataset_t *rdataset;
 	dns_namelist_t namelist;
 	unsigned int resopt, clopt;
@@ -1724,12 +1585,14 @@ main(int argc, char *argv[]) {
 	if (result != ISC_R_SUCCESS)
 		fatal("dns_lib_init failed: %d", result);
 
-	isc_mem_create(&mctx);
+	result = isc_mem_create(0, 0, &mctx);
+	if (result != ISC_R_SUCCESS)
+		fatal("failed to create mctx");
 
 	CHECK(isc_appctx_create(mctx, &actx));
-	CHECK(isc_taskmgr_createinctx(mctx, 1, 0, &taskmgr));
-	CHECK(isc_socketmgr_createinctx(mctx, &socketmgr));
-	CHECK(isc_timermgr_createinctx(mctx, &timermgr));
+	CHECK(isc_taskmgr_createinctx(mctx, actx, 1, 0, &taskmgr));
+	CHECK(isc_socketmgr_createinctx(mctx, actx, &socketmgr));
+	CHECK(isc_timermgr_createinctx(mctx, actx, &timermgr));
 
 	parse_args(argc, argv);
 
@@ -1770,35 +1633,22 @@ main(int argc, char *argv[]) {
 
 	/* Set up resolution options */
 	resopt = DNS_CLIENTRESOPT_ALLOWRUN | DNS_CLIENTRESOPT_NOCDFLAG;
-	if (no_sigs) {
+	if (no_sigs)
 		resopt |= DNS_CLIENTRESOPT_NODNSSEC;
-	}
-	if (!root_validation) {
+	if (!root_validation && !dlv_validation)
 		resopt |= DNS_CLIENTRESOPT_NOVALIDATE;
-	}
-	if (cdflag) {
+	if (cdflag)
 		resopt &= ~DNS_CLIENTRESOPT_NOCDFLAG;
-	}
-	if (use_tcp) {
+	if (use_tcp)
 		resopt |= DNS_CLIENTRESOPT_TCP;
-	}
 
 	/* Perform resolution */
 	ISC_LIST_INIT(namelist);
 	result = dns_client_resolve(client, query_name, dns_rdataclass_in,
 				    qtype, resopt, &namelist);
-	if (result != ISC_R_SUCCESS && !yaml) {
+	if (result != ISC_R_SUCCESS)
 		delv_log(ISC_LOG_ERROR, "resolution failed: %s",
 			  isc_result_totext(result));
-	}
-
-	if (yaml) {
-		printf("type: DELV_RESULT\n");
-		dns_name_format(query_name, namestr, sizeof(namestr));
-		printf("query_name: %s\n", namestr);
-		printf("status: %s\n", isc_result_totext(result));
-		printf("records:\n");
-	}
 
 	for (response_name = ISC_LIST_HEAD(namelist);
 	     response_name != NULL;
@@ -1815,6 +1665,8 @@ main(int argc, char *argv[]) {
 	dns_client_freeresanswer(client, &namelist);
 
 cleanup:
+	if (dlv_anchor != NULL)
+		isc_mem_free(mctx, dlv_anchor);
 	if (trust_anchor != NULL)
 		isc_mem_free(mctx, trust_anchor);
 	if (anchorfile != NULL)

bin/delv/delv.docbook

@@ -39,8 +39,6 @@
       <year>2016</year>
       <year>2017</year>
       <year>2018</year>
-      <year>2019</year>
-      <year>2020</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
@@ -97,7 +95,7 @@
       <command>delv</command> will send to a specified name server all
       queries needed to fetch and validate the requested data; this
       includes the original requested query, subsequent queries to follow
-      CNAME or DNAME chains, and queries for DNSKEY and DS records
+      CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records
       to establish a chain of trust for DNSSEC validation.
       It does not perform iterative resolution, but simulates the
       behavior of a name server configured for DNSSEC validating and
@@ -212,21 +210,21 @@
 	  <para>
 	    Keys that do not match the root zone name are ignored.
             An alternate key name can be specified using the
-	    <option>+root=NAME</option> options.
+	    <option>+root=NAME</option> options. DNSSEC Lookaside
+            Validation can also be turned on by using the
+	    <option>+dlv=NAME</option> to specify the name of a
+            zone containing DLV records.
 	  </para>
 	  <para>
 	    Note: When reading the trust anchor file,
-	    <command>delv</command> treats <option>trust-anchors</option>
-	    <option>initial-key</option> and <option>static-key</option>
-	    entries identically.  That is, even if a key is configured
-	    with <command>initial-key</command>, indicating that it is
-	    meant to be used only as an initializing key for RFC 5011
-	    key maintenance, it is still treated by <command>delv</command>
-	    as if it had been configured as a <command>static-key</command>.
-	    <command>delv</command> does not consult the managed keys
-	    database maintained by <command>named</command>. This means
-	    that if either of the keys in
-	    <filename>/etc/bind.keys</filename> is revoked
+	    <command>delv</command> treats <option>managed-keys</option>
+	    statements and <option>trusted-keys</option> statements
+	    identically.  That is, for a managed key, it is the
+	    <emphasis>initial</emphasis> key that is trusted; RFC 5011
+	    key management is not supported. <command>delv</command>
+	    will not consult the managed-keys database maintained by
+	    <command>named</command>. This means that if either of the
+	    keys in <filename>/etc/bind.keys</filename> is revoked
 	    and rolled over, it will be necessary to update
 	    <filename>/etc/bind.keys</filename> to use DNSSEC
 	    validation in <command>delv</command>.
@@ -618,7 +616,8 @@
 	      request DNSSEC records or whether to validate them.
 	      DNSSEC records are always requested, and validation
 	      will always occur unless suppressed by the use of
-	      <option>-i</option> or <option>+noroot</option>.
+	      <option>-i</option> or <option>+noroot</option> and
+	      <option>+nodlv</option>.
 	    </para>
 	  </listitem>
 	</varlistentry>
@@ -627,7 +626,7 @@
 	  <term><option>+[no]root[=ROOT]</option></term>
 	  <listitem>
 	    <para>
-	      Indicates whether to perform conventional
+	      Indicates whether to perform conventional (non-lookaside)
 	      DNSSEC validation, and if so, specifies the
 	      name of a trust anchor.  The default is to validate using
 	      a trust anchor of "." (the root zone), for which there is
@@ -638,6 +637,18 @@
 	  </listitem>
 	</varlistentry>
 
+	<varlistentry>
+	  <term><option>+[no]dlv[=DLV]</option></term>
+	  <listitem>
+	    <para>
+	      Indicates whether to perform DNSSEC lookaside validation,
+	      and if so, specifies the name of the DLV trust anchor.
+	      The <option>-a</option> option must also be used to specify
+              a file containing the DLV key.
+	    </para>
+	  </listitem>
+	</varlistentry>
+
 	<varlistentry>
 	  <term><option>+[no]tcp</option></term>
 	  <listitem>
@@ -659,16 +670,6 @@
 	    </para>
 	  </listitem>
 	</varlistentry>
-
-	<varlistentry>
-	  <term><option>+[no]yaml</option></term>
-	  <listitem>
-	    <para>
-	      Print response data in YAML format.
-	    </para>
-	  </listitem>
-	</varlistentry>
-
       </variablelist>
 
     </para>

bin/delv/delv.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2014-2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2014-2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -83,7 +83,7 @@
       <span class="command"><strong>delv</strong></span> will send to a specified name server all
       queries needed to fetch and validate the requested data; this
       includes the original requested query, subsequent queries to follow
-      CNAME or DNAME chains, and queries for DNSKEY and DS records
+      CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records
       to establish a chain of trust for DNSSEC validation.
       It does not perform iterative resolution, but simulates the
       behavior of a name server configured for DNSSEC validating and
@@ -193,21 +193,21 @@
 	  <p>
 	    Keys that do not match the root zone name are ignored.
             An alternate key name can be specified using the
-	    <code class="option">+root=NAME</code> options.
+	    <code class="option">+root=NAME</code> options. DNSSEC Lookaside
+            Validation can also be turned on by using the
+	    <code class="option">+dlv=NAME</code> to specify the name of a
+            zone containing DLV records.
 	  </p>
 	  <p>
 	    Note: When reading the trust anchor file,
-	    <span class="command"><strong>delv</strong></span> treats <code class="option">trust-anchors</code>
-	    <code class="option">initial-key</code> and <code class="option">static-key</code>
-	    entries identically.  That is, even if a key is configured
-	    with <span class="command"><strong>initial-key</strong></span>, indicating that it is
-	    meant to be used only as an initializing key for RFC 5011
-	    key maintenance, it is still treated by <span class="command"><strong>delv</strong></span>
-	    as if it had been configured as a <span class="command"><strong>static-key</strong></span>.
-	    <span class="command"><strong>delv</strong></span> does not consult the managed keys
-	    database maintained by <span class="command"><strong>named</strong></span>. This means
-	    that if either of the keys in
-	    <code class="filename">/etc/bind.keys</code> is revoked
+	    <span class="command"><strong>delv</strong></span> treats <code class="option">managed-keys</code>
+	    statements and <code class="option">trusted-keys</code> statements
+	    identically.  That is, for a managed key, it is the
+	    <span class="emphasis"><em>initial</em></span> key that is trusted; RFC 5011
+	    key management is not supported. <span class="command"><strong>delv</strong></span>
+	    will not consult the managed-keys database maintained by
+	    <span class="command"><strong>named</strong></span>. This means that if either of the
+	    keys in <code class="filename">/etc/bind.keys</code> is revoked
 	    and rolled over, it will be necessary to update
 	    <code class="filename">/etc/bind.keys</code> to use DNSSEC
 	    validation in <span class="command"><strong>delv</strong></span>.
@@ -517,13 +517,14 @@
 	      request DNSSEC records or whether to validate them.
 	      DNSSEC records are always requested, and validation
 	      will always occur unless suppressed by the use of
-	      <code class="option">-i</code> or <code class="option">+noroot</code>.
+	      <code class="option">-i</code> or <code class="option">+noroot</code> and
+	      <code class="option">+nodlv</code>.
 	    </p>
 	  </dd>
 <dt><span class="term"><code class="option">+[no]root[=ROOT]</code></span></dt>
 <dd>
 	    <p>
-	      Indicates whether to perform conventional
+	      Indicates whether to perform conventional (non-lookaside)
 	      DNSSEC validation, and if so, specifies the
 	      name of a trust anchor.  The default is to validate using
 	      a trust anchor of "." (the root zone), for which there is
@@ -532,6 +533,15 @@
 	      containing the key.
 	    </p>
 	  </dd>
+<dt><span class="term"><code class="option">+[no]dlv[=DLV]</code></span></dt>
+<dd>
+	    <p>
+	      Indicates whether to perform DNSSEC lookaside validation,
+	      and if so, specifies the name of the DLV trust anchor.
+	      The <code class="option">-a</code> option must also be used to specify
+              a file containing the DLV key.
+	    </p>
+	  </dd>
 <dt><span class="term"><code class="option">+[no]tcp</code></span></dt>
 <dd>
 	    <p>
@@ -548,12 +558,6 @@
 	      in the type's presentation format.
 	    </p>
 	  </dd>
-<dt><span class="term"><code class="option">+[no]yaml</code></span></dt>
-<dd>
-	    <p>
-	      Print response data in YAML format.
-	    </p>
-	  </dd>
 </dl></div>
 <p>
 

bin/delv/win32/delv.vcxproj.in

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup Label="ProjectConfigurations">
     <ProjectConfiguration Include="Debug|@PLATFORM@">
       <Configuration>Debug</Configuration>
@@ -14,21 +14,18 @@
     <ProjectGuid>{BE172EFE-C1DC-4812-BFB9-8C5F8ADB7E9F}</ProjectGuid>
     <Keyword>Win32Proj</Keyword>
     <RootNamespace>delv</RootNamespace>
-    @WINDOWS_TARGET_PLATFORM_VERSION@
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>true</UseDebugLibraries>
     <CharacterSet>MultiByte</CharacterSet>
-    @PLATFORM_TOOLSET@
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>false</UseDebugLibraries>
     <WholeProgramOptimization>true</WholeProgramOptimization>
     <CharacterSet>MultiByte</CharacterSet>
-    @PLATFORM_TOOLSET@
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
   <ImportGroup Label="ExtensionSettings">
@@ -63,8 +60,7 @@
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <BrowseInformation>true</BrowseInformation>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
-      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@GEOIP_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\win32\include;..\..\..\lib\dns\include;..\..\..\lib\irs\win32\include;..\..\..\lib\irs\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@GEOIP_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\win32\include;..\..\..\lib\dns\include;..\..\..\lib\irs\win32\include;..\..\..\lib\irs\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
     <Link>
@@ -91,8 +87,7 @@
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
-      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@GEOIP_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\win32\include;..\..\..\lib\dns\include;..\..\..\lib\irs\win32\include;..\..\..\lib\irs\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@GEOIP_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\win32\include;..\..\..\lib\dns\include;..\..\..\lib\irs\win32\include;..\..\..\lib\irs\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
     <Link>

bin/delv/win32/delv.vcxproj.user

@@ -1,3 +1,3 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 </Project>

bin/dig/Makefile.in

@@ -19,17 +19,16 @@ READLINE_LIB = @READLINE_LIB@
 
 CINCLUDES =	-I${srcdir}/include ${DNS_INCLUDES} \
 		${BIND9_INCLUDES} ${ISC_INCLUDES} \
-		${IRS_INCLUDES} ${ISCCFG_INCLUDES} @LIBIDN2_CFLAGS@ \
-		${OPENSSL_CFLAGS}
+		${IRS_INCLUDES} ${ISCCFG_INCLUDES} @LIBIDN2_CFLAGS@ @OPENSSL_INCLUDES@
 
 CDEFINES =	-DVERSION=\"${VERSION}\"
 CWARNINGS =
 
 ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
-DNSLIBS =	../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
+DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
 BIND9LIBS =	../../lib/bind9/libbind9.@A@
-ISCLIBS =	../../lib/isc/libisc.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS}
-ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS}
+ISCLIBS =	../../lib/isc/libisc.@A@ @OPENSSL_LIBS@
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LIBS@
 IRSLIBS =	../../lib/irs/libirs.@A@
 
 ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@

bin/dig/dig.1

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2000-2011, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2011, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -74,9 +74,7 @@ will perform an NS query for "\&." (the root)\&.
 It is possible to set per\-user defaults for
 \fBdig\fR
 via
-${HOME}/\&.digrc\&. This file is read and any options in it are applied before the command line arguments\&. The
-\fB\-r\fR
-option disables this feature, for scripts that need predictable behaviour\&.
+${HOME}/\&.digrc\&. This file is read and any options in it are applied before the command line arguments\&.
 .PP
 The IN and CH class names overlap with the IN and CH top level domain names\&. Either use the
 \fB\-t\fR
@@ -176,6 +174,11 @@ reads a list of lookup requests to process from the given
 using the command\-line interface\&.
 .RE
 .PP
+\-i
+.RS 4
+Do reverse IPv6 lookups using the obsolete RFC 1886 IP6\&.INT domain, which is no longer in use\&. Obsolete bit string label queries (RFC 2874) are not attempted\&.
+.RE
+.PP
 \-k \fIkeyfile\fR
 .RS 4
 Sign queries using TSIG using a key read from the given file\&. Key files can be generated using
@@ -205,12 +208,6 @@ The domain name to query\&. This is useful to distinguish the
 from other arguments\&.
 .RE
 .PP
-\-r
-.RS 4
-Do not read options from
-${HOME}/\&.digrc\&. This is useful for scripts that need predictable behaviour\&.
-.RE
-.PP
 \-t \fItype\fR
 .RS 4
 The resource record type to query\&. It can be any valid query type\&. If it is a resource record type supported in BIND 9, it can be given by the type mnemonic (such as "NS" or "AAAA")\&. The default query type is "A", unless the
@@ -249,7 +246,9 @@ arguments\&.
 \fBdig\fR
 automatically performs a lookup for a name like
 94\&.2\&.0\&.192\&.in\-addr\&.arpa
-and sets the query type and class to PTR and IN respectively\&. IPv6 addresses are looked up using nibble format under the IP6\&.ARPA domain\&.
+and sets the query type and class to PTR and IN respectively\&. IPv6 addresses are looked up using nibble format under the IP6\&.ARPA domain (but see also the
+\fB\-i\fR
+option)\&.
 .RE
 .PP
 \-y \fI[hmac:]\fR\fIkeyname:secret\fR
@@ -361,20 +360,14 @@ Display [do not display] the CLASS when printing the record\&.
 .PP
 \fB+[no]cmd\fR
 .RS 4
-Toggles the printing of the initial comment in the output, identifying the version of
+Toggles the printing of the initial comment in the output identifying the version of
 \fBdig\fR
-and the query options that have been applied\&. This option always has global effect; it cannot be set globally and then overridden on a per\-lookup basis\&. The default is to print this comment\&.
+and the query options that have been applied\&. This comment is printed by default\&.
 .RE
 .PP
 \fB+[no]comments\fR
 .RS 4
-Toggles the display of some comment lines in the output, containing information about the packet header and OPT pseudosection, and the names of the response section\&. The default is to print these comments\&.
-.sp
-Other types of comments in the output are not affected by this option, but can be controlled using other command line switches\&. These include
-\fB+[no]cmd\fR,
-\fB+[no]question\fR,
-\fB+[no]stats\fR, and
-\fB+[no]rrcomments\fR\&.
+Toggle the display of comment lines in the output\&. The default is to print comments\&.
 .RE
 .PP
 \fB+[no]cookie\fR\fB[=####]\fR
@@ -456,11 +449,6 @@ clears the EDNS options to be sent\&.
 Send an EDNS Expire option\&.
 .RE
 .PP
-\fB+[no]expandaaaa\fR
-.RS 4
-When printing AAAA record print all zero nibbles rather than the default RFC 5952 preferred presentation format\&.
-.RE
-.PP
 \fB+[no]fail\fR
 .RS 4
 Do not try the next server if you receive a SERVFAIL\&. The default is to not try the next server which is the reverse of normal stub resolver behavior\&.
@@ -480,16 +468,12 @@ option is enabled\&. If short form answers are requested, the default is not to
 .PP
 \fB+[no]idnin\fR
 .RS 4
-Process [do not process] IDN domain names on input\&. This requires IDN SUPPORT to have been enabled at compile time\&.
-.sp
-The default is to process IDN input when standard output is a tty\&. The IDN processing on input is disabled when dig output is redirected to files, pipes, and other non\-tty file descriptors\&.
+Process [do not process] IDN domain names on input\&. This requires IDN SUPPORT to have been enabled at compile time\&. The default is to process IDN input\&.
 .RE
 .PP
 \fB+[no]idnout\fR
 .RS 4
-Convert [do not convert] puny code on output\&. This requires IDN SUPPORT to have been enabled at compile time\&.
-.sp
-The default is to process puny code on output when standard output is a tty\&. The puny code processing on output is disabled when dig output is redirected to files, pipes, and other non\-tty file descriptors\&.
+Convert [do not convert] puny code on output\&. This requires IDN SUPPORT to have been enabled at compile time\&. The default is to convert output\&.
 .RE
 .PP
 \fB+[no]ignore\fR
@@ -572,12 +556,12 @@ would cause a 48\-byte query to be padded to 64 bytes\&. The default block size
 .PP
 \fB+[no]qr\fR
 .RS 4
-Toggles the display of the query message as it is sent\&. By default, the query is not printed\&.
+Print [do not print] the query as it is sent\&. By default, the query is not printed\&.
 .RE
 .PP
 \fB+[no]question\fR
 .RS 4
-Toggles the display of the question section of a query when an answer is returned\&. The default is to print the question section as a comment\&.
+Print [do not print] the question section of a query when an answer is returned\&. The default is to print the question section as a comment\&.
 .RE
 .PP
 \fB+[no]raflag\fR
@@ -595,11 +579,11 @@ A synonym for
 .RS 4
 Toggle the setting of the RD (recursion desired) bit in the query\&. This bit is set by default, which means
 \fBdig\fR
-normally sends recursive queries\&. Recursion is automatically disabled when using the
+normally sends recursive queries\&. Recursion is automatically disabled when the
 \fI+nssearch\fR
-option, and when using
+or
 \fI+trace\fR
-except for an initial recursive query to get the list of root servers\&.
+query options are used\&.
 .RE
 .PP
 \fB+retry=T\fR
@@ -630,7 +614,7 @@ determines if the name will be treated as relative or not and hence whether a se
 .PP
 \fB+[no]short\fR
 .RS 4
-Provide a terse answer\&. The default is to print the answer in a verbose form\&. This option always has global effect; it cannot be set globally and then overridden on a per\-lookup basis\&.
+Provide a terse answer\&. The default is to print the answer in a verbose form\&.
 .RE
 .PP
 \fB+[no]showsearch\fR
@@ -660,7 +644,7 @@ causes fields not to be split at all\&. The default is 56 characters, or 44 char
 .PP
 \fB+[no]stats\fR
 .RS 4
-Toggles the printing of statistics: when the query was made, the size of the reply and so on\&. The default behavior is to print the query statistics as a comment after each lookup\&.
+This query option toggles the printing of statistics: when the query was made, the size of the reply and so on\&. The default behavior is to print the query statistics\&.
 .RE
 .PP
 \fB+[no]subnet=addr[/prefix\-length]\fR
@@ -744,13 +728,6 @@ Display [do not display] the TTL when printing the record\&.
 Display [do not display] the TTL in friendly human\-readable time units of "s", "m", "h", "d", and "w", representing seconds, minutes, hours, days and weeks\&. Implies +ttlid\&.
 .RE
 .PP
-\fB+[no]unexpected\fR
-.RS 4
-Accept [do not accept] answers from unexpected sources\&. By default,
-\fBdig\fR
-won\*(Aqt accept a reply from a source other than the one to which it sent the query\&.
-.RE
-.PP
 \fB+[no]unknownformat\fR
 .RS 4
 Print all RDATA in unknown RR type presentation format (RFC 3597)\&. The default is to print RDATA for known types in the type\*(Aqs presentation format\&.
@@ -763,13 +740,6 @@ Use [do not use] TCP when querying name servers\&. This alternate syntax to
 is provided for backwards compatibility\&. The "vc" stands for "virtual circuit"\&.
 .RE
 .PP
-\fB+[no]yaml\fR
-.RS 4
-Print the responses (and, if
-\fB+qr\fR
-is in use, also the outgoing queries) in a detailed YAML format\&.
-.RE
-.PP
 \fB+[no]zflag\fR
 .RS 4
 Set [do not set] the last unassigned DNS header flag in a DNS query\&. This flag is off by default\&.
@@ -825,10 +795,7 @@ has been built with IDN (internationalized domain name) support, it can accept a
 appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server\&. If you\*(Aqd like to turn off the IDN support for some reason, use parameters
 \fI+noidnin\fR
 and
-\fI+noidnout\fR
-or define the
-\fBIDN_DISABLE\fR
-environment variable\&.
+\fI+noidnout\fR\&.
 .SH "FILES"
 .PP
 /etc/resolv\&.conf
@@ -849,5 +816,5 @@ There are probably too many query options\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2000-2011, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000-2011, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dig/dig.c

@@ -11,6 +11,8 @@
 
 /*! \file */
 
+#include <config.h>
+
 #include <inttypes.h>
 #include <stdbool.h>
 #include <stdlib.h>
@@ -54,7 +56,7 @@
 
 dig_lookup_t *default_lookup = NULL;
 
-static atomic_uintptr_t batchname = ATOMIC_VAR_INIT(0);
+static char *batchname = NULL;
 static FILE *batchfp = NULL;
 static char *argv0;
 static int addresscount = 0;
@@ -63,8 +65,8 @@ static char domainopt[DNS_NAME_MAXTEXT];
 static char hexcookie[81];
 
 static bool short_form = false, printcmd = true,
-	plusquest = false, pluscomm = false,
-	ipv4only = false, ipv6only = false, digrc = true;
+	ip6_int = false, plusquest = false, pluscomm = false,
+	ipv4only = false, ipv6only = false;
 static uint32_t splitwidth = 0xffffffff;
 
 /*% opcode text */
@@ -151,11 +153,11 @@ help(void) {
 "                 -b address[#port]   (bind to source address/port)\n"
 "                 -c class            (specify query class)\n"
 "                 -f filename         (batch mode)\n"
+"                 -i                  (use IP6.INT for IPv6 reverse lookups)\n"
 "                 -k keyfile          (specify tsig key file)\n"
 "                 -m                  (enable memory usage debugging)\n"
 "                 -p port             (specify port number)\n"
 "                 -q name             (specify query name)\n"
-"                 -r                  (do not read ~/.digrc)\n"
 "                 -t type             (specify query type)\n"
 "                 -u                  (display times in usec instead of msec)\n"
 "                 -x dot-notation     (shortcut for reverse lookups)\n"
@@ -173,13 +175,11 @@ help(void) {
 "                 +bufsize=###        (Set EDNS0 Max UDP packet size)\n"
 "                 +[no]cdflag         (Set checking disabled flag in query)\n"
 "                 +[no]class          (Control display of class in records)\n"
-"                 +[no]cmd            (Control display of command line -\n"
-"                                      global option)\n"
-"                 +[no]comments       (Control display of packet header\n"
-"                                      and section name comments)\n"
+"                 +[no]cmd            (Control display of command line)\n"
+"                 +[no]comments       (Control display of comment lines)\n"
 "                 +[no]cookie         (Add a COOKIE option to the request)\n"
-"                 +[no]crypto         (Control display of cryptographic\n"
-"                                      fields in records)\n"
+"                 +[no]crypto         (Control display of cryptographic "
+				       "fields in records)\n"
 "                 +[no]defname        (Use search list (+[no]search))\n"
 "                 +[no]dnssec         (Request DNSSEC records)\n"
 "                 +domain=###         (Set default domainname)\n"
@@ -189,20 +189,15 @@ help(void) {
 "                 +[no]ednsnegotiation (Set EDNS version negotiation)\n"
 "                 +ednsopt=###[:value] (Send specified EDNS option)\n"
 "                 +noednsopt          (Clear list of +ednsopt options)\n"
-"                 +[no]expandaaaa     (Expand AAAA records)\n"
 "                 +[no]expire         (Request time to expire)\n"
 "                 +[no]fail           (Don't try next server on SERVFAIL)\n"
 "                 +[no]header-only    (Send query without a question section)\n"
 "                 +[no]identify       (ID responders in short answers)\n"
-#ifdef HAVE_LIBIDN2
-"                 +[no]idnin          (Parse IDN names [default=on on tty])\n"
-"                 +[no]idnout         (Convert IDN response "
-					"[default=on on tty])\n"
-#endif
+"                 +[no]idnin          (Parse IDN names)\n"
+"                 +[no]idnout         (Convert IDN response)\n"
 "                 +[no]ignore         (Don't revert to TCP for TC responses.)\n"
 "                 +[no]keepalive      (Request EDNS TCP keepalive)\n"
-"                 +[no]keepopen       (Keep the TCP socket open between "
-					"queries)\n"
+"                 +[no]keepopen       (Keep the TCP socket open between queries)\n"
 "                 +[no]mapped         (Allow mapped IPv4 over IPv6)\n"
 "                 +[no]multiline      (Print records in an expanded format)\n"
 "                 +ndots=###          (Set search NDOTS value)\n"
@@ -221,7 +216,7 @@ help(void) {
 					"comments)\n"
 "                 +[no]search         (Set whether to use searchlist)\n"
 "                 +[no]short          (Display nothing except short\n"
-"                                      form of answers - global option)\n"
+"                                      form of answer)\n"
 "                 +[no]showsearch     (Search with intermediate results)\n"
 "                 +[no]split=##       (Split hex/base64 fields into chunks)\n"
 "                 +[no]stats          (Control display of statistics)\n"
@@ -229,17 +224,12 @@ help(void) {
 "                 +[no]tcflag         (Set TC flag in query (+[no]tcflag))\n"
 "                 +[no]tcp            (TCP mode (+[no]vc))\n"
 "                 +timeout=###        (Set query timeout) [5]\n"
-"                 +[no]trace          (Trace delegation down from root "
-					"[+dnssec])\n"
+"                 +[no]trace          (Trace delegation down from root [+dnssec])\n"
 "                 +tries=###          (Set number of UDP attempts) [3]\n"
 "                 +[no]ttlid          (Control display of ttls in records)\n"
 "                 +[no]ttlunits       (Display TTLs in human-readable units)\n"
-"                 +[no]unexpected     (Print replies from unexpected sources\n"
-"                                      default=off)\n"
-"                 +[no]unknownformat  (Print RDATA in RFC 3597 \"unknown\" "
-					"format)\n"
+"                 +[no]unknownformat  (Print RDATA in RFC 3597 \"unknown\" format)\n"
 "                 +[no]vc             (TCP mode (+[no]tcp))\n"
-"                 +[no]yaml           (Present the results as YAML)\n"
 "                 +[no]zflag          (Set Z flag in query)\n"
 "        global d-opts and servers (before host name) affect all queries.\n"
 "        local d-opts and servers (after host name) affect only that lookup.\n"
@@ -265,11 +255,7 @@ received(unsigned int bytes, isc_sockaddr_t *from, dig_query_t *query) {
 
 	isc_sockaddr_format(from, fromtext, sizeof(fromtext));
 
-	if (short_form || yaml) {
-		return;
-	}
-
-	if (query->lookup->stats) {
+	if (query->lookup->stats && !short_form) {
 		diff = isc_time_microdiff(&query->time_recv, &query->time_sent);
 		if (query->lookup->use_usec)
 			printf(";; Query time: %ld usec\n", (long) diff);
@@ -290,15 +276,11 @@ received(unsigned int bytes, isc_sockaddr_t *from, dig_query_t *query) {
 		 */
 		if (wcsftime(time_str, sizeof(time_str)/sizeof(time_str[0]),
 			     L"%a %b %d %H:%M:%S %Z %Y", &tmnow) > 0U)
-		{
 			printf(";; WHEN: %ls\n", time_str);
-		}
 #else
 		if (strftime(time_str, sizeof(time_str),
 			     "%a %b %d %H:%M:%S %Z %Y", &tmnow) > 0U)
-		{
 			printf(";; WHEN: %s\n", time_str);
-		}
 #endif
 		if (query->lookup->doing_xfr) {
 			printf(";; XFR size: %u records (messages %u, "
@@ -309,32 +291,30 @@ received(unsigned int bytes, isc_sockaddr_t *from, dig_query_t *query) {
 			printf(";; MSG SIZE  rcvd: %u\n", bytes);
 		}
 		if (tsigkey != NULL) {
-			if (!validated) {
+			if (!validated)
 				puts(";; WARNING -- Some TSIG could not "
 				     "be validated");
-			}
 		}
 		if ((tsigkey == NULL) && (keysecret[0] != 0)) {
 			puts(";; WARNING -- TSIG key was not used.");
 		}
 		puts("");
-	} else if (query->lookup->identify) {
+	} else if (query->lookup->identify && !short_form) {
 		diff = isc_time_microdiff(&query->time_recv, &query->time_sent);
-		if (query->lookup->use_usec) {
+		if (query->lookup->use_usec)
 			printf(";; Received %" PRIu64 " bytes "
 			       "from %s(%s) in %ld us\n\n",
 			       query->lookup->doing_xfr
 				 ? query->byte_count
 				 : (uint64_t)bytes,
 			       fromtext, query->userarg, (long) diff);
-		} else {
+		else
 			printf(";; Received %" PRIu64 " bytes "
 			       "from %s(%s) in %ld ms\n\n",
 			       query->lookup->doing_xfr
 				 ?  query->byte_count
 				 : (uint64_t)bytes,
 			       fromtext, query->userarg, (long) diff / 1000);
-		}
 	}
 }
 
@@ -373,24 +353,20 @@ say_message(dns_rdata_t *rdata, dig_query_t *query, isc_buffer_t *buf) {
 		styleflags |= DNS_STYLEFLAG_NOCRYPTO;
 	if (query->lookup->print_unknown_format)
 		styleflags |= DNS_STYLEFLAG_UNKNOWNFORMAT;
-	if (query->lookup->expandaaaa)
-		styleflags |= DNS_STYLEFLAG_EXPANDAAAA;
 	result = dns_rdata_tofmttext(rdata, NULL, styleflags, 0,
 				     splitwidth, " ", buf);
-	if (result == ISC_R_NOSPACE) {
+	if (result == ISC_R_NOSPACE)
 		return (result);
-	}
 	check_result(result, "dns_rdata_totext");
 	if (query->lookup->identify) {
+
 		diff = isc_time_microdiff(&query->time_recv, &query->time_sent);
 		ADD_STRING(buf, " from server ");
 		ADD_STRING(buf, query->servname);
 		if (query->lookup->use_usec) {
-			snprintf(store, sizeof(store),
-				 " in %" PRIu64 " us.", diff);
+			snprintf(store, sizeof(store), " in %" PRIu64 " us.", diff);
 		} else {
-			snprintf(store, sizeof(store),
-				 " in %" PRIu64 " ms.", diff / 1000);
+			snprintf(store, sizeof(store), " in %" PRIu64 " ms.", diff / 1000);
 		}
 		ADD_STRING(buf, store);
 	}
@@ -430,7 +406,8 @@ short_answer(dns_message_t *msg, dns_messagetextflag_t flags,
 			loopresult = dns_rdataset_first(rdataset);
 			while (loopresult == ISC_R_SUCCESS) {
 				dns_rdataset_current(rdataset, &rdata);
-				result = say_message(&rdata, query, buf);
+				result = say_message(&rdata, query,
+						     buf);
 				if (result == ISC_R_NOSPACE)
 					return (result);
 				check_result(result, "say_message");
@@ -472,85 +449,60 @@ isdotlocal(dns_message_t *msg) {
  * Callback from dighost.c to print the reply from a server
  */
 static isc_result_t
-printmessage(dig_query_t *query, const isc_buffer_t *msgbuf,
-	     dns_message_t *msg, bool headers)
-{
+printmessage(dig_query_t *query, dns_message_t *msg, bool headers) {
 	isc_result_t result;
 	dns_messagetextflag_t flags;
 	isc_buffer_t *buf = NULL;
 	unsigned int len = OUTPUTBUF;
 	dns_master_style_t *style = NULL;
 	unsigned int styleflags = 0;
-	bool isquery = (msg == query->lookup->sendmsg);
-
-	UNUSED(msgbuf);
 
 	styleflags |= DNS_STYLEFLAG_REL_OWNER;
-	if (yaml) {
-		msg->indent.string = "  ";
-		msg->indent.count = 3;
-		styleflags |= DNS_STYLEFLAG_YAML;
-	} else {
-		if (query->lookup->comments) {
-			styleflags |= DNS_STYLEFLAG_COMMENT;
-		}
-		if (query->lookup->print_unknown_format) {
-			styleflags |= DNS_STYLEFLAG_UNKNOWNFORMAT;
-		}
-		/* Turn on rrcomments if explicitly enabled */
-		if (query->lookup->rrcomments > 0) {
+	if (query->lookup->comments)
+		styleflags |= DNS_STYLEFLAG_COMMENT;
+	if (query->lookup->print_unknown_format)
+		styleflags |= DNS_STYLEFLAG_UNKNOWNFORMAT;
+	/* Turn on rrcomments if explicitly enabled */
+	if (query->lookup->rrcomments > 0)
+		styleflags |= DNS_STYLEFLAG_RRCOMMENT;
+	if (query->lookup->ttlunits)
+		styleflags |= DNS_STYLEFLAG_TTL_UNITS;
+	if (query->lookup->nottl)
+		styleflags |= DNS_STYLEFLAG_NO_TTL;
+	if (query->lookup->noclass)
+		styleflags |= DNS_STYLEFLAG_NO_CLASS;
+	if (query->lookup->nocrypto)
+		styleflags |= DNS_STYLEFLAG_NOCRYPTO;
+	if (query->lookup->multiline) {
+		styleflags |= DNS_STYLEFLAG_OMIT_OWNER;
+		styleflags |= DNS_STYLEFLAG_OMIT_CLASS;
+		styleflags |= DNS_STYLEFLAG_REL_DATA;
+		styleflags |= DNS_STYLEFLAG_OMIT_TTL;
+		styleflags |= DNS_STYLEFLAG_TTL;
+		styleflags |= DNS_STYLEFLAG_MULTILINE;
+		/* Turn on rrcomments unless explicitly disabled */
+		if (query->lookup->rrcomments >= 0)
 			styleflags |= DNS_STYLEFLAG_RRCOMMENT;
-		}
-		if (query->lookup->ttlunits) {
-			styleflags |= DNS_STYLEFLAG_TTL_UNITS;
-		}
-		if (query->lookup->nottl) {
-			styleflags |= DNS_STYLEFLAG_NO_TTL;
-		}
-		if (query->lookup->noclass) {
-			styleflags |= DNS_STYLEFLAG_NO_CLASS;
-		}
-		if (query->lookup->nocrypto) {
-			styleflags |= DNS_STYLEFLAG_NOCRYPTO;
-		}
-		if (query->lookup->expandaaaa) {
-			styleflags |= DNS_STYLEFLAG_EXPANDAAAA;
-		}
-		if (query->lookup->multiline) {
-			styleflags |= DNS_STYLEFLAG_OMIT_OWNER;
-			styleflags |= DNS_STYLEFLAG_OMIT_CLASS;
-			styleflags |= DNS_STYLEFLAG_REL_DATA;
-			styleflags |= DNS_STYLEFLAG_OMIT_TTL;
-			styleflags |= DNS_STYLEFLAG_TTL;
-			styleflags |= DNS_STYLEFLAG_MULTILINE;
-			/* Turn on rrcomments unless explicitly disabled */
-			if (query->lookup->rrcomments >= 0) {
-				styleflags |= DNS_STYLEFLAG_RRCOMMENT;
-			}
-		}
 	}
 	if (query->lookup->multiline ||
 	    (query->lookup->nottl && query->lookup->noclass))
-	{
 		result = dns_master_stylecreate(&style, styleflags,
 						24, 24, 24, 32, 80, 8,
 						splitwidth, mctx);
-	} else if (query->lookup->nottl || query->lookup->noclass) {
+	else if (query->lookup->nottl || query->lookup->noclass)
 		result = dns_master_stylecreate(&style, styleflags,
 						24, 24, 32, 40, 80, 8,
 						splitwidth, mctx);
-	} else {
+	else
 		result = dns_master_stylecreate(&style, styleflags,
 						24, 32, 40, 48, 80, 8,
 						splitwidth, mctx);
-	}
 	check_result(result, "dns_master_stylecreate");
 
 	if (query->lookup->cmdline[0] != 0) {
-		if (!short_form && printcmd) {
+		if (!short_form)
 			fputs(query->lookup->cmdline, stdout);
-		}
-		query->lookup->cmdline[0] = '\0';
+		query->lookup->cmdline[0]=0;
 	}
 	debug("printmessage(%s %s %s)", headers ? "headers" : "noheaders",
 	      query->lookup->comments ? "comments" : "nocomments",
@@ -571,110 +523,13 @@ printmessage(dig_query_t *query, const isc_buffer_t *msgbuf,
 	result = isc_buffer_allocate(mctx, &buf, len);
 	check_result(result, "isc_buffer_allocate");
 
-	if (yaml) {
-		enum { Q = 0x1, R = 0x2 }; /* Q:query; R:ecursive */
-		unsigned int tflag = 0;
-		isc_sockaddr_t saddr;
-		char sockstr[ISC_SOCKADDR_FORMATSIZE];
-		uint16_t sport;
-		char *hash;
-		int pf;
-
-		printf("-\n");
-		printf("  type: MESSAGE\n");
-		printf("  message:\n");
-
-		if (isquery) {
-			tflag |= Q;
-			if ((msg->flags & DNS_MESSAGEFLAG_RD) != 0) {
-				tflag |= R;
-			}
-		} else if (((msg->flags & DNS_MESSAGEFLAG_RD) != 0) &&
-			   ((msg->flags & DNS_MESSAGEFLAG_RA) != 0))
-		{
-			tflag |= R;
-		}
-
-		if (tflag == (Q|R)) {
-			printf("    type: RECURSIVE_QUERY\n");
-		} else if (tflag == Q) {
-			printf("    type: AUTH_QUERY\n");
-		} else if (tflag == R) {
-			printf("    type: RECURSIVE_RESPONSE\n");
-		} else {
-			printf("    type: AUTH_RESPONSE\n");
-		}
-
-		if (!isc_time_isepoch(&query->time_sent)) {
-			char tbuf[100];
-			isc_time_formatISO8601ms(&query->time_sent,
-						 tbuf, sizeof(tbuf));
-			printf("    query_time: !!timestamp %s\n", tbuf);
-		}
-
-		if (!isquery && !isc_time_isepoch(&query->time_recv)) {
-			char tbuf[100];
-			isc_time_formatISO8601ms(&query->time_recv,
-						 tbuf, sizeof(tbuf));
-			printf("    response_time: !!timestamp %s\n", tbuf);
-		}
-
-		printf("    message_size: %ub\n",
-		       isc_buffer_usedlength(msgbuf));
-
-		pf = isc_sockaddr_pf(&query->sockaddr);
-		if (pf == PF_INET || pf == PF_INET6) {
-			printf("    socket_family: %s\n",
-			       pf == PF_INET ? "INET" : "INET6");
-
-			printf("    socket_protocol: %s\n",
-			       query->lookup->tcp_mode ? "TCP" : "UDP");
-
-			sport = isc_sockaddr_getport(&query->sockaddr);
-			isc_sockaddr_format(&query->sockaddr,
-					    sockstr, sizeof(sockstr));
-			hash = strchr(sockstr, '#');
-			if (hash != NULL) {
-				*hash = '\0';
-			}
-			if (strcmp(sockstr, "::") == 0) {
-				strlcat(sockstr, "0", sizeof(sockstr));
-			}
-
-			printf("    response_address: %s\n", sockstr);
-			printf("    response_port: %u\n", sport);
-		}
-
-		if (query->sock != NULL &&
-		    isc_socket_getsockname(query->sock, &saddr)
-		      == ISC_R_SUCCESS)
-		{
-			sport = isc_sockaddr_getport(&saddr);
-			isc_sockaddr_format(&saddr, sockstr, sizeof(sockstr));
-			hash = strchr(sockstr, '#');
-			if (hash != NULL) {
-				*hash = '\0';
-			}
-			if (strcmp(sockstr, "::") == 0) {
-				strlcat(sockstr, "0", sizeof(sockstr));
-			}
-
-			printf("    query_address: %s\n", sockstr);
-			printf("    query_port: %u\n", sport);
-		}
-
-		printf("    %s:\n", isquery ? "query_message_data"
-					    : "response_message_data");
-		result = dns_message_headertotext(msg, style, flags, buf);
-	} else if (query->lookup->comments && !short_form) {
-		if (query->lookup->cmdline[0] != '\0' && printcmd) {
+	if (query->lookup->comments && !short_form) {
+		if (query->lookup->cmdline[0] != 0)
 			printf("; %s\n", query->lookup->cmdline);
-		}
-		if (msg == query->lookup->sendmsg) {
+		if (msg == query->lookup->sendmsg)
 			printf(";; Sending:\n");
-		} else {
+		else
 			printf(";; Got answer:\n");
-		}
 
 		if (headers) {
 			if (isdotlocal(msg)) {
@@ -819,9 +674,8 @@ buftoosmall:
 		}
 	}
 
-	if (headers && query->lookup->comments && !short_form && !yaml) {
+	if (headers && query->lookup->comments && !short_form)
 		printf("\n");
-	}
 
 	printf("%.*s", (int)isc_buffer_usedlength(buf),
 	       (char *)isc_buffer_base(buf));
@@ -1180,24 +1034,8 @@ plus_option(char *option, bool is_batchfile,
 			}
 			break;
 		case 'x':
-			switch (cmd[2]) {
-			case 'p':
-				switch(cmd[3]) {
-				case 'a':
-					FULLCHECK("expandaaaa");
-					lookup->expandaaaa = state;
-					break;
-				case 'i':
-					FULLCHECK("expire");
-					lookup->expire = state;
-					break;
-				default:
-					goto invalid_option;
-				}
-				break;
-			default:
-				goto invalid_option;
-			}
+			FULLCHECK("expire");
+			lookup->expire = state;
 			break;
 		default:
 			goto invalid_option;
@@ -1605,7 +1443,7 @@ plus_option(char *option, bool is_batchfile,
 				lookup->trace = state;
 				lookup->trace_root = state;
 				if (state) {
-					lookup->recurse = true;
+					lookup->recurse = false;
 					lookup->identify = true;
 					lookup->comments = false;
 					lookup->rrcomments = 0;
@@ -1669,25 +1507,8 @@ plus_option(char *option, bool is_batchfile,
 		}
 		break;
 	case 'u':
-		switch (cmd[1]) {
-		case 'n':
-			switch (cmd[2]) {
-			case 'e':
-				FULLCHECK("unexpected");
-				lookup->accept_reply_unexpected_src = state;
-				break;
-			case 'k':
-				FULLCHECK("unknownformat");
-				lookup->print_unknown_format = state;
-				break;
-			default:
-				goto invalid_option;
-			}
-			break;
-		default:
-			goto invalid_option;
-		}
-
+		FULLCHECK("unknownformat");
+		lookup->print_unknown_format = state;
 		break;
 	case 'v':
 		FULLCHECK("vc");
@@ -1696,15 +1517,6 @@ plus_option(char *option, bool is_batchfile,
 			lookup->tcp_mode_set = true;
 		}
 		break;
-	case 'y': /* yaml */
-		FULLCHECK("yaml");
-		yaml = state;
-		if (state) {
-			printcmd = false;
-			lookup->stats = false;
-			lookup->rrcomments = -1;
-		}
-		break;
 	case 'z': /* zflag */
 		FULLCHECK("zflag");
 		lookup->zflag = state;
@@ -1730,8 +1542,8 @@ plus_option(char *option, bool is_batchfile,
 /*%
  * #true returned if value was used
  */
-static const char *single_dash_opts = "46dhimnruv";
-static const char *dash_opts = "46bcdfhikmnpqrtvyx";
+static const char *single_dash_opts = "46dhimnuv";
+static const char *dash_opts = "46bcdfhikmnptvyx";
 static bool
 dash_option(char *option, char *next, dig_lookup_t **lookup,
 	    bool *open_type_class, bool *need_clone,
@@ -1794,7 +1606,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 			exit(0);
 			break;
 		case 'i':
-			/* deprecated */
+			ip6_int = true;
 			break;
 		case 'm': /* memdebug */
 			/* memdebug is handled in preparse_args() */
@@ -1802,10 +1614,6 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 		case 'n':
 			/* deprecated */
 			break;
-		case 'r':
-			debug("digrc (late)");
-			digrc = false;
-			break;
 		case 'u':
 			(*lookup)->use_usec = true;
 			break;
@@ -1874,7 +1682,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 				value);
 		return (value_from_next);
 	case 'f':
-		atomic_store(&batchname, (uintptr_t)value);
+		batchname = value;
 		return (value_from_next);
 	case 'k':
 		strlcpy(keyfile, value, sizeof(keyfile));
@@ -1979,12 +1787,13 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 			*lookup = clone_lookup(default_lookup, true);
 		*need_clone = true;
 		if (get_reverse(textname, sizeof(textname), value,
-				false) == ISC_R_SUCCESS) {
+				ip6_int, false) == ISC_R_SUCCESS) {
 			strlcpy((*lookup)->textname, textname,
 				sizeof((*lookup)->textname));
 			debug("looking up %s", (*lookup)->textname);
 			(*lookup)->trace_root = ((*lookup)->trace  ||
 						 (*lookup)->ns_search_only);
+			(*lookup)->ip6_int = ip6_int;
 			if (!(*lookup)->rdtypeset)
 				(*lookup)->rdtype = dns_rdatatype_ptr;
 			if (!(*lookup)->rdclassset)
@@ -2032,23 +1841,11 @@ preparse_args(int argc, char **argv) {
 		option = &rv[0][1];
 		while (strpbrk(option, single_dash_opts) == &option[0]) {
 			switch (option[0]) {
-			case 'd':
-				/* For debugging early startup */
-				debugging = true;
-				break;
 			case 'm':
 				memdebugging = true;
 				isc_mem_debugging = ISC_MEM_DEBUGTRACE |
 					ISC_MEM_DEBUGRECORD;
 				break;
-			case 'r':
-				/*
-				 * Must be done early, because ~/.digrc
-				 * is read before command line parsing
-				 */
-				debug("digrc (early)");
-				digrc = false;
-				break;
 			case '4':
 				if (ipv6only)
 					fatal("only one of -4 and -6 allowed");
@@ -2062,20 +1859,6 @@ preparse_args(int argc, char **argv) {
 			}
 			option = &option[1];
 		}
-		if (strlen(option) == 0U) {
-			continue;
-		}
-		/* Look for dash value option. */
-		if (strpbrk(option, dash_opts) != &option[0] ||
-		    strlen(option) > 1U) {
-			/* Error or value in option. */
-			continue;
-		}
-		/* Dash value is next argument so we need to skip it. */
-		rc--, rv++;
-		/* Handle missing argument */
-		if (rc == 0)
-			break;
 	}
 }
 
@@ -2142,9 +1925,8 @@ parse_args(bool is_batchfile, bool config_only,
 		 */
 		INSIST(batchfp == NULL);
 		homedir = getenv("HOME");
-		if (homedir != NULL && digrc) {
+		if (homedir != NULL) {
 			unsigned int n;
-			debug("digrc (open)");
 			n = snprintf(rcfile, sizeof(rcfile), "%s/.digrc",
 				     homedir);
 			if (n < sizeof(rcfile)) {
@@ -2327,15 +2109,13 @@ parse_args(bool is_batchfile, bool config_only,
 	 * first entry, then trust the callback in dighost_shutdown
 	 * to get the rest
 	 */
-	char *filename = (char *)atomic_load(&batchname);
-	if ((filename != NULL) && !(is_batchfile)) {
-		if (strcmp(filename, "-") == 0) {
+	if ((batchname != NULL) && !(is_batchfile)) {
+		if (strcmp(batchname, "-") == 0)
 			batchfp = stdin;
-		} else {
-			batchfp = fopen(filename, "r");
-		}
+		else
+			batchfp = fopen(batchname, "r");
 		if (batchfp == NULL) {
-			perror(filename);
+			perror(batchname);
 			if (exitcode < 8)
 				exitcode = 8;
 			fatal("couldn't open specified batch file");
@@ -2390,14 +2170,14 @@ query_finished(void) {
 	int bargc;
 	char *bargv[16];
 
-	if (atomic_load(&batchname) == 0) {
+	if (batchname == NULL) {
 		isc_app_shutdown();
 		return;
 	}
 
 	fflush(stdout);
 	if (feof(batchfp)) {
-		atomic_store(&batchname, 0);
+		batchname = NULL;
 		isc_app_shutdown();
 		if (batchfp != stdin)
 			fclose(batchfp);
@@ -2411,7 +2191,7 @@ query_finished(void) {
 		parse_args(true, false, bargc, (char **)bargv);
 		start_lookup();
 	} else {
-		atomic_store(&batchname, 0);
+		batchname = NULL;
 		if (batchfp != stdin)
 			fclose(batchfp);
 		isc_app_shutdown();
@@ -2419,67 +2199,8 @@ query_finished(void) {
 	}
 }
 
-static void
-dig_error(const char *format, ...) {
-	va_list args;
-
-	if (yaml) {
-		printf("-\n");
-		printf("  type: DIG_ERROR\n");
-
-		/*
-		 * Print an indent before a literal block quote.
-		 * Note: this will break if used to print more than
-		 * one line of text as only the first line would be
-		 * indented.
-		 */
-		printf("  message: |\n");
-		printf("    ");
-	} else {
-		printf(";; ");
-	}
-
-	va_start(args, format);
-	vprintf(format, args);
-	va_end(args);
-
-	if (!yaml) {
-		printf("\n");
-	}
-}
-
-static void
-dig_warning(const char *format, ...) {
-	va_list args;
-
-	if (!yaml) {
-		printf(";; ");
-
-		va_start(args, format);
-		vprintf(format, args);
-		va_end(args);
-
-		printf("\n");
-	}
-}
-
-static void
-dig_comments(dig_lookup_t *lookup, const char *format, ...) {
-	va_list args;
-
-	if (lookup->comments && !yaml) {
-		printf(";; ");
-
-		va_start(args, format);
-		vprintf(format, args);
-		va_end(args);
-
-		printf("\n");
-	}
-}
-
-void
-dig_setup(int argc, char **argv) {
+void dig_setup(int argc, char **argv)
+{
 	isc_result_t result;
 
 	ISC_LIST_INIT(lookup_list);
@@ -2493,9 +2214,6 @@ dig_setup(int argc, char **argv) {
 	dighost_received = received;
 	dighost_trying = trying;
 	dighost_shutdown = query_finished;
-	dighost_error = dig_error;
-	dighost_warning = dig_warning;
-	dighost_comments = dig_comments;
 
 	progname = argv[0];
 	preparse_args(argc, argv);
@@ -2541,11 +2259,10 @@ void dig_query_start()
 void
 dig_shutdown() {
 	destroy_lookup(default_lookup);
-	if (atomic_load(&batchname) != 0) {
-		if (batchfp != stdin) {
+	if (batchname != NULL) {
+		if (batchfp != stdin)
 			fclose(batchfp);
-		}
-		atomic_store(&batchname, 0);
+		batchname = NULL;
 	}
 	cancel_all();
 	destroy_libs();

bin/dig/dig.docbook

@@ -52,8 +52,6 @@
       <year>2016</year>
       <year>2017</year>
       <year>2018</year>
-      <year>2019</year>
-      <year>2020</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
@@ -133,10 +131,9 @@
 
     <para>
       It is possible to set per-user defaults for <command>dig</command> via
-      <filename>${HOME}/.digrc</filename>. This file is read and any
-      options in it are applied before the command line arguments.
-      The <option>-r</option> option disables this feature, for
-      scripts that need predictable behaviour.
+      <filename>${HOME}/.digrc</filename>.  This file is read and
+      any options in it
+      are applied before the command line arguments.
     </para>
 
     <para>
@@ -274,6 +271,17 @@
 	</listitem>
       </varlistentry>
 
+      <varlistentry>
+	<term>-i</term>
+	<listitem>
+	  <para>
+	    Do reverse IPv6 lookups using the obsolete RFC 1886 IP6.INT
+	    domain, which is no longer in use. Obsolete bit string
+	    label queries (RFC 2874) are not attempted.
+	  </para>
+	</listitem>
+      </varlistentry>
+
       <varlistentry>
 	<term>-k <replaceable class="parameter">keyfile</replaceable></term>
 	<listitem>
@@ -326,16 +334,6 @@
 	</listitem>
       </varlistentry>
 
-      <varlistentry>
-	<term>-r</term>
-	<listitem>
-	  <para>
-	    Do not read options from <filename>${HOME}/.digrc</filename>.
-	    This is useful for scripts that need predictable behaviour.
-	  </para>
-	</listitem>
-      </varlistentry>
-
       <varlistentry>
 	<term>-t <replaceable class="parameter">type</replaceable></term>
 	<listitem>
@@ -396,7 +394,8 @@
 	    <literal>94.2.0.192.in-addr.arpa</literal> and sets the
 	    query type and class to PTR and IN respectively. IPv6
 	    addresses are looked up using nibble format under the
-	    IP6.ARPA domain.
+	    IP6.ARPA domain (but see also the <option>-i</option>
+	    option).
 	  </para>
 	</listitem>
       </varlistentry>
@@ -594,11 +593,9 @@
 	  <listitem>
 	    <para>
 	      Toggles the printing of the initial comment in the
-	      output, identifying the version of <command>dig</command>
-	      and the query options that have been applied.  This option
-	      always has global effect; it cannot be set globally
-	      and then overridden on a per-lookup basis.  The default
-	      is to print this comment.
+	      output identifying the version of <command>dig</command>
+	      and the query options that have been applied.  This
+	      comment is printed by default.
 	    </para>
 	  </listitem>
 	</varlistentry>
@@ -607,18 +604,8 @@
 	  <term><option>+[no]comments</option></term>
 	  <listitem>
 	    <para>
-	      Toggles the display of some comment lines in the output,
-	      containing information about the packet header and
-	      OPT pseudosection, and the names of the response
-	      section.  The default is to print these comments.
-	    </para>
-	    <para>
-	      Other types of comments in the output are not affected by
-	      this option, but can be controlled using other command
-	      line switches. These include <command>+[no]cmd</command>,
-	      <command>+[no]question</command>,
-	      <command>+[no]stats</command>, and
-	      <command>+[no]rrcomments</command>.
+	      Toggle the display of comment lines in the output.
+	      The default is to print comments.
 	    </para>
 	  </listitem>
 	</varlistentry>
@@ -760,16 +747,6 @@
 	  </listitem>
 	</varlistentry>
 
-	<varlistentry>
-	  <term><option>+[no]expandaaaa</option></term>
-	  <listitem>
-	    <para>
-	      When printing AAAA record print all zero nibbles rather
-	      than the default RFC 5952 preferred presentation format.
-	    </para>
-	  </listitem>
-	</varlistentry>
-
 	<varlistentry>
 	  <term><option>+[no]fail</option></term>
 	  <listitem>
@@ -812,13 +789,7 @@
 	    <para>
 	      Process [do not process] IDN domain names on input.
 	      This requires IDN SUPPORT to have been enabled at
-	      compile time.
-	    </para>
-	    <para>
-	      The default is to process IDN input when standard output
-	      is a tty.  The IDN processing on input is disabled when
-	      dig output is redirected to files, pipes, and other
-	      non-tty file descriptors.
+	      compile time.  The default is to process IDN input.
 	    </para>
 	  </listitem>
 	</varlistentry>
@@ -829,13 +800,7 @@
 	    <para>
 	      Convert [do not convert] puny code on output.
 	      This requires IDN SUPPORT to have been enabled at
-	      compile time.
-	    </para>
-	    <para>
-	      The default is to process puny code on output when
-	      standard output is a tty.  The puny code processing on
-	      output is disabled when dig output is redirected to
-	      files, pipes, and other non-tty file descriptors.
+	      compile time.  The default is to convert output.
 	    </para>
 	  </listitem>
 	</varlistentry>
@@ -978,8 +943,8 @@
 	  <term><option>+[no]qr</option></term>
 	  <listitem>
 	    <para>
-	      Toggles the display of the query message as it is sent.
-	      By default, the query is not printed.
+	      Print [do not print] the query as it is sent.  By
+	      default, the query is not printed.
 	    </para>
 	  </listitem>
 	</varlistentry>
@@ -988,7 +953,7 @@
 	  <term><option>+[no]question</option></term>
 	  <listitem>
 	    <para>
-	      Toggles the display of the question section of a query
+	      Print [do not print] the question section of a query
 	      when an answer is returned.  The default is to print
 	      the question section as a comment.
 	    </para>
@@ -1023,10 +988,8 @@
 	      in the query.  This bit is set by default, which means
 	      <command>dig</command> normally sends recursive
 	      queries.  Recursion is automatically disabled when
-	      using the <parameter>+nssearch</parameter> option, and
-	      when using <parameter>+trace</parameter> except for
-	      an initial recursive query to get the list of root
-	      servers.
+	      the <parameter>+nssearch</parameter> or
+	      <parameter>+trace</parameter> query options are used.
 	    </para>
 	  </listitem>
 	</varlistentry>
@@ -1079,9 +1042,7 @@
 	  <listitem>
 	    <para>
 	      Provide a terse answer.  The default is to print the
-	      answer in a verbose form.  This option always has global
-	      effect; it cannot be set globally and then overridden on
-	      a per-lookup basis.
+	      answer in a verbose form.
 	    </para>
 	  </listitem>
 	</varlistentry>
@@ -1126,9 +1087,10 @@
 	  <term><option>+[no]stats</option></term>
 	  <listitem>
 	    <para>
-	      Toggles the printing of statistics: when the query was made,
-	      the size of the reply and so on.  The default behavior is to
-	      print the query statistics as a comment after each lookup.
+	      This query option toggles the printing of statistics:
+	      when the query was made, the size of the reply and
+	      so on.  The default behavior is to print the query
+	      statistics.
 	    </para>
 	  </listitem>
 	</varlistentry>
@@ -1270,17 +1232,6 @@
 	  </listitem>
 	</varlistentry>
 
-	<varlistentry>
-	  <term><option>+[no]unexpected</option></term>
-	  <listitem>
-	    <para>
-	      Accept [do not accept] answers from unexpected sources.  By
-	      default, <command>dig</command> won't accept a reply from a
-	      source other than the one to which it sent the query.
-	    </para>
-	  </listitem>
-	</varlistentry>
-
 	<varlistentry>
 	  <term><option>+[no]unknownformat</option></term>
 	  <listitem>
@@ -1304,16 +1255,6 @@
 	  </listitem>
 	</varlistentry>
 
-	<varlistentry>
-	  <term><option>+[no]yaml</option></term>
-	  <listitem>
-	    <para>
-	      Print the responses (and, if <option>+qr</option> is in use,
-	      also the outgoing queries) in a detailed YAML format.
-	    </para>
-	  </listitem>
-	</varlistentry>
-
 	<varlistentry>
 	  <term><option>+[no]zflag</option></term>
 	  <listitem>

bin/dig/dig.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2011, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2011, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -106,10 +106,9 @@
 
     <p>
       It is possible to set per-user defaults for <span class="command"><strong>dig</strong></span> via
-      <code class="filename">${HOME}/.digrc</code>. This file is read and any
-      options in it are applied before the command line arguments.
-      The <code class="option">-r</code> option disables this feature, for
-      scripts that need predictable behaviour.
+      <code class="filename">${HOME}/.digrc</code>.  This file is read and
+      any options in it
+      are applied before the command line arguments.
     </p>
 
     <p>
@@ -228,6 +227,14 @@
 	    <span class="command"><strong>dig</strong></span> using the command-line interface.
 	  </p>
 	</dd>
+<dt><span class="term">-i</span></dt>
+<dd>
+	  <p>
+	    Do reverse IPv6 lookups using the obsolete RFC 1886 IP6.INT
+	    domain, which is no longer in use. Obsolete bit string
+	    label queries (RFC 2874) are not attempted.
+	  </p>
+	</dd>
 <dt><span class="term">-k <em class="replaceable"><code>keyfile</code></em></span></dt>
 <dd>
 	  <p>
@@ -267,13 +274,6 @@
 	    the <em class="parameter"><code>name</code></em> from other arguments.
 	  </p>
 	</dd>
-<dt><span class="term">-r</span></dt>
-<dd>
-	  <p>
-	    Do not read options from <code class="filename">${HOME}/.digrc</code>.
-	    This is useful for scripts that need predictable behaviour.
-	  </p>
-	</dd>
 <dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
 <dd>
 	  <p>
@@ -324,7 +324,8 @@
 	    <code class="literal">94.2.0.192.in-addr.arpa</code> and sets the
 	    query type and class to PTR and IN respectively. IPv6
 	    addresses are looked up using nibble format under the
-	    IP6.ARPA domain.
+	    IP6.ARPA domain (but see also the <code class="option">-i</code>
+	    option).
 	  </p>
 	</dd>
 <dt><span class="term">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></span></dt>
@@ -481,28 +482,16 @@
 <dd>
 	    <p>
 	      Toggles the printing of the initial comment in the
-	      output, identifying the version of <span class="command"><strong>dig</strong></span>
-	      and the query options that have been applied.  This option
-	      always has global effect; it cannot be set globally
-	      and then overridden on a per-lookup basis.  The default
-	      is to print this comment.
+	      output identifying the version of <span class="command"><strong>dig</strong></span>
+	      and the query options that have been applied.  This
+	      comment is printed by default.
 	    </p>
 	  </dd>
 <dt><span class="term"><code class="option">+[no]comments</code></span></dt>
 <dd>
 	    <p>
-	      Toggles the display of some comment lines in the output,
-	      containing information about the packet header and
-	      OPT pseudosection, and the names of the response
-	      section.  The default is to print these comments.
-	    </p>
-	    <p>
-	      Other types of comments in the output are not affected by
-	      this option, but can be controlled using other command
-	      line switches. These include <span class="command"><strong>+[no]cmd</strong></span>,
-	      <span class="command"><strong>+[no]question</strong></span>,
-	      <span class="command"><strong>+[no]stats</strong></span>, and
-	      <span class="command"><strong>+[no]rrcomments</strong></span>.
+	      Toggle the display of comment lines in the output.
+	      The default is to print comments.
 	    </p>
 	  </dd>
 <dt><span class="term"><code class="option">+[no]cookie[<span class="optional">=####</span>]</code></span></dt>
@@ -610,13 +599,6 @@
 	      Send an EDNS Expire option.
 	    </p>
 	  </dd>
-<dt><span class="term"><code class="option">+[no]expandaaaa</code></span></dt>
-<dd>
-	    <p>
-	      When printing AAAA record print all zero nibbles rather
-	      than the default RFC 5952 preferred presentation format.
-	    </p>
-	  </dd>
 <dt><span class="term"><code class="option">+[no]fail</code></span></dt>
 <dd>
 	    <p>
@@ -649,13 +631,7 @@
 	    <p>
 	      Process [do not process] IDN domain names on input.
 	      This requires IDN SUPPORT to have been enabled at
-	      compile time.
-	    </p>
-	    <p>
-	      The default is to process IDN input when standard output
-	      is a tty.  The IDN processing on input is disabled when
-	      dig output is redirected to files, pipes, and other
-	      non-tty file descriptors.
+	      compile time.  The default is to process IDN input.
 	    </p>
 	  </dd>
 <dt><span class="term"><code class="option">+[no]idnout</code></span></dt>
@@ -663,13 +639,7 @@
 	    <p>
 	      Convert [do not convert] puny code on output.
 	      This requires IDN SUPPORT to have been enabled at
-	      compile time.
-	    </p>
-	    <p>
-	      The default is to process puny code on output when
-	      standard output is a tty.  The puny code processing on
-	      output is disabled when dig output is redirected to
-	      files, pipes, and other non-tty file descriptors.
+	      compile time.  The default is to convert output.
 	    </p>
 	  </dd>
 <dt><span class="term"><code class="option">+[no]ignore</code></span></dt>
@@ -776,14 +746,14 @@
 <dt><span class="term"><code class="option">+[no]qr</code></span></dt>
 <dd>
 	    <p>
-	      Toggles the display of the query message as it is sent.
-	      By default, the query is not printed.
+	      Print [do not print] the query as it is sent.  By
+	      default, the query is not printed.
 	    </p>
 	  </dd>
 <dt><span class="term"><code class="option">+[no]question</code></span></dt>
 <dd>
 	    <p>
-	      Toggles the display of the question section of a query
+	      Print [do not print] the question section of a query
 	      when an answer is returned.  The default is to print
 	      the question section as a comment.
 	    </p>
@@ -809,10 +779,8 @@
 	      in the query.  This bit is set by default, which means
 	      <span class="command"><strong>dig</strong></span> normally sends recursive
 	      queries.  Recursion is automatically disabled when
-	      using the <em class="parameter"><code>+nssearch</code></em> option, and
-	      when using <em class="parameter"><code>+trace</code></em> except for
-	      an initial recursive query to get the list of root
-	      servers.
+	      the <em class="parameter"><code>+nssearch</code></em> or
+	      <em class="parameter"><code>+trace</code></em> query options are used.
 	    </p>
 	  </dd>
 <dt><span class="term"><code class="option">+retry=T</code></span></dt>
@@ -853,9 +821,7 @@
 <dd>
 	    <p>
 	      Provide a terse answer.  The default is to print the
-	      answer in a verbose form.  This option always has global
-	      effect; it cannot be set globally and then overridden on
-	      a per-lookup basis.
+	      answer in a verbose form.
 	    </p>
 	  </dd>
 <dt><span class="term"><code class="option">+[no]showsearch</code></span></dt>
@@ -888,9 +854,10 @@
 <dt><span class="term"><code class="option">+[no]stats</code></span></dt>
 <dd>
 	    <p>
-	      Toggles the printing of statistics: when the query was made,
-	      the size of the reply and so on.  The default behavior is to
-	      print the query statistics as a comment after each lookup.
+	      This query option toggles the printing of statistics:
+	      when the query was made, the size of the reply and
+	      so on.  The default behavior is to print the query
+	      statistics.
 	    </p>
 	  </dd>
 <dt><span class="term"><code class="option">+[no]subnet=addr[/prefix-length]</code></span></dt>
@@ -1000,14 +967,6 @@
 	      seconds, minutes, hours, days and weeks.  Implies +ttlid.
 	    </p>
 	  </dd>
-<dt><span class="term"><code class="option">+[no]unexpected</code></span></dt>
-<dd>
-	    <p>
-	      Accept [do not accept] answers from unexpected sources.  By
-	      default, <span class="command"><strong>dig</strong></span> won't accept a reply from a
-	      source other than the one to which it sent the query.
-	    </p>
-	  </dd>
 <dt><span class="term"><code class="option">+[no]unknownformat</code></span></dt>
 <dd>
 	    <p>
@@ -1025,13 +984,6 @@
 	      stands for "virtual circuit".
 	    </p>
 	  </dd>
-<dt><span class="term"><code class="option">+[no]yaml</code></span></dt>
-<dd>
-	    <p>
-	      Print the responses (and, if <code class="option">+qr</code> is in use,
-	      also the outgoing queries) in a detailed YAML format.
-	    </p>
-	  </dd>
 <dt><span class="term"><code class="option">+[no]zflag</code></span></dt>
 <dd>
 	    <p>
@@ -1109,9 +1061,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
       reply from the server.
       If you'd like to turn off the IDN support for some reason, use
       parameters <em class="parameter"><code>+noidnin</code></em> and
-      <em class="parameter"><code>+noidnout</code></em> or define
-      the <code class="envar">IDN_DISABLE</code> environment variable.
-
+      <em class="parameter"><code>+noidnout</code></em>.
     </p>
   </div>
 

bin/dig/host.1

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -112,6 +112,11 @@ Print debugging traces\&. Equivalent to the
 verbose option\&.
 .RE
 .PP
+\-i
+.RS 4
+Obsolete\&. Use the IP6\&.INT domain for reverse lookups of IPv6 addresses as defined in RFC1886 and deprecated in RFC4159\&. The default is to use IP6\&.ARPA as specified in RFC3596\&.
+.RE
+.PP
 \-l
 .RS 4
 List zone: The
@@ -252,7 +257,7 @@ If
 \fBhost\fR
 has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names\&.
 \fBhost\fR
-appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server\&. If you\*(Aqd like to turn off the IDN support for some reason, define the
+appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server\&. If you\*(Aqd like to turn off the IDN support for some reason, defines the
 \fBIDN_DISABLE\fR
 environment variable\&. The IDN support is disabled if the variable is set when
 \fBhost\fR
@@ -269,5 +274,5 @@ runs\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2000-2002, 2004, 2005, 2007-2009, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000-2002, 2004, 2005, 2007-2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dig/host.c

@@ -11,6 +11,8 @@
 
 /*! \file */
 
+#include <config.h>
+
 #include <inttypes.h>
 #include <stdbool.h>
 #include <stdlib.h>
@@ -141,6 +143,7 @@ show_usage(void) {
 "       -c specifies query class for non-IN data\n"
 "       -C compares SOA records on authoritative nameservers\n"
 "       -d is equivalent to -v\n"
+"       -i IP6.INT reverse lookups\n"
 "       -l lists all hosts in a domain, using AXFR\n"
 "       -m set memory debugging flag (trace|record|usage)\n"
 "       -N changes the number of dots allowed before root lookup is done\n"
@@ -149,7 +152,6 @@ show_usage(void) {
 "       -s a SERVFAIL response should stop query\n"
 "       -t specifies the query type\n"
 "       -T enables TCP/IP mode\n"
-"       -U enables UDP mode\n"
 "       -v enables verbose output\n"
 "       -V print version number and exit\n"
 "       -w specifies to wait forever for a reply\n"
@@ -394,22 +396,19 @@ chase_cnamechain(dns_message_t *msg, dns_name_t *qname) {
 		dns_rdataset_current(rdataset, &rdata);
 		result = dns_rdata_tostruct(&rdata, &cname, NULL);
 		check_result(result, "dns_rdata_tostruct");
-		dns_name_copynf(&cname.cname, qname);
+		dns_name_copy(&cname.cname, qname, NULL);
 		dns_rdata_freestruct(&cname);
 	}
 }
 
 static isc_result_t
-printmessage(dig_query_t *query, const isc_buffer_t *msgbuf,
-	     dns_message_t *msg, bool headers)
-{
+printmessage(dig_query_t *query, dns_message_t *msg, bool headers) {
 	bool did_flag = false;
 	dns_rdataset_t *opt, *tsig = NULL;
 	const dns_name_t *tsigname;
 	isc_result_t result = ISC_R_SUCCESS;
 	int force_error;
 
-	UNUSED(msgbuf);
 	UNUSED(headers);
 
 	/*
@@ -456,7 +455,7 @@ printmessage(dig_query_t *query, const isc_buffer_t *msgbuf,
 
 		/* Add AAAA and MX lookups. */
 		name = dns_fixedname_initname(&fixed);
-		dns_name_copynf(query->lookup->name, name);
+		dns_name_copy(query->lookup->name, name, NULL);
 		chase_cnamechain(msg, name);
 		dns_name_format(name, namestr, sizeof(namestr));
 		lookup = clone_lookup(query->lookup, false);
@@ -626,29 +625,28 @@ pre_parse_args(int argc, char **argv) {
 		case 'a': break;
 		case 'A': break;
 		case 'c': break;
-		case 'C': break;
 		case 'd': break;
-		case 'D':
-			if (debugging)
-				debugtiming = true;
-			debugging = true;
-			break;
 		case 'i': break;
 		case 'l': break;
 		case 'n': break;
-		case 'N': break;
 		case 'r': break;
-		case 'R': break;
 		case 's': break;
 		case 't': break;
-		case 'T': break;
-		case 'U': break;
 		case 'v': break;
 		case 'V':
 			  version();
 			  exit(0);
 			  break;
 		case 'w': break;
+		case 'C': break;
+		case 'D':
+			if (debugging)
+				debugtiming = true;
+			debugging = true;
+			break;
+		case 'N': break;
+		case 'R': break;
+		case 'T': break;
 		case 'W': break;
 		default:
 			show_usage();
@@ -764,7 +762,7 @@ parse_args(bool is_batchfile, int argc, char **argv) {
 			default_lookups = false;
 			break;
 		case 'i':
-			/* deprecated */
+			lookup->ip6_int = true;
 			break;
 		case 'n':
 			/* deprecated */
@@ -843,8 +841,8 @@ parse_args(bool is_batchfile, int argc, char **argv) {
 		check_ra = true;
 
 	lookup->pending = false;
-	if (get_reverse(store, sizeof(store), hostname, true)
-	    == ISC_R_SUCCESS) {
+	if (get_reverse(store, sizeof(store), hostname,
+			lookup->ip6_int, true) == ISC_R_SUCCESS) {
 		strlcpy(lookup->textname, store, sizeof(lookup->textname));
 		lookup->rdtype = dns_rdatatype_ptr;
 		lookup->rdtypeset = true;

bin/dig/host.docbook

@@ -47,8 +47,6 @@
       <year>2016</year>
       <year>2017</year>
       <year>2018</year>
-      <year>2019</year>
-      <year>2020</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
@@ -181,6 +179,18 @@
 	</listitem>
       </varlistentry>
 
+      <varlistentry>
+	<term>-i</term>
+	<listitem>
+	  <para>
+	    Obsolete.
+	    Use the IP6.INT domain for reverse lookups of IPv6
+	    addresses as defined in RFC1886 and deprecated in RFC4159.
+	    The default is to use IP6.ARPA as specified in RFC3596.
+	  </para>
+	</listitem>
+      </varlistentry>
+
       <varlistentry>
 	<term>-l</term>
 	<listitem>

bin/dig/host.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -138,6 +138,15 @@
 	    Equivalent to the <code class="option">-v</code> verbose option.
 	  </p>
 	</dd>
+<dt><span class="term">-i</span></dt>
+<dd>
+	  <p>
+	    Obsolete.
+	    Use the IP6.INT domain for reverse lookups of IPv6
+	    addresses as defined in RFC1886 and deprecated in RFC4159.
+	    The default is to use IP6.ARPA as specified in RFC3596.
+	  </p>
+	</dd>
 <dt><span class="term">-l</span></dt>
 <dd>
 	  <p>
@@ -302,7 +311,7 @@
       <span class="command"><strong>host</strong></span> appropriately converts character encoding of
       domain name before sending a request to DNS server or displaying a
       reply from the server.
-      If you'd like to turn off the IDN support for some reason, define
+      If you'd like to turn off the IDN support for some reason, defines
       the <code class="envar">IDN_DISABLE</code> environment variable.
       The IDN support is disabled if the variable is set when
       <span class="command"><strong>host</strong></span> runs.

bin/dig/include/dig/dig.h

@@ -26,7 +26,6 @@
 #include <isc/formatcheck.h>
 #include <isc/lang.h>
 #include <isc/list.h>
-#include <isc/magic.h>
 #include <isc/mem.h>
 #include <isc/print.h>
 #include <isc/sockaddr.h>
@@ -82,11 +81,6 @@ typedef struct dig_server dig_server_t;
 typedef ISC_LIST(dig_server_t) dig_serverlist_t;
 typedef struct dig_searchlist dig_searchlist_t;
 
-#define DIG_QUERY_MAGIC		ISC_MAGIC('D','i','g','q')
-
-#define DIG_VALID_QUERY(x)	ISC_MAGIC_VALID((x), DIG_QUERY_MAGIC)
-
-
 /*% The dig_lookup structure */
 struct dig_lookup {
 	bool
@@ -109,6 +103,7 @@ struct dig_lookup {
 		trace_root, /*% initial query for either +trace or +nssearch */
 		tcp_mode,
 		tcp_mode_set,
+		ip6_int,
 		comments,
 		stats,
 		section_question,
@@ -140,10 +135,7 @@ struct dig_lookup {
 		ttlunits,
 		idnin,
 		idnout,
-		expandaaaa,
-		qr,
-		accept_reply_unexpected_src;  /*%  print replies from unexpected
-						   sources. */
+		qr;
 	char textname[MXNAME]; /*% Name we're going to be looking up */
 	char cmdline[MXNAME];
 	dns_rdatatype_t rdtype;
@@ -193,7 +185,6 @@ struct dig_lookup {
 
 /*% The dig_query structure */
 struct dig_query {
-	unsigned int magic;
 	dig_lookup_t *lookup;
 	bool waiting_connect,
 		pending_free,
@@ -212,12 +203,15 @@ struct dig_query {
 	bool ixfr_axfr;
 	char *servname;
 	char *userarg;
+	isc_bufferlist_t sendlist,
+		recvlist,
+		lengthlist;
 	isc_buffer_t recvbuf,
 		lengthbuf,
-		tmpsendbuf,
-		sendbuf;
-	char *recvspace, *tmpsendspace,
-		lengthspace[4];
+		slbuf;
+	char *recvspace,
+		lengthspace[4],
+		slspace[4];
 	isc_socket_t *sock;
 	ISC_LINK(dig_query_t) link;
 	ISC_LINK(dig_query_t) clink;
@@ -225,6 +219,7 @@ struct dig_query {
 	isc_time_t time_sent;
 	isc_time_t time_recv;
 	uint64_t byte_count;
+	isc_buffer_t sendbuf;
 	isc_timer_t *timer;
 };
 
@@ -252,7 +247,7 @@ extern dig_searchlistlist_t search_list;
 extern unsigned int extrabytes;
 
 extern bool check_ra, have_ipv4, have_ipv6, specified_source,
-	usesearch, showsearch, yaml;
+	usesearch, showsearch;
 extern in_port_t port;
 extern unsigned int timeout;
 extern isc_mem_t *mctx;
@@ -289,7 +284,8 @@ int
 getaddresses(dig_lookup_t *lookup, const char *host, isc_result_t *resultp);
 
 isc_result_t
-get_reverse(char *reverse, size_t len, char *value, bool strict);
+get_reverse(char *reverse, size_t len, char *value, bool ip6_int,
+	    bool strict);
 
 ISC_PLATFORM_NORETURN_PRE void
 fatal(const char *format, ...)
@@ -382,34 +378,13 @@ set_search_domain(char *domain);
  * then assigned to the appropriate function pointer
  */
 extern isc_result_t
-(*dighost_printmessage)(dig_query_t *query, const isc_buffer_t *msgbuf,
-			dns_message_t *msg, bool headers);
-
-/*
- * Print an error message in the appropriate format.
- */
-extern void
-(*dighost_error)(const char *format, ...);
-
-/*
- * Print a warning message in the appropriate format.
- */
-extern void
-(*dighost_warning)(const char *format, ...);
-
-/*
- * Print a comment in the appropriate format.
- */
-extern void
-(*dighost_comments)(dig_lookup_t *lookup, const char *format, ...);
-
+(*dighost_printmessage)(dig_query_t *query, dns_message_t *msg, bool headers);
 /*%<
  * Print the final result of the lookup.
  */
 
 extern void
-(*dighost_received)(unsigned int bytes, isc_sockaddr_t *from,
-		    dig_query_t *query);
+(*dighost_received)(unsigned int bytes, isc_sockaddr_t *from, dig_query_t *query);
 /*%<
  * Print a message about where and when the response
  * was received from, like the final comment in the

bin/dig/nslookup.1

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004-2007, 2010, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2007, 2010, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -277,17 +277,6 @@ Try the next nameserver if a nameserver responds with SERVFAIL or a referral (no
 .PP
 \fBnslookup\fR
 returns with an exit status of 1 if any query failed, and 0 otherwise\&.
-.SH "IDN SUPPORT"
-.PP
-If
-\fBnslookup\fR
-has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names\&.
-\fBnslookup\fR
-appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server\&. If you\*(Aqd like to turn off the IDN support for some reason, define the
-\fBIDN_DISABLE\fR
-environment variable\&. The IDN support is disabled if the variable is set when
-\fBnslookup\fR
-runs or when the standard output is not a tty\&.
 .SH "FILES"
 .PP
 /etc/resolv\&.conf
@@ -301,5 +290,5 @@ runs or when the standard output is not a tty\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2004-2007, 2010, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004-2007, 2010, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dig/nslookup.c

@@ -9,6 +9,8 @@
  * information regarding copyright ownership.
  */
 
+#include <config.h>
+
 #include <inttypes.h>
 #include <stdbool.h>
 #include <stdlib.h>
@@ -423,27 +425,22 @@ chase_cnamechain(dns_message_t *msg, dns_name_t *qname) {
 		dns_rdataset_current(rdataset, &rdata);
 		result = dns_rdata_tostruct(&rdata, &cname, NULL);
 		check_result(result, "dns_rdata_tostruct");
-		dns_name_copynf(&cname.cname, qname);
+		dns_name_copy(&cname.cname, qname, NULL);
 		dns_rdata_freestruct(&cname);
 	}
 }
 
 static isc_result_t
-printmessage(dig_query_t *query, const isc_buffer_t *msgbuf,
-	     dns_message_t *msg, bool headers)
-{
+printmessage(dig_query_t *query, dns_message_t *msg, bool headers) {
 	char servtext[ISC_SOCKADDR_FORMATSIZE];
 
-	UNUSED(msgbuf);
-
 	/* I've we've gotten this far, we've reached a server. */
 	query_error = 0;
 
 	debug("printmessage()");
 
 	if(!default_lookups || query->lookup->rdtype == dns_rdatatype_a) {
-		isc_sockaddr_format(&query->sockaddr, servtext,
-				    sizeof(servtext));
+		isc_sockaddr_format(&query->sockaddr, servtext, sizeof(servtext));
 		printf("Server:\t\t%s\n", query->userarg);
 		printf("Address:\t%s\n", servtext);
 
@@ -481,7 +478,7 @@ printmessage(dig_query_t *query, const isc_buffer_t *msgbuf,
 
 		/* Add AAAA lookup. */
 		name = dns_fixedname_initname(&fixed);
-		dns_name_copynf(query->lookup->name, name);
+		dns_name_copy(query->lookup->name, name, NULL);
 		chase_cnamechain(msg, name);
 		dns_name_format(name, namestr, sizeof(namestr));
 		lookup = clone_lookup(query->lookup, false);
@@ -775,7 +772,7 @@ addlookup(char *opt) {
 		rdclass = dns_rdataclass_in;
 	}
 	lookup = make_empty_lookup();
-	if (get_reverse(store, sizeof(store), opt, true)
+	if (get_reverse(store, sizeof(store), opt, lookup->ip6_int, true)
 	    == ISC_R_SUCCESS) {
 		strlcpy(lookup->textname, store, sizeof(lookup->textname));
 		lookup->rdtype = dns_rdatatype_ptr;
@@ -855,6 +852,8 @@ get_next_command(void) {
 
 	fflush(stdout);
 	buf = isc_mem_allocate(mctx, COMMSIZE);
+	if (buf == NULL)
+		fatal("memory allocation failure");
 	isc_app_block();
 	if (interactive) {
 #ifdef HAVE_READLINE
@@ -880,29 +879,12 @@ get_next_command(void) {
 	isc_mem_free(mctx, buf);
 }
 
-ISC_PLATFORM_NORETURN_PRE static void
-usage(void) ISC_PLATFORM_NORETURN_POST;
-
-static void
-usage(void) {
-    fprintf(stderr, "Usage:\n");
-    fprintf(stderr,
-"   nslookup [-opt ...]             # interactive mode using default server\n");
-    fprintf(stderr,
-"   nslookup [-opt ...] - server    # interactive mode using 'server'\n");
-    fprintf(stderr,
-"   nslookup [-opt ...] host        # just look up 'host' using default server\n");
-    fprintf(stderr,
-"   nslookup [-opt ...] host server # just look up 'host' using 'server'\n");
-    exit(1);
-}
-
 static void
 parse_args(int argc, char **argv) {
 	bool have_lookup = false;
 
 	usesearch = true;
-	for (argc--, argv++; argc > 0 && argv[0] != NULL; argc--, argv++) {
+	for (argc--, argv++; argc > 0; argc--, argv++) {
 		debug("main parsing %s", argv[0]);
 		if (argv[0][0] == '-') {
 			if (strncasecmp(argv[0], "-ver", 4) == 0) {
@@ -918,9 +900,6 @@ parse_args(int argc, char **argv) {
 				in_use = true;
 				addlookup(argv[0]);
 			} else {
-				if (argv[1] != NULL) {
-					usage();
-				}
 				set_nameserver(argv[0]);
 				check_ra = false;
 			}
@@ -944,6 +923,12 @@ flush_lookup_list(void) {
 						  ISC_SOCKCANCEL_ALL);
 				isc_socket_detach(&q->sock);
 			}
+			if (ISC_LINK_LINKED(&q->recvbuf, link))
+				ISC_LIST_DEQUEUE(q->recvlist, &q->recvbuf,
+						 link);
+			if (ISC_LINK_LINKED(&q->lengthbuf, link))
+				ISC_LIST_DEQUEUE(q->lengthlist, &q->lengthbuf,
+						 link);
 			isc_buffer_invalidate(&q->recvbuf);
 			isc_buffer_invalidate(&q->lengthbuf);
 			qp = q;

bin/dig/nslookup.docbook

@@ -71,8 +71,6 @@
       <year>2016</year>
       <year>2017</year>
       <year>2018</year>
-      <year>2019</year>
-      <year>2020</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
@@ -491,8 +489,7 @@ nslookup -query=hinfo  -timeout=10
       If you'd like to turn off the IDN support for some reason, define
       the <envar>IDN_DISABLE</envar> environment variable.
       The IDN support is disabled if the variable is set when
-      <command>nslookup</command> runs or when the standard output is not
-      a tty.
+      <command>nslookup</command> runs.
     </para>
   </refsection>
 

bin/dig/nslookup.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2004-2007, 2010, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007, 2010, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -362,31 +362,14 @@ nslookup -query=hinfo  -timeout=10
   </div>
 
   <div class="refsection">
-<a name="id-1.11"></a><h2>IDN SUPPORT</h2>
-
-    <p>
-      If <span class="command"><strong>nslookup</strong></span> has been built with IDN (internationalized
-      domain name) support, it can accept and display non-ASCII domain names.
-      <span class="command"><strong>nslookup</strong></span> appropriately converts character encoding of
-      domain name before sending a request to DNS server or displaying a
-      reply from the server.
-      If you'd like to turn off the IDN support for some reason, define
-      the <code class="envar">IDN_DISABLE</code> environment variable.
-      The IDN support is disabled if the variable is set when
-      <span class="command"><strong>nslookup</strong></span> runs or when the standard output is not
-      a tty.
-    </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.12"></a><h2>FILES</h2>
+<a name="id-1.11"></a><h2>FILES</h2>
 
     <p><code class="filename">/etc/resolv.conf</code>
     </p>
   </div>
 
   <div class="refsection">
-<a name="id-1.13"></a><h2>SEE ALSO</h2>
+<a name="id-1.12"></a><h2>SEE ALSO</h2>
 
     <p><span class="citerefentry">
         <span class="refentrytitle">dig</span>(1)

bin/dig/win32/dig.vcxproj.in

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup Label="ProjectConfigurations">
     <ProjectConfiguration Include="Debug|@PLATFORM@">
       <Configuration>Debug</Configuration>
@@ -14,21 +14,18 @@
     <ProjectGuid>{F938F9B8-D395-4A40-BEC7-0122D289C692}</ProjectGuid>
     <Keyword>Win32Proj</Keyword>
     <RootNamespace>dig</RootNamespace>
-    @WINDOWS_TARGET_PLATFORM_VERSION@
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>true</UseDebugLibraries>
     <CharacterSet>MultiByte</CharacterSet>
-    @PLATFORM_TOOLSET@
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>false</UseDebugLibraries>
     <WholeProgramOptimization>true</WholeProgramOptimization>
     <CharacterSet>MultiByte</CharacterSet>
-    @PLATFORM_TOOLSET@
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
   <ImportGroup Label="ExtensionSettings">
@@ -63,7 +60,6 @@
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <BrowseInformation>true</BrowseInformation>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\include;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@IDN_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
@@ -91,7 +87,6 @@
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\include;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@IDN_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>

bin/dig/win32/dig.vcxproj.user

@@ -1,3 +1,3 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 </Project>

bin/dig/win32/dighost.vcxproj.in

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup Label="ProjectConfigurations">
     <ProjectConfiguration Include="Debug|@PLATFORM@">
       <Configuration>Debug</Configuration>
@@ -14,21 +14,18 @@
     <ProjectGuid>{140DE800-E552-43CC-B0C7-A33A92E368CA}</ProjectGuid>
     <Keyword>Win32Proj</Keyword>
     <RootNamespace>dighost</RootNamespace>
-    @WINDOWS_TARGET_PLATFORM_VERSION@
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
     <ConfigurationType>StaticLibrary</ConfigurationType>
     <UseDebugLibraries>true</UseDebugLibraries>
     <CharacterSet>MultiByte</CharacterSet>
-    @PLATFORM_TOOLSET@
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
     <ConfigurationType>StaticLibrary</ConfigurationType>
     <UseDebugLibraries>false</UseDebugLibraries>
     <WholeProgramOptimization>true</WholeProgramOptimization>
     <CharacterSet>MultiByte</CharacterSet>
-    @PLATFORM_TOOLSET@
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
   <ImportGroup Label="ExtensionSettings">
@@ -63,7 +60,6 @@
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <BrowseInformation>true</BrowseInformation>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@IDN_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;..\..\..\lib\irs\include;..\..\..\lib\irs\win32\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
@@ -89,7 +85,6 @@
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@IDN_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;..\..\..\lib\irs\include;..\..\..\lib\irs\win32\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>

bin/dig/win32/dighost.vcxproj.user

@@ -1,3 +1,3 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 </Project>

bin/dig/win32/host.vcxproj.in

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup Label="ProjectConfigurations">
     <ProjectConfiguration Include="Debug|@PLATFORM@">
       <Configuration>Debug</Configuration>
@@ -14,21 +14,18 @@
     <ProjectGuid>{BA1048A8-6961-4A20-BE12-08BE20611C9D}</ProjectGuid>
     <Keyword>Win32Proj</Keyword>
     <RootNamespace>host</RootNamespace>
-    @WINDOWS_TARGET_PLATFORM_VERSION@
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>true</UseDebugLibraries>
     <CharacterSet>MultiByte</CharacterSet>
-    @PLATFORM_TOOLSET@
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>false</UseDebugLibraries>
     <WholeProgramOptimization>true</WholeProgramOptimization>
     <CharacterSet>MultiByte</CharacterSet>
-    @PLATFORM_TOOLSET@
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
   <ImportGroup Label="ExtensionSettings">
@@ -63,7 +60,6 @@
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <BrowseInformation>true</BrowseInformation>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\include;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@IDN_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
@@ -91,7 +87,6 @@
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\include;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@IDN_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>

bin/dig/win32/host.vcxproj.user

@@ -1,3 +1,3 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 </Project>

bin/dig/win32/nslookup.vcxproj.in

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup Label="ProjectConfigurations">
     <ProjectConfiguration Include="Debug|@PLATFORM@">
       <Configuration>Debug</Configuration>
@@ -14,21 +14,18 @@
     <ProjectGuid>{C15A6E1A-94CE-4686-99F9-6BC5FD623EB5}</ProjectGuid>
     <Keyword>Win32Proj</Keyword>
     <RootNamespace>nslookup</RootNamespace>
-    @WINDOWS_TARGET_PLATFORM_VERSION@
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>true</UseDebugLibraries>
     <CharacterSet>MultiByte</CharacterSet>
-    @PLATFORM_TOOLSET@
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>false</UseDebugLibraries>
     <WholeProgramOptimization>true</WholeProgramOptimization>
     <CharacterSet>MultiByte</CharacterSet>
-    @PLATFORM_TOOLSET@
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
   <ImportGroup Label="ExtensionSettings">
@@ -63,7 +60,6 @@
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <BrowseInformation>true</BrowseInformation>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\include;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@READLINE_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\irs\include;..\..\..\lib\irs\win32\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
@@ -91,7 +87,6 @@
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
-      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
       <AdditionalIncludeDirectories>.\;..\include;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@READLINE_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\irs\include;..\..\..\lib\irs\win32\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>

bin/dig/win32/nslookup.vcxproj.user

@@ -1,3 +1,3 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 </Project>

bin/dnssec/Makefile.in

@@ -15,26 +15,23 @@ VERSION=@BIND9_VERSION@
 
 @BIND9_MAKE_INCLUDES@
 
-CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
-		${OPENSSL_CFLAGS}
+CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES} @OPENSSL_INCLUDES@
 
-CDEFINES =	-DVERSION=\"${VERSION}\" -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
+CDEFINES =	-DVERSION=\"${VERSION}\"
 CWARNINGS =
 
-DNSLIBS =	../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
-ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
-ISCLIBS =	../../lib/isc/libisc.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS}
-ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS}
+DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
+ISCLIBS =	../../lib/isc/libisc.@A@ @OPENSSL_LIBS@
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LIBS@
 
 DNSDEPLIBS =	../../lib/dns/libdns.@A@
 ISCDEPLIBS =	../../lib/isc/libisc.@A@
-ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@
 
-DEPLIBS =	${DNSDEPLIBS} ${ISCCFGDEPLIBS} ${ISCDEPLIBS}
+DEPLIBS =	${DNSDEPLIBS} ${ISCDEPLIBS}
 
-LIBS =		${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
+LIBS =		${DNSLIBS} ${ISCLIBS} @LIBS@
 
-NOSYMLIBS =	${DNSLIBS} ${ISCCFGLIBS} ${ISCNOSYMLIBS} @LIBS@
+NOSYMLIBS =	${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@
 
 # Alphabetically
 TARGETS =	dnssec-cds@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \
@@ -50,7 +47,7 @@ SRCS =		dnssec-cds.c dnssec-dsfromkey.c dnssec-importkey.c \
 		dnssec-settime.c dnssec-signzone.c dnssec-verify.c \
 		dnssectool.c
 
-MANPAGES =	dnssec-cds.8 dnssec-dsfromkey.8 dnssec-importkey.8 \
+MANPAGES =	dnssec-cds.8 dnssec-dsfromkey.8  dnssec-importkey.8 \
 		dnssec-keyfromlabel.8 dnssec-keygen.8 dnssec-revoke.8 \
 		dnssec-settime.8 dnssec-signzone.8 dnssec-verify.8
 

bin/dnssec/dnssec-cds.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2017-2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2017, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -102,7 +102,7 @@ Specify a digest algorithm to use when converting CDNSKEY records to DS records\
 .sp
 The
 \fIalgorithm\fR
-must be one of SHA\-1, SHA\-256, or SHA\-384\&. These values are case insensitive, and the hyphen may be omitted\&. If no algorithm is specified, the default is SHA\-256\&.
+must be one of SHA\-1 (SHA1), SHA\-256 (SHA256), or SHA\-384 (SHA384)\&. These values are case insensitive\&. If no algorithm is specified, the default is SHA\-256\&.
 .RE
 .PP
 \-c \fIclass\fR
@@ -293,5 +293,5 @@ RFC 7344\&.
 .RE
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2017-2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2017, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dnssec/dnssec-cds.c

@@ -16,6 +16,8 @@
 
 /*! \file */
 
+#include <config.h>
+
 #include <errno.h>
 #include <inttypes.h>
 #include <stdbool.h>
@@ -59,7 +61,12 @@
 
 #include "dnssectool.h"
 
+#ifndef PATH_MAX
+#define PATH_MAX 1024   /* WIN32, and others don't define this. */
+#endif
+
 const char *program = "dnssec-cds";
+int verbose;
 
 /*
  * Infrastructure
@@ -75,6 +82,12 @@ static dns_fixedname_t fixed;
 static dns_name_t *name = NULL;
 static dns_rdataclass_t rdclass = dns_rdataclass_in;
 
+/*
+ * List of digest types used by ds_from_cdnskey(), filled in by add_dtype()
+ * from -a arguments. The size of the array is an arbitrary limit.
+ */
+static uint8_t dtype[8];
+
 static const char *startstr  = NULL;	/* from which we derive notbefore */
 static isc_stdtime_t notbefore = 0;	/* restrict sig inception times */
 static dns_rdata_rrsig_t oldestsig;	/* for recording inception time */
@@ -116,7 +129,7 @@ static int nkey; /* number of child zone DNSKEY records */
 typedef struct keyinfo {
 	dns_rdata_t rdata;
 	dst_key_t *dst;
-	dns_secalg_t algo;
+	uint8_t algo;
 	dns_keytag_t tag;
 } keyinfo_t;
 
@@ -150,8 +163,8 @@ verbose_time(int level, const char *msg, isc_stdtime_t time) {
 	if (verbose < 3) {
 		vbprintf(level, "%s %s\n", msg, timestr);
 	} else {
-		vbprintf(level, "%s %s (%" PRIu32 ")\n",
-			 msg, timestr, time);
+		vbprintf(level, "%s %s (%lld)\n",
+			 msg, timestr, (long long)time);
 	}
 }
 
@@ -372,7 +385,7 @@ formatset(dns_rdataset_t *rdataset) {
 
 	result = isc_buffer_allocate(mctx, &buf, MAX_CDS_RDATA_TEXT_SIZE);
 	check_result(result, "printing DS records");
-	result = dns_master_rdatasettotext(name, rdataset, style, NULL, buf);
+	result = dns_master_rdatasettotext(name, rdataset, style, buf);
 
 	if ((result == ISC_R_SUCCESS) && isc_buffer_availablelength(buf) < 1) {
 		result = ISC_R_NOSPACE;
@@ -469,6 +482,7 @@ match_key_dsset(keyinfo_t *ki, dns_rdataset_t *dsset, strictness_t strictness)
 		dns_rdata_ds_t ds;
 		dns_rdata_t dsrdata = DNS_RDATA_INIT;
 		dns_rdata_t newdsrdata = DNS_RDATA_INIT;
+		dns_rdatatype_t keytype;
 		bool c;
 
 		dns_rdataset_current(dsset, &dsrdata);
@@ -479,8 +493,12 @@ match_key_dsset(keyinfo_t *ki, dns_rdataset_t *dsset, strictness_t strictness)
 			continue;
 		}
 
+		/* allow for both DNSKEY and CDNSKEY */
+		keytype = ki->rdata.type;
+		ki->rdata.type = dns_rdatatype_dnskey;
 		result = dns_ds_buildrdata(name, &ki->rdata, ds.digest_type,
 					   dsbuf, &newdsrdata);
+		ki->rdata.type = keytype;
 		if (result != ISC_R_SUCCESS) {
 			vbprintf(3, "dns_ds_buildrdata("
 				 "keytag=%d, algo=%d, digest=%d): %s\n",
@@ -530,6 +548,9 @@ match_keyset_dsset(dns_rdataset_t *keyset, dns_rdataset_t *dsset,
 	nkey = dns_rdataset_count(keyset);
 
 	keytable = isc_mem_get(mctx, sizeof(keyinfo_t) * nkey);
+	if (keytable == NULL) {
+		fatal("out of memory");
+	}
 
 	for (result = dns_rdataset_first(keyset), i = 0;
 	     result == ISC_R_SUCCESS;
@@ -552,7 +573,7 @@ match_keyset_dsset(dns_rdataset_t *keyset, dns_rdataset_t *dsset,
 		ki->algo = dnskey.algorithm;
 
 		dns_rdata_toregion(keyrdata, &r);
-		ki->tag = dst_region_computeid(&r);
+		ki->tag = dst_region_computeid(&r, ki->algo);
 
 		ki->dst = NULL;
 		if (!match_key_dsset(ki, dsset, strictness)) {
@@ -598,15 +619,19 @@ free_keytable(keyinfo_t **keytable_p) {
  * otherwise the key algorithm. This is used by the signature coverage
  * check functions below.
  */
-static dns_secalg_t *
+static uint8_t *
 matching_sigs(keyinfo_t *keytbl, dns_rdataset_t *rdataset,
 	      dns_rdataset_t *sigset)
 {
 	isc_result_t result;
-	dns_secalg_t *algo;
+	uint8_t *algo;
 	int i;
 
 	algo = isc_mem_get(mctx, nkey);
+	if (algo == NULL) {
+		fatal("allocating RRSIG/DNSKEY match list: %s",
+		      isc_result_totext(ISC_R_NOMEMORY));
+	}
 	memset(algo, 0, nkey);
 
 	for (result = dns_rdataset_first(sigset);
@@ -682,7 +707,7 @@ matching_sigs(keyinfo_t *keytbl, dns_rdataset_t *rdataset,
  * fetched from the child zone, any working signature is enough.
  */
 static bool
-signed_loose(dns_secalg_t *algo) {
+signed_loose(uint8_t *algo) {
 	bool ok = false;
 	int i;
 	for (i = 0; i < nkey; i++) {
@@ -701,7 +726,7 @@ signed_loose(dns_secalg_t *algo) {
  * RRset.
  */
 static bool
-signed_strict(dns_rdataset_t *dsset, dns_secalg_t *algo) {
+signed_strict(dns_rdataset_t *dsset, uint8_t *algo) {
 	isc_result_t result;
 	bool all_ok = true;
 
@@ -740,6 +765,10 @@ rdata_get(void) {
 	dns_rdata_t *rdata;
 
 	rdata = isc_mem_get(mctx, sizeof(*rdata));
+	if (rdata == NULL) {
+		fatal("allocating DS rdata: %s",
+		      isc_result_totext(ISC_R_NOMEMORY));
+	}
 	dns_rdata_init(rdata);
 
 	return (rdata);
@@ -797,6 +826,7 @@ ds_from_cdnskey(dns_rdatalist_t *dslist, isc_buffer_t *buf,
 				return (ISC_R_NOSPACE);
 			}
 
+			cdnskey->type = dns_rdatatype_dnskey;
 			rdata = rdata_get();
 			result = dns_ds_buildrdata(name, cdnskey, dtype[i],
 						   r.base, rdata);
@@ -814,6 +844,34 @@ ds_from_cdnskey(dns_rdatalist_t *dslist, isc_buffer_t *buf,
 	return (ISC_R_SUCCESS);
 }
 
+/*
+ * For sorting the digest types so that DS records generated
+ * from CDNSKEY records are in canonical order.
+ */
+static int
+cmp_dtype(const void *ap, const void *bp) {
+	int a = *(const uint8_t *)ap;
+	int b = *(const uint8_t *)bp;
+	return (a - b);
+}
+
+static void
+add_dtype(const char *dn) {
+	uint8_t dt;
+	unsigned i, n;
+
+	dt = strtodsdigest(dn);
+	n = sizeof(dtype)/sizeof(dtype[0]);
+	for (i = 0; i < n; i++) {
+		if (dtype[i] == 0 || dtype[i] == dt) {
+			dtype[i] = dt;
+			qsort(dtype, i+1, 1, cmp_dtype);
+			return;
+		}
+	}
+	fatal("too many -a digest type arguments");
+}
+
 static void
 make_new_ds_set(ds_maker_func_t *ds_from_rdata,
 		uint32_t ttl, dns_rdataset_t *rdset)
@@ -824,6 +882,10 @@ make_new_ds_set(ds_maker_func_t *ds_from_rdata,
 		dns_rdatalist_t *dslist;
 
 		dslist = isc_mem_get(mctx, sizeof(*dslist));
+		if (dslist == NULL) {
+			fatal("allocating new DS list: %s",
+			      isc_result_totext(ISC_R_NOMEMORY));
+		}
 
 		dns_rdatalist_init(dslist);
 		dslist->rdclass = rdclass;
@@ -880,7 +942,7 @@ consistent_digests(dns_rdataset_t *dsset) {
 	dns_rdata_t *arrdata;
 	dns_rdata_ds_t *ds;
 	dns_keytag_t key_tag;
-	dns_secalg_t algorithm;
+	uint8_t algorithm;
 	bool match;
 	int i, j, n, d;
 
@@ -892,6 +954,10 @@ consistent_digests(dns_rdataset_t *dsset) {
 	n = dns_rdataset_count(dsset);
 
 	arrdata = isc_mem_get(mctx, n * sizeof(dns_rdata_t));
+	if (arrdata == NULL) {
+		fatal("allocating DS rdata array: %s",
+		      isc_result_totext(ISC_R_NOMEMORY));
+	}
 
 	for (result = dns_rdataset_first(dsset), i = 0;
 	     result == ISC_R_SUCCESS;
@@ -907,6 +973,10 @@ consistent_digests(dns_rdataset_t *dsset) {
 	 * Convert sorted arrdata to more accessible format
 	 */
 	ds = isc_mem_get(mctx, n * sizeof(dns_rdata_ds_t));
+	if (ds == NULL) {
+		fatal("allocating unpacked DS array: %s",
+		      isc_result_totext(ISC_R_NOMEMORY));
+	}
 
 	for (i = 0; i < n; i++) {
 		result = dns_rdata_tostruct(&arrdata[i], &ds[i], NULL);
@@ -1074,7 +1144,10 @@ main(int argc, char *argv[]) {
 	int ch;
 	char *endp;
 
-	isc_mem_create(&mctx);
+	result = isc_mem_create(0, 0, &mctx);
+	if (result != ISC_R_SUCCESS) {
+		fatal("out of memory");
+	}
 
 #if USE_PKCS11
 	pk11_result_register();
@@ -1087,7 +1160,7 @@ main(int argc, char *argv[]) {
 	while ((ch = isc_commandline_parse(argc, argv, OPTIONS)) != -1) {
 		switch (ch) {
 		case 'a':
-			add_dtype(strtodsdigest(isc_commandline_argument));
+			add_dtype(isc_commandline_argument);
 			break;
 		case 'c':
 			rdclass = strtoclass(isc_commandline_argument);

bin/dnssec/dnssec-cds.docbook

@@ -40,8 +40,6 @@
     <copyright>
       <year>2017</year>
       <year>2018</year>
-      <year>2019</year>
-      <year>2020</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
@@ -145,9 +143,9 @@
 	    record. This option has no effect when using CDS records.
           </para>
           <para>
-	    The <replaceable>algorithm</replaceable> must be one of
-	    SHA-1, SHA-256, or SHA-384.  These values are case insensitive,
-	    and the hyphen may be omitted.  If no algorithm is specified,
+	    The <replaceable>algorithm</replaceable> must be one of SHA-1
+	    (SHA1), SHA-256 (SHA256), or SHA-384 (SHA384). These
+	    values are case insensitive. If no algorithm is specified,
 	    the default is SHA-256.
           </para>
         </listitem>

bin/dnssec/dnssec-cds.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2017-2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2017, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -129,9 +129,9 @@
 	    record. This option has no effect when using CDS records.
           </p>
           <p>
-	    The <em class="replaceable"><code>algorithm</code></em> must be one of
-	    SHA-1, SHA-256, or SHA-384.  These values are case insensitive,
-	    and the hyphen may be omitted.  If no algorithm is specified,
+	    The <em class="replaceable"><code>algorithm</code></em> must be one of SHA-1
+	    (SHA1), SHA-256 (SHA256), or SHA-384 (SHA384). These
+	    values are case insensitive. If no algorithm is specified,
 	    the default is SHA-256.
           </p>
         </dd>

bin/dnssec/dnssec-dsfromkey.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2008-2012, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2008-2012, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,12 +10,12 @@
 .\"     Title: dnssec-dsfromkey
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\"      Date: 2019-05-08
+.\"      Date: 2012-05-02
 .\"    Manual: BIND9
 .\"    Source: ISC
 .\"  Language: English
 .\"
-.TH "DNSSEC\-DSFROMKEY" "8" "2019\-05\-08" "ISC" "BIND9"
+.TH "DNSSEC\-DSFROMKEY" "8" "2012\-05\-02" "ISC" "BIND9"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -39,99 +39,61 @@
 dnssec-dsfromkey \- DNSSEC DS RR generation tool
 .SH "SYNOPSIS"
 .HP \w'\fBdnssec\-dsfromkey\fR\ 'u
-\fBdnssec\-dsfromkey\fR [\fB\-1\fR | \fB\-2\fR | \fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR | \fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] {keyfile}
+\fBdnssec\-dsfromkey\fR [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] {keyfile}
 .HP \w'\fBdnssec\-dsfromkey\fR\ 'u
-\fBdnssec\-dsfromkey\fR [\fB\-1\fR | \fB\-2\fR | \fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR | \fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-A\fR] {\fB\-f\ \fR\fB\fIfile\fR\fR} [dnsname]
+\fBdnssec\-dsfromkey\fR {\-s} [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-s\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-f\ \fR\fB\fIfile\fR\fR] [\fB\-A\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {dnsname}
 .HP \w'\fBdnssec\-dsfromkey\fR\ 'u
-\fBdnssec\-dsfromkey\fR [\fB\-1\fR | \fB\-2\fR | \fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR | \fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] {\-s} {dnsname}
-.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
-\fBdnssec\-dsfromkey\fR [\fB\-h\fR | \fB\-V\fR]
+\fBdnssec\-dsfromkey\fR [\fB\-h\fR] [\fB\-V\fR]
 .SH "DESCRIPTION"
 .PP
-The
 \fBdnssec\-dsfromkey\fR
-command outputs DS (Delegation Signer) resource records (RRs), or CDS (Child DS) RRs with the
-\fB\-C\fR
-option\&.
-.PP
-The input keys can be specified in a number of ways:
-.PP
-By default,
-\fBdnssec\-dsfromkey\fR
-reads a key file named like
-Knnnn\&.+aaa+iiiii\&.key, as generated by
-\fBdnssec\-keygen\fR\&.
-.PP
-With the
-\fB\-f \fR\fB\fIfile\fR\fR
-option,
-\fBdnssec\-dsfromkey\fR
-reads keys from a zone file or partial zone file (which can contain just the DNSKEY records)\&.
-.PP
-With the
-\fB\-s\fR
-option,
-\fBdnssec\-dsfromkey\fR
-reads a
-keyset\-
-file, as generated by
-\fBdnssec\-keygen\fR\fB\-C\fR\&.
+outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s)\&.
 .SH "OPTIONS"
 .PP
 \-1
 .RS 4
-An abbreviation for
-\fB\-a SHA\-1\fR\&. (Note: The SHA\-1 algorithm is no longer recommended for use when generating new DS and CDS records\&.)
+Use SHA\-1 as the digest algorithm (the default is to use both SHA\-1 and SHA\-256)\&.
 .RE
 .PP
 \-2
 .RS 4
-An abbreviation for
-\fB\-a SHA\-256\fR\&.
+Use SHA\-256 as the digest algorithm\&.
 .RE
 .PP
 \-a \fIalgorithm\fR
 .RS 4
-Specify a digest algorithm to use when converting DNSKEY records to DS records\&. This option can be repeated, so that multiple DS records are created for each DNSKEY record\&.
-.sp
-The
-\fIalgorithm\fR
-must be one of SHA\-1, SHA\-256, or SHA\-384\&. These values are case insensitive, and the hyphen may be omitted\&. If no algorithm is specified, the default is SHA\-256\&. (Note: The SHA\-1 algorithm is no longer recommended for use when generating new DS and CDS records\&.)
-.RE
-.PP
-\-A
-.RS 4
-Include ZSKs when generating DS records\&. Without this option, only keys which have the KSK flag set will be converted to DS records and printed\&. Useful only in
-\fB\-f\fR
-zone file mode\&.
-.RE
-.PP
-\-c \fIclass\fR
-.RS 4
-Specifies the DNS class (default is IN)\&. Useful only in
-\fB\-s\fR
-keyset or
-\fB\-f\fR
-zone file mode\&.
+Select the digest algorithm\&. The value of
+\fBalgorithm\fR
+must be one of SHA\-1 (SHA1), SHA\-256 (SHA256) or SHA\-384 (SHA384)\&. These values are case insensitive\&.
 .RE
 .PP
 \-C
 .RS 4
-Generate CDS records rather than DS records\&.
+Generate CDS records rather than DS records\&. This is mutually exclusive with generating lookaside records\&.
+.RE
+.PP
+\-T \fITTL\fR
+.RS 4
+Specifies the TTL of the DS records\&.
+.RE
+.PP
+\-K \fIdirectory\fR
+.RS 4
+Look for key files (or, in keyset mode,
+keyset\-
+files) in
+\fBdirectory\fR\&.
 .RE
 .PP
 \-f \fIfile\fR
 .RS 4
-Zone file mode:
-\fBdnssec\-dsfromkey\fR\*(Aqs final
-\fIdnsname\fR
-argument is the DNS domain name of a zone whose master file can be read from
+Zone file mode: in place of the keyfile name, the argument is the DNS domain name of a zone master file, which can be read from
 \fBfile\fR\&. If the zone name is the same as
 \fBfile\fR, then it may be omitted\&.
 .sp
 If
-\fIfile\fR
-is
+\fBfile\fR
+is set to
 "\-", then the zone data is read from the standard input\&. This makes it possible to use the output of the
 \fBdig\fR
 command as input, as in:
@@ -139,32 +101,26 @@ command as input, as in:
 \fBdig dnskey example\&.com | dnssec\-dsfromkey \-f \- example\&.com\fR
 .RE
 .PP
-\-h
+\-A
 .RS 4
-Prints usage information\&.
+Include ZSKs when generating DS records\&. Without this option, only keys which have the KSK flag set will be converted to DS records and printed\&. Useful only in zone file mode\&.
 .RE
 .PP
-\-K \fIdirectory\fR
+\-l \fIdomain\fR
 .RS 4
-Look for key files or
-keyset\-
-files in
-\fBdirectory\fR\&.
+Generate a DLV set instead of a DS set\&. The specified
+\fBdomain\fR
+is appended to the name for each record in the set\&. The DNSSEC Lookaside Validation (DLV) RR is described in RFC 4431\&. This is mutually exclusive with generating CDS records\&.
 .RE
 .PP
 \-s
 .RS 4
-Keyset mode:
-\fBdnssec\-dsfromkey\fR\*(Aqs final
-\fIdnsname\fR
-argument is the DNS domain name used to locate a
-keyset\-
-file\&.
+Keyset mode: in place of the keyfile name, the argument is the DNS domain name of a keyset file\&.
 .RE
 .PP
-\-T \fITTL\fR
+\-c \fIclass\fR
 .RS 4
-Specifies the TTL of the DS records\&. By default the TTL is omitted\&.
+Specifies the DNS class (default is IN)\&. Useful only in keyset or zone file mode\&.
 .RE
 .PP
 \-v \fIlevel\fR
@@ -172,6 +128,11 @@ Specifies the TTL of the DS records\&. By default the TTL is omitted\&.
 Sets the debugging level\&.
 .RE
 .PP
+\-h
+.RS 4
+Prints usage information\&.
+.RE
+.PP
 \-V
 .RS 4
 Prints version information\&.
@@ -180,16 +141,16 @@ Prints version information\&.
 .PP
 To build the SHA\-256 DS RR from the
 \fBKexample\&.com\&.+003+26160\fR
-keyfile name, you can issue the following command:
+keyfile name, the following command would be issued:
 .PP
 \fBdnssec\-dsfromkey \-2 Kexample\&.com\&.+003+26160\fR
 .PP
 The command would print something like:
 .PP
-\fBexample\&.com\&. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94\fR
+\fBexample\&.com\&. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94\fR
 .SH "FILES"
 .PP
-The keyfile can be designated by the key identification
+The keyfile can be designed by the key identification
 Knnnn\&.+aaa+iiiii
 or the full file name
 Knnnn\&.+aaa+iiiii\&.key
@@ -209,18 +170,13 @@ A keyfile error can give a "file not found" even if the file exists\&.
 \fBdnssec-keygen\fR(8),
 \fBdnssec-signzone\fR(8),
 BIND 9 Administrator Reference Manual,
-RFC 3658
-(DS RRs),
-RFC 4509
-(SHA\-256 for DS RRs),
-RFC 6605
-(SHA\-384 for DS RRs),
-RFC 7344
-(CDS and CDNSKEY RRs)\&.
+RFC 3658,
+RFC 4431\&.
+RFC 4509\&.
 .SH "AUTHOR"
 .PP
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2008-2012, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2008-2012, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dnssec/dnssec-dsfromkey.c

@@ -11,6 +11,8 @@
 
 /*! \file */
 
+#include <config.h>
+
 #include <inttypes.h>
 #include <stdbool.h>
 #include <stdlib.h>
@@ -47,7 +49,12 @@
 
 #include "dnssectool.h"
 
+#ifndef PATH_MAX
+#define PATH_MAX 1024   /* WIN32, and others don't define this. */
+#endif
+
 const char *program = "dnssec-dsfromkey";
+int verbose;
 
 static dns_rdataclass_t rdclass;
 static dns_fixedname_t	fixed;
@@ -200,13 +207,16 @@ loadkey(char *filename, unsigned char *key_buf, unsigned int key_buf_size,
 	rdclass = dst_key_class(key);
 
 	name = dns_fixedname_initname(&fixed);
-	dns_name_copynf(dst_key_name(key), name);
+	result = dns_name_copy(dst_key_name(key), name, NULL);
+	if (result != ISC_R_SUCCESS)
+		fatal("can't copy name");
 
 	dst_key_free(&key);
 }
 
 static void
-logkey(dns_rdata_t *rdata) {
+logkey(dns_rdata_t *rdata)
+{
 	isc_result_t result;
 	dst_key_t    *key = NULL;
 	isc_buffer_t buf;
@@ -225,7 +235,9 @@ logkey(dns_rdata_t *rdata) {
 }
 
 static void
-emit(dns_dsdigest_t dt, bool showall, bool cds, dns_rdata_t *rdata) {
+emit(unsigned int dtype, bool showall, char *lookaside,
+     bool cds, dns_rdata_t *rdata)
+{
 	isc_result_t result;
 	unsigned char buf[DNS_DS_BUFFERSIZE];
 	char text_buf[DST_KEY_MAXTEXTSIZE];
@@ -249,7 +261,7 @@ emit(dns_dsdigest_t dt, bool showall, bool cds, dns_rdata_t *rdata) {
 	if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0 && !showall)
 		return;
 
-	result = dns_ds_buildrdata(name, rdata, dt, buf, &ds);
+	result = dns_ds_buildrdata(name, rdata, dtype, buf, &ds);
 	if (result != ISC_R_SUCCESS)
 		fatal("can't build record");
 
@@ -257,6 +269,18 @@ emit(dns_dsdigest_t dt, bool showall, bool cds, dns_rdata_t *rdata) {
 	if (result != ISC_R_SUCCESS)
 		fatal("can't print name");
 
+	/* Add lookaside origin, if set */
+	if (lookaside != NULL) {
+		if (isc_buffer_availablelength(&nameb) < strlen(lookaside))
+			fatal("DLV origin '%s' is too long", lookaside);
+		isc_buffer_putstr(&nameb, lookaside);
+		if (lookaside[strlen(lookaside) - 1] != '.') {
+			if (isc_buffer_availablelength(&nameb) < 1)
+				fatal("DLV origin '%s' is too long", lookaside);
+			isc_buffer_putstr(&nameb, ".");
+		}
+	}
+
 	result = dns_rdata_tofmttext(&ds, (dns_name_t *) NULL, 0, 0, 0, "",
 				     &textb);
 
@@ -276,54 +300,48 @@ emit(dns_dsdigest_t dt, bool showall, bool cds, dns_rdata_t *rdata) {
 	isc_buffer_usedregion(&classb, &r);
 	printf("%.*s", (int)r.length, r.base);
 
-	if (cds) {
-		printf(" CDS ");
-	} else {
-		printf(" DS ");
-	}
+	if (lookaside == NULL) {
+		if (cds)
+			printf(" CDS ");
+		else
+			printf(" DS ");
+	} else
+		printf(" DLV ");
 
 	isc_buffer_usedregion(&textb, &r);
 	printf("%.*s\n", (int)r.length, r.base);
 }
 
-static void
-emits(bool showall, bool cds, dns_rdata_t *rdata) {
-	unsigned i, n;
-
-	n = sizeof(dtype)/sizeof(dtype[0]);
-	for (i = 0; i < n; i++) {
-		if (dtype[i] != 0) {
-			emit(dtype[i], showall, cds, rdata);
-		}
-	}
-}
-
 ISC_PLATFORM_NORETURN_PRE static void
 usage(void) ISC_PLATFORM_NORETURN_POST;
 
 static void
 usage(void) {
 	fprintf(stderr, "Usage:\n");
-	fprintf(stderr,	"    %s [options] keyfile\n\n", program);
-	fprintf(stderr, "    %s [options] -f zonefile [zonename]\n\n", program);
-	fprintf(stderr, "    %s [options] -s dnsname\n\n", program);
-	fprintf(stderr, "    %s [-h|-V]\n\n", program);
+	fprintf(stderr,	"    %s options [-K dir] keyfile\n\n", program);
+	fprintf(stderr, "    %s options [-K dir] [-c class] -s dnsname\n\n",
+		program);
+	fprintf(stderr, "    %s options -f zonefile (as zone name)\n\n", program);
+	fprintf(stderr, "    %s options -f zonefile zonename\n\n", program);
 	fprintf(stderr, "Version: %s\n", VERSION);
-	fprintf(stderr, "Options:\n"
-"    -1: digest algorithm SHA-1\n"
-"    -2: digest algorithm SHA-256\n"
-"    -a algorithm: digest algorithm (SHA-1, SHA-256 or SHA-384)\n"
-"    -A: include all keys in DS set, not just KSKs (-f only)\n"
-"    -c class: rdata class for DS set (default IN) (-f or -s only)\n"
-"    -C: print CDS records\n"
-"    -f zonefile: read keys from a zone file\n"
-"    -h: print help information\n"
-"    -K directory: where to find key or keyset files\n"
-"    -s: read keys from keyset-<dnsname> file\n"
-"    -T: TTL of output records (omitted by default)\n"
-"    -v level: verbosity\n"
-"    -V: print version information\n");
-	fprintf(stderr, "Output: DS or CDS RRs\n");
+	fprintf(stderr, "Options:\n");
+	fprintf(stderr, "    -v <verbose level>\n");
+	fprintf(stderr, "    -V: print version information\n");
+	fprintf(stderr, "    -K <directory>: directory in which to find "
+			"key file or keyset file\n");
+	fprintf(stderr, "    -a algorithm: digest algorithm "
+			"(SHA-1, SHA-256, GOST or SHA-384)\n");
+	fprintf(stderr, "    -1: use SHA-1\n");
+	fprintf(stderr, "    -2: use SHA-256\n");
+	fprintf(stderr, "    -C: print CDS record\n");
+	fprintf(stderr, "    -l: add lookaside zone and print DLV records\n");
+	fprintf(stderr, "    -s: read keyset from keyset-<dnsname> file\n");
+	fprintf(stderr, "    -c class: rdata class for DS set (default: IN)\n");
+	fprintf(stderr, "    -T TTL\n");
+	fprintf(stderr, "    -f file: read keyset from zone file\n");
+	fprintf(stderr, "    -A: when used with -f, "
+			"include all keys in DS set, not just KSKs\n");
+	fprintf(stderr, "Output: DS or DLV RRs\n");
 
 	exit (-1);
 }
@@ -332,11 +350,14 @@ int
 main(int argc, char **argv) {
 	char		*classname = NULL;
 	char		*filename = NULL, *dir = NULL, *namestr;
-	char		*endp, *arg1;
+	char		*lookaside = NULL;
+	char		*endp;
 	int		ch;
-	bool		cds = false;
-	bool		usekeyset = false;
-	bool		showall = false;
+	unsigned int	dtype = DNS_DSDIGEST_SHA1;
+	bool	cds = false;
+	bool	both = true;
+	bool	usekeyset = false;
+	bool	showall = false;
 	isc_result_t	result;
 	isc_log_t	*log = NULL;
 	dns_rdataset_t	rdataset;
@@ -344,11 +365,12 @@ main(int argc, char **argv) {
 
 	dns_rdata_init(&rdata);
 
-	if (argc == 1) {
+	if (argc == 1)
 		usage();
-	}
 
-	isc_mem_create(&mctx);
+	result = isc_mem_create(0, 0, &mctx);
+	if (result != ISC_R_SUCCESS)
+		fatal("out of memory");
 
 #if USE_PKCS11
 	pk11_result_register();
@@ -361,18 +383,24 @@ main(int argc, char **argv) {
 	while ((ch = isc_commandline_parse(argc, argv, OPTIONS)) != -1) {
 		switch (ch) {
 		case '1':
-			add_dtype(DNS_DSDIGEST_SHA1);
+			dtype = DNS_DSDIGEST_SHA1;
+			both = false;
 			break;
 		case '2':
-			add_dtype(DNS_DSDIGEST_SHA256);
+			dtype = DNS_DSDIGEST_SHA256;
+			both = false;
 			break;
 		case 'A':
 			showall = true;
 			break;
 		case 'a':
-			add_dtype(strtodsdigest(isc_commandline_argument));
+			dtype = strtodsdigest(isc_commandline_argument);
+			both = false;
 			break;
 		case 'C':
+			if (lookaside != NULL)
+				fatal("lookaside and CDS are mutually"
+				      " exclusive");
 			cds = true;
 			break;
 		case 'c':
@@ -391,7 +419,12 @@ main(int argc, char **argv) {
 			filename = isc_commandline_argument;
 			break;
 		case 'l':
-			fatal("-l option (DLV lookaside) is obsolete");
+			if (cds)
+				fatal("lookaside and CDS are mutually"
+				      " exclusive");
+			lookaside = isc_commandline_argument;
+			if (strlen(lookaside) == 0U)
+				fatal("lookaside must be a non-empty string");
 			break;
 		case 's':
 			usekeyset = true;
@@ -430,103 +463,92 @@ main(int argc, char **argv) {
 
 	rdclass = strtoclass(classname);
 
-	if (usekeyset && filename != NULL) {
+	if (usekeyset && filename != NULL)
 		fatal("cannot use both -s and -f");
-	}
 
 	/* When not using -f, -A is implicit */
-	if (filename == NULL) {
+	if (filename == NULL)
 		showall = true;
-	}
 
-	/* Default digest type if none specified. */
-	if (dtype[0] == 0) {
-		dtype[0] = DNS_DSDIGEST_SHA256;
-	}
-
-	/*
-	 * Use local variable arg1 so that clang can correctly analyse
-	 * reachable paths rather than 'argc < isc_commandline_index + 1'.
-	 */
-	arg1 = argv[isc_commandline_index];
-	if (arg1 == NULL && filename == NULL) {
+	if (argc < isc_commandline_index + 1 && filename == NULL)
 		fatal("the key file name was not specified");
-	}
-	if (arg1 != NULL && argv[isc_commandline_index + 1] != NULL) {
+	if (argc > isc_commandline_index + 1)
 		fatal("extraneous arguments");
-	}
 
 	result = dst_lib_init(mctx, NULL);
-	if (result != ISC_R_SUCCESS) {
+	if (result != ISC_R_SUCCESS)
 		fatal("could not initialize dst: %s",
 		      isc_result_totext(result));
-	}
 
 	setup_logging(mctx, &log);
 
 	dns_rdataset_init(&rdataset);
 
 	if (usekeyset || filename != NULL) {
-		if (arg1 == NULL) {
-			/* using file name as the zone name */
+		if (argc < isc_commandline_index + 1 && filename != NULL) {
+			/* using zone name as the zone file name */
 			namestr = filename;
-		} else {
-			namestr = arg1;
-		}
+		} else
+			namestr = argv[isc_commandline_index];
 
 		result = initname(namestr);
-		if (result != ISC_R_SUCCESS) {
+		if (result != ISC_R_SUCCESS)
 			fatal("could not initialize name %s", namestr);
-		}
 
-		if (usekeyset) {
+		if (usekeyset)
 			result = loadkeyset(dir, &rdataset);
-		} else {
-			INSIST(filename != NULL);
+		else
 			result = loadset(filename, &rdataset);
-		}
 
-		if (result != ISC_R_SUCCESS) {
+		if (result != ISC_R_SUCCESS)
 			fatal("could not load DNSKEY set: %s\n",
 			      isc_result_totext(result));
-		}
 
 		for (result = dns_rdataset_first(&rdataset);
 		     result == ISC_R_SUCCESS;
-		     result = dns_rdataset_next(&rdataset))
-		{
+		     result = dns_rdataset_next(&rdataset)) {
 			dns_rdata_init(&rdata);
 			dns_rdataset_current(&rdataset, &rdata);
 
-			if (verbose > 2) {
+			if (verbose > 2)
 				logkey(&rdata);
-			}
 
-			emits(showall, cds, &rdata);
+			if (both) {
+				emit(DNS_DSDIGEST_SHA1, showall, lookaside,
+				     cds, &rdata);
+				emit(DNS_DSDIGEST_SHA256, showall, lookaside,
+				     cds, &rdata);
+			} else
+				emit(dtype, showall, lookaside, cds, &rdata);
 		}
 	} else {
 		unsigned char key_buf[DST_KEY_MAXSIZE];
 
-		loadkey(arg1, key_buf, DST_KEY_MAXSIZE, &rdata);
+		loadkey(argv[isc_commandline_index], key_buf,
+			DST_KEY_MAXSIZE, &rdata);
 
-		emits(showall, cds, &rdata);
+		if (both) {
+			emit(DNS_DSDIGEST_SHA1, showall, lookaside, cds,
+			     &rdata);
+			emit(DNS_DSDIGEST_SHA256, showall, lookaside, cds,
+			     &rdata);
+		} else
+			emit(dtype, showall, lookaside, cds, &rdata);
 	}
 
-	if (dns_rdataset_isassociated(&rdataset)) {
+	if (dns_rdataset_isassociated(&rdataset))
 		dns_rdataset_disassociate(&rdataset);
-	}
 	cleanup_logging(&log);
 	dst_lib_destroy();
-	if (verbose > 10) {
+	dns_name_destroy();
+	if (verbose > 10)
 		isc_mem_stats(mctx, stdout);
-	}
 	isc_mem_destroy(&mctx);
 
 	fflush(stdout);
 	if (ferror(stdout)) {
 		fprintf(stderr, "write error\n");
 		return (1);
-	} else {
+	} else
 		return (0);
-	}
 }

bin/dnssec/dnssec-dsfromkey.docbook

@@ -12,7 +12,7 @@
 <!-- Converted by db4-upgrade version 1.0 -->
 <refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-dsfromkey">
   <info>
-    <date>2019-05-08</date>
+    <date>2012-05-02</date>
   </info>
   <refentryinfo>
     <corpname>ISC</corpname>
@@ -41,8 +41,6 @@
       <year>2015</year>
       <year>2016</year>
       <year>2018</year>
-      <year>2019</year>
-      <year>2020</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
@@ -50,108 +48,56 @@
   <refsynopsisdiv>
     <cmdsynopsis sepchar=" ">
       <command>dnssec-dsfromkey</command>
-      <group choice="opt">
-	<arg choice="plain"><option>-1</option></arg>
-	<arg choice="plain"><option>-2</option></arg>
-	<arg choice="plain"><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
-      </group>
-      <group>
-	<arg choice="plain" rep="norepeat"><option>-C</option></arg>
-	<arg choice="plain" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
-      </group>
-      <arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-1</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-2</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-C</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
       <arg choice="req" rep="norepeat">keyfile</arg>
     </cmdsynopsis>
     <cmdsynopsis sepchar=" ">
       <command>dnssec-dsfromkey</command>
-      <group choice="opt">
-	<arg choice="plain"><option>-1</option></arg>
-	<arg choice="plain"><option>-2</option></arg>
-	<arg choice="plain"><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
-      </group>
-      <group>
-	<arg choice="plain" rep="norepeat"><option>-C</option></arg>
-	<arg choice="plain" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
-      </group>
-      <arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-A</option></arg>
-      <arg choice="req" rep="norepeat"><option>-f <replaceable class="parameter">file</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat">dnsname</arg>
-    </cmdsynopsis>
-    <cmdsynopsis sepchar=" ">
-      <command>dnssec-dsfromkey</command>
-      <group choice="opt">
-	<arg choice="plain"><option>-1</option></arg>
-	<arg choice="plain"><option>-2</option></arg>
-	<arg choice="plain"><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
-      </group>
-      <group>
-	<arg choice="plain" rep="norepeat"><option>-C</option></arg>
-	<arg choice="plain" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
-      </group>
-      <arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
       <arg choice="req" rep="norepeat">-s</arg>
+      <arg choice="opt" rep="norepeat"><option>-1</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-2</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-s</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">file</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-A</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
       <arg choice="req" rep="norepeat">dnsname</arg>
-    </cmdsynopsis>
+   </cmdsynopsis>
     <cmdsynopsis sepchar=" ">
       <command>dnssec-dsfromkey</command>
-      <group choice="opt">
-	<arg choice="plain" rep="norepeat"><option>-h</option></arg>
-	<arg choice="plain" rep="norepeat"><option>-V</option></arg>
-      </group>
-    </cmdsynopsis>
+      <arg choice="opt" rep="norepeat"><option>-h</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-V</option></arg>
+   </cmdsynopsis>
   </refsynopsisdiv>
 
   <refsection><info><title>DESCRIPTION</title></info>
 
-    <para>
-      The <command>dnssec-dsfromkey</command> command outputs DS (Delegation
-      Signer) resource records (RRs), or CDS (Child DS) RRs with the
-      <option>-C</option> option.
+    <para><command>dnssec-dsfromkey</command>
+      outputs the Delegation Signer (DS) resource record (RR), as defined in
+      RFC 3658 and RFC 4509, for the given key(s).
     </para>
-
-    <para>
-      The input keys can be specified in a number of ways:
-    </para>
-
-    <para>
-      By default, <command>dnssec-dsfromkey</command> reads a key file
-      named like <filename>Knnnn.+aaa+iiiii.key</filename>, as generated
-      by <command>dnssec-keygen</command>.
-    </para>
-
-    <para>
-      With the <option>-f <replaceable>file</replaceable></option>
-      option, <command>dnssec-dsfromkey</command> reads keys from a zone file
-      or partial zone file (which can contain just the DNSKEY records).
-    </para>
-
-    <para>
-      With the <option>-s</option>
-      option, <command>dnssec-dsfromkey</command> reads
-      a <filename>keyset-</filename> file, as generated
-      by <command>dnssec-keygen</command> <option>-C</option>.
-    </para>
-
   </refsection>
 
   <refsection><info><title>OPTIONS</title></info>
 
+
     <variablelist>
       <varlistentry>
 	<term>-1</term>
 	<listitem>
 	  <para>
-	    An abbreviation for <option>-a SHA-1</option>.
-	    (Note: The SHA-1 algorithm is no longer recommended for use
-	    when generating new DS and CDS records.)
+	    Use SHA-1 as the digest algorithm (the default is to use
+	    both SHA-1 and SHA-256).
 	  </para>
 	</listitem>
       </varlistentry>
@@ -160,7 +106,7 @@
 	<term>-2</term>
 	<listitem>
 	  <para>
-	    An abbreviation for <option>-a SHA-256</option>.
+	    Use SHA-256 as the digest algorithm.
 	  </para>
 	</listitem>
       </varlistentry>
@@ -169,49 +115,40 @@
 	<term>-a <replaceable class="parameter">algorithm</replaceable></term>
 	<listitem>
 	  <para>
-	    Specify a digest algorithm to use when converting DNSKEY
-	    records to DS records. This option can be repeated, so
-	    that multiple DS records are created for each DNSKEY
-	    record.
-          </para>
-          <para>
-	    The <replaceable>algorithm</replaceable> must be one of
-	    SHA-1, SHA-256, or SHA-384.  These values are case insensitive,
-	    and the hyphen may be omitted.  If no algorithm is specified,
-	    the default is SHA-256.
-	    (Note: The SHA-1 algorithm is no longer recommended for use
-	    when generating new DS and CDS records.)
+	    Select the digest algorithm. The value of
+	    <option>algorithm</option> must be one of SHA-1 (SHA1),
+	    SHA-256 (SHA256) or SHA-384 (SHA384).
+	    These values are case insensitive.
 	  </para>
 	</listitem>
       </varlistentry>
 
-      <varlistentry>
-        <term>-A</term>
-        <listitem>
-          <para>
-            Include ZSKs when generating DS records. Without this option, only
-            keys which have the KSK flag set will be converted to DS records
-            and printed. Useful only in <option>-f</option> zone file mode.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-c <replaceable class="parameter">class</replaceable></term>
-	<listitem>
-	  <para>
-	    Specifies the DNS class (default is IN). Useful only
-	    in <option>-s</option> keyset or <option>-f</option>
-	    zone file mode.
-	  </para>
-	  </listitem>
-      </varlistentry>
-
       <varlistentry>
 	<term>-C</term>
 	<listitem>
 	  <para>
-	    Generate CDS records rather than DS records.
+	    Generate CDS records rather than DS records.  This is mutually
+	    exclusive with generating lookaside records.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-T <replaceable class="parameter">TTL</replaceable></term>
+	<listitem>
+	  <para>
+	    Specifies the TTL of the DS records.
+	  </para>
+	  </listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-K <replaceable class="parameter">directory</replaceable></term>
+	<listitem>
+	  <para>
+	    Look for key files (or, in keyset mode,
+	    <filename>keyset-</filename> files) in
+	    <option>directory</option>.
 	  </para>
 	</listitem>
       </varlistentry>
@@ -220,14 +157,13 @@
 	<term>-f <replaceable class="parameter">file</replaceable></term>
 	<listitem>
 	  <para>
-	    Zone file mode: <command>dnssec-dsfromkey</command>'s
-	    final <replaceable>dnsname</replaceable> argument is
-	    the DNS domain name of a zone whose master file can be read
+	    Zone file mode: in place of the keyfile name, the argument is
+	    the DNS domain name of a zone master file, which can be read
 	    from <option>file</option>.  If the zone name is the same as
 	    <option>file</option>, then it may be omitted.
 	  </para>
 	  <para>
-	    If <replaceable>file</replaceable> is <literal>"-"</literal>, then
+	    If <option>file</option> is set to <literal>"-"</literal>, then
 	    the zone data is read from the standard input.  This makes it
 	    possible to use the output of the <command>dig</command>
 	    command as input, as in:
@@ -239,20 +175,26 @@
       </varlistentry>
 
       <varlistentry>
-	<term>-h</term>
-	<listitem>
-	  <para>
-	    Prints usage information.
-	  </para>
-	</listitem>
+        <term>-A</term>
+        <listitem>
+          <para>
+            Include ZSKs when generating DS records.  Without this option,
+            only keys which have the KSK flag set will be converted to DS
+            records and printed.  Useful only in zone file mode.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
-	<term>-K <replaceable class="parameter">directory</replaceable></term>
+	<term>-l <replaceable class="parameter">domain</replaceable></term>
 	<listitem>
 	  <para>
-	    Look for key files or <filename>keyset-</filename> files in
-	    <option>directory</option>.
+	    Generate a DLV set instead of a DS set.  The specified
+	    <option>domain</option> is appended to the name for each
+	    record in the set.
+	    The DNSSEC Lookaside Validation (DLV) RR is described
+	    in RFC 4431.  This is mutually exclusive with generating
+	    CDS records.
 	  </para>
 	</listitem>
       </varlistentry>
@@ -261,18 +203,18 @@
 	<term>-s</term>
 	<listitem>
 	  <para>
-	    Keyset mode: <command>dnssec-dsfromkey</command>'s
-	    final <replaceable>dnsname</replaceable> argument is the DNS
-	    domain name used to locate a <filename>keyset-</filename> file.
+	    Keyset mode: in place of the keyfile name, the argument is
+	    the DNS domain name of a keyset file.
 	  </para>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
-	<term>-T <replaceable class="parameter">TTL</replaceable></term>
+	<term>-c <replaceable class="parameter">class</replaceable></term>
 	<listitem>
 	  <para>
-	    Specifies the TTL of the DS records. By default the TTL is omitted.
+	    Specifies the DNS class (default is IN).  Useful only
+	    in keyset or zone file mode.
 	  </para>
 	  </listitem>
       </varlistentry>
@@ -286,6 +228,15 @@
 	</listitem>
       </varlistentry>
 
+      <varlistentry>
+	<term>-h</term>
+	<listitem>
+	  <para>
+	    Prints usage information.
+	  </para>
+	</listitem>
+      </varlistentry>
+
       <varlistentry>
 	<term>-V</term>
 	<listitem>
@@ -302,22 +253,21 @@
     <para>
       To build the SHA-256 DS RR from the
       <userinput>Kexample.com.+003+26160</userinput>
-      keyfile name, you can issue the following command:
+      keyfile name, the following command would be issued:
     </para>
     <para><userinput>dnssec-dsfromkey -2 Kexample.com.+003+26160</userinput>
     </para>
     <para>
       The command would print something like:
     </para>
-    <para><userinput>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94</userinput>
+    <para><userinput>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</userinput>
     </para>
-
   </refsection>
 
   <refsection><info><title>FILES</title></info>
 
     <para>
-      The keyfile can be designated by the key identification
+      The keyfile can be designed by the key identification
       <filename>Knnnn.+aaa+iiiii</filename> or the full file name
       <filename>Knnnn.+aaa+iiiii.key</filename> as generated by
       <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>.
@@ -345,10 +295,9 @@
 	<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
       </citerefentry>,
       <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
-      <citetitle>RFC 3658</citetitle> (DS RRs),
-      <citetitle>RFC 4509</citetitle> (SHA-256 for DS RRs),
-      <citetitle>RFC 6605</citetitle> (SHA-384 for DS RRs),
-      <citetitle>RFC 7344</citetitle> (CDS and CDNSKEY RRs).
+      <citetitle>RFC 3658</citetitle>,
+      <citetitle>RFC 4431</citetitle>.
+      <citetitle>RFC 4509</citetitle>.
     </para>
   </refsection>
 

bin/dnssec/dnssec-dsfromkey.html

@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2008-2012, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2008-2012, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -33,167 +33,105 @@
 <h2>Synopsis</h2>
     <div class="cmdsynopsis"><p>
       <code class="command">dnssec-dsfromkey</code> 
-       [
-	 <code class="option">-1</code> 
-	 |   <code class="option">-2</code> 
-	 |   <code class="option">-a <em class="replaceable"><code>alg</code></em></code> 
-      ]
-       [
-	 <code class="option">-C</code> 
-	 |   <code class="option">-l <em class="replaceable"><code>domain</code></em></code> 
-      ]
-       [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
        [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
-       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
+       [<code class="option">-1</code>]
+       [<code class="option">-2</code>]
+       [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>]
+       [<code class="option">-C</code>]
+       [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>]
+       [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
        {keyfile}
     </p></div>
     <div class="cmdsynopsis"><p>
       <code class="command">dnssec-dsfromkey</code> 
-       [
-	 <code class="option">-1</code> 
-	 |   <code class="option">-2</code> 
-	 |   <code class="option">-a <em class="replaceable"><code>alg</code></em></code> 
-      ]
-       [
-	 <code class="option">-C</code> 
-	 |   <code class="option">-l <em class="replaceable"><code>domain</code></em></code> 
-      ]
-       [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
-       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
-       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
-       [<code class="option">-A</code>]
-       {<code class="option">-f <em class="replaceable"><code>file</code></em></code>}
-       [dnsname]
-    </p></div>
-    <div class="cmdsynopsis"><p>
-      <code class="command">dnssec-dsfromkey</code> 
-       [
-	 <code class="option">-1</code> 
-	 |   <code class="option">-2</code> 
-	 |   <code class="option">-a <em class="replaceable"><code>alg</code></em></code> 
-      ]
-       [
-	 <code class="option">-C</code> 
-	 |   <code class="option">-l <em class="replaceable"><code>domain</code></em></code> 
-      ]
-       [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
-       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
-       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
-       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
        {-s}
+       [<code class="option">-1</code>]
+       [<code class="option">-2</code>]
+       [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>]
+       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
+       [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>]
+       [<code class="option">-s</code>]
+       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
+       [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
+       [<code class="option">-f <em class="replaceable"><code>file</code></em></code>]
+       [<code class="option">-A</code>]
+       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
        {dnsname}
-    </p></div>
+   </p></div>
     <div class="cmdsynopsis"><p>
       <code class="command">dnssec-dsfromkey</code> 
-       [
-	 <code class="option">-h</code> 
-	 |   <code class="option">-V</code> 
-      ]
-    </p></div>
+       [<code class="option">-h</code>]
+       [<code class="option">-V</code>]
+   </p></div>
   </div>
 
   <div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
 
-    <p>
-      The <span class="command"><strong>dnssec-dsfromkey</strong></span> command outputs DS (Delegation
-      Signer) resource records (RRs), or CDS (Child DS) RRs with the
-      <code class="option">-C</code> option.
+    <p><span class="command"><strong>dnssec-dsfromkey</strong></span>
+      outputs the Delegation Signer (DS) resource record (RR), as defined in
+      RFC 3658 and RFC 4509, for the given key(s).
     </p>
-
-    <p>
-      The input keys can be specified in a number of ways:
-    </p>
-
-    <p>
-      By default, <span class="command"><strong>dnssec-dsfromkey</strong></span> reads a key file
-      named like <code class="filename">Knnnn.+aaa+iiiii.key</code>, as generated
-      by <span class="command"><strong>dnssec-keygen</strong></span>.
-    </p>
-
-    <p>
-      With the <code class="option">-f <em class="replaceable"><code>file</code></em></code>
-      option, <span class="command"><strong>dnssec-dsfromkey</strong></span> reads keys from a zone file
-      or partial zone file (which can contain just the DNSKEY records).
-    </p>
-
-    <p>
-      With the <code class="option">-s</code>
-      option, <span class="command"><strong>dnssec-dsfromkey</strong></span> reads
-      a <code class="filename">keyset-</code> file, as generated
-      by <span class="command"><strong>dnssec-keygen</strong></span> <code class="option">-C</code>.
-    </p>
-
   </div>
 
   <div class="refsection">
 <a name="id-1.8"></a><h2>OPTIONS</h2>
 
+
     <div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-1</span></dt>
 <dd>
 	  <p>
-	    An abbreviation for <code class="option">-a SHA-1</code>.
-	    (Note: The SHA-1 algorithm is no longer recommended for use
-	    when generating new DS and CDS records.)
+	    Use SHA-1 as the digest algorithm (the default is to use
+	    both SHA-1 and SHA-256).
 	  </p>
 	</dd>
 <dt><span class="term">-2</span></dt>
 <dd>
 	  <p>
-	    An abbreviation for <code class="option">-a SHA-256</code>.
+	    Use SHA-256 as the digest algorithm.
 	  </p>
 	</dd>
 <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 <dd>
 	  <p>
-	    Specify a digest algorithm to use when converting DNSKEY
-	    records to DS records. This option can be repeated, so
-	    that multiple DS records are created for each DNSKEY
-	    record.
-          </p>
-          <p>
-	    The <em class="replaceable"><code>algorithm</code></em> must be one of
-	    SHA-1, SHA-256, or SHA-384.  These values are case insensitive,
-	    and the hyphen may be omitted.  If no algorithm is specified,
-	    the default is SHA-256.
-	    (Note: The SHA-1 algorithm is no longer recommended for use
-	    when generating new DS and CDS records.)
+	    Select the digest algorithm. The value of
+	    <code class="option">algorithm</code> must be one of SHA-1 (SHA1),
+	    SHA-256 (SHA256) or SHA-384 (SHA384).
+	    These values are case insensitive.
 	  </p>
 	</dd>
-<dt><span class="term">-A</span></dt>
-<dd>
-          <p>
-            Include ZSKs when generating DS records. Without this option, only
-            keys which have the KSK flag set will be converted to DS records
-            and printed. Useful only in <code class="option">-f</code> zone file mode.
-          </p>
-        </dd>
-<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd>
-	  <p>
-	    Specifies the DNS class (default is IN). Useful only
-	    in <code class="option">-s</code> keyset or <code class="option">-f</code>
-	    zone file mode.
-	  </p>
-	  </dd>
 <dt><span class="term">-C</span></dt>
 <dd>
 	  <p>
-	    Generate CDS records rather than DS records.
+	    Generate CDS records rather than DS records.  This is mutually
+	    exclusive with generating lookaside records.
+	  </p>
+	</dd>
+<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
+<dd>
+	  <p>
+	    Specifies the TTL of the DS records.
+	  </p>
+	  </dd>
+<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
+<dd>
+	  <p>
+	    Look for key files (or, in keyset mode,
+	    <code class="filename">keyset-</code> files) in
+	    <code class="option">directory</code>.
 	  </p>
 	</dd>
 <dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
 <dd>
 	  <p>
-	    Zone file mode: <span class="command"><strong>dnssec-dsfromkey</strong></span>'s
-	    final <em class="replaceable"><code>dnsname</code></em> argument is
-	    the DNS domain name of a zone whose master file can be read
+	    Zone file mode: in place of the keyfile name, the argument is
+	    the DNS domain name of a zone master file, which can be read
 	    from <code class="option">file</code>.  If the zone name is the same as
 	    <code class="option">file</code>, then it may be omitted.
 	  </p>
 	  <p>
-	    If <em class="replaceable"><code>file</code></em> is <code class="literal">"-"</code>, then
+	    If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
 	    the zone data is read from the standard input.  This makes it
 	    possible to use the output of the <span class="command"><strong>dig</strong></span>
 	    command as input, as in:
@@ -202,31 +140,37 @@
 	    <strong class="userinput"><code>dig dnskey example.com | dnssec-dsfromkey -f - example.com</code></strong>
 	  </p>
 	</dd>
-<dt><span class="term">-h</span></dt>
+<dt><span class="term">-A</span></dt>
+<dd>
+          <p>
+            Include ZSKs when generating DS records.  Without this option,
+            only keys which have the KSK flag set will be converted to DS
+            records and printed.  Useful only in zone file mode.
+          </p>
+        </dd>
+<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
 <dd>
 	  <p>
-	    Prints usage information.
-	  </p>
-	</dd>
-<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
-	  <p>
-	    Look for key files or <code class="filename">keyset-</code> files in
-	    <code class="option">directory</code>.
+	    Generate a DLV set instead of a DS set.  The specified
+	    <code class="option">domain</code> is appended to the name for each
+	    record in the set.
+	    The DNSSEC Lookaside Validation (DLV) RR is described
+	    in RFC 4431.  This is mutually exclusive with generating
+	    CDS records.
 	  </p>
 	</dd>
 <dt><span class="term">-s</span></dt>
 <dd>
 	  <p>
-	    Keyset mode: <span class="command"><strong>dnssec-dsfromkey</strong></span>'s
-	    final <em class="replaceable"><code>dnsname</code></em> argument is the DNS
-	    domain name used to locate a <code class="filename">keyset-</code> file.
+	    Keyset mode: in place of the keyfile name, the argument is
+	    the DNS domain name of a keyset file.
 	  </p>
 	</dd>
-<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
+<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
 <dd>
 	  <p>
-	    Specifies the TTL of the DS records. By default the TTL is omitted.
+	    Specifies the DNS class (default is IN).  Useful only
+	    in keyset or zone file mode.
 	  </p>
 	  </dd>
 <dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
@@ -235,6 +179,12 @@
 	    Sets the debugging level.
 	  </p>
 	</dd>
+<dt><span class="term">-h</span></dt>
+<dd>
+	  <p>
+	    Prints usage information.
+	  </p>
+	</dd>
 <dt><span class="term">-V</span></dt>
 <dd>
 	  <p>
@@ -250,23 +200,22 @@
     <p>
       To build the SHA-256 DS RR from the
       <strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
-      keyfile name, you can issue the following command:
+      keyfile name, the following command would be issued:
     </p>
     <p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong>
     </p>
     <p>
       The command would print something like:
     </p>
-    <p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94</code></strong>
+    <p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</code></strong>
     </p>
-
   </div>
 
   <div class="refsection">
 <a name="id-1.10"></a><h2>FILES</h2>
 
     <p>
-      The keyfile can be designated by the key identification
+      The keyfile can be designed by the key identification
       <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
       <code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
       <span class="refentrytitle">dnssec-keygen</span>(8).
@@ -296,10 +245,9 @@
 	<span class="refentrytitle">dnssec-signzone</span>(8)
       </span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
-      <em class="citetitle">RFC 3658</em> (DS RRs),
-      <em class="citetitle">RFC 4509</em> (SHA-256 for DS RRs),
-      <em class="citetitle">RFC 6605</em> (SHA-384 for DS RRs),
-      <em class="citetitle">RFC 7344</em> (CDS and CDNSKEY RRs).
+      <em class="citetitle">RFC 3658</em>,
+      <em class="citetitle">RFC 4431</em>.
+      <em class="citetitle">RFC 4509</em>.
     </p>
   </div>
 

bin/dnssec/dnssec-importkey.8

@@ -1,4 +1,4 @@
-.\" Copyright (C) 2013-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2013-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -134,5 +134,5 @@ RFC 5011\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2013-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2013-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br

bin/dnssec/dnssec-importkey.c

@@ -11,6 +11,8 @@
 
 /*! \file */
 
+#include <config.h>
+
 #include <stdbool.h>
 #include <stdlib.h>
 
@@ -46,7 +48,12 @@
 
 #include "dnssectool.h"
 
+#ifndef PATH_MAX
+#define PATH_MAX 1024   /* WIN32, and others don't define this. */
+#endif
+
 const char *program = "dnssec-importkey";
+int verbose;
 
 static dns_rdataclass_t rdclass;
 static dns_fixedname_t	fixed;
@@ -174,7 +181,9 @@ loadkey(char *filename, unsigned char *key_buf, unsigned int key_buf_size,
 	rdclass = dst_key_class(key);
 
 	name = dns_fixedname_initname(&fixed);
-	dns_name_copynf(dst_key_name(key), name);
+	result = dns_name_copy(dst_key_name(key), name, NULL);
+	if (result != ISC_R_SUCCESS)
+		fatal("can't copy name");
 
 	dst_key_free(&key);
 }
@@ -298,7 +307,9 @@ main(int argc, char **argv) {
 	if (argc == 1)
 		usage();
 
-	isc_mem_create(&mctx);
+	result = isc_mem_create(0, 0, &mctx);
+	if (result != ISC_R_SUCCESS)
+		fatal("out of memory");
 
 #if USE_PKCS11
 	pk11_result_register();
@@ -439,6 +450,7 @@ main(int argc, char **argv) {
 		dns_rdataset_disassociate(&rdataset);
 	cleanup_logging(&log);
 	dst_lib_destroy();
+	dns_name_destroy();
 	if (verbose > 10)
 		isc_mem_stats(mctx, stdout);
 	isc_mem_destroy(&mctx);

bin/dnssec/dnssec-importkey.docbook

@@ -38,8 +38,6 @@
       <year>2015</year>
       <year>2016</year>
       <year>2018</year>
-      <year>2019</year>
-      <year>2020</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>